16
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
Distance Bounding: A Practical Security Solution for Real-Time Location Systems Adnan Abu-Mahfouz, Member, IEEE, and Gerhard P. Hancke, Senior Member, IEEE
Abstract—The need for implementing adequate security services in industrial applications is increasing. Verifying the physical proximity or location of a device has become an important security service in ad-hoc wireless environments. Distance-bounding is a prominent secure neighbor detection method that cryptographically determines an upper bound for the physical distance between two communicating parties based on the round-trip time of cryptographic challenge-response pairs. This paper gives a brief overview of distance-bounding protocols and discusses the possibility of implementing such protocols within industrial RFID and real-time location applications, which requires an emphasis on aspects such as reliability and real-time communication. The practical resource requirements and performance tradeoffs involved are illustrated using a sample of distance-bounding proposals, and some remaining research challenges with regards to practical implementation are discussed. Index Terms—Distance-bounding, proximity authentication, real-time location, RFID, secure neighbor detection (SND), secure ranging, wireless.
I. INTRODUCTION
T
HE security of industrial applications has become a topic of increasing significance with the importance of basic security services such as authentication, integrity, and confidentiality generally being recognized. In some application, however, there is also a need for additional services that are not immediately obvious. For example, in wireless communication, it is commonly assumed that a communication neighbor, i.e., a device reachable for communication, is the same as a physical neighbor. This assumption is based on the fact that these devices are within communication range and that communication range is location limited, which implicitly proves physical proximity [1]. In a hostile environment, this assumption no longer holds as a fraudulent device can manipulate the communication range and pretend to be a neighbor. As a result, a device might interact with a fraudulent device pretending to be its neighbor, placing it in a privileged position from where it could adversely affect the intended services. Verifying the physical proximity
Manuscript received September 22, 2011; revised January 02, 2012, March 30, 2012, and June 10, 2012; accepted June 14, 2012. Date of publication September 11, 2012; date of current version December 19, 2012. Paper no. TII-11-559. A. Abu-Mahfouz is with the University of Pretoria, Pretoria, Gauteng, 0002, South Africa (e-mail:
[email protected]). G. P. Hancke is with the University of Pretoria and the Information Security Group (ISG), Royal Holloway, University of London, Egham TW20 0EX, U.K. (e-mail:
[email protected]). Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org. Digital Object Identifier 10.1109/TII.2012.2218252
of another device, through the use of secure neighbor detection (SND) method, has therefore become important in wireless network environments [1]. Supply chain and item tracking using radio frequency identification (RFID) technology and related real-time location (RTLS) systems are further examples of industrial applications that rely heavily on the notion of device proximity [2]–[7], [70]. The operational range of typical RFID tags used in such applications are known to be between 10 cm, for high-frequency (HF) tags, to 10 m for ultrahigh-frequency (UHF) devices. The assumption is therefore made that, if a reader manages to communicate with a tag, then the location of the tags in close physical proximity to the location of the reader [66]. Suppose a fraudulent party removed a valuable asset and replaced it with an inexpensive radio transceiver that simply relays the commands from an RFID reader to the real tag embedded in the asset and then forward the real tag’s response back to the reader. In this case, the reader will still consider the asset to be in close proximity, as there is still an entity that appears exactly the same as the real tag from a communication perspective. This scenario, discusses further in Section II, has been practically demonstrated against real-world RFID systems [8]. The secure verification of a devices’s location relative to another device, so-called secure neighbor detection, is therefore crucial to the secure and reliable operation of industrial real-time location applications [9]. Distance bounding determines an upper bound for the physical distance between two communicating parties based on the round-trip time (RTT) of cryptographic challenge-response pairs, thereby cryptographically verifying the physical proximity of two devices. Brands and Chaum proposed the first true distance-bounding protocol [10] and numerous new protocols have been proposed since, a number of which place particular emphasis on the fact that distance-bounding protocols should be implemented in RFID applications, e.g., [11], [12]. In the RFID environment, it can be used to cryptographically prove the proximity of a RFID token to a reader, while in RTLSs its ability to verify the physical proximity of an “item” makes it a key building block in secure localization methods. Although there has been extensive theoretical work on constructing distance-bounding protocols in recent years, the question of whether this approach is ready to be implemented in realworld RFID an RTLS applications still remains largely unanswered. Distance bounding would provide security benefits and facilitate a range of dependable services, but at what extra cost to resources, real-time performance, and reliability? There are also multiple protocol designs to choose from, and system engineers should be made aware of possible tradeoffs and be able
1551-3203/$31.00 © 2012 IEEE
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS
to effectively evaluate existing proposals with the purpose of choosing the best solution for their application. The purpose of this paper is not to provide an in-depth, theoretical analysis and state-of-the-art survey of different distancebounding protocol designs. Rather, this should be seen as a position paper that highlights the importance of securely determining device proximity in industrial RFID and RTLS applications, provides a short tutorial on the theoretical concepts and use of distance-bounding protocols, and discusses the aspects of practical implementation along with unresolved issues for future research. A short overview of SND methods and motivation for the use of distance-bounding in industrial applications are provided in Section II. The basic technical concepts of distancebounding protocols are covered in Section III. In Section IV, possible industrial requirements of distance-bounding protocols are defined, a selection of protocols is evaluated against these requirements, and remaining practical challenges are addressed. II. SECURE NEIGHBOR DETECTION (SND) There are a number of possible approaches to implementing SND, such as directional antennas, RF fingerprinting, centralized systems, location-based systems, and distance bounding [1]. Directional antennas triangulate position using angle-of-arrival (AoA), which requires static reference nodes with antenna arrays providing fixed reference directions, e.g., [14]. To be secure, these nodes must also have synchronized clocks to ensure that a transmission was made to multiple reference nodes at the same time, i.e., from the same location. Time synchronization to the accuracy required for distance estimation is a challenge in wireless networks. To determine the distance to another node would also require the node to be covered by at least two reference nodes. This limits the topology and the connection structures to a network “cloud,” where all nodes are covered by multiple reference nodes, which does not allow for the point-to-point connection between a RFID reader and tag. Centralized approaches work on the assumption that there are many nodes that can collaborate and aggregate data to a central system controller, which can check for suspicious node placement by building and analyzing system-wide node connectivity graphs. For example, if two nodes receive the same transmission it is impossible for that transmitting node to be within the communication range of both, e.g., [15], [16]. The effectiveness of these approaches relies on the network consisting of a large number of nodes capable of providing simple ancillary measurements This method is therefore not as effective when a limited number of nodes, e.g., a point-to-point RFID link or device localization using RTLS with only three reference nodes. RF fingerprinting characterizes the physical communication channel aspects of a node to generate a unique identifier that is difficult to forge, e.g., [17]. This is a promising approach to uniquely identifying nodes. However, each device needs to be characterized and, if nodes are mobile and subject to varying multi-path and path-loss effects, the fingerprint might need to be revised often. This reduces the practicality of using fingerprinting in ad-hoc environments where connections are often made to new nodes, i.e. new RFID-tagged item entering supply chain.
17
Location-based methods require that the physical location of each node is known at node level, e.g., each node is equipped with a GPS unit, or at a system level using a localization scheme. Examples of such systems are described in [18]. Determining the location at a node level requires additional network infrastructure and resources, especially indoors where GPS is not as effective, and a system-wide localization scheme has the same disadvantages as previously discussed for centralized approaches. Localization schemes still rely on accurate neighbor detection, and several secure localization proposals use, or could use, distance-bounding protocols for the underlying distance estimation between nodes [19], [67]–[69]. Distance bounding provides assurance as to the physical proximity of two nodes. A distance-bounding protocol can be performed locally between any two nodes with no collaboration with other network entities. Although this approach requires a node that can make RTT measurements, i.e., needs a suitable RF channel and an accurate albeit unsynchronized clock, it requires minimal prior relationship between participating entities and is effective within any communication topology. For example, it would be as suitable for a RTLS with multiple reference nodes bounding the distance to a device and for conventional RFID where only two entities, the reader and tag, need to verify their proximity. III. DISTANCE-BOUNDING PROTOCOLS Distance bounding only involves two parties, a prover and a verifier, and provides the verifier with cryptographic proof as to the maximum physical distance to the prover. The verifier relies exclusively on information gained from executing the protocol with the prover. As the verifier requires a reliable and secure estimate of the distance to the prover, distance-bounding protocols should be integrated into the underlying communication channel. The security of the protocol therefore not only depends on the cryptographic mechanisms but also on the physical attributes of the communication channel that are used to measure proximity. This section starts by explaining the need for distance bounding. Distance-estimation methods are discussed next, followed by protocol design aspects. This section serves only to introduce the basic principles of distance bounding. For a more formal analysis framework and extended overview of these protocols, the reader could refer to [20] and [21]. A. Need for Distance Bounding in Industrial Applications As discussed in Section IV and stated in [9], the verification of a node’s physical proximity to another node is crucial to the secure and reliable operation of industrial RFID and RTLS applications. Here, we discuss the attacks addressed by distance bounding and demonstrates the threats posed by these attacks by means of providing practical examples of security issues that can arise in RFID and RTLS applications. It is also shown that basic security services such as authentication and confidentiality do not sufficiently address these threats. There are three main types of attacks, shown in Fig. 1, which can be prevented by distance-bounding protocols—distance fraud, mafia fraud, and terrorist fraud. Distance fraud occurs when a fraudulent prover wants to convince the verifier that it is in close proximity, although this is not actually the case.
18
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
Fig. 3. Mafia fraud (relay attack) in RFID asset tracking system. Fig. 1. Main attacks that distance-bounding protocols aim to prevent. (a) distance fraud, (b) mafia fraud, and (c) terrorist fraud.
Fig. 2. Distance fraud in RTLS.
A practical example of how this could affect a RTLS with three reference nodes is shown in Fig. 2. In this example, three nodes , , and are required to report the location of node P based on the received signal strength of their respective communication with node P. If P was fraudulent, it could easily pretend to be at position by attenuating its signal when communicating with (appearing further away) and increasing the signal when communicating with (appearing closer). Encrypting data or authenticating P does not prevent this fraud as P is seen as a legitimate node in the network and in possession of the key material to both correctly encrypt/decrypt data and authenticate itself to the other nodes. Distance bounding detects whether a fraudulent prover is pretending to be closer to the verifier than is the case. If the localization system used distance bounding, P would not be able to appear closer to and would therefore be unable to effectively spoof a chosen location. In mafia fraud, the prover and the verifier are honest and far apart, and a third party attacker makes it appear as if they are in close proximity. The attacker used a proxy prover and proxy verifier interacting with the honest verifier and prover, respectively. These proxies simply relay all communication between and , thereby creating an extended the communication link between them. If the verifier operates on the plain assumption that prover is in close proximity if it can successfully be reached for communication, and then that attacker succeeds in convincing the verifier that the prover is in close proximity. Conventional security services cannot prevent this attack as the proxies do not need to decrypt or encrypt communication, they forward on data as is, nor do the proxies need to authentication themselves to the prover and verifier, as they are effectively a transparent communication link. Mafia fraud was first described by Desmedt [22], but this attack scenario has also been described as a wormhole or a relay attack [8],
[10], [23]. Mafia fraud is detected by distance-bounding protocols as the attacker introduces additional delay into the RTT measurement, e.g., even if theoretically the attacker’s hardware introduces no delay the time taken for the relayed data to propagate the extra distance will add to the RTT. Mafia fraud has already been successfully demonstrated in real-world RFID applications [10]. This has security implications for industrial supply chain and real-time location systems based on RFID technology, as illustrated in Fig. 3. Since the reader operates on the assumption that it can only read tags in close proximity, based on the expected operating distance of RFID systems, an attacker, using two relaying proxies, can convince a RFID reader that a tagged item is in close proximity, even though a tagged item is actually at another physical location. This compromises the reliability and accuracy of the system, and, in effect, this would allow an attacker to remove a valuable item from location it is meant to be without this action being detected. Reader-tag authentication does not prevent this threat. The proxy tag does not need to authenticate itself to the reader as an authentication request will be relayed to the real tag, and the legitimate response will be relayed back to the reader. In terrorist fraud, a third party attacker and a dishonest prover collaborate in attacking the system. The fraudulent prover, who is far from the honest verifier, assists an attacker, who is located close to the verifier, to masquerade as the prover by providing the attacker with selected cryptographic information [24]. In order to discourage terrorist fraud, some distance-bounding protocols ensure that in revealing the response the fraudulent prover will inherently reveal valuable information, such as a long term secret key, about itself, a principle first suggested in [25]. Terrorist fraud is a more theoretical attack, with limited practical significance in the context of industrial RFID and RTLS applications. 1) Practical Use Case: Real-Time Location Systems (RTLS): RTLS are automated systems that determine the locations of assets. RTLS systems are being increasingly relied upon to continually monitor items of high value within industrial applications. ‘High Value Asset Security’, as it is referred to by the Association for Automatic Identification and Mobility (AIM), is important for secure and efficient supply chain management and manufacturing, where it is used to keep track of expensive parts, equipment and final products. In some cases, an RTLS is directly integrated within other industrial processes, e.g., the Eximia Meerkat1 monitoring systems integrates real-time location information with distributed control systems (DCS) and supervisory control and data acquisition (SCADA) information. Beyond core “industrial” use, RTLS is used extensively in health 1[Online].
Available: www.eximia.it
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS
applications [57] where a similar importance is attached to reliability and security. A RTLS basically consists of a number of tags, attached to items, which are localized with the assistance of several observation nodes placed at known locations. A RTLS system can be implemented using a variety of underlying technologies. Examples of current commercial implementations include conventional passive RFID technology2 and system architecture, wireless network architecture using IEEE 802.113, Ultra-Wideband (UWB)4 or IEEE 802.15.45, or a combination of these technologies6. Even though location systems provide a security service, e.g., ensuring assets remain in authorized areas, these systems incorporate minimal, if any, security mechanisms. In recent times, the security of location systems has come under increasing scrutiny and several practical attacks have been demonstrated against real-world systems. For example, it has been shown that it is practical to circumvent the IEEE 802.11 location system in iPhones and iPads [58], allowing an attacker spoof a location of his choice. Distance fraud and mafia fraud are two attacks, which are detected through the use of distance bounding, of particular interest to RTLS applications. The basic characteristics of these attacks were discussed in the previous section, so here we discuss only how they could be applied to a RTLS. An attacker uses distance fraud to appear closer, or further away, from an observing node. As was shown in Fig. 2, this could allow an attacker to spoof the location of an asset. This results in the RTLS losing track of the item’s real location and allows the asset to be removed from its intended location. It has been shown [27], as can be seen in Fig. 2, that an entity localized through trilateration cannot successfully misrepresent its location without “decreasing” the distance to at least one of the observing nodes. For example, this could be achieved in a system basing distance estimates on received signal strength (RSS) by attenuating the signal to a chosen observer. Distance-bounding protocols prevent an attacker from appearing closer to the verifier, thereby detecting an attack of this nature. Mafia fraud, as previously shown in Fig. 3, have become increasingly feasible and have been practically demonstrated against a number of real-world systems [8], [54], [59], [60]. In each case, it was shown that an attacker could construct an inexpensive “proxy” of the item using either custom or off-the-shelf hardware. This proxy continues to relay communication between the item and the observing node/s even though the item has been removed, resulting in the RTLS reporting the location of the proxy as the location of the legitimate item. Distance-bounding protocols would detect the use of the proxy, based on the increased RTT to the legitimate item. Studies, such as [61], have shown that RTLS offers significant benefits in terms of cost and efficiency. These benefits can only be derived if there is an assurance as to the integrity of the RTLS information. Considering the importance of RTLS to industrial applications and the current feasibility 2[Online].
Available: www.odinrfid.com
3[Online].
Available: www.ekahau.com
4[Online].
Available: www.ubisense.net
5[Online].
Available: www.locatingtech.com
6[Online].
Available: www.aeroscout.com
19
of attacks, industrial system engineers should follow the trend in other sectors and start addressing security issues in location systems. B. Securely Estimating Physical Distance There are a number of approaches and proposals for estimating the distance between devices, but these are not necessarily designed to be secure, e.g., [26]. Time-of-flight (ToF) and received signal strength (RSS) are often used for distance estimation between two nodes. However, RSS is not a secure method since attackers can easily alter the perceived distance by either amplifying or attenuating a signal. ToF measures elapsed time for a message exchange and then estimates the distance based on the communication medium’s propagation speed. Both radio frequency (RF) and ultrasound channels (US) have been used in ToF systems. The propagation speed of sound is much slower than that of radio waves. As a result, an attacker can intercept the U.S. communication and forward it over a faster radio or optical communication medium to an accomplice closer to the verifier or prover, thereby reducing the time measurement and decreasing the distance estimate. RF channels are therefore proposed as the channel of choice for implementing distance-bounding systems. There are two well-known examples of how ToF is generally used to determine distance: time of arrival (ToA) and RTT. In ToA systems, the estimate is made purely on data transmitted in one direction from the prover to the verifier. The distance between two devices can be calculated as , where is the propagation speed and is the one-way propagation time between the transmitter and the receiver. A distance-bounding protocol using this approach could possibly be implemented as follows if both the verifier and the prover share a common, high-precision time base, e.g., secure GPS receivers: The verifier sends out a challenge at time , which the prover receives at time . The prover then replies with a message-authenticated data packet , where is the challenge he received. The verifier checks the message-authentication code of this packet with the shared key and also whether , where is the upper bound for the distance and is the speed of light. An attacker relaying the challenge would introduce extra propagation delay, which would be reflected in , and, as a result, the verifier would conclude that the prover is outside the allowable distance bound. There are, however, some problems with this implementation. An accurate time-base shared between devices is difficult to achieve so this method is not practically feasible, especially in RFID. This protocol also assumes that the prover is a trusted entity, thus making the prover responsible for taking the time measurement. There are no measures in place to prevent the prover from committing distance fraud by lying about and appearing closer to the verifier as a result. From a security perspective this is not acceptable, as a distance-bounding protocol should provide the verifier with reliable proof that the prover is actually within a certain distance, even in cases where the prover is not trusted. The problem of maintaining a shared time-base in both the verifier and the prover could be addressed by making distance
20
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
measurements based on RTT. In RTT systems, only the verifier is required to maintain an accurate time-base and the prover is also no longer responsible for providing the security critical time measurements. The distance between the prover and verifier can be calculated as with where is the propagation speed, is the one-way propagation time, is the measured total RTT and is the prover’s processing delay between receiving a challenge and sending a response. A distance-bounding protocol using RTT could possibly be implemented as follows. The verifier again sends a challenge at time , which the prover receives at times . Once the challenge is received, the prover sends a response in the opposite direction at time , which the verifier receives at time . The verifier determines , checks that the response is correct, and finally confirms that , where is once again the upper bound for the distance. Although this protocol is an improvement on the first example, extra care must be taken to specify the nature of the response. If the prover simply echoed the challenge received , it would provide limited security as any attacker, who controlled a proxy device close to the verifier, would be able to do this and achieve an acceptable measurement . Ideally, the response should depend on the challenge, i.e., . If this was not the case, and was merely a random nonce agreed on beforehand between the prover and verifier, a fraudulent prover could send before receiving and thus decrease the RTT. Specifying that is a function of forces the prover to wait until he receives the challenge and prevents him from preemptively transmitting its response. C. Protocol Design Since Brands and Chaum first described distance-bounding protocols in 1993 [10], a number of protocols have been published that allow a verifier to determine an upper bound on the physical distance to a specific prover. These proposals can be classified by how they implement different stages of the distance-bounding process, with most protocols consisting of three basic stages: The setup stage where the verifier and prover prepare for the exchange stage, the timed exchange of challenge and response data, and the verification stage that ensures that the exchange step has been executed faithfully. In the literature, three different types of distance bounding proposals can be identified [21], [27], described as follows. Timed authentication protocols are the simplest form of ToF-based distance bounding, with the verifier timing normal, authenticated data exchanges. The basic idea is to execute a challenge-response authentication protocol under a very tight time-out constraint, which was a concept first proposed by [71{]. For example, a verifier transmits a random -bit nonce to the prover , who replies with a message-authentication code , where is a keyed pseudorandom function and is a shared secret key. These protocols generally time an exchange without considering variations in the processing time of the response or the format of the challenge and response [13], [28]. The possible variations in the processing delay therefore affects the time measurement, which in turn causes the distance bound to be unreliable. For example, a node that usually takes 100 ms to
Fig. 4. Brands and Chaum’s protocol.
compute a public-key signature and has a 1% (1 ms) processing time variation could theoretically cause a 333-km error in the distance estimate when an RF channel is used. Furthermore, a fraudulent prover has scope to speed up the processing time and transmit its response earlier than expected. In contrast, pre-commitment or pre-computation protocols aim to reduce or accurately predict the processing delay by making the prover decide on possible responses before the exchange stage. As a result, the prover only has to choose a response based on the challenge received from the verifier during the exchange stage, so is significantly reduced. These protocols generally propose that the function is implemented using a simple XOR or lookup table (LUT) operations to minimize variation in . In protocols using pre-commitment, the prover prepares possible responses during the setup stage. For example, the verifier generates a random challenge bit string, , while the prover generates a response string . The prover commits to , e.g., by transmitting a collision-resistant message authentication code . The verifier then sends one after another, which the prover receives as . It then instantly replies with a bit , which is calculated by XOR-ing each received challenge bit with the corresponding bit of . Finally, the prover reveals and authenticates , i.e., prover sends message authentication code to the verifier. An example of this approach is the protocol [10], shown in Fig. 4. In protocols using pre-computation the prover and the verifier calculates the possible response strings before the exchange stage starts. For example, the verifier and the prover first exchange nonces and . Both the prover and the verifier then use a pseudorandom function and a shared key in order to calculate two -bit response strings and Since the verifier also knows and at this stage, the prover is effectively committed to two response strings without explicitly making a commitment during setup. As a result, the
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS
prover does not have to open its commitment during the verification stage, thereby decreasing the transmitted data and the execution time. An example of this approach is presented in [11], where generates and sends an unpredictable random challenge bit , to which respond instantly with a bit from either or based on the value of . During the verification stage, the verifier checks that the received responses match the possible responses it calculated during the setup stage. IV. EVALUATING AND CHOOSING DISTANCE-BOUNDING PROTOCOLS FOR YOUR APPLICATION The implementation of distance-bounding protocols can differ in a number of ways. As a result, characteristics like attack resistance, resource requirements and execution time varies for each protocol. Here, the proposed protocols by Brands and Chaum (BC) [10], Čapkun et al. (CBH) [65], Hancke and Kuhn (HK) [11], Reid et al. (RNTS) [29], Tu and Piramuthu’s (TP) [30], Munilla and Peinado (MP) [12], Kim and Avoine (KA) [31], Kim et al. (KAKSP) [32], Meadows et al. (MSC) [33], Avoine et al. (MUSE) [34], Avoine and Tchamkerten (AT) [35], and Peris-Lopez et al. (Hitomi) [36] are evaluated with regard to industrial application. All of these protocols adhere to the principles of secure distance bounding, as defined in [27]. The basic evaluation requirements with regard to industrial applications are security [37], [38], reliability [39], [40], resource cost [41], [42], energy efficiency [52], [53], and execution time [43], [44]. The intention is not to provide a complete list of distance-bounding protocols in literature, but rather a cross section or sample that illustrates the capabilities of this protocol family with regards to industrial applications. Security-sensitive industrial applications are likely to implement services such as authentication, integrity, and confidentiality in addition to secure neighbor detection. For the purpose of generating quantitative results for evaluation and discussion, a device is assumed to already implement standardized cryptographic algorithms, as set out below, which will simply be reused for distance bounding. Similarly, it is assumed that the key management infrastructure used for generating and distributing keys for authentication, integrity, and confidentiality services could also support shared symmetric keys for distance bounding. Therefore, distance bounding does not introduce any additional algorithms or key management requirements beyond what is already reasonably available in a security sensitive application. Although certain devices, e.g., resource-constrained nodes or RFID tags, might currently be incapable of performing such functions it is in our opinion necessary to evaluate practical implementation issues based on the cryptographic parameters that are most likely to be used within secure, industrial applications in the long term. The recommendations for choosing secure algorithms through to the year 2030 by the National Institute of Standards and Technology (NIST) [47] is therefore used as a benchmark. For a symmetric encryption operation AES128 is recommended so a shared key, , and a result are 128 bits in length, and data are encrypted in blocks of 128 b. The pseudorandom function is implemented as a SHA-256 hash function, which has equivalent 128-b security and an output of length 256 b. It is unlikely that low-resource devices will contain a true random
21
number generator. It is therefore assumed that a pseudorandom number generator is available, which will have similar resource requirements as an optimized hash function or symmetric cipher. A summary of the protocol characteristics using these parameter values are shown in Table I. If required, the reader can calculate the transmitted data (TD) and memory needed for a different system design by assigning that system’s cryptographic parameter values and substituting these values into the equations given in Table II. Table II summarizes the maximum amount of memory required and the amount of data bits required to be sent by the prover and verifier for each protocol. The figures provided here for attack success probability, memory use, and transmitted data bits are as provided in listed literature sources and have not been subjected to further analysis. A. Reliability Industrial applications are required to be reliable, and any related protocols need to be suitably robust to operate in harsh environments. It should be noted that all of the protocols evaluated in this section require the transmission of a single data symbol during the timed exchange stage. The reason behind this choice is that conventional communication channels introduce latency at the physical, e.g., demodulation and decoding, and packet, e.g., framing bits, layers. It is possible for an attacker to take advantage of this latency to obscure distance and mafia fraud attempts, as demonstrated in [27] and [48]. A distance-bounding protocol therefore needs to implement a special channel for the exchange stage or, alternatively, accept the risk of attack and use a single, multi-bit symbol exchange. Both of these aspects are discussed further in Section V. In harsh environments, communication during the setup and verification stages can be transmitted via robust communication channels. However, taking into account the channel constraints, it is likely that bit errors will occur during the exchange stage. Without sufficient error-handling the protocol will fail, and it will either require that the protocol executes again or cause the disruption of subsequent services. These scenarios are not acceptable in systems delivering critical services, often with associated real-time constraints. Hancke and Kuhn [11] proposed that protocols simply handle errors by defining a bit-error threshold and that the protocol therefore successfully completes even if some responses are incorrect. Although this method can be applied to precomputation protocols, with no verification stage, without any modification, these authors also pointed out that other protocol designs can also implement the threshold method, as long as the challenge bits received by the prover and the response bits sent by the prover are transmitted over an error-corrected channel during the verification stage. An alternative for precommitment protocols is to use error-correcting codes (ECC) as proposed by Singelée and Preneel [49]. is applied to the generated strings’ response string and this results in a new string. The protocol now continues exactly as before except that there are now timed bit exchanges instead of . After the bit exchanges, the verifier reconstructs from the challenges it sent and the correct any bit errors in the reconstructed . The
22
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
TABLE I COMPARISON OF SELECTED DISTANCE-BOUNDING PROTOCOLS
Functions required, number of times each functions must be calculated and total number of clock cycles needed to execute the protocol from prover’s side. Memory optimized (multi-tree) version with a trees of depth , instead of single memory tree with depth . Require 4080 bits to populate trees for , so 16 256-b iterations of required.
verification stage then proceeds as normal. The disadvantage of using ECC for error resistance is that it increases the protocol execution time. This is a result of the node performing additional ECC calculations and also transmitting additional redundant bits, which is used to detect and correct bit errors in the challenge and response strings. Recently, Munilla and Peinado [50] proposed two effective attacks against the Singelée and Preneel’s (SP) protocol. These two attacks increase the adversary’s success probability. Moreover, they showed that as the number of allowed failures increases, the false acceptance probability of the ECC method is higher than that of the threshold method. All results in Section IV assume that the protocols incur the extra overhead to implement the threshold method for error resistance. Table I indicates which protocols can implement this method as is, and which need to transmit additional data during the verification stage.
B. Resource Cost Real-world industrial applications are cost sensitive. As discussed in earlier sections, secure proximity services would be of most benefit to RTLS and RFID applications where tags are meant to be plentiful and inexpensive. It is therefore important to consider the hardware resources required by distancebounding protocols. The first hardware cost incurred is resources dedicated to implementing the basic cryptographic functions. From Table I, it is evident that all of the protocols require at least a pseudorandom function (hash or encryption) and a random number generator. Some of the protocols also require a symmetric encryption function. These functions are found in devices with limited resources, such as contactless smart cards [51], so it is
not infeasible to implement these functions on hardware platforms that are optimized for cost, such as sensor nodes or certain RFID tokens. Implementing cryptographic functions in severely constrained environments, such as disposable RFID tags, remain a challenge, but there is significant research addressing this area, e.g., [42]. The second tangible resource is that of data memory, i.e., the maximum amount of data that needs to be stored. During the protocol execution several values, such as nonces, keys, challenges, and possible responses must be stored in working memory. As can be seen from the results in Table I, memory requirement vary between 40 and 548 bytes, with nine out of 12 protocols needing less than 128 bytes. These are not negligible values in embedded processors, but memory requirements are also directly proportional to the number of bits exchanged, as is evident from Table II, so a system engineer would be able to tailor the protocol implementation to the memory available by choosing the right protocol and/or decreasing the level of security. C. Energy Efficiency In some applications, system engineers need to optimize the design to preserve limited power sources. For example, RFID tags’ power is limited to the harvesting of energy off the reader’s transmitted carrier while an active RTLS tag needs to optimize its power use to increase its lifetime. Table I shows the minimum amount of bits that are transmitted between the verifier and the prover during each protocol execution. This considers only data transmission essential to protocol execution and does not take into account any formatting or integrity verification data that might be added by the underlying communication channel during the setup and verification stage. The data transmitted for the sample protocols vary between 256 and 1408 b. Furthermore, Table II clearly shows
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS
TABLE II MEMORY AND TRANSMITTED DATA
Memory optimized (multi-tree) version with instead of single memory tree with depth
trees of depth
23
TABLE III EXECUTION TIME
,
that the number of bits transmitted is proportional to the number of bits exchanged so if the application is energy sensitive the transmission can be optimized by choosing a suitable protocol and/or decreasing the level of security. D. Execution Time Industrial systems often have real-time requirements, where the application’s capability to adhere to timing constraints is critical to the reliability of the system. For example, an RFIDenabled supply chain system might need to determine the proximity of each item-level tag, while these items are moving past in a vehicle, or on a conveyor belt. RFID readers should therefore be capable of reading tags within a limited time, which would place constraints on time taken to execute the tag communication protocol. The main factors influencing execution time is the transmission time, i.e., the time required to transmit data, and the processing time, i.e., the time needed to perform the cryptographic functions. Quantifying the relative execution time in terms of the transmission time is relatively simple as it is the transmitted bit period times the total number of bits transmitted, as discussed in Section IV-D. Accurately quantifying the processing time is not straight forward as this depends on a number of factors, which are difficult to generalize. Such factors include: • platform capability—processor architecture, memory, and system clock; • cryptographic algorithm implementation—designs can be optimized for speed, memory consumption, or cost/area, i.e., physical integrated circuit space. As a result, a simplified approach is taken whereby the basic protocol functions required are classified as a pseudorandom
number generation process, as a pseudorandom manipulation process or as an encryption process. To illustrate the relative complexity of each process, the number of computational cycles needed for each process is listed, as shown in the benchmarking figures for the widely used Crypto++ open-source library. As defined earlier in Section IV, SHA-256 is used as the pseudorandom function F, requiring 512 cycles for a 256-b result, and AES-128 is used for encryption, requiring 718 cycles for a 128-b result. Pseudorandom number generation in embedded systems are often implemented using a linear feedback shift register (LFSR) design [52]. As the core component is a shift register, it is realistic to estimate that an -bit number generator would require instruction cycles. How this relates to execution time depends on the device in question, e.g., an FPGA could update the LFSR once a clock cycle whereas a single instruction cycle on an embedded microcontroller will take clock cycles, where depends on the device architecture. Table I provides a summary of the processes computed by the prover for each protocol and the total number of cycles needed. Taking into consideration a very prudent estimate of device capability, assuming a 1-MHz processing clock x and 25-kbps communication channel, the execution time of the protocols are as shown in Table III. E. Security The primary purpose of implementing a distance-bounding protocol in any application is to provide a security service. In order to illustrate the security of distance-bounding protocols given a fixed number of challenge-response exchanges, we compute the respective success probabilities of an adversary to perform distance, mafia, and terrorist fraud with the number of exchanges . The successful attack probability equations for each protocol are shown in Table I, and the resultant probabilities in the benchmark system are shown in Table IV. Protocol proposals often do not consider all three main attacks to have equal priority. The majority of the protocols do not address terrorist fraud, although this is to be expected since this attack is impossible to prevent as such. The protocol can only discourage the prover from participating in this attack by
24
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
TABLE IV SUCCESS PROBABILITY OF AN ADVERSARY (SPA)
ensuring that the collaborating prover reveals its longterm secret key to the third party attacker he assists. The attack success results listed in these proposals are therefore not the probability that the verifier is fooled, but rather the probability that the prover can assist in the attack without losing its secret. It should also be noted that two protocols, MP and KA, are explicitly designed to have good mafia fraud resistance, at the expense of distance fraud resistance. The probability of an attack succeeding obviously decreases as the number of challenge-response exchanges increase, although this introduces a tradeoff with both memory used and the amount of data transmitted, which also affects execution time as discussed previously. F. Choosing a Suitable Protocol There is no single protocol that is ideal under all design conditions. Each of the sample protocols has advantages and disadvantages, and, given the right design conditions, any of these protocols can be argued to be “most suitable.” For example, when choosing a protocol for an RFID system, more emphasis might be placed on computational resource constraints and execution time. A protocol for a RTLS might have the benefit of executing on an active tag with more computational resources but will nevertheless need to minimize transmission to conserve an exhaustible power source. Given the basic tradeoffs and results presented in this section, a system engineer should get a good indication of which protocol aspects to consider in a system design and be in a position to evaluated proposals in literature against chosen requirements. For example, the simple tradeoff between security and execution time for is shown in Fig. 5. V. FUTURE RESEARCH DIRECTIONS There are several of active research directions related to the concept of distance-bounding protocols. Despite the number of protocol proposals in literature, there is still scope for improvement in theoretical protocol design with regard to resource requirements, attack success probability and optimized protocols for specific applications or operational environments. There is also a need for formal analysis of protocols, using a
Fig. 5. Graph of attack success probability versus execution time ( distance fraud mafia fraud terrorist fraud).
clearly defined framework for comparison, to identify generic design principles crucial to protocol security, explain design decisions, and discuss subtle aspects of implementation requirements. There is already progress in this area of formal analysis [20], although a comprehensive survey and analysis of existing protocol designs has not been done. As was briefly mentioned in Section IV-A, an attacker could obscure mafia and distance fraud attempts by exploiting the underlying communication channel, even if the cryptographic part of the distance-bounding protocol is seemingly secure. Accordingly, Principle 2 of the “Principles of Secure Distance-Bounding” as defined by Clulow et al. [27] states that all of these protocol would require a special bit-exchange channel for maximum security. Communication channels usually transmit multi-bit data packets rather than single bits, so exchanging multibit bit streams is easier to implement with off-the-shelf components. The problem is that these channels usually add some extra formatting information, such as trailers, headers, and error-correction measures that introduce latency. An attacker is not required to adhere to the “rules” of the communication channel. For example, an attacker could ignore packet framing and start to calculate its response before receiving the complete packet trailer. As a result, the attacker is in a position to respond earlier than expected. A verifier expecting the prover to wait until it received all of the transmitted bits before starting to calculate the response would therefore measure a reduced RTT and the resultant distance estimation would be incorrect [27]. Even if a multibit nonce was exchanged without any formatting, or error correction, an attacker could still gain a timing advantage from tolerances introduced in the modulation and encoding stages, while also having the option of decreasing the decoding process of a legitimate device if the data recovery clock is derived from the transmitted data [48]. The exchange of multibit data packets over normal communication channels does therefore not achieve a timing measurement that is unconditionally secure. In contrast, a multiple single-bit exchange provides the highest time resolution, as it depends only on
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS
propagation time, pulse width, and processing delay of a single bit. Implementing channels for distance-bounding protocols is an ongoing research area, which can be approached from either a theoretical or computational security perspective. Using special channels for distance bounding is needed if protocols are to be theoretically secure, i.e., if the protocol provides the stated security even if an attacker is assumed to have infinite resources. A practical example of such an attacker would be one that introduces no delay, apart from the propagation delay, when relaying the communication between a legitimate verifier and prover during a mafia fraud attack. Currently, there are several publications detailing practical implementations of such distance-bounding channels in the HF band for RFID/contactless tokens [53], for contact smart cards [54], and in the super HF band (3.5–4 GHz) [63]. These channels exhibit desirable security properties and demonstrate that implementation complexity and cost for can be low enough to be feasible in current hardware, e.g., [54] implements a reliable channel with only a few inexpensive, discrete components. Although these channels serve as promising proof-of-concept designs on which further research could be based, the widespread use of such channels is still some way off in the future. An alternative approach is to implement distance-bounding protocols on existing channels and to try to and achieve computational security, i.e., assume that the protocol provides the stated security against an attacker that has limited resources. This approach requires that the extent to which an attacker could potentially alter the distance estimate for a particular channel or protocol must be determined, and that any potential attacks must be taken into account with regards to the specific system risk model, i.e., the designer is aware of the weakness and needs to make a judgment as to the feasibility of an attacker exploiting the weaknesses. A practical example of this approach is that an attacker executing a mafia fraud is assumed to introduce an additional delay, in addition to only the propagation delay, when relaying communication between the legitimate verifier and the prover. This is a practical and reasonable assumption as attackers are in practice computationally limited and will introduce a time delay each time data is received and then retransmitted by a proxy device. For example, the practical mafia fraud attacks in [8] and [59] against HF and LF/UHF passive RFID systems introduced approximately 20- s and 250-ns additional delay, respectively, even though the propagation was less than 6 ns (0–2 m). In both of these cases, it is therefore not necessary to achieve an RTT measurement resolution of the order of 6 ns, as the attack could be detected by looking for a response that is much more significantly delayed. Considering computational security simplifies channel design, without necessarily compromising on security, and therefore allows distance bounding to be more easily integrated into current technology. For example, the recently released NXP Mifare Plus RFID/contactless token implements distance bounding as a mafia fraud countermeasure. There are designs for low-cost UWB transceivers suitable for distance bounding [64] and also an example of a distance-bounding protocol successfully implemented using offthe-shelf UWB equipment [55]. From these developments it is reasonable to conclude that distance-bounding could be practically implemented into RFID and UWB systems today, using
25
existing equipment. There are also detailed security analyses for IEEE 802.15.4 channels in addition to proposals using this channel for secure distance bounding [56], [62], which could form the basis for a successful implementation using this radio technology in the near future. VI. CONCLUSION The reliability of industrial applications is crucial and the need for adequate security measures is increasing. Verifying the physical proximity or location of a device is becoming an important security requirement in industrial applications relying RTLS and RFID technology. Distance-bounding provides cryptographic assurance as to the upper bound for the physical distance between two communicating parties, without requiring additional device characterization or information from third parties. As a result, this method is adaptable to provide SND services in a variety of communication architectures, including point-to-point device communication in proximity identification systems, such as RFID-enabled supply chains or a RTLS with multiple reference nodes. The evaluation of a sample set of distance-bounding protocol proposals, using industry-standardized cryptographic algorithms, showed that the practical requirements with regard to hardware cost, energy efficiency, and execution time are reasonable for industrial implementation. By choosing an appropriate protocol and adjusting the number of exchanged challenge-responses these requirements can be optimized to suit all but the most restricted devices and applications. The attack success probability of the sample proposals are relatively low and resistance to communication errors are already built in. The underlying channel implementation also affects the accuracy and security of the distance estimate of the protocol and affects the cost of practical implementation. Distance-bounding protocols have already been implemented in commercial RFID products and with off-the-shelf UWB equipment, achieving a level of computational security against practically demonstrated attacks. Nevertheless, as attacks improve and if distance-bounding is to become theoretically secure in real-world applications then existing work on suitable channels would need to be continued, by investigating cost effective means of implementing new channels and/or approaches that mitigate security issues in conventional channels. REFERENCES [1] P. Papadimitratos, M. Poturalski, P. Schaller, P. Lafourcade, D. Basin, S. Capkun, and J. P. Hubaux, “Secure neighborhood discovery: A fundamental element for mobile ad hoc networking,” IEEE Commun. Mag., vol. 46, no. 10, pp. 132–139, Oct. 2008. [2] S. S. Saad and Z. S. Nakadv, “A standalone RFID indoor positioning system using passive tags,” IEEE Trans. Ind. Electron., vol. 58, no. 5, pp. 1961–1970, Jul. 2010. [3] G. M. Gaukler, “Item-level RFID in a retail supply chain with stock-out-based substitution,” IEEE Trans. Ind. Inf., vol. 7, no. 2, pp. 362–370, May. 2011. [4] S. Han, H.-S. Lim, and J.-M. Lee, “An efficient localization scheme for a differential-driving mobile robot based on RFID system,” IEEE Trans. Ind. Electron., vol. 54, no. 6, pp. 3362–3369, Nov. 2007. [5] M. Henseler, M. Rossberg, and G. Schaefer, “Credential management for automatic identification solutions in supply chain management,” IEEE Trans. Ind. Inf., vol. 4, no. 4, pp. 303–314, Nov. 2008.
26
IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
[6] A. Soylemezoglu, M. J. Zawodniok, and S. Jagannathan, “RFID-Based smart freezer,” IEEE Trans. Ind. Electron., vol. 56, no. 7, pp. 2347–2356, 2009. [7] S. Park and S. Hashimoto, “Autonomous mobile robot navigation using passive RFID in indoor environment,” IEEE Trans. Ind. Electron., vol. 56, no. 7, pp. 2366–2373, 2009. [8] G. P. Hancke, K. E. Mayes, and K. Markantonakis, “Confidence in smart token proximity: Relay attacks revisited,” Comput. Security, vol. 28, pp. 615–627, 2009. [9] D. Lui, M.-C. Lee, and D. Wu, “A node-to-node location verification method,” IEEE Trans. Ind. Electron., vol. 57, no. 5, pp. 1526–1537, May 2010. [10] S. Brands and D. Chaum, “Distance-bounding protocols,” in Advances in Cryptology—EUROCRYPT ’93, T. Helleseth, Ed. Berlin, Germany: Springer, 1994, pp. 344–359. [11] G. P. Hancke and M. G. Kuhn, “An RFID distance bounding protocol,” in Proc. 1st Int. Conf. Security Privacy for Emerging Areas in Commun., Athens, Greece, 2005, pp. 67–73. [12] J. Munilla and A. Peinado, “Distance bounding protocols for RFID enhanced by using void-challenges and analysis in noisy channels,” Wireless Commun. Mobile Computing, vol. 8, pp. 1227–1232, 2008. [13] C. Tang, D. O. Wu, T. Syst, and L. Oswego, “Distance-bounding based defense against relay attacks in wireless networks,” IEEE Trans. Wireless Commun., vol. 6, no. 11, pp. 4071–4078, Nov. 2007. [14] L. Hu and D. Evans, “Using directional antennas to prevent wormhole attacks,” in Proc. 11th Network Distrib. Syst. Security Symp., San Diego, CA, 2004, pp. 131–141. [15] Z. Li, W. Trappe, Y. Zhang, and B. Nath, “Robust statistical methods for securing wireless localization in sensor networks,” in Proc. 4th IEEE In. Symp. Inf. Process. Sensor Networks, Los Angeles, CA, 2005, pp. 91–98. [16] R. Maheshwari, J. Gao, and S. R. Das, “Detecting wormhole attacks in wireless networks using connectivity information,” in Proc. 26th IEEE Int. Conf. Comput. Commun., Anchorage, AL, 2007, pp. 107–115. [17] K. B. Rasmussen and S. Capkun, “Implications of radio fingerprinting on the security of sensor networks,” in Proc. 3rd IEEE Int. Conf. Security Privacy Commun. Networks, Nice, France, 2007, pp. 331–340. [18] A. Boukerche, H. Oliveira, E. F. Nakamura, and A. A. Loureiro, “Secure localization algorithms for wireless sensor networks,” IEEE Commun. Mag., vol. 46, pp. 96–101, 2008. [19] S. Capkun and J. P. Hubaux, “Secure positioning in wireless networks,” IEEE J. Sel. Areas Commun., vol. 24, no. 2, pp. 221–232, Feb. 2006. [20] G. Avoine, M. A. Bingol, S. Kardas, C. Lauradoux, and B. Martin, “A framework for analyzing RFID distance bounding protocols,” J. Comput. Security, vol. 19, no. 2, pp. 289–317, Apr. 2011. [21] G. P. Hancke, “Security of proximity identification systems” Ph.D. dissertation, Comput. Lab., Univ. of Cambridge, Cambridge, U.K., Feb. 2008 [Online]. Available: http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-752.pdf [22] Y. Desmedt, C. Goutier, and S. Bengio, “Special uses and abuses of the fiat-shamir passport protocol,” in Advances in Cryptology—CRYPTO ’87, C. Pomerance, Ed. Berlin, Germany: Springer, 1988, pp. 21–39. [23] Y. C. Hu, A. Perrig, and D. B. Johnson, “Rushing attacks and defense in wireless ad hoc network routing protocols,” in Pro. 2nd ACM Workshop Wireless Security, San Diego, CA, 2003, pp. 30–40. [24] Y. Desmedt, “Major security problems with the “unforgeable” (feige)Fiat_Shamir proofs of identity and how to overcome them,” in Proc. 6th Worldwide Congress Comput. Commun. Security Protection, 1988, pp. 147–159. [25] L. Bussard and W. Bagga, “Distance-bounding proof of knowledge to avoid real-time attacks,” in Security and Privacy in the Age of Ubiquitous Computing, R. Sasaki, S. Qing, E. Okamoto, and H. Yoshiura, Eds. Berlin, Germany: Springer, 2005, pp. 223–238. [26] J. Hightower and G. Borriello, “Location systems for ubiquitous computing,” IEEE Computer, vol. 34, pp. 57–66, 2001. [27] J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore, “So near and yet so far: Distance-bounding attacks in wireless networks,” in Security and Privacy in Ad-Hoc and Sensor Networks, L. Buttyan, V. Gligor, and D. Westhoff, Eds. Berlin, Germany: Springer, 2006, pp. 83–97. [28] B. Waters and E. Felten, “Secure, Private Proofs of Location,” Princeton Univ., Tech. Rep. TR-667-03, 2003. [29] J. Reid, J. M. G. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks with timing-based protocols,” in Proc. 2nd ACM Symp. Inf., Comput. Commun. Security, Singapore, 2007, pp. 204–213.
[30] Y. J. Tu and S. Piramuthu, “RFID distance bounding protocols,” in Proc. 1st Int. EURASIP Workshop RFID Technology, Vienna, Austria, 2007. [31] C. H. Kim and G. Avoine, “RFID distance bounding protocol with mixed challenges to prevent relay attacks,” in Cryptology and Network Security—CANS ’09, J. A. Garay, A. Miyaji, and A. Otsuka, Eds. Berlin, Germany: Springer, 2009, pp. 119–133. [32] C. H. Kim, G. Avoine, F. Koeune, F. X. Standaert, and O. Pereira, “The swiss-knife RFID distance bounding protocol,” in Information Security and Cryptology–ICISC 2008, P. J. Lee and J. H. Cheon, Eds. Berlin, Germany: Springer, 2009, pp. 98–115. [33] C. Meadows, P. Syverson, and L. W. Chang, “Towards more efficient distance bounding protocols for use in sensor networks,” in Proc. 2nd Int. Conf. Security Privacy Commun. Networks, Baltimore, MD, 2006, pp. 1–5. [34] G. Avoine, C. Floerkemeier, and B. Martin, “RFID distance bounding multistate enhancement,” in Progress in Cryptology—INDOCRYPT ’09, B. Roy and N. Sendrier, Eds. Berlin, Germany: Springer, 2009, pp. 290–307. [35] G. Avoine and A. Tchamkerten, “An efficient distance bounding RFID authentication protocol: Balancing false-acceptance rate and memory requirement,” in Information Security, P. Samarati, M. Yung, F. Martinelli, and C. A. Ardagna, Eds. Berlin, Germany: Springer, 2009, pp. 250–261. [36] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, and J. C. A. van der Lubbe, “Shedding Some Light on RFID Distance Bounding Protocols and Terrorist Attacks,” Jun. 20, 2010. [Online]. Available: http://arxiv.org/PS_cache/arxiv/pdf/0906/0906.4618v2.pdf [37] W. Granzer, F. Praus, and W. Kastner, “Security in building automation systems,” IEEE Trans. Ind. Electron., vol. 57, no. 11, pp. 3622–3630, Nov. 2011. [38] M. Cheminod, A. Pironti, and R. Sisto, “Formal vulnerability analysis of a security system for remote fieldbus access,” IEEE Trans. Ind. Inf., vol. 7, no. 1, pp. 30–40, Feb. 2011. [39] B. Zhao, H. Aydin, and D. Zhu, “On maximizing reliability of real-time embedded applications under hard energy constraint,” IEEE Trans. Ind. Inf., vol. 6, no. 3, pp. 316–328, Aug. 2010. [40] Y. Yang, Y. Xu, X. Li, and C. Chen, “A loss inference algorithm for wireless sensor networks to improve data reliability of digital ecosystems,” IEEE Trans. Ind. Electron., vol. 58, no. 6, pp. 2126–2137, Jun. 2011. [41] Y. Wu, G. Buttazzo, E. Bini, and A. Cervin, “Parameter selection for real-time controllers in resource-constrained systems,” IEEE Trans. Ind. Inf., vol. 6, no. 4, pp. 610–620, Nov. 2010. [42] Y.-J. Huang, C.-C. Yuan, M.-K. Chen, W.-C. Lin, and H.-C. Teng, “Hardware implementation of RFID mutual authentication protocol,” IEEE Trans. Ind. Electron., vol. 57, no. 5, pp. 1573–1582, May 2010. [43] J. Ploennigs, V. Vasyutynskyy, and K. Kabitzsch, “Comparative study of energy-efficient sampling approaches for wireless control networks,” IEEE Trans. Ind. Inf., vol. 6, no. 3, pp. 416–424, Aug. 2010. [44] J.-W. Lee, B.-S. Choi, and J.-J. Lee, “Energy-efficient coverage of wireless sensor networks using ant colony optimization with three types of pheromones,” IEEE Trans. Ind. Inf., vol. 7, no. 3, pp. 419–427, Aug. 2011. [45] M. Cereia, I. Cibrario-Bertolotti, and S. Scanzio, “Performance of a real-time EtherCAT master under Linux,” IEEE Trans. Ind. Inf., vol. 7, no. 4, pp. 679–687, Nov. 2011. [46] Y.-S. Chen, C.-Y. Yang, and T.-W. Kuo, “Energy-efficient task synchronization for real-time systems,” IEEE Trans. Ind. Inf., vol. 6, no. 3, pp. 287–301, Aug. 2010. [47] E. Barker and A. Roginsky, “Recommendation for the transitioning of cryptographic algorithms and key sizes,” CiteSeerx. USA, Jan. 2010. [Online]. Available: http://csrc.nist.gov/publications/drafts/800-131/draft-800-131_transition-paper.pdf [48] G. P. Hancke and M. G. Kuhn, “Attacks on time-of-flight distance bounding channels,” in Proc. 1st ACM Conf. Wireless Network Security, Alexandria, VA, 2008, pp. 194–202. [49] D. Singelée and B. Preneel, “Distance bounding in noisy environments,” in Security and Privacy in Ad-Hoc and Sensor Networks, F. Stajano, C. Meadows, S. Capkun, and T. Moore, Eds. Berlin, Germany: Springer, 2007, pp. 101–115. [50] J. Munilla and A. Peinado, “Attacks on a distance bounding protocol,” Computer Commun., vol. 33, pp. 884–889, 2010.
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS
[51] G. P. Hancke, “RFID and Contactless Technology,” in Smart Cards, Tokens, Security and Applications, Mayes and Markantonakis, Eds. Berlin, Germany: Springer, 2008. [52] Z. Moghadam, I. Rostami, A. S. Tanhatalab, and M. R. Ferdowsi, “Designing a random number generator with novel parallel LFSR substructure for key stream ciphers,” in Proc. Int. Conf. Comput. Design Applic., Jun. 2010, pp. 598–601. [53] G. P. Hancke, “Design of a secure distance-bounding channel for RFID,” J. Network Comput. Applic., vol. 34, pp. 877–887, 2011. [54] S. Drimer and S. J. Murdoch, “Keep your enemies close: Distance bounding against Smartcard relay attacks,” in Proc. 16th USENIX Security Symp., Boston, MA, 2007, pp. 87–102. [55] N. O. Tippenhauer and S. Capkun, “ID-based secure distance bounding and localization,” in Proc. Computer Security–ESORICS , 2009, pp. 621–636. [56] M. Flury, M. Poturalski, P. Papadimitratos, J. P. Hubaux, and J. Y. Le Boudec, “Effectiveness of distance-decreasing attacks against impulse radio ranging,” in Proc. 3rd ACM Conf. Wireless Network Security, Hoboken, NJ, 2010, pp. 117–128. [57] I. D’Souza, M. Wei, and C. Notobartolo, “Real-time location systems for hospital emergency response,” IEEE IT Professional, vol. 13, no. 2, pp. 37–43, April 2011. [58] N. O. Tippenhauer, K. B. Rasmussen, C. Pöpper, and S. Capkun, “Attacks on public WLAN-based positioning systems,” in Proc. ACM/ Usenix Conf. Mobile Syst., Applic. and Services (MobiSys), Jun. 2009, pp. 29–40. [59] A. Francillon, B. Danev, and S. Capkun, “Relay attacks on passive keyless entry and start systems in modern cars,” in Proc. Network Distrib. Syst. Security Symp., Feb. 2011. [60] L. Francis, G. P. Hancke, K. E. Mayes, and K. Markantonakis, “Practical relay attack on contactless transactions by using NFC mobile phones,” Cryptology ePrint Archive, Report 2011/618, Nov. 2011. [61] Y. Zang and L. Wu, “Application of RFID and RTLS technology in supply chain enterprise,” in Proc. Wireless Commun. Networking Mobile Computing, Sep. 2010, pp. 1–4. [62] M. Poturalski, M. Flury, P. Papadimitratos, J.-P. Hubaux, and J.-Y. Le Boudec, “Distance bounding with IEEE 802.15.4a: Attacks and countermeasures,” IEEE Trans. Wireless Commun., vol. 10, no. 4, pp. 1334–1344, Apr. 2011. [63] K. B. Rasmussen and S. Capkun, “Realization of RF distance bounding,” in Proc. USENIX Security Symp., 2010. [64] M. Kuhn, H. Luecken, and N. O. Tippenhauer, “UWB impulse radio based distance bounding,” in Proc. Workshop Positioning, Navigation Commun., 2010. [65] S. Čapkun, L. Buttyán, and J. P. Hubaux, “SECTOR: Secure tracking of node encounters in multi-hop wireless networks,” in Proc. 1st ACM Workshop Security of Ad-Hoc and Sensor Network, Fairfax, VA, 2003, pp. 21–32.
27
[66] G. P. Hancke, “Practical eavesdropping and skimming attacks on high-frequency RFID tokens,” J. Comput. Security, vol. 19, no. 2, pp. 259–288, January 2011. [67] A. M. Abu-Mahfouz and G. P. Hancke, “An efficient distributed localization algorithm for wireless sensor networks: Based on smart reference-selection method,” Intersci. J. Sensor Networks, 2012. [68] S. Lee, B. Kim, H. Kim, R. Ha, and H. Cha, “Inertial sensor-based indoor pedestrian localization with minimum 802.15.4a configuration,” IEEE Trans. Ind. Inf., vol. 7, no. 3, pp. 455–466, Aug. 2011. [69] S. Ivanov and E. Nett, “Localization-based radio model calibration for fault-tolerant wireless mesh networks,” IEEE Trans. Ind. Inf., vol. PP, no. 99, 2012. [70] B. Wang and M. MaAn, “Server independent authentication scheme for RFID systems,” IEEE Trans. Ind. Inf., vol. PP, no. 99, 2012. [71] T. Beth and Y. Desmedt, “Identification tokens—or: Solving the chess grandmaster problem,” in Proc. Adv. Cryptol., Aug. 1990, pp. 169–177.
Adnan Abu-Mahfouz (S’11–M’12) received the B.S. degree in information engineering from the University of Baghdad, Baghdad, Iraq, in 2000, and the M.Eng. and Ph.D. degrees in computer engineering from the University of Pretoria, Pretoria, South Africa, in 2005 and 2011, respectively. He is currently a Senior Research Engineer with the CSIR Meraka Institute, Pretoria, South Africa. His professional work experience includes network administration, software engineering, research assistantship, lecturer, as well as being a faculty coordinator/head at Emirates College of Technology. His research interests are wireless sensor networks, localization systems and energy conservation.
Gerhard P. Hancke (S’99–M’07–SM’11) received the B.S. and M.Eng. degrees in computer engineering from the University of Pretoria, Pretoria, South Africa, in 2002 and 2003, respectively, and the Ph.D. degree in computer science from the University of Cambridge, Cambridge, U.K., in 2008. Subsequently, he was with the ISG Smart Card Centre as a Post-Doctoral Researcher/Lead Engineer, where he managed the RF/Hardware Laboratory and was involved in the evaluation, development, and integration of smartcard systems. He is currently a Fellow with the Information Security Group (ISG), Royal Holloway, University of London, London, U.K. His main interest is the security of smart tokens and their applications, embedded/pervasive systems, and mobile platforms.
