Towards Secure Distance Bounding
Abstract
Relay attacks (and, more generally, man-in-the-middle attacks) are a serious threat against many access control and payment schemes. In this work, we present distance-bounding protocols, how these can deter relay attacks, and the security models formalizing these protocols. We show several pitfalls making existing protocols insecure (or at least, vulnerable, in some cases). Then, we introduce the SKI protocol which enjoys resistance to all popular attack-models and features provable security. As far as we know, this is the first protocol with such all-encompassing security guarantees.

1 Why Distance-Bounding?

It is well known that a chess beginner can win against a chess grand-master easily by defeating two grand-masters concurrently, taking different colors in both games, and relaying the move of one master to the other. This is a pure relay attack where two masters play against each other while each of them thinks he is playing against a beginner.

In real life, relay attacks find applications in access control. For instance, a car with a wireless key can be opened by relaying the communication between the key (the token) and the car. RFID-based access control to buildings can also be subject to relay attacks [21]. The same goes for (contactless) credit-card payments: a customer may try to pay for something on a malicious terminal which relays to a fake card paying for something more expensive [15].

To defeat relay attacks, Brands and Chaum [9] introduced the notion of distance bounding protocol. This relies on the fact that information is local and it cannot travel faster than light. So, an RFID reader can identify when participants are close enough because the round-trip communication time has been small enough. The idea is that a prover holding a key x proves to a verifier that he is close to him.
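The round-trip timing check described above, as an added sketch that is not from the paper: a simulated timed challenge-response session in which the verifier accepts only if every response bit is correct and arrives within the round-trip budget for its distance limit. The register-based round structure (in the style of Hancke-Kuhn), the HMAC/SHAKE derivation and all names and parameters are assumptions for illustration; this is not the SKI protocol.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0  # speed of light in m/s

def registers(key: bytes, nv: bytes, np_: bytes, n: int):
    """Slow phase: derive two n-bit response registers from key and nonces."""
    seed = hmac.new(key, nv + np_, hashlib.sha256).digest()
    stream = hashlib.shake_256(seed).digest((2 * n + 7) // 8)
    bits = [(stream[i // 8] >> (i % 8)) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]

class Prover:
    """Prover plus simulated channel (a real verifier times with its own clock)."""
    def __init__(self, key: bytes, distance_m: float, relay_delay_s: float = 0.0):
        self.key, self.distance_m = key, distance_m
        self.relay_delay_s = relay_delay_s  # extra latency added by any relay

    def setup(self, nv: bytes, n: int) -> bytes:
        np_ = secrets.token_bytes(16)
        self.regs = registers(self.key, nv, np_, n)
        return np_

    def respond(self, i: int, c: int):
        """Return (response bit, simulated round-trip time in seconds)."""
        rtt = 2 * self.distance_m / C + self.relay_delay_s
        return self.regs[c][i], rtt

def verify(key: bytes, prover: Prover, max_distance_m: float,
           n: int = 64, slack_s: float = 1e-9) -> bool:
    """Accept only if all n timed rounds are correct and within the time bound."""
    nv = secrets.token_bytes(16)
    np_ = prover.setup(nv, n)
    regs = registers(key, nv, np_, n)
    t_max = 2 * max_distance_m / C + slack_s
    for i in range(n):
        c = secrets.randbits(1)           # unpredictable challenge bit
        bit, rtt = prover.respond(i, c)
        if bit != regs[c][i] or rtt > t_max:
            return False
    return True

def distance_bound_m(rtt_s: float, processing_s: float = 0.0) -> float:
    """Upper bound on prover distance implied by a measured round-trip time."""
    return C * (rtt_s - processing_s) / 2
```
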
Ideally, this notion should behave like a traditional interactive proof system in the sense that it must satisfy:
– completeness (i.e., an honest prover close to the verifier will pass the protocol with high probability)
– soundness (i.e., if the verifier accepts the protocol, then it must be the case that the information held by all close participants includes x)
– security (i.e., if the prover honestly runs the protocol, the provided information does not provide any advantage to defeat soundness).

The last property is weaker than zero-knowledge and is generally required in identification protocols.

In practice, the literature does not define distance-bounding like this but rather considers several popular threat models, as per the following summary.
– Distance fraud [9]: a far-away malicious prover tries to pass the protocol.
– Mafia fraud [14]: an adversary between a far-away honest prover and a verifier tries to get advantage of his position to make the verifier accept. (This generalizes relay attacks as the adversary may also modify messages.)
– Terrorist fraud [14]: a far-away malicious prover, with the help of an adversary, tries to make the verifier accept, but without giving the adversary any advantage to later pass the protocol alone. For instance, the malicious prover wants to make the verifier accept, although he is far away, but does not want to give his secret x to the adversary.
– Impersonation fraud [3]: An adversary tries to impersonate the prover and make the verifier accept.
– Distance hijacking [13]: A far-away prover takes advantage of some honest provers running the protocol to make the verifier accept.

In our model [8], we factor all these common threats into three possible frauds.
– Distance fraud: this is the classical notion in which we also consider concurrency with many other participants. I.e., we include other possible provers (with other secrets) and verifiers. Consequently, our generalized distance fraud also includes distance hijacking.
– Man-in-the-middle: we consider an adversary (maybe at several locations) who can interact with many honest provers (possibly with different keys) and verifiers during a learning phase. Then, the attack phase contains honest provers with the key x, far away from a verifier V, and possibly many other honest provers (with other keys) and other verifiers. The goal of the adversary is to make V accept the prover holding x. Clearly, this generalizes mafia fraud and includes impersonation fraud.
– Collusion fraud: A far-away prover holding x helps an adversary to make the verifier accept the proof. This might be in the presence of many other honest participants. However, there should be no man-in-the-middle attack constructed based on this malicious prover. I.e., the adversary should not extract from him any advantage to run (later) a man-in-the-middle attack.

Ideally, we could just keep this last notion which includes all others and is closer to the soundness and the security notion in the interactive proof system.

We summarize the best security results for many existing distance-bounding protocols. Table 1 gives the probability of success of the best known attacks. This table does not consider possibly bad pseudorandom function (PRF) instances [5] nor any terrorist fraud based on noise tolerance [19]. These aspects will be discussed later in the present paper. For collusion-frauds, we consider a prover leaking all but ν bits of his secret.

* This invited paper summarizes results from [4,5,6,7,8].
Similar resources
Private and Secure Public-Key Distance Bounding - Application to NFC Payment
Distance-Bounding is used to defeat relay attacks. For wireless payment systems, the payment terminal is not always online. So, the protocol must rely on a public key for the prover (payer). We propose a generic transformation of a (weakly secure) symmetric distance bounding protocol which has no postverification into wide-strong-private and secure public-key distance bounding.
Private and Secure Public-Key Distance Bounding Application to NFC Payment — Short Paper
Distance-Bounding is used to defeat relay attacks. For wireless payment systems, the payment terminal is not always online. So, the protocol must rely on a public key for the prover (payer). We propose a generic transformation of a (weakly secure) symmetric distance bounding protocol which has no postverification into wide-strong-private and secure public-key distance bounding.
ID-Based Secure Distance Bounding and Localization
In this paper, we propose a novel ID-based secure distance bounding protocol. Unlike traditional secure distance measurement protocols, our protocol is based on standard insecure distance measurement as elemental building block, and enables the implementation of secure distance bounding using commercial off-the-shelf (COTS) ranging devices. We use the proposed protocol to implement secure radio...
Yet Another Secure Distance-Bounding Protocol
Distance-bounding protocols have been proposed by Brands and Chaum in 1993 in order to detect relay attacks, also known as mafia fraud. Although the idea has been introduced fifteen years ago, only recently distance-bounding protocols attracted the attention of the researchers. Several new protocols have been proposed the last five
Design of a secure distance-bounding channel for RFID
Distance bounding is often proposed as a countermeasure to relay attacks and distance fraud in RFID proximity identification systems. Although several distance-bounding protocols have been proposed the security of these proposals are dependent on the underlying communication channel. Conventional communication channels have been shown to be inappropriate for implementing distance bounding, as t...
On the Need for Secure Distance-Bounding
Distance-bounding is a practical solution to be used in security-sensitive contexts, mainly to prevent relay attacks. But subtle security shortcomings related to the PRF (pseudorandom function) assumption and ingenious attack techniques based on observing verifiers’ outputs have recently been put forward. In this extended abstract, we survey some of these security concerns and attempt to incorp...
Publication date: 2013