Towards Secure Distance Bounding

Abstract. This paper looks at relay attacks against contactless payment cards, which could be used to wirelessly pickpocket money from victims. We discuss the two leading contactless EMV payment protocols (Visa's payWave and MasterCard's PayPass). Stopping a relay attack against cards using these protocols is hard: either the overhead of the communication is low compared to the (cryptographic) computation by the card or the messages can be cached before they are requested by the terminal. We propose a solution that fits within the EMV Contactless specification to make a payment protocol that is resistant to relay attacks from commercial off-the-shelf devices, such as mobile phones. This solution does not require significant changes to the cards and can easily be added to existing terminals. To prove that our protocol really does stop relay attacks, we develop a new method of automatically checking defences against relay attacks using the applied pi-calculus and the tool ProVerif.

Section: Introductionmentioning

confidence: 99%

Relay Cost Bounding for Contactless EMV Payments

Chothia

Garcia

Ruiter

et al. 2015

“…We compare with other distance bounding protocols. The parameters in pufDB, SKI [5,6], FO [14,33] and DBopt [7] are taken such that the protocols achieve 99% completeness with a noise of 5% as it is described in [7]. (I.e., we adjust E max to have 99% completeness and obtain different figures than in the previoous table.)…”

Section: Resultsmentioning

confidence: 99%

“…Most of the proposed protocols are vulnerable to TF attacks but a few protocols provide security against all types of threats: the protocol of Fischlin and Onete [14], the SKI protocol [5,6], DBopt protocols [7], the public-key DB protocols ProProx [35] and eProProx [34], and the anonymous DB protocol SPADE [9]. However, all these proofs are made on the assumption that in TF, the prover does not want to give his credential to the adversary for further application.…”

Section: Introductionmentioning

confidence: 99%

Distance Bounding Based on PUF

Igier

Vaudenay

2016

Self Cite

Abstract. Distance Bounding (DB) is designed to mitigate relay attacks. This paper provides a complete study of the DB protocol of Kleber et al. based on Physical Unclonable Functions (PUFs). We contradict the claim that it resists to Terrorist Fraud (TF). We propose some slight modifications to increase the security of the protocol and formally prove TF-resistance, as well as resistance to Distance Fraud (DF), and Man-In-the-Middle attacks (MiM) which include relay attacks.

“…to [11,10, Table 1]). The protocols left standing in front of this attack are the SKI protocols [11,10] to be studied herein and the Fischlin-Onete protocol [24].…”

Section: Introductionmentioning

confidence: 99%

Practical and Provably Secure Distance-Bounding

Boureanu

Mitrokotsa

Vaudenay

2015

Self Cite

From contactless payments to remote car unlocking, many applications are vulnerable to relay attacks. Distance bounding protocols are the main practical countermeasure against these attacks. In this paper, we present a formal analysis of SKI, which recently emerged as the first family of lightweight and provably secure distance bounding protocols. More precisely, we explicate a general formalism for distance-bounding protocols, which lead to this practical and provably secure class of protocols (and it could lead to others). We prove that SKI and its variants are provably secure, even under the real-life setting of noisy communications, against the main types of relay attacks: distance-fraud and generalised versions of mafia-and terrorist-fraud. To attain resistance to terrorist-fraud, we reinforce the idea of using secret sharing, combined with the new notion of a leakage scheme. In view of resistance to generalised mafia-frauds (and terrorist-frauds), we present the notion of circular-keying for pseudorandom functions (PRFs); this notion models the employment of a PRF, with possible linear reuse of the key. We also identify the need of PRF masking to fix common mistakes in existing security proofs/claims. Finally, we enhance our design to guarantee resistance to terrorist-fraud in the presence of noise.