Security with Noisy Data

Boris Škorić, TU Eindhoven, Ei/Ψ anniversary, 24 April 2009


Transcript of Security with Noisy Data

Page 1: Security with Noisy Data

Security with Noisy Data

Boris Škorić, TU Eindhoven, Ei/Ψ anniversary, 24 April 2009

1

Page 2: Security with Noisy Data

OUTLINE

1. Private biometrics
2. Physical Unclonable Functions (PUFs)
   • PUFs for anti-counterfeiting
   • PUFs for secure key storage
3. Fuzzy extractors
4. General remarks

Page 3: Security with Noisy Data

Private biometrics: intro

What's so private?
• fingerprints everywhere
• easily photographed
• no secrecy!

Biometrics database
• access control
• identification

Insider attacks
• db encryption not enough!

How to abuse the database?
• impersonation
• identity theft
• cross-db linking
• detectable pathologies
• ... yet undiscovered attacks

Page 4: Security with Noisy Data

Private biometrics: noisy biometrics

How to preserve privacy?
• Don't store biometric itself
• Store a one-way hash (like UNIX password file)
• Attacker has to invert hash

[Figure: biometric → one-way function → 00101101011110111001...]

Problem: noise
• Measurement never the same twice
• Any bit flip ⇒ hash totally changed
• Need error correction
• Redundancy data may leak!

Page 5: Security with Noisy Data

Private biometrics: secure error correction

[Figure, two constructions. (a) Secure sketch [Dodis et al., 2003]: Gen produces the SecureSketch; Recover reconstructs the biometric from a noisy measurement plus the sketch; then hash and compare. (b) "Fuzzy Extractor": Gen produces HelperData and an "extracted string"; Reproduce regenerates the string from a noisy measurement plus the helper data; then compare.]

Uniform string:
• Efficient storage
• Quick db search
• Efficient processing
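The secure sketch / fuzzy extractor pair on this slide, as an added worked example that is not part of the original deck. It uses the code-offset construction (W = X ⊕ C for a random codeword C, S = Hash(C)) with a constructed 5-fold repetition code and SHA-256 standing in for the strong extractor; the 20-bit measurement, the noise positions and the function names `gen`, `rep`, `flip` and `intra_block_relations` are all assumptions made here. It shows the three points of the previous slide: a plain hash breaks under a single bit flip, Rep recovers S while the noise is within the code's capacity, and the redundancy in W leaks something about X (which bits of X agree inside each code block). The same Gen/Rep pair is what the PUF-based key storage later in the deck relies on.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

# Constructed toy error-correcting code: every secret bit is repeated REP times and
# majority vote corrects up to (REP-1)//2 flips per block.  A deployed sketch would
# use a real code (BCH, Reed-Solomon, ...) with a chosen error-correction capacity.
REP = 5


def encode(msg: str) -> str:
    """Repetition-code encoder: '1011' -> '11111000001111111111'."""
    return "".join(bit * REP for bit in msg)


def decode(codeword: str) -> str:
    """Majority-vote decoder over blocks of REP bits."""
    blocks = [codeword[i:i + REP] for i in range(0, len(codeword), REP)]
    return "".join("1" if b.count("1") > REP // 2 else "0" for b in blocks)


def xor(a: str, b: str) -> str:
    return "".join("1" if p != q else "0" for p, q in zip(a, b))


def flip(bits: str, positions: List[int]) -> str:
    """Simulate measurement noise by flipping the given bit positions."""
    out = list(bits)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)


def gen(x: str, msg: Optional[str] = None) -> Tuple[bytes, str]:
    """Gen(X) -> (S, W): code-offset secure sketch W = X xor C for a random codeword C,
    then S = SHA-256(C) as a stand-in for a strong extractor.
    `msg` fixes the codeword for reproducible runs; omit it to pick a random one."""
    if msg is None:
        msg = "".join(secrets.choice("01") for _ in range(len(x) // REP))
    c = encode(msg)
    w = xor(x, c)
    s = hashlib.sha256(c.encode()).digest()
    return s, w


def rep(x_prime: str, w: str) -> bytes:
    """Rep(X', W) -> S: C' = X' xor W is C with the measurement noise on top;
    decode-and-re-encode strips the noise, then hash exactly as Gen did."""
    c_noisy = xor(x_prime, w)
    c = encode(decode(c_noisy))
    return hashlib.sha256(c.encode()).digest()


def intra_block_relations(bits: str) -> List[str]:
    """XOR of the first bit of each block with the remaining bits of that block.
    Because every block of C is constant, this quantity is identical for W and X:
    the public helper data reveals which bits of X agree within each block.  That is
    the 'redundancy data may leak' caveat in concrete form."""
    blocks = [bits[i:i + REP] for i in range(0, len(bits), REP)]
    return [xor(b[0] * (REP - 1), b[1:]) for b in blocks]


if __name__ == "__main__":
    x = "00000111110101010011"          # constructed 20-bit enrolment measurement
    s, w = gen(x, msg="1011")
    x_one = flip(x, [0, 7, 13, 16])     # one flip per block: within the code's capacity
    x_three = flip(x, [0, 1, 2])        # three flips in one block: beyond capacity
    print("plain hash survives noise:", hashlib.sha256(x.encode()).digest() == hashlib.sha256(x_one.encode()).digest())
    print("Rep recovers S under tolerable noise:", rep(x_one, w) == s)
    print("Rep fails under excess noise:", rep(x_three, w) != s)
    print("W leaks intra-block relations of X:", intra_block_relations(w) == intra_block_relations(x))
```

The leakage shown by `intra_block_relations` is why the entropy of X must comfortably exceed the redundancy of the code: with a repetition code each block of W gives away REP-1 bits of structure of X, which is the loss a designer has to budget for before S can be called uniform.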


Page 7: Security with Noisy Data

Anti-counterfeiting: introduction

The counterfeiting problem

Frightening numbers:
• 10% of all medication
• 10% of aircraft spare parts

Short history of paper money
• 800 AD: China, first bills
• 1450 AD: China abolishes paper money
• 1601 AD: introduction in Sweden

Page 8: Security with Noisy Data

Anti-counterfeiting: think big

Page 9: Security with Noisy Data

Anti-counterfeiting, more voodoo than science

Lots of obscurity

[Source: Kirovski 2007]

Page 10: Security with Noisy Data

Anti-counterfeiting: a new approach

Traditional approach:
• add authenticity mark to product
• hard to forge
• all marks are identical ... Er, WTF?

Alternative: [Bauder, Simmons < 1991]
• unique marks
  - uncontrollable process
  - even manufacturer cannot clone
• digitally signed
• two-step verification
  - check sig., then check mark
• forgery ← cloning / fake signature
• allows "open" approach

[Figure: label carrying product info, expiry date and mark details, with a digital signature by Authority XYZ]

Page 11: Security with Noisy Data

Anti-counterfeiting: PUFs

Physical Unclonable Function (PUF) [Pappu et al. 2001]
• physical object
• unpredictable challenge-response behaviour
• hard to scrutinize without damaging
• hard to model mathematically
• hard ($) to clone physically, even for manufacturer

Use PUF as anti-counterfeiting mark

Page 12: Security with Noisy Data

Anti-counterfeiting: PUF types

Examples of anti-counterfeiting PUFs
• Kirovski et al. 2006 (Microsoft Research)
• Škorić et al. 2008 (Philips Research)
• Pappu et al. 2001; Buchanan et al. 2005 (MIT, Ingenia, Philips Research)

Page 13: Security with Noisy Data

Anti-counterfeiting: analogy with biometrics

Simplest case:
• mark is not secret
• use "distance" between measurements
• no error correction

Just like biometrics.

Without added mark:
• mark is part of product
• mark not really secret
• but ... preserve "privacy" of product
• noisy measurements

Use fuzzy extractor!
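The "simplest case" on this slide (public mark, distance between measurements, no error correction), as an added example that is not part of the original deck. The verifier stores a reference response at enrolment and accepts a product if a fresh measurement lies within a fractional Hamming distance threshold of it; this is the second step of the two-step verification from the earlier slide, run after the label's signature has been checked. The bit-flip noise model, the 256-bit response length, the 0.25 threshold, the seed and the function names (`verify_mark`, `remeasure`, `distance_margins`, `demo`) are assumptions made here. The `distance_margins` helper shows the property a practitioner must actually check before choosing a threshold: the largest intra-distance (same mark, noise) must stay clearly below the smallest inter-distance (different mark).

```python
import random
from typing import Tuple


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length responses."""
    if len(a) != len(b):
        raise ValueError("responses must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def fractional_distance(a: bytes, b: bytes) -> float:
    """Hamming distance normalised to [0, 1]."""
    return hamming(a, b) / (8 * len(a))


def verify_mark(reference: bytes, fresh: bytes, threshold: float = 0.25) -> bool:
    """Accept iff the fresh measurement is within `threshold` of the enrolled reference.
    No error correction and no secrecy: the reference response is public."""
    return fractional_distance(reference, fresh) < threshold


def random_response(nbytes: int, rng: random.Random) -> bytes:
    """Constructed stand-in for the response of an independent (different) PUF."""
    return bytes(rng.getrandbits(8) for _ in range(nbytes))


def remeasure(response: bytes, flip_prob: float, rng: random.Random) -> bytes:
    """Constructed noise model: each bit of the response flips independently."""
    out = bytearray(response)
    for i in range(len(out)):
        for bit in range(8):
            if rng.random() < flip_prob:
                out[i] ^= 1 << bit
    return bytes(out)


def distance_margins(nbytes: int, flip_prob: float, trials: int,
                     rng: random.Random) -> Tuple[float, float]:
    """Largest intra-distance (same PUF, noise) and smallest inter-distance (other PUFs)
    observed over `trials`; a usable threshold has to sit between the two."""
    ref = random_response(nbytes, rng)
    max_intra = max(fractional_distance(ref, remeasure(ref, flip_prob, rng)) for _ in range(trials))
    min_inter = min(fractional_distance(ref, random_response(nbytes, rng)) for _ in range(trials))
    return max_intra, min_inter


def demo(seed: int = 2009, nbytes: int = 32, flip_prob: float = 0.1) -> Tuple[bool, bool, float, float]:
    """Enrol one mark, re-measure it with noise, try an unrelated mark, and report
    (genuine accepted, other mark accepted, max intra-distance, min inter-distance)."""
    rng = random.Random(seed)                  # seeded so the run is reproducible
    reference = random_response(nbytes, rng)   # stored at enrolment, public
    genuine = verify_mark(reference, remeasure(reference, flip_prob, rng))
    other = verify_mark(reference, random_response(nbytes, rng))
    lo, hi = distance_margins(nbytes, flip_prob, 200, rng)
    return genuine, other, lo, hi


if __name__ == "__main__":
    print(demo())
```

With 10% bit noise the intra-distances cluster around 0.10 and the inter-distances around 0.50, so a 0.25 threshold leaves a wide margin; a mark whose two distributions overlap cannot be verified this way at any threshold, which is the moment to move to the fuzzy-extractor approach of the following slides.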


Page 15: Security with Noisy Data

Secure key storage: intro

Problem:
• Many devices need secret keys
  - authentication
  - encryption / decryption
  - signing
• Digital key storage
  - 0/1 often distinguishable
  - invasive attacks

Alternative approach: Derive key from PUF
• more opaque than digital memory
• extract key when needed, then wipe from RAM
• invasive attack ⇒ key destroyed

Page 16: Security with Noisy Data

Secure key storage: PUFs

Physical Unclonable Function (PUF)
• physical object
• unpredictable challenge-response behaviour
• hard to scrutinize without damaging
• hard to model mathematically
• hard ($) to clone physically, even for manufacturer

"Physically Obscured Key" (POK) [Gassend et al. 2003]

[Figure: integrated circuit containing PUF → sensor → reproduce → K → crypto processor; EEPROM holds the helper data and E_K[device secrets]]

Page 17: Security with Noisy Data

Secure key storage: PUF types

[Figure labels: TiN, TiO2 (coating PUF materials)]

• S-RAM PUF [Guajardo et al., Su et al. 2007]
• Coating PUF [Posch 1998; Tuyls et al. 2006]
• Integrated optical PUF [Ophey et al. 2006]
• Silicon PUF [Gassend et al. 2002]
• FPGA "butterfly" [Kumar et al. 2008]


Page 19: Security with Noisy Data

Fuzzy Extractors: intro

Required for e.g.
• privacy preserving biometrics
• anti-counterfeiting with "product privacy"
• PUF-based key storage

[Dodis et al. 2003; Juels + Wattenberg 1999; Linnartz + Tuyls 2003]

Properties
• Secrecy and uniformity: Δ(WS; WU) ≤ ε, i.e. the statistical distance between (W, S) and (W, U), with U uniform, is at most ε: "S given W is almost uniform".
• Correctness: if the noisy X' is sufficiently close to X, then S' = S.
• Robustness [Boyen et al. 2005]: detection of active attack against W.

Page 20: Security with Noisy Data

Fuzzy Extractors: high-level look at helper data

Enrolment phase: Gen(X) = {S, W}

[Figure: X: measurement, W: helper data, S: region index (extracted secret)]

X sufficiently "smooth" ⇒ W reveals little or nothing about S

Page 21: Security with Noisy Data

Fuzzy Extractors: high-level look at helper data (continued)

Reproduction phase: Rep(X', W) = S

[Figure: noisy measurement X' and helper data W in, S out]

Page 22: Security with Noisy Data

Fuzzy Extractors: necessity of helper data

You need helper data. You really do.
• Enrolments happen after fixing grid
• Some X inevitably on boundary
  - noise can go either way
• Helper data removes the ambiguity
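The grid picture of the last three slides, as an added example that is not part of the original deck. A measurement X is quantized on a grid fixed before enrolment; S is the region index and the helper data W is the offset that moves X to the centre of its cell, so a later X' within half a cell of X lands in the same region. The cell width, the sample values 2.98 and 0.05, and the names `region`, `gen`, `rep`, `candidates`, `gen_vector`, `rep_vector` are assumptions made here. `candidates` makes the "W reveals little or nothing about S" point concrete: for any helper value there is one enrolment value in every cell that would have produced it, so W alone does not pin down the region.

```python
from typing import List, Tuple

Q = 1.0  # width of a quantization cell (constructed grid, fixed before any enrolment)


def region(x: float, q: float = Q) -> int:
    """Region index of a measurement on the fixed grid, with no helper data."""
    return int(x // q)


def gen(x: float, q: float = Q) -> Tuple[int, float]:
    """Enrolment Gen(X) = {S, W}: S is the region index, W the offset that moves X to
    the centre of its cell.  Any X' within q/2 of X then quantizes to the same S."""
    s = region(x, q)
    centre = (s + 0.5) * q
    return s, centre - x


def rep(x_prime: float, w: float, q: float = Q) -> int:
    """Reproduction Rep(X', W) = S: apply the stored offset, then quantize."""
    return region(x_prime + w, q)


def candidates(w: float, cells: range, q: float = Q) -> List[float]:
    """For a given helper value W, the enrolment value in each cell of `cells` that
    would have produced exactly this W.  One candidate per cell: if X is spread
    smoothly over the grid, W carries no information about which cell S is."""
    return [(s + 0.5) * q - w for s in cells]


def gen_vector(xs: List[float], q: float = Q) -> Tuple[List[int], List[float]]:
    """Gen applied feature by feature to a vector measurement."""
    pairs = [gen(x, q) for x in xs]
    return [s for s, _ in pairs], [w for _, w in pairs]


def rep_vector(xs_prime: List[float], ws: List[float], q: float = Q) -> List[int]:
    """Rep applied feature by feature."""
    return [rep(xp, w, q) for xp, w in zip(xs_prime, ws)]


if __name__ == "__main__":
    x, noise = 2.98, 0.05   # constructed: enrolment value 0.02 below a cell boundary
    s, w = gen(x)
    print("without helper data:", region(x), "vs", region(x + noise))   # 2 vs 3: ambiguity
    print("with helper data:   ", s, "vs", rep(x + noise, w))           # 2 vs 2: resolved
    print("candidates for W:", [round(c, 2) for c in candidates(w, range(0, 4))])
```

The boundary case is exactly the one the slide warns about: X = 2.98 quantizes to region 2, but a +0.05 noise pushes the raw measurement into region 3. With W stored, Rep first shifts X' back to the cell centre, so the same noise is absorbed; the tolerance is half a cell in either direction, independent of where in the cell X happened to fall.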

Page 23: Security with Noisy Data

Fuzzy Extractors: active attacks

Active attack: modify W ⇒ accept wrong X', accept key S' ≠ S

Defense:
1. TTP's signature on W.
2. But ... what if there's no PKI? Use secret S itself to authenticate W!
   a. hash(W || S) [Boyen 2005]
      • random oracle assumption
   b. Sacrifice part of S as authentication key.
      • S = S1 || S2
      • MAC(S1, W) (sort of) [Dodis et al. 2006]
      • information-theoretic security if X has sufficient entropy rate
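Defense 2b from this slide, as an added example that is not part of the original deck: the extracted string is split as S = S1 || S2, S1 keys a MAC over the helper data, and Rep releases S2 only when the tag verifies. The quantization Gen/Rep is the centre-offset scheme of the preceding slides; SHA-256 over the region indices stands in for the extractor and HMAC-SHA256 is a computational stand-in for the (information-theoretic) MAC the slide refers to. The grid width, the sample feature vector, the text encoding of W and the names `quantize`, `extract`, `encode_w`, `gen`, `rep` are assumptions made here. Any change to the offsets or the tag changes either S1' or the recomputed tag, so a tampered W is rejected rather than silently yielding a wrong key.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

Q = 1.0  # quantization cell width (constructed grid)


def quantize(xs: List[float]) -> Tuple[List[int], List[float]]:
    """Gen for a vector of features: region indices plus centre offsets."""
    idx = [int(x // Q) for x in xs]
    return idx, [(s + 0.5) * Q - x for s, x in zip(idx, xs)]


def extract(idx: List[int]) -> Tuple[bytes, bytes]:
    """Hash the region indices into S = S1 || S2: S1 authenticates W, S2 is the key."""
    s = hashlib.sha256(",".join(map(str, idx)).encode()).digest()
    return s[:16], s[16:]


def encode_w(offsets: List[float]) -> bytes:
    """Canonical byte encoding of the offsets, so the MAC covers exactly what is stored."""
    return ",".join(f"{o:.6f}" for o in offsets).encode()


def gen(xs: List[float]) -> Tuple[bytes, Tuple[List[float], bytes]]:
    """Robust Gen: W = (offsets, tag) with tag = MAC(S1, offsets); only S2 is released."""
    idx, offsets = quantize(xs)
    s1, s2 = extract(idx)
    tag = hmac.new(s1, encode_w(offsets), hashlib.sha256).digest()
    return s2, (offsets, tag)


def rep(xs_prime: List[float], w: Tuple[List[float], bytes]) -> Optional[bytes]:
    """Robust Rep: recompute S1' from X' and the received offsets, verify the tag,
    and release S2' only on success.  A modified W changes S1' (and hence the
    expected tag) or no longer matches the stored tag, so it is detected."""
    offsets, tag = w
    idx = [int((xp + o) // Q) for xp, o in zip(xs_prime, offsets)]
    s1, s2 = extract(idx)
    expected = hmac.new(s1, encode_w(offsets), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # active attack on W (or excessive noise) detected: no key released
    return s2


if __name__ == "__main__":
    x = [2.98, 0.30, 5.60, 1.10]                          # constructed enrolment vector
    s2, w = gen(x)
    noisy = [v + d for v, d in zip(x, [0.05, -0.1, 0.2, -0.3])]
    print("honest W, noisy X' reproduces S2:", rep(noisy, w) == s2)
    offsets, tag = w
    tampered = ([offsets[0] + 1.0] + offsets[1:], tag)    # shift one feature by a whole cell
    print("tampered W rejected:", rep(noisy, tampered) is None)
```

Note the cost the slide mentions: S1 is consumed by the authentication and is not available as key material, so the source must have enough entropy to pay for both halves. Rejecting with `None` instead of returning a key is the point of robustness: without the tag, the tampered W above would make Rep hand back a perfectly valid-looking but wrong key.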

Page 24: Security with Noisy Data

Fuzzy Extractors & PUFs: variety of disciplines

[Figure: FUZZY EXTRACTION FROM PUF at the centre, drawing on physics, information theory, crypto, error-correcting codes and security engineering]


Page 26: Security with Noisy Data

General remarks: PUF proliferation

optical PUF

coating PUF

Silicon PUF

optical fiber PUF

RF COA

LC-PUF

S-RAM PUF

Arbiter PUF

fluorescent PUF

Delay PUF

Butterfly PUF

diode breakdown PUF

reconfigurable PUF

acoustic PUF

controlled PUF

phosphor PUF

...

Page 27: Security with Noisy Data

General remarks: PUF family tree

MvD

Page 28: Security with Noisy Data

General remarks: after years of preaching the PUF gospel ...

Page 29: Security with Noisy Data

General remarks: ¥€££$

Making money from security with noisy data

[Figure: company logos]
• Philips spin-off
• Philips spin-off
• MIT spin-off
• Imperial College London spin-off

Page 30: Security with Noisy Data

Summary

• Noisy sources of key material
  - privacy preserving storage of biometric data
  - anti-counterfeiting
  - secure key storage with PUFs
• Fuzzy extractors
  - extract key from noisy source
  - reproducibility
  - secrecy of output
  - resilience against attacks on helper data
• Subject becoming more popular
• Not just theory, also $$$