2016 | OriginalPaper | Chapter

Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token

Authors: Ian Goldberg, Graeme Jenkinson, Frank Stajano

Published in: Applied Cryptography and Network Security

Publisher: Springer International Publishing


Abstract

Hardware tokens for user authentication need a secure and usable mechanism to lock them when not in use. The Pico academic project proposes an authentication token unlocked by the proximity of simpler wearable devices that provide shares of the token’s master key. This method, however, is vulnerable to a cold boot attack: an adversary who captures a running Pico could extract the master key from its RAM and steal all of the user’s credentials. We present a cryptographic countermeasure—bivariate secret sharing—that protects all the credentials except the one in use at that time, even if the token is captured while it is on. Remarkably, our key storage costs for the wearables that supply the cryptographic shares are very modest (256 bits) and remain constant even if the token holds thousands of credentials. Although bivariate secret sharing has been used before in slightly different ways, our scheme is leaner and more efficient and achieves a new property—cold boot protection. We validated the efficacy of our design by implementing it on a commercial Bluetooth Low Energy development board and measuring its latency and energy consumption. For reasonable choices of latency and security parameters, a standard CR2032 button-cell battery can power our prototype for 5–7 months, and we demonstrate a simple enhancement that could make the same battery last for over 9 months.


Footnotes
1
In Pico, for additional security, some special shares are supplied by user biometrics and by a network server [2], and different shares may have different weights [6]. The work described in this paper is independent of these features, so for simplicity we ignore them in what follows and treat all shares equally unless otherwise noted.
 
2
We repeat these requirements in Sect. 2 for the convenience of the reader.
 
3
The number of devices compromised by the attacker can never go down (the attacker cannot “unlearn” the secrets of a device he previously compromised) and any Picosibling that he ever compromised counts towards the quota that cannot reach k in our adversary model.
 
4
Note that such protected storage would be needed by Pico to protect the communication keys with the Picosiblings regardless of cold boot protection, as acknowledged by Stannard and Stajano [8].
 
5
If \(N \le 256\) then each credential has its own bin and can be decrypted independently of the others. If \(N > 256\) then some bins may contain more than one credential, which will be encrypted and decrypted together.
 
6
This description is intended to capture the essential features of our implementation rather than act as a formal specification.
 
7
The communication key is diversified by performing a CBC-MAC (using the AES coprocessor) on two fixed values (1 and 2). The Picosibling does not possess a source of cryptographically strong randomness, and therefore is not trusted to generate random keys.
 
8
As an optimization, computation in \(GF(2^8)\) is performed with two precomputed 256-byte tables: the first provides the lookup \(i \mapsto g^i\) and the second \(g^i \mapsto i\), for a generator g. Note that although the CC2541 device contains 256 KB of flash, it has no free 64 KB segment capable of holding the 256 * 256 B lookup table that precomputing the entire multiplication table in \(GF(2^8)\) would require.
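An added example, not code from the paper or the Pico project, of the footnote's table-based \(GF(2^8)\) arithmetic and of the k-of-n threshold sharing it serves: two 256-byte log/antilog tables replace the 64 KB product table, and the same two lookups drive Shamir share evaluation and Lagrange recovery (the paper's bivariate scheme itself is not reproduced). It assumes the AES reduction polynomial x^8+x^4+x^3+x+1 and generator g = 3, neither of which the page states; every function name and the 3-of-5 split in threshold_demo are constructed for illustration.

```c
#include <stdint.h>
/* Two 256-byte tables as in footnote 8 (i -> g^i and g^i -> i) replace the 64 KB product
 * table that has no free flash segment on the CC2541. Assumed, not stated on the page:
 * the AES reduction polynomial x^8+x^4+x^3+x+1 (0x11b) and generator g = 3. */
static uint8_t gf_exp[256], gf_log[256];
static int tables_ready = 0;
static uint8_t gf_mul_slow(uint8_t a, uint8_t b) {  /* reference shift-and-add multiply */
    uint8_t p = 0;
    for (; b; b >>= 1) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));  /* xtime with reduction */
    }
    return p;
}
void gf_init_tables(void) {  /* fill both tables by walking the powers of g once */
    if (tables_ready) return;
    uint8_t x = 1;
    for (int i = 0; i < 255; i++) { gf_exp[i] = x; gf_log[x] = (uint8_t)i; x = gf_mul_slow(x, 3); }
    gf_exp[255] = 1;  /* g^255 = 1 closes the cycle */
    tables_ready = 1;
}
uint8_t gf_mul(uint8_t a, uint8_t b) {  /* a*b = g^(log a + log b): two lookups, no loop */
    gf_init_tables();
    return (a && b) ? gf_exp[(gf_log[a] + gf_log[b]) % 255] : 0;
}
uint8_t gf_inv(uint8_t a) { gf_init_tables(); return a ? gf_exp[(255 - gf_log[a]) % 255] : 0; }  /* a^-1 = g^(255 - log a); 0 -> 0 */
int gf_tables_consistent(void) {  /* every table product matches the slow path */
    for (int a = 0; a < 256; a++) for (int b = 0; b < 256; b++)
        if (gf_mul((uint8_t)a, (uint8_t)b) != gf_mul_slow((uint8_t)a, (uint8_t)b)) return 0;
    return 1;
}

/* Share y = f(x) of a degree-(k-1) polynomial whose constant term coef[0] is the secret. */
uint8_t shamir_share(const uint8_t *coef, int k, uint8_t x) {
    uint8_t y = 0;
    for (int i = k - 1; i >= 0; i--) y = gf_mul(y, x) ^ coef[i];  /* Horner's rule */
    return y;
}
/* f(0) from k shares with distinct nonzero xs by Lagrange interpolation (char 2: -x = x). */
uint8_t shamir_recover(const uint8_t *xs, const uint8_t *ys, int k) {
    uint8_t s = 0;
    for (int i = 0; i < k; i++) {
        uint8_t num = 1, den = 1;
        for (int j = 0; j < k; j++)
            if (j != i) { num = gf_mul(num, xs[j]); den = gf_mul(den, xs[i] ^ xs[j]); }
        s ^= gf_mul(ys[i], gf_mul(num, gf_inv(den)));
    }
    return s;
}
/* Constructed 3-of-5 split of the secret 0x2a; rebuilding from shares 2, 4 and 5 returns 0x2a. */
uint8_t threshold_demo(void) {
    const uint8_t coef[3] = {0x2a, 0x11, 0x7f};  /* coef[1..2] must be random in real use */
    uint8_t xs[3] = {2, 4, 5}, ys[3];
    for (int i = 0; i < 3; i++) ys[i] = shamir_share(coef, 3, xs[i]);
    return shamir_recover(xs, ys, 3);
}
```

With this polynomial the FIPS-197 vectors {57}·{83} = {c1} and {57}·{13} = {fe} hold, and gf_tables_consistent() checks all 65536 table products against the slow multiply before the tables are trusted.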
 
9
As detailed in Kamath and Lindh [19], when sleeping the device enters Power Mode 2, where the current consumed is 1 µA.
 
10
Measured as the voltage across a 1 kΩ resistor.
 
11
This value was produced by applying the KLM-GOMS methodology (a modelling approach for predicting how long it takes an expert user to accomplish a task on a computing system) [22].
 
Literature
1. FIDO Alliance: FIDO UAF complete specifications FINAL 1.0, December 2014
2. Stajano, F.: Pico: no more passwords! In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols XIX. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011)
3. Desmedt, Y., Burmester, M., Safavi-Naini, R., Wang, H.: Threshold Things That Think (T4): Security requirements to cope with theft of handheld/handless internet devices. In: Proceedings of Symposium on Requirements Engineering for Information Security (2001)
4. Corner, M.D., Noble, B.D.: Zero-interaction authentication. In: Proceedings of ACM MobiCom 2002, pp. 1–11, 23–28 September 2002
5. Halderman, J.A., Schoen, S.D., Heninger, N., Clarkson, W., Paul, W., Calandrino, J.A., Feldman, A.J., Appelbaum, J., Felten, E.W.: Lest we remember: Cold-boot attacks on encryption keys. Commun. ACM 52(5), 91–98 (2009)
6. Stafford-Fraser, Q., Stajano, F., Warrington, C., Jenkinson, G., Spencer, M., Payne, J.: To have and have not: Variations on secret sharing to model user presence. In: Proceedings of UPSIDE workshop of UBICOMP 2014, September 2014
7. Stajano, F., Christianson, B., Lomas, M., Jenkinson, G., Payne, J., Spencer, M., Stafford-Fraser, Q.: Pico without public keys. In: Christianson, B., Švenda, P., Matyáš, V., Malcolm, J., Stajano, F., Anderson, J. (eds.) Security Protocols 2015. LNCS, vol. 9379, pp. 195–211. Springer, Heidelberg (2015). doi:10.1007/978-3-319-26096-9_21
8. Stannard, O., Stajano, F.: Am I in good company? A privacy-protecting protocol for cooperating ubiquitous computing devices. In: Christianson, B., Malcolm, J., Stajano, F., Anderson, J. (eds.) Security Protocols 2012. LNCS, vol. 7622, pp. 223–230. Springer, Heidelberg (2012)
9. Hancke, G.P., Kuhn, M.G.: An RFID distance bounding protocol. In: Proceedings of IEEE SECURECOMM 2005, pp. 67–73. IEEE Computer Society, Washington, DC (2005)
11. Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 339–352. Springer, Heidelberg (1995)
12. Krause, F.M.A.: Designing Secure & Usable Picosiblings: An exploration of potential pairing mechanisms. Master's thesis, Wolfson College, University of Cambridge (2014)
13. Müller, T., Freiling, F.C., Dewald, A.: TRESOR runs encryption securely outside RAM. In: 20th USENIX Security Symposium, USENIX (2011)
14. Gomez, C., Oller, J., Paradells, J.: Overview and evaluation of bluetooth low energy: an emerging low-power wireless technology. Sensors 12(9), 11734–11753 (2012)
15. MacKenzie, C.M., Laskey, K., McCabe, F., Brown, P.F., Metz, R., Hamilton, B.A.: Reference model for service oriented architecture 1.0. OASIS Standard (2006)
16. Ryan, M.: Bluetooth: with low energy comes low security. In: 7th USENIX Workshop on Offensive Technologies, Berkeley, CA, USENIX (2013)
17. Stajano, F., Jenkinson, G., Payne, J., Spencer, M., Stafford-Fraser, Q., Warrington, C.: Bootstrapping adoption of the pico password replacement system. In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds.) Security Protocols 2014. LNCS, vol. 8809, pp. 172–186. Springer, Heidelberg (2014)
18. Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 2012, pp. 553–567. IEEE Computer Society, Washington, DC (2012)
19. Kamath, S., Lindh, J.: Measuring Bluetooth Low Energy Power Consumption. Texas Instruments application note AN092, Dallas (2010)
20. Heydon, R.: Bluetooth Low Energy: The Developer's Handbook. Prentice Hall, Upper Saddle River (2013)
21. Sasse, M.A., Steves, M., Krol, K., Chisnell, D.: The great authentication fatigue – and how to overcome it. In: Rau, P.L.P. (ed.) CCD 2014. LNCS, vol. 8528, pp. 228–239. Springer, Heidelberg (2014)
22. Card, S.K., Moran, T.P., Newell, A.: The keystroke-level model for user performance time with interactive systems. Commun. ACM 23(7), 396–410 (1980)
23. Laurie, B., Singer, A.: Choose the red pill and the blue pill: A position paper. In: Proceedings of the 2008 Workshop on New Security Paradigms, NSPW 2008, pp. 127–133. ACM, New York (2008)
24. FIDO Alliance: FIDO U2F Spec Package, May 2015
25. Want, R., Hopper, A., Falcao, V., Gibbons, J.: The active badge location system. ACM Trans. Inf. Syst. 10(1), 91–102 (1992)
26. Landwehr, C.E.: Protecting unattended computers without software. In: Proceedings of the 13th Annual Computer Security Applications Conference, pp. 274–283. IEEE Computer Society, Washington, DC (1997)
27. Landwehr, C.E., Latham, D.L.: Secure identification system. US Patent 5,892,901, filed 1997-06-10, granted 1999-04-06 (1999)
28. Peeters, R.: Security architecture for things that think. Ph.D. thesis, KU Leuven (2012)
29. Simoens, K., Peeters, R., Preneel, B.: Increased resilience in threshold cryptography: sharing a secret with devices that cannot store shares. In: Joye, M., Miyaji, A., Otsuka, A. (eds.) Pairing 2010. LNCS, vol. 6487, pp. 116–135. Springer, Heidelberg (2010)
30. Cachin, C., Kursawe, K., Lysyanskaya, A., Strobl, R.: Asynchronous verifiable secret sharing and proactive cryptosystems. In: 9th ACM Conference on Computer and Communications Security, pp. 88–97 (2002)
31. Tassa, T., Dyn, N.: Multipartite Secret Sharing by Bivariate Interpolation. In: 33rd International Colloquium on Automata, Languages and Programming, pp. 288–299 (2006)
32. Schultz, D., Liskov, B., Liskov, M.: MPSS: Mobile proactive secret sharing. ACM Trans. Inf. Syst. Secur. 13(4), 34:1–34:32 (2010)
33. Texas Instruments: CC2541 SimpleLink Bluetooth Smart and Proprietary Wireless MCU. Web page
Metadata
Title: Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token
Authors: Ian Goldberg, Graeme Jenkinson, Frank Stajano
Copyright Year: 2016
DOI: https://doi.org/10.1007/978-3-319-39555-5_3
