Paper 2018/1243

Implementation-Level Corruptions in Distance Bounding -- Exhibiting Faults and Provably-Secure Fixes in the Electronic Payment Protocol PayPass --

Ioana Boureanu and David Gerault and Pascal Lafourcade

Abstract

In relay attacks,a man-in-the-middle attacker gains access to a service by relaying the messages between two legitimate parties. Distance-bounding protocols are a countermeasure to relay attacks, whereby a verifier measures the round-trip time in exchanges with a prover. Inspired by application-security definitions, we propose a new security model, OracleDB, distinguishing two prover-corruption types: black-box and white-box. We use this distinction to settle the long-lasting arguments about terrorist-fraud resistance, by showing that it is irrelevant in both the black-box and white-box corruption models. We then exhibit a security flaw in the PayPass protocol with relay protection, used in EMV contactless payments. We propose an extension to this industry-standard protocol, with only small modifications, and prove its security in our strongest adversary model. Finally, we exhibit a new generalised distance-fraud attack strategy that defeats the security claims of at least 12 existing distance-bounding protocols.