Research
The Information Security Group deals with many aspects of information security especially applied cryptography. Ongoing research concerns cryptographic protocols, theoretical and practical attacks, time-memory trade-off, security analysis of radio frequency identification (RFID) solutions including (but not limited to) authentification, privacy, relay attacks, random generators, access control, and ePassport.
The relay attack, aka Mafia fraud, exhibited by Desmedt, Goutier, and Bengio in 1987 recently became a major issue of concern for RFID authentication protocols. The adversary pretends to be the legitimate prover by simply relaying the signal that is exchanged during the execution of the protocol. When it was first introduced in the late eighties, the relay attack appeared unrealistic. Nowadays, the relay attack is one of the most effective and feared attacks against RFID systems; it can be easily implemented since the reader and the tag communicate wirelessly, and it is not easily detectable by the victim because queried (passive) tags automatically answer to the requests without agreement of their bearers.
The GSI addresses this issue by designing distance bounding protocols that aim to thwart relay attacks during authentication processes.
Biometric passports possess a microchip that embeds personal data on the owner and can be remotely read at a distance of 10 cm with a common reader. Standard Doc9303 issued by the International Civil Aviation Organization (ICAO) includes the use of cryptographic means to prevent unauthorized remote access to this information and to prevent passport forgery.
The GSI is strongly involved in the security analysis of the biometric passport. It published several articles on its security and released a tool to read and check such biometric passports. The tool is already used by many laboratories and institutes.
Radio Frequency Identification (RFID) is getting more and more popular in access control, especially in mobile environments, such as sport events and public transportations. In such applications, the typical framework consists in customers who each holds an RFID ticket; some agents who carry an RFID
The common RFID-friendly authentication protocols all consider an adversary model where the communication channel between the tag and the reader is basically not secure, and the tag can be tampered with. The security policies are thus designed following the assumption that the readers and any other infrastructure are secured. This is not enough to enforce strong security. Indeed, readers carry some sensitive information, and the security of the whole system is threatened if an adversary can compromise some of them. Hence, it is critical for an access control system to be able to restore its integrity upon detection of such an event, without renewing all the delivered tickets.
GSI's challenge is to design authentication protocols that provide both security and privacy in this framework.
Malicious traceability is one of the components of privacy. It is often underestimated by advocates of the technology and sometimes exaggerated by its detractors. Whatever the true picture, this problem is a reality when it slows down the deployment of the RFID and some companies, being boycotted, have already abandoned its use. Using cryptographic primitives to thwart the traceability issues is an approach which has been explored for several years. However, the research carried out up to now has not provided satisfactory results as no universal formalism has been defined.
The GSI addresses the privacy problem in RFID and works on an adversary model suitable for most of the RFID environments.
The GSI considers various aspects of cryptographic protocols, especially authentication protocols. The GSI is involved in the design of theoretical (e.g. low-complexity protocols) and practical protocols (e.g. anti-counterfeiting protocols, secure collision-avoidance protocols).
The GSI also benefits from some strong skills and background in cryptanalysis of protocols, in terms of both security and privacy. Cryptanalysis are done either in a theoretical way or with a practical approach, possibly in the field.
Many cryptanalytic problems can be solved in theory using an exhaustive search in the key space, but are still hard to solve in practice because each new instance of the problem requires to restart the process from scratch. The basic idea of a time-memory trade-off is to carry out an exhaustive search once for all such that following instances of the problem become easier to solve. Thus, if there are N possible solutions to a given problem, a time-memory trade-off can solve it with T units of time and M units of memory. In the methods we are looking at, T is proportional to N2/M2 and a typical setting is T=M=N2/3.
Cryptanalytic time-memory trade-offs have been introduced in 1980 by Hellman and applied to DES. Given a plaintext D and a ciphertext C, the problem consists in recovering the key K such that C=EK(D) where E is an encryption function assumed to follow the behavior of a random function. Encrypting D under all possible keys and storing each corresponding ciphertext allows for immediate cryptanalysis but needs N elements of memory. The idea of a time-memory trade-off is to find a trade-off between the exhaustive search and the exhaustive storage. For that, an exhaustive search is carried out once (precomputation) and only a subset of generated values is kept.
In 2003, Oechslin introduced the trade-off based on
