An RFID Distance Bounding Protocol

An RFID Dstance Boundng Protocol Gerhard P. Hancke and Markus G. Kuhn May 22, 2006 An RFID Dstance Boundng Protocol p. 1

Dstance boundng Verfer d Prover Places an upper bound on physcal dstance Does not provde absolute locaton Operates on physcal characterstcs of the communcaton medum. Supplements exstng securty mechansms An RFID Dstance Boundng Protocol p. 2

RFID devces RFID Reader Power RFID Token Varous applcatons Clock Passve devces wth low resources Data Lmted range Used to lnk an tem or person to a locaton An RFID Dstance Boundng Protocol p. 3

Relay attack RFID Token Proxy Token Data Proxy Reader Smple, well known attack Crcumvents applcaton layer securty protocols RFID Reader An RFID Dstance Boundng Protocol p. 4

Relay attack demonstraton Proxy Token Proxy Reader 14443 A/B test card crcut Sgnal processng wth dscrete components Duplex RF lnk Commercal reader module Reprogrammed wth our frmware Prce $ 100 An RFID Dstance Boundng Protocol p. 5

Relay attack detecton Delay Could be reduced wth complex hardware Cannot be less than 3 ns/m Physcal layer Hgh-resoluton tmng Applcaton layer Tmng dfference between an actual token (top) and a Proxy token(bottom) response to a reader s REQA command. Tmng nformaton lost An RFID Dstance Boundng Protocol p. 6

Our Protocol Goals Suted to RFID envronment Verfer handles demandng processng functons Prover performs smple functons Provde same level of securty as other dstance boundng protocols Should not be worse because t has hardware constrants Implementaton Suggest practcal deas on how to mplement our protocol Protocol should supplement current RFID standards, not suggest wholesale changes An RFID Dstance Boundng Protocol p. 7

Protocol assumptons Securty target Places an upper bound on the dstance between Verfer and Prover Does not provde non-repudaton of locaton to a thrd party The Prover does not collude wth an attacker Crypto prmtves Shared secret key, K Shared pseudorandom functon, h Nonces N V,N P are of suffcent length and wll not be repeated An RFID Dstance Boundng Protocol p. 8

Protocol assumptons (2) Tme base Verfer s computatonally strong Perform accurate tmng operatons Prover s computatonally weak Cannot determne accurate tmng nformaton Uses external clock sgnal (receved carrer) Prover can detect large devatons n clock frequency Communcaton channels Low bandwdth error corrected channel Hgh bandwdth rapd bt exchange channel An RFID Dstance Boundng Protocol p. 9

Protocol descrpton Verfer (RFID reader) Generate nonce N V N V Prover (RFID token) An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 N V Prover (RFID token) Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) N V Prover (RFID token) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 C 1 = 0 R C = 1 R C 1 1 = 1 Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 0 0 1 1 0 1 1 1 1 1 0 1 1 0 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) N V Prover (RFID token) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 R C = 11 C 2 = 1 R C 2 2 = 1 Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 0 1 1 0 1 1 1 1 0 1 1 0 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) N V Prover (RFID token) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 R C = 110 C 3 = 0 R C 3 3 = 0 Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 1 1 0 1 1 1 0 1 1 0 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) N V Prover (RFID token) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 R C = 1101 C 4 = 0 R C 4 4 = 1 Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 1 0 1 1 0 1 1 0 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 R C = 11010 N V C 5 = 1 R C 5 5 = 0 Prover (RFID token) Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 0 1 1 1 1 0 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) N V Prover (RFID token) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 R C = 110101 C 6 = 1 R C 6 6 = 1 Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 1 1 1 0 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) N V Prover (RFID token) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 C 7 = 0 R C = 1101011 R C 7 7 = 1 Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 1 0 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) Generate nonce N V Generate random bts C 1,...,C n C = 01001100 R C = 11010111 N V C 8 = 0 R C 8 8 = 1 Prover (RFID token) Calculate h(k,n V ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer Attacker N V C = 01001100 C Expected R C 1 1 0 1 0 1 1 1 Receved R C 1 0 1 0 0 1 0 1 R C 1 0 1 0 1 0 0 1 R 0 1 0 1 0 0 1 1 0 R 1 Verfer Attacker 1 2 chance of guessng a response bt correctly An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer Malcous Prover N V C = 01001100 Expected R C 1 1 0 1 0 1 1 1 Receved R C 1 0 1 0 0 1 0 1 R C C 1 1 0 1 1 0 1 1 R 0 1 1 0 0 0 1 0 0 R 1 Verfer Malcous Prover 1 2 chance of guessng a response bt correctly An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer C = 01001100 Expected R C 1 1 0 1 0 1 1 1 Receved R C 1 1 0 0 0 1 0 1 N V C R C Attacker 1 0 0 0 1 0 0 1 R 0 0 1 0 1 0 1 0 0 R 1 Verfer Attacker Prover N V A C R A C Prover h(k,n V ) = R 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 3 4 chance of guessng a response bt correctly An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer C = 01001100 Expected R C 1 1 0 1 0 1 1 1 Receved R C 1 1 0 1 0 1 1 1 N V C R C Overclockng attack Attacker 0 1 0 0 1 0 1 1 R 0 0 1 1 1 1 0 1 0 R 1 0 1 1 1 0 1 1 0 R 1 N V A C R A C N V A C R A C Prover h(k,n V ) = R 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 h(k,n V ) = R 1 0 0 1 1 0 1 1 R 0 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 Prevented n hardware e.g. Bandpass flter An RFID Dstance Boundng Protocol p. 10

Protocol descrpton Verfer (RFID reader) N V Prover (RFID token) Generate nonce N V Generate random bts C 1,...,C n N P C = 01001100 C 1 = 0 R C = 1 R C 1 1 = 1 Overclockng attack Alternatve to hardware solutons Generate nonce N P Calculate h(k,n V,N P ) = R Splt R = R 0 R 1 1 0 0 1 1 0 1 1 R 0 0 1 1 1 0 1 1 0 R 1 0 0 1 1 0 1 1 1 1 1 0 1 1 0 An RFID Dstance Boundng Protocol p. 10

Nose Bt errors wll probably occur on the rapd exchange channel Accept f at least k bts out of n are correct False accept: p FA = n =k ( ) n ( ) 3 4 ( ) 1 n 4 False reject: p FR = k 1 =0 ( ) n (1 ǫ) ǫ n where ǫ s the bt-error probablty. An RFID Dstance Boundng Protocol p. 11

Nose (2) Example of parameter tradeoffs n the presence of nose 10 0 400 10 5 300 EER 200 k 10 10 ǫ =0.05 ǫ =0.10 ǫ =0.15 100 0 100 200 300 400 500 600 0 n An RFID Dstance Boundng Protocol p. 12

Related work t m = 2 t p + t d t m t p t d d v p d = v p tm t d 2 = round trp tme = one-way propagaton tme = processng delay = dstance = sgnal propagaton speed Dstance Boundng Protocols Beth and Desmedt (1991) Brands and Chaum (1993) An RFID Dstance Boundng Protocol p. 13

Brands and Chaum Verfer (RFID reader) Generate random bts C 1,...,C n commt(m) Prover (RFID token) Generate random bts m 1,...,m n Verfy commt Verfy sgn(m ) C R open commt sgn(m ) R = C m message M = C R... C n R n Tme round trp of sngle bt exchange Processng wth varable delay done beforehand Mnmal processng delay durng bt exchange An RFID Dstance Boundng Protocol p. 14

Brands and Chaum Verfer (RFID reader) Generate random bts C 1,...,C n commt(m) Prover (RFID token) Generate random bts m 1,...,m n Verfy commt Verfy sgn(m ) C R open commt sgn(m ),C,R R = C m message M = C R... C n R n Addtonal commt and sgn operatons Addtonal bts on slow channel In presence of nose C and R need to be transmtted An RFID Dstance Boundng Protocol p. 14

Performance vs Brands and Chaum For EER = 10 4 and ǫ = 0.1 Assume bt exchange rate = f carrer /4 Standard Tme (B and C) Tme (Our protocol) n = 70 n = 360 15693 fast 5.3237 ms 0.1062 ms 26.4 kbp/s, 13.56 MHz 15693 long 21.1687 ms 0.1062 ms 6.62 kbp/s, 13.56 MHz 14443 A/B 1.3414 ms 0.1062 ms 106 kbp/s, 13.56 MHz An RFID Dstance Boundng Protocol p. 15

Performance vs Brands and Chaum (2) For EER = 10 10 and ǫ = 0.05 Assume bt exchange rate = f carrer /4 Standard Tme (B and C) Tme (Our protocol) n = 125 n = 440 15693 fast 9.5066 ms 0.1298 ms 26.4 kbp/s, 13.56 MHz 15693 long 37.8012 ms 0.1298 ms 6.62 kbp/s, 13.56 MHz 14443 A/B 2.3954 ms 0.1298 ms 106 kbp/s, 13.56 MHz An RFID Dstance Boundng Protocol p. 16

Postonng technology Postonng Technology used today Rado Frequency Secure but complex Ultrasound Appear closer by relayng data wth faster RF lnk Receved Sgnal Strength Amplfed sgnal appears closer An RFID Dstance Boundng Protocol p. 17

Resoluton Estmate r B c, where B s the channel bandwdth RFID communcaton nadequate e.g. for ISO 14443 at 106 kbp/s, r 3 km Ultra Wdeband Pulses Hgher bandwdth equals better resoluton RFID mplementaton ssues Error free operaton requres hgh resources e.g. synchronzaton, bt placement Crude mplementaton possble but would allow bt errors Suffcent for bt exchange channel Not to be used for normal communcaton An RFID Dstance Boundng Protocol p. 18

Proposed bt exchange channel Carrer wave Use carrer for loose synchronzaton e.g. Zero crossng An RFID Dstance Boundng Protocol p. 19

Proposed bt exchange channel Carrer wave Challenge pulse C t t t r t p Reader (Verfer) adjusts t t to match samplng delay t r n the token (Prover) An RFID Dstance Boundng Protocol p. 19

Proposed bt exchange channel Carrer wave Challenge pulse C Response pulse R C t t t r t p t d t d s a predctable hardware delay An RFID Dstance Boundng Protocol p. 19

Proposed bt exchange channel Carrer wave Challenge pulse C Response pulse R C t t t r t p t s t d t p d = c (t s t t t d )/2 An RFID Dstance Boundng Protocol p. 19

Concluson Few more bt exchanges to acheve same cryptographc securty Chance of attacker guessng correct response 3 4 vs 1 2 Faster operaton Extra bts transmtted on faster bt exchange channel Much less data transmtted on slow error corrected channel Practcal mplementaton suted for RFID Low power and processng requrements for Prover Tmng-senstve measurements and adjustments done by the Verfer Faster completon of protocol suted for RFID envronment An RFID Dstance Boundng Protocol p. 20

Future work Practcal mplementaton Pseudorandom functons suted for RFID devce Rapd bt exchange channel UWB antennas for card form factor Mutual dstance boundng protocol For applcatons where llegtmate readng attempts are more common e.g e-passports An RFID Dstance Boundng Protocol p. 21