PUBLIC-KEY DISTANCE BOUNDING AND ITS APPLICATION ON CONTACTLESS ACCESS

CONTROLHandan Kılınç

handan.kilinc@epfl.ch

Presentation at FutureDB - Distance-bounding: past, present, future

*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

2

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

3

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

4

INTRODUCTIONDISTANCE BOUNDING

ProverVerifier

4

INTRODUCTIONDISTANCE BOUNDING

The prover authenticatesand proves its proximity

ProverVerifier

INTRODUCTION

Symmetric Distance Bounding: The prover and the verifier share a secret

Public-key Distance Bounding: The prover has its own secret/public key and the public-key of the verifier

5

INTRODUCTIONPROBLEMS IN PUBLIC KEY DB

6

Slower than symmetric key operations

Limited computational resources on the devices

INTRODUCTIONPROBLEMS IN PUBLIC KEY DB

6

Slower than symmetric key operations

Limited computational resources on the devices

INTRODUCTIONPROBLEMS IN PUBLIC KEY DB

6

Slower than symmetric key operations

Limited computational resources on the devices

INTRODUCTIONPROBLEMS IN PUBLIC KEY DB

6

Slower than symmetric key operations

Limited computational resources on the devices

Construct an efficient and secure public-key distance bounding

STRONG PRIVACY IN DBHPVP*

7

We have provers P1, P2, P3,…, Pn and the adversary A A can corrupt the provers: learns the secret keys of the provers.

As a challenge, A picks two provers Pi, Pj

Challenger picks one of them as a virtual tag and gives the virtual

prover to A.

A can send messages to the virtual tag.

A can send messages to the verifier.

If A can recognize the virtual tag, then he wins the game.

* J. Hermans, A. Pashalidis, F. Vercauteren, and B. Preneel. A new RFID privacy model. In ESORICS, 2011

STRONG PRIVACY IN DBHPVP*

7

We have provers P1, P2, P3,…, Pn and the adversary A A can corrupt the provers: learns the secret keys of the provers.

As a challenge, A picks two provers Pi, Pj

Challenger picks one of them as a virtual tag and gives the virtual

prover to A.

A can send messages to the virtual tag.

A can send messages to the verifier.

If A can recognize the virtual tag, then he wins the game.

A DB protocol is strong private if A wins the above game with negligible advantage.

* J. Hermans, A. Pashalidis, F. Vercauteren, and B. Preneel. A new RFID privacy model. In ESORICS, 2011

AN OVERVIEW OF OUR PROTOCOL

8

Agree on a key s with using a key agreement (KA) protocol

Run a symmetric DB with s

AN OVERVIEW OF OUR PROTOCOL

8

Agree on a key s with using a key agreement (KA) protocol

Run a symmetric DB with s

What kind of security properties do we need for the key agreement protocol to have MiM, DF and DH secure and strong private DB protocol?

AN OVERVIEW OF OUR PROTOCOL

8

Agree on a key s with using a key agreement (KA) protocol

Run a symmetric DB with s

What kind of security properties do we need for the key agreement protocol to have MiM, DF and DH secure and strong private DB protocol?

KA Efficiency Security

MQV 2.5 No proof

HMQV 2.5 CK

KEA+ 3 CK

NAXOS 4 eCK

CMQV 3 eCK

9

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

AUTHENTICATED KEY AGREEMENTONE PASS

10

!"#,%"#,%"& !"#, %"#,%"&

*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016

AUTHENTICATED KEY AGREEMENTONE PASS

10

! ← #(1&))(*+,, .+,, .+/,!)

!"#,%"#,%"& !"#, %"#,%"&

*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016

AUTHENTICATED KEY AGREEMENTONE PASS

10

! ← #(1&))(*+,, .+,, .+/,!)

!"#,%"#,%"& !"#, %"#,%"&

!

*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016

AUTHENTICATED KEY AGREEMENTONE PASS

10

!(#$%,'$%,'$(, ))! ← #(1&))(*+,, .+,, .+/,!)

!"#,%"#,%"& !"#, %"#,%"&

!

*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016

AUTHENTICATED KEY AGREEMENTONE PASS

10

!(#$%,'$%,'$(, ))! ← #(1&))(*+,, .+,, .+/,!)

!"#,%"#,%"& !"#, %"#,%"&

!

!!

*Handan Kılınç and Serge Vaudenay. Efficient public-key distance bounding protocol. In ASIACRYPT, 2016

Decisional-Authenticated Key Agreement(D-AKA)

11

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)

!"#$%&4(.,.)5(./4,1/4, . , . )

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)

!"#$%&4(.,.)5(./4,1/4, . , . )

!"#

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)

!"#$%&4(.,.)5(./4,1/4, . , . )

!"#!, #$

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)

!"#$%&4(.,.)5(./4,1/4, . , . )

!",#, %&', %&(

!"#!, #$

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)

!"#$%&4(.,.)5(./4,1/4, . , . )

Itcanaccesstheoraclesexcept("#$,&)

!",#, %&', %&(

!"#!, #$

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)

!"#$%&4(.,.)5(./4,1/4, . , . )

Itcanaccesstheoraclesexcept("#$,&)

!"

!",#, %&', %&(

!"#!, #$

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)

!"#$%&4(.,.)5(./4,1/4, . , . )

Itcanaccesstheoraclesexcept("#$,&)

!" If!" = !Itwins

!",#, %&', %&(

!"#!, #$

Challenger Adversary

Decisional-Authenticated Key Agreement(D-AKA)

11

Generate !"#, %"# , !"&,%"&Pick!'Pick( ∈ {0,1}

!"#$%&'(.)N← )(1,)runB(./', 1/', . ,3)

!"#$%&4(.,.)5(./4,1/4, . , . )

Itcanaccesstheoraclesexcept("#$,&)

!" If!" = !Itwins

!",#, %&', %&(

!"#!, #$

Challenger Adversary

A one-pass AKA is D-AKA secure if the adversary’s advantagewinning this game is negligible.

D-AKA PRIVACY GAME

12

Challenger Adversary

D-AKA PRIVACY GAME

12

Challenger Adversary

Generate !"#, %"# , !"&' ,%"&'

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

Generate !"#, %"# , !"&' ,%"&'

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'

Generate !"#, %"# , !"&' ,%"&'

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'

Pick!"#$,&"#$

Generate !"#, %"# , !"&' ,%"&'

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'!"#$,&"#$

Pick!"#$,&"#$

Generate !"#, %"# , !"&' ,%"&'

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'!"#$,&"#$

Pick!"#$,&"#$

Generate !"#, %"# , !"&' ,%"&'

Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'!"#$,&"#$

!Pick!"#$,&"#$

Generate !"#, %"# , !"&' ,%"&'

Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'!"#$,&"#$

!Pick!"#$,&"#$

Generate !"#, %"# , !"&' ,%"&'

Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'!"#$,&"#$

!Pick!"#$,&"#$

!"

Generate !"#, %"# , !"&' ,%"&'

Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'!"#$,&"#$

!Pick!"#$,&"#$

!" If!" = !Itwins

Generate !"#, %"# , !"&' ,%"&'

Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()

D-AKA PRIVACY GAME

12

Challenger Adversary

!"#$%&'(.,.)((*+',-+', . , . )

!"#, %"&',!"&'!"#$,&"#$

!Pick!"#$,&"#$

!" If!" = !Itwins

Generate !"#, %"# , !"&' ,%"&'

Pick! ∈ {0,1}( ← *(1,),. = 0(.123, 4123,415,()

A one-pass AKA is D-AKA private if the adversary’s advantagewinning this game is negligible.

NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL

13

!"#, %"#,%"&!"&,%"&,%"#

NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL

13

Publicparameter! orderof" and# ∈ !

!"# ∈ ℤ'("# = *+,-

!". ∈ ℤ'(". = *+,/

!"#, %"#,%"&!"&,%"&,%"#

NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL

13

Publicparameter! orderof" and# ∈ !

!"# ∈ ℤ'("# = *+,-

!". ∈ ℤ'(". = *+,/

!"#, %"#,%"&!"&,%"&,%"#

Pick! ∈ 0,1 ℓ

' = )(+, ,-., ,-/,,-/012,!)

NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL

13

Publicparameter! orderof" and# ∈ !

!"# ∈ ℤ'("# = *+,-

!". ∈ ℤ'(". = *+,/

!"#, %"#,%"&!"&,%"&,%"#

Pick! ∈ 0,1 ℓ

' = )(+, ,-., ,-/,,-/012,!)

!

NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL

13

Publicparameter! orderof" and# ∈ !

!"# ∈ ℤ'("# = *+,-

!". ∈ ℤ'(". = *+,/

!"#, %"#,%"&!"&,%"&,%"#

Pick! ∈ 0,1 ℓ

' = )(+, ,-., ,-/,,-/012,!)! = #(%, '(),'(*,'()

+,- ,.)

!

NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL

13

Publicparameter! orderof" and# ∈ !

!"# ∈ ℤ'("# = *+,-

!". ∈ ℤ'(". = *+,/

!"#, %"#,%"&!"&,%"&,%"#

Pick! ∈ 0,1 ℓ

' = )(+, ,-., ,-/,,-/012,!)! = #(%, '(),'(*,'()

+,- ,.)

!

Nonce-DH is D-AKA secure and private in the random oracle model assuming that Gap Diffie-Hellman problem is hard.

NONCE-DHD-AKA SECURE AND PRIVATE KEY AGREEMENT PROTOCOL

13

Publicparameter! orderof" and# ∈ !

!"# ∈ ℤ'("# = *+,-

!". ∈ ℤ'(". = *+,/

!"#, %"#,%"&!"&,%"&,%"#

Pick! ∈ 0,1 ℓ

' = )(+, ,-., ,-/,,-/012,!)! = #(%, '(),'(*,'()

+,- ,.)

!

Nonce-DH is D-AKA secure and private in the random oracle model assuming that Gap Diffie-Hellman problem is hard.

KA Efficiency Security

MQV 2.5 No proof

HMQV 2.5 CK

KEA+ 3 CK

NAXOS 4 eCK

CMQV 3 eCK

Nonce-DH 1 D-AKA

14

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

EFF-PKDB

15

Verifier Prover!"#, %"#, %"&!"&, %"&

! ← #(1&)( = *((+,, .+,, .+/, !)

!, #$%! = #(!%&,(%&,(%),*)

symDB(!)

Out

SECURITY OF EFF-PKDB

16

MiM Security: If symDB is multi-verifier OT-MiM secure and the key agreement protocol is D-AKA secure, the Eff-pkDB is MiM-secure.

DF Security: If symDB is DF-secure, then Eff-pkDB is DF-secure.

DH security: If symDB is OT-MiM-secure, OT-DH-secure and if the key agreement protocol is D-AKA secure then Eff-pkDB is DH-secure.

STRONG PRIVATE VARIANT OF EFF-PKDB

17

! ← #(1&)( = *+,-./0 !, 2345 = 6(534, 234, 237, !)

(

!, 234 = #(,8./0 (()5 = 9 53:,23:,23;,!

234 isprivateoutput

Verifier Prover

symDB(5)

Out

534, 234, 237=(2370 ,237< )

Assuming the key agreement protocol is D-AKA-private and the cryptosystem is IND-CCA secure, then the variant of Eff-pkDB is strong private in HPVP model.

AN INSTANCE OF EFF-PKDBNONCE-DH+OTDB*

18

!"# ∈ ℤ'("# = *+,-

!"., ("., ("# !". ∈ ℤ'(". = *+,0

Publicparameter1 orderof2 and* ∈ 1

!"#, ("#,(".

Pick3 ∈ 0,1 ℓ

! = 7 *,("., ("#,("#+,0 ,3

8 = 3#⨁!

:; = 8<;=>?

3,(".

3#for@ = 0toA

B;:;Out

! = # $,&'(, &'),&'(*+, ,-

pick-) ∈ 0,1 12

3 = -)⨁!

starttimerendtimer

checkif∀6899: < 2= and8:iscorrect

* S. Vaudenay, Private and Secure Distance Bounding: Application to NFC Payment, FC 2015

19

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

COMPARISON

20

Protocol Security Privacy PK Operation Number of Computations

Brands-Chaum MiM, DF No privacy 1 commitment, 1 signature 1 EC multiplication, 2 hashing, 1 modular inversion, 1 random string selection

HPO (Hermans et al.)

MiM, DF Weak 4 EC multiplication, 2 random string selections, 2 mappings

PrivDB (Vaudenay)

MiM, DF, DH Strong 1 signature, 1 IND-CCA encryption 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption,  1 modular inversion,  1mapping, 1 MAC

ProProx (Vaudenay) MiM, DF, DH, TF No Privacy n+1 commitment, n ZK proofs

eProProx (Vaudenay)

MiM, DF, DH, TF Strong 1 encryption, n+1 commitments, n ZK proofs

TREAD (Avoine et al.)

MiM, DF, DH, TF* Strong 1 signature, 1 IND-CCA encryption 3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption,  1 modular inversion,  1mapping, 1 MAC

Eff-pkDB MiM, DF, DH, (TF*)

No Privacy 1 D-AKA secure KA protocol 1 EC multiplication, 2 hashing, 1 random string selection,

Private Variant of Eff-pkDB

MiM, DF, DH, (TF*)

Strong 1 IND-CCA encryption, 1 D-AKA secure KA protocol

3 EC multiplication, 2 hashing, 2 random string selections, 1 symmetric key encryption, 1 MAC

*ECDSAforthesignatureschemeandECIESfortheIND-CCAsecureencryption scheme

21

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

INTRODUCTIONPREVIOUS WORKS

Smart Card Alliance: Defines the components (controller, database, reader and tag) and defines security in a informal way

PLAID*

OPACITY**

Privacy is an important issue in access control.

22

Based on establishing secret keyand mutual authentication

* C. A. governments Department of Human Services (DHS). Protocol for lightweight authentication of identity (PLAID), 2010.* * S. C. Alliance. Industry technical contributions: Opacity, 2013

INTRODUCTIONTHE STRUCTURE (CONTROLLERS, READERS, TAGS)

23

INTRODUCTIONTHE STRUCTURE (CONTROLLERS, READERS, TAGS)

23

24

INTRODUCTION COMPOSITION WITH DB

TagReaderController

24

INTRODUCTION COMPOSITION WITH DB

TagReaderControllerAn AC Protocol

24

INTRODUCTION COMPOSITION WITH DB

TagReaderControllerAn AC Protocol

A DB protocol

24

INTRODUCTION COMPOSITION WITH DB

TagReaderController

Is this natural

composition

secure and

private?

An AC Protocol

A DB protocol

25

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

ACCESS CONTROLCONTACTLESS AC PROTOCOL

Controller and Database Reader Tag

ACCESS CONTROLCONTACTLESS AC PROTOCOL

Controller and Database Reader Tag

GenC ! (skC , pkC) GenT ! (skT1 , pkT1)

(skT2 , pkT2)

(skTk , pkTk)

…

ACCESS CONTROLCONTACTLESS AC PROTOCOL

Controller and Database Reader Tag

GenC ! (skC , pkC)

C(skC , pkC , DataB,B) T (skT , pkT , pkC , req)R(locR)

GenT ! (skT1 , pkT1)

(skT2 , pkT2)

(skTk , pkTk)

…

ACCESS CONTROLCONTACTLESS AC PROTOCOL

Controller and Database Reader Tag

GenC ! (skC , pkC)

C(skC , pkC , DataB,B) T (skT , pkT , pkC , req)R(locR)

OutROutC

GenT ! (skT1 , pkT1)

(skT2 , pkT2)

(skTk , pkTk)

…

POutC = (pkT , locR, req)

ACCESS CONTROLCONTACTLESS AC PROTOCOL

Controller and Database Reader Tag

GenC ! (skC , pkC)

C(skC , pkC , DataB,B) T (skT , pkT , pkC , req)R(locR)

OutROutC

GenT ! (skT1 , pkT1)

(skT2 , pkT2)

(skTk , pkTk)

…

DataB = {(pk1, locRi , reqx), (pk2, locRj , reqy), ..., (pkk, locRi , reqx)}POutC = (pkT , locR, req)

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Tags are honest

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Secure and authenticatedTags are honest

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Secure and authenticatedTags are honest

Create DatabaseCreate fake tags

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Secure and authenticatedTags are honest

Activate(req)

Create DatabaseCreate fake tags

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Secure and authenticatedTags are honest

Activate(req)

req

Create DatabaseCreate fake tags

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Secure and authenticatedTags are honest

Activate(req)

req

Move(loc’)

Create DatabaseCreate fake tags

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Secure and authenticatedTags are honest

Activate(req)

req

Move(loc’)

Create DatabaseCreate fake tags

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Secure and authenticatedTags are honest

Activate(req)

req

Move(loc’)

Terminate

Create DatabaseCreate fake tags

27

ACCESS CONTROLADVERSARIAL AND COMMUNICATION MODEL

Secure and authenticatedTags are honest

Activate(req)

req

Move(loc’)

Terminate

Create DatabaseCreate fake tags

It can intercept, observe, replace the messages between readers and tagsIt can create may instances of each party

28

ACCESS CONTROLAC-GAME

GenC ! pkC , skCGenT ! {pkTi

, skTi}

28

ACCESS CONTROLAC-GAME

GenC ! pkC , skC{pkTi

}, pkCGenT ! {pkTi

, skTi}

28

ACCESS CONTROLAC-GAME

GenC ! pkC , skC Create fake tags {s̃kT , p̃kT }{pkTi}, pkC

GenT ! {pkTi, skTi}

Create DataB

28

ACCESS CONTROLAC-GAME

GenC ! pkC , skC Create fake tags {s̃kT , p̃kT }{pkTi}, pkC

GenT ! {pkTi, skTi}

DataB Create DataB

29

ACCESS CONTROLAC-GAME

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

POutC = (pk, loc, req)

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

POutC = (pk, loc, req)

Adversary wins if one of the conditions are satisfied:

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

POutC = (pk, loc, req)

POutC = (pk, loc, req) /2 DataB

Adversary wins if one of the conditions are satisfied:

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

POutC = (pk, loc, req)

POutC = (pk, loc, req) /2 DataB

(MiM)pk is honest tag’s key and

no close honest tag

Adversary wins if one of the conditions are satisfied:

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

T

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

POutC = (pk, loc, req)

POutC = (pk, loc, req) /2 DataB

(MiM)pk is honest tag’s key and

no close honest tag

Adversary wins if one of the conditions are satisfied:

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

TT̃

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

POutC = (pk, loc, req)

POutC = (pk, loc, req) /2 DataB

(MiM)pk is honest tag’s key and

no close honest tag

Adversary wins if one of the conditions are satisfied:

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

POutC = (pk, loc, req)

POutC = (pk, loc, req) /2 DataB

(MiM)pk is honest tag’s key and

no close honest tag

(DH)

pk is fake tag’s key andno close fake tag

Adversary wins if one of the conditions are satisfied:

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

T̃

POutC = (pk, loc, req)

POutC = (pk, loc, req) /2 DataB

(MiM)pk is honest tag’s key and

no close honest tag

(DH)

pk is fake tag’s key andno close fake tag

Adversary wins if one of the conditions are satisfied:

29

ACCESS CONTROLAC-GAME

R

TT̃

R T

RT

T̃T̃

R

T̃

R

T

RT

T̃

R

OutR = 1

GenC ! pkC , skC

GenT ! {pkTi, skTi}

DataB

T̃

T

POutC = (pk, loc, req)

POutC = (pk, loc, req) /2 DataB

(MiM)pk is honest tag’s key and

no close honest tag

(DH)

pk is fake tag’s key andno close fake tag

Adversary wins if one of the conditions are satisfied:

30

ACCESS CONTROLPRIVACY

30

ACCESS CONTROLPRIVACY

pick b 2 {`, r}

30

ACCESS CONTROLPRIVACY

Adversary can pair tags

Draw(Ti, Tj)

pick b 2 {`, r}

30

ACCESS CONTROLPRIVACY

Adversary can pair tags

Draw(Ti, Tj) Pair(3,4)

Pair(5,8)

Pair(1,7)

Pair(2,9)Pair(6,6)

pick b 2 {`, r}

30

ACCESS CONTROLPRIVACY

Adversary can pair tags

Draw(Ti, Tj) Pair(3,4)

Pair(5,8)

Pair(1,7)

Pair(2,9)Pair(6,6)

Pair(5,8)

pick b 2 {`, r}

30

ACCESS CONTROLPRIVACY

Adversary can pair tags

Draw(Ti, Tj) Pair(3,4)

Pair(5,8)

Pair(1,7)

Pair(2,9)Pair(6,6)

Pair(5,8) simulate T8

simulate T5

else

if b = r

pick b 2 {`, r}

30

ACCESS CONTROLPRIVACY

Adversary can pair tags

Draw(Ti, Tj) Pair(3,4)

Pair(5,8)

Pair(1,7)

Pair(2,9)Pair(6,6)

Pair(5,8) simulate T8

simulate T5

else

if b = r

pick b 2 {`, r}

b0

30

ACCESS CONTROLPRIVACY

Adversary can pair tags

Draw(Ti, Tj) Pair(3,4)

Pair(5,8)

Pair(1,7)

Pair(2,9)Pair(6,6)

Pair(5,8) simulate T8

simulate T5

else

if b = r

pick b 2 {`, r}

b0

Adversary wins if b0 = b

30

ACCESS CONTROLPRIVACY

Adversary can pair tags

Draw(Ti, Tj)

• and are at the same location• and have the same access privilegesTi Tj

Ti Tj

Pair(3,4)

Pair(5,8)

Pair(1,7)

Pair(2,9)Pair(6,6)

Pair(5,8) simulate T8

simulate T5

else

if b = r

pick b 2 {`, r}

b0

Adversary wins if b0 = b

31

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req, locR req

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req, locR req

run V (skC , pkC) run P (skT , pkT )

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req, locR req

run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req, locR req

run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )

output Out, pk

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req, locR req

run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )

output Out, pk

if (pk, locR, req) 2 DataB

OutC = Out

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req, locR req

run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )

output Out, pk

if (pk, locR, req) 2 DataB

OutC = Out

POut = (pk, locR, req)

else OutC = 0

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req, locR req

run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )

output Out, pk

if (pk, locR, req) 2 DataB

OutC = Out

POut = (pk, locR, req)

else OutC = 0

OutC

32

AC WITH DBOUR FRAMEWORK

TagReaderController(skC , pkC , DataB,B) (skT , pkT , pkC , req)(locR)

req, locR req

run DB = (KV ,KP , P, V,B)run V (skC , pkC) run P (skT , pkT )

output Out, pk

if (pk, locR, req) 2 DataB

OutC = Out

POut = (pk, locR, req)

else OutC = 0

OutCOutC

33

AC WITH DBSECURITY AND PRIVACY OF OUR FRAMEWORK

Assuming that the DB protocol is MiM-secure and DH-secure, then an AC protocol with using this DB protocol with our framework is a secure AC protocol.

SECURITY

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

33

AC WITH DBSECURITY AND PRIVACY OF OUR FRAMEWORK

Assuming that the DB protocol is MiM-secure and DH-secure, then an AC protocol with using this DB protocol with our framework is a secure AC protocol.

Assuming that the DB protocol is private DB, then an AC

protocol with our framework is private AC protocol when DataB is trivial.

SECURITY

PRIVACY

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

33

AC WITH DBSECURITY AND PRIVACY OF OUR FRAMEWORK

Assuming that the DB protocol is MiM-secure and DH-secure, then an AC protocol with using this DB protocol with our framework is a secure AC protocol.

Assuming that the DB protocol is private DB, then an AC

protocol with our framework is private AC protocol when DataB is trivial.

SECURITY

PRIVACY

empty or contains all possible triplets

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

V 0(skV , pkV ) P 0(skP , pkP , pkV )

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

V 0(skV , pkV ) P 0(skP , pkP , pkV )

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

V 0(skV , pkV ) P 0(skP , pkP , pkV )flag

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0 if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

V 0(skV , pkV ) P 0(skP , pkP , pkV )flag

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )flag

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

DataB = {(pk1, locR, req), (pk2, locR, req)}

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

pk1 is odd pk2 is even

DataB = {(pk1, locR, req), (pk2, locR, req)}

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

Pair(1,2) pk1 is odd pk2 is even

DataB = {(pk1, locR, req), (pk2, locR, req)}

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

Pair(1,2) pk1 is odd pk2 is even

DataB = {(pk1, locR, req), (pk2, locR, req)}R T

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

Pair(1,2) pk1 is odd pk2 is even

DataB = {(pk1, locR, req), (pk2, locR, req)}R T

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

Pair(1,2) pk1 is odd pk2 is even

DataB = {(pk1, locR, req), (pk2, locR, req)}Rflag = 1flag = 0

T

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

Pair(1,2) pk1 is odd pk2 is even

DataB = {(pk1, locR, req), (pk2, locR, req)}ROutR

flag = 1flag = 0T

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

34

AC WITH DBPRIVACY

DB = (KP ,KV , P, V,B) DB0 = (KP ,KV , P0, V 0, B)

flag = 0

run V (skV , pkV )

if flag = 1 and pkP is odd

KP ! (sk0P , pk0P )

(skP , pkP ) (sk0P , pk0P )

run P (skP , pkP , pkV )

V 0(skV , pkV ) P 0(skP , pkP , pkV )

DB = (KP ,KV , P, V,B)

flag

AC Protocol using DB’ with our framework

Pair(1,2) pk1 is odd pk2 is even

DataB = {(pk1, locR, req), (pk2, locR, req)}ROutR

flag = 1flag = 0T

if OutR = 1output b0 = `

elseoutput b0 = r

*Handan Kılınç and Serge Vaudenay. Contactless Access Control based on Distance bounding. In ISC, 2017

35

AC WITH DBEFF-AC (AN INSTANTIATION OF OUR FRAMEWORK)

36

OUTLINE

✓EFFICIENT PUBLIC-KEY DB PROTOCOLIntroductionWeak-authenticated Key AgreementEff-pkDB and its private variantComparison

✓ACCESS CONTROL WITH DBIntroductionSecurity and Privacy model for ACOur FrameworkConclusion

37

CONCLUSION

We define an integrated security model for AC including identification, access control, and distance bounding.

We give a framework that clarifies how to use a secure DB to construct a secure AC in our new security model.

We show that the same framework can be used to achieve privacy in AC with restrictions on the database of AC system.

37

CONCLUSION

We define an integrated security model for AC including identification, access control, and distance bounding.

We give a framework that clarifies how to use a secure DB to construct a secure AC in our new security model.

We show that the same framework can be used to achieve privacy in AC with restrictions on the database of AC system.

*’Secure Contactless Payment’ will appear in ACISP 2018

EFF-PKDB WITH SIM-TF

38