Privacy Group Distance Bounding Protocol on TH-UWB based NTRU Public Key Cryptosystem

Jamel Miri, Innov'COM Laboratory, Sup'Com Tunisia
Bechir Nsiri, Sys'Com Laboratory, ENIT Tunisia
Ridha Bouallegue, Innov'COM Laboratory, Sup'Com Tunisia

Abstract—In Time Hopping Ultra-WideBand Impulse Radio (TH-UWB-IR) communication systems, relay attacks are now a critical threat to authentication protocols. This risk can be mitigated with Distance Bounding (DB) protocols. Recent work on implementing DB protocols over UWB has only considered the setting of a single Prover and a single Verifier. In this work, we adapt the THSKI protocol to a privacy-preserving Group Distance Bounding (GDB) protocol built on the NTRU public key cryptosystem. The security and the merits of the proposed protocol are analyzed.

I. INTRODUCTION

Ultra-WideBand (UWB) technology has aroused considerable interest among researchers in wireless communications, owing to the many assets that come from the nature of the transmitted waves and to its wide possibilities in terms of throughput. IR-UWB is currently a very relevant and promising solution for WSNs. This is motivated first by its low power consumption; second by its impulse nature, which makes it robust to multipath fading; and third by its high precision, which is exploited for propagation-time based localization. With these advantages, IR-UWB has been selected as part of IEEE 802.15.4a. First developed for military radar, UWB is a revolutionary wireless technology poised to find use in a broad range of consumer, enterprise, industrial and public safety applications [1]. UWB was authorized for commercial use by a ground-breaking ruling of the US FCC in 2002. These systems use ultra-short (ns) pulses, which yield ultra-wide bandwidth signals with extremely low power spectral density [1], [2].

Because the radio channel is shared, wireless communication suffers from the attacks introduced by Desmedt et al. [3]; the most popular of them, mafia fraud, distance fraud and terrorist fraud, are collectively called relay attacks. The answer to this threat is the Distance Bounding (DB) protocol introduced by Brands and Chaum (BC) [4]. UWB is a favorable candidate for implementing these protocols [5], [6]: a DB protocol based on the Round Trip Time (RTT) benefits from the high synchronization precision of UWB, which can be exploited for distance and position measurement. Furthermore, GDB is useful in critical military MANETs, which generally operate in harsh environments without any infrastructure.

Symmetric (secret) key cryptography in a DB protocol uses identical private keys for all users of the same network. The biggest obstacle to deploying a symmetric key algorithm is the need to exchange the secret keys in the network, an operation that must be completed securely; as the number of participants in a transaction grows, both the risk of a compromise and its consequences grow dramatically. Asymmetric (public key) cryptography has a sizable advantage here: the unique private and public keys provided to each user let them exchange information securely between network devices without first needing a way to secretly swap keys. For this reason we propose to use it in the GDB protocol, applied to network communication with the proposed THSKI protocol [9].

This paper is organized as follows. Section II gives an overview of DB protocols and of our THSKI protocol for the TH-UWB communication system. Section III defines and describes GDB based on THSKI and how to make it privacy-preserving with the NTRU cryptosystem. Section IV studies the performance of the proposed idea.

II. PRELIMINARY

A. Distance Bounding Protocols

Distance Bounding protocols were introduced by Brands and Chaum [4] to thwart the wireless communication attacks defined by Desmedt et al. [3]. A DB protocol verifies that the Euclidean distance between two active devices is upper bounded; it gives a cryptographic proof of the maximum physical distance between the two devices. A DB protocol is secure if, with overwhelming probability, the Verifier rejects a Prover that is not legitimate and/or is outside the neighborhood [8], and accepts a Prover that is valid and within the neighborhood. The distance between the Prover and the Verifier is computed as follows:

c 978-1-5090-4663-8/17/$31.00 2017 IEEE

$d = c\,(T_m - T_d)/2$    (1)

where $c$ is the propagation speed, $T_m$ is the measured RTT and $T_d$ is the Prover's processing delay. The measured RTT $T_m$ is given by

$T_m = 2\,T_p + T_d$    (2)

where $T_p$ is the one-way propagation time between the transmitter and the receiver. The first RTT-based distance bounding protocol, proposed by Hancke and Kuhn [5], has two steps: in the first step, the initialization phase, the Prover and the Verifier compute a shared state; in the second, the fast phase, the RTT is measured several times and the authentication is carried out. The Hancke and Kuhn protocol is shown in Figure 1.

Fig. 1. Hancke and Kuhn Protocol.

Fig. 2. SKI Protocol.

B. Secure Distance Bounding Protocol on TH-UWB

Many distance bounding protocols are designed every year and compared [4], [5], [10]-[13]. Across the comparison methodologies, SKI comes out as the most appropriate protocol because of its resistance to the attacks (distance fraud, mafia fraud and terrorist fraud) mounted by a fraudulent Prover or a malicious third party [7]. Table I summarizes the comparison.

TABLE I. DISTANCE BOUNDING PROTOCOLS: RESISTANCE TO ATTACKS.

  Attack     BC          HK          SK (Swiss-Knife)   SKI
  P(Mf)      (1/2)^n     (3/4)^n     (1/2)^n            ((t+1)/(2t))^n
  P(Df)      (1/2)^n     (3/4)^n     (3/4)^n            < (3/4)^n
  P(Tf)      1           1           (3/4)^n            ((2t-2)/(2t))^n

P(Mf), P(Df) and P(Tf) are the success probabilities of mafia fraud, distance fraud and terrorist fraud, n is the number of fast-phase rounds and t is the size of the messages exchanged in the fast phase. In [9], we consider two UWB devices of identical capability used by the Prover and the Verifier. The chosen distance bounding protocol is based on SKI because of its resistance to the most popular attacks. The SKI protocol is described in [14], [15]; Figure 2 shows how it works.

For UWB distance bounding protocols, much research aims at improving the resistance to the most popular attacks. In [9] a protocol based on Time Hopping with a secret time hopping code is proposed; we call it Secret Time Hopping SKI (THSKI), shown in Figure 3. The protocol works as follows.

1) Protocol requirements: In THSKI, P and V share a secret key $K \in \{0,1\}^s$ and use the secret-sharing construction of SKI called the "leakage scheme". The scheme leaks one bit of the secret key each time a malicious Prover gives the adversary all the vectors required for authentication. For a vector $\mu \in \{0,1\}^s$, the linear function $L_\mu(K) \in \{0,1\}^n$ is defined as

$L_\mu(K) = (\mu \cdot K,\ \mu \cdot K,\ \ldots,\ \mu \cdot K)$

where $\mu \cdot K$ is the inner product of $\mu$ and $K$. For a given $\mu$, $L_\mu(K)$ thus contains only one bit of information about $K$; this is what makes SKI resist terrorist fraud. Let $K' = L_\mu(K)$ be the output of the leakage scheme. The response function $F(c_i, a_i, K')$ of SKI is a linear function of the random vector $a$, on which Prover and Verifier agree, and of $K'$:

$F(1, a_i, K') = a_{1,i}$, $F(2, a_i, K') = a_{2,i}$, $F(3, a_i, K') = a_{1,i} \oplus a_{2,i} \oplus K'_i$    (3)

The protocol is divided into three steps: the initialization phase, the fast phase, and the verification of the RTT measurements and of the authentication.

2) Initialization phase: The Prover picks a nonce $N_P$ and sends it to the Verifier. The Verifier picks a random vector $a$, the linear function $L_\mu$ and a nonce $N_V$, computes $K' = L_\mu(K)$ and sends the triple $(L_\mu, N_V, M)$ to the Prover, where $M = a \oplus f_K(N_P, N_V, L_\mu)$ masks $a$ with the output of the pseudo-random function $f_K$. The Prover computes the same $K' = L_\mu(K)$ and recovers $a = M \oplus f_K(N_P, N_V, L_\mu)$. V and P now hold the shared state $H = M \oplus f_K(N_P, N_V, L_\mu)$, a bit string of length $2n(N_f\,p + 1)$, where $n$ is the number of rounds of the fast phase, $N_f$ the number of pulses per symbol, $N_s$ the number of time slots and $p = \log_2 N_s$. H is split into five parts:
• $S^V = (H_1, \ldots, H_p, H_{p+1}, \ldots, H_{2p}, \ldots, H_{N_f p}, \ldots, H_{n N_f p})$ is the time hopping code of the Verifier, where $S^V_i$, of length $p N_f$ bits, defines the integers over $\mathbb{Z}/N_s\mathbb{Z}$ that select the time slots used to emit the $i$-th symbol, $i \in \{1, \ldots, n\}$.
• $S^P = (H_{n N_f p + 1}, \ldots, H_{(n N_f + 1) p}, \ldots, H_{2 n N_f p})$ is the time hopping code of the Prover, with the same structure.
• $R^0 = (H_{2 n N_f p + 1}, \ldots, H_{n(2 N_f p + 1)})$, a first register of $n$ bits.
• $R^1 = (H_{n(2 N_f p + 1) + 1}, \ldots, H_{2n(N_f p + 1)})$, a second register of $n$ bits.
• $R^2 = R^0 \oplus R^1 \oplus K'$.
In addition, V and P pick respectively an $n$-bit random vector $c$ and an $n$-bit random vector $Z$, and the Verifier picks a random $n\,p\,N_f$-bit vector $q$, decomposed into sequences $q_i$ of $p N_f$ bits in the same way as $S^V$ and $S^P$.

3) Fast phase: The fast phase consists of $n$ rounds. In round $i$, V sends a challenge $c_i$ to P. The challenge is transmitted as $N_f$ pulses according to the public mapping code, each pulse in the time slot given by $S^V_i$. If the challenge pulses arrive in the expected time slots, the Prover replies with $r_i = R^{c_i}_i$, the $i$-th bit of register $R^{c_i}$, sent with its own time hopping sequence $S^P_i$. Otherwise the Prover detects an attack and replies with the random bit $z_i$ of the register $Z$, sent with the time hopping sequence $q_i$ taken from $q$. Reciprocally, the Verifier also assumes an attack, and stops the protocol, if it receives a pulse in a wrong time slot. Unless an attack is detected, the Verifier computes in each round the RTT $\delta t_i$ between the emission of its last pulse and the reception of the first response pulse. This RTT includes the propagation time $T_p$, the processing delay $t_d$ of the Prover and the offset introduced by the Prover's time hopping sequence $S^P_i$:

$\delta t_i = 2\,T_p + t_d + S^P_i \cdot T_c$    (4)

where $T_c$ is the duration of a time slot.

4) Verification phase: If all the responses $r_i$ sent by the Prover are correct and $\forall i,\ \delta t_i \le t_{max}$, where $t_{max}$ is the upper bound, the protocol succeeds.

Fig. 3. Secret Time Hopping SKI (THSKI).
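The three THSKI phases above, run end to end as an added simulation (this is example code written for this page, not the implementation of [9]). Assumed, because the paper does not fix them: the slot time $T_c$, the processing delay $t_d$, the distance bound, HMAC-SHA256 as the PRF $f_K$, and a simplified channel in which a transmission is a (value, slot list) pair and the RTT of Eq. (4) is computed from the simulated distance. The honest run is compared with a relay that adds delay (caught by the RTT check) and with a relay that does not know the secret code $S^V$ (caught by the time-slot check).

```python
"""Simulated THSKI run: initialization, fast phase, verification (added example, not the paper's code)."""
import hashlib
import hmac
import random

N, NF, NS = 8, 2, 4                          # rounds n, pulses per symbol Nf, time slots Ns
P = NS.bit_length() - 1                      # p = log2(Ns) bits per slot index
TC, TD, C, D_MAX = 2e-9, 5e-9, 3e8, 10.0     # slot time Tc, delay t_d, propagation speed, bound (assumed)
H_LEN = 2 * N * (NF * P + 1)                 # |H| = |S^V| + |S^P| + |R0| + |R1|


def f_k(key, *parts, nbits):
    """PRF f_K(.) truncated to nbits: HMAC-SHA256 in counter mode (assumed instantiation)."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, b"|".join(parts) + bytes([ctr]), hashlib.sha256).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def leakage(mu, k_int):
    """Leakage scheme L_mu(K) = (mu.K, ..., mu.K): n copies of a single inner-product bit of K."""
    return [bin(mu & k_int).count("1") & 1] * N


def th_code(b, off):
    """n sequences of Nf slot indices (p bits each) read from the bit list b at offset off."""
    idx = lambda k: int("".join(map(str, b[off + k * P: off + (k + 1) * P])), 2)
    return [[idx(i * NF + j) for j in range(NF)] for i in range(N)]


def split_state(h):
    """H -> (S^V, S^P, R0, R1); each party derives R2 = R0 xor R1 xor K' itself."""
    b = [(h >> (H_LEN - 1 - i)) & 1 for i in range(H_LEN)]
    base = 2 * N * NF * P
    return th_code(b, 0), th_code(b, N * NF * P), b[base:base + N], b[base + N:base + 2 * N]


def init_phase(key, rng):
    """Nonces, leakage vector mu, and a masked by the PRF; both sides end with H = a."""
    n_p = rng.getrandbits(64).to_bytes(8, "big")             # Prover nonce N_P
    n_v = rng.getrandbits(64).to_bytes(8, "big")             # Verifier nonce N_V
    mu = rng.getrandbits(len(key) * 8).to_bytes(len(key), "big")
    a = rng.getrandbits(H_LEN)                                # Verifier's random vector a
    m = a ^ f_k(key, n_p, n_v, mu, nbits=H_LEN)               # M sent to the Prover
    h = m ^ f_k(key, n_p, n_v, mu, nbits=H_LEN)               # Prover recovers a; shared state H = a
    k_leak = leakage(int.from_bytes(mu, "big"), int.from_bytes(key, "big"))
    sv, sp, r0, r1 = split_state(h)
    r2 = [x ^ y ^ z for x, y, z in zip(r0, r1, k_leak)]
    q = [[rng.randrange(NS) for _ in range(NF)] for _ in range(N)]   # fallback TH sequences q_i
    return sv, sp, [r0, r1, r2], q


def prover_reply(i, c_i, rx_slots, sv, sp, regs, q, rng):
    """r_i = R^{c_i}[i] on S^P_i if the challenge used the expected slots, else a random bit on q_i."""
    if rx_slots == sv[i]:
        return regs[c_i][i], sp[i]
    return rng.getrandbits(1), q[i]


def run(distance_m, key=b"shared-secret-K", attacker=None, seed=1):
    """One THSKI instance. attacker: None (honest), 'relay' (adds 100 ns to the RTT) or
    'blind' (a relay that does not know S^V and guesses the challenge slots). Returns (accepted, reason)."""
    rng = random.Random(seed)
    sv, sp, regs, q = init_phase(key, rng)
    tp = distance_m / C                                       # one-way propagation time T_p
    for i in range(N):
        c_i = rng.randrange(3)                                # challenge selects R0, R1 or R2
        tx_slots = [rng.randrange(NS) for _ in range(NF)] if attacker == "blind" else sv[i]
        r_i, reply_slots = prover_reply(i, c_i, tx_slots, sv, sp, regs, q, rng)
        if reply_slots != sp[i]:                              # pulse in a wrong slot: Verifier stops
            return False, f"round {i}: reply pulses in unexpected time slots"
        if r_i != regs[c_i][i]:
            return False, f"round {i}: wrong response bit"
        # Eq. (4): delta t_i = 2 T_p + t_d + S^P_i Tc, plus whatever a relay adds
        dt = 2 * tp + TD + sp[i][0] * TC + (100e-9 if attacker == "relay" else 0.0)
        d_i = C * (dt - TD - sp[i][0] * TC) / 2               # Eq. (1) after removing the known offsets
        if d_i > D_MAX:
            return False, f"round {i}: distance {d_i:.1f} m exceeds the bound"
    return True, "all responses correct and within the distance bound"


if __name__ == "__main__":
    for dist, atk in [(3.0, None), (3.0, "relay"), (3.0, "blind"), (20.0, None)]:
        print(dist, atk, run(dist, attacker=atk))
```

The two attacker modes separate the two defences of THSKI: the relay that knows nothing about the secret time hopping code is stopped at the first wrong slot before any bit is checked, while a relay that faithfully forwards pulses in the right slots is only caught because the extra propagation shows up in $\delta t_i$.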

III. PRIVACY GROUP DISTANCE BOUNDING PROTOCOLS

A. Group Distance Bounding protocols

Group Distance Bounding (GDB) is the natural extension of the DB concept to group settings with multiple provers and verifiers. Multiple verifiers provide several advantages: higher attack resilience and improved availability (no single point of compromise or failure), and easier localization by multilateration [16]. GDB is motivated by emerging wireless applications such as automotive computer systems, military MANETs and the Internet of Things, in which several devices must securely measure the distance between themselves, or must only operate in the vicinity of each other [16]. GDB involves one or more Provers interacting with one or more Verifiers; the goal of the verifiers is to accurately and securely establish distance bounds to the prover(s) and, optionally, authenticate them. We consider mutual GDB protocols and, among the GDB cases of Figure 4, only the one in which N verifiers establish a DB to a single prover.

Fig. 4. Group Distance Bounding Variants.


For example, in a GDB protocol with one initiator and three participants (four parties in total, Figure 5), only seven messages are needed, since P1, P2 and P3 do not need to compute DBs to each other. Generalizing to M participant nodes, one initiator and n rounds gives a protocol with n(2M + 1) messages without privacy and n(3M) messages with privacy GDB.
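The reason P1, P2 and P3 need no DB rounds of their own is the passive-verifier deduction explained in the next subsection; here it is carried through as a short derivation added for this page (not part of the paper). Assumed: the active verifier $V_a$ and the passive verifier $V_p$ know their mutual distance $d_{ap}$ (for instance from a DB run between the two verifiers), $V_a$ makes its measured distance $d_{aP}$ to the prover available to $V_p$, and $t_d$ is the prover processing delay of Eq. (1).

$V_a$ emits a challenge at an instant $t_0$ that $V_p$ does not know. $V_p$ receives that challenge at

$$ t_1 = t_0 + \frac{d_{ap}}{c} $$

and receives the prover's reply, sent $t_d$ after the challenge reached $P$, at

$$ t_2 = t_0 + \frac{d_{aP}}{c} + t_d + \frac{d_{pP}}{c}. $$

Subtracting eliminates the unknown $t_0$:

$$ t_2 - t_1 = \frac{d_{aP} + d_{pP} - d_{ap}}{c} + t_d, \qquad d_{pP} = c\,(t_2 - t_1 - t_d) + d_{ap} - d_{aP}. $$

Every observed challenge/reply pair yields one such equation, so $V_p$ obtains its distance to $P$ without sending anything. A prover that delays its reply by $\Delta$ inflates $V_a$'s estimate by $c\Delta/2$ (Eq. (1)) and $t_2$ by $\Delta$, so the value computed for $d_{pP}$ grows by $c\Delta/2$ as well: delaying cannot make the prover appear closer to either verifier. The same computation is available to any eavesdropper on the channel, which is the privacy problem addressed in Section III-B.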

Fig. 5. Group Distance Bounding with one initiator and 3 participants.

So it is unnecessary for every verifier to interact directly with the prover P to establish a DB. If at least one (active) verifier $V_a$ interacts with P, any other verifier $V_p$ can deduce the DB between itself and P by observing the messages between P and $V_a$: a passive verifier that observes enough messages can use their reception times to construct equations in which its distance to P is the unknown, and solve the resulting system for that unknown. In previous distance bounding protocols an attacker can likewise compute the distance between P and V just by listening on the channel, which has serious implications in applications where location and distance information is critical (such as location-based access control).

B. Privacy of Group Distance Bounding Protocol

To make the GDB secure we rely on cryptographic algorithms that take into account the requirements of varying security levels and of reduced power consumption in embedded devices [17]. Many such algorithms have been developed. Table II compares the asymmetric key cryptosystems considered for making the GDB THSKI protocol private [18]. Several implementation studies have shown that NTRU is better suited to WSNs than other encryption schemes such as RSA and ECC.

TABLE II. PERFORMANCE COMPARISON OF ASYMMETRIC KEY CRYPTOGRAPHY [18].

  Scheme      Message     Plaintext     Public key    Key generation   Encryption   Decryption
              expansion   block (bits)  size (bits)   (ms)             (ms)         (ms)
  RSA-1024    1-1         1024          1024          1432             4.28         48.5
  ECC-168     2-1         160           169           65               140          67
  NTRU-263    4.5-1       416           1841          19.8             1.9          3.5

Although the underlying mathematical principles have not been questioned, stable recommended practices for the NTRU cryptosystem are still being developed; as a further complication, the recommended optimizations have come from various researchers and are split between hardware and software implementations. At a high security level, NTRU is much faster than RSA and ECC for encryption and decryption; its message expansion (4.5-1), on the other hand, is worse than that of RSA and ECC.

C. NTRU cryptography system

NTRUEncrypt [19] is based on arithmetic in the polynomial ring $R = \mathbb{Z}[x]/(x^N - 1)$, set up by the parameter set $(N, p, q)$ with the following properties:
• All elements of the ring are polynomials of degree at most N − 1, where N is prime.
• Polynomial coefficients are reduced either mod p or mod q, where p and q are relatively prime integers (or polynomials).
• p is considerably smaller than q, which lies between N/2 and N.
• All polynomials are univariate in the variable x.
Multiplication in R is sometimes called "star multiplication" after the asterisk ⋆ used as operator symbol. It is best described as the cyclic (discrete) convolution of two vectors, the coefficients of a polynomial forming a vector in the following way:

$a(x) = a_0 + a_1 x + a_2 x^2 + \ldots + a_{N-1} x^{N-1} = (a_0, a_1, a_2, \ldots, a_{N-1})$

The coefficients $c_k$ of $c(x) = a(x) \star b(x) \pmod{q}$ (or $\pmod{p}$) are each computed as the sum of the partial products $a_i b_j$ with $i + j \equiv k \pmod N$. The modulus used to reduce each coefficient $c_k$ of the result is q for key generation and encryption and p for decryption, as summarized below. A thorough description of these procedures, with an initial security analysis, can be found in [20].

Key generation. The private key f(x) is generated as follows:
1) Choose a random polynomial F(x) from R with small coefficients, i.e. binary from {0, 1} (if p = 2) or ternary from {−1, 0, 1} (if p = 3 or p = x + 2 [16], [17]).
2) Set f(x) = 1 + pF(x), which lowers the decryption failure rate.
The public key h(x) is derived from f(x) as follows:
1) As before, choose a random polynomial g(x) from R.
2) Compute the inverse $f^{-1}(x) \pmod q$.
3) Compute the public key $h(x) = g(x) \star f^{-1}(x) \pmod q$.
Encryption:
1) Encode the plaintext message into a polynomial m(x) with coefficients from {0, 1} or {−1, 0, 1}.
2) Choose a random polynomial $\phi(x)$ from R as above.
3) Compute the ciphertext polynomial $c(x) = p\,\phi(x) \star h(x) + m(x) \pmod q$.
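The key generation and encryption steps above, together with the decryption step described next, as one runnable toy NTRUEncrypt added for this page (it is not the paper's code and not a production implementation). Assumed: the toy parameters (N, p, q) = (11, 3, 97) and small polynomials with d = 3 coefficients equal to +1 and 3 equal to −1, chosen so that decryption can never fail; q is taken prime so that $f^{-1} \bmod q$ can be computed by Gaussian elimination on the circulant matrix of f, whereas real parameter sets use a power-of-two q. These values give no security and only illustrate the arithmetic.

```python
"""Toy NTRUEncrypt: star multiplication, key generation, encryption, decryption (added example)."""
import random

N, P, Q, D = 11, 3, 97, 3   # ring degree, small modulus p, large prime modulus q, weight of small polys (assumed)


def star(a, b, mod):
    """Star multiplication: cyclic convolution in Z[x]/(x^N - 1) with coefficients reduced mod `mod`."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c


def center(a, mod):
    """Lift coefficients from [0, mod) to the symmetric range around zero."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]


def inverse(f, q):
    """f^{-1} in Z_q[x]/(x^N - 1) for prime q, by Gaussian elimination on the circulant matrix of f
    (column j holds the coefficients of x^j * f). Returns None when f is not invertible."""
    A = [[f[(i - j) % N] % q for j in range(N)] + [1 if i == 0 else 0] for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [v * inv % q for v in A[col]]
        for r in range(N):
            if r != col and A[r][col]:
                fac = A[r][col]
                A[r] = [(x - fac * y) % q for x, y in zip(A[r], A[col])]
    return [A[i][N] for i in range(N)]


def random_ternary(rng, d):
    """Random polynomial with d coefficients +1, d coefficients -1 and the rest 0."""
    coeffs = [1] * d + [-1] * d + [0] * (N - 2 * d)
    rng.shuffle(coeffs)
    return coeffs


def keygen(rng):
    """Private key f = 1 + pF (so f = 1 mod p), public key h = g * f^{-1} mod q; retries until f is invertible."""
    while True:
        big_f = random_ternary(rng, D)
        f = [(1 if i == 0 else 0) + P * x for i, x in enumerate(big_f)]
        f_inv = inverse(f, Q)
        if f_inv is not None:
            g = random_ternary(rng, D)
            return f, star(g, f_inv, Q)


def encrypt(h, m, rng):
    """c = p*phi*h + m mod q with a fresh random small polynomial phi; m has coefficients in {-1, 0, 1}."""
    phi = random_ternary(rng, D)
    return [(P * x + y) % Q for x, y in zip(star(phi, h, Q), m)]


def decrypt(f, c):
    """a = f*c mod q = p(phi*g + F*m) + m, centre-lifted so it is exact; a mod p (centre-lifted) is m."""
    a = center(star(f, c, Q), Q)
    return center([x % P for x in a], P)


def roundtrip(m, seed=7):
    """Generate a key pair, encrypt m and decrypt it again; returns (ciphertext, recovered plaintext)."""
    rng = random.Random(seed)
    f, h = keygen(rng)
    c = encrypt(h, m, rng)
    return c, decrypt(f, c)


if __name__ == "__main__":
    msg = [1, 0, -1, 1, 1, 0, -1, 0, 0, 1, -1]
    ct, pt = roundtrip(msg)
    print("ciphertext:", ct)
    print("recovered :", pt, "ok" if pt == msg else "FAILED")
```

With these parameters the largest coefficient of $p(\phi \star g + F \star m) + m$ is at most $3 \cdot (6 + 6) + 1 = 37 < q/2$, which is why the centre lift in `decrypt` recovers the exact integer polynomial and the reduction mod p then returns m without decryption failures; with realistic parameters that bound holds only probabilistically, which is the "decryption failure rate" the paper mentions.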


Decryption:
1) Use the private key f(x) to compute $a(x) = c(x) \star f(x) \pmod q$, lift its coefficients to the range $(-q/2, q/2]$ and reduce them mod p to obtain the message polynomial $m'(x)$; because $f(x) = 1 + pF(x)$, the reduction mod p removes the terms $p\,\phi(x) \star g(x)$ and $pF(x) \star m(x)$ and leaves m(x).
2) Map the coefficients of the message polynomial back to plaintext bits.

D. Privacy GDB-THSKI

In GDB-THSKI, the communication between the Prover and the Verifiers requires, in the initialization phase, the exchange of public keys between the Prover and every Verifier and the negotiation of a session key $SK_{PV_n}$; the THSKI protocol is then run with each Verifier in turn. The full GDB-THSKI protocol is described in Figure 6.

IV. PERFORMANCE ANALYSIS

To simulate and compare our privacy GDB-THSKI (mutual DB) protocol with the ordinary GDB protocol, we first consider the attacks that are the adversary's best strategies: passive distance fraud and node insertion. Second, the metrics used to evaluate GDB protocols are the number of messages sent and received, the overall time to run the GDB protocol, and protocol security [16]. Ordinarily a GDB protocol relies on symmetric (secret key) cryptography, so transmitting the key from the Prover P to the Verifiers $V_i$ over public or insecure channels may compromise the security of the whole network; a secure channel is therefore needed to exchange the master key (the first session key). In privacy GDB-THSKI, the Prover P and each Verifier $V_i$ instead establish a first session key $SK_i$ with the NTRU asymmetric cryptosystem, P holding the key pair $(PK_P, SK_P)$ and $V_i$ the key pair $(PK_{V_i}, SK_{V_i})$, over public and insecure channels. This process is the cornerstone of the security gained by using public key cryptography. Table III compares privacy GDB-THSKI based on the NTRU public key cryptosystem with ordinary GDB based on the AES symmetric key cryptosystem.

TABLE III. PERFORMANCE COMPARISON OF THE PRIVACY GDB-THSKI PROTOCOL AND ORDINARY GDB.

  Protocol             Cryptography   Initialization phase                         Security of network   Number of messages
  Privacy GDB-THSKI    Asymmetric     Public handshake to generate SK              High                  n(4M)
  Ordinary GDB         Symmetric      Secure channel to exchange master key (SK)   Low                   n(3M + 1)

The simulation results show that the NTRU asymmetric algorithm used by GDB-THSKI performs better than the AES symmetric algorithm used by ordinary GDB. Since no practical attack on NTRU is known to date, it can be considered a sound encryption algorithm. In our simulation AES shows poorer performance than NTRU, since it requires more processing power (Figure 7).

Fig. 7. Comparison Encryption/Decryption Time of NTRU, AES algorithms.

V. CONCLUSION

In this paper we first reviewed distance bounding protocols and THSKI, the DB protocol best adapted to TH-UWB radio. Second, we defined GDB and showed that it is a straightforward extension of previous (single prover / single verifier) DB protocols to a mutual multi-party protocol: GDB is the natural extension of the DB concept, and it is useful for military MANETs in hostile environments and for automotive computer systems, without any infrastructure. Our work consists in implementing the privacy GDB protocol on a TH-UWB communication network. We compared the performance of ordinary GDB based on the AES symmetric algorithm with that of our privacy GDB-THSKI based on the NTRU asymmetric algorithm. The choice of NTRU is not arbitrary: we showed that it is faster in encryption and decryption, and consumes less power, than the RSA and ECC algorithms. The obtained results show that the proposed privacy GDB-THSKI protocol achieves a higher security level than ordinary GDB, owing to the security properties of the NTRU asymmetric cryptosystem. Our study is focused on the case of one Prover and multiple Verifiers; future work will investigate privacy GDB-THSKI in the other cases, with M Provers and N Verifiers, for both mutual and one-way GDB in UWB-IR radio networks.


Fig. 6. Privacy GDB-THSKI.


REFERENCES

[1] The UWB Forum (online): http://www.uwbforum.org/aboutds/aboutdsuwb.asp
[2] S. S. Kolenchery, J. K. Townsend, and J. A. Freebersyser, "A novel impulse radio network for tactical military wireless communications," in Proc. MILCOM'98, Boston, MA, Oct. 18-21, 1998, pp. 59-65.
[3] Y. Desmedt, C. Goutier, and S. Bengio, "Special Uses and Abuses of the Fiat-Shamir Passport Protocol," in Advances in Cryptology - CRYPTO'87, Lecture Notes in Computer Science 293, Santa Barbara, California, USA: Springer-Verlag, 1988, pp. 21-39.
[4] S. Brands and D. Chaum, "Distance-Bounding Protocols," in Advances in Cryptology - EUROCRYPT'93, Lecture Notes in Computer Science 765, Springer-Verlag, 1993, pp. 344-359.
[5] G. Hancke and M. Kuhn, "An RFID Distance Bounding Protocol," in Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm 2005), IEEE Computer Society, 2005, pp. 67-73.
[6] N. O. Tippenhauer and S. Capkun, "ID-Based Secure Distance Bounding and Localization," in European Symposium on Research in Computer Security (ESORICS 2009), Lecture Notes in Computer Science 5789, Springer-Verlag, 2009, pp. 621-636.
[7] G. Avoine, S. Mauw, and R. Trujillo-Rasua, "Comparing Distance Bounding Protocols: a Critical Mission Supported by Decision Theory," preprint submitted to Elsevier, March 17, 2015.
[8] A. Benfarah, B. Miscopein, J.-M. Gorce, C. Lauradoux, and B. Roux, "Distance Bounding Protocols on TH-UWB Radios," in Proc. 2010 IEEE Global Telecommunications Conference (Globecom), December 2010, pp. 1-6.
[9] J. Miri, B. Nsiri, and R. Bouallegue, "Secure distance bounding on TH-UWB," in Proc. 6th International Conference on IT Convergence and Security, September 2016, pp. 301-307.
[10] Y. J. Tu and S. Piramuthu, "RFID Distance Bounding Protocols," in First International EURASIP Workshop on RFID Technology, Vienna, Austria, September 2007.
[11] K. B. Rasmussen and S. Capkun, "Realization of RF Distance Bounding," in Proc. 19th USENIX Security Symposium, August 2010, pp. 389-402.
[12] J. Munilla, A. Ortiz, and A. Peinado, "Distance bounding protocols with void-challenges for RFID," printed handout at the Workshop on RFID Security (RFIDSec), 2006.
[13] L. Bussard and W. Bagga, "Distance-Bounding Proof of Knowledge to Avoid Real-Time Attacks," in Proc. 20th International Conference on Security and Privacy in the Age of Ubiquitous Computing, May 2005, pp. 223-238.
[14] I. Boureanu, A. Mitrokotsa, and S. Vaudenay, "Secure and lightweight distance-bounding," in Lightweight Cryptography for Security and Privacy, Springer, 2013, pp. 97-113.
[15] C. H. Kim, G. Avoine, F. Koeune, F.-X. Standaert, and O. Pereira, "The Swiss-Knife RFID Distance Bounding Protocol," in Information Security and Cryptology - ICISC 2008, Seoul, Korea, Lecture Notes in Computer Science 5461, Springer-Verlag, 2009, pp. 98-115.
[16] K. El Defrawy, "Security and Privacy in Location-Based Mobile Ad-Hoc Networks," Ph.D. dissertation, University of California, Irvine, 2010.
[17] K. Wilhelm, "Aspects of hardware methodologies for the NTRU public-key cryptosystem," Ph.D. dissertation, Rochester Institute of Technology, June 2008.
[18] P. Karu and J. Loikkanen, "Practical Comparison of Fast Public-Key Cryptosystems," Tik-110.501 Seminar on Network Security, 2000.
[19] J.-P. Kaps, "Cryptography for ultra-low power devices," Ph.D. dissertation, Worcester Polytechnic Institute, 2006.
[20] G. Gaubatz, J.-P. Kaps, and B. Sunar, "Public Key Cryptography in Sensor Networks," in 1st European Workshop on Security in Ad-Hoc and Sensor Networks (ESAS 2004), pp. 2-18.
