Subtle kinks in distance-bounding: an analysis of prominent protocols

Distance-bounding protocols prevent man-in-the-middle attacks by measuring response times. The four attacks such protocols typically address, recently formalized in [10], are: (1) mafia fraud, where the adversary must impersonate to a verifier in the presence of an honest prover; (2) terrorist fraud, where the adversary gets some offline prover support to impersonate; (3) distance fraud, where provers claim to be closer to verifiers than they really are; and (4) impersonations, where adversaries impersonate provers during lazy phases. Dürholz et al. [10] also formally analyzed the security of (an enhancement of) the Kim-Avoine protocol [14]. In this paper we quantify the security of the following well-known distance-bounding protocols: Hancke and Kuhn [13], Reid et al. [16], the Swiss-Knife protocol [15], and the very recent proposal of Yang et al. [17]. Concretely, our main results show that (1) the usual terrorist-fraud countermeasure of relating responses to a long-term secret key may enable so-called key-learning mafia fraud attacks, where the adversary flips a single time-critical response to learn a key bit-by-bit; (2) though relating responses may allow mafia fraud, it sometimes enforces distance-fraud resistance by thwarting the attack of Boureanu et al. [5]; (3) none of the three allegedly terrorist-fraud resistant protocols, i.e. [15, 16, 17], is in fact terrorist-fraud resistant; for the former two schemes this is a matter of syntax, attacks exploiting the strong formalization of [10]; the attack against the latter protocol of [17], however, is almost trivial; (4) unless key-update is done regardless of protocol completion, the protocol of Yang et al. is vulnerable to Denial-of-Service attacks. In light of our results, we also review definitions of terrorist fraud, arguing that, while the strong model in [10] may be at the moment more appropriate than mere intuition, it could be too strong to capture terrorist attacks.

[1] Srdjan Capkun, et al. Distance Hijacking Attacks on Distance Bounding Protocols, 2012, 2012 IEEE Symposium on Security and Privacy.

[2] Cédric Lauradoux, et al. A Formal Framework for Cryptanalyzing RFID Distance Bounding Protocols, 2009, IACR Cryptol. ePrint Arch.

[3] Marc Fischlin, et al. A Formal Approach to Distance-Bounding RFID Protocols, 2011, ISC.

[4] Gildas Avoine, et al. The Swiss-Knife RFID Distance Bounding Protocol, 2008, ICISC.

[5] Juan Manuel González Nieto, et al. Detecting relay attacks with timing-based protocols, 2007, ASIACCS '07.

[6] Gildas Avoine, et al. RFID Distance Bounding Protocol with Mixed Challenges to Prevent Relay Attacks, 2009, CANS.

[7] Gildas Avoine, et al. An Efficient Distance Bounding RFID Authentication Protocol: Balancing False-Acceptance Rate and Memory Requirement, 2009, ISC.

[8] Markus G. Kuhn, et al. An RFID Distance Bounding Protocol, 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[9] Damith C. Ranasinghe, et al. Networked RFID Systems and Lightweight Cryptography: Raising Barriers to Product Counterfeiting, 2010.

[10] Duncan S. Wong, et al. An Efficient Single-Slow-Phase Mutually Authenticated RFID Distance Bounding Protocol with Tag Privacy, 2012, ICICS.

[11] Damith C. Ranasinghe, et al. Networked RFID Systems and Lightweight Cryptography, 2008.

[12] B. E. Eckbo, et al. Appendix, 1826, Epilepsy Research.

[13] Serge Vaudenay, et al. On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols - PRF-ness alone Does Not Stop the Frauds!, 2012, LATINCRYPT.

[14] Mohammad Reza Sohizadeh Abyaneh, et al. Security Analysis of Two Distance-Bounding Protocols, 2011, RFIDSec.

[15] Yan Zhang, et al. Security in RFID and Sensor Networks, 2009.

[16] Cédric Lauradoux, et al. How secret-sharing can defeat terrorist fraud, 2011, WiSec '11.