Comparing distance bounding protocols: A critical mission supported by decision theory
Introduction
Distance bounding protocols are the most popular countermeasures against relay attacks. In a relay attack on an authentication protocol, an adversary aims to convince the verifier that he directly communicates with the genuine prover, while the adversary is actually in the middle and relays the messages exchanged between the two parties. Typically, a relay attack makes the verifier believe the prover is located within his neighborhood while he is far away.
Conway [15] introduced in 1976 the concept of a relay attack through the Chess Grandmaster problem where a little girl is challenged to defeat a Chess Grandmaster in correspondence chess. The solution suggested by Conway to allow the little girl to be successful is to perform a relay attack between two Chess Grandmasters: the attack consequently consists in relaying the moves received between the two Chess Grandmasters, which results for the little girl in either a win or two draws.
Relay attacks also apply to authentication protocols as originally proposed by Desmedt, Goutier, and Bengio at Crypto 87 [17], whose work was later extended by Brassard and Quisquater in [7]. In their papers, the authors refuted Shamir’s claims about the Fiat–Shamir protocol [18] when he says that the protocol is secure even when being executed one million times in a Mafia-owned store [21]. Desmedt et al. indeed raised that a relay attack is still possible, and they consequently named the suggested relay attack mafia fraud. Since then, both terms, relay attack and mafia fraud, are used interchangeably in the literature. Note however that Avoine et al. [1] distinguish mafia fraud from relay attacks by considering that the adversary cannot modify the forwarded messages in a relay attack. This distinction allows for representing an adversary who does not know the specifications of the considered protocol.
Although mafia fraud was suggested late in the 1980s, practical implementations of this type of fraud appeared much later. Mafia fraud actually became a real threat with the ubiquity of contactless technologies. For example, practical attacks were developed against Radio Frequency IDentification (RFID) [22], [23], Near Field Communication (NFC) [20], and Passive Keyless Entry and Start Systems (PKES) in modern cars [19]. Off-the-shelf devices to perform relay attacks against PKES can even be bought on the Internet [12].
Mafia fraud does not rely on exploiting security protocol vulnerabilities. Conventional security mechanisms are thus ineffective against it. Based on an idea from Beth and Desmedt [8], Brands and Chaum suggested a countermeasure to mafia fraud that consists in measuring the Round-Trip-Time (RTT) of 1-bit messages exchanged between the parties, using a dedicated communication channel [10]. In their solution, the verifier measures the round-trip time tm between the moment he sends a challenge and the moment he receives the response from the prover. The verifier can consequently estimate a tight upper-bound on the distance between the prover and the verifier by computing where c is the speed of light and td is the delay induced by the prover to compute the response, given the challenge.
Note that distance bounding protocols do not detect relay attacks in a strict sense. Instead, they detect unexpected delays, and conclude in such a case that a mafia fraud attack might have occurred. As a consequence, neither the communication channel nor the calculation should introduce flexible timing during the protocol execution, since that could be exploited by an adversary. For example, requiring the prover to perform heavy computations in passive contactless systems may allow an adversary to significantly reduce td by overclocking the prover’s device, which in turn may allow the adversary to increase tm without pushing d above the expected upper bound. Since Desmedt et al.’s seminal work [8], a conservative assumption for designing distance bounding protocols consists in considering minimally sized messages (typically 1-bit messages) and lightweight computations during the time-measurement phase.
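The timing check described in the two paragraphs above, as an added example that is not code from the paper or its tool. It assumes the usual round-trip relation d = c·(tm − td)/2; the function names and the nanosecond measurements are constructed for illustration.

```python
C = 299_792_458.0  # speed of light in m/s

def distance_upper_bound(t_m, t_d):
    """Bound on prover distance in metres, assuming d = c * (t_m - t_d) / 2."""
    if t_m < t_d:
        raise ValueError("round trip shorter than the assumed prover delay")
    return C * (t_m - t_d) / 2.0

def bound_error(t_d_assumed, t_d_actual):
    """Metres by which the bound understates the distance when the prover
    really answers in t_d_actual but the verifier subtracts t_d_assumed."""
    return C * (t_d_assumed - t_d_actual) / 2.0

def verify_rounds(rtts, t_d_min, d_max):
    """Accept only if every timed round stays within d_max. Subtracting the
    smallest delay the prover hardware can achieve (t_d_min) keeps the bound
    valid even if the device runs faster than nominal."""
    return all(distance_upper_bound(t, t_d_min) <= d_max for t in rtts)

# Constructed measurements in seconds: three honest rounds, then one delayed round.
HONEST = [120e-9, 121e-9, 119e-9]
DELAYED = HONEST + [200e-9]

if __name__ == "__main__":
    # Nominal case: 100 ns processing delay, 5 m neighbourhood.
    print(round(distance_upper_bound(120e-9, 100e-9), 3))
    print(verify_rounds(HONEST, 100e-9, 5.0))
    print(verify_rounds(DELAYED, 100e-9, 5.0))
    # A prover that can answer in 50 ns instead of 100 ns hides this many metres.
    print(round(bound_error(100e-9, 50e-9), 3))
```

Every nanosecond of uncertainty in td is worth about 15 cm of distance, which is why the time-measurement phase is kept to 1-bit messages and lightweight computations.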
Avoine et al. introduced in [1] a framework for analyzing distance bounding protocols. This widely used framework defines four types of fraud that should be considered in the security evaluation of distance bounding protocols. For the sake of accuracy, the fraud definitions from [1] are provided in extenso below.
- Given a distance bounding protocol, an impersonation fraud attack is an attack where a lonely prover purports to be another one.
- A mafia fraud attack is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood.
- Given a distance bounding protocol, a distance fraud attack is an attack where a dishonest and lonely prover purports to be in the neighborhood of the verifier.
- A terrorist fraud attack is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and a dishonest tag located outside of the neighborhood, such that the latter actively helps the adversary to maximize her attack success probability, without giving to her any advantage for future attacks.
The security evaluation of a distance bounding protocol then consists in computing the resistance of the protocol for every type of fraud, which is done by computing the probability for an adversary to successfully perform the considered fraud.
Since Brands and Chaum’s breakthrough, many distance-bounding protocols have been proposed, which deliver improvements in terms of security (see Section 2). These proposals also introduce new requirements on the protocols, e.g., to be usable on noisy channels, and properties, e.g., to be more computationally efficient or to require less memory. Given the various requirements and properties, a fair methodology to compare distance bounding protocols is strongly needed.
This paper introduces a methodology based on concepts from the decision making field to perform a multi-criteria comparison of distance bounding protocols. The methodology identifies the most desirable protocols, given a set of required properties, and disqualifies protocols that are dominated by better solutions whatever the considered properties. Even though the methodology can be understood without difficulty, applying it on a large set of distance bounding protocols may be time-consuming. As a consequence, an open-source computer tool was released in order to easily include into the comparison future distance bounding protocols and new criteria.
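A sketch of the dominance filter described above, added here as an illustration and not taken from the authors' Java tool. It assumes "dominated" means Pareto dominance with every criterion scored so that lower is better; the protocol names A to D, the criteria names and all scores are constructed placeholders.

```python
from itertools import combinations

# Constructed scores for four placeholder protocols (not values from the paper).
# Every criterion is oriented so that a lower score is better.
PROTOCOLS = {
    "A": {"mafia": 0.50, "distance": 0.75, "memory": 2},
    "B": {"mafia": 0.75, "distance": 0.75, "memory": 1},
    "C": {"mafia": 0.75, "distance": 0.80, "memory": 2},
    "D": {"mafia": 0.60, "distance": 0.60, "memory": 3},
}
CRITERIA = ("mafia", "distance", "memory")

def dominates(a, b, criteria):
    """a dominates b: no worse on every criterion, strictly better on one."""
    return (all(a[c] <= b[c] for c in criteria)
            and any(a[c] < b[c] for c in criteria))

def non_dominated(protocols, criteria):
    """Names of protocols that no other protocol dominates on `criteria`."""
    return sorted(
        name for name, attrs in protocols.items()
        if not any(dominates(other, attrs, criteria)
                   for other_name, other in protocols.items()
                   if other_name != name))

def always_dominated(protocols, criteria):
    """Protocols dominated for every non-empty subset of the criteria,
    i.e. never a best choice whichever properties the designer selects."""
    survivors = set()
    for k in range(1, len(criteria) + 1):
        for subset in combinations(criteria, k):
            survivors.update(non_dominated(protocols, subset))
    return sorted(set(protocols) - survivors)

if __name__ == "__main__":
    print(non_dominated(PROTOCOLS, CRITERIA))               # all three criteria
    print(non_dominated(PROTOCOLS, ("distance", "memory")))  # a two-criteria choice
    print(always_dominated(PROTOCOLS, CRITERIA))             # disqualified outright
```

Protocol C is beaten under every selection of criteria, while A, B and D each remain the best choice for at least one selection.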
Section snippets
Background
Distance bounding protocols are authentication protocols that, in addition, compute an upper bound on the distance between the prover and the verifier. Since we focus on the distance bounding properties of such protocols, we ignore any such protocol that does not even achieve authentication, e.g., due to impersonation attacks or key-recovery attacks [30]. The considered protocols are briefly introduced and classified according to their main features, which are the features that occur most
Methodology
Multi-criteria decision-making actually consists in making a decision, namely selecting the best solution(s) in a set of possible solutions, when the evaluation of solutions depends on several criteria. For example, buying a car is a multi-criteria decision making problem, because price, size, horsepower, color, etc. are different criteria that influence the decision. Similarly, choosing a distance bounding protocol is a multi-criteria decision-making problem where several security and
Methodology applied to current protocols
This section reports on the results obtained after applying our methodology to the protocols listed in Table 1. Instead of computing raw data to be served as input to a state-of-the-art decision making tool, the methodology has been implemented and published as an open source Java project. The computer tool, based on Table 2, comprises the thirteen distance bounding protocols listed in Table 1 so as to
Conclusion
In this article, we have proposed a methodology to evaluate and compare distance bounding protocols. The methodology benefits from experiences in the decision making field, and defines the most relevant attributes that ought to be considered in terms of security and implementability. An open-source computer software implementing our methodology has been released, which supported the evaluation and comparison of thirteen state-of-the-art distance bounding protocols. Among the evaluated
References (34)
- et al. A framework for analyzing RFID distance bounding protocols. J. Comput. Secur. – Spec. Issue RFID Syst. Secur. (2011)
- et al. RFID distance bounding multistate enhancement. The 10th International Conference on Cryptology in India – Indocrypt’09 (2009)
- et al. Mutual distance bounding protocols. IEEE Trans. Mobile Comput. (2013)
- et al. How secret-sharing can defeat terrorist fraud. The 4th ACM Conference on Wireless Network Security – WiSec’11 (2011)
- et al. An efficient distance bounding RFID authentication protocol: balancing false-acceptance rate and memory requirement. Information Security Conference – ISC’09 (2009)
- et al. The Bussard-Bagga and other distance-bounding protocols under attacks. The 8th China International Conference on Information Security and Cryptology – Inscrypt’12 (2012)
- et al. Secure implementation of identification systems. J. Cryptol. (1991)
- et al. Identification tokens - or: solving the chess grandmaster problem. Advances in Cryptology – CRYPTO ’90 (1990)
- et al. Secure and lightweight distance-bounding. The 2nd International Workshop on Lightweight Cryptography for Security and Privacy – LightSec’13 (2013)
- et al. Distance-bounding protocols. Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology – EUROCRYPT’93 (1994)
- Distance-bounding proof of knowledge to avoid real-time attacks. Security and Privacy in the Age of Ubiquitous Computing
- Bundpol security systems. Car Locksmith Tools
- SECTOR: secure tracking of node encounters in multi-hop wireless networks. The 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, SASN
- Graphical Methods for Data Analysis
- On Numbers and Games
- Distance hijacking attacks on distance bounding protocols. The 2012 IEEE Symposium on Security and Privacy
- Special uses and abuses of the Fiat-Shamir passport protocol. Advances in Cryptology – CRYPTO’87