Consumerizing Industrial Access Control: Using UMA to Add Privacy and Usability to Strong Security
Strong Privacy for RFID Systems from Plaintext-Aware ... strong privacy CANS 2012 1 / 32 Our Problem...
Transcript of Strong Privacy for RFID Systems from Plaintext-Aware ... strong privacy CANS 2012 1 / 32 Our Problem...
Strong Privacy for RFID Systems fromPlaintext-Aware Encryption
Khaled Ouafi and Serge Vaudenay
ÉCOLE POLYTECHNIQUEFÉDÉRALE DE LAUSANNE
http://lasec.epfl.ch/
supported by the ECRYPT project
SV strong privacy CANS 2012 1 / 32
Our Problem
Tag Systemwho’s there?�
-ZUKTHPFBVI
that’s tag ID=38925629
one system (may include several readers), many tags
tags: passive (no battery), limited capabilities, not tamper-proof
primary concern (industry driven): securityif System identifies tag ID, it must be tag ID
secondary concern (user driven): privacytags could only be identified/traced/linked by System
problem: formal model
SV strong privacy CANS 2012 2 / 32
A Typical Protocol
Tag Systemkey: S {. . . ,(ID,K ), . . .}
c=challenge←−−−−−−−−−−−−− pick ρ, c = Gen(ρ)r = Alg(S,c;coins)
r=response−−−−−−−−−−−−−→ find (ID,K ) s.t. Ver(K ,ρ, r)output: ID
stateless
2-round
SV strong privacy CANS 2012 3 / 32
1 Towards a Formal Model
2 Definitions and Results
3 Strong Privacy is Possible
SV strong privacy CANS 2012 4 / 32
1 Towards a Formal Model
2 Definitions and Results
3 Strong Privacy is Possible
SV strong privacy CANS 2012 5 / 32
ISO/IEC 9798-2 2-Pass Unilateral Authentication
Tag Systemstate: K {. . . ,(ID,K ), . . .}
a←−−−−−−−−−−−−− pick a
c = EncK (a)c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = EncK (a)
output: ID
pro stateless, symmetric crypto
con replay attack −→ tag traceability
SV strong privacy CANS 2012 6 / 32
Variant
Tag Systemstate: K {. . . ,(ID,K ), . . .}
pick ba←−−−−−−−−−−−−− pick a
c = EncK (a,b)b,c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = EncK (a,b)
output: ID
pro stateless, symmetric crypto, secure, weak privacy
con tag corruption −→ tag traceability
SV strong privacy CANS 2012 7 / 32
Evolution of Privacy Protocols
early: did not address corruption or result channel
OSK03: corruption at the end only (forward privacy)
ADO06: early corruption considered
JW06: result channel considered
Vau07: 2×4 matrix (result channel × corruption model)
SV strong privacy CANS 2012 8 / 32
1 Towards a Formal Model
2 Definitions and Results
3 Strong Privacy is Possible
SV strong privacy CANS 2012 9 / 32
RFID SchemeComponents:
System = (stateless) Reader securely connected� - (stateful) DatabaseSetupReader→ (KS,KP):generate keys (KS,KP), store in Reader, and empty databaseSetupTagKP
(ID)→ (K ,S):S is an initial state for tag ID(ID,data) is to be inserted in databaseProtocols:
Tag Reader Database(S) KS db
←−−− −−−→−−−→ output ←−−−
output: tag ID (if valid) or ⊥ (if not)
Functionality:correctness: identification under normal execution
SV strong privacy CANS 2012 10 / 32
Adversarial Model
Adversary
6ID1, ID2, ID3
CreateTag
� distr -
vtag1vtag2
vtag3
free tagsID1 ID2 ID3
+
3
vtag1 (ID2)
?
6
vtag2 (ID1)
s
k
vtag3 (ID3)
-� reader
SV strong privacy CANS 2012 11 / 32
Oracle Accesses
Adversary
+
vtag
Free
� -vtag,mes
mes′SendTag
k
s
distrvtag,bit
...(vtag, ID)
...DrawTag
?
6vtag state
Corrupt
6ID bit
CreateTag
s
k
bitπ
Result
-�π,mes
mes′SendReader
3
+
π
Launch
SV strong privacy CANS 2012 12 / 32
Security
Wining condition: one reader-protocol instance π identified ID but thistag did not have any matching conversation(i.e. same transcript and well interleaved messages).
DefinitionAn RFID scheme is secure if for any polynomially bounded adversarythe probability of success is negligible.
SV strong privacy CANS 2012 13 / 32
Privacy Adversary
A
-�
-�
-�
CrTag, Free, Corrupt
Launch, Send, Result
DrawTag
?
?true/false
table�
Wining condition: the adversary outputs true
Problem: there are trivial wining adversaries(e.g. an adversary who always answers true)
SV strong privacy CANS 2012 14 / 32
Blinders
A
-�
-�
-�
B
-�
-�
CrTag, Free, Corrupt
Launch, Send, Result
DrawTag
?
?true/false
table�
DefinitionA blinder is an interface between the adversary and the oracles that
passively looks at communications to CreateTag, DrawTag, Free,and Corrupt queries
simulates the oracles Launch, SendReader, SendTag, and Result
SV strong privacy CANS 2012 15 / 32
Privacy
A
-�
-�
-�
CrTag, Free, Corrupt
Launch, Send, Result
DrawTag
?
?true/false
table�
AB
-�
-�
-�
-�
-�
?
?true/false
-
Definition
An RFID scheme protects privacy if for any polynomially bounded Athere exists a polynomially bounded blinder B such thatPr[A wins]−Pr[AB wins] is negligible.
SV strong privacy CANS 2012 16 / 32
Privacy Models
no readeroutput
(narrow)
readeroutput
corrupt(strong)
destructivecorrupt
(destructive)
finalcorrupt
(forward)
nocorrupt(weak)
strong destructive forward weak
narrowstrong
narrowdestructive
narrowforward
narrowweak
⇒ ⇒ ⇒
⇒ ⇒ ⇒
⇓ ⇓ ⇓ ⇓
SV strong privacy CANS 2012 17 / 32
Challenge-Response RFID Scheme
Tag Systemstate: K {. . . ,(ID,K ), . . .}
pick ba←−−−−−−−−−−−−− pick a
c = FK (a,b)b,c−−−−−−−−−−−−−→ find (ID,K ) s.t. c = FK (a,b)
output: ID
TheoremAssuming that F is a pseudorandom function, this RFID scheme is
correct
secure
weak private⇓
⇒
no forward privacy: trace tag by corrupting it in the future
SV strong privacy CANS 2012 18 / 32
Narrow-Weak Privacy Implies One-Way Function
TheoremAn RFID scheme that is
correct
narrow-weak private⇓
⇒
can be transformed into a one-way function.
no privacy without any crypto!
Proof idea:1 the function mapping the initial states and random coins to the
protocol transcript must be one-way (otherwise compute newstates and identify in future sessions)
SV strong privacy CANS 2012 19 / 32
Modified OSK
Tag Systemstate: S {. . . ,(ID,K ), . . .}
a←−−−−−−−−−−−−− pick a
c = F(S,a)c−−−−−−−−−−−−−→ find (ID,K ) s.t.
replace S by G(S) c = F(Gi(K ),a) and i < treplace K by Gi(K )
output: ID
TheoremAssuming that F and G are random oracles, this RFID scheme is
correct
secure
narrow-destructive private⇓
⇒
no privacy with a side channel: DoS [JW 2006]
SV strong privacy CANS 2012 20 / 32
Public-Key-Based RFID Scheme
Tag Systemstate: KP , ID,K secret key: KS
{. . . ,(ID,K ), . . .}a←−−−−−−−−−−−−− pick a
c = EncKP (ID‖K‖a)c−−−−−−−−−−−−−→ DecKS(c) = ID‖K‖a
check a, (ID,K )output: ID
TheoremAssuming that Enc/Dec is an IND-CCA public-key cryptosystem, thisRFID scheme is
correct
secure
narrow-strong and forward private⇓
⇒
SV strong privacy CANS 2012 21 / 32
Narrow-Strong Privacy Implies Public-Key Cryptography
TheoremAn RFID scheme that is
correct
narrow-strong private⇓
⇒
can be transformed into a secure key agreement protocol.
no narrow-strong privacy without public-key crypto!
Proof idea:1 Alice creates two legitimate tags 0 and 1, sends their states to
Bob, and simulate the system for Bob2 Bob flips a bit b and simulate tag b to Alice3 Alice identifies b which is an agreed key bit
SV strong privacy CANS 2012 22 / 32
Caveat: Not Destructive Private
1: CreateTag(0)2: vtag0← DrawTag(0)3: S0← Corrupt(vtag0)4: (·,S1)← SetupTagKP
(1)5: flip a coin b ∈ {0,1}6: π← Launch7: simulate a tag of state Sb with
reader instance π8: x ← Result(π)9: if T (x) = b then
10: output true11: else12: output false13: end if
We have Pr[A wins]≈ 1.
A blinder who computes x translatesinto an IND-CPA adversary againstthe public-key cryptosystem, thusPr[AB wins]≈ 1
2 for any B.
Hence, A is a significant destructiveadversary.
SV strong privacy CANS 2012 23 / 32
Strong Privacy is Infeasible
TheoremAn RFID scheme cannot be
correct
narrow-strong and destructive private⇓
⇒
at the same time.
no strong privacy!
SV strong privacy CANS 2012 24 / 32
Results about Privacy Models (2007 Version)
no readeroutput
readeroutput
corruptdestructive
corruptfinal
corruptno
corrupt
impossible ??
equiv toPK-crypto
doable withPK-crypto
doablein ROM
doable withPRF
equiv toPRF
⇒ ⇒
⇒ ⇒ ⇒
⇓ ⇓ ⇓
possible: (PRF) (ROM) (PKC)
impossible: (w/o KA)
SV strong privacy CANS 2012 25 / 32
1 Towards a Formal Model
2 Definitions and Results
3 Strong Privacy is Possible
SV strong privacy CANS 2012 26 / 32
Impossibility Proof
take the following adver-sary (for destructive pri-vacy)
1: (·,S0)← SetupTagKP(0)
2: CreateTag(1)3: vtag← DrawTag(1)4: S1← Corrupt(vtag) (destroy it)5: flip a coin b ∈ {0,1}6: π← Launch7: simulate tag of state Sb with π8: x ← Result(π)9: output 1x=b
a blinder B for this advesary getsS1, simulate reader interacting withb = 0 or 1 and can guess b
B defines an adversary(for narrow-strong pri-vacy)
1: create tag 0 and tag 12: draw both tags3: corrupt both tags and get their
states S0 and S1
4: free both tags5: draw a random tag: vtag ←
DrawTag(0 or 1)6: simulate B with input KP , S1,
and interacting with vtag and getbit x
7: output 1T (vtag)=x
SV strong privacy CANS 2012 27 / 32
Ng-Susilo-Mu-Safavi-Naini 2008
not strong private because the adversary asks questions forwhich he knows the answer but the blinder cannot guess it
notion of “wise” adversary (cannot ask question for which heknows the answer)
we take a different approach:
we let the blinder be able to read the adversary’s thoughts
SV strong privacy CANS 2012 28 / 32
New Blinders
A
-�
-�
-�
B
-�
-�
CrTag, Free, Corrupt
Launch, Send, Result
DrawTag
?
?true/false
table�
DefinitionA blinder is an interface between the adversary and the oracles that
passively looks at communications to CreateTag, DrawTag, Free,and Corrupt queries
simulates the oracles Launch, SendReader, SendTag, and Result
see the adverary’s random coins
SV strong privacy CANS 2012 29 / 32
Public-Key-Based RFID Scheme
Tag Systemstate: KP , ID,K secret key: KS
{. . . ,(ID,K ), . . .}a←−−−−−−−−−−−−− pick a
c = EncKP (ID‖K‖a)c−−−−−−−−−−−−−→ DecKS(c) = ID‖K‖a
check a, (ID,K )output: ID
TheoremAssuming that Enc/Dec is a PA2+IND-CPA public-key cryptosystem,this RFID scheme is
correct
secure
strong private⇓
⇒
SV strong privacy CANS 2012 30 / 32
PA2 Trick
PA2 means for all valid ciphertexts form the adversary, either it isreused or the adversary must know the plaintext(Bellare-Palacio 2004)
know the plaintext =⇒ blinder can get it be reading his thoughts
PA2 needed because the blinder must simulate Result bydecrypting ciphertexts forged by the adversary (they could bebased on corrupted states)
SV strong privacy CANS 2012 31 / 32
Conclusion
no readeroutput
readeroutput
corruptfinal
corruptno
corrupt
doable withPA-crypto
equiv toPK-crypto
doable withPK-crypto
doablein ROM
doable withPRF
equiv toPRF
⇒ ⇒
⇒ ⇒
⇓ ⇓ ⇓
we have a good framework to study privacystrong privacy is possible, but only with PK-cryptosome open problems
forward privacy based on PRF (or ROM)?narrow-forward privacy based on PRF (no ROM)?separation with a concurrent model based on indistinguishability
SV strong privacy CANS 2012 32 / 32