Roel Peeters

Reverse Fuzzy Extractors: Enabling Lightweight Mutual Authentication for PUF-Enabled RFIDs

RFID-based tokens are increasingly used in electronic payment and ticketing systems for mutual authentication of tickets and terminals. These systems typically use cost-effective tokens without expensive hardware protection mechanisms and are exposed to hardware attacks that copy and maliciously modify tokens. Physically Unclonable Functions (PUFs) are a promising technology to protect against such attacks by binding security critical data to the physical characteristics of the underlying hardware. However, existing PUF-based authentication schemes for RFID do not support mutual authentication, are often vulnerable to emulation and denial-of service attacks, and allow only for a limited number of authentications.

A Survey on Lightweight Entity Authentication with Strong PUFs

Physically unclonable functions (PUFs) exploit the unavoidable manufacturing variations of an Integrated Circuit (IC). Their input-output behavior serves as a unique IC “fingerprint.” Therefore, they have been envisioned as an IC authentication mechanism, in particular the subclass of so-called strong PUFs. The protocol proposals are typically accompanied with two PUF promises: lightweight and an increased resistance against physical attacks. In this work, we review 19 proposals in chronological order: from the original strong PUF proposal (2001) to the more complicated noise bifurcation and system of PUF proposals (2014). The assessment is aided by a unified notation and a transparent framework of PUF protocol requirements.

Proper RFID Privacy: Model and Protocols

We approach RFID privacy both from modelling and protocol point of view. Our privacy model avoids the drawbacks of several proposed RFID privacy models that either suffer from insufficient generality or put forward unrealistic assumptions regarding the adversarys ability to corrupt tags. Furthermore, our model can handle multiple readers and introduces two new privacy notions to capture the recently discovered insider attackers. We analyse multiple existing RFID protocols, demonstrating the easy applicability of our model, and propose a new wide-forward-insider private RFID authentication protocol. This protocol provides sufficient privacy guarantees for most practical applications and is the most efficient of its kind, it only requires two scalar-EC point multiplications.

Efficient, secure, private distance bounding without key updates

We propose a new distance bounding protocol, which builds upon the private RFID authentication protocol by Peeters and Hermans [25]. In contrast to most distance-bounding protocols in literature, our construction is based on public-key cryptography. Public-key cryptography (specifically Elliptic Curve Cryptography) can, contrary to popular belief, be realized on resource constrained devices such as RFID tags. Our protocol is wide-forward-insider private, achieves distance-fraud resistance and near-optimal mafia-fraud resistance. Furthermore, it provides strong impersonation security even when the number of time-critical rounds supported by the tag is very small. The computational effort for the protocol is only four scalar-EC point multiplications. Hence the required circuit area is minimal because only an ECC coprocessor is needed: no additional cryptographic primitives need to be implemented.

Toward More Secure and Reliable Access Control

Conventional access control mechanisms, relying on a single security token to authenticate remote users, introduce a single point of failure and are vulnerable to relay attacks. A threshold-based distance-bounding protocol that distributes a users private key among various personal devices improves system security and reliability.

Balloon: A Forward-Secure Append-Only Persistent Authenticated Data Structure

We present Balloon, a forward-secure append-only persistent authenticated data structure. Balloon is designed for an initially trusted author that generates events to be stored in a data structure (the Balloon) kept by an untrusted server, and clients that query this server for events intended for them based on keys and snapshots. The data structure is persistent such that clients can query keys for the current or past versions of the data structure based upon snapshots, which are generated by the author as new events are inserted. The data structure is authenticated in the sense that the server can verifiably prove all operations with respect to snapshots created by the author. No event inserted into the data structure prior to the compromise of the author can be modified or deleted without detection due to Balloon being publicly verifiable. Balloon supports efficient (non-)membership proofs and verifiable inserts by the author, enabling the author to verify the correctness of inserts without having to store a copy of the Balloon. We formally define and prove that Balloon is a secure authenticated data structure.

Threshold Things That Think: Authorisation for Resharing

As we are evolving towards ubiquitous computing, users carry an increasing number of mobile devices with sensitive information. The security of this information can be protected using threshold cryptography, in which secret computations are shared between multiple devices. Threshold cryptography can be made more robust by resharing protocols, which allow recovery from partial compromises. This paper introduces user-friendly and secure protocols for the authorisation of resharing protocols. We present both automatic and manual protocols, utilising a group manual authentication protocol to add a new device. We analyse the security of these protocols: our analysis considers permanent and temporary compromises, denial of service attacks and manual authentications errors of the user.

Enhancing Transparency with Distributed Privacy-Preserving Logging

Transparency of data processing is often a requirement for compliance to legislation and/or business requirements. Furthermore, it has recognised as a key privacy principle, for example in the European Data Protection Directive. At the same time, transparency of the data processing should be limited to the users involved in order to minimise the leakage of sensitive business information and privacy of the employees (if any) performing the data processing.

Increased resilience in threshold cryptography: sharing a secret with devices that cannot store shares

Threshold cryptography increases security and resilience by sharing a private cryptographic key over different devices. Many personal devices, however, are not suited for threshold schemes, because they do not offer secure storage, which is needed to store shares of the private key. We present a solution that allows to include devices without them having to store their share. Shares are stored in protected form, possibly externally, which makes our solution suitable for low-cost devices with a factory-embedded key, e.g., car keys and access cards. By using pairings we achieve public verifiability in a wide range of protocols, which removes the need for private channels. We demonstrate how to modify existing discrete-log based threshold schemes to work in this setting. Our core result is a new publicly verifiable distributed key generation protocol that is provably secure against static adversaries and does not require all devices to be present.

Threshold things that think: usable authorization for resharing

People start carrying around more and more mobile devices that can contain sensitive data. To protect these devices, Desmedt et al. [1] proposed a threshold security architecture for Things That Think. These things are personal devices that are frequently in the user’s proximity and able to interact with each other. In the proposed architecture, security is the result of the cooperation of at least the threshold number of personal devices. For threshold security each personal device possesses a part of the shared key. When at least the threshold number of these devices cooperate, this shared key can be used to, for instance, place signatures or decrypt encrypted information. The advantages of deploying a threshold cryptography scheme are twofold: a user does not need all his personal devices (e.g. dead battery, device left at home) to access the shared key and an adversary does not gain any knowledge of the shared key when he does not compromise the threshold number of devices. For a threshold security architecture on Things That Think to be practical, a mechanism allowing the user to add or remove devices from the set of personal devices is essential. Refreshing the shared key enhances security. Adding a device, removing a device and refreshing the shared key are essentially the same in terms of the underlying “resharing” protocol. One example of a protocol for resharing can be found in [6]. Little attention has been paid to the problem of authorisation for resharing. Proper authorisation is necessary to prevent an adversary from altering the set of personal devices in such a way that he would be able to break the scheme. Moreover authorisation should not enable the adversary to succeed in a Denial of Service (DoS) attack and prevent the genuine user from signing and/or decrypting data. The authors developed a protocol to manually authorise resharing in [4]. This paper focuses on the usability aspect, an essential part of the protocol development. Although the proposed manual authorisation protocol is studied in the context of resharing, it could also be used to authorise signing data or as a bootstrapping mechanism. An overview of related work on usability regarding the pairing of two devices is given by Saxena et al. [5].