Deakin University

File(s) under permanent embargo

Post-collusion security and distance bounding

Version 2 2024-06-04, 14:38
Version 1 2020-01-02, 13:05
conference contribution
posted on 2019-11-01, 00:00 authored by S Mauw, J Toro-Pozo, Z Smith, Rolando Trujillo Rasua
Verification of cryptographic protocols is traditionally built upon the assumption that participants have not revealed their long-term keys. However, in some cases, participants might collude to defeat some security goals without revealing their long-term secrets. We develop a model based on multiset rewriting to reason about collusion in security protocols. We introduce the notion of post-collusion security, which verifies security properties claimed in sessions initiated after the collusion occurred. We use post-collusion security to analyse terrorist fraud on protocols for securing physical proximity, known as distance-bounding protocols. In a terrorist fraud attack, agents collude to falsely prove proximity, whilst no further false proximity proof can be issued without further collusion. Our definitions and the Tamarin prover are used to develop a modular framework for verification of distance-bounding protocols that accounts for all types of attack from the literature. We perform a survey of over 25 protocols, which include industrial protocols such as Mastercard's contactless payment PayPass and NXP's MIFARE Plus with proximity check. For the industrial protocols we confirm attacks, propose fixes, and deliver computer-verifiable security proofs of the repaired versions.

History

Event

ACM Special Interest Group on Security, Audit and Control. Conference (2019 : London, Eng.)

Series

ACM Special Interest Group on Security, Audit and Control Conference

Pagination

941 - 958

Publisher

Association for Computing Machinery

Location

London, Eng.

Place of publication

New York, N.Y.

Start date

2019-11-11

End date

2019-11-15

ISSN

1543-7221

ISBN-13

9781450367479

Language

eng

Publication classification

E1 Full written paper - refereed

Editor/Contributor(s)

[Unknown]

Title of proceedings

CCS'19 : Proceedings of the ACM Conference on Computer and Communications Security