public-key distance bounding and its application …public-key distance bounding and its application...
TRANSCRIPT
PUBLIC-KEY DISTANCE BOUNDING AND ITS APPLICATION ON CONTACTLESS ACCESS
CONTROLHandan Kılınç
Presentation at FutureDB - Distance-bounding: past, present, future
*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
2
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
3
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
4
INTRODUCTIONDISTANCE BOUNDING
ProverVerifier
4
INTRODUCTIONDISTANCE BOUNDING
The prover authenticatesand proves its proximity
ProverVerifier
INTRODUCTION
Symmetric Distance Bounding: The prover and the verifier share a secret
Public-key Distance Bounding: The prover has its own secret/public key and the public-key of the verifier
5
INTRODUCTIONPROBLEMS IN PUBLIC KEY DB
6
Slower than symmetric key operations
Limited computational resources on the devices
INTRODUCTIONPROBLEMS IN PUBLIC KEY DB
6
Slower than symmetric key operations
Limited computational resources on the devices
INTRODUCTIONPROBLEMS IN PUBLIC KEY DB
6
Slower than symmetric key operations
Limited computational resources on the devices
INTRODUCTIONPROBLEMS IN PUBLIC KEY DB
6
Slower than symmetric key operations
Limited computational resources on the devices
Construct an efficient and secure public-key distance bounding
STRONG PRIVACY IN DBHPVP*
7
We have provers P1, P2, P3,…, Pn and the adversary A A can corrupt the provers: learns the secret keys of the provers.
As a challenge, A picks two provers Pi, Pj
Challenger picks one of them as a virtual tag and gives the virtual
prover to A.
A can send messages to the virtual tag.
A can send messages to the verifier.
If A can recognize the virtual tag, then he wins the game.
* J. Hermans, A. Pashalidis, F. Vercauteren, and B. Preneel. A new RFID privacy model. In ESORICS, 2011
STRONG PRIVACY IN DBHPVP*
7
We have provers P1, P2, P3,…, Pn and the adversary A A can corrupt the provers: learns the secret keys of the provers.
As a challenge, A picks two provers Pi, Pj
Challenger picks one of them as a virtual tag and gives the virtual
prover to A.
A can send messages to the virtual tag.
A can send messages to the verifier.
If A can recognize the virtual tag, then he wins the game.
A DB protocol is strong private if A wins the above game with negligible advantage.
* J. Hermans, A. Pashalidis, F. Vercauteren, and B. Preneel. A new RFID privacy model. In ESORICS, 2011
AN OVERVIEW OF OUR PROTOCOL
8
Agree on a key s with using a key agreement (KA) protocol
Run a symmetric DB with s
AN OVERVIEW OF OUR PROTOCOL
8
Agree on a key s with using a key agreement (KA) protocol
Run a symmetric DB with s
What kind of security properties do we need for the key agreement protocol to have MiM, DF and DH secure and strong private DB protocol?
AN OVERVIEW OF OUR PROTOCOL
8
Agree on a key s with using a key agreement (KA) protocol
Run a symmetric DB with s
What kind of security properties do we need for the key agreement protocol to have MiM, DF and DH secure and strong private DB protocol?
KA Efficiency Security
MQV 2.5 No proof
HMQV 2.5 CK
KEA+ 3 CK
NAXOS 4 eCK
CMQV 3 eCK
9
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
AUTHENTICATED KEY AGREEMENTONE PASS
10
!"#,%"#,%"& !"#, %"#,%"&
*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016
AUTHENTICATED KEY AGREEMENTONE PASS
10
! ← #(1&))(*+,, .+,, .+/,!)
!"#,%"#,%"& !"#, %"#,%"&
*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016
AUTHENTICATED KEY AGREEMENTONE PASS
10
! ← #(1&))(*+,, .+,, .+/,!)
!"#,%"#,%"& !"#, %"#,%"&
!
*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016
AUTHENTICATED KEY AGREEMENTONE PASS
10
!(#$%,'$%,'$(, ))! ← #(1&))(*+,, .+,, .+/,!)
!"#,%"#,%"& !"#, %"#,%"&
!
*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016
AUTHENTICATED KEY AGREEMENTONE PASS
10
!(#$%,'$%,'$(, ))! ← #(1&))(*+,, .+,, .+/,!)
!"#,%"#,%"& !"#, %"#,%"&
!
!!
*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016
Decisional-Authenticated Key Agreement(D-AKA)
11
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)
!"#$%&4(.,.)5(./4,1/4, . , . )
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)
!"#$%&4(.,.)5(./4,1/4, . , . )
!"#
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)
!"#$%&4(.,.)5(./4,1/4, . , . )
!"#!, #$
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)
!"#$%&4(.,.)5(./4,1/4, . , . )
!",#, %&', %&(
!"#!, #$
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)
!"#$%&4(.,.)5(./4,1/4, . , . )
Itcanaccesstheoraclesexcept("#$,&)
!",#, %&', %&(
!"#!, #$
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)
!"#$%&4(.,.)5(./4,1/4, . , . )
Itcanaccesstheoraclesexcept("#$,&)
!"
!",#, %&', %&(
!"#!, #$
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)
!"#$%&4(.,.)5(./4,1/4, . , . )
Itcanaccesstheoraclesexcept("#$,&)
!" If!" = !Itwins
!",#, %&', %&(
!"#!, #$
Challenger Adversary
Decisional-Authenticated Key Agreement(D-AKA)
11
Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}
!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)
!"#$%&4(.,.)5(./4,1/4, . , . )
Itcanaccesstheoraclesexcept("#$,&)
!" If!" = !Itwins
!",#, %&', %&(
!"#!, #$
Challenger Adversary
A one-pass AKA is D-AKA secure if the adversary’s advantagewinning this game is negligible.
D-AKA PRIVACY GAME
12
Challenger Adversary
D-AKA PRIVACY GAME
12
Challenger Adversary
Generate !"#, %"# , !"&' ,%"&'
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
Generate !"#, %"# , !"&' ,%"&'
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'
Generate !"#, %"# , !"&' ,%"&'
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'
Pick!"#$,&"#$
Generate !"#, %"# , !"&' ,%"&'
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'!"#$,&"#$
Pick!"#$,&"#$
Generate !"#, %"# , !"&' ,%"&'
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'!"#$,&"#$
Pick!"#$,&"#$
Generate !"#, %"# , !"&' ,%"&'
Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'!"#$,&"#$
!Pick!"#$,&"#$
Generate !"#, %"# , !"&' ,%"&'
Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'!"#$,&"#$
!Pick!"#$,&"#$
Generate !"#, %"# , !"&' ,%"&'
Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'!"#$,&"#$
!Pick!"#$,&"#$
!"
Generate !"#, %"# , !"&' ,%"&'
Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'!"#$,&"#$
!Pick!"#$,&"#$
!" If!" = !Itwins
Generate !"#, %"# , !"&' ,%"&'
Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()
D-AKA PRIVACY GAME
12
Challenger Adversary
!"#$%&'(.,.)((*+',-+', . , . )
!"#, %"&',!"&'!"#$,&"#$
!Pick!"#$,&"#$
!" If!" = !Itwins
Generate !"#, %"# , !"&' ,%"&'
Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()
A one-pass AKA is D-AKA private if the adversary’s advantagewinning this game is negligible.
NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL
13
!"#, %"#,%"&!"&,%"&,%"#
NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL
13
Publicparameter! orderof" and# ∈ !
!"# ∈ ℤ'("# = *+,-
!". ∈ ℤ'(". = *+,/
!"#, %"#,%"&!"&,%"&,%"#
NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL
13
Publicparameter! orderof" and# ∈ !
!"# ∈ ℤ'("# = *+,-
!". ∈ ℤ'(". = *+,/
!"#, %"#,%"&!"&,%"&,%"#
Pick! ∈ 0,1 ℓ
' = )(+, ,-., ,-/,,-/012,!)
NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL
13
Publicparameter! orderof" and# ∈ !
!"# ∈ ℤ'("# = *+,-
!". ∈ ℤ'(". = *+,/
!"#, %"#,%"&!"&,%"&,%"#
Pick! ∈ 0,1 ℓ
' = )(+, ,-., ,-/,,-/012,!)
!
NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL
13
Publicparameter! orderof" and# ∈ !
!"# ∈ ℤ'("# = *+,-
!". ∈ ℤ'(". = *+,/
!"#, %"#,%"&!"&,%"&,%"#
Pick! ∈ 0,1 ℓ
' = )(+, ,-., ,-/,,-/012,!)! = #(%, '(),'(*,'()
+,- ,.)
!
NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL
13
Publicparameter! orderof" and# ∈ !
!"# ∈ ℤ'("# = *+,-
!". ∈ ℤ'(". = *+,/
!"#, %"#,%"&!"&,%"&,%"#
Pick! ∈ 0,1 ℓ
' = )(+, ,-., ,-/,,-/012,!)! = #(%, '(),'(*,'()
+,- ,.)
!
Nonce-DH is D-AKA secure and private in the random oracle model assuming that Gap Diffie-Hellman problem is hard.
NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL
13
Publicparameter! orderof" and# ∈ !
!"# ∈ ℤ'("# = *+,-
!". ∈ ℤ'(". = *+,/
!"#, %"#,%"&!"&,%"&,%"#
Pick! ∈ 0,1 ℓ
' = )(+, ,-., ,-/,,-/012,!)! = #(%, '(),'(*,'()
+,- ,.)
!
Nonce-DH is D-AKA secure and private in the random oracle model assuming that Gap Diffie-Hellman problem is hard.
KA Efficiency Security
MQV 2.5 No proof
HMQV 2.5 CK
KEA+ 3 CK
NAXOS 4 eCK
CMQV 3 eCK
Nonce-DH 1 D-AKA
14
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
EFF-PKDB
15
Verifier Prover!"#, %"#, %"&!"&, %"&
! ← #(1&)( = *((+,, .+,, .+/, !)
!, #$%! = #(!%&,(%&,(%),*)
symDB(!)
Out
SECURITY OF EFF-PKDB
16
MiM Security: If symDB is multi-verifier OT-MiM secure and the key agreement protocol is D-AKA secure, the Eff-pkDB is MiM-secure.
DF Security: If symDB is DF-secure, then Eff-pkDB is DF-secure.
DH security: If symDB is OT-MiM-secure, OT-DH-secure and if the key agreement protocol is D-AKA secure then Eff-pkDB is DH-secure.
STRONG PRIVATE VARIANT OF EFF-PKDB
17
! ← #(1&)( = *+,-./0 !, 2345 = 6(534, 234, 237, !)
(
!, 234 = #(,8./0 (()5 = 9 53:,23:,23;,!
234 isprivateoutput
Verifier Prover
symDB(5)
Out
534, 234, 237=(2370 ,237< )
Assuming the key agreement protocol is D-AKA-private and the cryptosystem is IND-CCA secure, then the variant of Eff-pkDB is strong private in HPVP model.
AN INSTANCE OF EFF-PKDBNONCE-DH+OTDB*
18
!"# ∈ ℤ'("# = *+,-
!"., ("., ("# !". ∈ ℤ'(". = *+,0
Publicparameter1 orderof2 and* ∈ 1
!"#, ("#,(".
Pick3 ∈ 0,1 ℓ
! = 7 *,("., ("#,("#+,0 ,3
8 = 3#⨁!
:; = 8<;=>?
3,(".
3#for@ = 0toA
B;:;Out
! = # $,&'(, &'),&'(*+, ,-
pick-) ∈ 0,1 12
3 = -)⨁!
starttimerendtimer
checkif∀6899: < 2= and8:iscorrect
* S. Vaudenay, Private and Secure Distance Bounding: Application to NFC Payment, FC 2015
19
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
COMPARISON
20
Protocol Security Privacy PK Operation Number of Computations
Brands-Chaum MiM, DF No privacy 1 commitment, 1 signature 1 EC multiplication, 2 hashing, 1 modular inversion, 1 random string selection
HPO (Hermans et al.)
MiM, DF Weak 4 EC multiplication, 2 random string selections, 2 mappings
PrivDB (Vaudenay)
MiM, DF, DH Strong 1 signature, 1 IND-CCA encryption 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 modular inversion, 1mapping, 1 MAC
ProProx (Vaudenay) MiM, DF, DH, TF No Privacy n+1 commitment, n ZK proofs
eProProx (Vaudenay)
MiM, DF, DH, TF Strong 1 encryption, n+1 commitments, n ZK proofs
TREAD (Avoine et al.)
MiM, DF, DH, TF* Strong 1 signature, 1 IND-CCA encryption 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 modular inversion, 1mapping, 1 MAC
Eff-pkDB MiM, DF, DH, (TF*)
No Privacy 1 D-AKA secure KA protocol 1 EC multiplication, 2 hashing, 1 random string selection,
Private Variant of Eff-pkDB
MiM, DF, DH, (TF*)
Strong 1 IND-CCA encryption, 1 D-AKA secure KA protocol
3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 MAC
*ECDSAforthesignatureschemeandECIESfortheIND-CCAsecureencryption scheme
21
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
INTRODUCTIONPREVIOUS WORKS
Smart Card Alliance: Defines the components (controller, database, reader and tag) and defines security in a informal way
PLAID*
OPACITY**
Privacy is an important issue in access control.
22
Based on establishing secret keyand mutual authentication
* C. A. governments Department of Human Services (DHS). Protocol for lightweight authentication of identity (PLAID), 2010.* * S. C. Alliance. Industry technical contributions: Opacity, 2013
INTRODUCTIONTHE STRUCTURE (CONTROLLERS, READERS, TAGS)
23
INTRODUCTIONTHE STRUCTURE (CONTROLLERS, READERS, TAGS)
23
24
INTRODUCTION COMPOSITION WITH DB
TagReaderController
24
INTRODUCTION COMPOSITION WITH DB
TagReaderControllerAn AC Protocol
24
INTRODUCTION COMPOSITION WITH DB
TagReaderControllerAn AC Protocol
A DB protocol
24
INTRODUCTION COMPOSITION WITH DB
TagReaderController
Is this natural
composition
secure and
private?
An AC Protocol
A DB protocol
25
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
ACCESS CONTROLCONTACTLESS AC PROTOCOL
Controller and Database Reader Tag
ACCESS CONTROLCONTACTLESS AC PROTOCOL
Controller and Database Reader Tag
GenC ! (skC , pkC) GenT ! (skT1 , pkT1)
(skT2 , pkT2)
(skTk , pkTk)
…
ACCESS CONTROLCONTACTLESS AC PROTOCOL
Controller and Database Reader Tag
GenC ! (skC , pkC)
C(skC , pkC , DataB,B) T (skT , pkT , pkC , req)R(locR)
GenT ! (skT1 , pkT1)
(skT2 , pkT2)
(skTk , pkTk)
…
ACCESS CONTROLCONTACTLESS AC PROTOCOL
Controller and Database Reader Tag
GenC ! (skC , pkC)
C(skC , pkC , DataB,B) T (skT , pkT , pkC , req)R(locR)
OutROutC
GenT ! (skT1 , pkT1)
(skT2 , pkT2)
(skTk , pkTk)
…
POutC = (pkT , locR, req)
ACCESS CONTROLCONTACTLESS AC PROTOCOL
Controller and Database Reader Tag
GenC ! (skC , pkC)
C(skC , pkC , DataB,B) T (skT , pkT , pkC , req)R(locR)
OutROutC
GenT ! (skT1 , pkT1)
(skT2 , pkT2)
(skTk , pkTk)
…
DataB = {(pk1, locRi , reqx), (pk2, locRj , reqy), ..., (pkk, locRi , reqx)}POutC = (pkT , locR, req)
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Tags are honest
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Secure and authenticatedTags are honest
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Secure and authenticatedTags are honest
Create DatabaseCreate fake tags
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Secure and authenticatedTags are honest
Activate(req)
Create DatabaseCreate fake tags
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Secure and authenticatedTags are honest
Activate(req)
req
Create DatabaseCreate fake tags
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Secure and authenticatedTags are honest
Activate(req)
req
Move(loc’)
Create DatabaseCreate fake tags
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Secure and authenticatedTags are honest
Activate(req)
req
Move(loc’)
Create DatabaseCreate fake tags
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Secure and authenticatedTags are honest
Activate(req)
req
Move(loc’)
Terminate
Create DatabaseCreate fake tags
27
ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL
Secure and authenticatedTags are honest
Activate(req)
req
Move(loc’)
Terminate
Create DatabaseCreate fake tags
It can intercept, observe, replace the messages between readers and tagsIt can create may instances of each party
28
ACCESS CONTROLAC-GAME
GenC ! pkC , skCGenT ! {pkTi
, skTi}
28
ACCESS CONTROLAC-GAME
GenC ! pkC , skC{pkTi
}, pkCGenT ! {pkTi
, skTi}
28
ACCESS CONTROLAC-GAME
GenC ! pkC , skC Create fake tags {s̃kT , p̃kT }{pkTi}, pkC
GenT ! {pkTi, skTi}
Create DataB
28
ACCESS CONTROLAC-GAME
GenC ! pkC , skC Create fake tags {s̃kT , p̃kT }{pkTi}, pkC
GenT ! {pkTi, skTi}
DataB Create DataB
29
ACCESS CONTROLAC-GAME
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
POutC = (pk, loc, req)
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
POutC = (pk, loc, req)
Adversary wins if one of the conditions are satisfied:
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
POutC = (pk, loc, req)
POutC = (pk, loc, req) /2 DataB
Adversary wins if one of the conditions are satisfied:
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
POutC = (pk, loc, req)
POutC = (pk, loc, req) /2 DataB
(MiM)pk is honest tag’s key and
no close honest tag
Adversary wins if one of the conditions are satisfied:
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
T
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
POutC = (pk, loc, req)
POutC = (pk, loc, req) /2 DataB
(MiM)pk is honest tag’s key and
no close honest tag
Adversary wins if one of the conditions are satisfied:
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
TT̃
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
POutC = (pk, loc, req)
POutC = (pk, loc, req) /2 DataB
(MiM)pk is honest tag’s key and
no close honest tag
Adversary wins if one of the conditions are satisfied:
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
POutC = (pk, loc, req)
POutC = (pk, loc, req) /2 DataB
(MiM)pk is honest tag’s key and
no close honest tag
(DH)
pk is fake tag’s key andno close fake tag
Adversary wins if one of the conditions are satisfied:
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
T̃
POutC = (pk, loc, req)
POutC = (pk, loc, req) /2 DataB
(MiM)pk is honest tag’s key and
no close honest tag
(DH)
pk is fake tag’s key andno close fake tag
Adversary wins if one of the conditions are satisfied:
29
ACCESS CONTROLAC-GAME
R
TT̃
R T
RT
T̃T̃
R
T̃
R
T
RT
T̃
R
OutR = 1
GenC ! pkC , skC
GenT ! {pkTi, skTi}
DataB
T̃
T
POutC = (pk, loc, req)
POutC = (pk, loc, req) /2 DataB
(MiM)pk is honest tag’s key and
no close honest tag
(DH)
pk is fake tag’s key andno close fake tag
Adversary wins if one of the conditions are satisfied:
30
ACCESS CONTROLPRIVACY
30
ACCESS CONTROLPRIVACY
pick b 2 {`, r}
30
ACCESS CONTROLPRIVACY
Adversary can pair tags
Draw(Ti, Tj)
pick b 2 {`, r}
30
ACCESS CONTROLPRIVACY
Adversary can pair tags
Draw(Ti, Tj) Pair(3,4)
Pair(5,8)
Pair(1,7)
Pair(2,9)Pair(6,6)
pick b 2 {`, r}
30
ACCESS CONTROLPRIVACY
Adversary can pair tags
Draw(Ti, Tj) Pair(3,4)
Pair(5,8)
Pair(1,7)
Pair(2,9)Pair(6,6)
Pair(5,8)
pick b 2 {`, r}
30
ACCESS CONTROLPRIVACY
Adversary can pair tags
Draw(Ti, Tj) Pair(3,4)
Pair(5,8)
Pair(1,7)
Pair(2,9)Pair(6,6)
Pair(5,8) simulate T8
simulate T5
else
if b = r
pick b 2 {`, r}
30
ACCESS CONTROLPRIVACY
Adversary can pair tags
Draw(Ti, Tj) Pair(3,4)
Pair(5,8)
Pair(1,7)
Pair(2,9)Pair(6,6)
Pair(5,8) simulate T8
simulate T5
else
if b = r
pick b 2 {`, r}
b0
30
ACCESS CONTROLPRIVACY
Adversary can pair tags
Draw(Ti, Tj) Pair(3,4)
Pair(5,8)
Pair(1,7)
Pair(2,9)Pair(6,6)
Pair(5,8) simulate T8
simulate T5
else
if b = r
pick b 2 {`, r}
b0
Adversary wins if b0 = b
30
ACCESS CONTROLPRIVACY
Adversary can pair tags
Draw(Ti, Tj)
• and are at the same location• and have the same access privilegesTi Tj
Ti Tj
Pair(3,4)
Pair(5,8)
Pair(1,7)
Pair(2,9)Pair(6,6)
Pair(5,8) simulate T8
simulate T5
else
if b = r
pick b 2 {`, r}
b0
Adversary wins if b0 = b
31
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req, locR req
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req, locR req
run V (skC , pkC) run P (skT , pkT )
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req, locR req
run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req, locR req
run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )
output Out, pk
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req, locR req
run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )
output Out, pk
if (pk, locR, req) 2 DataB
OutC = Out
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req, locR req
run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )
output Out, pk
if (pk, locR, req) 2 DataB
OutC = Out
POut = (pk, locR, req)
else OutC = 0
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req, locR req
run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )
output Out, pk
if (pk, locR, req) 2 DataB
OutC = Out
POut = (pk, locR, req)
else OutC = 0
OutC
32
AC WITH DBOUR FRAMEWORK
TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)
req, locR req
run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )
output Out, pk
if (pk, locR, req) 2 DataB
OutC = Out
POut = (pk, locR, req)
else OutC = 0
OutCOutC
33
AC WITH DBSECURITY AND PRIVACY OF OUR FRAMEWORK
Assuming that the DB protocol is MiM-secure and DH-secure, then an AC protocol with using this DB protocol with our framework is a secure AC protocol.
SECURITY
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
33
AC WITH DBSECURITY AND PRIVACY OF OUR FRAMEWORK
Assuming that the DB protocol is MiM-secure and DH-secure, then an AC protocol with using this DB protocol with our framework is a secure AC protocol.
Assuming that the DB protocol is private DB, then an AC
protocol with our framework is private AC protocol when DataB is trivial.
SECURITY
PRIVACY
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
33
AC WITH DBSECURITY AND PRIVACY OF OUR FRAMEWORK
Assuming that the DB protocol is MiM-secure and DH-secure, then an AC protocol with using this DB protocol with our framework is a secure AC protocol.
Assuming that the DB protocol is private DB, then an AC
protocol with our framework is private AC protocol when DataB is trivial.
SECURITY
PRIVACY
empty or contains all possible triplets
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
V 0(skV , pkV ) P 0(skP , pkP , pkV )
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
V 0(skV , pkV ) P 0(skP , pkP , pkV )
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
V 0(skV , pkV ) P 0(skP , pkP , pkV )flag
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0 if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
V 0(skV , pkV ) P 0(skP , pkP , pkV )flag
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )flag
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
DataB = {(pk1, locR, req), (pk2, locR, req)}
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
pk1 is odd pk2 is even
DataB = {(pk1, locR, req), (pk2, locR, req)}
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
Pair(1,2) pk1 is odd pk2 is even
DataB = {(pk1, locR, req), (pk2, locR, req)}
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
Pair(1,2) pk1 is odd pk2 is even
DataB = {(pk1, locR, req), (pk2, locR, req)}R T
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
Pair(1,2) pk1 is odd pk2 is even
DataB = {(pk1, locR, req), (pk2, locR, req)}R T
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
Pair(1,2) pk1 is odd pk2 is even
DataB = {(pk1, locR, req), (pk2, locR, req)}Rflag = 1flag = 0
T
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
Pair(1,2) pk1 is odd pk2 is even
DataB = {(pk1, locR, req), (pk2, locR, req)}ROutR
flag = 1flag = 0T
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
34
AC WITH DBPRIVACY
DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)
flag = 0
run V (skV , pkV )
if flag = 1 and pkP is odd
KP ! (sk0P , pk0P )
(skP , pkP ) (sk0P , pk0P )
run P (skP , pkP , pkV )
V 0(skV , pkV ) P 0(skP , pkP , pkV )
DB = (KP ,KV , P, V,B)
flag
AC Protocol using DB’ with our framework
Pair(1,2) pk1 is odd pk2 is even
DataB = {(pk1, locR, req), (pk2, locR, req)}ROutR
flag = 1flag = 0T
if OutR = 1output b0 = `
elseoutput b0 = r
*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017
35
AC WITH DBEFF-AC (AN INSTANTIATION OF OUR FRAMEWORK)
36
OUTLINE
✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison
✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion
37
CONCLUSION
We define an integrated security model for AC including identification, access control, and distance bounding.
We give a framework that clarifies how to use a secure DB to construct a secure AC in our new security model.
We show that the same framework can be used to achieve privacy in AC with restrictions on the database of AC system.
37
CONCLUSION
We define an integrated security model for AC including identification, access control, and distance bounding.
We give a framework that clarifies how to use a secure DB to construct a secure AC in our new security model.
We show that the same framework can be used to achieve privacy in AC with restrictions on the database of AC system.
*’Secure Contactless Payment’ will appear in ACISP 2018
EFF-PKDB WITH SIM-TF
38