International Association for Cryptologic Research

International Association
for Cryptologic Research


Avishai Wool


CRUST: Cryptographic Remote Untrusted Storage without Public Keys
Erel Geron Avishai Wool
This paper presents CRUST, a stackable file system layer designed to provide secure file sharing over remote untrusted storage systems. CRUST is intended to be layered over insecure network file systems without changing the existing systems. In our approach, data at rest is kept encrypted, and data integrity and access control are provided by cryptographic means. Our design completely avoids public-key cryptography operations and uses more efficient symmetric-key alternatives to achieve improved performance. As a generic and self-contained system, CRUST includes its own in-band key distribution mechanism and does not rely on any special capabilities of the server or the clients. We have implemented CRUST as a Linux file system and shown that it performs comparably with typical underlying file systems, while providing significantly stronger security.
How to Build a Low-Cost, Extended-Range RFID Skimmer
Ilan Kirschenbaum Avishai Wool
Radio-Frequency Identifier (RFID) technology, using the ISO-14443 standard, is becoming increasingly popular, with applications like credit-cards, national-ID cards, E-passports, and physical access control. The security of such applications is clearly critical. A key feature of RFID-based systems is their very short range: Typical systems are designed to operate at a range of 5-10cm. Despite this very short nominal range, Kfir and Wool predicted that a rogue device can communicate with an ISO-14443 RFID tag from a distance of 40-50cm, based on modeling and simulations. Moreover, they claimed that such a device can be made portable, with low power requirements, and can be built very cheaply. Such a device can be used as a stand-alone RFID skimmer, to surreptitiously read the contents of simple RFID tags. The same device can be as the ``leech'' part of a relay-attack system, by which an attacker can make purchases using a victim's RFID-enhanced credit card---despite any cryptographic protocols that may be used. In this study we show that the modeling predictions are quite accurate. We show how to build a portable, extended-range RFID skimmer, using only electronics hobbyist supplies and tools. Our skimmer is able to read ISO-14443 tags from a distance of ~25cm, uses a lightweight 40cm-diameter copper-tube antenna, is powered by a 12V battery---and requires a budget of ~$100. We believe that, with some more effort, we can reach ranges of ~35cm, using the same skills, tools, and budget. We conclude that (a) ISO-14443 RFID tags can be skimmed from a distance that does not require the attacker to touch the victim; (b) Simple RFID tags, that respond to any reader, are immediately vulnerable to skimming; and (c) We are about half-way toward a full-blown implementation of a relay-attack.
Cryptanalysis of the Bluetooth E0 Cipher using OBDD's
Yaniv Shaked Avishai Wool
In this paper we analyze the E0 cipher, which is the cipher used in the Bluetooth specifications. We adapted and optimized the Binary Decision Diagram attack of Krause, for the specific details of E0. Our method requires 128 known bits of the keystream in order to recover the initial value of the four LFSR's in the E0 system. We describe several variants which we built to lower the complexity of the attack. We evaluated our attack against the real (non-reduced) E0 cipher. Our best attack can recover the initial value of the four LFSR's, for the first time, with a realistic space complexity of 2^23 (84MB RAM), and with a time complexity of 2^87. This attack can be massively parallelized to lower the overall time complexity. Beyond the specifics of E0, our work describes practical experience with BDD-based cryptanalysis, which so far has mostly been a theoretical concept.
Picking Virtual Pockets using Relay Attacks on Contactless Smartcard Systems
Ziv Kfir Avishai Wool
A contactless smartcard is a smartcard that can communicate with other devices without any physical connection, using Radio-Frequency Identifier (RFID) technology. Contactless smartcards are becoming increasingly popular, with applications like credit-cards, national-ID, passports, physical access. The security of such applications is clearly critical. A key feature of RFID-based systems is their very short range: typical systems are designed to operate at a range of ~10cm. In this study we show that contactless smartcard technology is vulnerable to relay attacks: An attacker can trick the reader into communicating with a victim smartcard that is very far away. A ``low-tech'' attacker can build a pick-pocket system that can remotely use a victim contactless smartcard, without the victim's knowledge. The attack system consists of two devices, which we call the ``ghost'' and the ``leech''. We discuss basic designs for the attacker's equipment, and explore their possible operating ranges. We show that the ghost can be up to 50m away from the card reader---3 orders of magnitude higher than the nominal range. We also show that the leech can be up to 50cm away from the the victim card. The main characteristics of the attack are: orthogonality to any security protocol, unlimited distance between the attacker and the victim, and low cost of the attack system.
A Uniform Framework for Cryptanalysis of the Bluetooth $E_0$ Cipher
Ophir Levy Avishai Wool
In this paper we analyze the $E_0$ cipher, which is the encryption system used in the Bluetooth specification. We suggest a uniform framework for cryptanalysis of the $E_0$ cipher. Our method requires 128 known bits of the keystream in order to recover the initial state of the LFSRs, which reflects the secret key of this encryption engine. In one setting, our framework reduces to an attack of D. Bleichenbacher. In another setting, our framework is equivalent to an attack presented by Fluhrer and Lucks. Our best attack can recover the initial state of the LFSRs after solving $2^{86}$ boolean linear systems of equations, which is roughly equivalent to the results obtained by Fluhrer and Lucks.
One-Time Signatures Revisited: Have They Become Practical?
Dalit Naor Amir Shenhav Avishai Wool
One-time signatures have been known for more than two decades, and have been studied mainly due to their theoretical value. Recent works motivated us to examine the practical use of one-time signatures in high-performance applications. In this paper we describe FMTseq - a signature scheme that merges recent improvements in hash tree traversal into Merkle's one-time signature scheme. Implementation results show that the scheme provides a signature speed of up to 35 times faster than a 2048-bit RSA signature scheme, for about one million signatures, and a signature size of only a few kilobytes. We provide an analysis of practical parameter selection for the scheme, and improvements that can be applied in more specific scenarios.