Security with Noisy Data
description
Transcript of Security with Noisy Data
Security with Noisy Data
Boris ŠkorićTU EindhovenEi/Ψ anniversary, 24 April 2009
1
OUTLINE
1.Private biometrics
2.Physical Unclonable Functions (PUFs)
• PUFs for anti-counterfeiting
• PUFs for secure key storage
3.Fuzzy extractors
4.General remarks
2
Private biometrics: intro
What's so private?•fingerprints everywhere•easily photographed•no secrecy!
Biometrics database•access control•identification
Insider attacks• db encryption not enough!
How to abuse the database? • impersonation• identity theft• cross-db linking• detectable pathologies• ... yet undiscovered attacks
3
How to preserve privacy?
•Don't store biometric itself
•Store a one-way hash(like UNIX password file)
•Attacker has to invert hash
Problem: noise
•Measurement never the same twice
•Any bit flip ⇒hash totally changed
•Need error correction
•Redundancy data may leak!
one-wayfunction
00101101011110111001...
4
Private biometrics: noisy biometrics
SecureSketch
Recover
hash compare
Gen
[Dodis et al., 2003]
"Fuzzy Extractor"
Uniform string:
• Efficient storage
• Quick db search
• Efficient processing
5
HelperData Reproduce
"extractedstring"
compare
Gen
Private biometrics: secure error correction
6
OUTLINE
1.Private biometrics
2.Physical Unclonable Functions (PUFs)
• PUFs for anti-counterfeiting
• PUFs for secure key storage
3.Fuzzy extractors
4.General remarks
The counterfeiting problem
Frightening numbers:10% of all medication10% aircraft spare parts
Short history of paper money• 800 AD: China, first bills•1450 AD: China abolishes paper money•1601 AD: introduction in Sweden
7
Anti-counterfeiting: introduction
8
Anti-counterfeiting: think big
[Source: Kirovski 2007]
Anti-counterfeiting, more voodoo than science
Lots of obscurity
9
Traditional approach:
• add authenticity mark to product
• hard to forge
• all marks are identicalEr, ... WTF?
10
Alternative: [Bauder, Simmons < 1991]
• unique marks
- uncontrollable process
- even manufacturer cannot clone
• digitally signed
• two-step verification
- check sig., then check mark
• forgery ← cloning / fake signature
• allows "open" approach
- product info- expiry date- mark details
Digital signatureby Authority XYZ
- product info- expiry date- mark details
Digital signatureby Authority XYZ
Anti-counterfeiting: a new approach
Physical Unclonable Function (PUF) [Pappu et al. 2001]
•physical object
•unpredictable challenge-response behaviour
•hard to scrutinize without damaging
•hard to model mathematically
•hard ($) to clone physically, even for manufacturer
Use PUF as anti-counterfeiting mark
Anti-counterfeiting: PUFs
Examples of anti-counterfeiting PUFs
Kirovski et al. 2006Microsoft research
Škorić et al. 2008Philips research
Pappu et al. 2001Buchanan et al. 2005MIT, Ingenia,Philips research
Anti-counterfeiting: PUF types
Simplest case:
•mark is not secret
•use "distance" between measurements
•no error correction
Just like biometrics.
Use fuzzy extractor!
Without added mark:
•mark is part of product
•mark not really secret
•but ... preserve "privacy" of product
•noisy measurements
Anti-counterfeiting: analogy with biometrics
OUTLINE
1.Private biometrics
2.Physical Unclonable Functions (PUFs)
• PUFs for anti-counterfeiting
• PUFs for secure key storage
3.Fuzzy extractors
4.General remarks
Secure key storage: intro
Problem:
• Many devices need secret keys
- authentication
- encryption / decryption
- signing
• Digital key storage
- 0/1 often distinguishable
- invasive attacks
Alternative approach: Derive key from PUF
•more opaque than digital memory
•extract key when needed, then wipe from RAM
•invasive attack ⇒ key destroyed
Physical Unclonable Function (PUF)•physical object
•unpredictable challenge-response behaviour
•hard to scrutinize without damaging•hard to model mathematically
•hard ($) to clone physically, even for manufacturer
"Physically Obscured Key" (POK)[Gassend et al. 2003]
16
EEPROM
- Helper data
- EK[Device secrets]
PUF
Sensor
reproduce
K
Crypto processor
Inte
gra
ted
Secure key storage: PUFs
TiN
TiO2
S-RAM PUF[Guajardo et al., Su et al. 2007]
Coating PUF[Posch 1998; Tuyls et al. 2006]
Integrated optical PUF[Ophey et al. 2006]
Silicon PUF[Gassend et al. 2002]
FPGA "butterfly"[Kumar et al. 2008]
Secure key storage: PUF types
OUTLINE
1.Private biometrics
2.Physical Unclonable Functions (PUFs)
• PUFs for anti-counterfeiting
• PUFs for secure key storage
3.Fuzzy extractors
4.General remarks
Required for e.g.
•privacy preserving biometrics
•anti-counterfeiting with "product privacy"
•PUF-based key storage
Properties
• Secrecy and uniformity: Δ(WS; WU) ≤ ε.
"S given W is almost uniform"
• Correctness: If X' sufficiently close to X, then S'=S.
• Robustness [Boyen et al. 2005]:Detection of active attack against W
noisy
Dodis et al. 2003Juels+Wattenberg 1999Linnartz+Tuyls 2003
Fuzzy Extractors: intro
Fuzzy Extractors: high-level look at helper data
X
W
Enrolment phase
X: measurement W: helper data S: region index (extracted secret)
S
Gen(X) = {S, W}
X sufficiently "smooth" ⇒ W reveals little or nothing about S
Fuzzy Extractors: high-level look at helper data
X'
Reproduction phase
W
S
Rep(X',W) = S
You need helper data.
You really do.
Fuzzy Extractors: necessity of helper data
• Enrolments happen after fixing grid
• Some X inevitably on boundary
- noise can go either way
• Helper data removes the ambiguity
Fuzzy Extractors: active attacks
Active Attack: Modify Waccept wrong X'accept key S' ≠ S
Defense:
1.TTP's signature on W.
2.But ... what if there's no PKI?Use secret S itself to authenticate W !
a. hash(W||S). [Boyen 2005]
• random oracle assumption
b. Sacrifice part of S as authentication key.
• S = S1 || S2.
• MAC(S1, W) (sort of) [Dodis et al. 2006]
• information-theoretic security if X has sufficient entropy rate
24
Fuzzy Extractors & PUFs: variety of disciplines
FUZZYEXTRACTION
FROM PUF
physics informatio
n theory
crypto
error-correcting codes
security engineerin
g
OUTLINE
1.Private biometrics
2.Physical Unclonable Functions (PUFs)
• PUFs for anti-counterfeiting
• PUFs for secure key storage
3.Fuzzy extractors
4.General remarks
General remarks: PUF proliferation
optical PUF
coating PUF
Silicon PUF
optical fiber PUF
RF COA
LC-PUF
S-RAM PUF
Arbiter PUF
fluorescent PUF
Delay PUF
Butterfly PUF
diode breakdown PUF
reconfigurable PUF
acoustic PUF
controlled PUF
phosphor PUF
...
General remarks: PUF family tree
MvD
General remarks: after years of preaching the PUF gospel ...
29
General remarks: ¥€££$
Making money from security with noisy data
Philips spin-off
Philips spin-off
MIT spin-off
Imperial College Londonspin-off
• Noisy sources of key material
- privacy preserving storage of biometric data
- anti-counterfeiting
- secure key storage with PUFs
• Fuzzy extractors
- extract key from noisy source
- reproducibility
- secrecy of output
- resilience against attacks on helper data
• Subject becoming more popular
• Not just theory, also $$$
Summary