Trusted-HB: a low-cost version of HB+ secure against Man-in-The-Middle attacks

Since the introduction at Crypto'05 by Juels and Weis of the protocol HB+, a lightweight protocol secure against active attacks but only in a detection based-model, many works have tried to enhance its security. We propose here a new approach to achi…

Authors: Julien Bringer, Herve Chabanne

Trusted-HB: a low-cost version of HB+ secure against Man-in-The-Middle attacks

Julien Bringer and Hervé Chabanne*

Abstract

Since the introduction at Crypto'05 by Juels and Weis of the protocol HB+, a lightweight protocol secure against active attacks but only in a detection based-model, many works have tried to enhance its security. We propose here a new approach to achieve resistance against Man-in-The-Middle attacks. Our requirements, in terms of extra communications and hardware, are surprisingly low.

Keywords. RFID, HB+ protocol, Low-cost cryptography, Authentication, Man-in-The-Middle attacks.

1 Introduction

Radio Frequency IDentification (RFID) systems are still a great challenge for research in the field of security and privacy. One main problem is the need for ultra-lightweight cryptographic protocols.

At Crypto'05, HB+, a now famous cryptographic authentication protocol very well suited for low-cost hardware implementation, was introduced by Juels and Weis [9]. It enables tags to identify themselves to the reader. HB+ is presented as an improvement of the Hopper and Blum (HB) authentication scheme [7]. The security of these protocols relies on the hardness of the computational Learning Parity with Noise (LPN) problem [1, 2, 5, 8, 13]. The protocol HB+ is proved secure against active attacks, while preserving HB's advantages: mainly, requiring so few resources to run that it can be implemented with only a few gates on an RFID tag. However, at the same time, Gilbert, Robshaw and Sibert [6] describe a Man-in-The-Middle (MiTM) attack on HB+ not covered by the corresponding security model.

* J. Bringer and H. Chabanne are with Sagem Sécurité, Eragny, France. This work was partially supported by the French ANR RNRT project T2TIT.
Since this attack, various modifications of HB+ have been proposed to increase its security [3, 4, 14, 15, 16]. However, none has yet succeeded in stating formal security against MiTM attacks. In this paper, we take a new and very natural approach. We still use the protocol HB+ as an identification scheme, but also as a way to initiate a confidential channel to authenticate the tag in a more classical manner in a second phase.

2 HB+ protocol

Following [7], the HB+ protocol security is based on the Learning Parity with Noise (LPN) problem. Note that several algorithms [1, 2, 8] are known to solve this problem and the recent proposals of [5, 13] are among the most efficient.

LPN Problem. Let $A$ be a random $q \times k$ binary matrix, $\vec{x}$ a random $k$-bit vector, $0 < \eta < 1/2$ a noise parameter and $\vec{\nu}$ a random $q$-bit vector of weight $\mathrm{wt}_H(\vec{\nu}) \le \eta q$. Given $A$, $\eta$ and $\vec{z} = A \cdot {}^t\vec{x} \oplus \vec{\nu}$, find a $k$-bit vector $\vec{x}'$ such that $\mathrm{wt}_H(A \cdot {}^t\vec{x}' \oplus \vec{z}) \le \eta q$.

The HB+ protocol is made of $r$ successive iterations of a round, as described in Fig. 1, where the two $k$-bit vectors $\vec{x}$ and $\vec{y}$ are secret keys shared by the Tag and the Reader. The Tag is successfully authenticated if the check fails at most $u \times r$ times for a given threshold $u$. Moreover, the Reader does not need to know a priori which tags and secrets are involved for the protocol to work. Eventually, [13] highlights that the sizes of $\vec{x}$ and $\vec{a}$ may differ from those of $\vec{y}$ and $\vec{b}$, as the first ones only need to be 80-bit long to avoid guesses whereas the second ones are used to rely on the LPN problem.

Figure 1: One round of HB+, between Tag($\vec{x}, \vec{y}$) and Reader($\vec{x}, \vec{y}$):
• Tag: draw a noise bit $\nu \in \{0, 1\}$ with $\Pr[\nu = 1] = \eta$ and a random blinding vector $\vec{b} \in_R \{0,1\}^k$; send $\vec{b}$ to the Reader.
• Reader: send a random challenge $\vec{a} \in_R \{0,1\}^k$ to the Tag.
• Tag: compute $z = \vec{a}\cdot\vec{x} \oplus \vec{b}\cdot\vec{y} \oplus \nu$ and send $z$ to the Reader.
• Reader: check if $\vec{a}\cdot\vec{x} \oplus \vec{b}\cdot\vec{y} = z$.
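The round of Fig. 1 and the threshold rule, as an added Python illustration that is not code from the paper. Vectors are held as Python ints and the inner product over $\mathbb{F}_2$ is the parity of the bitwise AND. The sizes $k = 32$ and $r = 512$ are assumed toy values (the paper discusses 80- and 512-bit secrets); $\eta = 0.25$ and $u = 0.348$ are the values the paper uses in Section 3.4. A genuine tag fails a check only in the rounds where $\nu = 1$, so about $\eta r$ times, while a prover that does not hold $(\vec{x}, \vec{y})$ can only guess $z$ and fails about $r/2$ times; the threshold $u$ sits between the two.

```python
"""HB+ rounds as in Fig. 1 with the threshold acceptance rule (added example).
Toy sizes are assumptions: K = 32 bits, R = 512 rounds; ETA and U as in the paper."""
import random

K = 32          # length of x, y, a and b (assumed toy size)
R = 512         # number of rounds r (assumed toy size)
ETA = 0.25      # noise parameter eta
U = 0.348       # threshold u: reject if more than U * R checks fail


def dot(a, b):
    """Inner product over F2 of two K-bit vectors held as ints."""
    return bin(a & b).count("1") & 1


def tag_response(x, y, a, b, nu):
    """Tag side of one round: z = a.x xor b.y xor nu."""
    return dot(a, x) ^ dot(b, y) ^ nu


def reader_check(x, y, a, b, z):
    """Reader side of one round: does z equal a.x xor b.y?"""
    return dot(a, x) ^ dot(b, y) == z


def run_hbplus(x, y, respond, rng):
    """Run r rounds against a prover given as respond(a, b, nu).
    Returns (accepted, number of failed checks)."""
    failures = 0
    for _ in range(R):
        b = rng.getrandbits(K)                  # Tag's blinding vector
        a = rng.getrandbits(K)                  # Reader's challenge
        nu = 1 if rng.random() < ETA else 0     # Tag's noise bit
        z = respond(a, b, nu)
        if not reader_check(x, y, a, b, z):
            failures += 1
    return failures <= U * R, failures


def demo(seed=7):
    """Genuine tag versus a prover that does not know (x, y); seeded for repeatability."""
    rng = random.Random(seed)
    x, y = rng.getrandbits(K), rng.getrandbits(K)
    # genuine tag: knows (x, y); its checks fail only where nu = 1
    genuine = run_hbplus(x, y, lambda a, b, nu: tag_response(x, y, a, b, nu), rng)
    # prover without (x, y): can only guess z, so about half of the checks fail
    impostor = run_hbplus(x, y, lambda a, b, nu: rng.getrandbits(1), rng)
    return genuine, impostor


if __name__ == "__main__":
    print(demo())
```

With $r = 512$ the genuine tag's failure count is roughly $128 \pm 10$ and the guessing prover's roughly $256 \pm 11$, against a cut-off of $u \times r \approx 178$; the paper's $r = 1164$ makes the two distributions separate far more sharply, which is where its $2^{-40}$ and $2^{-80}$ figures come from.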
In [9], Juels and Weis prove that the protocol is secure against passive and active attacks in their security model, thanks to the difficulty of the LPN problem. Unfortunately, their model does not take into account the extra information given by the result (positive or negative) of an authentication, and this is exploited during the attack introduced in [6].

The attack of [6] is a linear-time MiTM attack where an adversary located between the Reader and the Tag is able to corrupt the challenge at every round. The adversary chooses a vector $\vec{\delta}$ in $\{0,1\}^k$ and, when a challenge $\vec{a}$ is sent by the Reader, he intercepts the challenge and switches it to $\vec{a} \oplus \vec{\delta}$. Hence, at the end of the round, the Reader will receive $\tilde{z} = (\vec{a} \oplus \vec{\delta})\cdot\vec{x} \oplus \vec{b}\cdot\vec{y} \oplus \nu$ from the Tag. This is repeated along almost all the rounds in order to deduce information from the result of the authentication. If the authentication succeeds (resp. fails), we have $\vec{\delta}\cdot\vec{x} = 0$ (resp. $\vec{\delta}\cdot\vec{x} = 1$) with high probability. So one can recover $\vec{x}$ "bit after bit" by varying $\vec{\delta}$ progressively.

The security of HB+ has also been extensively analyzed to extend the protocol to parallel and concurrent executions in [10] and to explore further the large error case ($1/4 < \eta < 1/2$) in [11].

3 Our proposal

3.1 Preliminary definitions

In order to resist Man-in-The-Middle attacks, a natural idea is to send a proof of integrity of the different parameters to the Reader. The problem is to find a lightweight algorithm to achieve this. In particular, classical MAC algorithms, obtained from cryptographic block ciphers or cryptographic one-way hash functions, seem too heavy in our case. Interestingly, we can rely on more traditional hashing techniques following the work of Carter and Wegman [18] and specifically on the very simple construction proposed by Krawczyk [12].
Krawczyk uses in [12] a family $H$ of linear hash functions which map $\{0,1\}^m$ to $\{0,1\}^n$ in a balanced way following the next definition.

Definition 1. A family $H$ of hash functions is called $\epsilon$-balanced (or $\epsilon$-almost universal) if $\forall \vec{x} \in \{0,1\}^m, \vec{x} \neq 0, \forall \vec{c} \in \{0,1\}^n$: $\Pr[h \in H, h(\vec{x}) = \vec{c}] \le \epsilon$.

Now we suppose that the parties share a common key which consists of the choice of a particular function $h \in H$ and a random pad $\vec{e}$ of length $n$; then the message authentication of a message $\vec{x}$ is computed as $\vec{t} = h(\vec{x}) \oplus \vec{e}$. Here, an adversary will succeed in breaking the authentication if he finds $\vec{x}'$ and $\vec{t}'$ such that $\vec{t}' = h(\vec{x}') \oplus \vec{e}$. With respect to the simplicity of this construction, it is important that an adversary does not learn which $h$ or $\vec{e}$ is involved. If $H$ is a family of linear hash functions and if $H$ is $\epsilon$-balanced, then it is proved in [12] that the probability of success of an adversary is lower than $\epsilon$; the scheme is then said $\epsilon$-secure. This clearly emphasizes the interest of this construction. Following the principle of a one-time pad, the same $h$ can be reused but $\vec{e}$ must be different each time, i.e. it is $\epsilon$-secure against any adversary (unconditionally) only if $\vec{e}$ is a random pad.

LFSR-based Toeplitz construction. To construct such hash families, an efficient solution is provided in [12]. The author simplifies the multiplication with a boolean matrix by restricting it to specific Toeplitz matrices which can be described by an LFSR. Let the LFSR be represented by its feedback polynomial $P$, an irreducible polynomial over $\mathbb{F}_2$ of degree $n$, and an initial state $\vec{s} = (s_0, \ldots, s_{n-1}) \neq 0$; then $h_{P,\vec{s}} \in H$ is defined by the linear combination $h_{P,\vec{s}}(\vec{x}) = \bigoplus_{j=0}^{m-1} x_j \cdot \vec{S}_j$, where $\vec{S}_j$ is the $j$-th state of the LFSR (i.e. $\vec{S}_0 = \vec{s}$).
Following [12], this family $H$ is then $\epsilon$-balanced for at least an $\epsilon \le \frac{m}{2^{n-1}}$. Moreover, a hash $h_{P,\vec{s}}$ is easily implemented in hardware and a second advantage is that the message authentication can be computed progressively with an accumulator register which is updated after each message bit: the implementation does not depend on the size $m$ of $\vec{x}$.

3.2 Description

We describe here the improved version we propose for HB+ to thwart Man-in-The-Middle attacks.

We now suppose that the Tag and the Reader share a key $(\vec{x}, \vec{y}, h)$ with $\vec{x} \in \{0,1\}^{k_1}$, $\vec{y} \in \{0,1\}^{k_2}$ and $h \in H$ for $H$ a linear and $\epsilon$-balanced hash family. The beginning stays unchanged: $r$ rounds of the HB+ protocol are executed (see Fig. 1), i.e. for $i$ from 0 to $r - 1$:

• $\vec{b}_i \in_R \{0,1\}^{k_2}$ is sent to the Reader;
• $\vec{a}_i \in_R \{0,1\}^{k_1}$ is sent to the Tag;
• $\nu_i \in \{0, 1 \mid \Pr[\nu = 1] = \eta\}$ is taken;
• $z_i = \vec{a}_i\cdot\vec{x} \oplus \vec{b}_i\cdot\vec{y} \oplus \nu_i$ is sent to the Reader;
• the Reader checks whether $z_i = \vec{a}_i\cdot\vec{x} \oplus \vec{b}_i\cdot\vec{y}$.

Thereafter, if the number of incorrect checks is lower than the threshold $u \times r$, the Reader waits for a last message to authenticate the Tag. This first phase, corresponding to an execution of the HB+ protocol, is interpreted as a way to recover, among a set of registered secrets $\{(\vec{x}_j, \vec{y}_j, h_j)\}_j$, which $(\vec{x}, \vec{y})$ has been used. Once the correct $(\vec{x}, \vec{y})$ is found, the Tag will authenticate itself with the associated function $h$.

After the $r$ rounds of this first phase, the second phase is the following.

1. Starting with the noise $\vec{\nu} = (\nu_0, \ldots, \nu_{r-1})$, the Tag computes $\vec{e} = E(\vec{\nu}) \in \{0,1\}^n$ and sends $\vec{t} = h(\vec{a}_0, \vec{b}_0, z_0, \ldots, \vec{a}_{r-1}, \vec{b}_{r-1}, z_{r-1}) \oplus \vec{e}$ to the Reader, following the principles of [12] recalled in Sec. 3.1.
2. For all $i \in \{0, \ldots, r-1\}$, the Reader recovers $\nu_i = z_i \oplus \vec{a}_i\cdot\vec{x} \oplus \vec{b}_i\cdot\vec{y}$, computes $\vec{e} = E(\vec{\nu}) \in \{0,1\}^n$ and checks the validity of the received tag $\vec{t}$ with respect to the received words $\vec{a}_0, \vec{b}_0, z_0, \ldots, \vec{a}_{r-1}, \vec{b}_{r-1}, z_{r-1}$.

Here $E$ maps an $\eta$-biased vector in $\{0,1\}^r$ to a quasi-random vector of $\{0,1\}^n$ (cf. Section 3.4) and $h$ is defined over $\{0,1\}^m$ with $m = r \cdot (k_1 + k_2 + 1)$. If the verification succeeds then the authentication is done.

Informally, the original HB+ protocol helps to identify the Tag while it also transmits a pseudo-random pad $\vec{e}$ to the Reader. This information enables us to construct a final message authentication whose aim is to prove the integrity of the communications.

3.3 Security arguments

First, the protocol is obviously correct as the last verification is straightforward when there is no perturbation of the communications. Secondly, with a good pseudo-random function $E$ the last iteration would bring no useful information for solving the LPN problem with secrets $(\vec{x}, \vec{y})$, so it seems to inherit the security of HB+ against passive and active (not MiTM) attacks. Moreover, we have:

Theorem 1. If the message authentication scheme induced by the hash family $H$ is $\epsilon$-secure and if the output of $E$ is random and unknown, then any MiTM adversary has a probability of success of at most $\epsilon$.

Sketch of the proof. Indeed, an adversary has a probability at most $\epsilon$ of being authenticated with modified communications. Suppose that the Tag has received altered challenges $\vec{a}'_0, \ldots, \vec{a}'_{r-1}$ and that the Reader received modified answers $\vec{b}'_0, \ldots, \vec{b}'_{r-1}, z'_0, \ldots, z'_{r-1}$ and a message authentication tag $\vec{t}'$. To be valid, $\vec{t}'$ must be equal to $h(\vec{a}_0, \vec{b}'_0, z'_0, \ldots, \vec{a}_{r-1}, \vec{b}'_{r-1}, z'_{r-1}) \oplus E(\vec{\nu}')$ with $\nu'_i = z'_i \oplus \vec{a}_i\cdot\vec{x} \oplus \vec{b}'_i\cdot\vec{y}$. If $\vec{\nu}'$ is unknown to the adversary, then this happens only with a probability lower than $\epsilon$ thanks to [12]. □

Note that the knowledge of $\vec{\nu}'$ is conditioned by the difficulty of retrieving $\vec{x}$ and $\vec{y}$ from the communications.

3.4 Implementation

Here we only add one iteration to the $r$ iterations of HB+. Moreover, as mentioned in Section 3.1, an LFSR-based Toeplitz hashing is easy to embed in hardware circuits. It is still the case even with an important number of rounds: we can take advantage of the construction to compute progressively the last authentication message $\vec{t}$ round after round thanks to an accumulator which is updated input bit by input bit. Thus the computation cost is low.

The main question remains on the function $E$ which must ensure a good randomness of its output with the biased vector $\vec{\nu}$ as input. We might use a randomness extractor to implement $E$. For instance, if we assume that the bits of $\vec{\nu}$ are independent and identically distributed (as it is for the analysis of the LPN solving algorithms such as [13]), the von Neumann procedure [17] outputs a sequence of statistically independent and equiprobable bits. On an input source $x_1, \ldots, x_N$, it considers pairs $(x_{2i+1}, x_{2i+2})$ and outputs $x_{2i+1}$ if they differ, nothing otherwise. For a bias $\eta$, from a source of length $N$, the output has a mean length of $N \times \eta(1 - \eta)$.

Example of parameters. Following [13], we choose for the underlying HB+ protocol $\eta = 0.25$, $k_1 = 80$ and $k_2 = 512$ to ensure 80 bits of security with respect to the best known algorithm to solve instances of the LPN problem. In this case, with a threshold $u = 0.348$ and $r = 1164$ rounds, the probability to reject a genuine tag will be about $2^{-40}$ and the probability of authentication with random guesses will be close to $2^{-80}$. The size $m = r \cdot (k_1 + k_2 + 1)$ of the final message to authenticate is then sufficiently large and, if we use the von Neumann extractor, it leads to a mean output length of 218 with a standard deviation of about 13. In practice, we restrict ourselves to the first $n$ bits with $n = 101$. With an LFSR-based Toeplitz hash family of [12], it enables us to achieve an $\epsilon$-secure message authentication algorithm with $\epsilon \le 2^{-80}$. Note that the probability to extract less than 101 bits in this situation is lower than $2^{-72}$, so it is unlikely to happen (if it happens, the authentication process could restart).

4 Conclusion

Traditional remedies to the MiTM problems of HB+ work fine. The addition of a cryptographic check of the communications prevents an adversary from modifying the exchanges between a Tag and its Reader. The reuse of the techniques of Krawczyk [12] for enforcing integrity is here determinant as it enables us to propose a solution which is still suitable for low-cost Tags.

References

[1] A. Blum, M. L. Furst, M. J. Kearns, and R. J. Lipton. Cryptographic primitives based on hard learning problems. In Advances in Cryptology – CRYPTO'93, Lecture Notes in Computer Science, pages 278–291. Springer-Verlag, 1993.
[2] A. Blum, A. Kalai, and H. Wasserman. Noise-tolerant learning, the parity problem, and the statistical query model. In STOC 2000, pages 435–440, 2000.
[3] J. Bringer, H. Chabanne, and E. Dottax. HB++: a lightweight authentication protocol secure against some attacks. In SecPerU, pages 28–33. IEEE Computer Society, 2006.
[4] D. N. Duc and K. Kim. Securing HB+ against GRS man-in-the-middle attack. Proceedings of the Symposium on Cryptography and Information Security (SCIS2007), 2007.
[5] M. P. C. Fossorier, M. J. Mihaljevic, H. Imai, Y. Cui, and K. Matsuura. An algorithm for solving the LPN problem and its application to security evaluation of the HB protocols for RFID authentication. In Rana Barua and Tanja Lange, editors, INDOCRYPT, volume 4329 of Lecture Notes in Computer Science, pages 48–62. Springer, 2006.
[6] H. Gilbert, M. Robshaw, and H. Sibert. An active attack against HB+ - a provably secure lightweight authentication protocol. IEE Electronic Letters, 41(21):1169–1170, 2005.
[7] N. J. Hopper and M. Blum. Secure human identification protocols. In Colin Boyd, editor, Advances in Cryptology - ASIACRYPT 2001, volume 2248 of Lecture Notes in Computer Science, pages 52–66. Springer-Verlag, 2001.
[8] J. Håstad. Some optimal inapproximability results. In STOC 1997, pages 1–10, 1997.
[9] A. Juels and S. Weis. Authenticating pervasive devices with human protocols. In Victor Shoup, editor, Advances in Cryptology – CRYPTO'05, volume 3126 of Lecture Notes in Computer Science, pages 293–308. Springer-Verlag, 2005.
[10] J. Katz and J. S. Shin. Parallel and concurrent security of the HB and HB+ protocols. In Serge Vaudenay, editor, EUROCRYPT, volume 4004 of Lecture Notes in Computer Science, pages 73–87. Springer, 2006.
[11] J. Katz and A. Smith. Analyzing the HB and HB+ protocols in the "large error" case. Cryptology ePrint Archive, Report 2006/326, 2006.
[12] H. Krawczyk. LFSR-based hashing and authentication. In Yvo Desmedt, editor, CRYPTO, volume 839 of Lecture Notes in Computer Science, pages 129–139. Springer, 1994.
[13] E. Levieil and P.-A. Fouque. An improved LPN algorithm. In Roberto De Prisco and Moti Yung, editors, SCN, volume 4116 of Lecture Notes in Computer Science, pages 348–359. Springer, 2006.
[14] J. Munilla and A. Peinado. HB-MP: A further step in the HB-family of lightweight authentication protocols. Computer Networks, 51(9):2262–2267, 2007.
[15] S. Piramuthu. HB and related lightweight authentication protocols for secure RFID tag/reader authentication. In Collaborative Electronic Commerce Technology and Research – CollECTeR 2006, Basel, Switzerland, June 2006.
[16] S. Piramuthu and Y.-J. Tu. Modified HB authentication protocol. Western European Workshop on Research in Cryptology, WEWoRC, 2007.
[17] J. von Neumann. Various techniques used in connection with random digits. Applied Math Series, 12:36–38, 1951.
[18] M. N. Wegman and L. Carter. New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci., 22(3):265–279, 1981.
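Returning to Sections 3.1 to 3.4, the following Python block is an added end-to-end illustration, not code from the paper. It implements Krawczyk's LFSR-based Toeplitz hash $h_{P,\vec{s}}$ with the bit-by-bit accumulator of Section 3.1, the von Neumann extractor as $E$ (Section 3.4), the Tag's final message $\vec{t} = h(\ldots) \oplus E(\vec{\nu})$ and the Reader's recovery of $\vec{\nu}$ and verification (Section 3.2), and then runs the check of Theorem 1 on a transcript whose last $z$ bit was altered between Tag and Reader (a constructed single-bit modification, not the GRS attack). The parameters $k_1 = 16$, $k_2 = 32$, $r = 512$ and $n = 8$ with $P = x^8 + x^4 + x^3 + x^2 + 1$ are assumed toy values; the paper uses $k_1 = 80$, $k_2 = 512$, $r = 1164$, $n = 101$. Vectors are held as Python ints with bit $i$ of the LFSR state holding $s_{j+i}$.

```python
"""Trusted-HB second phase end to end (added example, not the paper's code).
Toy parameters are assumptions; the paper uses k1=80, k2=512, r=1164, n=101."""
import random

K1, K2 = 16, 32   # lengths of x / a and of y / b (assumed)
R = 512           # HB+ rounds r (assumed)
ETA = 0.25        # noise rate eta
U = 0.348         # threshold u
N = 8             # LFSR degree n (assumed); P = x^8 + x^4 + x^3 + x^2 + 1, irreducible over F2
TAPS = 0x1D       # coefficients of P below x^8: s_{j+8} = s_{j+4} ^ s_{j+3} ^ s_{j+2} ^ s_j


def parity(v):
    return bin(v).count("1") & 1


def lfsr_toeplitz_hash(bits, s):
    """h_{P,s}(x) = XOR over j with x_j = 1 of the LFSR state S_j, with S_0 = s != 0.
    One accumulator is updated per message bit, so the cost is independent of m."""
    assert 0 < s < (1 << N)
    state, acc = s, 0
    for b in bits:
        if b:
            acc ^= state
        # drop s_j, append s_{j+n} computed from the tapped bits
        state = (state >> 1) | (parity(state & TAPS) << (N - 1))
    return acc


def extract_pad(noise):
    """E: von Neumann extractor on the eta-biased noise vector, keeping the first n
    output bits; returns None when fewer than n come out (the protocol restarts)."""
    out = [noise[i] for i in range(0, len(noise) - 1, 2) if noise[i] != noise[i + 1]]
    if len(out) < N:
        return None
    return int("".join(map(str, out[:N])), 2)


def transcript_bits(transcript):
    """Serialise (a_0, b_0, z_0, ..., a_{r-1}, b_{r-1}, z_{r-1}) as m = r(k1+k2+1) bits."""
    bits = []
    for a, b, z in transcript:
        bits += [(a >> i) & 1 for i in range(K1)]
        bits += [(b >> i) & 1 for i in range(K2)]
        bits.append(z)
    return bits


def tag_final_message(s, tag_transcript, noise):
    """Step 1 of the second phase, on the Tag: t = h(transcript) xor E(nu)."""
    e = extract_pad(noise)
    return None if e is None else lfsr_toeplitz_hash(transcript_bits(tag_transcript), s) ^ e


def reader_verify(x, y, s, reader_transcript, t):
    """First-phase threshold check, then step 2 of the second phase, on the Reader."""
    noise = [z ^ parity(a & x) ^ parity(b & y) for a, b, z in reader_transcript]
    if sum(noise) > U * R:
        return False
    e = extract_pad(noise)
    if e is None:
        return False
    return t == lfsr_toeplitz_hash(transcript_bits(reader_transcript), s) ^ e


def run_protocol(seed=1, tamper_last_z=False):
    """Honest run returns True. With tamper_last_z the last z is flipped in transit
    (constructed modification): the Reader hashes a different transcript and rejects."""
    rng = random.Random(seed)
    x, y = rng.getrandbits(K1), rng.getrandbits(K2)
    s = rng.getrandbits(N) or 1          # shared h = h_{P,s}; the LFSR seed must be nonzero
    tag_view, reader_view, noise = [], [], []
    for i in range(R):
        b, a = rng.getrandbits(K2), rng.getrandbits(K1)
        nu = 1 if rng.random() < ETA else 0
        z = parity(a & x) ^ parity(b & y) ^ nu
        tag_view.append((a, b, z))
        noise.append(nu)
        z_seen = z ^ 1 if (tamper_last_z and i == R - 1) else z
        reader_view.append((a, b, z_seen))
    t = tag_final_message(s, tag_view, noise)
    return False if t is None else reader_verify(x, y, s, reader_view, t)


if __name__ == "__main__":
    print("honest:", run_protocol(), "tampered:", run_protocol(tamper_last_z=True))
```

Because $h$ is linear, the two sides' hashes differ by $h$ of the one-bit difference, i.e. by the single LFSR state $\vec{S}_{m-1}$, which is never zero for a nonzero seed and an irreducible $P$; the Reader therefore rejects the altered transcript whatever pad it derives. The `None` return of `extract_pad` is the restart case the paper mentions for a source that yields fewer than $n$ extracted bits.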
