Subtle kinks in distance-bounding: an analysis of prominent protocols

Distance-bounding protocols prevent man-in-the-middle attacks by measuring response times. The four attacks such protocols typically address, recently formalized in [10], are: (1) mafia fraud, where the adversary must impersonate to a verifier in the presence of an honest prover; (2) terrorist fraud, where the adversary gets some offline prover support to impersonate; (3) distance fraud, where provers claim to be closer to verifiers than they really are; and (4) impersonations, where adversaries impersonate provers during lazy phases. Durholz et al. [10] also formally analyzed the security of (an enhancement of) the Kim-Avoine protocol [14].

In this paper we quantify the security of the following well-known distance-bounding protocols: Hancke and Kuhn [13], Reid et al. [16], the Swiss-Knife protocol [15], and the very recent proposal of Yang et al. [17]. Concretely, our main results show that (1) the usual terrorist-fraud countermeasure of relating responses to a long-term secret key may enable socalled key-learning mafia fraud attacks, where the adversary flips a single time-critical response to learn a key bit-by-bit; (2) though relating responses may allow mafia fraud, it sometimes enforces distance-fraud resistance by thwarting the attack of Boureanu et al. [5]; (3) none of the three allegedly terrorist-fraud resistant protocols, i.e. [15, 16, 17], is in fact terrorist fraud resistant; for the former two schemes this is a matter of syntax, attacks exploiting the strong formalization of [10]; the attack against the latter protocol of [17], however, is almost trivial; (4) unless key-update is done regardless of protocol completion, the protocol of Yang et al. is vulnerable to Denial-of-Service attacks. In light of our results, we also review definitions of terrorist fraud, arguing that, while the strong model in [10] may be at the moment more appropriate than mere intuition, it could be too strong to capture terrorist attacks.