Distance-bounding protocols are a useful primitive for resisting distance-based attacks. Most existing distance-bounding protocols are designed without taking the reuse of nonces into consideration. However, several studies in the literature have shown that nonce repetition may leak the key shared between protocol participants. Aikaterini et al. introduced a countermeasure that could serve as a supplement in most distance-bounding systems that allow nonce repetition. However, their proposal only holds against passive attackers. In this paper, we introduce an active attack model and show that their countermeasure is insecure under the proposed active attack model. We also discover that all existing distance-bounding protocols with mutual authentication are vulnerable to distance-based attacks if a short nonce is used under the proposed active model. To address this security concern, we propose a new distance-bounding protocol with mutual authentication that prevents distance-based attacks under the active adversary model. A detailed security analysis is presented for the proposed distance-bounding protocol with mutual authentication.
With the rapid development of information technologies such as 5G, more and more people enjoy the convenience of the location-based services offered by service providers. Distance-based attacks enable dishonest users to lie about their real locations and thus may cause serious economic losses to merchants. Distance-bounding protocols play a significant role in resisting distance-based attacks, since they enable one entity to determine an upper bound on the distance to the other entity communicating with him/her. The distance-bounding protocol was first proposed to preclude the relay attack (mafia fraud attack), which is essentially a type of man-in-the-middle attack, by measuring the round-trip times of messages exchanged between the prover and the verifier. The relay attack has two further variants: one is the distance fraud attack, and the other is the terrorist fraud attack. The distance fraud and terrorist fraud attacks mainly arise from flawed design of distance-bounding protocols. Unfortunately, the distance-bounding protocol, which is the only primitive that we employ to achieve both identity and distance verification, will still be used in many different security applications for a long time to come.
The idea of measuring round-trip time to estimate the distance between parties was first proposed by Brands and Chaum in 1993 [
Aikaterini et al. proposed a novel research result that the security of certain distance-bounding protocols [9, 12, 17, 18] depends on the length of nonces [
Aikaterini et al.’s distance-bounding protocol: theoretically, the nonces used in distance-bounding protocols should never repeat. Because practical applications, especially RFID tags, do use short nonces, we should consider the effect that nonce repetition has on the security of distance-bounding protocols. A detailed analysis of this is presented in [
Aikaterini et al.’s original protocol.
Compared with protocols in [
Previous research assumes the verifier to be honest, while the prover can be dishonest. This seems natural because it is the dishonest tags that try to cheat about their real location. After the research in [
The adversary is able to eavesdrop, modify, reroute, and insert messages during the execution of a cryptographic protocol. The adversary is able to obtain the value of any old session key. The adversary may start any number of parallel protocols. The adversary may be a legitimate protocol participant. The adversary does not have infinite computing ability.
Active attack by
We follow the analysis in [
As for
The probability of
According to (
Thus, the expected number of sessions when
Expected number of sessions with
The length of nonces | ||||
---|---|---|---|---|
Number of sessions | 320 | 5132 |
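
Added example (not from the paper): a short Python calculation of how quickly short, uniformly random nonces repeat, using the standard birthday-problem model rather than the paper's attack-specific expression, which is not reproduced above. The function names and the sample nonce lengths are assumptions chosen for illustration.

```python
import math
import random


def collision_probability(bits: int, sessions: int) -> float:
    """P(at least one nonce repeats among `sessions` uniform `bits`-bit nonces)."""
    n = 2 ** bits
    if sessions > n:
        return 1.0  # pigeonhole: a repeat is certain
    # Sum logs of (1 - i/n) instead of multiplying, to keep precision.
    log_distinct = sum(math.log1p(-i / n) for i in range(sessions))
    return -math.expm1(log_distinct)


def expected_sessions_until_repeat(bits: int) -> float:
    """Exact E[T], T = index of the first session whose nonce was seen before."""
    n = 2 ** bits
    expected, p_distinct = 0.0, 1.0  # p_distinct = P(first k nonces distinct)
    for k in range(n + 1):
        expected += p_distinct       # E[T] = sum over k >= 0 of P(T > k)
        p_distinct *= 1.0 - k / n
        if p_distinct < 1e-18:       # remaining terms are negligible
            break
    return expected


def simulate_sessions_until_repeat(bits: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the expectation (constructed experiment)."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        while True:
            nonce = rng.getrandbits(bits)
            total += 1
            if nonce in seen:
                break
            seen.add(nonce)
    return total / trials


def min_nonce_bits(sessions: int, max_prob: float, limit: int = 128) -> int:
    """Smallest nonce length keeping the repeat probability <= max_prob."""
    for bits in range(1, limit + 1):
        if collision_probability(bits, sessions) <= max_prob:
            return bits
    raise ValueError("no nonce length up to `limit` bits meets the bound")


if __name__ == "__main__":
    for b in (8, 16, 24):  # sample lengths chosen for illustration
        print(b, round(expected_sessions_until_repeat(b), 1))
```

When sizing nonces for a deployment, `min_nonce_bits(sessions, max_prob)` gives the shortest nonce for which the chance of any repeat over the expected number of sessions stays under the chosen bound.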
The primary cause of active attacks in [
Notations used in designing our protocol.
Notations | Explanations |
---|---|
Symmetric secret key | |
Pseudorandom function | |
Random numbers | |
Bits | |
Challenge bit in the | |
Response bit in the |
Our improved protocol with mutual authentication.
In this section, we provide a detailed analysis for our proposed protocol against distance fraud, mafia fraud, and terrorist fraud attacks. We first define some notations that will be used in this section. Let Let Let
We first evaluate the success probability of an active adversary on our improved protocol since the adversary has no knowledge of the secret key
In a distance fraud attack, a dishonest prover tries to make the verifier believe that he is closer than he really is by sending responses in advance. Let us consider a single round in the RBE phase. Since a dishonest prover has all the knowledge about
Therefore, the success probability of a dishonest prover in launching a distance fraud attack is
In a mafia fraud attack, both the verifier and the prover are honest. An adversary tries to launch a mafia fraud attack between the verifier and the prover by acting as the prover toward the verifier and as the verifier toward the prover. We say the adversary succeeds if she is successfully authenticated by either the verifier or the prover. Therefore, we divide the attack into the following two situations, and the success probabilities
The adversary first acts as the prover communicating with the verifier and then acts as the verifier, using the information obtained from the verifier, and communicates with the prover
The adversary first acts as the verifier communicating with the prover and then acts as the prover, using the information obtained from the prover, and communicates with the verifier
In this case, the adversary possesses no knowledge about
In this case, the adversary has to guess the response bit
Therefore, the success probability of the adversary under Case II in
In a terrorist fraud attack, a dishonest prover collaborates with an adversary in trying to cheat about his real location. It is worth noting that the dishonest prover should provide as much information as possible, on the condition that the information does not reveal his secret key. Therefore, we first evaluate the information in our protocol that a dishonest prover could give to an adversary, which is presented in Table
Information that could be accessed by an adversary in terrorist fraud attack.
Different cases | Information |
---|---|
Case I | |
Case II | |
Case III | |
Case IV | |
Case V | |
Case VI |
Further analysis shows that the adversary can recover
The success probability of the adversary under different cases.
Different cases | Success probability |
---|---|
Case II | |
Case III | |
Case IV | |
Case V | |
Case VI |
Therefore, the success probability of the dishonest prover and adversary in launching a terrorist fraud attack is
We compare our proposed distance-bounding protocol with some popular existing protocols and the result is presented in Table
Performance of existing distance-bounding protocols.
Protocols | M | T | M | NR | SA |
---|---|---|---|---|---|
[ | |||||
[ | |||||
[ | |||||
[ | |||||
[ | |||||
[ | |||||
Ours |
In this paper, we propose an active attack on the distance-bounding protocol proposed in [
The datasets used or analysed during the current study are available from the corresponding author on reasonable request.
The authors do not have any possible conflicts of interest.
Weiwei Liu is mainly responsible for the design of the protocol and the corresponding security analysis. Hua Guo is in charge of the comparison between the novel protocol and the previous ones while Yangguang Tian is responsible for the paper writing and feasibility analysis.
This work was partially sponsored by the project of youth talent promotion in Henan Province under grant no. 2021HYTP011.