Security with Noisy Data

utterlypanoramicSecurity

Nov 30, 2013 (3 years and 10 months ago)

88 views

Security with Noisy Data

Boris Škorić

TU Eindhoven

Ei/Ψ anniversary, 24 April 2009

1

OUTLINE

1.
Private biometrics

2.
Physical Unclonable Functions (PUFs)


PUFs for anti
-
counterfeiting


PUFs for secure key storage

3.
Fuzzy extractors

4.
General remarks

2

Private biometrics: intro

What's so private?


fingerprints everywhere


easily photographed


no secrecy!

Biometrics database


access control


identification


Insider attacks


db encryption not enough!

How to abuse the database?


impersonation


identity theft


cross
-
db linking


detectable pathologies


... yet undiscovered attacks

3

How to preserve privacy?


Don't store biometric itself


Store a one
-
way hash

(like UNIX password file)


Attacker has to invert hash

Problem:
noise


Measurement never the same twice


Any bit flip

hash totally changed


Need error correction


Redundancy data may leak!

one
-
way

function

4

Private biometrics: noisy biometrics

Secure

Sketch

Recover

hash

compare

Gen

[Dodis et al., 2003]

"Fuzzy Extractor"

Uniform string:


Efficient storage


Quick db search


Efficient processing

5

Helper

Data

Reproduce

"extracted

string"

compare

Gen

Private biometrics: secure error correction

6

OUTLINE

1.
Private biometrics

2.
Physical Unclonable Functions (PUFs)


PUFs for anti
-
counterfeiting


PUFs for secure key storage

3.
Fuzzy extractors

4.
General remarks

The counterfeiting problem

Frightening numbers
:

10% of all medication

10% aircraft spare parts


Short history of paper money



800 AD: China, first bills


1450 AD: China abolishes paper money


1601 AD: introduction in Sweden

7

Anti
-
counterfeiting: introduction

8

Anti
-
counterfeiting: think big

[Source: Kirovski 2007]

Anti
-
counterfeiting, more voodoo than science

Lots of obscurity

9

Traditional approach
:


add authenticity mark to product


hard to forge


all marks are identical

Er, ... WTF?

10

Alternative
:
[Bauder, Simmons < 1991]


unique marks

-
uncontrollable process

-
even manufacturer cannot clone


digitally signed


two
-
step verification

-
check sig., then check mark


forgery


cloning / fake
signature


allows "open" approach

-

product info

-

expiry date

-

mark details


Digital signature

by Authority XYZ

Anti
-
counterfeiting: a new approach

Physical Unclonable Function (PUF)

[Pappu et al. 2001]


physical object


unpredictable challenge
-
response behaviour


hard to scrutinize without damaging


hard to model mathematically


hard ($) to clone physically, even for manufacturer

Use PUF as anti
-
counterfeiting mark

Anti
-
counterfeiting: PUFs

Examples of anti
-
counterfeiting PUFs

Kirovski et al. 2006

Microsoft research

Škorić et al. 2008

Philips research

Pappu et al. 2001

Buchanan et al. 2005

MIT, Ingenia,

Philips research


Anti
-
counterfeiting: PUF types

Simplest case:


mark is not secret


use "distance" between measurements


no error correction

Just like biometrics.


Use fuzzy extractor!

Without added mark:


mark is part of product


mark not really secret


but ... preserve "privacy" of product


noisy measurements

Anti
-
counterfeiting: analogy with biometrics

OUTLINE

1.
Private biometrics

2.
Physical Unclonable Functions (PUFs)


PUFs for anti
-
counterfeiting


PUFs for secure key storage

3.
Fuzzy extractors

4.
General remarks

Secure key storage: intro

Problem
:


Many devices need secret keys

-
authentication

-
encryption / decryption

-
signing


Digital key storage

-
0/1 often distinguishable

-
invasive attacks

Alternative approach: Derive key from PUF


more opaque than digital memory


extract key when needed, then wipe from RAM


invasive attack


key destroyed


Physical Unclonable Function (PUF)


physical object


unpredictable challenge
-
response behaviour


hard to scrutinize without damaging


hard to model mathematically


hard ($) to clone physically, even for manufacturer

"Physically Obscured Key" (POK)

[Gassend et al. 2003]

16

EEPROM


-

Helper data


-

E
K
[Device secrets]

PUF

Sensor

reproduce

K

Crypto processor

Integrated

Secure key storage: PUFs

TiN

TiO
2

S
-
RAM PUF

[Guajardo et al., Su et al. 2007]


Coating PUF

[Posch 1998; Tuyls et al. 2006]

Integrated optical PUF

[Ophey et al. 2006]

Silicon PUF

[Gassend et al. 2002]

FPGA "butterfly"

[Kumar et al. 2008]

Secure key storage: PUF types

OUTLINE

1.
Private biometrics

2.
Physical Unclonable Functions (PUFs)


PUFs for anti
-
counterfeiting


PUFs for secure key storage

3.
Fuzzy extractors

4.
General remarks

Required for e.g.


privacy preserving biometrics


anti
-
counterfeiting with "product privacy"


PUF
-
based key storage

Properties


Secrecy and uniformity:
Δ(WS; WU) ≤ ε
.

"S given W is almost uniform"


Correctness:
If X' sufficiently close to X, then S'=S
.


Robustness
[Boyen et al. 2005]
:

Detection of active attack against W

noisy

Dodis et al. 2003

Juels+Wattenberg 1999

Linnartz+Tuyls 2003

Fuzzy Extractors: intro

Fuzzy Extractors: high
-
level look at helper data

X

W

Enrolment phase

X: measurement


W: helper data


S: region index (extracted secret)

S

Gen(X) = {S, W}

X sufficiently "smooth"


W reveals little or nothing about S

Fuzzy Extractors: high
-
level look at helper data

X'

Reproduction phase

W

S

Rep(X',W) = S

You need helper data.

You really do.

Fuzzy Extractors: necessity of helper data


Enrolments happen after fixing grid


Some X inevitably on boundary

-
noise can go either way


Helper data removes the ambiguity

Fuzzy Extractors: active attacks

Active Attack
: Modify W


accept wrong X'


accept key S' ≠ S

Defense
:

1.
TTP's signature on W.

2.
But ... what if there's no PKI?

Use secret S itself to authenticate W
!

a.
hash(W||S).
[Boyen 2005]


random oracle assumption

b.
Sacrifice part of S as authentication key.


S = S
1
|| S
2
.


MAC(S
1
, W) (sort of)
[Dodis et al. 2006]


information
-
theoretic security if X has sufficient entropy rate


24

Fuzzy Extractors & PUFs: variety of disciplines

FUZZY

EXTRACTION

FROM PUF

crypto

OUTLINE

1.
Private biometrics

2.
Physical Unclonable Functions (PUFs)


PUFs for anti
-
counterfeiting


PUFs for secure key storage

3.
Fuzzy extractors

4.
General remarks

General remarks: PUF proliferation

optical PUF

coating PUF

Silicon PUF

optical fiber PUF

RF COA

LC
-
PUF

S
-
RAM PUF

Arbiter PUF

fluorescent PUF

Delay PUF

Butterfly PUF

diode breakdown PUF

reconfigurable PUF

acoustic PUF

controlled PUF

phosphor PUF

...


General remarks: PUF family tree

MvD

General remarks: after years of preaching the PUF gospel ...

29

General remarks: ¥

££$

Making money from
security with noisy data


Philips spin
-
off

Philips spin
-
off

MIT spin
-
off

Imperial College London

spin
-
off


Noisy sources of key material

-
privacy preserving storage of biometric data

-
anti
-
counterfeiting

-
secure key storage with PUFs



Fuzzy extractors

-
extract key from noisy source

-
reproducibility

-
secrecy of output

-
resilience against attacks on helper data



Subject becoming more popular



Not just theory, also $$$

Summary