Practical and Provably Secure Distance-Bounding

From contactless payments to remote car unlocking, many applications are vulnerable to relay attacks. Distance bounding protocols are the main practical countermeasure against these attacks. In this paper, we present a formal analysis of SKI, which recently emerged as the first family of lightweight and provably secure distance bounding protocols. More precisely, we explicate a general formalism for distance-bounding protocols, which lead to this practical and provably secure class of protocols (and it could lead to others). We prove that SKI and its variants are provably secure, even under the real-life setting of noisy communications, against the main types of relay attacks: distance-fraud and generalised versions of mafia- and terrorist-fraud. To attain resistance to terrorist-fraud, we reinforce the idea of using secret sharing, combined with the new notion of a leakage scheme. In view of resistance to generalised mafia-frauds (and terrorist-frauds), we present the notion of circular-keying for pseudorandom functions (PRFs); this notion models the employment of a PRF, with possible linear reuse of the key. We also identify the need of PRF masking to fix common mistakes in existing security proofs/claims. Finally, we enhance our design to guarantee resistance to terrorist-fraud in the presence of noise

Short paper:making contactless EMV robust against rogue readers colluding with relay attackers

It is possible to relay signals between a contactless EMV card and a shop’s EMV reader and so make a fraudulent payment without the card-owner’s knowledge. Existing countermeasures rely on proximity checking: the reader will measure round trip times in message-exchanges, and rejects replies that take longer than expected (which suggests they have been relayed). However, it is the reader that would receive the illicit payment from any relayed transaction, so a rogue reader has little incentive to enforce the required checks. Furthermore, cases of malware targeting point-of-sales systems are common.We propose three novel proximity-checking protocols that use a trusted platform module (TPM) to ensure that the reader performs the time measurements correctly. After running one of our proposed protocols, the bank can be sure that the card and reader were in close proximity, even if the reader tries to subvert the protocol. Our first protocol makes changes to the cards and readers, our second protocol modifies the readers and the banking backend, and our third protocol allows the detection of relay attacks, after they have happened, with only changes to the readers

Authentication under Constraints

Authentication has become a critical step to gain access to services such as on-line banking, e-commerce, transport systems and cars (contact-less keys). In several cases, however, the authentication process has to be performed under challenging conditions. This thesis is essentially a compendium of five papers which are the result of a two-year study on authentication in constrained settings. The two major constraints considered in this work are: (1) the noise and (2) the computational power. For what concerns authentication under noisy conditions, Paper A and Paper B ad- dress the case in which the noise is in the authentication credentials. More precisely, the aforementioned papers present attacks against biometric authentication systems, that exploit the inherent variant nature of biometric traits to gain information that should not be leaked by the system. Paper C and Paper D study proximity- based authentication, i.e., distance-bounding protocols. In this case, both of the constraints are present: the possible presence of noise in the channel (which affects communication and thus the authentication process), as well as resource constraints on the computational power and the storage space of the authenticating party (called the prover, e.g., an RFID tag). Finally, Paper E investigates how to achieve reliable verification of the authenticity of a digital signature, when the verifying party has limited computational power, and thus offloads part of the computations to an untrusted server. Throughout the presented research work, a special emphasis is given to privacy concerns risen by the constrained conditions

Another Look at Relay and Distance-based Attacks in Contactless Payments

Relay attacks on contactless e-payments were demonstrated in 2015. Since, countermeasures have been proposed and Mastercard has recently adopted a variant of these in their specifications. These relay-counteractions are based on the payment-terminal checking that the card is close-by. To this end, several other EMV-adaptations have emerged, with the aim to impede dishonest cards cheating on their proximity-proofs. However, we argue that both the former and the latter measures are ineffective. We only sketch possible designs in the right directions, with the idea to pass on the message that these problems should be look at much more carefully. We shortly debate what should and should not be the case w.r.t. confirmation of EMV contactless payments. We also discuss alternative views onto making contactless payments secure against relay-attacks via proximity-checking

Circular Security Reconsidered

The notion of circular security of pseudorandom functions (PRF) was introduced in Distance Bounding Protocols. So far, only a construction based on a random oracle model was proposed. Circular security stands between two new notions which we call Key Dependent Feedback (KDF) security and Leak security. So far, only a construction based on a random oracle was proposed. We give an algebraic construction based on a q-DDH assumpsion. We first prove that a small-domain Verifiable Random Functions (VRF) from Dodis-Yampolskiy is a circular secure PRF. We then use the extension to large-domain VRF by augmented cascading by Boneh et. al. This gives the first construction in the standard model

Optimal Proximity Proofs Revisited

Distance bounding protocols become important since wireless technologies become more and more common. Therefore, the security of the distance bounding protocol should be carefully analyzed. However, most of the protocols are not secure or their security is proven informally. Recently, Boureanu and Vaudenay defined the common structure which is commonly followed by most of the distance bounding protocols: answers to challenges are accepted if they are correct and on time. They further analyzed the optimal security that we can achieve in this structure and proposed DBopt which reaches the optimal security bounds. In this paper, we define three new structures: when the prover registers the time of a challenge, when the verifier randomizes the sending time of the challenge, and the combined structure. Then, we show the optimal security bounds against distance fraud and mafia fraud which are lower than the bounds showed by Boureanu and Vaudenay for the common structure. Finally, we adapt the DBopt protocol according to our new structures and we get three new distance bounding protocols. All of them are proven formally. In the end, we compare the performance of the new protocols with DBopt and we see that we have a better efficiency. For instance, we can reduce the number of rounds in DB2 (one of the instances of DBopt) from $123$ to $5$ with the same security