Breaking and Fixing the HB+DB Protocol
| Title | Breaking and Fixing the HB+DB Protocol |
| Publication Type | Conference Paper |
| Year of Publication | 2017 |
| Authors | Boureanu, Ioana, Gérault, David, Lafourcade, Pascal, Onete, Cristina |
| Conference Name | Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks |
| Publisher | ACM |
| Conference Location | New York, NY, USA |
| ISBN Number | 978-1-4503-5084-6 |
| Keywords | deterrence, distance-bounding, Human Behavior, human factors, lightweight authentication, pubcrawl, resilience, Resiliency, Scalability |
| Abstract | HB+ is a lightweight authentication scheme, which is secure against passive attacks if the Learning Parity with Noise Problem (LPN) is hard. However, HB+ is vulnerable to a key-recovery, man-in-the-middle (MiM) attack dubbed GRS. The HB+DB protocol added a distance-bounding dimension to HB+, and was experimentally proven to resist the GRS attack. We exhibit several security flaws in HB+DB. First, we refine the GRS strategy to induce a different key-recovery MiM attack, not deterred by HB+DB's distancebounding. Second, we prove HB+DB impractical as a secure distance-bounding (DB) protocol, as its DB security-levels scale poorly compared to other DB protocols. Third, we refute that HB+DB's security against passive attackers relies on the hardness of LPN; moreover, (erroneously) requiring such hardness lowers HB+DB's efficiency and security. We also propose anew distance-bounding protocol called BLOG. It retains parts of HB+DB, yet BLOG is provably secure and enjoys better (asymptotical) security. |
| URL | http://doi.acm.org/10.1145/3098243.3098263 |
| DOI | 10.1145/3098243.3098263 |
| Citation Key | boureanu_breaking_2017 |