Opinion: Distance Bounding Under Different Assumptions
David Gerault
david@gerault.net
Nanyang Technological University, Singapore
Ioana Boureanu
i.boureanu@surrey.ac.uk
University of Surrey, UK
ABSTRACT
Distance-bounding protocols were introduced in 1993 as a countermeasure
to relay attacks, in which an adversary fraudulently
forwards the communication between a verifier and a distant prover.
In the more than 40 different protocols that followed, assumptions
were taken on the structure of distance-bounding protocols and
their threat models. In this paper, we survey works disrupting these
assumptions, and discuss the remaining challenges.
CCS CONCEPTS
· Security and privacy → Authentication; Security protocols;
Formal security models; Cryptanalysis and other attacks;
· Networks → Mobile and wireless security.
ACM Reference Format:
David Gerault and Ioana Boureanu. 2019. Opinion: Distance Bounding Under
Different Assumptions. In 12th ACM Conference on Security and Privacy in
Wireless and Mobile Networks (WiSec ’19), May 15–17, 2019, Miami, FL, USA.
ACM, New York, NY, USA, 4 pages. https://doi.org/10.1145/3317549.3319729
1 INTRODUCTION
In relay attacks, an adversary forwards back and forth the communications
between a verifier (e.g., an RFID reader) and a prover
(e.g., an RFID card) found outside the verifier’s range; the adversary
does this in a fraudulent manner, in order to gain illicit access to
a service. Distance-bounding (DB) protocols were introduced by
Brands and Chaum in 1993 to counteract relay attacks. In these
protocols a verifier measures the round-trip times (RTTs) of its
exchanges with a prover, to estimate the distance between the two;
if the RTTs are greater than a certain threshold, then relay attacks
are probable and the verifier rejects the transaction. Relay attacks
against contactless payments [36] triggered Mastercard to add relay
protection through distance bounding [20]; so, after 25 years of
research, distance bounding is finally adopted by the industry.
The threats [4] considered in “academic” distance bounding are:
Mafia Fraud (MF). Two collaborating adversaries impersonate a
distant prover in front of a verifier. Typically, one of the adversaries
presents a fake verifier to the victim prover, while the other presents
a fake prover to the legitimate verifier.
Distance Fraud (DF). A distant dishonest prover authenticates
from afar by misleading the verifier in its measurements.
© 2019 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 978-1-4503-6726-4/19/05. . . $15.00
Distance Hijacking (DH). Distance hijacking is a generalisation
of distance fraud; in a DF, no prover is close to the verifier,
whereas in a DH, honest provers are to be found close to the verifier.
Terrorist Fraud (TF). A distant prover, helped by an accomplice
located close to the verifier, tries to authenticate. To exclude trivial
attacks where the prover gives his secret key to his accomplice,
the fraud is considered successful only if the accomplice cannot
authenticate on his own, once the prover no longer helps him.
A wide range of variations of these attacks have appeared, e.g.,
see [14]. Indeed, the threat model for DB is in constant evolution [23],
and new attacks appear regularly: [4, 11] present more
than 40 protocols, most of which are vulnerable to at least one attack.
In particular, the notion of terrorist fraud and how to provably
resist it led to numerous publications, e.g., [5, 21, 24, 39].
Contributions.
1. We critically survey works that, in a quest for better results, have
challenged the well-established assumptions in distance-bounding.
2. We discuss what could be achieved by lifting more assumptions.
2 DISRUPTING CLASSICAL ASSUMPTIONS
The main assumptions for academic distance-bounding protocols
were introduced in [10] and further extended in [15]. They are
mostly related to physical-layer constraints to obtain reliable time
measurements. Following these assumptions, most protocols are
divided in two: a) a phase which is not time-critical and bears
hardly any restrictions; b) a timed phase, in which 1-bit messages are
exchanged and no expensive computation can be performed. This
section surveys approaches that bypass traditional assumptions.
Assumption 1: Single-bit challenges and responses. During
the timed phases, only single-bit messages should be exchanged.
This assumption has been widely adopted in most academic
distance-bounding protocols, with a few exceptions, such
as [31]. The assumption is however challenged by practical implementations:
new relay-counteractions by 3DB [16], Mastercard’s
relay resistance protocol [20] and NXP’s distance-bounding protocol [37].
These practical protocols share a similar design: during
the timed phase, the verifier sends a bitstring nonce and the prover
replies with another bitstring nonce. Afterwards, the prover sends
a message authenticating the transcript (including both nonces),
either via a signature or a MAC.
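The shared design described above, sketched as an added Python example (not code from the paper or from any of the cited protocols). The RTT is modelled from a path length rather than measured, and the nonce size, HMAC-SHA256 and the 3 m bound are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

C = 299_792_458.0  # speed of light in m/s


class Prover:
    def __init__(self, key: bytes):
        self.key = key

    def timed_reply(self, verifier_nonce: bytes) -> bytes:
        # Timed phase: no cryptography, only a fresh nonce is returned.
        self.nv, self.np = verifier_nonce, secrets.token_bytes(8)
        return self.np

    def authenticate(self) -> bytes:
        # Untimed phase: the MAC binds both nonces of the transcript to the key.
        return hmac.new(self.key, self.nv + self.np, hashlib.sha256).digest()


def run_session(key, prover, path_m, max_rtt_s, proc_s=1e-9):
    """Verifier side; path_m is the modelled one-way signal path in metres."""
    nv = secrets.token_bytes(8)
    np_ = prover.timed_reply(nv)
    rtt = 2 * path_m / C + proc_s  # modelled RTT, stands in for a hardware timer
    tag = prover.authenticate()
    expected = hmac.new(key, nv + np_, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "reject: bad transcript MAC"
    if rtt > max_rtt_s:
        return "reject: RTT above threshold"
    return "accept"


def demo():
    key = secrets.token_bytes(32)
    bound = 2 * 3.0 / C + 1e-9  # constructed threshold: prover within 3 m
    near = run_session(key, Prover(key), 0.1, bound)
    # Relayed session: the MAC is valid, but the signal path is 50 m long.
    relayed = run_session(key, Prover(key), 50.0, bound)
    # Nearby device that does not hold the shared key.
    forged = run_session(key, Prover(secrets.token_bytes(32)), 0.1, bound)
    return near, relayed, forged


if __name__ == "__main__":
    print(demo())
```

The relayed session is rejected only by the timing check, and the nearby keyless device only by the MAC check, which is why the design needs both.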
Assumption 2: Error tolerance. Distance-bounding protocols
must account for the bit errors that occur during the timed phases.
Tolerance of transmission errors is typically provided by granting
authentication even if not all responses are correct, but no more
than a given proportion/number are incorrect. Yet, enforcing such
tolerances generally lowers DB security. For instance, the DB3 protocol [24]
with noise tolerance generally requires 43 rounds for
a security level equivalent to 20 rounds of its noiseless version.
Moreover, it was shown that noise tolerance leads to terrorist frauds
on some protocols that were otherwise secure [22].
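The cost of error tolerance can be seen in a simple binomial model, given here as an added example that is not taken from the paper or from the DB3 analysis. It assumes single-bit rounds in which an adversary answers correctly with probability 1/2, independent bit errors, and a 99% honest-acceptance target; it shows the trend and does not reproduce the 43-round figure, which depends on DB3's own parameters.

```python
from math import comb


def adversary_success(n: int, tolerated: int, p: float = 0.5) -> float:
    """Probability of at most `tolerated` wrong answers in n rounds when
    each round is answered correctly with probability p."""
    return sum(comb(n, e) * (1 - p) ** e * p ** (n - e)
               for e in range(tolerated + 1))


def honest_accept(n: int, tolerated: int, noise: float) -> float:
    """Probability that an honest prover passes when each response bit is
    corrupted independently with probability `noise`."""
    return adversary_success(n, tolerated, 1 - noise)


def rounds_needed(target: float, noise: float, min_honest: float = 0.99,
                  p: float = 0.5, max_n: int = 512):
    """Smallest n, with the smallest tolerance that keeps honest acceptance
    at or above min_honest, for which adversary success is at most target."""
    for n in range(1, max_n + 1):
        tol = next(t for t in range(n + 1)
                   if honest_accept(n, t, noise) >= min_honest)
        if adversary_success(n, tol, p) <= target:
            return n, tol
    raise ValueError("no round count up to max_n meets the target")


if __name__ == "__main__":
    target = 2 ** -20  # security level of 20 noiseless rounds in this model
    print("noiseless:", rounds_needed(target, noise=0.0))
    print("5% bit errors:", rounds_needed(target, noise=0.05))
    # Tolerating one error in 20 rounds already costs a factor of 21.
    print("20 rounds, 1 tolerated:", adversary_success(20, 1) / target)
```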