Title: Distance Bounding Protocols with Void Challenges for RFID
1Distance Bounding Protocols with Void
Challenges for RFID
Jorge Munilla Fajardo Dpto. Ingeniería de
Comunicaciones. E.T.S.I.Telecomunicación.
Universidad de Málaga (Spain)
2SECTIONS
1.- Attacks related to the location 2.-
Definition of Distance Bounding Protocols 3.-
Proposed protocol for RFID HKP (Hancke and
Kuhns protocol) 4.- Modification of the HKP
with void-challenges 5.- Novel low-cost proposal
Ingeniería de Comunicaciones, Universidad de
Málaga
31.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Characters
Legitimate prover
Legitimate prover acting in a bad way
Adversary
Ingeniería de Comunicaciones, Universidad de
Málaga
41.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Range
T-A
R-A
Ingeniería de Comunicaciones, Universidad de
Málaga
51.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Range
T-A
R-A
Ingeniería de Comunicaciones, Universidad de
Málaga
61.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Range
T-A
T-B
R-B
R-A
R-A
ATTACKER
Ingeniería de Comunicaciones, Universidad de
Málaga
71.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Range
T-B
T-A
R-A
R-A
Legitimate user collaborates with the adversary
giving him the necessary information to access to
the system but only once.
Ingeniería de Comunicaciones, Universidad de
Málaga
81.- Attacks related to the distance
Distance Fraud Attack
Mafia Fraud Attack
Terrorist Attack
Ingeniería de Comunicaciones, Universidad de
Málaga
91.- Attacks related to the distance
?Distance Fraud Attacks ?Relay Attacks or Mafia
Fraud Attacks ?Terrorist Attacks
Ingeniería de Comunicaciones, Universidad de
Málaga
102.- Distance Bounding Protocols
PROVER K
VERIFIER K
Challenge
Start Timer
Compute Response f(challenge, K)
Response
Stop Timer
n times
Ingeniería de Comunicaciones, Universidad de
Málaga
112.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K,N1,N2) R0H1H2Hn R1Hn1H
n2H2n
Compute H2n f(K,N1,N2) R0H1H2Hn R1Hn1H
n2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
122.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
132.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K,N1,N2) R0H1H2Hn R1Hn1H
n2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
142.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..CnR1)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
152.- Brand and Chaums protocol
The first distance bounding protocols based on
single-bits round trips
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
RELIABLE Signal goes through every layer
N2
For i1 to n do
C
Start Timer
UNRELIABLE Signal doesnt go through every layer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
RELIABLE Signal goes through every layer
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
163.- Hancke and Kuhns protocol
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
R
Stop Timer
End for
S
SMAC(K,C1C2..Cn)
Check S
Ingeniería de Comunicaciones, Universidad de
Málaga
173.- Hancke and Kuhns protocol
PROVER K
VERIFIER K
N1
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
Compute H2n f(K, N1,N2) R0H1H2Hn R1Hn1
Hn2H2n
N2
For i1 to n do
C
Start Timer
RR0i if C0 RR1i if C1
UWB Channel
R
Stop Timer
End for
Ingeniería de Comunicaciones, Universidad de
Málaga
183.- Hancke and Kuhns protocol
PROBLEMS
?Vulnerable to Terrorist Attack
Ingeniería de Comunicaciones, Universidad de
Málaga
19 Hancke and Kuhns protocol
PROBLEMS
?Vulnerable to Terrorist Attack
?Adversary succeeds with probability ¾
Ingeniería de Comunicaciones, Universidad de
Málaga
204.-Modification of the HKP with void challenges
Beside v0 and v1, a third random bit-string is
generated ? P P points out when the reader sends
a challenge and when he doesnt
Ingeniería de Comunicaciones, Universidad de
Málaga
214.-Modification of the HKP with void challenges
Using this vector P, card is able to detect an
adversary trying to get the responses in advance.
Ingeniería de Comunicaciones, Universidad de
Málaga
224.-Modification of the HKP with void challenges
Analysis Attacker has two possible strategies
? Asking in advance (taking the risk the card
uncovers him)
? Without asking in advance (trying to guess the
challenges)
Ingeniería de Comunicaciones, Universidad de
Málaga
234.-Modification of the HKP with void challenges
-Without asking in advance (trying to guess the
challenges)
No advantages!? It coincides with the
probability for the HKP
But this is true only in a noise-free
environment, when the unreliability of the
channel is taken into account this modified
protocol presents better features than HKP
Ingeniería de Comunicaciones, Universidad de
Málaga
244.-Modification of the HKP with void challenges
Anyway, in a noise-free environment if P is
generated in the following way
Compute H4n f(K, N1,N2) V0H1H2Hn V1Hn1
Hn2H2n Pf(H2n1, H2n2 )f(H2n3,
H2n4)f(H4n-1, H4n)
f(x1,x2) 1 if x1x200, 01, 10 f(x1,x2) 0
if x1x211
The probability for an interval to have a
challenge is three times higher than to be void
Ingeniería de Comunicaciones, Universidad de
Málaga
254.-Modification of the HKP with void challenges
Analysis when P is generating making the
probability for an interval to have a challenge
is three times higher than to be void
Ingeniería de Comunicaciones, Universidad de
Málaga
26Hancke and Kuhns protocol
PROBLEMS
?Vulnerable to Terrorist Attack
Void challenges
?Adversary succeeds with probability ¾
?Expensive
Sresolution c/BW
Ingeniería de Comunicaciones, Universidad de
Málaga
275.- Novel protocol with void-challenges
?Reduced processing delay (short and
invariant) ?Low cost solution to modify as less
as possible the ordinary cards.The complexity
must fall on the reader
Two targets
Ingeniería de Comunicaciones, Universidad de
Málaga
285.- Novel protocol with void-challenges
?Reduced processing delay (short and
invariant) ?Low cost solution modify as less as
possible the ordinary cards.The complexity must
fall on the reader
Two targets
Ingeniería de Comunicaciones, Universidad de
Málaga
295.- Novel protocol with void-challenges
?Reduced processing delay (short and
invariant) ?Low cost solution modify as less as
possible the ordinary cards.The complexity must
fall on the reader
Two targets
Ingeniería de Comunicaciones, Universidad de
Málaga
305.- Novel protocol with void-challenges
RFID-14443a - FEATURES ?Carrier
13.56MHz ?Inductive coupling to supply energy
and communication ? Up to 10cm ?Passive no
batteries, energy from the reader. ?Communication
106 kbps (fc/128).
Ingeniería de Comunicaciones, Universidad de
Málaga
315.- Novel protocol with void-challenges
V0 -points out when the reader sends the challenge
Two bit-string are generated
V1 -points out which must be the cards response
?Reader to the card communication
?Card to the reader communication
Ingeniería de Comunicaciones, Universidad de
Málaga
325.- Novel protocol with void-challenges
Example for V0001010011 and V11001
Ingeniería de Comunicaciones, Universidad de
Málaga
335.- Novel protocol with void-challenges
Reader monitories directly the amplitude of the
carrier (no side band)
? The key point is how fast the reader can
detect the state of the card.
? The longer is the distance worse is the
inductive coupling and more difficult will be to
detect the state
Ingeniería de Comunicaciones, Universidad de
Málaga
345.- Novel protocol with void-challenges
Resistant against terrorist attack
?K, V0, V1 are intermingled
?To avoid a eavesdropper could know the key K
the reader randomly leaves without sending some
challenges ? eavesdropper loses this information.
Ingeniería de Comunicaciones, Universidad de
Málaga
355.- Novel protocol with void-challenges
Security Analysis
? Vulnerable to distance fraud attack
?Resistant to relay attacks and terrorist attacks
The complexity of the attacks this protocol is
able to detect depends on the time the reader
needs to distinguish the state of the card. It
will depend on the distance between the card and
the reader but 1µs could be enough.
Simple attacks are easily detected (Hanckes
attack introduces 15-20µs)
Furthermore, to improve the system only the
reader has to be modified. Much cheaper than if
the cards had to be modified
Ingeniería de Comunicaciones, Universidad de
Málaga
366.-CONCLUSIONS
? Attacks related to the location ? The most
worrying is the mafia fraud attack. ?Distance
Bounding protocol are the only solution against
them. Tightly integrated in the physical
layer. ?Hancke and Kuhns protocol for
RFID. ?Vulnerable to terrorist attack ? K, v0 and
v1 Intermingled. ?High number of rounds ? Use of
void challenges. ?Expensive ? Use of the novel
distance bounding protocol to detect simple relay
attacks (1µs). The complexity falls on the reader.
Ingeniería de Comunicaciones, Universidad de
Málaga
37THANK YOU FOR YOUR ATTENTION
DISTANCE BOUNDING PROTOCOLS WITH VOID CHALLENGES
FOR RFID
Jorge Munilla. e-mailmunilla_at_ic.uma.es
Dpto. Ingeniería de Comunicaciones
UNIVERSIDAD DE MÁLAGA