Authenticating Pervasive Devices with Human Protocols Ari Juels
- Slides: 20
Authenticating Pervasive Devices with Human Protocols Ari Juels RSA Laboratories Stephen A. Weis MIT CSAIL
Pervasive Devices • Pervasive Devices: ‣ Low memory, few gates ‣ Low power, no clock, little state ‣ Low computational power • Billions of pervasive devices are deployed. • Billions on the way. Can such feeble devices authenticate themselves?
Example Technologies
“Billions and Billions. . . ” • Supply chain management, inventory control • Payment systems, building access • Prescription drug shipments • Retail checkout • Luxury goods • Currency Authenticating devices is a growing concern.
Attacks • Skimming: Reading legitimate tag data to produce fraudulent clones. • Swapping: Steal RFID-tagged products then replace with counterfeit-tagged decoys. • Denial of Service: Seeding a system with fake, but authentic acting tags.
Related Work • Low-Cost Access Control: • [SWE 02], [WSRE 03], [OSK 04] • Pervasive Privacy: • [JP 03], [JRS 03], [Avoine 04], [MW 04] • Human Authentication: [HB 01]
Our Contribution • A new authentication protocol that handles active malicious attacks. • Extremely hardware-efficient • Secure under same assumption as [HB 01]
Hopper-Blum Authentication Computer(x) Bob(x, η) a ∈ {0, 1}k Challenge z=(a⋅ x)? z=(a⋅x)⊕ν Response ν ∈R {0, 1} Repeat for q rounds. Authenticate Bob if he passes > (1 -η)q rounds.
Security Against Bad Bob Computer(x) Adversary a ∈ {0, 1}k Challenge z=(a⋅? ) Guess Response
Security Against Passive Eavesdroppers Computer(x) Bob(x, η) Eavesdropper ν ∈R {0, 1} (a 0, z 0), (a 1, z 1), . . . , (aq, zq) Find an x’ that allows you to answer a (1 -η) fraction of a challenges
Learning Parity with Noise (LPN) • Crypto and learning problems: [BFKL 93] • LPN algorithm: [BKW 03] • Shortest Vector Problem reduction: [Regev 05]
Concrete Security Key Size (k) 64 128 192 224 256 288 Best Attack 235 256 272 280 288 296 Obligatory grain of salt →□
Active Attack against HB Adversary a’ = 000. . . 001 z 0=(a’⋅x)⊕ν 0 Bob(x, η) . . . a’ zn=(a’⋅x)⊕νn Adversary takes majority of zi values to get noise-free parity bit
Our New Protocol: HB+ Reader(x, y) b ∈ {0, 1}k Tag(x, y, η) Blinding Factor a ∈ {0, 1}k Challenge z=(a⋅x)⊕(b⋅y)⊕ν z=(a⋅ x)⊕(b⋅ y)? Response ν ∈R {0, 1}
Security Against Bad Bob Reader(x, y) b’ Malicious Blinding Factor a Challenge z=(a⋅? )⊕(b’⋅? ) Guess Response Adversary
Security against Active Attacks Adversary b Tag(x, y, η) Blinding Factor a’ Malicious Challenge z=(a’⋅x)⊕(b⋅y)⊕ν Response ν ∈ {0, 1}
Detection Security Model Reader Alert ! Adversary Failed Authentications Assume valid readers will detect suspicious failures: No Reader oracles.
Skewing Randomness Adversary • What if the adversary can skew a tag’s random number generator? • All bets are off! Tag
Future Work • Two-round or parallel HB+(Rump Session) • Random Number Generation • Underlying hardness of LPN • Adapting other Human. Auth protocols
Questions? Ari Juels ajuels@rsasecurity. com www. ari-juels. com Stephen Weis sweis@mit. edu crypto. csail. mit. edu/~sweis
- Tero andu'yva
- X-trace: a pervasive network tracing framework
- Salesforce company overview
- Specific and pervasive boundaries for behavior
- Pervasive computing wikipedia
- Pervasive developmental disorder screening test
- Pervasive and mobile computing
- Pervasive computing ppt
- Mobile and pervasive computing
- Pdd
- Mit mobile wireless
- Pervasive mood
- Ari allyn-feuer
- Tekonivelinfektio
- Ari koskelainen
- Modifikasyon nedir
- Hamk raporttipohja
- Punto y modo articulatorio del fonema r
- Stationary and mobile sources of air pollution
- Army ari
- Ari myllyviita