Private and Secure Public-Key Distance Bounding

Vaudenay, Serge

doi:10.1007/978-3-662-47854-7_12

Cited by 17 publications

(28 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Though they addressed the classical MF, DF and IF attacks, they did not at consider TF. Recently, Vaudenay [24] proposed a generic solution to add the privacy property to DB protocols with respect to external eavesdroppers, which relies on an authenticated keyexchange added on top of a one-time secure DB protocol. Unfortunately, it does not provide TF resistance nor anonymity against honest-but-curious or malicious verifiers.…”

Section: Protocolmentioning

confidence: 99%

A Terrorist-fraud Resistant and Extractor-free Anonymous Distance-bounding Protocol

Avoine

Bultel

Gambs

et al. 2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

International audienceDistance-bounding protocols have been introduced to thwart relay attacks against contactless authentication protocols. In this context, veri-fiers have to authenticate the credentials of untrusted provers. Unfortunately , these protocols are themselves subject to complex threats such as terrorist-fraud attacks, in which a malicious prover helps an accomplice to authenticate. Provably guaranteeing the resistance of distance-bounding protocols to these attacks is a complex task. The classical countermeasures usually assume that rational provers want to protect their long-term authentication credentials, even with respect to their accomplices. Thus, terrorist-fraud resistant protocols generally rely on artificial extraction mechanisms, ensuring that an accomplice can retrieve the credential of his partnering prover. In this paper, we propose a novel approach to obtain provable terrorist-fraud resistant protocols without assuming that provers have any long-term secret key. Instead, the attacker simply has to replay the information that he has received from his accomplice. Based on this, we present a generic construction for provably secure distance-bounding protocols, and give three instances: (1) an efficient symmetric-key protocol, (2) a public-key protocol protecting the identities of the provers against external eavesdroppers, and finally (3) a fully anonymous protocol protecting the identities of the provers even against malicious verifiers trying to profile them

show abstract

Section: Protocolmentioning

confidence: 99%

A Terrorist-fraud Resistant and Extractor-free Anonymous Distance-bounding Protocol

Avoine

Bultel

Gambs

et al. 2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…If the distance of a prover is close enough, the verifier will be sure of the nonexistence of relay attack during the protocol execution. Apparently, it is necessary to utilize a secure distance bounding [20,26,25,27,12,6,24,9,10] in contactless payment.…”

Section: Introductionmentioning

confidence: 99%

Secure Contactless Payment

Kılınç

Vaudenay

2018

Information Security and Privacy

Self Cite

View full text Add to dashboard Cite

A contactless payment lets a card holder execute payment without any interaction (e.g., entering PIN or signing) between the terminal and the card holder. Even though the security is the first priority in a payment system, the formal security model of contactless payment does not exist. Therefore, in this paper, we design an adversarial model and define formally the contactless-payment security against malicious cards and malicious terminals including relay attacks. Accordingly, we design a contactless-payment protocol and show its security in our security model. At the end, we analyze EMV-contactless which is a commonly used specification by most of the mobile contactless-payment systems and credit cards in Europe. We find that it is not secure against malicious cards. We also prove its security against malicious terminals in our model. This type of cryptographic proof has not been done before for the EMV specification.

show abstract

“…The verifier only knows a public key. However, so far, only the following distance-bounding protocols are in the public key model: the Brands-Chaum protocol [11], the Bussard-Bagga protocol [12], the Hermans-Peeters-Onete (HPO) protocol [22] 1 , and PrivDB [26]. The BussardBagga protocol was broken by Bay et al [3] and none of the others protect against terrorist fraud.…”

mentioning

confidence: 99%

“…In Table 1 we update the list from [26] with all known public-key distance bounding protocols and the proven status of their security with respect to Manin-the-Middle (MiM), Distance Fraud (DF), Distance Hijacking (DH), Collusion Fraud (CF), Privacy, and Strong privacy.…”

mentioning

confidence: 99%

“…-We construct ProProx, the very first sound PoPoK. It is based on the quadratic residuosity problem, using the Goldwasser-Micali encryption [20,21] [11] secure secure insecure insecure insecure insecure DBPK-Log [12] insecure insecure insecure insecure HPO [22] secure secure insecure secure insecure GOR [19] secure secure insecure insecure insecure insecure privDB [26] secure secure secure insecure secure secure ProProx (this paper) secure secure secure secure insecure insecure eProProx [27] secure secure secure secure secure secure as a homomorphic perfectly binding commitment Com(b; ρ) and the FiatShamir protocol [17]. We also use a function H which is assumed to be such that x → (Com(b 1 ; H(x, 1)), .…”

mentioning

confidence: 99%

See 1 more Smart Citation

Sound Proof of Proximity of Knowledge

Vaudenay

2015

Provable Security

Self Cite

View full text Add to dashboard Cite

Abstract. Public-key distance bounding schemes are needed to defeat relay attacks in payment systems. So far, only five such schemes exist, but fail to fully protect against malicious provers. In this paper, we solve this problem. We provide a full formalism to define the proof of proximity of knowledge (PoPoK). Protocols should succeed if and only if a prover holding a secret is within the proximity of the verifier. Like proofs of knowledge, these protocols must satisfy completeness, soundness (protection for the honest verifier), and security (protection for the honest prover). We construct ProProx, the very first sound PoPoK.

show abstract

Private and Secure Public-Key Distance Bounding

Cited by 17 publications

References 16 publications

A Terrorist-fraud Resistant and Extractor-free Anonymous Distance-bounding Protocol

A Terrorist-fraud Resistant and Extractor-free Anonymous Distance-bounding Protocol

Secure Contactless Payment

Sound Proof of Proximity of Knowledge

Contact Info

Product

Resources

About