18 research outputs found
On the Security of Carrier Phase-based Ranging
Multicarrier phase-based ranging is fast emerging as a cost-optimized solution for a wide variety of proximity-based applications due to its low power requirement, low hardware complexity and compatibility with existing standards such as ZigBee and 6LoWPAN. Given the potentially critical nature of the applications in which phase-based ranging can be deployed (e.g., access control, asset tracking), it is important to evaluate its security guarantees. Therefore, in this work, we investigate the security of multicarrier phase-based ranging systems and specifically focus on distance decreasing relay attacks that have proven detrimental to the security of proximity-based access control systems (e.g., vehicular passive keyless entry and start systems). We show that phase-based ranging, as well as its implementations, are vulnerable to a variety of distance reduction attacks. We describe different attack realizations and verify their feasibility by simulations and experiments on a commercial ranging system. Specifically, we successfully reduced the estimated range to less than 3 m even though the devices were more than 50 m apart. We discuss possible countermeasures against such attacks and illustrate their limitations, therefore demonstrating that phase-based ranging cannot be fully secured against distance decreasing attacks.
GossiCrypt: Wireless Sensor Network Data Confidentiality Against Parasitic Adversaries
Resource and cost constraints remain a challenge for wireless sensor network
security. In this paper, we propose a new approach to protect confidentiality
against a parasitic adversary, which seeks to exploit sensor networks by
obtaining measurements in an unauthorized way. Our low-complexity solution,
GossiCrypt, leverages on the large scale of sensor networks to protect
confidentiality efficiently and effectively. GossiCrypt protects data by
symmetric key encryption at their source nodes and re-encryption at a randomly
chosen subset of nodes en route to the sink. Furthermore, it employs key
refreshing to mitigate the physical compromise of cryptographic keys. We
validate GossiCrypt analytically and with simulations, showing it protects data
confidentiality with probability almost one. Moreover, compared with a system
that uses public-key data encryption, the energy consumption of GossiCrypt is
one to three orders of magnitude lower.
Crypto-Chain: a relay resilience framework for smart vehicles
Recent findings show that smart vehicles can be exposed to relay attacks resulting from weaknesses in cryptographic operations, such as authentication and key derivation, or poor implementation of these operations. Relay attacks refer to attacks in which authentication is evaded without needing to attack a smart vehicle itself. They are a recurrent problem in practice. In this paper, we formulate the necessary relay resilience settings for strengthening authentication and key derivation and achieving the secure design and efficient implementation of cryptographic protocols based on universal composability, which allows the modular design and analysis of cryptographic protocols. We introduce Crypto-Chain, a relay resilience framework that extends Kusters's universal composition theorem on a fixed number of protocol systems to prevent bypass of cryptographic operations and avoid implementation errors. Our framework provides an ideal crypto-chain functionality that supports several cryptographic primitives. Furthermore, we provide an ideal functionality for mutual authentication and key derivation in Crypto-Chain by which cryptographic protocols can use cryptographic operations, knowledge about the computation time of the operations, and cryptographic timestamps to ensure relay resilience. As a proof of concept, we first propose and implement a mutual authentication and key derivation protocol (MKD) that confirms the efficiency and relay resilience capabilities of Crypto-Chain and then apply Crypto-Chain to fix two protocols used in smart vehicles, namely Megamos Crypto and Hitag-AES/Pro.
Towards Seamless and Secure Mobile Authentication
With the rise of mobile technology, the personal lives and sensitive information of everyday citizens are carried about without a thought to the risks involved. Despite this high possibility of harm, many fail to use simple security to protect themselves because they feel the benefits of securing their devices do not outweigh the cost to usability. The main issue is that beyond initial authentication, sessions are maintained using optional timeout mechanisms where a session will end if a user is inactive for a period of time. This interruption-based form of continuous authentication requires constant user intervention leading to frustration, which discourages its use. No solution currently exists that provides an implementation beyond the insecure and low usability of simple timeout and re-authentication. This work identifies the flaws of current mobile authentication techniques and provides a new solution that is not limiting to the user, has a system for secure, active continuous authentication, and increases the usability and security over current methods. Dissertation/Thesis. Masters Thesis, Computer Science 201
Information Security in In-Vehicle CAN Networks (Tietoturva auton sisäisissä CAN-verkoissa)
Abstract. This thesis examines in-vehicle CAN networks and the information security issues related to them. It covers the fundamentals and history of the CAN bus system commonly used in cars, as well as the principles of automotive information security at a theoretical level. It then examines, on the basis of existing literature and research, concrete security problems related to the CAN bus and, in some cases, ways in which they can be eliminated or reduced. The thesis also discusses the significance of information security in cars and its possible future directions in the automotive industry.
Security of Ubiquitous Computing Systems
The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license.