In this paper, we quantify the security of some other well-known distance-bounding protocols, i.e.: Brands and Chaum~\cite{BrandsChaum93}, Hancke-Kuhn~\cite{HanKuhn05}, Avoine and Tchamkerten~\cite{AvTcham09}; Reid et al.~\cite{ReidGonzTangSen07}, the Swiss-knife protocol~\cite{KimAvoKoeStaPer09}, and the very recent proposal of Yang, Zhuang, and Wong~\cite{YangZhuWong12}. In particular, our main results show that (1) relating responses to a long-term secret key, as is the case for most protocols aiming to thwart terrorist fraud attacks, may make protocols vulnerable to so-called key-learning mafia fraud attacks, where the adversary learns a key bit-by-bit, by flipping a single time-critical response; (2) though relating responses can be a bad idea for mafia fraud, it sometimes enforces distance-fraud resistance, by thwarting in particular the attack of Boureanu et al.~\cite{Vau12}; (3) none of the three allegedly terrorist-fraud resistant protocols, i.e.~\cite{KimAvoKoeStaPer09,ReidGonzTangSen07,YangZhuWong12}, is in fact terrorist fraud resistant; for two of these protocols this is a matter of syntax, i.e.~they do not meet the strong security requirements given by \Duerholz\ et al.; the attack against the third protocol, i.e.~\cite{YangZhuWong12}, however, is almost trivial; (4) due to the absence of a second authentication phase, the protocol of Yang, Zhuang, and Wong is vulnerable to Denial of Service attacks. In light of our results, we also review definitions of terrorist fraud, arguing that, while the strong model in~\cite{DueFisKasOne11} may be at the moment more appropriate than the weaker intuition, it may in fact be too strong to capture terrorist fraud resistance.
Category / Keywords: distance-bounding protocols, models, exact security Date: received 7 Mar 2012, last revised 24 Jan 2013 Contact author: cristina onete at gmail com Available formats: PDF | BibTeX Citation Version: 20130124:164932 (All versions of this report) Discussion forum: Show discussion | Start new discussion