Muhammed Ali Bingöl

A framework for analyzing RFID distance bounding protocols

Many distance bounding protocols appropriate for the RFID technology have been proposed recently. Unfortunately, they are commonly designed without any formal approach, which leads to inaccurate analyzes and unfair comparisons. Motivated by this need, we introduce a unified framework that aims to improve analysis and design of distance bounding protocols. Our framework includes a thorough terminology about the frauds, adversary and prover, thus disambiguating many misleading terms. It also explores the adversarys capabilities and strategies, and addresses the impact of the provers ability to tamper with his device. It thus introduces some new concepts in the distance bounding domain as the black-box and white-box models, and the relation between the frauds with respect to these models. The relevancy and impact of the framework is finally demonstrated on a study case: Munilla-Peinado distance bounding protocol.

A novel RFID distance bounding protocol based on physically unclonable functions

Radio Frequency Identification (RFID) systems are vulnerable to relay attacks (i.e., mafia, terrorist and distance frauds) when they are used for authentication purposes. Distance bounding protocols are particularly designed as a countermeasure against these attacks. These protocols aim to ensure that the tags are in a distant area by measuring the round-trip delays during a rapid challenge-response exchange of short authenticated messages. Terrorist fraud is the most challenging attack to avoid, because a legitimate user (a tag owner) collaborates with an attacker to defeat the authentication system. Many RFID distance bounding protocols have been proposed recently, with encouraging results. However, none of them provides the ideal security against the terrorist fraud. Motivated by this need, we first introduce a strong adversary model for Physically Unclonable Functions (PUFs) based authentication protocol in which the adversary has access to volatile memory of the tag. We show that the security of Sadeghi et al. s PUF based authentication protocol is not secure in this model. We provide a new technique to improve the security of their protocol. Namely, in our scheme, even if an adversary has access to volatile memory she cannot obtain all long term keys to clone the tag. Next, we propose a novel RFID distance bounding protocol based on PUFs which satisfies the expected security requirements. Comparing to the previous protocols, the use of PUFs in our protocol enhances the system in terms of security, privacy and tag computational overhead. We also prove that our extended protocol with a final signature provides the ideal security against all those frauds, remarkably the terrorist fraud. Besides that, our protocols enjoy the attractive properties of PUFs, which provide the most cost efficient and reliable means to fingerprint chips based on their physical properties.

Optimal security limits of RFID distance bounding protocols

In this paper, we classify the RFID distance bounding protocols having bitwise fast phases and no final signature. We also give the theoretical security bounds for two specific classes, leaving the security bounds for the general case as an open problem. As for the classification, we introduce the notion of k-previous challenge dependent (k-PCD) protocols where each response bit depends on the current and k-previous challenges and there is no final signature. We treat the case k = 0, which means each response bit depends only on the current challenge, as a special case and define such protocols as current challenge dependent (CCD) protocols. In general, we construct a trade-off curve between the security levels of mafia and distance frauds by introducing two generic attack algorithms. This leads to the conclusion that CCD protocols cannot attain the ideal security against distance fraud, i.e. 1/2, for each challenge-response bit, without totally losing the security against mafia fraud. We extend the generic attacks to 1-PCD protocols and obtain a trade-off curve for 1-PCD protocols pointing out that 1-PCD protocols can provide better security than CCD protocols. Thereby, we propose a natural extension of a CCD protocol to a 1-PCD protocol in order to improve its security. As a study case, we give two natural extensions of Hancke and Kuhn protocol to show how to enhance the security against either mafia fraud or distance fraud without extra cost.

A New Security and Privacy Framework for RFID in Cloud Computing

RFID is a leading technology that has been rapidly deployed in several daily life applications that require strong security and privacy mechanisms. However, RFID systems commonly have limited computational capacity and inefficient data management. There is a demanding urge to address these issues in the light of some mechanism which can make the technology excel. Cloud computing is one of the fastest growing segments of IT industry that provides cost effective solutions for handling and using data collected with RFID. As more and more information on companies and individuals is placed in the cloud, concerns are beginning to escalate about just how safe an environment it is. Therefore, while integrating RFID into the cloud, the security and privacy of the tag owner must be considered. Motivated by this, we first provide a new security and privacy model for RFID technology integrated to the cloud computing. In this model, we define the capabilities of the adversary and give the formal definitions. After that we propose a cloud-based RFID authentication protocol to illustrate our model. The protocol utilizes symmetric-key based cryptography. We prove that the protocol achieves destructive privacy according to our model.

DKEM: Secure and efficient Distributed Key Establishment Protocol for Wireless Mesh Networks☆

In this paper, we propose an efficient and secure key establishment protocol that is tailored for Wireless Mesh Networks. The protocol is based on identity-based key establishment, but without the utilization of a trusted authority for private key generation. Instead, this task is performed by the collaboration of mesh nodes; a number of users exceeding a certain threshold form a coalition to generate private keys for the network users. We performed simulative performance evaluation in order to show the effect of both the threshold value and the network size, i.e., total number of nodes, on the latency of key establishment and on the success percentage of user private key generation. Results reveal a trade-off between resiliency and efficiency; increasing the threshold value also increases the resiliency of the network, but negatively effects its latency and success percentage. For the threshold values that are smaller than 10 and for a minimum of 40 mesh nodes, at least 93% of the user private keys can be computed within at most 2 min. We also discuss the security of our protocol. We show that our protocol is secure against both outsider malicious and insider semi-honest adversaries.

Deploying OSK on Low-Resource Mobile Devices

It is a popular challenge to design authentication protocols that are both privacy-friendly and scalable. A large body of literature in RFID is dedicated to that goal, and many inventive mechanisms have been suggested to achieve it. However, to the best of our knowledge, none of these protocols have been tested so far in practical scenarios. In this paper, we present an implementation of the OSK protocol, a scalable and privacy-friendly authentication protocol, using a variant by Avoine and Oechslin that accommodates it to time-memory trade-offs. We show that the OSK protocol is suited to certain real-life scenarios, in particular when the authentication is performed by low-resource mobile devices. The implementation, done on an NFC-compliant cellphone and a ZC7.5 contactless tag, demonstrates the practicability and efficiency of the OSK protocol and illustrates that privacy-by-design is achievable in constrained environments.

Norwegian internet voting protocol revisited: ballot box and receipt generator are allowed to collude

Norway experienced internet voting in 2011 and 2013 for municipal and parliamentary elections, respectively. Its security depends on the assumptions that the involving organizations are completely independent, reliable, and the receipt codes are securely sent to the voters. In this paper, we point out the following aspects: The vote privacy of the Norwegian scheme is violated if Ballot Box and Receipt Generator cooperate because the private key of Decryption Service can be obtained by the two former players. We propose a solution to avoid this issue without adding new players. To assure the correctness, the receipt codes are sent to the voters over a pre-channel (postal service) and a post-channel (Short Message Service [SMS]). However, by holding both SMS and the postal receipt code, a voter can reveal his vote even after the elections. Albeit revoting is a fairly well solution for coercion or concealment, intentional vote revealing is still a problem. We suggest SMS only for notification of vote submission. In case the codes are falsely generated or the pre-channel is not secure, a vote can be counted for a different candidate without detection. We propose a solution in which voters verify the integrity of the postal receipt codes. Copyright