We show that many proposed distance bounding protocols are vulnerable to distance hijacking, and we propose solutions to make these protocols resilient to this type of attack. Distance bounding db protocols allow one entity, the verifier, to securely obtain an upperbound on the distance to another entity, the prover. Identify the characteristics of distance vector routing protocols. Authenticated ranging protocols are a set of protocols from the family of distance bounding protocols that provide authentication and protection against distance manipulation attacks on ranging performed between a pair of mutually trusted devices. Distance bounding protocol for mutual authentication. The prover shows that she is close enough to the veri er. How to crop pdf using ghostscript without entering. Pdf distancebounding protocols allow a verifier to both. The protocol succeeds only if the signature is valid.
Securecomm 2005 talk an rfid distance bounding protocol. Verification without time and location sjouke mauw cscsnt, university of luxembourg presented at the 2018 ieee symposium on s. Distance bounding identi cation protocols aim at impeding maninthe. We provide a detailed security analysis of a family of such protocols. Secure positioning of wireless devices with application to sensor networks. The agreed nonce na is then used in a distance bounding protocol. In these protocols, a verifier authenticates a user as well as estimating an upper bound for the physical distance between the user and itself. The use of backscatter communication enables lowcomplexity, powerefficient design of the prover which is critical for contactless smart cards. This is true for mutual distance bounding protocols 27. Motivated by this, many distance bounding protocols against relay attacks have been advanced in recent times. Cryptographic distance bounding protocols that measure accurately the roundtrip delay of the radio signal providea possible countermeasure. On selecting the nonce length in distance bounding protocols 3 table 1. Distance bounding protocols are usually composed of two phases. Damico, gianluca dini, pericle perazzo, lorenzo taponecco abstract distance bounding protocols make it possible to determine a trusted upper bound on the distance between two devices.
Distance hijacking attacks on distance bounding protocols. Nbpkb where mpka means message m encrypted using the public key of principal with name a, na andnb are nonces generatedby the respective principals, and we use the comma as message concatenation. Location verification using secure distance bounding protocols. Describe the network discovery process identify the conditions leading to a routing loop and explain the implications for router performance. Distance bounding protocols were first introduced by stefan brands and david chaum as a solution to distance fraud and mafia fraud attacks.
Keep arms start in stride position with one foot well in. On selecting the nonce length in distance bounding protocols. An rfid distance bounding protocol university of cambridge. Both protocols are then merged into one protocol that prevents both at tacks. While the protocol for mifare classic tolerated message delays of several seconds, and was therefore vulnerable to relay attacks, mifare plus ev1 now implements a basic iso compliant distance bounding protocol.
Distancebounding protocols current db protocols rely on the fact that transmission times are fundamentally bounded by the speed of light and on the difficulty of forging an authenticated message. Distance bounding protocols, which have been introduced by brands and chaum at eurocrypt93 to preclude distance fraud and mafia fraud attacks, are employed to. For example, distance bounding protocols return an upper bound on the measured distance, armed by the fact that an adversary would not succeed in guessing secret bit level information 5,6. Location privacy of distance bounding protocols oxford. Outsourcing data storage without outsourcing trust in. There has been no substantial prior work on secure db in group settings, where a set of provers interact with a set of verifiers. Distance bounding protocols have been proposed for many security critical applications as a means of getting an upper bound on the physical distance to a communication partner.
Pdf distancebounding db protocols are crosslayer authentication protocols that are based on the roundtriptime of challengeresponse. The distance bound computed by a radio frequency distance bounding protocol is very sensitive to even the slightest processing delay. Distance bounding protocols prevent maninthemiddle attacks by measuring response times. Wormholeresilient secure neighbor discovery in underwater. We go on to show how distance bounding can prevent frauds in which a party having access to the secret keys convinces a verifying party that he is within a certain distance whereas he is not. We analyze distance bounding protocols in terms of their loca. Secure distance bounding db protocols allow one entity, the verifier, to securely obtain an upperbound on the distance to another entity, the prover. It is a protocol used to transfer files between an ftp hostserver and an ftp client computer on the internet. Recognize that distance vector routing protocols are in use today 3 distance vector routing protocols. Outsourcing data storage without outsourcing trust in cloud. Distance bounding protocols become more and more important because they are the most accurate solution to defeat relay attacks. For simplicity i have separated answer into two files.
Section 4 discusses our implementation of a secure localization system. Proximity verification for contactless access control and. These protocols are of particular interest in contactless. Several distance bounding protocols are resistant to terrorist fraud attacks 7,9,10. Upon re ception of the challenge, the prover computes an authen ticated response fp n, and sends it to the veri. Passive db and mutual multiparty gdb a set of secure and ef. They are, however, seldom known and even more rarely used in practice. Background on secure distance bounding protocols and the used hardware is given in section 2. Because the speed of light is known, measuring response delay lets us bound the distance of a verifier. This is because any delay introduced, anywhere in the system, will be multiplied by approximately 299,792,458 ms the speed of light in order to convert time into distance. They infer an upper bound for the distance between the reader and the token from the fact that no information can propagate faster than at the speed of light. Security of distance bounding protocols springerlink.
Second, we show that prominent distance bounding protocols are vulnerable to distance hijacking and propose countermeasures. This paper addresses, for the first time, gdb protocols by utilizing the new passive db primitive and the novel mutual multiparty gdb protocol. Figure 1 shows the main principle of operation of distance bounding protocols. E cient publickey distance bounding protocol handan k l n. Distance bounding protocols these are special kind of cryptographic protocols, that can in theory protect against wormhole attacks 3. Ftp is most commonly used to download files from the world wide web. In addition, our distance bounding system enables the implementation of a majority of distance bounding protocols developed in prior art. Distance bounding protocols allow a verifier to both authenticate a prover and evaluate whether the latter is located in his vicinity. Their cornerstone principle is really nicely illustrated by the excellent, twosentencelong conclusion of beth and desmedt 2 1990. We discuss the properties of these protocols and show how to use it as a building block in a location verification scheme. The link to all protocols is a single, large pdf file that has all enls protocols in a single file. Abstractit is a popular challenge to design distance bounding protocols that are both secure and ef. The method is based on combining existing proofofstorage schemes with distance bounding protocols.
Vm is a secure localization technique that is related to the following techniques distance bounding techniques upper bounds the distance of one device to another compromised device authenticated ranging protocols enable two honest and trusted parties to measure their mutual distance in an authenticated manner. This puts tighter timing constraints on the permitted roundtrip delay during authentication, in order to make it harder to forward. Brandschaum protocol type i is a distance bounding protocol capable of resisting to mafia fraud external adversary with relay link p adv 12n brandschaum protocol type ii is a distance bounding protocol capable of resisting to mafia fraud and distance fraud dishonest prover that responds in advance mafia fraud. The adversary could build a relay link and actively anticipate the challenge and response.
Our secure distance bounding protocol is motivated and described in section 3. Distance bounding db protocols allow one entity, the veri. Publickey distance bounding and its application on contactless access control handan k. Rfid, distance bounding protocol, puf, security, ter rorist fraud. Secure positioning of wireless devices with application to. The main theme of this thesis is to allow the users of cloud services to outsource their data without the need to trust the cloud provider. How to crop pdf using ghostscript without entering manually bounding box ask question asked 5 years, 1 month ago. If prover authentication is required, public key signatures can be used to sign challenges and responses. This type of attack poses a serious threat in many practical scenarios. Mutually authenticated distance bounding mad capkun, buttyan and hubaux. Sastry, shankar and wagner 8 propose a new distance.
Reader tag adversary reader tag distance bounding does not avoid relay attacks. In a distance bounding protocol, an upper bound for the physical distance between two communication parties executing the protocol a verifier and a prover is computed by the verifier. It enables mutual device authentication through presence and establishes a session key between personal mobile devices which do not yet share any authenticated cryptographic material. Distancebounding protocols prevent maninthemiddle attacks by measuring response times. Mutual distance bounding protocol with its implementability over a noisy channel and its utilization for key agreement in peertopeer wireless networks. A distance bounding protocol enables one entity to determine an upper bound on the physical distance to the other entity as well as to. Key establishment using secure distance bounding protocols. Third, we extend a formal framework for reasoning about distance bounding. The core of all distance bounding protocols is the distance measurement phase shown in figure 1, wherein the veri. Distancebounding protocols were introduced in 1993 as a coun termeasure to relay.
A note on a privacypreserving distancebounding protocol. Enable a veri er v device to establish anupper boundon the physical distance to anuntrustedprover device p. Nfc and rfid are technologies that are more and more present in. Each protocol is formatted into a hyperlinked pdf file for portability and can be viewed on most devices. Within this method, for each one of the two communication parties, the produced mutual distance bounding protocol provides the performance and security level exactly equal to those of its own.
Distance hijacking attacks on distance bounding protocols cas cremers eth zurich kasper rasmussen, benedikt schmidt, srdjan capkun joint work with. The initialization phase is not time critical and usually in. Previous proposals for distance bounding protocols only analysed their protocols with respect to some speci c attack types, whose relations and problem coverage are unknown. These protocols are of particular interest in contactless systems, e. Characteristics of distance vector routing protocols.
Distance bounding protocols on thuwb link and their. Recently, distance bounding protocols, each with a mutual authentication, are proposed to increase the security level for such systems. Distancebounding protocols allow a verifier to both authenticate a prover and. Exploiting the characteristics of timehopping uwb radios to enhance distance bounding protocols leads to two design strategies. Provide same level of security as other distance bounding protocols should not be worse because it has hardware constraints implementation suggest practical ideas on how to implement our protocol protocol should supplement current rfid standards, not suggest wholesale changes an rfid distance bounding protocol p. Read an efficient mutual distance bounding protocol over a binary symmetric noisy communication channel, international journal of ad hoc and ubiquitous computing on deepdyve, the largest online rental service for scholarly research with thousands of academic publications available at. Distance bounding protocols current db protocols rely on the fact that transmission times are fundamentally bounded by the speed of light and on the difficulty of forging an authenticated message. Recently, two other secure distance bounding protocols were published. Advances in cryptology eurocrypt 93, lecture notes in computer science volume 765. The main layer of this model is the central layer and captures a static model, where the prover and veri er share a secret key, which is never updated. Distance bounding under different assumptions acm digital library. Introductionthe rasmussen capkun protocol attack against the r c protocol conclusions distance bounding protocols countermeasure against relay attacks distance bounding protocols. Distancebounding protocols form a family of challengeresponse authentication protocols that have been introduced to thwart relay attacks. Recently, mutual distance bounding protocols in which both communication parties play not only as a user but also as a verifier have been proposed to be deployed for secure positioning protocols.
In some applications such as payment systems, using publickey distance bounding protocols is practical. They can be thwarted by deploying distance bounding protocols on an uwb radio. How to crop pdf using ghostscript without entering manually. Distancebounding solutions 6, 7 are based on the principal that it is impossible for the attacker to relay a packet faster than the speed of light. This work also quanti ed and proved the security properties of an enhancement of the wellknown protocol due to. As such, distance bounding protocols are executed frequently, e. Thus far, db was considered mostly in the context of a single prover and a single verifier. Modeling enlargement attacks against uwb distance bounding protocols alberto compagno, mauro conti, antonio a. A formal approach to distancebounding rfid protocols. A primer on relay attacks and distancebounding protocols. Distance fraud attacks are attacks in which a prover pretends to be closer to the verifier than it really is, whereas mafia fraud attacks are those in which an attacker impersonates a party by relaying messages from that party to the verifier.
267 1026 736 1363 70 965 312 766 1309 544 1449 534 910 144 514 696 970 79 627 1232 722 623 1352 820 998 749 1426 393 1383 360 773 503 461 1345