Elsevier

Computer Communications

Volume 67, 1 August 2015, Pages 92-102
Comparing distance bounding protocols: A critical mission supported by decision theory

https://doi.org/10.1016/j.comcom.2015.06.007

Abstract

Distance bounding protocols are security countermeasures designed to thwart relay attacks. Such attacks consist of relaying messages exchanged between two parties, making them believe they communicate directly with each other. Although distance bounding protocols have existed since the early 1990s, this research topic was revived by the deployment of contactless systems, against which relay attacks are particularly impactful. Given the impressive number of distance bounding protocols that are designed every year, it becomes urgent to provide researchers and engineers with a methodology to fairly compare the protocols in spite of their various properties. This paper introduces such a methodology based on concepts from the decision making field. The methodology allows for a multi-criteria comparison of distance bounding protocols, thereby identifying the most appropriate protocols once the context is provided. As a side effect, this paper clearly identifies the protocols that should no longer be considered, regardless of the considered scenario.

Introduction

Distance bounding protocols are the most popular countermeasures against relay attacks. In a relay attack on an authentication protocol, an adversary aims to convince the verifier that he directly communicates with the genuine prover, while the adversary is actually in the middle and relays the messages exchanged between the two parties. Typically, a relay attack makes the verifier believe the prover is located within his neighborhood while he is far away.

Conway [15] introduced in 1976 the concept of a relay attack through the Chess Grandmaster problem, where a little girl is challenged to defeat a Chess Grandmaster in correspondence chess. The solution suggested by Conway to allow the little girl to be successful is to perform a relay attack between two Chess Grandmasters: the attack consists in relaying the moves received between the two Chess Grandmasters, which results for the little girl in either a win or two draws.

Relay attacks also apply to authentication protocols, as originally proposed by Desmedt, Goutier, and Bengio at Crypto 87 [17], whose work was later extended by Brassard and Quisquater in [7]. In their papers, the authors refuted Shamir’s claims about the Fiat–Shamir protocol [18] when he says that the protocol is secure even when being executed one million times in a Mafia-owned store [21]. Desmedt et al. indeed pointed out that a relay attack is still possible, and they consequently named the suggested relay attack mafia fraud. Since then, both terms, relay attack and mafia fraud, have been used interchangeably in the literature. Note however that Avoine et al. [1] distinguish mafia fraud from relay attacks by considering that the adversary cannot modify the forwarded messages in a relay attack. This distinction allows for representing an adversary who does not know the specifications of the considered protocol.

Although mafia fraud was suggested in the late 1980s, practical implementations of this type of fraud appeared much later. Mafia fraud actually became a real threat with the ubiquity of contactless technologies. For example, practical attacks were developed against Radio Frequency IDentification (RFID) [22], [23], Near Field Communication (NFC) [20], and Passive Keyless Entry and Start Systems (PKES) in modern cars [19]. Off-the-shelf devices to perform relay attacks against PKES can even be bought on the Internet [12].

Mafia fraud does not rely on exploiting security protocol vulnerabilities. Conventional security mechanisms are thus ineffective against it. Based on an idea from Beth and Desmedt [8], Brands and Chaum suggested a countermeasure to mafia fraud that consists in measuring the Round-Trip-Time (RTT) of 1-bit messages exchanged between the parties, using a dedicated communication channel [10]. In their solution, the verifier measures the round-trip time $t_m$ between the moment he sends a challenge and the moment he receives the response from the prover. The verifier can consequently estimate a tight upper-bound on the distance between the prover and the verifier by computing $d = c \cdot (t_m - t_d)/2$, where $c$ is the speed of light and $t_d$ is the delay induced by the prover to compute the response, given the challenge.

Note that distance bounding protocols do not detect relay attacks in a strict sense. Instead, they detect unexpected delays, and conclude in such a case that a mafia fraud attack might have occurred. As a consequence, neither the communication channel nor the calculation should introduce flexible timing during the protocol execution, since that could be exploited by an adversary. For example, requiring the prover to perform heavy computations in passive contactless systems may allow an adversary to significantly reduce $t_d$ by overclocking the prover’s device, which in turn may allow the adversary to increase $t_m$ without pushing $d$ above the expected upper-bound. Since Desmedt et al.’s seminal work [8], a conservative assumption for designing distance bounding protocols consists in considering minimally sized messages (typically 1-bit messages) and lightweight computations during the time-measurement phase.
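The bound above and its sensitivity to the prover delay the verifier assumes, as an added Python example (not code from the paper or its tool). The 100 ns assumed delay, the 10 m neighbourhood, the round count and all function names are constructed for illustration.

```python
C = 299_792_458.0  # speed of light in m/s

def distance_bound(t_m, t_d):
    """Upper bound d = c * (t_m - t_d) / 2 (times in seconds, result in metres)."""
    return C * (t_m - t_d) / 2.0

def observed_rtt(true_distance, actual_t_d, added_delay=0.0):
    """RTT seen by the verifier: two-way propagation + prover delay + any extra delay."""
    return 2.0 * true_distance / C + actual_t_d + added_delay

def verify(rtts, assumed_t_d, max_distance):
    """Accept only if the worst timed round still yields a bound within max_distance."""
    worst = max(distance_bound(t, assumed_t_d) for t in rtts)
    return worst <= max_distance, worst

def unaccounted_distance(assumed_t_d, actual_t_d):
    """Metres the bound under-reports when the prover answers faster than assumed."""
    return C * (assumed_t_d - actual_t_d) / 2.0

# Constructed parameters (assumptions, not values from the paper).
ASSUMED_T_D = 100e-9   # processing delay the verifier subtracts from each RTT
MAX_DISTANCE = 10.0    # accepted neighbourhood, in metres
ROUNDS = 32            # number of timed 1-bit exchanges

def scenario(true_distance, actual_t_d, added_delay=0.0):
    """Run the timed phase with identical rounds and return (accepted, bound)."""
    rtts = [observed_rtt(true_distance, actual_t_d, added_delay)] * ROUNDS
    return verify(rtts, ASSUMED_T_D, MAX_DISTANCE)

if __name__ == "__main__":
    cases = {
        "prover at 5 m, nominal delay": (5.0, 100e-9, 0.0),
        "prover at 5 m, 200 ns extra delay on the path": (5.0, 100e-9, 200e-9),
        "prover at 15 m, nominal delay": (15.0, 100e-9, 0.0),
        "prover at 15 m, delay shortened to 20 ns": (15.0, 20e-9, 0.0),
    }
    for label, args in cases.items():
        accepted, bound = scenario(*args)
        print(f"{label}: bound = {bound:6.2f} m, accepted = {accepted}")
    print(f"unaccounted distance: {unaccounted_distance(ASSUMED_T_D, 20e-9):.2f} m")
```

The last case is accepted although the prover is outside the neighbourhood: every nanosecond by which the real delay falls below the assumed one hides about 15 cm, which is why the time-measurement phase is kept to 1-bit messages and lightweight computations.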

Avoine et al. introduced in [1] a Framework for analyzing distance bounding protocols. This widely used Framework defines four types of fraud that should be considered in the security evaluation of distance bounding protocols. For the sake of accuracy, the fraud definitions from [1] are provided in extenso below.

  • Given a distance bounding protocol, an impersonation fraud attack is an attack where a lonely prover purports to be another one.

  • A mafia fraud attack is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood.

  • Given a distance bounding protocol, a distance fraud attack is an attack where a dishonest and lonely prover purports to be in the neighborhood of the verifier.

  • A terrorist fraud attack is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and a dishonest tag located outside of the neighborhood, such that the latter actively helps the adversary to maximize her attack success probability, without giving to her any advantage for future attacks.

The security evaluation of a distance bounding protocol then consists in computing the resistance of the protocol for every type of fraud, which is done by computing the probability for an adversary to successfully perform the considered fraud.

Since Brands and Chaum’s breakthrough, many distance-bounding protocols have been proposed, which deliver improvements in terms of security (see Section 2). These proposals also introduce new requirements on the protocols, e.g., to be usable on noisy channels, and properties, e.g., to be more computationally efficient or to require less memory. Given the various requirements and properties, a fair methodology to compare distance bounding protocols is strongly needed.

This paper introduces a methodology based on concepts from the decision making field to perform a multi-criteria comparison of distance bounding protocols. The methodology identifies the most desirable protocols, given a set of required properties, and disqualifies protocols that are dominated by better solutions whatever the considered properties. Even though the methodology can be understood without difficulty, applying it on a large set of distance bounding protocols may be time-consuming. As a consequence, an open-source computer tool was released in order to easily include into the comparison future distance bounding protocols and new criteria.
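The dominance idea behind this comparison, as an added Python example (a simplified illustration, not the paper's open-source tool). The protocol names P1 to P4, the criteria names and every score are constructed, and each criterion is assumed to be "lower is better".

```python
from itertools import combinations

# Constructed scores for hypothetical protocols; lower is better everywhere.
# "mafia" / "distance": adversary success probability for that fraud.
PROTOCOLS = {
    "P1": {"mafia": 0.010, "distance": 0.020, "memory_bits": 128},
    "P2": {"mafia": 0.010, "distance": 0.050, "memory_bits": 256},
    "P3": {"mafia": 0.002, "distance": 0.050, "memory_bits": 512},
    "P4": {"mafia": 0.050, "distance": 0.010, "memory_bits": 64},
}
CRITERIA = ["mafia", "distance", "memory_bits"]

def dominates(a, b, criteria):
    """a dominates b: no worse on every criterion and strictly better on one."""
    no_worse = all(a[c] <= b[c] for c in criteria)
    better = any(a[c] < b[c] for c in criteria)
    return no_worse and better

def non_dominated(protocols, criteria):
    """Protocols that no other protocol dominates for the chosen criteria."""
    return sorted(
        name for name, score in protocols.items()
        if not any(dominates(other, score, criteria)
                   for other_name, other in protocols.items()
                   if other_name != name)
    )

def never_selected(protocols, criteria):
    """Protocols dominated in every context, i.e. for every non-empty
    subset of the criteria; these can be discarded whatever the scenario."""
    kept = set()
    for size in range(1, len(criteria) + 1):
        for subset in combinations(criteria, size):
            kept.update(non_dominated(protocols, subset))
    return sorted(set(protocols) - kept)

if __name__ == "__main__":
    print("all criteria:", non_dominated(PROTOCOLS, CRITERIA))
    print("mafia fraud only:", non_dominated(PROTOCOLS, ["mafia"]))
    print("never selected:", never_selected(PROTOCOLS, CRITERIA))
```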

Section snippets

Background

Distance bounding protocols are authentication protocols that, in addition, compute an upper bound on the distance between the prover and the verifier. Since we focus on the distance bounding properties of such protocols, we ignore any such protocol that does not even achieve authentication, e.g., due to impersonation attacks or key-recovery attacks [30]. The considered protocols are briefly introduced and classified according to their main features, which are the features that occur most

Methodology

Multi-criteria decision-making actually consists in making a decision, namely selecting the best solution(s) in a set of possible solutions, when the evaluation of solutions depends on several criteria. For example, buying a car is a multi-criteria decision making problem, because price, size, horsepower, color, etc. are different criteria that influence the decision. Similarly, choosing a distance bounding protocol is a multi-criteria decision-making problem where several security and

Methodology applied to current protocols

This section reports on the results obtained after applying our methodology to the protocols listed in Table 1. Instead of computing raw data to be served as input to a state-of-the-art decision making tool, the methodology has been implemented and published as an open source Java project. The computer tool, based on Table 2, comprises the thirteen distance bounding protocols listed in Table 1 so as to

Conclusion

In this article, we have proposed a methodology to evaluate and compare distance bounding protocols. The methodology benefits from experiences in the decision making field, and defines the most relevant attributes that ought to be considered in terms of security and implementability. An open-source computer software implementing our methodology has been released, which supported the evaluation and comparison of thirteen state-of-the-art distance bounding protocols. Among the evaluated

References (34)

  • G. Avoine et al. A framework for analyzing RFID distance bounding protocols. J. Comput. Secur. – Spec. Issue RFID Syst. Secur. (2011)
  • G. Avoine et al. RFID distance bounding multistate enhancement. The 10th International Conference on Cryptology in India – Indocrypt’09 (2009)
  • G. Avoine et al. Mutual distance bounding protocols. IEEE Trans. Mobile Comput. (2013)
  • G. Avoine et al. How secret-sharing can defeat terrorist fraud. The 4th ACM Conference on Wireless Network Security – WiSec’11 (2011)
  • G. Avoine et al. An efficient distance bounding RFID authentication protocol: balancing false-acceptance rate and memory requirement. Information Security Conference – ISC’09 (2009)
  • A. Bay et al. The Bussard-Bagga and other distance-bounding protocols under attacks. The 8th China International Conference on Information Security and Cryptology – Inscrypt’12 (2012)
  • S. Bengio et al. Secure implementation of identification systems. J. Cryptol. (1991)
  • T. Beth et al. Identification tokens - or: solving the chess grandmaster problem. Advances in Cryptology – CRYPTO ’90 (1990)
  • I. Boureanu et al. Secure and lightweight distance-bounding. The 2nd International Workshop on Lightweight Cryptography for Security and Privacy – LightSec’13 (2013)
  • S. Brands et al. Distance-bounding protocols. Workshop on the Theory and Application of Cryptographic Techniques on Advances in Cryptology – EUROCRYPT’93 (1994)
  • L. Bussard et al. Distance-bounding proof of knowledge to avoid real-time attacks. Security and Privacy in the Age of Ubiquitous Computing (2005)
  • Bundpol security systems. Car Locksmith Tools (2014)
  • S. Čapkun et al. SECTOR: secure tracking of node encounters in multi-hop wireless networks. The 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, SASN (2003)
  • J.M. Chambers et al. Graphical Methods for Data Analysis (1983)
  • J.H. Conway. On Numbers and Games (2000)
  • C. Cremers et al. Distance hijacking attacks on distance bounding protocols. The 2012 IEEE Symposium on Security and Privacy (2012)
  • Y. Desmedt et al. Special uses and abuses of the Fiat-Shamir passport protocol. Advances in Cryptology – CRYPTO’87 (1988)