This thesis represents a building block towards attaining a complete overview of provable security in distance-bounding protocols. In this section we conclude by showing how far this thesis comes to meeting the ultimate goal of completely describing distance-bounding security, and we outline directions for future work.
Models. On the one hand, we contribute towards this overview by setting up an exact and formal security model, disproving previous beliefs regarding the interdependency of the key properties in distance-bounding protocols: mafia fraud, terrorist fraud, distance fraud, and impersonation security. We also investigate aspects such as authentication privacy and location privacy, and further look into flavours of mafia and terrorist fraud attacks. By relating these notions we provide a cohesive and comprehensive picture of the security of distance-bounding protocols.
However, though our model is very comprehensive, we do not claim it is complete. Indeed, an important next step is to investigate a scenario where multiple provers interact with the verifier, and subsequently, the multiple-prover-multiple- verifier scenario. We note that the attack by Cremers et al. [22] shows that it is possible for one dishonest prover to commit distance fraud if it is in the presence of an honest prover within the verifier’s proximity. Thus, an analysis of the multiple-prover-multiple-verifier case is paramount to understanding the effect of large-scale deployment of provers and verifiers. Furthermore, we note that our model leaves a few open questions such as: we know that the key update compiler does not preserve SimTF security. Does it, however, preserve GameTF security, which seems to be the notion that most protocols in the literature attain? Similarly, an interesting open question is whether we can design a location privacy achieving compiler that also preserves other security properties.
A further, very interesting direction concerns our timed/timeless channel model in Chapter 6: in particular, it would be interesting to investigate in how far our round-based results transfer to this different setting. Finally, a third direction would be to investigate distance-bounding in an asymmetric setting, where the prover and verifier — rather than sharing
a symmetric key K — possess a private/public key pair. This scenario is applicable to newer generations of RFID tags, which can run elliptic curve (EC) computations and can support public key cryptography.
Constructions. Our second main contribution in this thesis is providing concrete tools and constructions, which can be employed in practice to achieve properties such as: SimTF security, location privacy, KLMF and strMF security, and narrow-destructive privacy. As we have stressed before, key-learning attacks are very easily implementable in authentication, thus also in distance-bounding scenarios, and we believe that it is paramount to achieve KLMF resistance (see Fig. 40). Our KLMF compiler is particularly suitable towards that goal, since it enables us to reuse existing protocols in order to achieve better security properties. This also holds for our two other compilers, the strMF compiler and the key update compiler. We also provide proof techniques and constructive tricks that enable cryptographers to easily use our model and relate security notions, and that also enable designers to more easily build secure constructions.
An interesting and thus-far unexplored field for future work is to consider designing distance-bounding protocols that use the efficiency and highly-desirable properties of newer RFID hardware, which are able to perform EC computations at a lower cost than implementing HMACs. In view of recent discussions regarding the practical security of HMACs, we are further motivated to seek efficient authentication, and then efficient distance-bounding on dedicated EC processors. There are a few other research directions one can consider. In particular, our proofs for the key update and resp. strMF compilers are not tight, since the adversary loses a polynomial factor in guessing which authentication key was used in a successful authentication attempt. We are on the one hand interested in tight proofs (if these exist), and on the other hand we should attempt to find also different compilers, which, perhaps at the cost of some computation efficiency, can be tightly reduced to the security properties of the underlying distance-bounding protocol. Another research direction is to design from scratch constructions attaining full mafia fraud and strMF security, and directly reducing their security to that of the underlying primitives. In this fashion we could obtain a much better bound than by employing the compiler (whose reduction is loose).
Implementations. Finally, most of our work has been theoretic. We note that the efficiency of our constructions is easily compared to that of other protocols in the literature; however, in order to be deployed in practice, distance-bounding protocols must be implemented on real-life hardware, such that the properties of the schemes are assessed. Already some ground work has been laid in this field by e.g. [42, 41, 70, 21] in the context of RFID, and the conclusion seems to be that distance-bounding can only be implemented in low-latency channels. An open question is whether different RFID architectures can support distance-bounding protocols and, in fact, which general architectures, RFID or otherwise, would support such schemes.
References
[1] Abyneh, M.R.S.: Security analysis of two distance-bounding protocols. In: RFID. Security and Privacy. Lecture Notes in Computer Science, vol. 7055, pp. 94–107. Springer-Verlag (2012)
[2] Armknecht, F., Sadeghi, A.R., Scafuro, A., visconti, I., Wachsmann, C.: Impossibility Results for RFID Privacy Notions. In: Gavrilova, M., Tan, C., Moreno, E. (eds.) Transactions on Computational Science XI, Lecture Notes in Computer Science, vol. 6480, pp. 39–63. Springer-Verlag (2010)
[3] Aumasson, J.P., Mitrokotsa, A., Peris-Lopez, P.: A Note on a Privacy-preserving Distance Bounding Protocol. In: 13th International Conference on Information and Communications Security. Springer (2011)
[4] Avoine, G., Bingol, M.A., Karda, S., Lauradoux, C., Martin, B.: A formal framework for analyzing RFID distance bounding protocols. In: Journal of Computer Security - Special Issue on RFID System Security, 2010 (2010) [5] Avoine, G., Lauradoux, C., Martin, B.: How secret-sharing can defeat terrorist fraud. In: Proceedings of the Fourth
ACM Conference on Wireless Network Security WISEC 2011. pp. 145–156. ACM Press (2011)
[6] Avoine, G., Tchamkerten, A.: An efficient distance bounding RFID authentication protocol: Balancing false- acceptance rate and memory requirement. In: 12th International Conference on Information Security (ISC) 2009. Lecture Notes in Computer Science, vol. 5735, pp. 250–261. Springer-Verlag (2009)
[7] Bellare, M., Goldreich, O.: Proving computational ability. http://www.wisdom.weizmann.ac.il/∼oded/ PS/poa.ps (1992)
[8] Bellare, M., Pointcheval, D., Rogaway, P.: Authenticated key exchange secure against dictionary attacks. In: Advances in Cryptology — EUROCRYPT 2000. Lecture Notes in Computer Science, vol. 1807, pp. 139–155. Springer-Verlag (2000)
[9] Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Advances in Cryptology — CRYPTO ’93. Lecture Notes in Computer Science, vol. 773, pp. 232–249. Springer-Verlag (1994)
[10] Bogdanov, A., Leander, G., Paar, C., Poschmann, A., Robshaw, M.J., Seurin, Y.: Hash functions and RFID tags: Mind the gap. In: Cryptographic Hardware and Embedded Systems - CHES 2008. Lecture Notes in Computer Science, vol. 5154, pp. 283–299. Springer-Verlag (2008)
[11] Boureanu, I., Mitrokotsa, A., Vaudenay, S.: On the pseudorandom function assumption in (secure) distance-bounding protocols (2012)
[12] Brands, S.: Rethinking Public Key Infrastructures and Digital Certificates: Building in Privacy. MIT Press (2000) [13] Brands, S., Chaum, D.: Distance-bounding protocols. In: Advances in Cryptology — EUROCRYPT’93. pp. 344–359.
Lecture Notes in Computer Science, Springer-Verlag (1993)
[14] Bringer, J., Chabanne, H.: Trusted-HB: A low-cost version of HB + secure against man-in-the-middle attacks. Transactions on Information Theory 54(9), 4339–4342 (2008)
[15] Bussard, L., Bagga, W.: Distance-bounding proof of knowledge to avoid real-time attacks. IFIP International Feder- ation for Information Processing, vol. 181, pp. 222–238. Springer-Verlag (2005)
[16] Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Advances in Cryptology — EUROCRYPT 2001. Lecture Notes in Computer Science, vol. 2045, pp. 93–118. Springer-Verlag (2001)
[17] Carluccio, D., Kasper, T., Paar, C.: Implementation details of a multi purpose ISO 14443 rfidtool. In: Printed handout of Workshop on RFID Security - RFIDSec 06 (July 2006)
[18] Chandran, N., Goyal, V., Moriarty, R., Ostrovsky, R.: Position based cryptography. In: Advances in Cryptology — CRYPTO 2009. Lecture Notes in Computer Science, vol. 5677, pp. 391–407. Springer-Verlag (2009)
[19] Chatmon, C., van Le, T., Burmester, M.: Secure anonymous RFID authentication protocols. Florida State University, Department of Computer Science, Tech Report (2006)
[20] Clulow, J., Hancke, G.P., Kuhn, M.G., Moore, T.: So near and yet so far: Distance-bounding attacks in wireless networks. In: European Workshop on Security and Privacy in Ad-Hoc and Sensor Networks. Lecture Notes in Computer Science, vol. 4357, pp. 83–97. Springer-Verlag (2006)
[22] Cremers, C., Rasmussen, K.B., ˇCapkun, S.: Distance hijacking attacks on distance bounding protocols. Cryptology ePrint Archive, Report 2011/129 (2011), http://eprint.iacr.org/2011/129.pdf
[23] Deng, R.H., Li, Y., Yung, M., Zhao, Y.: A new framework for RFID privacy. In: Proceedings of the 15th European Symposium on Research in Computer Security, (ESORICS’10). Lecture Notes in Computer Science, vol. 6514, pp. 1–18. Springer-Verlag (2010)
[24] Desmedt, Y.: Major security problems with the ’unforgeable’ (feige)-fiat-shamir proofs of identity and how to overcome them. In: SecuriCom. pp. 15–17. SEDEP Paris, France (1988)
[25] Drimer, S., Murdoch, S.J.: Keep your enemies close: distance bounding against smartcard relay attacks. In: Proc. of the 16-th USENIX Security Symposium on USENIX Security Symposium, article no. 7. ACM (2007)
[26] Duc, D., Kim, K.: Securing HB+ against GRS man-in-the-middle attack. In: Symposium on Cryptography and Information Security (SCIS). The Institute of Electronics, Information and Communication Engineers (2007) [27] D¨urholz, U., Fischlin, M., Kasper, M., Onete, C.: A formal approach to distance bounding RFID protocols. In:
Proceedings of the 14th Information Security Conference ISC 2011. Lecture Notes in Computer Science, vol. 7001, pp. 47–62. Springer-Verlag (2011)
[28] Dwork, C., Lotspiech, J.B., Naor, M.: Digital signets: Self-enforcing protection of digital information (preliminary version). In: STOC. pp. 489–498 (1996)
[29] Feldhofer, M., Rechberger, C.: A case against currently used hash functions in RFID protocols. In: On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. LNCS, vol. 4277, pp. 372–381. Springer-Verlag (2006) [30] Fischlin, M., Onete, C.: RFID distance-bounding: What is wrong and how to fix it. In: accepted at 5th MPICC
Interdisciplinary Conference on Current Issues in IT Security. Interdisciplinary series of the Max Planck Institute for Foreign and International Criminal Law
[31] Fischlin, M., Onete, C.: Distance-bounding and terrorist fraud: Simulation and game-based notions. In Submission (2012)
[32] Fischlin, M., Onete, C.: Provably secure distance-bounding: an analysis of prominent protocols. Cryptology ePrint Archive, Report 2012/128 (2012), http://eprint.iacr.org/2012/128.pdf
[33] Francillon, A., Danev, B., ˇCapkun, S.: Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars (2010), http://eprint.iacr.org/2010/332
[34] Francis, L., Hancke, G., Mayes, K., Markantonakis, K.: Practical NFC peer-to-peer relay attack using mobile phones. In: RFIDSec’10 Proceedings of the 6thinternational conference on Radio frequency Identification: security and privacy issues. pp. 47–62. Springer-Verlag (2010)
[35] Gilbert, H., Robshaw, M., Sibert, H.: An active attack against HB+ - a provably secure lightweight authentication protocol. Cryptology ePrint Archive, Report 2005/237 (2005), http://eprint.iacr.org/2005/237.pdf
[36] Goldreich, O., Pfitzmann, B., Rivest, R.L.: Self-delegation with controlled propagation - or - what if you lose your laptop. In: Advances in Cryptology — CRYPTO’98. Lecture Notes in Computer Science, vol. 1462, pp. 153–168. Springer-Verlag (1998)
[37] H-Security, T.: Chip-based ID cards pose security risk at airports. http://www.h-online.com/security/news/item/Chip-based-ID-cards-pose-security-risk- at-airports-905662.html (2010)
[38] Haataja, K., Toivanen, P.: Two practical man-in-the-middle attacks on bluetooth secure simple pairing and counter- measures. Transactions on Wireless Communications 9(1), 384–392 (2010)
[39] Hancke, G.P.: A practical relay attack on ISO 14443 proximity cards. http://www.cl.cam.ac.uk/gh275/relay.pdf (2005)
[40] Hancke, G.P.: Practical Attacks on Proximity Identification Schemes (2006)
[41] Hancke, G.P.: Design of a secure distance-bounding channel for RFID. Journal of Network and Computer Applications (2010)
[42] Hancke, G.P., Kuhn, M.G.: An RFID distance bounding protocol. In: Conference on Security and Privacy for Emer- gency Areas in Communication Networks (SecureComm) 2005. pp. 67–73. IEEE (2005)
[43] Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In: Proceedings of the 16th European Symposium on Research in Computer Security, (ESORICS) 2011. Lecture Notes in Computer Science, vol. 6879, pp. 568–587. Springer-Verlag (2011)
[44] Hlav´aˇc, M., Tom´aˇc, R.: A Note on the Relay Attacks on e-Passports (2007), http://eprint.iacr.org/2007/244.pdf [45] Hopper, N.J., Blum, M.: Secure human identification protocols. In: Proceedings of the 7thInternational Conference on
the Theory and Application of Cryptology and Information Security (ADVCRYPTO) 2001. Lecture Notes in Computer Science, vol. 2248, pp. 52–66. Springer-Verlag (2001)
[46] Juels, A.: RFID security and privacy: a research survey. IEEE Journal on Selected Areas in Communications 24(2), 381–394 (2006)
[47] Juels, A., Weis, S.A.: Defining strong privacy for RFID. In: International Conference on Pervasive Computing and Communications - Workshops (PerCom Workshops). pp. 342–347. IEEE (2007)
[48] Kfir, Z., Wool, A.: Picking virtual pockets using relay attacks on contactless smartcard systems. In: Conference on Security and Privacy for Emergency Areas in Communication Networks – SecureComm 2005. pp. 47 – 58. IEEE (2005) [49] Kim, C.H., Avoine, G.: RFID distance bounding protocol with mixed challenges to prevent relay attacks. In: Pro- ceedings of the 8th International Conference on Cryptology and Networks Security (CANS) 2009. Lecture Notes in Computer Science, vol. 5888, pp. 119–131. Springer-Verlag (2009)
[50] Kim, C.H., Avoine, G., Koeune, F., Standaert, F., Pereira, O.: The swiss-knife RFID distance bounding protocol. In: Information Security and Cryptology (ICISC) 2008. pp. 98–115. Lecture Notes in Computer Science, Springer-Verlag (2008)
[51] Koblitz, N., Menezes, A.: Another look at HMAC. Cryptology ePrint Archive, Report 2012/074 (2012), http://eprint.iacr.org/2012/074
[52] Lee, Y., Sakiyama, K., Batina, L., Verbauwhede, I.: Elliptic curve based security processors for RFID. In: IEEE Transactions on Computers. vol. 57, pp. 1514–1527. IEEE (2008)
[53] Leinweber, L., Papachristou, C., Wolff, F.G.: A case against currently used hash functions in rfid protocols. In: 2009 IEEE International Conference on Computer Design. pp. 372–377. IEEE (2009)
[54] Leng, X., Mayes, K., Markantonakis, K.: HB-MP+ protocol: An improvement on the HB-MP protocol. In: Interna- tional Conference on RFID. pp. 118–124. IEEE Computer Society Press (2008)
[55] Levi, A., C¸ etintas, E., Aydos, M., Ko¸c, C¸ etin Kaya., C¸ aglayan, M.U.: Relay attacks on bluetooth authentication and solutions. In: International Symposium Computer and Information Sciences (ISCIS) 2004. Lecture Notes in Computer Science, vol. 3280, pp. 278 – 288. Springer-Verlag (2004)
[56] Ma, C., Li, Y., Deng, R.H., Li, T.: RFID privacy: relation between two notions, minimal condition, and efficient construction. In: Proceedings of the 16th ACM conference on Computer and communications security, (CCS’09). pp. 54–65. ACM (2009)
[57] Mitrokotsa, K., Onete, C., Vaudenay, S.: Location leakage in distance bounding: Why location privacy doesn’t work. In Submission (2012)
[58] Mitrokotsa, K., Onete, C., Vaudenay, S.: Mafia fraud attack against the RˇC distance-bounding protocol. In Submission (2012)
[59] Ng, C.Y., Susilo, W., Mu, Y., Safavi-Naini, R.: RFID privacy models revisited. In: Proceedings of the 13thEuropean Symposium on Research in Computer Security, (ESORICS) 2008. Lecture Notes in Computer Science, vol. 5283, pp. 251–266. Springer-Verlag (2008)
[60] Onete, C.: Key updates for RFID distance-bounding protocols: Achieving narrow-destructive privacy. Cryptology ePrint Archive, Report 2012/165 (2012), http://eprint.iacr.org/2012/165
[61] Onete, C.: Mafia fraud resistance revisited: Key-learning attacks. In Submission (2012)
[62] Oren, Y., Wool, A.: Relay attacks on RFID-based electronic voting systems. Cryptology ePrint Archive, Report 2009/442 (2009), http://eprint.iacr.org/2009/422.pdf
[63] Ouafi, K., Overbeck, R., Vaudenay, S.: On the security of HB# against a man-in-the-middle attack. In: Advances in Cryptology — Asiacrypt 2008. Lecture Notes in Computer Science, vol. 5350, pp. 108–124. Springer (2008) [64] Paise, R.I., Vaudenay, S.: Mutual authentication in RFID: Security and privacy. In: Proceedings on the 3rd ACM
symposium on information, computer and communications security (ASIACCS) 2008. pp. 292–299. ACM (2008) [65] Pelechrinis, K., Koufogiannakis, C., Krishnamurthy, S.V.: On the Efficacy of Frequency Hopping in Coping with
Jamming Attacks in 802.11 Networks. IEEE Transactions on Wireless Communications 9(10), 3258–3271 (October 2010)
[66] Ranganathan, A., Tippenhauer, N.O., Singel´ee, D., koric, B., Capkun, S.: Design and Implementation of a Terrorist Fraud Resilient Distance Bounding System. In: Foresti, S., Martinelli, F., Yung, M. (eds.) 2012nd European Sympo- sium on Research in Computer Security (ESORICS 2012). Lecture Notes in Computer Science, vol. 7459, pp. 415–432. Springer-Verlag, Pisa,Italy (2012)
[67] Rasmussen, K.B., ˇCapkun, S.: Realization of RF distance bounding. USENIX Security Symposium (2010) [68] Rasmussen, K.B., ˇCapkun, S.: Realization of RF Distance Bounding. In: USENIX 2010. pp. 389–402 (2010) [69] Rasmussen, K., ˇCapkun, S.: Location privacy of distance bounding. In: Proceedings of the Annual Conference on
Computer and Communications Security (CCS). pp. 149–160. ACM (2008)
[70] Reid, J., Nieto, J.M.G., Tang, T., Senadji, B.: Detecting relay attacks with timing-based protocols. In: Proceedings of the 2ndACM symposium on information, computer and communications security (ASIACCS) 2007. pp. 204–213.
ACM Press (2007)
[71] Sadeghi, A.R., Visconti, I., Wachsmann, C.: Anonymizer-enabled security and privacy for RFID. In: Advances in Cryptology — Asiacrypt 2008. Lecture Notes in Computer Science, vol. 5888, pp. 292–299. Springer-Verlag (2009) [72] Spil, D., Bittau, A.: Bluesniff: Eve Meets Alice and Bluetooth. In: Proceedings of the 1st USENIX Workshop on
Offensive Technologies (WOOT) 2007. USENIX Association Berkley, CA, USA (2007)
[73] Vaudenay, S.: On privacy models for RFID. In: Advances in Cryptology — Asiacrypt 2007. Lecture Notes in Computer Science, vol. 4883, pp. 68–87. Springer-Verlag (2007)
[74] ˇCapkun, S., Defrawi, K.E., Tsudik, G.: Group distance bounding protocols. In: Proceedings of the 4th international conference on Trust and trustworthy computing (TRUST) 2011. Lecture Notes in Computer Science, vol. 6740, pp. 302–312. Springer-Verlag (2011)
[75] Wenger, E., Hutter, M.: A hardware processor supporting elliptic curve cryptography for less than 9 kges. In: Pro- ceedings of the 10th Smart Card Research and Advanced Applications (CARDIS) 2011. Lecture Notes in Computer Science, vol. 7079, pp. 182–198. Springer-Verlag (2011)
[76] Yung, M.: Zero-knowledge proofs of computational power. In: Advances in Cryptology — EUROCRYPT ’89. Lecture Notes in Computer Science, vol. 434, pp. 196–207. Springer-Verlag (1990)