Mind your nonces: cryptanalysis of a privacy-preserving distance bounding protocol

Distance bounding protocols enable a device to establish an upper bound on the physical distance to a communication partner so as to prevent location spoofing, as exploited by relay attacks. Recently, Rasmussen and Čapkun (ACM-CCS’08) observed that these protocols leak information on the location of the parties to external observers, which is undesirable in a number of applications, for example if the leaked information leads to the identification of the parties among a group of devices. To remedy this problem, these authors proposed a “privacy-preserving” distance bounding protocol, i.e., one that leaks no information on the location of the parties. The present paper reports results from an in-depth security analysis of that new protocol. The main result is an attack that recovers the ephemeral secrets as well as the location information of the two parties. The efficiency of the attack depends on the parameters of the protocol, and we provide realistic examples of parameters that make the attack practical. Although the attack exploits collisions of (unpredictable) challenge numbers, we show that the protocol would be less secure with unique and partially predictable challenges. We present simple, cost-efficient modifications to the protocol to thwart our attack for all choices of parameters and to enhance its overall security. We also evaluate the security of the Rasmussen-Čapkun protocol against distance, mafia, and terrorist frauds, showing that the latter attack is efficiently applicable. Overall, our results do not contradict the preliminary security analysis by the designers, but rather extend it to other parts of the attack surface.
