François Koeune

The Swiss-Knife RFID Distance Bounding Protocol

Relay attacks are one of the most challenging threats RFID will have to face in the close future. They consist in making the verifier believe that the prover is in its close vicinity by surreptitiously forwarding the signal between the verifier and an out-of-field prover. Distance bounding protocols represent a promising way to thwart relay attacks, by measuring the round trip time of short authenticated messages. Several such protocols have been designed during the last years but none of them combine all the features one may expect in a RFID system. We introduce in this paper the first solution that compounds in a single protocol all these desirable features. We prove, with respect to the previous protocols, that our proposal is the best one in terms of security, privacy, tag computational overhead, and fault tolerance. We also point out a weakness in Tu and Piramuthus protocol, which was considered up to now as one of the most efficient distance bounding protocol.

Robust Object Watermarking: Application to Code

In this paper, we focus on a step of the watermarking process whose importance has been disregarded so far. In this perspective, we introduce the vector extraction paradigm which is the transformation between digital data and an abstract vector representation of these data. As an application, we propose a new, robust technique in order to insert watermarks in executable code.

Compact implementation and performance evaluation of block ciphers in ATtiny devices

The design of lightweight block ciphers has been a very active research topic over the last years. However, the lack of comparative source codes generally makes it hard to evaluate the extent to which implementations of different ciphers actually reach their low-cost goals on various platforms. This paper reports on an initiative aiming to relax this issue. First, we provide implementations of 12 block ciphers on an ATMEL AVR ATtiny45 8-bit microcontroller, and make the corresponding source code available on a web page. All implementations are made public under an open-source license. Common interfaces and design goals are followed by all designers to achieve comparable implementation results. Second, we evaluate performance figures of our implementations with respect to different metrics, including energy-consumption measurements and show our improvements compared to existing implementations.

Biometrics, access control, smart cards: a not so simple combination

Although biometrics can be an useful component for access control, the security they procure is often overestimated, as if they were a magic tool whose simple use will automatically prevent each and every type of attack. Biometrics are not secure unless they are embedded in a strong cryptographic protocol, whose design pays special attention to their specificities. In particular, smart card reveals to be an useful and efficient partner of biometrics for such a protocol. This paper reviews and discusses the most important issues raised by biometrics and presents a secure authentication protocol skeleton.

How to Compare Profiled Side-Channel Attacks?

Side-channel attacks are an important class of attacks against cryptographic devices and profiled side-channel attacks are the most powerful type of side-channel attacks. In this scenario, an adversary first uses a device under his control in order to build a good leakage model. Then, he takes advantage of this leakage model to exploit the actual leakages of a similar target device and perform a key recovery. Since such attacks are divided in two phases (namely profiling and online attack), the question of how to best evaluate those two phases arises. In this paper, we take advantage of a recently introduced framework for the analysis of side-channel attacks to tackle this issue. We show that the quality of a profiling phase is nicely captured by an information theoretic metric. By contrast, the effectiveness of the online key recovery phase is better measured with a security metric. As an illustration, we use this methodology to compare the two main techniques for profiled side-channel attacks, namely template attacks and stochastic models. Our results confirm the higher profiling efficiency of stochastic models when reasonable assumptions can be made about the leakages of a device.

A tutorial on physical security and side-channel attacks

A recent branch of cryptography focuses on the physical constraints that a real-life cryptographic device must face, and attempts to exploit these constraints (running time, power consumption, ...) to expose the devices secrets. This gave birth to implementation-specific attacks, which often turned out to be much more efficient than the best known cryptanalytic attacks against the underlying primitive as an idealized object. This paper aims at providing a tutorial on the subject, overviewing the main kinds of attacks and highlighting their underlying principles.

A Practical Implementation of the Timing Attack

When the running time of a cryptographic algorithm is non-constant, timing measurements can leak information about the secret key. This idea, first publicly introduced by Kocher, is developed here to attack an earlier version of the CASCADE smart card. We propose several improvements on Kocher’s ideas, leading to a practical implementation that is able to break a 512-bit key in few hours, provided we are able to collect 300000 timing measurements (128-bit keys can be recovered in few seconds using a personal computer and less than 10000 samples). We therefore show that the timing attack represents an important threat against cryptosystems, which must be very seriously taken into account.

Improving Divide and Conquer Attacks against Cryptosystems by Better Error Detection / Correction Strategies

Divide and conquer attacks try to recover small portions of cryptographic keys one by one. Usually, a wrong guess makes subsequent ones useless. Hence possible errors should be detected and corrected as soon as possible. In this paper we introduce a new (generic) error detection and correction strategy. Its efficiency is demonstrated at various examples, namely at a power attack, two timing attacks against RSA implementations with and without Chinese Remainder Theorem, and a timing attack against the future AES (Rijndael). As the design of efficient countermeasures requires a good understanding of an attacks actual power, the possible improvement induced by sophisticated error detection and correction should not be neglected. Although divide and conquer attacks are typical for side-channel attacks, we would like to stress that they are not restricted to that field, as will be illustrated by Siegenthalers attack.

A new type of timing attack: Application to GPS

We investigate side-channel attacks where the attacker only needs the Hamming weights of several secret exponents to guess a long-term secret. Such weights can often be recovered by SPA, EMA, or simply timing attack. We apply this principle to propose a timing attack on the CPS identification scheme. We consider implementations of CPS where the running time of the exponentiation (commitment phase) leaks the exponents Hamming weight, which is typical of a square and multiply algorithm for example. We show that only 800 time measures allow the attacker to find the private key in a few seconds on a PC with a success probability of 80%. Besides its efficiency, two other interesting points in our attack are its resistance to some classical countermeasures against timing attacks, and the fact that it works whether the Chinese Remainder Technique is used or not.

SWISH: Secure WiFi sharing

The fast increase of mobile Internet use motivates the need for WiFi sharing solutions, where a mobile user connects to the Internet via a nearby foreign network while its home network is far away. This situation creates security challenges which are only partially solved by existing solutions like VPNs. Such solutions neglect the security of the visited network, and private users or organizations are thus reluctant to share their connection. In this paper, we present and implement SWISH, an efficient, full scale solution to this problem. SWISH is based on establishing a tunnel from the visited network to the users home network. All the data from the mobile is then forwarded through this tunnel. Internet access is therefore provided without endangering the visited network. We also propose protocol extensions that allow the visited network to charge for the data it forwards, and to protect the privacy of the mobile user while preventing abuse. SWISH was successfully deployed on university networks, demonstrating that it can be conveniently implemented in existing networks with a minimal impact on performance.