Security Analysis and Implementation of Relay-Resistant Contactless Payments

Ioana Boureanu, Tom Chothia, Alexandre Debant, and Stéphanie Delaune. Security Analysis and Implementation of Relay-Resistant Contactless Payments. In Proceedings of the 27th ACM Conference on Computer and Communications Security (CCS'20), ACM Press, Virtual conference, November 2020.

Abstract

Contactless systems, such as the EMV (Europay, Mastercard and Visa) payment protocol, are vulnerable to relay attacks. The typical countermeasure to this relies on so-called proximity checking or distance bounding protocols, whereby the reader estimates an upper bound on its physical distance from the card by doing round-trip time (RTT) measurements. However, these protocols are trivially broken in the presence of rogue readers. At Financial Crypto 2019, two novel EMV-based relay-resistant protocols were proposed: they integrate distance-bounding with the use of hardware roots of trust (HWRoT) in such a way that correct RTT-measurements can no longer be bypassed. Our contributions are threefold. First, we design a calculus to model this advanced type of distance-bounding protocols integrated with HWRoT; as an additional novelty, our calculus is also the first to allow for mobility of cards and readers within a proximity-checking primitive. Second, to be able to analyse these protocols via more standard mechanisms and tools, we consider a 2018 characterisation of distance-bounding security which does away with physical aspects and resides only on causality of events; we cast it in our richer calculus and extend its theoretical guarantees to our more expressive models (with mobility, potentially rogue readers, and HWRoT). Due to this extension, we can then legitimately carry out the security analysis in the standard protocol-verification tool ProVerif. Third, we provide the first implementation of Mastercard's relay-resistant EMV protocol RRP, as well as one of its 2019 extensions with HWRoT, called PayBCR. We evaluate their efficiency and their robustness to relay attacks, in the presence of both honest and rogue readers. Last but not least, our experiments are the first to show that Mastercard's RRP and its HWRoT-based extension PayBCR are both practical in preventing relay attacks of the magnitude shown thus far in EMV.

BibTeX

@inproceedings{BCDD-ccs20,
  abstract =      {Contactless systems, such as the EMV (Europay,
                   Mastercard and Visa) payment protocol, are vulnerable
                   to relay attacks. The typical countermeasure to this
                   relies on so-called proximity checking or distance
                   bounding protocols, whereby the reader estimates an
                   upper bound on its physical distance from the card by
                   doing round-trip time (RTT) measurements. However,
                   these protocols are trivially broken in the presence
                   of rogue readers. At Financial Crypto 2019, two novel
                   EMV-based relay-resistant protocols were proposed:
                   they integrate distance-bounding with the use of
                   hardware roots of trust (HWRoT) in such a way that
                   correct RTT-measurements can no longer be bypassed.
                   Our contributions are threefold. First, we design a
                   calculus to model this advanced type of
                   distance-bounding protocols integrated with HWRoT; as
                   an additional novelty, our calculus is also the first
                   to allow for mobility of cards and readers within a
                   proximity-checking primitive. Second, to be able to
                   analyse these protocols via more standard mechanisms
                   and tools, we consider a 2018 characterisation of
                   distance-bounding security which does away with
                   physical aspects and resides only on causality of
                   events; we cast it in our richer calculus and extend
                   its theoretical guarantees to our more expressive
                   models (with mobility, potentially rogue readers, and
                   HWRoT). Due to this extension, we can then
                   legitimately carry out the security analysis in the
                   standard protocol-verification tool ProVerif. Third,
                   we provide the first implementation of Mastercard's
                   relay-resistant EMV protocol RRP, as well as one of
                   its 2019 extensions with HWRoT, called PayBCR. We
                   evaluate their efficiency and their robustness to
                   relay attacks, in the presence of both honest and
                   rogue readers. Last but not least, our experiments
                   are the first to show that Mastercard's RRP and its
                   HWRoT-based extension PayBCR are both practical in
                   preventing relay attacks of the magnitude shown thus
                   far in EMV.},
  address =       {Virtual conference},
  author =        {Boureanu, Ioana and Chothia, Tom and Debant, Alexandre and Delaune, St{\'e}phanie},
  booktitle =     {{P}roceedings of the 27th {ACM} {C}onference on
                   {C}omputer and {C}ommunications {S}ecurity
                   ({CCS}'20)},
  OPTeditor =        {Katz, Jonathan  and Vigna, Giovanni},
  month =         nov,
  OPTpages =         {},
  publisher =     {ACM Press},
  title =         {Security Analysis and Implementation of Relay-Resistant Contactless Payments},
  year =          {2020},
  acronym =       {{CCS}'20},
  nmonth =        {11},
  lsv-category =  {intc},
}