Distance bounding protocols are used by nodes in wireless networks to calculate upper bounds on their distances to other nodes. However, dishonest nodes in the network can turn the calculations both illegitimate and inaccurate when they participate in protocol executions. It is important to analyze protocols for the possibility of such violations. Past efforts to analyze distance bounding protocols have only been manual. However, automated approaches are important since they are quite likely to find flaws that manual approaches cannot, as witnessed in literature for analysis pertaining to key establishment protocols. In this paper, we use the constraint solver tool to automatically analyze distance bounding protocols. We first formulate a new trace property called Secure Distance Bounding (SDB) that protocol executions must satisfy. We then classify the scenarios in which these protocols can operate considering the (dis)honesty of nodes and location of the attacker in the network. Finally, we extend the constraint solver so that it can be used to test protocols for violations of SDB in these scenarios and illustrate our technique on some published protocols.
Automatic analysis of distance bounding protocols
Sreekanth Malladi∗, Bezawada Bruhadeshwar†, Kishore Kothapalli†
ABSTRACT.
Distance bounding protocols are used by nodes in wireless networks for the crucial purpose of estimating their distances to other nodes. This typically involves one node sending a request to another node, receiving a response, and then calculating an upper bound on the distance by multiplying the round-trip time with the velocity of the signal. However, dishonest nodes in the network can turn the calculations both illegitimate and inaccurate when they participate in protocol executions. Therefore, it is important to analyze protocols for the possibility of such violations. Past efforts to analyze distance bounding protocols have only been manual. However, automated approaches are important since they are quite likely to find flaws that manual approaches cannot, as witnessed many times in the literature on key establishment protocols.

In this paper, we use the constraint solver tool to automatically analyze distance bounding protocols: We first formulate a new trace property called Secure Distance Bounding (SDB) that protocol executions must satisfy. We then classify the scenarios in which these protocols can operate, considering the (dis)honesty of nodes and the location of the attacker in the network. Finally, we extend the constraint solver tool so that it can be used to test protocols for violations of SDB in those scenarios and illustrate our technique on several examples that include new attacks on published protocols. We have also hosted an on-line demo so that the reader can try our implementation.
1 Introduction
A distance bounding (DB) protocol is used by a “verifier” node in a wireless network to calculate an upper bound on the distance to a “prover” node in the network. Distance bounding helps in crucial applications such as localization, location discovery and time synchronization. Hence, the security of DB protocols is an important and critical problem.
Figure 1: (a) Extended Echo protocol P1; (b) Man-in-the-Middle Attack on P1
∗Dakota State University, USA, Email: malladis@pluto.dsu.edu
†International Institute of Information Technology, India, Email: {bbruhadeshwar,kkothapalli}@iiit.ac.in
arXiv:1003.5383v1 [cs.CR] 28 Mar 2010
As an example of a DB protocol, consider a simple extension of the Echo protocol (Fig. 1.a) presented in [11]. In the figure, $V$ is the verifier, $P$ is the prover, $N_V$ is a nonce, and $Sig_{pk(P)}([N_V, V, P])$ is the signature of $P$, to be verified with its public key, denoted $pk(P)$. Let $t_i$ be the time on the clock when event $i$ occurs. Then $V$ can calculate the bound $d$ on the distance to $P$ as:

$$d = \frac{(t_4 - t_1) - (t_3 - t_2)}{2} \times s,$$

where $s$ is the speed of the signal.
In the presence of attackers, DB protocols can fail to achieve their main goal of establishing a valid distance bound. For instance, the above protocol has a possible attack wherein an attacker $i$ plays Man-In-The-Middle and succeeds in showing $p$ as being closer to $v$‡ than it really is (Fig. 1.b).
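The bound above is only meaningful if it is really an upper bound on the true distance, which is exactly what the analysis in this paper checks on each trace. The following Python script is an added illustration, not code from the paper or its on-line demo: it computes $d$ from the four event times of one run of P1 and checks the bound against the real distance. Events 2 and 3 occur at $P$, so $V$ can only learn $(t_3 - t_2)$ from $P$'s own report or from an assumed processing time; the script assumes $P$ reports it, and shows what happens when a dishonest prover inflates that report. The distances, processing times and the cheating behaviour are constructed for the example; they are not the man-in-the-middle attack of Fig. 1.b, whose message flow is not reproduced on this page.

```python
from dataclasses import dataclass

# Signal speed in m/s. The text only calls it s; the radio-in-vacuum value
# below is an assumption made for this example.
SPEED = 299_792_458.0


@dataclass(frozen=True)
class Transcript:
    """The four timed events of one run of P1, as V would reconstruct them."""
    t1: float  # V sends the challenge (V's clock)
    t2: float  # P receives the challenge (P's clock, as reported to V)
    t3: float  # P sends the response (P's clock, as reported to V)
    t4: float  # V receives the response (V's clock)


def distance_bound(tr: Transcript, s: float = SPEED) -> float:
    """The bound from the text: d = ((t4 - t1) - (t3 - t2)) / 2 * s."""
    return ((tr.t4 - tr.t1) - (tr.t3 - tr.t2)) / 2.0 * s


def honest_run(true_distance: float, processing: float, s: float = SPEED) -> Transcript:
    """Timeline of a run in which P is really `true_distance` metres from V and
    spends `processing` seconds between receiving the challenge and answering."""
    one_way = true_distance / s
    t1 = 0.0
    t2 = t1 + one_way
    t3 = t2 + processing
    t4 = t3 + one_way
    return Transcript(t1, t2, t3, t4)


def inflated_report_run(true_distance: float, processing: float,
                        claimed_extra: float, s: float = SPEED) -> Transcript:
    """Same physical timeline as honest_run, but P reports a t3 that is
    `claimed_extra` seconds later than the real send time, so V subtracts more
    processing delay than actually elapsed. Constructed dishonest behaviour."""
    h = honest_run(true_distance, processing, s)
    return Transcript(h.t1, h.t2, h.t3 + claimed_extra, h.t4)


def bound_is_sound(tr: Transcript, true_distance: float,
                   s: float = SPEED, tol: float = 1e-6) -> bool:
    """The property checked per trace: V's computed bound must be an upper
    bound on the real distance (within floating-point tolerance)."""
    return distance_bound(tr, s) >= true_distance - tol


def demo() -> dict:
    true_d = 300.0   # metres between V and P (constructed)
    proc = 2e-6      # seconds P really needs to answer (constructed)
    honest = honest_run(true_d, proc)
    cheat = inflated_report_run(true_d, proc, claimed_extra=1e-6)
    return {
        "honest_bound": distance_bound(honest),
        "honest_sound": bound_is_sound(honest, true_d),
        "cheat_bound": distance_bound(cheat),
        "cheat_sound": bound_is_sound(cheat, true_d),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the honest timeline the bound equals the true 300 m. Overstating the processing interval by one microsecond pulls the bound down by half a microsecond times $s$, roughly 150 m, so $P$ appears at about half its real distance. Every microsecond of unverifiable delay that $V$ subtracts is therefore worth about 150 m of false proximity, which is why an analysis has to account for who controls the timestamps and not just which messages the attacker can forge.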
Analysis of DB protocols involves examining whether it is possible to make a party appear closer to an honest verifier than it really is. The problem is different from, and harder than, standard Dolev-Yao analysis of protocols, which only considers whether an attacker can generate the messages required to violate some security property. Here, we also need to factor in the time required for message generation, which can vary with the input size and the cryptographic parameters. Automated analysis is much desired, given the problems with, and distrust of, manual analysis of protocols that have been reported in the literature [5]. There have been numerous instances in which automated techniques found attacks on protocols that manual, hand-based techniques could not (e.g. [6, 7, 9]).
Past work. The few published efforts to analyze DB protocols have been largely incomplete: The classical work of Brands and Chaum [2] is mostly informal and specific to the protocols introduced in that paper. Sastry et al. [11] show that in their “Echo” protocol the prover cannot respond before receiving the verifier’s nonce, but the protocol is used only for “in-range” verification and is also too simple, with no authentication. Meadows et al. [8] give a method to analyze both the distance bounding and the authentication aspects, but the method, like the previous two, is manual, not automated.
Our contribution. To address these concerns, we show a method to automatically analyze DB protocols using the constraint solving technique of Millen and Shmatikov. Our method is based on formal modeling of timed protocols and distance bounding properties. Further, it is fully automated, requiring only minor changes to the existing constraint solver§. Some highlights of our contribution are:
- Like many past strand space extensions, our formal modeling and framework give a simple, clean and useful geometric flavor to the study of DB protocol
…(Full text truncated)…