[HGI-News] HGI Seminar, Tuesday 06.02.07: A diamond for a pint: relay attack and distance bounding defence

Newsletter of the Horst Görtz Institute hgi-news at lists.ruhr-uni-bochum.de
Mon Jan 29 15:47:26 CET 2007


           Saar Drimer, University of Cambridge

         Tuesday, 6 February 2007, 13:15, IC 4 / 39-41

   A diamond for a pint: relay attack and distance bounding defence

Modern smartcards are capable of sophisticated cryptography and can
provide a high assurance of tamper resistance. Although tampering
with the smartcards themselves is difficult, the manner in which they
are used in practice can be exploited for fraud. Card holders authorize
transactions by presenting the card and entering a PIN into a terminal,
but have no assurance as to the value being charged and by whom, and
have no means to tell if the terminal is legitimate or not. Even the
most sophisticated smartcards cannot protect customers from being
defrauded by the simple relaying of transaction details back-and-forth
from another location. In this paper, we describe how we developed such
an attack, and show results from real-world experiments on the "Chip &
PIN" payment system, the implementation of EMV in the UK. We also
discuss procedural improvements that could make it more difficult for
criminals to deploy this type of attack. We detail a new defence against
relay attacks, based on a distance bounding protocol. This requires no
change to the form factor of smartcards and only modest alterations to
the hardware and software implementations. We describe our prototype
implementation, lessons learned and present experimental results of its
use and resilience. We propose that our design would be a valuable
addition to future generations of smartcards, providing cost effective
resistance to the relay attack, a practical threat to deployed smartcard
applications.

-----------------------------

Also, Monday 5 February 2007, 13:15:
Thorsten Holz, University of Mannheim
Botnet Monitoring - Learning More About Botnets


_____________________________________________________________________________
The HGI Seminar website, with all information on past and
upcoming talks: http://www.hgi.rub.de/deutsch/lehrangebot/seminar.html
