    Optimal security limits of RFID distance bounding protocols

    In this paper, we classify the RFID distance bounding protocols having bitwise fast phases and no final signature. We also give the theoretical security bounds for two specific classes, leaving the security bounds for the general case as an open problem. As for the classification, we introduce the notion of k-previous challenge dependent (k-PCD) protocols, where each response bit depends on the current and the k previous challenges and there is no final signature. We treat the case k = 0, which means each response bit depends only on the current challenge, as a special case and define such protocols as current challenge dependent (CCD) protocols. In general, we construct a trade-off curve between the security levels against mafia and distance fraud by introducing two generic attack algorithms. This leads to the conclusion that CCD protocols cannot attain the ideal security against distance fraud, i.e. 1/2 for each challenge-response bit, without totally losing the security against mafia fraud. We extend the generic attacks to 1-PCD protocols and obtain a trade-off curve for 1-PCD protocols, pointing out that 1-PCD protocols can provide better security than CCD protocols. Thereby, we propose a natural extension of a CCD protocol to a 1-PCD protocol in order to improve its security. As a case study, we give two natural extensions of the Hancke and Kuhn protocol to show how to enhance the security against either mafia fraud or distance fraud without extra cost.
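    The two generic attacks on a CCD fast phase, as an added illustration that is not code from the paper: the slow phase derives two registers v0, v1 in the Hancke and Kuhn style (here from HMAC-SHA256; the PRF choice, key and nonce sizes are assumptions), the honest response in round i is v_{c_i}[i], and the two simulations run the standard early-reply (distance fraud) and pre-ask (mafia fraud) strategies against it. The closed form `ccd_tradeoff(q)` is the textbook per-round analysis for an abstract CCD round whose two possible responses differ with probability q; it reproduces the shape of the trade-off the abstract describes (q = 1 gives 1/2 against distance fraud but 1 against mafia fraud) and is not the paper's own bound.

```python
import hashlib
import hmac
import secrets


def derive_registers(key: bytes, nonce: bytes, n: int):
    """Hancke-Kuhn style slow phase: PRF(key, nonce) split into two n-bit registers v0, v1."""
    out = hmac.new(key, nonce, hashlib.sha256).digest()
    if 2 * n > 8 * len(out):
        raise ValueError("n too large for one PRF output")
    bits = [(out[i // 8] >> (7 - i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]


def honest_response(v0, v1, i, c):
    """CCD fast phase: the round-i response depends only on the current challenge c."""
    return (v1 if c else v0)[i]


def simulate_distance_fraud(n: int, trials: int) -> float:
    """Dishonest prover far from the verifier. It holds v0 and v1 but must send r_i
    before c_i can reach it (early reply). Returns the observed per-round success rate."""
    ok = 0
    for _ in range(trials):
        v0, v1 = derive_registers(secrets.token_bytes(16), secrets.token_bytes(16), n)
        for i in range(n):
            # if both possible responses agree, the early reply is always right
            r = v0[i] if v0[i] == v1[i] else secrets.randbelow(2)
            c = secrets.randbelow(2)  # verifier's challenge, picked after r was sent
            ok += r == honest_response(v0, v1, i, c)
    return ok / (n * trials)


def simulate_mafia_fraud(n: int, trials: int) -> float:
    """Relay adversary between an honest far-away tag and the verifier (pre-ask attack).
    Before the real fast phase it runs its own fast phase with the tag using challenges
    c'_i and learns v_{c'_i}[i]; it then answers the verifier within the time bound."""
    ok = 0
    for _ in range(trials):
        v0, v1 = derive_registers(secrets.token_bytes(16), secrets.token_bytes(16), n)
        pre = [secrets.randbelow(2) for _ in range(n)]
        known = [honest_response(v0, v1, i, pre[i]) for i in range(n)]
        for i in range(n):
            c = secrets.randbelow(2)
            r = known[i] if c == pre[i] else secrets.randbelow(2)
            ok += r == honest_response(v0, v1, i, c)
    return ok / (n * trials)


def ccd_tradeoff(q: float):
    """Per-round success of the two generic attacks on an abstract CCD round in which
    the responses to c=0 and c=1 differ with probability q.
    distance fraud: a (1-q) fraction of rounds is answered early with certainty, the
                    rest by coin flip;
    mafia fraud:    c_i == c'_i half the time; otherwise the adversary guesses using
                    the known correlation of the two responses, succeeding with max(q, 1-q).
    Hancke-Kuhn has q = 1/2, giving the familiar (3/4, 3/4). Forcing q = 1 (always
    complementary responses) reaches the ideal 1/2 against distance fraud but hands
    the mafia adversary every round."""
    df = (1 - q) + q / 2
    mf = 1 / 2 + max(q, 1 - q) / 2
    return df, mf


if __name__ == "__main__":
    n, trials = 32, 200
    print(f"HK simulated: distance fraud {simulate_distance_fraud(n, trials):.3f}, "
          f"mafia fraud {simulate_mafia_fraud(n, trials):.3f} (per round)")
    for q in (0.0, 0.25, 0.5, 0.75, 1.0):
        df, mf = ccd_tradeoff(q)
        print(f"q={q:.2f}  distance fraud {df:.3f}  mafia fraud {mf:.3f}")
```

    Running the script prints both simulated rates close to 0.75 for the Hancke and Kuhn construction and walks the closed-form curve from q = 0 (responses never differ, both frauds trivially succeed) to q = 1 (distance fraud at 1/2, mafia fraud at 1).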

    Efficient and secure schemes for private function evaluation

    The development of computing devices together with the proliferation of the Internet has created enormous opportunities for cooperative computation. These computations can occur between trusted or partially trusted partners, or even between competitors. Secure multi-party computation (MPC) protocols allow two or more parties to collaborate and compute a public functionality on their private inputs without a trusted third party. However, generic MPC solutions are not adequate for the cases where the function itself is also sensitive and must be kept private. Private function evaluation (PFE) is a special case of MPC where the function to be computed is known by only one party. PFE is useful in several real-life applications where an algorithm or a function itself needs to remain secret, for reasons such as protecting intellectual property or a security classification level. Recently, designing efficient PFE protocols has been a challenging and attractive task for cryptography researchers. In this dissertation, we mainly focus on improving two-party private function evaluation (2PFE) schemes. Our primary goal is to enhance the state of the art by designing secure and cost-efficient 2PFE protocols for both symmetric and asymmetric cryptography based solutions. In this respect, we first aim to improve 2PFE protocols based on (mostly) symmetric cryptographic primitives. We look back at the seminal PFE framework presented by Mohassel and Sadeghian at Eurocrypt'13. We show how to adapt and utilize the well-known half gates garbling technique (Zahur et al., Eurocrypt'15) in their constant-round 2PFE scheme. Compared to their scheme, our optimization significantly improves both the underlying oblivious extended permutation (OEP) and secure two-party computation (2PC) protocols, and yields a more than 40% reduction in overall communication cost. We next propose a novel and highly efficient 2PFE scheme based on the decisional Diffie-Hellman (DDH) assumption. Our scheme consists of two protocols, one used in the initial execution and the other in the subsequent runs. One of the novelties of our scheme over the state of the art is that it results in a significant cost reduction when the same private function is evaluated more than once between the same or varying parties. To the best of our knowledge, this is the most efficient and the first 2PFE scheme that enjoys a reusability feature. Our protocols achieve linear communication and computation complexities and a constant number of rounds, which is at most three (depending on the size of the inputs of the party that holds the function).

    A framework for analyzing RFID distance bounding protocols

    Many distance bounding protocols appropriate for RFID technology have been proposed recently. Unfortunately, they are commonly designed without any formal approach, which leads to inaccurate analyses and unfair comparisons. Motivated by this need, we introduce a unified framework that aims to improve the analysis and design of distance bounding protocols. Our framework includes a thorough terminology for the frauds, the adversary, and the prover, thus disambiguating many misleading terms. It also explores the adversary's capabilities and strategies, and addresses the impact of the prover's ability to tamper with his device. It thus introduces some new concepts in the distance bounding domain, such as the black-box and white-box models, and the relation between the frauds with respect to these models. The relevance and impact of the framework are finally demonstrated on a case study: the Munilla-Peinado distance bounding protocol.

    Security and Privacy Analysis of Recently Proposed ECC-Based RFID Authentication Schemes

    Elliptic Curve Cryptography (ECC) has been widely used in RFID authentication protocols to efficiently overcome many security and privacy issues. Even though the strong cryptographic primitives of ECC are used in the authentication protocols, the schemes are far from providing the desired level of security and privacy. In this paper, we analyze four recent ECC-based RFID authentication schemes proposed by Gasbi et al., Benssalah et al., Kumar et al., and Agrahari and Varma. The authors claim that their schemes satisfy prominent and important security and privacy requirements. However, contrary to these claims, we show crucial vulnerabilities in the schemes. We attack Gasbi et al.'s protocol by using the messages transmitted over the insecure channel and exploiting relations between messages that point to a specific tag, and show that the scheme does not provide tag anonymity/untraceability or forward and backward security, and that it has performance problems. Moreover, we demonstrate that Kumar et al.'s and Agrahari and Varma's schemes do not achieve forward and backward security, because the schemes are not designed to eliminate the advantage of an adversary who, by the attack definition, obtains full knowledge of a tag. We also show that Benssalah et al.'s scheme fails to provide tag anonymity/untraceability and forward and backward security when the pseudonym of a tag is somehow transmitted over the insecure channel without being updated.

    Norwegian internet voting protocol revisited: ballot box and receipt generator are allowed to collude

    Norway experienced internet voting in 2011 and 2013 for municipal and parliamentary elections, respectively. Its security depends on the assumptions that the organizations involved are completely independent and reliable, and that the receipt codes are securely sent to the voters. In this paper, we point out the following aspects:
    - The vote privacy of the Norwegian scheme is violated if the Ballot Box and the Receipt Generator cooperate, because the private key of the Decryption Service can be obtained by these two players. We propose a solution to avoid this issue without adding new players.
    - To assure correctness, the receipt codes are sent to the voters over a pre-channel (postal service) and a post-channel (Short Message Service, SMS). However, by holding both the SMS and the postal receipt code, a voter can reveal his vote even after the election. Although revoting is a reasonable remedy for coercion or concealment, intentional vote revealing is still a problem. We suggest using SMS only for notification of vote submission.
    - In case the codes are falsely generated or the pre-channel is not secure, a vote can be counted for a different candidate without detection. We propose a solution in which voters verify the integrity of the postal receipt codes.
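    The first point above, as an added toy model that is not code from the paper: the abstract only states that the Ballot Box and the Receipt Generator together can obtain the Decryption Service's key. The model assumes the additive key setup of the published Norwegian scheme, a1 (Ballot Box), a2 (Receipt Generator) and a3 = a1 + a2 (mod q) (Decryption Service), with the voter encrypting under y3 = g^a3; the tiny group, the ballot encoding and the candidate list are constructed for illustration and everything else in the real protocol (receipt codes, proofs, the separate decryption path) is left out. The security point it shows is that an additive split whose sum is the decryption key is not a threshold scheme: two of the three players reconstruct the key outright.

```python
import secrets

# Toy ElGamal group (constructed, far too small for real use): P = 2Q + 1 is a safe
# prime and G = 2^2 generates the order-Q subgroup of quadratic residues.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1

CANDIDATES = ["A", "B", "C"]  # constructed ballot options


def encode(idx: int) -> int:
    """Map a candidate index to a subgroup element G^(idx+1), never the identity."""
    return pow(G, idx + 1, P)


def decode(elem: int) -> int:
    for idx in range(len(CANDIDATES)):
        if encode(idx) == elem:
            return idx
    raise ValueError("not a valid ballot encoding")


def keygen():
    """Assumed key setup: Ballot Box holds a1, Receipt Generator holds a2, and the
    Decryption Service's key is a3 = a1 + a2 (mod Q). Only y3 = G^a3 is published."""
    while True:
        a1 = secrets.randbelow(Q - 1) + 1
        a2 = secrets.randbelow(Q - 1) + 1
        a3 = (a1 + a2) % Q
        if a3 != 0:  # avoid the degenerate key whose public part is the identity
            return a1, a2, a3, pow(G, a3, P)


def encrypt_ballot(y3: int, idx: int):
    """Voter's computer: ElGamal encryption (x, w) = (G^t, m * y3^t) of the chosen option."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), (encode(idx) * pow(y3, t, P)) % P


def decrypt_ballot(a: int, x: int, w: int) -> int:
    """m = w * x^(-a) mod P; x has order Q, so x^(-a) = x^(Q - a)."""
    return decode((w * pow(x, (Q - a) % Q, P)) % P)


def collusion_recovers_vote(a1: int, a2: int, x: int, w: int) -> int:
    """Ballot Box and Receipt Generator pool their keys: a1 + a2 is a3 itself, so the
    pair decrypts every stored ballot without involving the Decryption Service."""
    return decrypt_ballot((a1 + a2) % Q, x, w)


def demo() -> bool:
    a1, a2, a3, y3 = keygen()
    choice = 1
    x, w = encrypt_ballot(y3, choice)
    # the legitimate decryptor and the colluding pair obtain the same plaintext
    return decrypt_ballot(a3, x, w) == choice == collusion_recovers_vote(a1, a2, x, w)


if __name__ == "__main__":
    print("collusion recovers the vote:", demo())
```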

    Simetrik kriptografi tabanlı RFID protokollerinin güvenlik analizi ve ileri mahremiyetli bir tasarının gerçeklenmesi

    This M.Sc. thesis has two main parts. The first part contains the theoretical security analysis of privacy-friendly radio frequency identification (RFID) protocols that are based on symmetric cryptography and have sub-linear complexity. The second part is a practical part dedicated to an implementation of a forward-secure RFID authentication protocol. RFID technology provides wireless communication with an object or a person in order to identify or authenticate it by radio waves, with neither physical nor visual contact. RFID is one of the most promising technologies deployed in many applications such as contactless payment systems, public transportation, electronic passports, access cards and logistics tracking systems. RFID has in fact entered our lives; however, security and privacy concerns have become controversial as a social demand. Moreover, the cost of RFID tags is another obstacle to technological advance. Many works have been dedicated to this specific area to mitigate these issues. The large body of literature on RFID security and privacy demonstrates that designing a privacy-friendly and efficient protocol is still a challenging task, and finding the appropriate one is quite difficult for industry. Indeed, although many protocols have been proposed over the years, none can be deemed ideal. Motivated by this need, in this work we examine most of the proposals in the field, categorize them according to common features, analyze them, compare their properties and discuss which can be considered the best ones to date. We also provide new attacks on several of these protocols and some patches.
    First, this work includes a comprehensive analysis of privacy-friendly authentication protocols devoted to RFID that: (i) are based on well-established symmetric-key cryptographic building blocks; (ii) require a reader complexity lower than O(N), where N is the number of provers in the system. These two properties are sine qua non conditions for deploying privacy-friendly authentication protocols in large-scale applications, e.g., access control in mass transportation. We describe existing protocols fulfilling these requirements and point out their drawbacks and weaknesses. In particular, we introduce new attacks and show that some protocols are not resistant to timing attacks. We also suggest a number of new solutions to ameliorate some of the existing protocols and provide guidelines for those schemes. We have extensively evaluated and compared all the candidates according to their security and performance. The security properties that we investigated include user privacy as well as forward privacy, impersonation resilience and desynchronization resistance. Furthermore, we examined their performance thoroughly, in terms of computational and storage cost. According to our analysis of security and efficiency, we selected the most appropriate candidates for practical use.
    Second, this thesis includes an implementation of a real RFID system which is efficient and secure with respect to the first part of this work. We implemented the candidate that is, according to our analysis and criteria, the most appropriate one for practical use. To the best of our knowledge, this is the first complete implementation of a forward-private RFID system based on a time-memory trade-off. This method had already been introduced but had never been implemented in a real RFID system. We show that our implementation practically allows achieving high performance in terms of search complexity and memory usage without degrading privacy. We have run several experiments on the implemented real RFID system and observed that the experimental outputs are very close to the theoretical bounds. Finally, the authentication speed and effective memory usage show that this forward-private RFID system is ready to be used for practical purposes.
    Turkish abstract (translated):
    This M.Sc. thesis consists of two parts. The first part covers the theoretical security and privacy analysis of RFID (radio frequency identification) protocols based on symmetric-key cryptographic systems. In the second part, a forward-private RFID authentication protocol is implemented using the time-memory trade-off method and its results are compared with the theoretical results. Below, brief background on RFID technology is given first, the security and privacy requirements in this area are discussed, and then the work done in this thesis is summarized.
    RFID technology makes it possible to identify or authenticate an object or a person carrying a tag by means of radio waves, without physical contact. An RFID system basically consists of a tag, a reader and a back-end database server that securely stores information about the tags. An RFID tag is made up of a silicon chip that receives and answers the reader's queries, an antenna and a casing. The chip stores information about the object the tag is attached to. The antenna transmits the identity information to the reader over radio frequency. The casing encloses the chip and the antenna so that the tag can be attached to an object. Tags differ in memory, read range and read/write capability. Depending on the frequency band used for reading, they are also classified as LF, HF, UHF and microwave tags. RFID was first developed and used in the Second World War to distinguish friendly aircraft from enemy aircraft. Today it has a very wide range of uses. RFID has been widely deployed in many areas such as contactless payment, public transport, electronic passports, access control systems, logistics tracking systems, libraries, automatic vehicle toll systems and automatic identification and data capture systems, and it is a promising technology for many more areas in the future. This new technology, which has entered almost every area of our lives, has also brought with it social concerns about security and user privacy. Although the technology gains importance day by day and research on it is increasing, its privacy and security problems have not been completely solved. Over concerns about violations of personal privacy, in September 2003 some human rights and civil society organizations sued retailers using RFID technology, arguing that the system could be used for malicious purposes. Each RFID tag carries information that is unique to it and specific to the person it belongs to, so the people carrying these tags are in effect tagged together with these devices. Moreover, commonly used RFID tags are unaware of being queried and answer every query. As a result, people carrying RFID tags can be tracked without their knowledge, and information about their private lives that they do not wish to disclose can be exposed.
    While the threats RFID technology poses to the privacy of people's private lives are a significant problem, the greater threat arises when undesired parties gain control of these systems by exploiting security flaws in the protocol and weaknesses in the technical defenses. As seen in the application areas mentioned above, RFID systems have become an important part of human life, and people carry out activities of great importance to them (payments, protection of their property, identifying themselves to access control systems, etc.) over these systems, all the while acting on the assumption that RFID systems are secure. The security of an RFID system depends directly on the security of each of its components (tag, reader and database). Given that RFID tags, especially the more widely used passive tags, have limited resources such as circuit area and energy consumption, the difficulty of providing security on these devices with existing cryptographic algorithms is evident. Enabling RFID tags to operate effectively with low energy consumption is one of the main goals of this work. These needs have recently motivated academic and industrial studies in this specific area. The great majority of the RFID security and privacy literature agrees that designing a protocol that is both privacy-preserving and efficient is quite hard. Selecting the appropriate protocol from such a large and rapidly changing literature is also a problem for industry. Indeed, although many protocols have been proposed over the years, none has been accepted as ideal. Starting from these needs, this work categorizes the protocols proposed in this area according to their common security and efficiency features and compares them with each other.
    The work first contains a comprehensive analysis of the privacy-preserving protocols. The RFID authentication protocols considered have two properties: (i) they are built from symmetric-key cryptographic building blocks, and (ii) they can authenticate with complexity lower than O(N), where N is the number of tags in the system. Considering large-scale real-life applications (e.g. public transport), these two conditions are indispensable properties an RFID system must have. The protocols satisfying these properties are examined, a comprehensive theoretical security analysis of them is carried out, and their shortcomings and weak points are exposed. New cryptographic attacks on these protocols are given; in particular, this work shows how timing attacks can be carried out against many of them. Proposals for improving some existing protocols are also presented, together with some guidelines for these schemes. All candidate protocols are compared by evaluating security and performance criteria. On the security side, user privacy, resistance to impersonation, resistance to tracking through desynchronization and protection against traceability are considered. On the performance side, the criteria are low computation and low storage on the tag and the database. As a result, the most suitable candidates for practical use were selected.
    Second, the most suitable protocol, whose security and performance were evaluated in the first part, is implemented on a real RFID system. To our knowledge, this work presents the first implementation of a forward-private RFID system based on the time-memory trade-off method; this previously theoretically designed system had not been implemented before. Experiments show that the implementation achieves high performance, with high database search speed and low memory usage, while preserving the privacy properties. The closeness of the experimental results to the theoretical bounds demonstrates the correctness and positive effect of this work. In conclusion, the work is shown to be a ready system that can also be used in practice.

    An efficient 2-party private function evaluation protocol based on half gates

    Private function evaluation (PFE) is a special case of secure multi-party computation (MPC) where the function to be computed is known by only one party. PFE is useful in several real-life applications where an algorithm or a function itself needs to remain secret, for reasons such as protecting intellectual property or a security classification level. In this paper, we focus on improving 2-party PFE based on symmetric cryptographic primitives. In this respect, we look back at the seminal PFE framework presented by Mohassel and Sadeghian at Eurocrypt'13. We show how to adapt and utilize the well-known half gates garbling technique (Zahur et al., Eurocrypt'15) in their constant-round 2-party PFE scheme. Compared to their scheme, our optimization significantly improves the efficiency of both the underlying Oblivious Evaluation of Extended Permutation (OEP) and secure 2-party computation (2PC) protocols, and yields a more than 40% reduction in overall communication cost (the computation time is also slightly decreased and the number of rounds remains unchanged).

    A new security and privacy framework for RFID in cloud computing

    RFID is a leading technology that has been rapidly deployed in several daily-life applications that require strong security and privacy mechanisms. However, RFID systems commonly have limited computational capacity and inefficient data management. There is a pressing need to address these issues with a mechanism that lets the technology excel. Cloud computing is one of the fastest growing segments of the IT industry and provides cost-effective solutions for handling and using data collected with RFID. As more and more information on companies and individuals is placed in the cloud, concerns are escalating about just how safe an environment it is. Therefore, while integrating RFID into the cloud, the security and privacy of the tag owner must be considered. Motivated by this, we first provide a new security and privacy model for RFID technology integrated with cloud computing. In this model, we define the capabilities of the adversary and give the formal definitions. We then propose a cloud-based RFID authentication protocol to illustrate our model. The protocol uses symmetric-key cryptography. We prove that the protocol achieves destructive privacy according to our model.

    Highly efficient and re-executable private function evaluation with linear complexity

    Private function evaluation aims to securely compute a function f(x_1, ..., x_n) without leaking any information other than what is revealed by the output, where f is a private input of one of the parties (say Party_1) and x_i is a private input of the i-th party Party_i. In this article, we propose a novel and secure two-party private function evaluation (2PFE) scheme based on the DDH assumption. Our scheme introduces a reusability feature that significantly improves the state of the art. Accordingly, our scheme has two variants, one utilized in the initial execution of the function f, and the other utilized in its subsequent evaluations. To the best of our knowledge, this is the first and most efficient 2PFE scheme that enjoys a reusability feature. Our protocols achieve linear communication and computation complexities and a constant number of rounds, which is at most three.