Private and Secure Public-Key Distance Bounding: Application to NFC Payment

Distance-Bounding is used to defeat relay attacks. For wireless payment systems, the payment terminal is not always online. So, the protocol must rely on a public key for the prover (payer). We propose a generic transformation of a (weakly secure) symmetric distance bounding protocol which has no post-verification into wide-strong-private and secure public-key distance bounding

Challenges in Distance Bounding

Smartcard-based protocols represent an increasingly large share of the wireless authentication market, from contactless payments to remote car unlocking. Unfortunately, relay attacks pose a significant threat to these wireless solutions. However, this risk can be mitigated through the use of distance-bounding protocols. In this paper, we discuss the core challenges for distance-bounding, in terms of both theoretical and practical considerations. We focus on their security, but we also explore the difficulties encountered in their design and implementation. Moreover, we present our vision of the future of these protocols and of the possible paths towards their secure deployment

Challenges in Distance Bounding

Smartcard-based protocols represent an increasingly large share of the wireless authentication market, from contactless payments to remote car unlocking. Unfortunately, relay attacks pose a significant threat to these wireless solutions. However, this risk can be mitigated through the use of distance-bounding protocols. In this paper, we discuss the core challenges for distance-bounding, in terms of both theoretical and practical considerations. We focus on their security, but we also explore the difficulties encountered in their design and implementation. Moreover, we present our vision of the future of these protocols and of the possible paths towards their secure deployment

Contactless Access Control Based on Distance Bounding

Contactless access control systems are critical for security but often vulnerable to relay attacks. In this paper, we define an integrated security and privacy model for access control using distance bounding (DB) which is the most robust solution to prevent relay attacks. We show how a secure DB protocol can be converted to a secure contactless access control protocol. Regarding privacy (i.e., keeping anonymity in strong sense to an active adversary), we show that the conversion does not always preserve privacy but it is possible to study it on a case by case basis. Finally, we provide two example protocols and prove their security and privacy according to our new models

Formal Analysis of Distance Bounding with Secure Hardware

A distance bounding (DB) protocol is a two-party authentication protocol between a prover and a verifier which is based on the distance between the prover and the verifier. It aims to defeat threats by malicious provers who try to convince that they are closer to the verifier or adversaries which seek to impersonate a far-away prover. All these threats are covered in several security definitions and it is not possible to have a single definition covering all. In this paper, we describe a new DB model with three parties where the new party is named hardware. In this model, called secure hardware model (SHM), the hardware is held by the prover without being able to tamper with. We define an all-in-one security model which covers all the threats of DB and an appropriate privacy notion for SHM. In the end, we construct the most efficient (in terms of computation by the prover-hardware and number of rounds) and secure DB protocols achieving the optimal security bounds as well as privacy

Proof of Proximity of Knowledge

Public-key distance bounding schemes are needed to defeat relay attacks in payment systems. So far, only two such schemes exist, but fail to fully protect against malicious provers. In this paper, we solve this problem. We provide a full formalism to define the proof of proximity of knowledge (PoPoK). Protocols should succeed if and only if a prover holding a secret is within the proximity of the verifier. Like proofs of knowledge, these protocols must satisfy completeness, soundness (protection for the honest verifier), and security (protection for the honest prover). We construct ProProx, the very first fully secure PoPoK

A Terrorist-fraud Resistant and Extractor-free Anonymous Distance-bounding Protocol

International audienceDistance-bounding protocols have been introduced to thwart relay attacks against contactless authentication protocols. In this context, veri-fiers have to authenticate the credentials of untrusted provers. Unfortunately , these protocols are themselves subject to complex threats such as terrorist-fraud attacks, in which a malicious prover helps an accomplice to authenticate. Provably guaranteeing the resistance of distance-bounding protocols to these attacks is a complex task. The classical countermeasures usually assume that rational provers want to protect their long-term authentication credentials, even with respect to their accomplices. Thus, terrorist-fraud resistant protocols generally rely on artificial extraction mechanisms, ensuring that an accomplice can retrieve the credential of his partnering prover. In this paper, we propose a novel approach to obtain provable terrorist-fraud resistant protocols without assuming that provers have any long-term secret key. Instead, the attacker simply has to replay the information that he has received from his accomplice. Based on this, we present a generic construction for provably secure distance-bounding protocols, and give three instances: (1) an efficient symmetric-key protocol, (2) a public-key protocol protecting the identities of the provers against external eavesdroppers, and finally (3) a fully anonymous protocol protecting the identities of the provers even against malicious verifiers trying to profile them