Dr. Kasper Bonne Rasmussen
Transcript of Dr. Kasper Bonne Rasmussen
May 26, 2011 (slide 1 of 41)
Localization and Distance Bounding
Dr. Kasper Bonne Rasmussen
Computer Science DepartmentUniversity of Califorrnia, Irvine
May 26, 2011 (slide 2 of 41)
Short Personal Introduction
Kasper Bonne Rasmussen
Post-doc in Prof. Gene Tsudik’s group.
From Denmark
May 26, 2011 (slide 3 of 41)
This Lecture
Guest lecture
I hope you’ll still find it relevant.
Main topic: Distance bounding (localization)
Examples of crypto use.Problems that might not be solvable with crypto.
Question
Who has heard about distance bounding before?
May 26, 2011 (slide 4 of 41)
Localization Is Everywhere
May 26, 2011 (slide 5 of 41)
Localization Is Everywhere
May 26, 2011 (slide 6 of 41)
Localization in the Context of Security
Access Control
Authentication
Key Exchange
. . .
May 26, 2011 (slide 7 of 41)
If It’s So Important, It Must Be Secure
What does secure mean?
Question
Is GPS localization ’Secure’?
Question
Is GSM localization ’Secure’?
Neither is WiFi localization (Skyhook) or LORAN or GLONASor . . .
May 26, 2011 (slide 8 of 41)
If It’s So Important, It Must Be Secure
What does secure mean?
Question
Is GPS localization ’Secure’?
Question
Is GSM localization ’Secure’?
Neither is WiFi localization (Skyhook) or LORAN or GLONASor . . .
May 26, 2011 (slide 9 of 41)
Let’s start with distance.(Distance Bounding)
May 26, 2011 (slide 10 of 41)
What is Distance Bounding
Enable V to measure an upper-bound on the physical distance to P
Verifier is trusted. Prover is untrusted.
The prover (P) cannot pretend to be closer than he really is.
The verifier (V) knows that the prover is within a certaindistance.
May 26, 2011 (slide 11 of 41)
What is Distance Bounding
Enable V to measure an upper-bound on the physical distance to P
Verifier is trusted. Prover is untrusted.
The prover (P) cannot pretend to be closer than he really is.
The verifier (V) knows that the prover is within a certaindistance.
May 26, 2011 (slide 12 of 41)
What is Distance Bounding
Enable V to measure an upper-bound on the physical distance to P
Verifier is trusted. Prover is untrusted.
The prover (P) cannot pretend to be closer than he really is.
The verifier (V) knows that the prover is within a certaindistance.
May 26, 2011 (slide 13 of 41)
Why is this Useful?
May 26, 2011 (slide 14 of 41)
Distance Bounding Protocol (first attempt)
Question
How would V measure the distance?
We can’t trust the prover.
This attack is called Distance Fraud
May 26, 2011 (slide 15 of 41)
Distance Bounding Protocol (first attempt)
Question
How would V measure the distance?
d =t2 − t1
2· c
We can’t trust the prover.
This attack is called Distance Fraud
May 26, 2011 (slide 16 of 41)
Distance Bounding Protocol (first attempt)
Question
How would V measure the distance?
d =t2 − t1 − ∆
2· c
We can’t trust the prover.
This attack is called Distance Fraud
May 26, 2011 (slide 17 of 41)
Distance Bounding Protocol (second attempt)
Question
Distance:
d =t2 − t1
2· c
We can’t trust the protocol environment.
This attack is called Mafia Fraud
May 26, 2011 (slide 18 of 41)
Distance Bounding Protocol (second attempt)
Question
Distance:
d =t2 − t1 − ∆
2· c
We can’t trust the protocol environment.
This attack is called Mafia Fraud
May 26, 2011 (slide 19 of 41)
Distance Bounding Protocol (Version 1)
Secure∗ against Distance Fraud and Mafia Fraud.
The Prover can’t reply before he receives the message.An external attacker can’t reply before the prover.
Question
What about delay?
May 26, 2011 (slide 20 of 41)
Now we have a simple distance bounding protocol,what can we do with it?
May 26, 2011 (slide 21 of 41)
May 26, 2011 (slide 22 of 41)
Safety/Security Trade-Off
MUST prevent unauthorized access.
Medical data is private and sensitive.Device settings can be critical.
MUST allow access to authorized physicians.
Change settings.Readout data.Access history.
MUST NOT “get in the way” in case of an emergency.
Emergency staff must be able to access medical device.. . . possibly in another country.
May 26, 2011 (slide 23 of 41)
Existing Solutions
Token Based Approaches
Token based access (USB, Smartcard, ...)Communication Cloaker
Certificate Based Approaches
IMD has a key from a trusted 3rd party.
User Alerts
Sound/vibration when IMD is engaging in wirelesscommunication.
Proximity Based Access Control Approaches.
Magnetic SwitchTelemetric Link: Confirm proximity via ’close range’communication.Distance Bounding Solution
May 26, 2011 (slide 24 of 41)
Distance Bounding Protocol (Version 1)
Secure∗ against Distance Fraud and Mafia Fraud.
The Prover can’t reply before he receives the message.An external attacker can’t reply before the prover.
Question
Is this really secure? Why is there an asterisk there?
May 26, 2011 (slide 25 of 41)
Distance Bounding Protocol (Version 2)
Change the single challenge response to a rapid bit exchange.
Secure against Distance Fraud and Mafia Fraud.
Question
How much difference does one little bit (e.g., 1ms) make?
d =t2 − t1
2· c =
0.001s
2· 300000km/s = 150km ≈ 93mi
May 26, 2011 (slide 26 of 41)
Distance Bounding Protocol (Version 2)
Change the single challenge response to a rapid bit exchange.
Secure against Distance Fraud and Mafia Fraud.
Question
How much difference does one little bit (e.g., 1ms) make?
d =t2 − t1
2· c =
0.001s
2· 300000km/s = 150km ≈ 93mi
May 26, 2011 (slide 27 of 41)
What about this processing function?
May 26, 2011 (slide 28 of 41)
Processing Function Speed
The real equation for finding the distance is
d =t2 − t1 − δp
2· c
δp must be a public value.
Question
Is this a problem?
A malicious prover can potentially cheat by asmuch as derror =
δp2 · c.
May 26, 2011 (slide 29 of 41)
Processing Function Speed
The real equation for finding the distance is
d =t2 − t1 − δp
2· c
δp must be a public value.
Question
Is this a problem? A malicious prover can potentially cheat by asmuch as derror =
δp2 · c.
May 26, 2011 (slide 30 of 41)
Processing Function Choices
sign(), MAC, h(), enc(). Slow!
XOR
Selection
May 26, 2011 (slide 31 of 41)
Processing Function Choices
sign(), MAC, h(), enc(). Slow!
XOR
Selection
May 26, 2011 (slide 32 of 41)
XOR and Selection
XOR and Selection are not well suited for DB.
Long symbol lengths are problematic.
May 26, 2011 (slide 33 of 41)
XOR and Selection
XOR and Selection are not well suited for DB.
Long symbol lengths are problematic.
May 26, 2011 (slide 34 of 41)
Challenge Reflection with Channel Selection (CRCS)
May 26, 2011 (slide 35 of 41)
Implementation of CRCS
CRCS enables receive + processing + send in tp < 1ns
Mixer creates two copies of the signal at fc ± f∆
May 26, 2011 (slide 36 of 41)
Measurements
May 26, 2011 (slide 37 of 41)
MeasurementsThat is a maximum window for the attacker to cheat of:
d =δp2
· c =1ns
2· 300000km/s ≈ 15cm ≈ 12in
May 26, 2011 (slide 38 of 41)
Final words...
May 26, 2011 (slide 39 of 41)
RF- Vs. Ultrasonic Distance Bounding
Radio (RF)
X Radio is fast
X Attacker can not speed upthe signal and create awormhole.
X Provides firm guaranties.
– Needs special purpose radio.
Appropriate for mostapplications
Ultrasound (US)
–/X Sound is slow
X US Radio has enough timeto do almost any function(e.g., XOR).
X Inexpensive hardware.
– Attacker create a wormhole.
– An attacker might be ableto induce current in thereceiver.
Appropriate for someapplications. E.g.,Implantable Medical devices.
May 26, 2011 (slide 40 of 41)
Summary
– Questions?
A distance bounding protocol provides an upper bound on thephysical distance from a verifier to a prover.
Attacks are often against the protocol itself rather than thecrypto involved.
The prover must be able to process messages fast.Instantaneously would be ideal.
Questions?
May 26, 2011 (slide 41 of 41)
Summary – Questions?
A distance bounding protocol provides an upper bound on thephysical distance from a verifier to a prover.
Attacks are often against the protocol itself rather than thecrypto involved.
The prover must be able to process messages fast.Instantaneously would be ideal.
Questions?
End of presentation.