ABSTRACT
In Mastercard's contactless payment protocol RRP (Relay Resistant Protocol), the reader measures the round-trip times (RTTs) of the message exchanges between itself and the card to check that they do not take too long. If they take longer than expected, a relay attack is suspected and the transaction should be dropped. A recent paper at Financial Crypto 2019 (FC19) raises some questions about this type of relay protection in contactless payments. Namely, the authors point out that the reader has no incentive to protect against relaying, as it stands to gain from illicit payments. The paper defines the notion of such a rogue reader colluding with a MiM attacker, specifically in the context of contactless payments, and dubs this collusive relaying. It presents two new protocols, PayBCR and PayCCR, which are closely based on Mastercard's RRP and aim to achieve resistance against collusive relaying. Yet the FC19 paper gives no formal treatment of the collusive-relaying notion or of the security of the protocols. In this paper, we first lift the FC19 notions out of the specifics of RRP-based payments to the generic case of distance bounding. Thus, we set out to answer the wider question of what it would mean to catch RTT-measuring parties (readers, cards, or others) that cheat and collude with proximity-based attackers (i.e., relayers or other types). To this end, we give a new distance-bounding primitive (validated distance-bounding) and two new security notions: strong relaying and strong distance-fraud. We also provide a formal model that, for the first time in distance-bounding, caters for dishonest RTT-measurers. In this model, we prove that the new contactless payments in the FC19 paper, PayBCR and PayCCR, attain security w.r.t. strong relaying.
Finally, we define one other primitive (validated and audited distance-bounding), which in fact emulates the PayCCR protocol in the Financial Crypto 2019 paper more closely; this is because, contrary to the line introducing them, we note that PayBCR and PayCCR in fact differ in construction and security guarantees, especially in those that go past relaying and into authentication.
References
- G. Avoine, M. Bingöl, I. Boureanu, S. Capkun, G. Hancke, S. Kardaş, C. Kim, C. Lauradoux, B. Martin, J. Munilla, A. Peinado, K. Rasmussen, D. Singelée, A. Tchamkerten, R. Trujillo Rasua, and S. Vaudenay. Security of distance-bounding: A survey. ACM Computing Surveys, 2018.
- G. Avoine and C. H. Kim. Mutual distance bounding protocols. IEEE Trans. Mob. Comput., 12(5):830--839, 2013.
- G. Bleumer. Selective Forgery. Springer US, Boston, MA, 2011.
- I. Boureanu, D. Gerault, and P. Lafourcade. Boxdb: Realistic adversary model for distance bounding. Cryptology ePrint Archive, Report 2018/1243, 2018. https://eprint.iacr.org/2018/1243.
- I. Boureanu and S. Vaudenay. Optimal proximity proofs. In International Conference on Information Security and Cryptology, pages 170--190. Springer, 2014.
- S. Brands and D. Chaum. Distance-bounding protocols. In Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology, EUROCRYPT '93, pages 344--359, Berlin, Heidelberg, 1994. Springer-Verlag.
- T. Chothia, I. Boureanu, and L. Chen. Making contactless emv robust against rogue readers colluding with relay attackers. In 23rd International Conference on Financial Cryptography and Data Security (FC 19). International Financial Cryptography Association, February 2019.
- T. Chothia, F. D. Garcia, J. de Ruiter, J. van den Breekel, and M. Thompson. Relay cost bounding for contactless EMV payments. In R. Böhme and T. Okamoto, editors, Financial Cryptography and Data Security - 19th International Conference, FC 2015, San Juan, Puerto Rico, January 26--30, 2015, Revised Selected Papers, volume 8975 of Lecture Notes in Computer Science, pages 189--206, Puerto Rico, January 2015. Springer.
- Y. Desmedt, C. Goutier, and S. Bengio. Special uses and abuses of the fiat-shamir passport protocol. In Advances in Cryptology - CRYPTO '87, A Conference on the Theory and Applications of Cryptographic Techniques, Santa Barbara, California, USA, August 16--20, 1987, Proceedings, pages 21--39, 1987.
- A. Dhar, I. Puddu, K. Kostiainen, and S. Capkun. ProximiTEE: Hardened SGX Attestation and Trusted Path through Proximity Verification. IACR Cryptology ePrint Archive, 2018:902, 2018.
- U. Dürholz, M. Fischlin, M. Kasper, and C. Onete. A formal approach to distance bounding RFID protocols. In Information Security Conference ISC 2011, volume 7001 of Lecture Notes in Computer Science, pages 47--62. Springer, 2011.
- EMVCo. Book C-2 kernel 2 specification v2.7. EMV contactless specifications for payment system, Feb, 2018.
- M. Fischlin and C. Onete. Terrorism in distance bounding: Modeling terrorist-fraud resistance. In Applied Cryptography and Network Security, ACNS'13, pages 414--431, Berlin, Heidelberg, 2013. Springer.
- I. Boureanu, A. Mitrokotsa, and S. Vaudenay. Practical and provably secure distance-bounding. In Y. Desmedt, editor, Information Security, pages 248--258, Cham, 2015. Springer.
- H. Kılınç and S. Vaudenay. Formal Analysis of Distance Bounding with Secure Hardware. In Applied Cryptography and Network Security - 16th International Conference, ACNS 2018, Leuven, Belgium, July 2--4, 2018, Proceedings, pages 579--597, 2018.
- H. Kılınç and S. Vaudenay. Secure contactless payment. In Information Security and Privacy - 23rd Australasian Conference, ACISP 2018, Wollongong, NSW, Australia, July 11--13, 2018, Proceedings, pages 579--597, 2018.
Index Terms
- Provable-Security Model for Strong Proximity-based Attacks: With Application to Contactless Payments