• No se han encontrado resultados

We apply our results to our improved variant of the RˇC protocol, assuming that the prover and verifier share a secret key K. Our resulting protocol is depicted in Figure 33.

We proceed to also describe the protocol in more detail. The scheme is again composed of two phases: the initialisation phase and the distance bounding phase.

• Initialisation Phase: The prover P generates a random nonce NP and sends it to the verifier V ˙The verifier V

generates a random nonce NV and sends it to the prover P. Both the prover and the verifier use as input the

concatenation of the nonces NP and NV as input to a keyed pseudorandom function (FK) and divide the output of

the prf into two parts, i.e.: M kRP ←− fK(NPkNV). Finally the verifier V generates another random value RV of

length n.

• Distance Bounding (DB) Phase: Distance bounding proceeds as follows:

Prover P Verifier V shared key K shared key K

Initialisation phase NP $ ←− {0, 1}n NP −−−−−−−−→ NV ←−−−−−−−− NV $ ←− {0, 1}n M kRP←− FK(NPkNV) M kRP←− FK(NPkNV) RV $ ←− {0, 1}n

Distance Bounding phase wait for delay ∆

compute streamV :=

streamV

←−−−−−−−−−−−−−− RandV1kRandV2kM kRVkRandV3

parse Rand∗

V1kRandV2k ˆM k ˆRVkRandV3

generate RandP7of random length

between 0 and B · f compute and send streamP:=

RandP5kRP⊕ ˆRVkRandP6kRandP7 stream

P

−−−−−−−−−−−−−−→

parse

RandP5kRP⊕ ˆRVkRandP6kRandP7

End of Distance Bounding phase

set t as the time difference between sending RV and

receiving RP⊕ RV

calculate upper bound on the distance to P.

Figure 33: A location-private distance-bounding protocol

following condition (as explained above):

B ≥ 2h+1tmax

After waiting for this delay ∆ if the prover P has still not received any bits from the verifier V it starts transmitting random bits RandP1. In total, if the maximal transmission frequency is f , the length of RandP1 is max((∆t(P, V) − ∆) · f, 0).

– While the prover P waits for a delay ∆ (see above), the verifier V transmits a continuous stream (streamV)

such that:

streamV:= RandV1kRandV2kM kRVkRandV3

Here, the length of RandV1 is exactly B · f bits, where f is the transmission frequency of the verifier (i.e.

the number of bits that it transmits during 1 time unit). The lengths of RandV2 and RandV3 are chosen uniformly in the range [0, R]13. We denote by L = |Rand

V1| + |RandV2| + |RandV3| the total length of the

randomness sent by the verifier. Then, the length of the verifier’s stream is exactly L + |M | + |NV1|, where

|M | is the length of the hidden marker and |RV| is the length of the verifier’s nonce RV. The values |M | and

|RV| are global invariants for the protocol, whereas L is session specific. Thus, the hidden marker M is sent

at a position Bf + |RandV2|.

13In [69], it is stated that having |Rand

V2| and |RandV3| random prevents the adversary from guessing the location of the marker

M . However, it is not clear that it would translate into a privacy leakage in our variant due to [58]. It seems that choosing R = 0 would work. We let this analysis as an open problem.

– As soon as P has waited its random delay, it parses the received values. In general, we denote by Shiftp(s) the

string s shifted by an offset p. If p is positive, it means we drop the p leading bits of s. Otherwise, it means that we prepend p zero bits to s. Then, P parses the received stream as: Shift−p(RandV1)kRandV2k ˆM || ˆRV||RandV3, where p = (∆t(P, V ) − ∆) · f . In other words, the shift accounts for the waiting time of ∆ time units and the distance it takes for each bit of the stream to get from V to P. We denote Shift−p(RandV1) = Rand∗V1. As the prover parses the received bits, it computes and sends the stream (streamP) such that:

streamP:= [(RandP1||RandP2)⊕(Rand

V1kRandV2)]k(RandP3⊕ ˆM )k ˆRV⊕ ˆRPk (RandP4⊕ RandV3)kRandP7

= RandP5kRP⊕ ˆRVkRandP6kRandP7

where we denote:

RandP5:=[(RandP1||RandP2) ⊕ (Rand

V1kRandV2)]k(RandP3⊕ ˆM ) and RandP6:= RandP4⊕ RandV3. Note that RandP7 has a random length between 0 and B · f to defeat location-privacy loss based on the analysis of the last stream bit reception.

– After the end of the distance bounding phase the verifier V calculates the time difference t between sending RV and receiving RV⊕ RP. The verifier authenticates the prover P iff. t ≤ tmax.

7

Significance and Impact of our Results

In this chapter we aim to put our results into a wider perspective. In particular, coming back to the motivation of having clear and formal security models for distance-bounding protocols, we explain in how far our definitions achieve this. In view of our results, security in distance-bounding protocols appears to be a much broader topic than initially thought of, as indeed our refinements of mafia and terrorist fraud resistance clearly show. We furthermore stress the idea that particular care should be taken to the distance-bounding scenario with multiple provers and multiple verifiers, which is an immediate direction for further work.

Before discussing the impact of our results in more detail, we first give in section 7.1 an overview of our contributions, matching them against previous or concurrent work. We divide our results into four categories: (1) Aspects of Modelling; (2) Exact Protocol Assessment and Security Breaches; (3) Tools; and (4) Constructions.

In the first category we include the notions we defined throughout the paper, from the initial framework of Chapter 2 to the notions of privacy (both authentication and location privacy), and to the refinements to mafia and terrorist fraud resistance in Chapters 4 and 5. We try to give here an overview of the various notions we introduced and how they relate to each other, also comparing them to previous or parallel results. Under the second category, we summarise our results and conclusions regarding various distance-bounding protocols in the literature: Brands and Chaum [13], Hancke and Kuhn [42], Avoine and Tchamkerten [6], Kim and Avoine [49], Bussard and Bagga [15], Reid et al. [70], and the Swiss-Knife Protocol [50]. Under attacks, we list our mafia fraud attack against the Rasmussen-ˇCapkun distance-bounding protocol, as well as key-learning attacks and the generic attack we give against the terrorist fraud resistance of the Bussard- Bagga and the Reid et al. schemes. Recall also that a direct consequence of the results of Boureanu et al. [11] is that most distance-bounding protocols in the literature are in fact not distance-fraud resistant. We also note that both these protocols attain an independent notion of privacy, i.e. GameTF security. We discuss in more detail the impact of this apparent contradiction and its consequences on general terrorist fraud resistant constructions. Furthermore, we note that key-learning attacks —which are very well known in the context of authentication— are usually not considered in distance bounding, although they seem easy to implement.

Categories (3) and (4), i.e., Tools and Constructions, are somewhat related, though not identical. Under tools we give mostly generic tools presented in this thesis, such as the key update compiler that adds narrow-destructive privacy to distance-bounding protocols. A further tool is the compiler presented in Chapter 4, which is discussed in the perspective of the property it achieves, namely strong mafia fraud resistance. Under Constructions, by contrast, we list the particular schemes we outline throughout this thesis, with particular emphasis on the terrorist fraud resistance scheme in Chapter 5 and the location private, enhanced RˇC protocol of Chapter 6. We do not count our improvement to the protocol due to Kim and Avoine, which we present in Chapter 2 as a construction, but rather list these modifications under the protocol analysis section.

Following the overview of our contributions we more extensively discuss, in Section 7.2, the impact of our results on present-day and future distance-bounding constructions and models. In particular, we give a classification of security notions, indicating which notions should be achieved by various practical deployment scenarios, such as public transport or personal identification. By relating this back to the protocol analysis we do throughout the thesis, we are able to indicate which distance-bounding protocols may be suitable in several scenarios. Finally we also discuss the impact of our models on distance bounding as a discipline, showing that the attacks we present serve as a motivation to encourage precise formalisation of security notions. We also briefly discuss the benefits of exact (as opposed) to asymptotic security statements.

Finally, we conclude this chapter with section 7.3, where we discuss directions for future work. Here we identify three main research directions, which can be seen as natural follow-ups of our research here: (1) Modelling, where we mention in particular the extension of the channel-based model in Chapter 6, and the treatment of multiple-prover-multiple-verifier distance-bounding scenarios; (2) Constructions, where an important next step would be to consider protocol design with respect to recent advances in the area of Elliptic-Curve processors for RFID hardware, which enables EC computations at a lower cost than PRF (HMAC) implementations; of further motivation in this respect are recent discussions about the practical security of HMACs [51], which indicate that in HMACs are not as secure in practice as they are assumed to be: thus, for RFID hardware it may be infeasible to implement secure HMACs; (3) Implementations, which would feature a comparison of the implemented schemes in the literature, followed by an analysis of the feasibility of deploying distance-bounding in practical scenarios.

7.1

Overview of Contributions