So near and yet so far - Symbolic verification of distance-bounding protocols

International audienceThe rise of new technologies, and in particular Near Field Communication (NFC) tags, offers new applications such as contactless payments, key-less entry systems, transport ticketing. .. Due to their security concerns, new security protocols, called distance-bounding protocols, have been developed to ensure physical proximity of the devices during a session. In order to prevent flaws and attacks, these protocols require formal verification. In this paper, we propose a new symbolic model allowing us to take into account the location of the agents and to model the fact that transmitting a message takes time. We propose two reduction results to render automatic verification possible relying on the existing verification tool ProVerif. Then, we perform a comprehensive case studies analysis (more than 25 protocols) relying on our new framework and its integration in ProVerif. We obtain new proofs of security for some protocols and detect attacks on some others

Modelling and Analysis of a Hierarchy of Distance Bounding Attacks

Contains fulltext : 195392.pdf (publisher's version ) (Open Access

Modelling and Analysis of a Hierarchy of Distance Bounding Attacks

Contains fulltext : 195392.pdf (publisher's version ) (Open Access

Protocol Analysis with Time

[EN] We present a framework suited to the analysis of cryptographic protocols that make use of time in their execution. We provide a process algebra syntax that makes time information available to processes, and a transition semantics that takes account of fundamental properties of time. Additional properties can be added by the user if desirable. This timed protocol framework can be implemented either as a simulation tool or as a symbolic analysis tool in which time references are represented by logical variables, and in which the properties of time are implemented as constraints on those time logical variables. These constraints are carried along the symbolic execution of the protocol. The satisfiability of these constraints can be evaluated as the analysis proceeds, so attacks that violate the laws of physics can be rejected as impossible. We demonstrate the feasibility of our approach by using the Maude-NPA protocol analyzer together with an SMT solver that is used to evaluate the satisfiability of timing constraints. We provide a sound and complete protocol transformation from our timed process algebra to the Maude-NPA syntax and semantics, and we prove its soundness and completeness. We then use the tool to analyze Mafia fraud and distance hijacking attacks on a suite of distance-bounding protocols.This paper was partially supported by the EU (FEDER) and the Spanish MCIU under grant RTI2018-094403-B-C32, by the Spanish Generalitat Valenciana under grant PROMETEO/2019/098 and APOSTD/2019/127, by the US Air Force Office of Scientific Research under award number FA9550-17-1-0286, and by ONR Code 311.Aparicio-Sánchez, D.; Escobar Román, S.; Meadows, C.; Meseguer, J.; Sapiña-Sanchis, J. (2020). Protocol Analysis with Time. Springer. 128-150. https://doi.org/10.1007/978-3-030-65277-7_7S128150Avoine, G., et al.: A terrorist-fraud resistant and extractor-free anonymous distance-bounding protocol. In Proceedings of the Asia Conference on Computer and Communications Security (AsiaCCS 2017), pp. 800–814. ACM Press (2017)Basin, D.A., Capkun, S., Schaller, P., Schmidt, B.: Formal reasoning about physical properties of security protocols. ACM Trans. Inf. Syst. Securi. 14(2), 16:1–16:28 (2011)Brands, S., Chaum, D.: Distance-bounding protocols. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 344–359. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_30Capkun, S., Buttyán, L., Hubaux, J.-P.: SECTOR: secure tracking of node encounters in multi-hop wireless networks. In: Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2003), pp. 21–32. Association for Computing Machinery (2003)Chothia, T., de Ruiter, J., Smyth, B.: Modelling and analysis of a hierarchy of distance bounding attacks. In: Proceedings of the 27th USENIX Security Symposium (USENIX Security 2018), pp. 1563–1580. USENIX (2018)Clavel, M., et al.: Maude Manual (Version 3.0). Technical report, SRI International Computer Science Laboratory (2020). http://maude.cs.uiuc.eduThe CVC4 SMT Solver (2020). https://cvc4.github.ioDebant, A., Delaune, S.: Symbolic verification of distance bounding protocols. In: Nielson, F., Sands, D. (eds.) POST 2019. LNCS, vol. 11426, pp. 149–174. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17138-4_7Debant, A., Delaune, S., Wiedling, C.: A symbolic framework to analyse physical proximity in security protocols. In: Proceedings of the 38th IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2018), Leibniz International Proceedings in Informatics (LIPIcs), vol. 122, pp. 29:1–29:20. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2018)Escobar, S., Meadows, C., Meseguer, J., Santiago, S.: Symbolic protocol analysis with disequality constraints modulo equational theories. In: Bodei, C., Ferrari, G.-L., Priami, C. (eds.) Programming Languages with Applications to Biology and Security. LNCS, vol. 9465, pp. 238–261. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-25527-9_16Hancke, G.P., Kuhn, M.G.: An RFID distance bounding protocol. In: Proceedings of the 1st IEEE International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005), pp. 67–73. IEEE Computer Society Press (2005)Kim, C.H., Avoine, G., Koeune, F., Standaert, F.-X., Pereira, O.: The Swiss-Knife RFID distance bounding protocol. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 98–115. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00730-9_7Wolfram Mathematica (2020). https://www.wolfram.com/mathematicaMauw, S., Smith, Z., Toro-Pozo, J., Trujillo-Rasua, R.: Distance-bounding protocols: verification without time and location. In: Proceedings of the 39th IEEE Symposium on Security and Privacy (S&P 2018), pp. 549–566. IEEE Computer Society Press (2018)Meadows, C., Poovendran, R., Pavlovic, D., Chang, L.W., Syverson, P.: Distance bounding protocols: authentication logic analysis and collusion attacks. In: Poovendran, R., Roy, S., Wang, C. (eds.) Secure Localization and Time Synchronization for Wireless Sensor and Ad Hoc Networks: Advances in Information Security, vol. 30, pp. 279–298. Springer, Boston (2007). https://doi.org/10.1007/978-0-387-46276-9_12Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48Munilla, J., Peinado, A.: Distance bounding protocols for RFID enhanced by using void-challenges and analysis in noisy channels. Wirel. Commun. Mob. Comput. 8(9), 1227–1232 (2008)Neumann, C., Yu, T., Hartman, S., Raeburn, K.: The Kerberos network authentication service (V5). Request Comments 4120, 1–37 (2005)Nieuwenhuis, R., Oliveras, A., Tinelli, C.: Solving SAT and SAT modulo theories: from an abstract Davis-Putnam-Logemann-Loveland procedure to DPLL(T). Commun. ACM 53(6), 937–977 (2006)Nigam, V., Talcott, C., Aires Urquiza, A.: Towards the automated verification of cyber-physical security protocols: bounding the number of timed intruders. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9879, pp. 450–470. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45741-3_23Nigam, V., Talcott, C., Urquiza, A.A.: Symbolic timed observational equivalence. Computing Research Repository, abs/1801.04066 (2018)Paulson, L.C.: The inductive approach to verifying cryptographic protocols. J. Comput. Secur. 6(1–2), 85–128 (1998)Perrig, A., Song, D., Canetti, R., Tygar, J.D., Briscoe, B.: Timed efficient stream loss-tolerant authentication (TESLA): multicast source authentication transform introduction. Request Comments 4082, 1–22 (2005)Rasmussen, K.B., Capkun, S.: Realization of RF distance bounding. In: Proceedings of the 19th USENIX Security Symposium (USENIX Security 2010), pp. 389–402. USENIX (2010)Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: proving security protocols correct. J. Comput. Secur. 7(1), 191–230 (1999)Yang, F., Escobar, S., Meadows, C., Meseguer, J.: Strand spaces with choice via a process algebra semantics. Computing Research Repository, abs/1904.09946 (2019)Yang, F., Escobar, S., Meadows, C., Meseguer, J., Santiago, S.: Strand spaces with choice via a process algebra semantics. In: Proceedings of the 18th International Symposium on Principles and Practice of Declarative Programming (PPDP 2016), pp. 76–89. ACM Press (2016)The Yices SMT Solver (2020). https://yices.csl.sri.comThe Z3 SMT Solver (2020). https://github.com/Z3Prover/z