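% Bowers, Juels, Rivest, Shen: "Drifting Keys" (INFOCOM 2013, IEEE).
% The publication data lives in the biblatex-style fields date, eventtitle,
% eventdate and venue. Fields with the OPT prefix are disabled and are
% ignored by BibTeX and Biber; OPTyear and OPTmonth are kept only as a record
% of the legacy year/month values.
% urla is a non-standard field that standard styles ignore; presumably it is a
% link label used by this bibliography's own tooling (confirm before renaming).
% No pages or DOI are recorded in this entry.
@InProceedings{BJRS13b,
  author     = {Bowers, Kevin D. and Juels, Ari and Rivest, Ronald L. and Shen, Emily},
  title      = {Drifting Keys: Impersonation Detection for Constrained Devices},
  booktitle  = {Proc. INFOCOM 2013},
  date       = {2013-04-14},
  OPTyear    = {2013},
  OPTmonth   = {April 14--19,},
  eventtitle = {INFOCOM 2013},
  eventdate  = {2013-04-14/2013-04-19},
  venue      = {Turin, Italy},
  publisher  = {IEEE},
  urla       = {INFOCOM'13},
  abstract   = {We introduce {\em Drifting Keys} (DKs), a simple new approach to
                detecting device impersonation. DKs enable detection of
                {\em complete} compromise by an attacker of the device and its
                secret state, e.g., cryptographic keys. A DK evolves within a
                device randomly over time. Thus a clone device created by the
                attacker will emit DKs that randomly diverge from those in the
                original, valid device over time, alerting a trusted verifier to
                the attack.
                \par
                DKs may be transmitted unidirectionally from a device,
                eliminating interaction between the device and verifier. Device
                emissions of DK values can be quite compact---even just a single
                bit---and DK evolution and emission require minimal computation.
                Thus DKs are well suited for highly constrained devices, such as
                sensors and hardware authentication tokens.
                \par
                We offer a formal adversarial model for DKs, and present a
                simple scheme that we prove essentially optimal (undominated)
                for a natural class of attack timelines. We explore application
                of this scheme to one-time passcode authentication tokens. Using
                the logs of a large enterprise, we experimentally study the
                effectiveness of DKs in detecting the cloning of such tokens.},
}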