On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols

Boureanu, Ioana; Mitrokotsa, Aikaterini; Vaudenay, Serge

doi:10.1007/978-3-642-33481-8_6

Cited by 26 publications

(44 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Table 1 gives the probability of success of the best known attacks. This table does not consider possibly bad pseudorandom function (PRF) instances [5] nor any terrorist fraud based on noise tolerance [19]. These aspects will be discussed later in the present paper.…”

Section: Why Distance-bounding?mentioning

confidence: 99%

“…2 which we call DBENC in [5]. Here, only a 1 is derived from the initial nonces and a 2 is set to a 1 ⊕ x.…”

Section: Towards a Secure Protocolmentioning

confidence: 99%

“…2. The DBENC Distance-Bounding protocol [34,5] the verifier, thanks to x. Other instances of DBENC where a 2 = a 1 ⊕ x are replaced by addition modulo some q or addition with a random factor, can also be broken, as shown in [4].…”

Section: Towards a Secure Protocolmentioning

confidence: 99%

“…Unfortunately, this assumption alone is not enough to guarantee the security and some related security results from the literature are incorrect. Indeed, as shown in [5], we can artificially construct PRFs which make the protocol insecure. The PRF construction is done by PRF programming.…”

Section: Verifiermentioning

confidence: 99%

“…The idea is that a prover holding a key x proves to a verifier that he is close to him. Ideally, this notion should behave like a traditional interactive proof system in the sense that it must satisfy:-completeness (i.e., an honest prover close to the verifier will pass the protocol with high probability)This invited paper summarizes results from [4,5,6,7,8]. …”

mentioning

confidence: 99%

See 4 more Smart Citations

Towards Secure Distance Bounding

Boureanu

Mitrokotsa

Vaudenay

2014

Fast Software Encryption

Self Cite

View full text Add to dashboard Cite

Abstract. Relay attacks (and, more generally, man-in-the-middle attacks) are a serious threat against many access control and payment schemes. In this work, we present distance-bounding protocols, how these can deter relay attacks, and the security models formalizing these protocols. We show several pitfalls making existing protocols insecure (or at least, vulnerable, in some cases). Then, we introduce the SKI protocol which enjoys resistance to all popular attack-models and features provable security. As far as we know, this is the first protocol with such all-encompassing security guarantees. Why Distance-Bounding?It is well known that a chess beginner can win against a chess grand-master easily by defeating two grand-masters concurrently, taking different colors in both games, and relaying the move of one master to the other. This is a pure relay attack where two masters play against each other while each of them thinks he is playing against a beginner.In real life, relay attacks find applications in access control. For instance, a car with a wireless key can be opened by relaying the communication between the key (the token) and the car. RFID-based access control to buildings can also be subject to relay attacks [21]. The same goes for (contactless) credit-card payments: a customer may try to pay for something on a malicious terminal which relays to a fake card paying for something more expensive [15].To defeat relay attacks, Brands and Chaum [9] introduced the notion of distance bounding protocol. This relies on the fact that information is local and it cannot travel faster than light. So, an RFID reader can identify when participants are close enough because the round-trip communication time has been small enough. The idea is that a prover holding a key x proves to a verifier that he is close to him. Ideally, this notion should behave like a traditional interactive proof system in the sense that it must satisfy:-completeness (i.e., an honest prover close to the verifier will pass the protocol with high probability)This invited paper summarizes results from [4,5,6,7,8].

show abstract

Section: Why Distance-bounding?mentioning

confidence: 99%

“…2 which we call DBENC in [5]. Here, only a 1 is derived from the initial nonces and a 2 is set to a 1 ⊕ x.…”

Section: Towards a Secure Protocolmentioning

confidence: 99%

Section: Towards a Secure Protocolmentioning

confidence: 99%

Section: Verifiermentioning

confidence: 99%

mentioning

confidence: 99%

See 3 more Smart Citations

Towards Secure Distance Bounding

Boureanu

Mitrokotsa

Vaudenay

2014

Fast Software Encryption

Self Cite

View full text Add to dashboard Cite

show abstract

From Relay Attacks to Distance-Bounding Protocols

Avoine

Boureanu

Gerault

et al. 2021

Security of Ubiquitous Computing Systems

View full text Add to dashboard Cite

We present the concept of relay attacks, and discuss distance-bounding schemes as the main countermeasure. We give details on relaying mechanisms, we review canonical distance-bounding protocols, as well as their threat-model (i.e., covering attacks beyond relaying) stemming from the authentication dimension in distance bounding. Advanced aspects of distance-bounding security are also covered. We conclude by presenting what we consider to be the most important challenges in distance bounding.

show abstract

Optimal Proximity Proofs

Boureanu¹,

Vaudenay

2015

Information Security and Cryptology

Self Cite

View full text Add to dashboard Cite

Abstract. Provably secure distance-bounding is a rising subject, yet an unsettled one; indeed, very few distance-bounding protocols, with formal security proofs, have been proposed. In fact, so far only two protocols, namely SKI (by Boureanu et al.) and FO (by Fischlin and Onete), offer all-encompassing security guaranties, i.e., resistance to distance-fraud, mafia-fraud, and terrorist-fraud. Matters like security, alongside with soundness, or added tolerance to noise do not always coexist in the (new) distance-bounding designs. Moreover, as we will show in this paper, efficiency and simultaneous protection against all frauds seem to be rather conflicting matters, leading to proposed solutions which were/are sub-optimal. In fact, in this recent quest for provable security, efficiency has been left in the shadow. Notably, the tradeoffs between the security and efficiency have not been studied. In this paper, we will address these limitations, setting the "security vs. efficiency" record straight. Concretely, by combining ideas from SKI and FO, we propose symmetric protocols that are efficient, noise-tolerant and-at the same time-provably secure against all known frauds. Indeed, our new distancebounding solutions outperform the two aforementioned provably secure distance-bounding protocols. For instance, with a noise level of 5%, we obtain the same level of security as those of the pre-existent protocols, but we reduce the number of rounds needed from 181 to 54.

show abstract

On the Pseudorandom Function Assumption in (Secure) Distance-Bounding Protocols

Cited by 26 publications

References 11 publications

Towards Secure Distance Bounding

Towards Secure Distance Bounding

From Relay Attacks to Distance-Bounding Protocols

Optimal Proximity Proofs

Contact Info

Product

Resources

About