
I currently have to write a paper for university in my Network Security lecture about methods of secure location verification. Therefore, I chose to write about several distance bounding protocols, e.g. the one by Brands and Chaum and the Keyed Echo Protocol. Both these protocols are said to be secured against Mafia Fraud - or Man in the Middle - attacks.

I understand the concept behind this if an intruder I is in range of a verifier node V and relays a signal of an honest prover P that is outside of the valid range of V. V can simply measure the delay between the echo of the single-bit challenge-response messages that these protocols are based on and estimate an upper-bound of the location. If the real prover is outside the range of V the delay is too big even if the intruder relays the signal - the delay isn't shortened by doing this.

However, what I don't understand is the following: In several papers I read that by sending out a signed message in the end, V can be sure that he is communicating with P. In general that is true, but let's assume this situation:

  • Prover P and the intruder are both in range of V
  • The distance from P to I + I to V is not larger than the maximum valid range of V

According to my understanding, if the intruder simply passes on the messages from P to V it doesn't matter how many signed messages P sends to V because to V it appears that the intruder sends the correctly signed messages and therefore appears to be P. Also the intruder can track all the communication happening between P and V as he forwards all these messages. Therefore the intruder should be able to compute everything that P and V are able to compute except for the signed message that is sent by P in the end. However, I don't see any need for I to compute this signed message because he can simply forward it, it is accepted by V and the intruder gets access by V as V thinks the intruder is P.

In this paper it says:

In order for an external attacker to shorten the distance measured by the verifier, the attacker must respond before the prover during the distance bounding phase. However, because of the checks performed by the verifier at the end of (or during) the distance bounding phase, it is not sufficient to just reply before the prover, the attacker must also make the value of his nonce match the commitment sent by the prover in the beginning of the protocol. Since the attacker can not find a nonce to match the commitment sent by the prover, e.g., find a collision for the hash function used to generate the commitment, the attacker is forced to replace the provers commitment with his own, thereby passing the commitment check. However, the attacker cannot fake the prover’s signature in the final message so he cannot confirm the nonce.

I'm not entirely sure if this also applies if the attacker and the prover are both near V, but in this case there simply is no need for the intruder to reply before the prover and hence the intruder can simply wait for the correct response of P to forward it to V and thereby again match the commitment sent by V.

I feel completely lost in this topic and don't know how to find a simple explanation on this mechanism as it apparently seems to work somehow since it is widely used by several protocols. I'd be very grateful if anyone could provide any explanation on why exactly the mechanism described in the protocols is enough to prevent man-in-the-middle attacks.

Samaranth
  • You are right. Distance bounding is meant to counter relay attacks that are not in verifier range. To prevent short-distance relays, the verifier range is kept so small that the intruder is not able to fit a relay in between. Like in contactless card payment, the recommended verifier range is 4 cm. Setting a 4 nanosecond time bound increases the verifier range to 1 metre. Setting 20 ns increases the range to 6 metres. – defalt Jan 07 '21 at 18:33
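As an added illustration of the mechanism discussed in the question (not part of the original post, its comment, or the quoted paper), the following Python simulation models a Brands-Chaum style run: commitment, rapid single-bit exchange with round-trip timing, then opening and signature. Assumptions: the function `run` and its parameters are hypothetical, an HMAC stands in for P's public-key signature, and all distances and delays are constructed values.

```python
import hashlib, hmac, secrets

C = 0.299792458  # speed of light in metres per nanosecond

def run(path_m, max_range_m, n=64, relay_ns=0.0, early_guess=False, attacker_m=1.0):
    """Simulate one run. Returns (accepted, bound_m) as seen by verifier V.

    path_m      one-way signal path from V to prover P (through a relay, if any)
    relay_ns    processing delay a relay adds to every round trip
    early_guess attacker at attacker_m answers each challenge itself with a
                guessed bit, then forwards the challenge to P afterwards
    """
    sign_key = secrets.token_bytes(32)             # stand-in for P's signing key
    m = bytes(secrets.randbits(1) for _ in range(n))
    opening = secrets.token_bytes(16)
    commit = hashlib.sha256(opening + m).digest()  # sent to V before the fast phase

    alphas, seen_by_v, sent_by_p, worst_rtt = [], [], [], 0.0
    for i in range(n):                             # rapid single-bit exchange
        a = secrets.randbits(1)                    # V's challenge bit
        beta = a ^ m[i]                            # P's genuine response
        if early_guess:
            reply, rtt = secrets.randbits(1), 2 * attacker_m / C
        else:
            reply, rtt = beta, 2 * path_m / C + relay_ns
        alphas.append(a); sent_by_p.append(beta); seen_by_v.append(reply)
        worst_rtt = max(worst_rtt, rtt)

    # Final slow phase: P opens the commitment and signs its own transcript.
    p_view = bytes(alphas) + bytes(sent_by_p)
    sig = hmac.new(sign_key, p_view, hashlib.sha256).digest()

    # Verifier checks, all against the bits V itself sent and received.
    v_view = bytes(alphas) + bytes(seen_by_v)
    commit_ok = hashlib.sha256(opening + m).digest() == commit
    bits_ok = all(seen_by_v[i] == alphas[i] ^ m[i] for i in range(n))
    sig_ok = hmac.compare_digest(
        sig, hmac.new(sign_key, v_view, hashlib.sha256).digest())
    bound_m = C * worst_rtt / 2                    # upper bound on the signal path
    return (commit_ok and bits_ok and sig_ok and bound_m <= max_range_m), bound_m
```

In every relayed run the computed bound is at least the true signal path to P, and a run in which the attacker answers early fails the bit and signature checks even though its timing is within range.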

0 Answers