Multichannel protocols against relay attacks

January 26th, 2010 at 20:48 UTC by Frank Stajano

Until now it was widely believed that the only defense against relay attacks was distance bounding. In a paper presented today at Financial Cryptography 2010 we introduce a conceptually new approach for detecting and preventing relay attacks, using multichannel protocols.

We have been working on multichannel protocols since 2005. Different channels have different advantages and disadvantages and therefore one may build a better security protocol by combining different channels for different messages in the protocol trace. (For example a radio channel like Bluetooth has high bandwidth, low latency and good usability but leaves you in doubt as to whether the message really came from the announced sender; whereas a visual channel in which you acquire a barcode with a scanner or camera has low bandwidth and poorer usability but gives stronger assurance about where the message came from.)

In this new paper we apply the multichannel paradigm to the problem of countering relay attacks. We introduce a family of protocols in which at least one message is sent over a special “unrelayable” channel. The core idea is that one channel connects the verifier to the principal with whom she shares the prearranged secret K, while another channel (the unrelayable one) connects her to the prover who is actually in front of her; and the men in the middle, however much they relay, can’t get it right on both of these channels simultaneously.

We convey this idea with several stories. Don’t take them too literally but they let us illustrate and discuss all the key security points.

Don't let anyone else reuse this banknote!

This work is exciting for us because it opens up a new field. We look forward to other researchers following it up with implementations of unrelayable channels and with formal tools for the analysis of such protocols.

Frank Stajano, Ford-Long Wong, Bruce Christianson. Multichannel protocols to prevent relay attacks (preliminary; the final revised version of the full paper will be published in Springer LNCS)

Entry filed under: Academic papers, Protocols

2 comments Add your own

  • 1. P  |  January 29th, 2010 at 22:50 UTC

    Congratulations on getting classified by Websense as a “malicious web site”. That will stop those dirty bankers reading your paper at work. This paper is blocked but parts of the site are still reachable.

  • 2. Mike Bond  |  February 12th, 2010 at 10:40 UTC

    I got thinking about this for some time the other day, after finally finding some time to read the paper properly.

    I wonder whether a better abstract model for protocol analysis might be do redefine the boundary of the protocol participants. The original, conventional, model was to imagine the network interface of Alice’s computer to be the trusted boundary, and that both Alice’s computer and Alice were at one, both understanding each other entirely and fully aware of the other, together looking out for Alice, a perfect twinning of man and machine.

    Now that viruses/trojans have become an inevitable part of PC landscape, and now we understand how little the average user knows about their PC (and the protocols it runs), phrases like “Man in the Browser” and so forth have spawned, to capture the fact that the old trust boundary model is out of date.

    So Frank, Ford and Bruce have taken the approach of making new abstractions such as the “unrelayable channel”. It’s not a bad idea, I’ve made new abstractions myself such as the deniable channel.

    But, I wonder… rather than making yet more specialist abstractions like this, would we be better to stay in the information world, but move the boundary of trust to the perimeter of Alice’s brain? We would then say that each brain has five network links (two eyes, two ears, and a spine), and apply a conventional (to terribly abuse this technical term) Dolev-Yao attacker to each of these links. Such a model would for instance, capture the concept that sleight of hand could be used to surreptitiously substitute one accelerometer from another in the “shake together” protocol.

    This then got me thinking about how security might work in future in a world where proper virtual reality exists. Suppose some geezer hits you on the head, or you get disoriented by a nearby flashbang, and when you wake up, you’ve been surreptitiously connected to a virtual reality? Assuming sensory quality and physics in this virtual reality is perfect, the only problem is that the VR modellers can’t model what they dont know about (inside peoples private houses, inside peoples heads etc). After a few minutes or hours, you will figure out you’re not in real life, but can they trick you into performing a relayable authentication in the short duration of time youre in there?

    Just some musings.

    Mike

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

January 2010
M T W T F S S
« Dec   Feb »
 123
45678910
11121314151617
18192021222324
25262728293031