
Page 1: Dr. Kasper Bonne Rasmussen

May 26, 2011 (slide 1 of 41)

Localization and Distance Bounding

Dr. Kasper Bonne Rasmussen

Computer Science Department, University of California, Irvine

[email protected]

Page 2

Short Personal Introduction

Kasper Bonne Rasmussen

Post-doc in Prof. Gene Tsudik’s group.

From Denmark

Page 3

This Lecture

Guest lecture

I hope you’ll still find it relevant.

Main topic: Distance bounding (localization)

Examples of crypto use.

Problems that might not be solvable with crypto.

Question

Who has heard about distance bounding before?

Page 4

Localization Is Everywhere

Page 6

Localization in the Context of Security

Access Control

Authentication

Key Exchange

. . .

Page 7

If It’s So Important, It Must Be Secure

What does secure mean?

Question

Is GPS localization ’Secure’?

Question

Is GSM localization ’Secure’?

Neither is WiFi localization (Skyhook), LORAN, GLONASS, or . . .

Page 9

Let’s start with distance. (Distance Bounding)

Page 10

What is Distance Bounding

Enable V to measure an upper-bound on the physical distance to P

Verifier is trusted. Prover is untrusted.

The prover (P) cannot pretend to be closer than he really is.

The verifier (V) knows that the prover is within a certain distance.

Page 13

Why is this Useful?

Page 16

Distance Bounding Protocol (first attempt)

Question

How would V measure the distance?

$d = \frac{t_2 - t_1 - \Delta}{2} \cdot c$

We can’t trust the prover.

This attack is called Distance Fraud

Page 18

Distance Bounding Protocol (second attempt)

Question

Distance:

$d = \frac{t_2 - t_1 - \Delta}{2} \cdot c$

We can’t trust the protocol environment.

This attack is called Mafia Fraud

Page 19

Distance Bounding Protocol (Version 1)

Secure∗ against Distance Fraud and Mafia Fraud.

The prover can’t reply before he receives the message.

An external attacker can’t reply before the prover.

Question

What about delay?

Page 20

Now we have a simple distance bounding protocol, what can we do with it?

Page 22

Safety/Security Trade-Off

MUST prevent unauthorized access.

Medical data is private and sensitive.

Device settings can be critical.

MUST allow access to authorized physicians.

Change settings. Read out data. Access history.

MUST NOT “get in the way” in case of an emergency.

Emergency staff must be able to access the medical device, possibly in another country.

Page 23

Existing Solutions

Token Based Approaches

Token based access (USB, smartcard, ...)

Communication Cloaker

Certificate Based Approaches

IMD has a key from a trusted 3rd party.

User Alerts

Sound/vibration when the IMD is engaging in wireless communication.

Proximity Based Access Control Approaches

Magnetic Switch

Telemetric Link: Confirm proximity via ’close range’ communication.

Distance Bounding Solution

Page 24

Distance Bounding Protocol (Version 1)

Secure∗ against Distance Fraud and Mafia Fraud.

The prover can’t reply before he receives the message.

An external attacker can’t reply before the prover.

Question

Is this really secure? Why is there an asterisk there?

Page 25

Distance Bounding Protocol (Version 2)

Change the single challenge response to a rapid bit exchange.

Secure against Distance Fraud and Mafia Fraud.

Question

How much difference does one little bit (e.g., 1ms) make?

$d = \frac{t_2 - t_1}{2} \cdot c = \frac{0.001\,\text{s}}{2} \cdot 300000\,\text{km/s} = 150\,\text{km} \approx 93\,\text{mi}$

Page 27

What about this processing function?

Page 28

Processing Function Speed

The real equation for finding the distance is

$d = \frac{t_2 - t_1 - \delta_p}{2} \cdot c$

$\delta_p$ must be a public value.

Question

Is this a problem?

A malicious prover can potentially cheat by as much as $d_{error} = \frac{\delta_p}{2} \cdot c$.
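The simulation below is an added example, not code from the lecture. It puts the rapid bit exchange of page 25 and the processing-delay formula above into one runnable model: the verifier times each single-bit challenge/response round, subtracts the public $\delta_p$, and converts the remainder to a distance bound; a far-away prover that wants to look close must emit its reply before the challenge can reach it, so it can only guess the challenge bit, and $n$ rounds drive its success probability to $2^{-n}$. The concrete response function (a committed nonce bit XORed with the challenge bit, with the transcript authenticated afterwards by an HMAC under a pre-shared key), the key itself and the distances and delays are assumptions made here for illustration; the slides do not fix a construction. Time is simulated in seconds rather than measured, and the physical-layer problem with XOR that page 32 raises (long symbol lengths) is outside the model.

```python
"""Simulated rapid-bit-exchange distance bounding with a public processing delay.

Added illustration, not code from the lecture. Response function: committed
nonce bit XOR challenge bit; transcript authenticated by HMAC under a
pre-shared key (both are assumptions). Time is simulated in seconds.
"""
import hashlib
import hmac
import random

C = 299_792_458.0  # speed of light, m/s (the slides round to 300000 km/s)


def distance_bound(t1, t2, delta_p, c=C):
    """Upper bound on the prover's distance: d = ((t2 - t1 - delta_p) / 2) * c."""
    return (t2 - t1 - delta_p) / 2.0 * c


def cheat_window(delta_p, c=C):
    """Distance a prover with ~zero real processing time can shave off: delta_p / 2 * c."""
    return delta_p / 2.0 * c


def transcript_mac(key, commitment, challenges, responses):
    return hmac.new(key, commitment + bytes(challenges) + bytes(responses), hashlib.sha256).digest()


class HonestProver:
    """Waits for each challenge c_i and answers nonce_i XOR c_i after exactly delta_p."""

    def __init__(self, key, distance_m, delta_p, n, rng):
        self.key, self.distance_m, self.delta_p = key, distance_m, delta_p
        self.nonce = [rng.randrange(2) for _ in range(n)]

    def commit(self):
        return hashlib.sha256(bytes(self.nonce)).digest()

    def respond(self, i, t_sent, t_arrive, read_challenge):
        c = read_challenge(t_arrive)              # readable only once it has arrived
        return self.nonce[i] ^ c, t_arrive + self.delta_p

    def finish(self, commitment, challenges, responses):
        return self.nonce, transcript_mac(self.key, commitment, challenges, responses)


class DistanceFraudProver(HonestProver):
    """Far-away prover posing as if at claimed_m: it must emit each reply before
    the challenge reaches it, so it can only guess c_i (distance fraud)."""

    def __init__(self, key, distance_m, delta_p, n, rng, claimed_m):
        super().__init__(key, distance_m, delta_p, n, rng)
        self.rng, self.claimed_m = rng, claimed_m

    def respond(self, i, t_sent, t_arrive, read_challenge):
        # Latest emission time whose reply still arrives as if sent from claimed_m.
        t_emit = t_sent + 2 * self.claimed_m / C + self.delta_p - self.distance_m / C
        if t_emit >= t_arrive:                      # close enough: no need to cheat
            return super().respond(i, t_sent, t_arrive, read_challenge)
        return self.nonce[i] ^ self.rng.randrange(2), t_emit   # blind guess


def run_protocol(prover, key, true_distance_m, max_distance_m, delta_p, n, rng):
    """Verifier side; trusts only its own clock, the public delta_p and the key.
    true_distance_m models the physical channel; the verifier never reads it."""
    commitment = prover.commit()
    t, challenges, responses = 0.0, [], []
    for i in range(n):
        c, t1 = rng.randrange(2), t
        t_arrive = t1 + true_distance_m / C                    # channel V -> P

        def read_challenge(at, c=c, t_arrive=t_arrive):
            if at < t_arrive:
                raise RuntimeError("challenge read before it arrived")
            return c

        bit, t_emit = prover.respond(i, t1, t_arrive, read_challenge)
        t2 = t_emit + true_distance_m / C                      # channel P -> V
        d = distance_bound(t1, t2, delta_p)
        if d > max_distance_m:
            return False, f"round {i}: bound {d:.1f} m exceeds {max_distance_m} m"
        challenges.append(c)
        responses.append(bit)
        t = t2 + 1e-6                                          # next slot
    nonce, tag = prover.finish(commitment, challenges, responses)
    if hashlib.sha256(bytes(nonce)).digest() != commitment:
        return False, "commitment does not open to the nonce"
    if not hmac.compare_digest(tag, transcript_mac(key, commitment, challenges, responses)):
        return False, "transcript MAC invalid"
    for i in range(n):
        if responses[i] != nonce[i] ^ challenges[i]:
            return False, f"round {i}: wrong response bit (guessed before the challenge arrived?)"
    return True, "accepted"


def honest_run(distance_m, max_m=10.0, n=16, delta_p=1e-9, seed=0):
    rng, key = random.Random(seed), b"pre-shared-key"   # constructed test key
    prover = HonestProver(key, distance_m, delta_p, n, rng)
    return run_protocol(prover, key, distance_m, max_m, delta_p, n, rng)


def fraud_success_rate(n, trials, true_m=500.0, max_m=10.0, delta_p=1e-9, seed=1):
    """Empirical acceptance rate of a guessing prover; the analytic value is 2**-n."""
    rng, key, accepted = random.Random(seed), b"pre-shared-key", 0
    for _ in range(trials):
        prover = DistanceFraudProver(key, true_m, delta_p, n, rng, claimed_m=max_m / 2)
        accepted += run_protocol(prover, key, true_m, max_m, delta_p, n, rng)[0]
    return accepted / trials


if __name__ == "__main__":
    print(honest_run(5.0), honest_run(20.0))
    print("1 ms slot  ->", distance_bound(0.0, 1e-3, 0.0, c=3e8) / 1e3, "km")
    print("1 ns delay ->", cheat_window(1e-9, c=3e8) * 100, "cm")
    print("fraud: 1 round", fraud_success_rate(1, 400), "/ 24 rounds", fraud_success_rate(24, 50))
```

The timing check alone is what keeps a distant prover out; the commitment and the MAC only stop it from changing its nonce after the fact and bind the transcript to the key holder. A one-round exchange is a coin flip for the cheater, which is why the protocol repeats the bit exchange; `distance_bound` with a 1 ms round trip reproduces the 150 km of page 25, and `cheat_window` with $\delta_p = 1$ ns the 15 cm discussed on the measurement slide.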

Page 30

Processing Function Choices

sign(), MAC, h(), enc(). Slow!

XOR

Selection

Page 32

XOR and Selection

XOR and Selection are not well suited for DB.

Long symbol lengths are problematic.

Page 34

Challenge Reflection with Channel Selection (CRCS)

Page 35

Implementation of CRCS

CRCS enables receive + processing + send in $t_p < 1\,\text{ns}$

Mixer creates two copies of the signal at $f_c \pm f_\Delta$

Page 36

Measurements

Page 37

Measurements

That is a maximum window for the attacker to cheat of:

$d = \frac{\delta_p}{2} \cdot c = \frac{1\,\text{ns}}{2} \cdot 300000\,\text{km/s} \approx 15\,\text{cm} \approx 6\,\text{in}$

Page 38

Final words...

Page 39

RF vs. Ultrasonic Distance Bounding

Radio (RF)

+ Radio is fast.
+ The attacker cannot speed up the signal and create a wormhole.
+ Provides firm guarantees.
– Needs a special-purpose radio.

Appropriate for most applications.

Ultrasound (US)

–/+ Sound is slow.
+ A US transceiver has enough time to do almost any function (e.g., XOR).
+ Inexpensive hardware.
– An attacker can create a wormhole (relay the signal over a faster channel).
– An attacker might be able to induce current in the receiver.

Appropriate for some applications, e.g., implantable medical devices.

Page 41

Summary – Questions?

A distance bounding protocol provides an upper bound on the physical distance from a verifier to a prover.

Attacks are often against the protocol itself rather than the crypto involved.

The prover must be able to process messages fast. Instantaneously would be ideal.

Questions?
