Publication


Featured research published by Christian T. Zenger.


privacy enhancing technologies | 2013

Efficient E-Cash in Practice: NFC-Based Payments for Public Transportation Systems

Gesine Hinterwälder; Christian T. Zenger; Foteini Baldimtsi; Anna Lysyanskaya; Christof Paar; Wayne Burleson

Near field communication (NFC) is a recent popular technology that will facilitate many aspects of payments with mobile tokens. In the domain of public transportation payment systems electronic payments have many benefits, including improved throughput, new capabilities (congestion-based pricing etc.) and user convenience. A common concern when using electronic payments is that a user’s privacy is sacrificed. However, cryptographic e-cash schemes provide provable guarantees for both security and user privacy. Even though e-cash protocols have been proposed three decades ago, there are relatively few actual implementations, since their computation complexity makes an execution on lightweight devices rather difficult. This paper presents an efficient implementation of Brands [11] and ACL [4] e-cash schemes on an NFC smartphone: the BlackBerry Bold 9900. Due to their efficiency during the spending phase, when compared to other schemes, and the fact that payments can be verified offline, these schemes are especially suited for, but not limited to, use in public transport. Additionally, the encoding of validated attributes (e.g. a user’s age range, zip code etc.) is possible in the coins being withdrawn, which allows for additional features such as variable pricing (e.g. reduced fare for senior customers) and privacy-preserving data collection. We present a subtle technique to make use of the ECDHKeyAgreement class that is available in the BlackBerry API (and in the API of other systems) and show how the schemes can be implemented efficiently to satisfy the tight timing imposed by the transportation setting.


international conference on mobile and ubiquitous systems: networking and services | 2015

Security Analysis of Quantization Schemes for Channel-based Key Extraction

Christian T. Zenger; Jan Zimmer; Christof Paar

The use of reciprocal and random properties of wireless channels for the generation of secret keys is a highly attractive option for many applications that operate in a mobile environment. In recent years, several practice-oriented protocols have been proposed, but unfortunately without a sufficient and consistent security analysis and without a fair comparison between each other. This can be attributed to the fact that until now neither a common evaluation basis, nor a security metric in an on-line scenario (e.g., with changing channel properties) was proposed. We attempt to close this gap by presenting test vectors based on a large measurement campaign, an extensive comparative evaluation framework (including ten protocols as well as new on-line entropy estimators), and a rigorous experimental security analysis. Further, we answer for the first time a variety of security and performance related questions about the behavior of 10 channel-based key establishment schemes from the literature.


vehicular technology conference | 2015

Bringing PHY-Based Key Generation into the Field: An Evaluation for Practical Scenarios

Rene Guillaume; Fredrik Winzer; Andreas Czylwik; Christian T. Zenger; Christof Paar

The need for secured communication between computationally weak wireless devices has driven the development of novel key generation protocols. Various schemes for extracting symmetric cryptographic keys out of wireless channel properties have been proposed during recent years, making the generation protocol more and more efficient for individual applications. However, often these schemes were evaluated based on theoretical models and without considering practical effects. We present a system for PHY-based key generation with two legitimate users as well as a passive attacker of equivalent power and analyze results from practical measurements in real world scenarios. Furthermore we extend practical constraints by considering heterogeneous setups and show the impact onto representative performance indicators.


Computer Networks | 2016

Authenticated key establishment for low-resource devices exploiting correlated random channels

Christian T. Zenger; Mario Pietersz; Jan Zimmer; Jan-Felix Posielek; Thorben Lenze; Christof Paar

Authenticated key establishment is a central requirement for securing IoT devices. For efficiency and management reasons, it might be desirable to avoid public-key-based solutions that are ubiquitous in traditional Internet settings but have many drawbacks for resource-constrained (RC) nodes. We introduce a novel Vicinity-based Pairing (VP) mechanism that allows authenticating arbitrary ‘unloaded’ RC-nodes by delegating trust from already authenticated and secured, we call it ‘loaded’, RC-nodes. For authenticating RC-nodes, VP exploits the correlation between channel profiles from devices that are in close physical proximity. In our setting, only devices that are within a few centimetres from the ‘loaded’ RC-nodes are authenticated after a user initiates such a process. Subsequently, the embedded end device can extract a unique shared symmetric key with another device such as a SCADA gateway, again by exploiting channel parameters. Based on extensive experiments, we propose new techniques for extracting time-varying randomness from channel parameters for use in VP. We describe the first MITM-resistant device pairing protocol purely based on a single wireless interface with an extensive adversarial model and protocol analysis. We show that existing wireless devices can be retro-fitted with the VP protocol via software updates, i.e. without changes to the hardware. Implementation results of our embedded prototype demonstrate that the approach has the potential to dramatically reduce the cost and efforts of securing low-resource devices that are common in the IoT.


new security paradigms workshop | 2015

Exploiting the Physical Environment for Securing the Internet of Things

Christian T. Zenger; Jan Zimmer; Mario Pietersz; Jan-Felix Posielek; Christof Paar

Using the randomness provided by the physical environment to build security solutions has received much attention recently. In particular, the shared entropy provided by measuring ambient audio, luminosity modalities or electromagnetic emanations has been used to build location-based, proximity-based, or context-based security mechanisms. The majority of those protocols is based on a standard model consisting of channel probing, quantization, information reconciliation, privacy amplification, and key verification. The main problem for almost all approaches is the limited understanding of the security that is provided. For example, security analyses often only address single components and not the entire system or are based on broad abstractions of the physical source of randomness. Further, a big open question is the feasibility of such systems for low-resource platforms. Our first contribution is a detailed, optimized realization of a key establishment system. We demonstrate the feasibility of deriving a shared secret from correlated quantities on resource-constrained devices with tight power budget. Our system was realized on the popular ARM Cortex-M3 processor that reports detailed resource requirements. The second major contribution is a summary and abstraction of previous works together with a rigorous security analysis. We substantiate our investigation by presenting practical attack results.


international conference on mobile and ubiquitous systems: networking and services | 2015

On-line Entropy Estimation for Secure Information Reconciliation

Christian T. Zenger; Jan Zimmer; Jan-Felix Posielek; Christof Paar

The random number generator (RNG) is a critical, if not in fact the most important, component in every cryptographic device. Introducing the symmetric radio channel, represented by estimations of location-specific, reciprocal, and time-variant channel characteristics, as a common RNG is not a trivial task. In recent years, several practice-oriented protocols have been proposed, challenging the utilization of wireless communication channels to enable the computation of a shared key. However, the security claims of those protocols typically rely on channel abstractions that are not fully experimentally substantiated, and (at best) rely on statistical off-line tests. In the present paper, we investigate on-line statistical testing for channel-based key extraction schemes, which is independent from channel abstractions due to the capability to verify the entropy of the resulting key material. We demonstrate an important security breach if on-line estimation is not applied, e.g., if the device is in an environment with an insufficient amount of entropy. Further, we present real-world evaluation results of 10 recent protocols for the generation of keys with a verified security level of 128-bit.


radio frequency identification security and privacy issues | 2013

Rights Management with NFC Smartphones and Electronic ID Cards: A Proof of Concept for Modern Car Sharing

Timo Kasper; Alexander B. Kuhn; David Oswald; Christian T. Zenger; Christof Paar

Numerous contactless smartcards (and the corresponding RFID readers) are compatible with NFC, e.g., Mifare cards and the governmental ID card in Germany called nPA. NFC-enabled smartphones and other NFC objects such as door locks have become widespread. Existing and future applications of the up-and-coming technology require a secure way of assigning and transporting user rights, e.g., for opening and starting a car or access control to a building. In this paper, we propose a scheme that securely identifies a customer on a website and creates a (personalized) credential containing the booked access permissions. This credential is safely transported via the Internet to the user’s smartphone and finally grants access to an NFC-enabled object. In our proof-of-concept implementation, an application on a commercial smartphone is used for communicating with a web server of a car rental agency. During the booking process, the phone operates as an RFID reader to interrogate the nPA of the user and utilizes the security mechanisms of the nPA, including the PACE protocol, for identifying the customer. After having obtained the credential, the smartphone emulates a Mifare DESFire card that is read by the NFC door lock of a rental car to verify the validity of the access permission. We discuss security issues and limitations of our approach.


global communications conference | 2016

The Passive Eavesdropper Affects My Channel: Secret-Key Rates under Real-World Conditions

Christian T. Zenger; Hendrik Vogt; Jan Zimmer; Aydin Sezgin; Christof Paar

Channel-reciprocity based key generation (CRKG) has gained significant importance as it has recently been proposed as a potential lightweight security solution for IoT devices. However, the impact of the attacker’s position in close range has only rarely been evaluated in practice, posing an open research problem about the security of real-world realizations. Furthermore, this would further bridge the gap between theoretical channel models and their practice-oriented realizations. For security metrics, we utilize cross-correlation, mutual information, and a lower bound on secret-key capacity. We design a practical setup of three parties such that the channel statistics, although based on joint randomness, are always reproducible. We run experiments to obtain channel states and evaluate the aforementioned metrics for the impact of an attacker depending on his position. It turns out the attacker himself affects the outcome, which has not been adequately regarded yet in standard channel models.


BalkanCryptSec 2014 Revised Selected Papers of the First International Conference on Cryptography and Information Security in the Balkans - Volume 9024 | 2014

Preventing Scaling of Successful Attacks: A Cross-Layer Security Architecture for Resource-Constrained Platforms

Christian T. Zenger; Abhijit K. Ambekar; Fredrik Winzer; Thomas Pöppelmann; Hans D. Schotten; Christof Paar

Key-establishment based on parameters of the communication channels is a highly attractive option for many applications that operate in a dynamic mobile environment with peer-to-peer association. So far, high usability and dynamic key management with the capability of perfect forward secrecy are very difficult to achieve for wireless devices which have to operate under strict resource constraints. Additionally, previous work has failed to address hybrid systems composed of physical layer security (PHYSEC) and asymmetric cryptography for key establishment. In this work we present the first hybrid system architecture suitable for resource-constrained platforms. As a result, long term deployment due to key diversity and forward/backward secrecy can be achieved while still satisfying the tight timing of an initial setup imposed by high user acceptance. Our design strongly focuses on reusing communication chip components for PHYSEC and makes use of efficient asymmetric cryptography, e.g., ECDH, augmented by physical layer security. Our prototype implementation demonstrates that our approach has the potential to dramatically reduce the cost of securing small embedded devices for the Internet of Things, and hence make mass production and deployment viable.


wireless network security | 2016

Constructive and Destructive Aspects of Adaptive Wormholes for the 5G Tactile Internet

Christian T. Zenger; Jan Zimmer; Mario Pietersz; Benedikt Driessen; Christof Paar

In this work, we constructively combine adaptive wormholes with channel-reciprocity based key establishment (CRKE), which has been proposed as a lightweight security solution for IoT devices and might be even more important for the 5G Tactile Internet and its embedded low-end devices. We present a new secret key generation protocol where two parties compute shared cryptographic keys under narrow-band multi-path fading models over a delayed digital channel. The proposed approach furthermore enables distance-bounding the key establishment process via the coherence time dependencies of the wireless channel. Our scheme is thoroughly evaluated both theoretically and practically. For the latter, we used a testbed based on the IEEE 802.15.4 standard and performed extensive experiments in a real-world manufacturing environment. Additionally, we demonstrate adaptive wormhole attacks (AWOAs) and their consequences on several physical-layer security schemes. Furthermore, we proposed a countermeasure that minimizes the risk of AWOAs.

Collaboration


Dive into Christian T. Zenger's collaboration.

Top Co-Authors

Jan Zimmer

Ruhr University Bochum
