Distance Bounding: A Practical Security Solution for Real-Time Location Systems

   October 21, 2013    Comments Off on Distance Bounding: A Practical Security Solution for Real-Time Location Systems    Posted in: Final year projects

16 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
Distance Bounding: A Practical Security Solution for
Real-Time Location Systems
Adnan Abu-Mahfouz, Member, IEEE, and Gerhard P. Hancke, Senior Member, IEEE
Abstract—The need for implementing adequate security services
in industrial applications is increasing.Verifying the physical proximity
or location of a device has become an important security
service in ad-hoc wireless environments. Distance-bounding is a
prominent secure neighbor detection method that cryptographically
determines an upper bound for the physical distance between
two communicating parties based on the round-trip time of
cryptographic challenge-response pairs. This paper gives a brief
overview of distance-bounding protocols and discusses the possibility
of implementing such protocols within industrial RFID and
real-time location applications, which requires an emphasis on aspects
such as reliability and real-time communication. The practical
resource requirements and performance tradeoffs involved
are illustrated using a sample of distance-bounding proposals, and
some remaining research challenges with regards to practical implementation
are discussed.
Index Terms—Distance-bounding, proximity authentication,
real-time location, RFID, secure neighbor detection (SND), secure
ranging, wireless.
I. INTRODUCTION
THE security of industrial applications has become a topic
of increasing significance with the importance of basic security
services such as authentication, integrity, and confidentiality
generally being recognized. In some application, however,
there is also a need for additional services that are not immediately
obvious. For example, in wireless communication, it
is commonly assumed that a communication neighbor, i.e., a
device reachable for communication, is the same as a physical
neighbor. This assumption is based on the fact that these devices
are within communication range and that communication range
is location limited, which implicitly proves physical proximity
[1]. In a hostile environment, this assumption no longer holds
as a fraudulent device can manipulate the communication range
and pretend to be a neighbor. As a result, a device might interact
with a fraudulent device pretending to be its neighbor,
placing it in a privileged position from where it could adversely
affect the intended services. Verifying the physical proximity
Manuscript received September 22, 2011; revised January 02, 2012, March
30, 2012, and June 10, 2012; accepted June 14, 2012. Date of publication
September 11, 2012; date of current version December 19, 2012. Paper no.
TII-11-559.
A. Abu-Mahfouz is with the University of Pretoria, Pretoria, Gauteng, 0002,
South Africa (e-mail: aabumahfouz@csir.co.za).
G. P. Hancke is with the University of Pretoria and the Information Security
Group (ISG), Royal Holloway, University of London, Egham TW20 0EX, U.K.
(e-mail: ghancke@ieee.org).
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TII.2012.2218252
of another device, through the use of secure neighbor detection
(SND) method, has therefore become important in wireless
network environments [1]. Supply chain and item tracking
using radio frequency identification (RFID) technology and related
real-time location (RTLS) systems are further examples
of industrial applications that rely heavily on the notion of device
proximity [2]–[7], [70]. The operational range of typical
RFID tags used in such applications are known to be between
10 cm, for high-frequency (HF) tags, to 10 m for ultrahigh-frequency
(UHF) devices. The assumption is therefore made that,
if a reader manages to communicate with a tag, then the location
of the tags in close physical proximity to the location of
the reader [66]. Suppose a fraudulent party removed a valuable
asset and replaced it with an inexpensive radio transceiver that
simply relays the commands from an RFID reader to the real tag
embedded in the asset and then forward the real tag’s response
back to the reader. In this case, the reader will still consider the
asset to be in close proximity, as there is still an entity that appears
exactly the same as the real tag from a communication
perspective. This scenario, discusses further in Section II, has
been practically demonstrated against real-world RFID systems
[8].
The secure verification of a devices’s location relative to
another device, so-called secure neighbor detection, is therefore
crucial to the secure and reliable operation of industrial
real-time location applications [9]. Distance bounding determines
an upper bound for the physical distance between two
communicating parties based on the round-trip time (RTT) of
cryptographic challenge-response pairs, thereby cryptographically
verifying the physical proximity of two devices. Brands
and Chaum proposed the first true distance-bounding protocol
[10] and numerous new protocols have been proposed since,
a number of which place particular emphasis on the fact that
distance-bounding protocols should be implemented in RFID
applications, e.g., [11], [12]. In the RFID environment, it can be
used to cryptographically prove the proximity of a RFID token
to a reader, while in RTLSs its ability to verify the physical
proximity of an “item” makes it a key building block in secure
localization methods.
Although there has been extensive theoretical work on constructing
distance-bounding protocols in recent years, the question
of whether this approach is ready to be implemented in realworld
RFID an RTLS applications still remains largely unanswered.
Distance bounding would provide security benefits and
facilitate a range of dependable services, but at what extra cost
to resources, real-time performance, and reliability? There are
also multiple protocol designs to choose from, and system engineers
should be made aware of possible tradeoffs and be able
1551-3203/$31.00 © 2012 IEEE
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS 17
to effectively evaluate existing proposals with the purpose of
choosing the best solution for their application.
The purpose of this paper is not to provide an in-depth, theoretical
analysis and state-of-the-art survey of different distancebounding
protocol designs. Rather, this should be seen as a position
paper that highlights the importance of securely determining
device proximity in industrial RFID and RTLS applications,
provides a short tutorial on the theoretical concepts and
use of distance-bounding protocols, and discusses the aspects
of practical implementation along with unresolved issues for future
research.A short overview of SNDmethods andmotivation
for the use of distance-bounding in industrial applications are
provided in Section II. The basic technical concepts of distancebounding
protocols are covered in Section III. In Section IV,
possible industrial requirements of distance-bounding protocols
are defined, a selection of protocols is evaluated against these requirements,
and remaining practical challenges are addressed.
II. SECURE NEIGHBOR DETECTION (SND)
There are a number of possible approaches to implementing
SND, such as directional antennas, RF fingerprinting, centralized
systems, location-based systems, and distance bounding
[1].
Directional antennas triangulate position using angle-of-arrival
(AoA), which requires static reference nodes with antenna
arrays providing fixed reference directions, e.g., [14]. To be secure,
these nodes must also have synchronized clocks to ensure
that a transmission was made to multiple reference nodes
at the same time, i.e., from the same location. Time synchronization
to the accuracy required for distance estimation is a
challenge in wireless networks. To determine the distance to another
node would also require the node to be covered by at least
two reference nodes. This limits the topology and the connection
structures to a network “cloud,” where all nodes are covered
by multiple reference nodes, which does not allow for the
point-to-point connection between a RFID reader and tag.
Centralized approaches work on the assumption that there are
many nodes that can collaborate and aggregate data to a central
system controller, which can check for suspicious node placement
by building and analyzing system-wide node connectivity
graphs. For example, if two nodes receive the same transmission
it is impossible for that transmitting node to be within the
communication range of both, e.g., [15], [16]. The effectiveness
of these approaches relies on the network consisting of a large
number of nodes capable of providing simple ancillarymeasurements
This method is therefore not as effective when a limited
number of nodes, e.g., a point-to-point RFID link or device localization
using RTLS with only three reference nodes.
RF fingerprinting characterizes the physical communication
channel aspects of a node to generate a unique identifier that
is difficult to forge, e.g., [17]. This is a promising approach to
uniquely identifying nodes. However, each device needs to be
characterized and, if nodes are mobile and subject to varying
multi-path and path-loss effects, the fingerprint might need to
be revised often. This reduces the practicality of using fingerprinting
in ad-hoc environments where connections are often
made to new nodes, i.e. new RFID-tagged item entering supply
chain.
Location-based methods require that the physical location of
each node is known at node level, e.g., each node is equipped
with a GPS unit, or at a system level using a localization
scheme. Examples of such systems are described in [18]. Determining
the location at a node level requires additional network
infrastructure and resources, especially indoors where GPS is
not as effective, and a system-wide localization scheme has the
same disadvantages as previously discussed for centralized approaches.
Localization schemes still rely on accurate neighbor
detection, and several secure localization proposals use, or
could use, distance-bounding protocols for the underlying
distance estimation between nodes [19], [67]–[69].
Distance bounding provides assurance as to the physical
proximity of two nodes. A distance-bounding protocol can be
performed locally between any two nodes with no collaboration
with other network entities. Although this approach requires a
node that can make RTT measurements, i.e., needs a suitable
RF channel and an accurate albeit unsynchronized clock,
it requires minimal prior relationship between participating
entities and is effective within any communication topology.
For example, it would be as suitable for a RTLS with multiple
reference nodes bounding the distance to a device and for
conventional RFID where only two entities, the reader and tag,
need to verify their proximity.
III. DISTANCE-BOUNDING PROTOCOLS
Distance bounding only involves two parties, a prover and a
verifier, and provides the verifier with cryptographic proof as to
the maximum physical distance to the prover. The verifier relies
exclusively on information gained from executing the protocol
with the prover. As the verifier requires a reliable and secure
estimate of the distance to the prover, distance-bounding protocols
should be integrated into the underlying communication
channel. The security of the protocol therefore not only depends
on the cryptographic mechanisms but also on the physical attributes
of the communication channel that are used to measure
proximity. This section starts by explaining the need for distance
bounding. Distance-estimation methods are discussed next, followed
by protocol design aspects. This section serves only to
introduce the basic principles of distance bounding. For a more
formal analysis framework and extended overview of these protocols,
the reader could refer to [20] and [21].
A. Need for Distance Bounding in Industrial Applications
As discussed in Section IV and stated in [9], the verification
of a node’s physical proximity to another node is crucial to the
secure and reliable operation of industrial RFID and RTLS applications.
Here, we discuss the attacks addressed by distance
bounding and demonstrates the threats posed by these attacks
by means of providing practical examples of security issues that
can arise in RFID and RTLS applications. It is also shown that
basic security services such as authentication and confidentiality
do not sufficiently address these threats.
There are three main types of attacks, shown in Fig. 1, which
can be prevented by distance-bounding protocols—distance
fraud, mafia fraud, and terrorist fraud. Distance fraud occurs
when a fraudulent prover wants to convince the verifier that
it is in close proximity, although this is not actually the case.
18 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
Fig. 1. Main attacks that distance-bounding protocols aim to prevent. (a) distance
fraud, (b) mafia fraud, and (c) terrorist fraud.
Fig. 2. Distance fraud in RTLS.
A practical example of how this could affect a RTLS with
three reference nodes is shown in Fig. 2. In this example, three
nodes , , and are required to report the location of
node P based on the received signal strength of their respective
communication with node P. If P was fraudulent, it could
easily pretend to be at position by attenuating its signal
when communicating with (appearing further away) and
increasing the signal when communicating with (appearing
closer). Encrypting data or authenticating P does not prevent
this fraud as P is seen as a legitimate node in the network and
in possession of the key material to both correctly encrypt/decrypt
data and authenticate itself to the other nodes. Distance
bounding detects whether a fraudulent prover is pretending
to be closer to the verifier than is the case. If the localization
system used distance bounding, P would not be able to appear
closer to and would therefore be unable to effectively spoof
a chosen location.
In mafia fraud, the prover and the verifier are honest
and far apart, and a third party attacker makes it appear as if
they are in close proximity. The attacker used a proxy prover
and proxy verifier interacting with the honest verifier
and prover, respectively. These proxies simply relay all communication
between and , thereby creating an extended the
communication link between them. If the verifier operates on
the plain assumption that prover is in close proximity if it
can successfully be reached for communication, and then that
attacker succeeds in convincing the verifier that the prover is in
close proximity. Conventional security services cannot prevent
this attack as the proxies do not need to decrypt or encrypt communication,
they forward on data as is, nor do the proxies need
to authentication themselves to the prover and verifier, as they
are effectively a transparent communication link. Mafia fraud
was first described by Desmedt [22], but this attack scenario
has also been described as a wormhole or a relay attack [8],
Fig. 3. Mafia fraud (relay attack) in RFID asset tracking system.
[10], [23]. Mafia fraud is detected by distance-bounding protocols
as the attacker introduces additional delay into the RTT
measurement, e.g., even if theoretically the attacker’s hardware
introduces no delay the time taken for the relayed data to propagate
the extra distance will add to the RTT.
Mafia fraud has already been successfully demonstrated in
real-world RFID applications [10]. This has security implications
for industrial supply chain and real-time location systems
based on RFID technology, as illustrated in Fig. 3. Since the
reader operates on the assumption that it can only read tags in
close proximity, based on the expected operating distance of
RFID systems, an attacker, using two relaying proxies, can convince
a RFID reader that a tagged item is in close proximity,
even though a tagged item is actually at another physical location.
This compromises the reliability and accuracy of the
system, and, in effect, this would allow an attacker to remove
a valuable item from location it is meant to be without this action
being detected. Reader-tag authentication does not prevent
this threat. The proxy tag does not need to authenticate itself
to the reader as an authentication request will be relayed to the
real tag, and the legitimate response will be relayed back to the
reader.
In terrorist fraud, a third party attacker and a dishonest prover
collaborate in attacking the system. The fraudulent prover, who
is far from the honest verifier, assists an attacker, who is located
close to the verifier, to masquerade as the prover by providing
the attacker with selected cryptographic information [24]. In
order to discourage terrorist fraud, some distance-bounding protocols
ensure that in revealing the response the fraudulent prover
will inherently reveal valuable information, such as a long term
secret key, about itself, a principle first suggested in [25]. Terrorist
fraud is a more theoretical attack, with limited practical
significance in the context of industrial RFID and RTLS applications.
1) Practical Use Case: Real-Time Location Systems (RTLS):
RTLS are automated systems that determine the locations of assets.
RTLS systems are being increasingly relied upon to continually
monitor items of high value within industrial applications.
‘High Value Asset Security’, as it is referred to by the Association
for Automatic Identification and Mobility (AIM), is important
for secure and efficient supply chain management and
manufacturing, where it is used to keep track of expensive parts,
equipment and final products. In some cases, an RTLS is directly
integrated within other industrial processes, e.g., the Eximia
Meerkat1 monitoring systems integrates real-time location
information with distributed control systems (DCS) and supervisory
control and data acquisition (SCADA) information. Beyond
core “industrial” use, RTLS is used extensively in health
1[Online]. Available: www.eximia.it
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS 19
applications [57] where a similar importance is attached to reliability
and security. A RTLS basically consists of a number
of tags, attached to items, which are localized with the assistance
of several observation nodes placed at known locations. A
RTLS system can be implemented using a variety of underlying
technologies. Examples of current commercial implementations
include conventional passive RFID technology2 and system architecture,
wireless network architecture using IEEE 802.113,
Ultra-Wideband (UWB)4 or IEEE 802.15.45, or a combination
of these technologies6.
Even though location systems provide a security service,
e.g., ensuring assets remain in authorized areas, these systems
incorporate minimal, if any, security mechanisms. In
recent times, the security of location systems has come under
increasing scrutiny and several practical attacks have been
demonstrated against real-world systems. For example, it has
been shown that it is practical to circumvent the IEEE 802.11
location system in iPhones and iPads [58], allowing an attacker
spoof a location of his choice. Distance fraud and mafia fraud
are two attacks, which are detected through the use of distance
bounding, of particular interest to RTLS applications. The basic
characteristics of these attacks were discussed in the previous
section, so here we discuss only how they could be applied
to a RTLS. An attacker uses distance fraud to appear closer,
or further away, from an observing node. As was shown in
Fig. 2, this could allow an attacker to spoof the location of an
asset. This results in the RTLS losing track of the item’s real
location and allows the asset to be removed from its intended
location. It has been shown [27], as can be seen in Fig. 2, that
an entity localized through trilateration cannot successfully
misrepresent its location without “decreasing” the distance to
at least one of the observing nodes. For example, this could
be achieved in a system basing distance estimates on received
signal strength (RSS) by attenuating the signal to a chosen
observer. Distance-bounding protocols prevent an attacker
from appearing closer to the verifier, thereby detecting an
attack of this nature.Mafia fraud, as previously shown in Fig. 3,
have become increasingly feasible and have been practically
demonstrated against a number of real-world systems [8],
[54], [59], [60]. In each case, it was shown that an attacker
could construct an inexpensive “proxy” of the item using
either custom or off-the-shelf hardware. This proxy continues
to relay communication between the item and the observing
node/s even though the item has been removed, resulting in
the RTLS reporting the location of the proxy as the location
of the legitimate item. Distance-bounding protocols would
detect the use of the proxy, based on the increased RTT to the
legitimate item. Studies, such as [61], have shown that RTLS
offers significant benefits in terms of cost and efficiency. These
benefits can only be derived if there is an assurance as to the
integrity of the RTLS information. Considering the importance
of RTLS to industrial applications and the current feasibility
2[Online]. Available: www.odinrfid.com
3[Online]. Available: www.ekahau.com
4[Online]. Available: www.ubisense.net
5[Online]. Available: www.locatingtech.com
6[Online]. Available: www.aeroscout.com
of attacks, industrial system engineers should follow the trend
in other sectors and start addressing security issues in location
systems.
B. Securely Estimating Physical Distance
There are a number of approaches and proposals for estimating
the distance between devices, but these are not necessarily
designed to be secure, e.g., [26]. Time-of-flight (ToF)
and received signal strength (RSS) are often used for distance
estimation between two nodes. However, RSS is not a secure
method since attackers can easily alter the perceived distance by
either amplifying or attenuating a signal. ToF measures elapsed
time for a message exchange and then estimates the distance
based on the communicationmedium’s propagation speed. Both
radio frequency (RF) and ultrasound channels (US) have been
used in ToF systems. The propagation speed of sound is much
slower than that of radiowaves.As a result, an attacker can intercept
the U.S. communication and forward it over a faster radio
or optical communication medium to an accomplice closer to
the verifier or prover, thereby reducing the time measurement
and decreasing the distance estimate. RF channels are therefore
proposed as the channel of choice for implementing distance-
bounding systems.
There are two well-known examples of how ToF is generally
used to determine distance: time of arrival (ToA) and RTT. In
ToA systems, the estimate is made purely on data transmitted in
one direction from the prover to the verifier. The distance between
two devices can be calculated as , where is
the propagation speed and is the one-way propagation time
between the transmitter and the receiver. A distance-bounding
protocol using this approach could possibly be implemented
as follows if both the verifier and the prover share a common,
high-precision time base, e.g., secure GPS receivers: The verifier
sends out a challenge at time , which the prover receives
at time . The prover then replies with a message-authenticated
data packet , where is the challenge he
received. The verifier checks the message-authentication code
of this packet with the shared key and also whether ,
where is the upper bound for the distance and is the speed
of light. An attacker relaying the challenge would introduce
extra propagation delay, which would be reflected in , and,
as a result, the verifier would conclude that the prover is outside
the allowable distance bound. There are, however, some problems
with this implementation. An accurate time-base shared
between devices is difficult to achieve so thismethod is not practically
feasible, especially in RFID. This protocol also assumes
that the prover is a trusted entity, thusmaking the prover responsible
for taking the time measurement. There are no measures
in place to prevent the prover from committing distance fraud
by lying about and appearing closer to the verifier as a
result. From a security perspective this is not acceptable, as a
distance-bounding protocol should provide the verifier with reliable
proof that the prover is actually within a certain distance,
even in cases where the prover is not trusted.
The problem of maintaining a shared time-base in both the
verifier and the prover could be addressed by making distance
20 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
measurements based on RTT. In RTT systems, only the verifier
is required to maintain an accurate time-base and the prover
is also no longer responsible for providing the security critical
time measurements. The distance between the prover and verifier
can be calculated as with
where is the propagation speed, is the one-way propagation
time, is the measured total RTT and is the prover’s processing
delay between receiving a challenge and sending a response.
Adistance-bounding protocol using RTT could possibly
be implemented as follows. The verifier again sends a challenge
at time , which the prover receives at times . Once
the challenge is received, the prover sends a response in the
opposite direction at time , which the verifier
receives at time . The verifier determines
, checks that the response is correct, and finally confirms
that , where is once again the upper bound for
the distance. Although this protocol is an improvement on the
first example, extra care must be taken to specify the nature of
the response. If the prover simply echoed the challenge received
, it would provide limited security as any attacker, who controlled
a proxy device close to the verifier, would be able to do
this and achieve an acceptable measurement . Ideally,
the response should depend on the challenge, i.e., .
If this was not the case, and was merely a random nonce
agreed on beforehand between the prover and verifier, a fraudulent
prover could send before receiving and thus decrease
the RTT. Specifying that is a function of forces the prover
to wait until he receives the challenge and prevents him from
preemptively transmitting its response.
C. Protocol Design
Since Brands and Chaum first described distance-bounding
protocols in 1993 [10], a number of protocols have been published
that allow a verifier to determine an upper bound on the
physical distance to a specific prover. These proposals can be
classified by how they implement different stages of the distance-
bounding process, with most protocols consisting of three
basic stages: The setup stage where the verifier and prover prepare
for the exchange stage, the timed exchange of challenge
and response data, and the verification stage that ensures that
the exchange step has been executed faithfully. In the literature,
three different types of distance bounding proposals can be identified
[21], [27], described as follows.
Timed authentication protocols are the simplest form of
ToF-based distance bounding, with the verifier timing normal,
authenticated data exchanges. The basic idea is to execute a
challenge-response authentication protocol under a very tight
time-out constraint, which was a concept first proposed by
[71{]. For example, a verifier transmits a random -bit
nonce to the prover , who replies with a
message-authentication code , where is a keyed
pseudorandom function and is a shared secret key. These
protocols generally time an exchange without considering
variations in the processing time of the response or the format
of the challenge and response [13], [28]. The possible variations
in the processing delay therefore affects the time
measurement, which in turn causes the distance bound to be
unreliable. For example, a node that usually takes 100 ms to
Fig. 4. Brands and Chaum’s protocol.
compute a public-key signature and has a 1% (1 ms) processing
time variation could theoretically cause a 333-km error in the
distance estimate when an RF channel is used. Furthermore,
a fraudulent prover has scope to speed up the processing time
and transmit its response earlier than expected.
In contrast, pre-commitment or pre-computation protocols
aim to reduce or accurately predict the processing delay
by making the prover decide on possible responses before the
exchange stage. As a result, the prover only has to choose
a response based on the challenge received from the
verifier during the exchange stage, so is significantly reduced.
These protocols generally propose that the function
is implemented using a simple XOR or lookup table
(LUT) operations to minimize variation in . In protocols
using pre-commitment, the prover prepares possible responses
during the setup stage. For example, the verifier generates a
random challenge bit string, , while the
prover generates a response string . The
prover commits to , e.g., by transmitting a collision-resistant
message authentication code . The verifier then sends
one after another, which the prover receives as . It then
instantly replies with a bit , which is calculated
by XOR-ing each received challenge bit with the corresponding
bit of . Finally, the prover reveals and authenticates ,
i.e., prover sends message authentication code to
the verifier. An example of this approach is the protocol [10],
shown in Fig. 4.
In protocols using pre-computation the prover and the
verifier calculates the possible response strings before the
exchange stage starts. For example, the verifier and the prover
first exchange nonces and . Both the prover and the
verifier then use a pseudorandom function and a shared key
in order to calculate two -bit response strings and
Since the verifier also knows and at this stage, the
prover is effectively committed to two response strings without
explicitly making a commitment during setup. As a result, the
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS 21
prover does not have to open its commitment during the verification
stage, thereby decreasing the transmitted data and the execution
time. An example of this approach is presented in [11],
where generates and sends an unpredictable random challenge
bit , to which respond instantly with a bit from either
or based on the value of . During the verification
stage, the verifier checks that the received responses match the
possible responses it calculated during the setup stage.
IV. EVALUATING AND CHOOSING DISTANCE-BOUNDING
PROTOCOLS FOR YOUR APPLICATION
The implementation of distance-bounding protocols can
differ in a number of ways. As a result, characteristics like
attack resistance, resource requirements and execution time
varies for each protocol. Here, the proposed protocols by
Brands and Chaum (BC) [10], Čapkun et al. (CBH) [65],
Hancke and Kuhn (HK) [11], Reid et al. (RNTS) [29], Tu and
Piramuthu’s (TP) [30], Munilla and Peinado (MP) [12], Kim
and Avoine (KA) [31], Kim et al. (KAKSP) [32], Meadows
et al. (MSC) [33], Avoine et al. (MUSE) [34], Avoine and
Tchamkerten (AT) [35], and Peris-Lopez et al. (Hitomi) [36]
are evaluated with regard to industrial application. All of these
protocols adhere to the principles of secure distance bounding,
as defined in [27]. The basic evaluation requirements with
regard to industrial applications are security [37], [38], reliability
[39], [40], resource cost [41], [42], energy efficiency
[52], [53], and execution time [43], [44]. The intention is not
to provide a complete list of distance-bounding protocols in
literature, but rather a cross section or sample that illustrates
the capabilities of this protocol family with regards to industrial
applications. Security-sensitive industrial applications are
likely to implement services such as authentication, integrity,
and confidentiality in addition to secure neighbor detection. For
the purpose of generating quantitative results for evaluation
and discussion, a device is assumed to already implement
standardized cryptographic algorithms, as set out below, which
will simply be reused for distance bounding. Similarly, it is
assumed that the key management infrastructure used for generating
and distributing keys for authentication, integrity, and
confidentiality services could also support shared symmetric
keys for distance bounding. Therefore, distance bounding does
not introduce any additional algorithms or key management
requirements beyond what is already reasonably available in a
security sensitive application. Although certain devices, e.g.,
resource-constrained nodes or RFID tags, might currently be
incapable of performing such functions it is in our opinion
necessary to evaluate practical implementation issues based
on the cryptographic parameters that are most likely to be
used within secure, industrial applications in the long term.
The recommendations for choosing secure algorithms through
to the year 2030 by the National Institute of Standards and
Technology (NIST) [47] is therefore used as a benchmark. For
a symmetric encryption operation AES128 is recommended so
a shared key, , and a result are 128 bits in length,
and data are encrypted in blocks of 128 b. The pseudorandom
function is implemented as a SHA-256 hash function, which
has equivalent 128-b security and an output of length 256 b. It
is unlikely that low-resource devices will contain a true random
number generator. It is therefore assumed that a pseudorandom
number generator is available, which will have similar resource
requirements as an optimized hash function or symmetric
cipher. A summary of the protocol characteristics using these
parameter values are shown in Table I. If required, the reader
can calculate the transmitted data (TD) and memory needed
for a different system design by assigning that system’s cryptographic
parameter values and
substituting these values into the equations given in Table II.
Table II summarizes the maximum amount of memory required
and the amount of data bits required to be sent by the prover
and verifier for each protocol. The figures provided here for
attack success probability, memory use, and transmitted data
bits are as provided in listed literature sources and have not
been subjected to further analysis.
A. Reliability
Industrial applications are required to be reliable, and any related
protocols need to be suitably robust to operate in harsh environments.
It should be noted that all of the protocols evaluated
in this section require the transmission of a single data symbol
during the timed exchange stage. The reason behind this choice
is that conventional communication channels introduce latency
at the physical, e.g., demodulation and decoding, and packet,
e.g., framing bits, layers. It is possible for an attacker to take
advantage of this latency to obscure distance and mafia fraud attempts,
as demonstrated in [27] and [48]. A distance-bounding
protocol therefore needs to implement a special channel for the
exchange stage or, alternatively, accept the risk of attack and use
a single, multi-bit symbol exchange. Both of these aspects are
discussed further in Section V.
In harsh environments, communication during the setup and
verification stages can be transmitted via robust communication
channels. However, taking into account the channel constraints,
it is likely that bit errors will occur during the exchange stage.
Without sufficient error-handling the protocol will fail, and it
will either require that the protocol executes again or cause the
disruption of subsequent services. These scenarios are not acceptable
in systems delivering critical services, often with associated
real-time constraints.
Hancke and Kuhn [11] proposed that protocols simply handle
errors by defining a bit-error threshold and that the protocol
therefore successfully completes even if some responses are incorrect.
Although this method can be applied to precomputation
protocols, with no verification stage, without any modification,
these authors also pointed out that other protocol designs can
also implement the threshold method, as long as the challenge
bits received by the prover and the response bits sent by the
prover are transmitted over an error-corrected channel during
the verification stage. An alternative for precommitment protocols
is to use error-correcting codes (ECC) as proposed by
Singelée and Preneel [49]. is applied to the
generated strings’ response string and this results in a new
string. The protocol now continues exactly as before except that
there are now timed bit exchanges instead of . After the
bit exchanges, the verifier reconstructs from the challenges it
sent and the correct any bit errors in the reconstructed . The
22 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
TABLE I
COMPARISON OF SELECTED DISTANCE-BOUNDING PROTOCOLS
Functions required, number of times each functions must be calculated and total number of clock cycles needed to execute the protocol from prover’s side.
Memory optimized (multi-tree) version with a trees of depth , instead of single memory tree with depth . Require 4080 bits to populate
trees for , so 16 256-b iterations of required.
verification stage then proceeds as normal. The disadvantage
of using ECC for error resistance is that it increases the protocol
execution time. This is a result of the node performing
additional ECC calculations and also transmitting additional
redundant bits, which is used to detect and correct bit errors
in the challenge and response strings. Recently, Munilla and
Peinado [50] proposed two effective attacks against the Singelée
and Preneel’s (SP) protocol. These two attacks increase
the adversary’s success probability. Moreover, they showed
that as the number of allowed failures increases, the false
acceptance probability of the ECC method is higher than that
of the threshold method.
All results in Section IV assume that the protocols incur the
extra overhead to implement the threshold method for error resistance.
Table I indicates which protocols can implement this
method as is, and which need to transmit additional data during
the verification stage.
B. Resource Cost
Real-world industrial applications are cost sensitive. As discussed
in earlier sections, secure proximity services would be
of most benefit to RTLS and RFID applications where tags are
meant to be plentiful and inexpensive. It is therefore important
to consider the hardware resources required by distancebounding
protocols.
The first hardware cost incurred is resources dedicated to implementing
the basic cryptographic functions. From Table I, it
is evident that all of the protocols require at least a pseudorandom
function (hash or encryption) and a random number
generator. Some of the protocols also require a symmetric encryption
function. These functions are found in devices with
limited resources, such as contactless smart cards [51], so it is
not infeasible to implement these functions on hardware platforms
that are optimized for cost, such as sensor nodes or certain
RFID tokens. Implementing cryptographic functions in severely
constrained environments, such as disposable RFID tags,
remain a challenge, but there is significant research addressing
this area, e.g., [42].
The second tangible resource is that of data memory, i.e.,
the maximum amount of data that needs to be stored. During
the protocol execution several values, such as nonces, keys,
challenges, and possible responses must be stored in working
memory. As can be seen from the results in Table I, memory
requirement vary between 40 and 548 bytes, with nine out of
12 protocols needing less than 128 bytes. These are not negligible
values in embedded processors, but memory requirements
are also directly proportional to the number of bits exchanged,
as is evident from Table II, so a system engineer would be able
to tailor the protocol implementation to the memory available
by choosing the right protocol and/or decreasing the level of
security.
C. Energy Efficiency
In some applications, system engineers need to optimize the
design to preserve limited power sources. For example, RFID
tags’ power is limited to the harvesting of energy off the reader’s
transmitted carrier while an active RTLS tag needs to optimize
its power use to increase its lifetime.
Table I shows the minimum amount of bits that are transmitted
between the verifier and the prover during each protocol
execution. This considers only data transmission essential to
protocol execution and does not take into account any formatting
or integrity verification data that might be added by the underlying
communication channel during the setup and verification
stage. The data transmitted for the sample protocols vary
between 256 and 1408 b. Furthermore, Table II clearly shows
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS 23
TABLE II
MEMORY AND TRANSMITTED DATA
Memory optimized (multi-tree) version with trees of depth ,
instead of single memory tree with depth
that the number of bits transmitted is proportional to the number
of bits exchanged so if the application is energy sensitive the
transmission can be optimized by choosing a suitable protocol
and/or decreasing the level of security.
D. Execution Time
Industrial systems often have real-time requirements, where
the application’s capability to adhere to timing constraints is
critical to the reliability of the system. For example, an RFIDenabled
supply chain system might need to determine the proximity
of each item-level tag, while these items are moving past
in a vehicle, or on a conveyor belt. RFID readers should therefore
be capable of reading tags within a limited time, which
would place constraints on time taken to execute the tag communication
protocol.
The main factors influencing execution time is the transmission
time, i.e., the time required to transmit data, and the processing
time, i.e., the time needed to perform the cryptographic
functions. Quantifying the relative execution time in terms of
the transmission time is relatively simple as it is the transmitted
bit period times the total number of bits transmitted, as discussed
in Section IV-D. Accurately quantifying the processing time is
not straight forward as this depends on a number of factors,
which are difficult to generalize. Such factors include:
• platform capability—processor architecture, memory, and
system clock;
• cryptographic algorithm implementation—designs can be
optimized for speed, memory consumption, or cost/area,
i.e., physical integrated circuit space.
As a result, a simplified approach is taken whereby the basic
protocol functions required are classified as a pseudorandom
TABLE III
EXECUTION TIME
number generation process, as a pseudorandom manipulation
process or as an encryption process. To illustrate the relative
complexity of each process, the number of computational cycles
needed for each process is listed, as shown in the benchmarking
figures for the widely used Crypto++ open-source library. As
defined earlier in Section IV, SHA-256 is used as the pseudorandom
function F, requiring 512 cycles for a 256-b result,
and AES-128 is used for encryption, requiring 718 cycles for
a 128-b result. Pseudorandom number generation in embedded
systems are often implemented using a linear feedback shift register
(LFSR) design [52]. As the core component is a shift register,
it is realistic to estimate that an -bit number generator
would require instruction cycles. How this relates to execution
time depends on the device in question, e.g., an FPGA could
update the LFSRonce a clock cycle whereas a single instruction
cycle on an embedded microcontroller will take clock cycles,
where depends on the device architecture.
Table I provides a summary of the processes computed by
the prover for each protocol and the total number of cycles
needed. Taking into consideration a very prudent estimate of
device capability, assuming a 1-MHz processing clock x
and 25-kbps communication channel, the execution time of the
protocols are as shown in Table III.
E. Security
The primary purpose of implementing a distance-bounding
protocol in any application is to provide a security service. In
order to illustrate the security of distance-bounding protocols
given a fixed number of challenge-response exchanges,we compute
the respective success probabilities of an adversary to perform
distance, mafia, and terrorist fraud with the number of exchanges
. The successful attack probability equations for
each protocol are shown in Table I, and the resultant probabilities
in the benchmark system are shown in Table IV.
Protocol proposals often do not consider all three main attacks
to have equal priority. The majority of the protocols do
not address terrorist fraud, although this is to be expected since
this attack is impossible to prevent as such. The protocol can
only discourage the prover from participating in this attack by
24 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
TABLE IV
SUCCESS PROBABILITY OF AN ADVERSARY (SPA)
ensuring that the collaborating prover reveals its longterm secret
key to the third party attacker he assists. The attack success
results listed in these proposals are therefore not the probability
that the verifier is fooled, but rather the probability that the
prover can assist in the attack without losing its secret. It should
also be noted that two protocols, MP and KA, are explicitly designed
to have good mafia fraud resistance, at the expense of
distance fraud resistance.
The probability of an attack succeeding obviously decreases
as the number of challenge-response exchanges increase, although
this introduces a tradeoff with bothmemory used and the
amount of data transmitted, which also affects execution time as
discussed previously.
F. Choosing a Suitable Protocol
There is no single protocol that is ideal under all design conditions.
Each of the sample protocols has advantages and disadvantages,
and, given the right design conditions, any of these
protocols can be argued to be “most suitable.” For example,
when choosing a protocol for an RFID system, more emphasis
might be placed on computational resource constraints and execution
time. A protocol for a RTLS might have the benefit of executing
on an active tag with more computational resources but
will nevertheless need to minimize transmission to conserve an
exhaustible power source. Given the basic tradeoffs and results
presented in this section, a system engineer should get a good indication
ofwhich protocol aspects to consider in a system design
and be in a position to evaluated proposals in literature against
chosen requirements. For example, the simple tradeoff between
security and execution time for is shown in Fig. 5.
V. FUTURE RESEARCH DIRECTIONS
There are several of active research directions related to the
concept of distance-bounding protocols. Despite the number
of protocol proposals in literature, there is still scope for
improvement in theoretical protocol design with regard to resource
requirements, attack success probability and optimized
protocols for specific applications or operational environments.
There is also a need for formal analysis of protocols, using a
Fig. 5. Graph of attack success probability versus execution time ( distance
fraud mafia fraud terrorist fraud).
clearly defined framework for comparison, to identify generic
design principles crucial to protocol security, explain design
decisions, and discuss subtle aspects of implementation requirements.
There is already progress in this area of formal
analysis [20], although a comprehensive survey and analysis
of existing protocol designs has not been done. As was briefly
mentioned in Section IV-A, an attacker could obscure mafia
and distance fraud attempts by exploiting the underlying
communication channel, even if the cryptographic part of the
distance-bounding protocol is seemingly secure. Accordingly,
Principle 2 of the “Principles of Secure Distance-Bounding” as
defined by Clulow et al. [27] states that all of these protocol
would require a special bit-exchange channel for maximum
security. Communication channels usually transmit multi-bit
data packets rather than single bits, so exchanging multibit
bit streams is easier to implement with off-the-shelf components.
The problem is that these channels usually add some
extra formatting information, such as trailers, headers, and
error-correction measures that introduce latency. An attacker
is not required to adhere to the “rules” of the communication
channel. For example, an attacker could ignore packet framing
and start to calculate its response before receiving the complete
packet trailer. As a result, the attacker is in a position to respond
earlier than expected. A verifier expecting the prover to wait
until it received all of the transmitted bits before starting to
calculate the response would therefore measure a reduced
RTT and the resultant distance estimation would be incorrect
[27]. Even if a multibit nonce was exchanged without any
formatting, or error correction, an attacker could still gain a
timing advantage from tolerances introduced in the modulation
and encoding stages, while also having the option of decreasing
the decoding process of a legitimate device if the data recovery
clock is derived from the transmitted data [48]. The exchange
of multibit data packets over normal communication channels
does therefore not achieve a timing measurement that is unconditionally
secure. In contrast, a multiple single-bit exchange
provides the highest time resolution, as it depends only on
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS 25
propagation time, pulse width, and processing delay of a single
bit. Implementing channels for distance-bounding protocols is
an ongoing research area, which can be approached from either
a theoretical or computational security perspective.
Using special channels for distance bounding is needed if protocols
are to be theoretically secure, i.e., if the protocol provides
the stated security even if an attacker is assumed to have infinite
resources. A practical example of such an attacker would be
one that introduces no delay, apart from the propagation delay,
when relaying the communication between a legitimate verifier
and prover during a mafia fraud attack. Currently, there are
several publications detailing practical implementations of such
distance-bounding channels in the HF band for RFID/contactless
tokens [53], for contact smart cards [54], and in the super
HF band (3.5–4 GHz) [63]. These channels exhibit desirable
security properties and demonstrate that implementation complexity
and cost for can be low enough to be feasible in current
hardware, e.g., [54] implements a reliable channel with only a
few inexpensive, discrete components. Although these channels
serve as promising proof-of-concept designs on which further
research could be based, the widespread use of such channels is
still some way off in the future.
An alternative approach is to implement distance-bounding
protocols on existing channels and to try to and achieve computational
security, i.e., assume that the protocol provides the
stated security against an attacker that has limited resources.
This approach requires that the extent to which an attacker could
potentially alter the distance estimate for a particular channel
or protocol must be determined, and that any potential attacks
must be taken into account with regards to the specific system
risk model, i.e., the designer is aware of the weakness and needs
to make a judgment as to the feasibility of an attacker exploiting
the weaknesses. A practical example of this approach is that
an attacker executing a mafia fraud is assumed to introduce
an additional delay, in addition to only the propagation delay,
when relaying communication between the legitimate verifier
and the prover. This is a practical and reasonable assumption as
attackers are in practice computationally limited and will introduce
a time delay each time data is received and then retransmitted
by a proxy device. For example, the practical mafia fraud
attacks in [8] and [59] against HF and LF/UHF passive RFID
systems introduced approximately 20- s and 250-ns additional
delay, respectively, even though the propagation was less than 6
ns (0–2 m). In both of these cases, it is therefore not necessary
to achieve an RTT measurement resolution of the order of 6 ns,
as the attack could be detected by looking for a response that
is much more significantly delayed. Considering computational
security simplifies channel design, without necessarily compromising
on security, and therefore allows distance bounding to
be more easily integrated into current technology. For example,
the recently released NXP Mifare Plus RFID/contactless token
implements distance bounding as a mafia fraud countermeasure.
There are designs for low-cost UWB transceivers suitable
for distance bounding [64] and also an example of a distance-
bounding protocol successfully implemented using offthe-
shelf UWB equipment [55]. From these developments it is
reasonable to conclude that distance-bounding could be practically
implemented into RFID and UWB systems today, using
existing equipment. There are also detailed security analyses
for IEEE 802.15.4 channels in addition to proposals using this
channel for secure distance bounding [56], [62], which could
form the basis for a successful implementation using this radio
technology in the near future.
VI. CONCLUSION
The reliability of industrial applications is crucial and the
need for adequate security measures is increasing. Verifying the
physical proximity or location of a device is becoming an important
security requirement in industrial applications relying
RTLS and RFID technology. Distance-bounding provides cryptographic
assurance as to the upper bound for the physical distance
between two communicating parties, without requiring
additional device characterization or information from third parties.
As a result, this method is adaptable to provide SND services
in a variety of communication architectures, including
point-to-point device communication in proximity identification
systems, such as RFID-enabled supply chains or a RTLS
with multiple reference nodes.
The evaluation of a sample set of distance-bounding protocol
proposals, using industry-standardized cryptographic algorithms,
showed that the practical requirements with regard to
hardware cost, energy efficiency, and execution time are reasonable
for industrial implementation. By choosing an appropriate
protocol and adjusting the number of exchanged challenge-
responses these requirements can be optimized to suit all
but the most restricted devices and applications. The attack success
probability of the sample proposals are relatively low and
resistance to communication errors are already built in.
The underlying channel implementation also affects the accuracy
and security of the distance estimate of the protocol and
affects the cost of practical implementation. Distance-bounding
protocols have already been implemented in commercial RFID
products and with off-the-shelf UWB equipment, achieving
a level of computational security against practically demonstrated
attacks. Nevertheless, as attacks improve and if distance-
bounding is to become theoretically secure in real-world
applications then existing work on suitable channels would
need to be continued, by investigating cost effective means of
implementing new channels and/or approaches that mitigate
security issues in conventional channels.
REFERENCES
[1] P. Papadimitratos, M. Poturalski, P. Schaller, P. Lafourcade, D. Basin,
S. Capkun, and J. P. Hubaux, “Secure neighborhood discovery: A
fundamental element for mobile ad hoc networking,” IEEE Commun.
Mag., vol. 46, no. 10, pp. 132–139, Oct. 2008.
[2] S. S. Saad and Z. S. Nakadv, “A standalone RFID indoor positioning
system using passive tags,” IEEE Trans. Ind. Electron., vol. 58, no. 5,
pp. 1961–1970, Jul. 2010.
[3] G. M. Gaukler, “Item-level RFID in a retail supply chain with
stock-out-based substitution,” IEEE Trans. Ind. Inf., vol. 7, no. 2, pp.
362–370, May. 2011.
[4] S. Han, H.-S. Lim, and J.-M. Lee, “An efficient localization scheme
for a differential-driving mobile robot based on RFID system,” IEEE
Trans. Ind. Electron., vol. 54, no. 6, pp. 3362–3369, Nov. 2007.
[5] M. Henseler,M. Rossberg, and G. Schaefer, “Credential management
for automatic identification solutions in supply chain management,”
IEEE Trans. Ind. Inf., vol. 4, no. 4, pp. 303–314, Nov. 2008.
26 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 9, NO. 1, FEBRUARY 2013
[6] A. Soylemezoglu, M. J. Zawodniok, and S. Jagannathan, “RFID-Based
smart freezer,” IEEE Trans. Ind. Electron., vol. 56, no. 7, pp.
2347–2356, 2009.
[7] S. Park and S. Hashimoto, “Autonomousmobile robot navigation using
passive RFID in indoor environment,” IEEE Trans. Ind. Electron., vol.
56, no. 7, pp. 2366–2373, 2009.
[8] G. P. Hancke, K. E. Mayes, and K. Markantonakis, “Confidence in
smart token proximity: Relay attacks revisited,” Comput. Security, vol.
28, pp. 615–627, 2009.
[9] D. Lui, M.-C. Lee, and D. Wu, “A node-to-node location verification
method,” IEEE Trans. Ind. Electron., vol. 57, no. 5, pp. 1526–1537,
May 2010.
[10] S. Brands and D. Chaum, “Distance-bounding protocols,” in Advances
in Cryptology—EUROCRYPT ’93, T. Helleseth, Ed. Berlin, Germany:
Springer, 1994, pp. 344–359.
[11] G. P. Hancke and M. G. Kuhn, “An RFID distance bounding protocol,”
in Proc. 1st Int. Conf. Security Privacy for Emerging Areas in
Commun., Athens, Greece, 2005, pp. 67–73.
[12] J. Munilla and A. Peinado, “Distance bounding protocols for RFID
enhanced by using void-challenges and analysis in noisy channels,”
Wireless Commun. Mobile Computing, vol. 8, pp. 1227–1232, 2008.
[13] C. Tang, D. O.Wu, T. Syst, and L. Oswego, “Distance-bounding based
defense against relay attacks in wireless networks,” IEEE Trans. Wireless
Commun., vol. 6, no. 11, pp. 4071–4078, Nov. 2007.
[14] L. Hu and D. Evans, “Using directional antennas to prevent wormhole
attacks,” in Proc. 11th Network Distrib. Syst. Security Symp., San
Diego, CA, 2004, pp. 131–141.
[15] Z. Li, W. Trappe, Y. Zhang, and B. Nath, “Robust statistical methods
for securing wireless localization in sensor networks,” in Proc. 4th
IEEE In. Symp. Inf. Process. Sensor Networks, Los Angeles, CA, 2005,
pp. 91–98.
[16] R. Maheshwari, J. Gao, and S. R. Das, “Detecting wormhole attacks in
wireless networks using connectivity information,” in Proc. 26th IEEE
Int. Conf. Comput. Commun., Anchorage, AL, 2007, pp. 107–115.
[17] K. B. Rasmussen and S. Capkun, “Implications of radio fingerprinting
on the security of sensor networks,” in Proc. 3rd IEEE Int. Conf. Security
Privacy Commun. Networks, Nice, France, 2007, pp. 331–340.
[18] A. Boukerche, H. Oliveira, E. F. Nakamura, and A. A. Loureiro,
“Secure localization algorithms for wireless sensor networks,” IEEE
Commun. Mag., vol. 46, pp. 96–101, 2008.
[19] S. Capkun and J. P.Hubaux, “Secure positioning inwireless networks,”
IEEE J. Sel. Areas Commun., vol. 24, no. 2, pp. 221–232, Feb. 2006.
[20] G. Avoine, M. A. Bingol, S. Kardas, C. Lauradoux, and B. Martin,
“A framework for analyzing RFID distance bounding protocols,” J.
Comput. Security, vol. 19, no. 2, pp. 289–317, Apr. 2011.
[21] G. P. Hancke, “Security of proximity identification systems” Ph.D.
dissertation, Comput. Lab., Univ. of Cambridge, Cambridge, U.K.,
Feb. 2008 [Online]. Available: http://www.cl.cam.ac.uk/techreports/
UCAM-CL-TR-752.pdf
[22] Y. Desmedt, C. Goutier, and S. Bengio, “Special uses and abuses of the
fiat-shamir passport protocol,” in Advances in Cryptology—CRYPTO
’87, C. Pomerance, Ed. Berlin, Germany: Springer, 1988, pp. 21–39.
[23] Y. C.Hu,A. Perrig, andD. B. Johnson, “Rushing attacks and defense in
wireless ad hoc network routing protocols,” in Pro. 2ndACMWorkshop
Wireless Security, San Diego, CA, 2003, pp. 30–40.
[24] Y. Desmedt, “Major security problems with the “unforgeable” (feige)-
Fiat_Shamir proofs of identity and how to overcome them,” in Proc.
6th Worldwide Congress Comput. Commun. Security Protection, 1988,
pp. 147–159.
[25] L. Bussard and W. Bagga, “Distance-bounding proof of knowledge to
avoid real-time attacks,” in Security and Privacy in the Age of Ubiquitous
Computing, R. Sasaki, S. Qing, E. Okamoto, and H. Yoshiura,
Eds. Berlin, Germany: Springer, 2005, pp. 223–238.
[26] J. Hightower and G. Borriello, “Location systems for ubiquitous computing,”
IEEE Computer, vol. 34, pp. 57–66, 2001.
[27] J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore, “So near and yet
so far: Distance-bounding attacks in wireless networks,” in Security
and Privacy in Ad-Hoc and Sensor Networks, L. Buttyan, V. Gligor,
and D. Westhoff, Eds. Berlin, Germany: Springer, 2006, pp. 83–97.
[28] B. Waters and E. Felten, “Secure, Private Proofs of Location,”
Princeton Univ., Tech. Rep. TR-667-03, 2003.
[29] J.Reid, J.M. G. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks
with timing-based protocols,” in Proc. 2nd ACM Symp. Inf., Comput.
Commun. Security, Singapore, 2007, pp. 204–213.
[30] Y. J. Tu and S. Piramuthu, “RFID distance bounding protocols,” in
Proc. 1st Int. EURASIP Workshop RFID Technology, Vienna, Austria,
2007.
[31] C. H. Kim and G. Avoine, “RFID distance bounding protocol with
mixed challenges to prevent relay attacks,” in Cryptology and Network
Security—CANS ’09, J. A. Garay, A. Miyaji, and A. Otsuka, Eds.
Berlin, Germany: Springer, 2009, pp. 119–133.
[32] C. H. Kim, G. Avoine, F. Koeune, F. X. Standaert, and O. Pereira, “The
swiss-knife RFID distance bounding protocol,” in Information Security
and Cryptology–ICISC 2008, P. J. Lee and J. H. Cheon, Eds. Berlin,
Germany: Springer, 2009, pp. 98–115.
[33] C. Meadows, P. Syverson, and L. W. Chang, “Towards more efficient
distance bounding protocols for use in sensor networks,” in Proc. 2nd
Int. Conf. Security Privacy Commun. Networks, Baltimore, MD, 2006,
pp. 1–5.
[34] G. Avoine, C. Floerkemeier, and B. Martin, “RFID distance bounding
multistate enhancement,” in Progress in Cryptology—INDOCRYPT
’09, B. Roy and N. Sendrier, Eds. Berlin, Germany: Springer, 2009,
pp. 290–307.
[35] G. Avoine and A. Tchamkerten, “An efficient distance bounding RFID
authentication protocol: Balancing false-acceptance rate and memory
requirement,” in Information Security, P. Samarati,M. Yung, F. Martinelli,
and C. A. Ardagna, Eds. Berlin, Germany: Springer, 2009, pp.
250–261.
[36] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, and J. C.
A. van der Lubbe, “Shedding Some Light on RFID Distance Bounding
Protocols and Terrorist Attacks,” Jun. 20, 2010. [Online]. Available:
http://arxiv.org/PS_cache/arxiv/pdf/0906/0906.4618v2.pdf
[37] W. Granzer, F. Praus, andW.Kastner, “Security in building automation
systems,” IEEE Trans. Ind. Electron., vol. 57, no. 11, pp. 3622–3630,
Nov. 2011.
[38] M. Cheminod, A. Pironti, and R. Sisto, “Formal vulnerability analysis
of a security system for remote fieldbus access,” IEEE Trans. Ind. Inf.,
vol. 7, no. 1, pp. 30–40, Feb. 2011.
[39] B. Zhao, H. Aydin, and D. Zhu, “On maximizing reliability of real-time
embedded applications under hard energy constraint,” IEEE Trans. Ind.
Inf., vol. 6, no. 3, pp. 316–328, Aug. 2010.
[40] Y. Yang, Y. Xu, X. Li, and C. Chen, “A loss inference algorithm for
wireless sensor networks to improve data reliability of digital ecosystems,”
IEEE Trans. Ind. Electron., vol. 58, no. 6, pp. 2126–2137, Jun.
2011.
[41] Y. Wu, G. Buttazzo, E. Bini, and A. Cervin, “Parameter selection for
real-time controllers in resource-constrained systems,” IEEE Trans.
Ind. Inf., vol. 6, no. 4, pp. 610–620, Nov. 2010.
[42] Y.-J. Huang, C.-C. Yuan, M.-K. Chen, W.-C. Lin, and H.-C. Teng,
“Hardware implementation of RFID mutual authentication protocol,”
IEEE Trans. Ind. Electron., vol. 57, no. 5, pp. 1573–1582, May 2010.
[43] J. Ploennigs, V. Vasyutynskyy, and K. Kabitzsch, “Comparative
study of energy-efficient sampling approaches for wireless control
networks,” IEEE Trans. Ind. Inf., vol. 6, no. 3, pp. 416–424, Aug.
2010.
[44] J.-W. Lee, B.-S. Choi, and J.-J. Lee, “Energy-efficient coverage of
wireless sensor networks using ant colony optimization with three
types of pheromones,” IEEE Trans. Ind. Inf., vol. 7, no. 3, pp. 419–427,
Aug. 2011.
[45] M. Cereia, I. Cibrario-Bertolotti, and S. Scanzio, “Performance of a
real-time EtherCAT master under Linux,” IEEE Trans. Ind. Inf., vol. 7,
no. 4, pp. 679–687, Nov. 2011.
[46] Y.-S. Chen, C.-Y. Yang, and T.-W. Kuo, “Energy-efficient task synchronization
for real-time systems,” IEEE Trans. Ind. Inf., vol. 6, no.
3, pp. 287–301, Aug. 2010.
[47] E. Barker and A. Roginsky, “Recommendation for the transitioning
of cryptographic algorithms and key sizes,” CiteSeerx.
USA, Jan. 2010. [Online]. Available: http://csrc.nist.gov/publications/
drafts/800-131/draft-800-131_transition-paper.pdf
[48] G. P. Hancke and M. G. Kuhn, “Attacks on time-of-flight distance
bounding channels,” in Proc. 1st ACM Conf. Wireless Network Security,
Alexandria, VA, 2008, pp. 194–202.
[49] D. Singelée and B. Preneel, “Distance bounding in noisy environments,”
in Security and Privacy in Ad-Hoc and Sensor Networks,
F. Stajano, C. Meadows, S. Capkun, and T. Moore, Eds. Berlin,
Germany: Springer, 2007, pp. 101–115.
[50] J. Munilla and A. Peinado, “Attacks on a distance bounding protocol,”
Computer Commun., vol. 33, pp. 884–889, 2010.
ABU-MAHFOUZ AND HANCKE: DISTANCE BOUNDING: PRACTICAL SECURITY SOLUTION FOR REAL-TIME LOCATION SYSTEMS 27
[51] G. P. Hancke, “RFID and Contactless Technology,” in Smart Cards,
Tokens, Security and Applications, Mayes and Markantonakis, Eds.
Berlin, Germany: Springer, 2008.
[52] Z. Moghadam, I. Rostami, A. S. Tanhatalab, andM. R. Ferdowsi, “Designing
a random number generator with novel parallel LFSR substructure
for key stream ciphers,” in Proc. Int. Conf. Comput. Design Applic.,
Jun. 2010, pp. 598–601.
[53] G. P. Hancke, “Design of a secure distance-bounding channel for
RFID,” J. Network Comput. Applic., vol. 34, pp. 877–887, 2011.
[54] S. Drimer and S. J. Murdoch, “Keep your enemies close: Distance
bounding against Smartcard relay attacks,” in Proc. 16th USENIX Security
Symp., Boston, MA, 2007, pp. 87–102.
[55] N. O. Tippenhauer and S. Capkun, “ID-based secure distance bounding
and localization,” in Proc. Computer Security–ESORICS , 2009, pp.
621–636.
[56] M. Flury,M. Poturalski, P. Papadimitratos, J. P. Hubaux, and J. Y. Le
Boudec, “Effectiveness of distance-decreasing attacks against impulse
radio ranging,” in Proc. 3rd ACM Conf. Wireless Network Security,
Hoboken, NJ, 2010, pp. 117–128.
[57] I. D’Souza, M. Wei, and C. Notobartolo, “Real-time location systems
for hospital emergency response,” IEEE IT Professional, vol. 13, no.
2, pp. 37–43, April 2011.
[58] N. O. Tippenhauer, K. B. Rasmussen, C. Pöpper, and S. Capkun, “Attacks
on public WLAN-based positioning systems,” in Proc. ACM/
Usenix Conf. Mobile Syst., Applic. and Services (MobiSys), Jun. 2009,
pp. 29–40.
[59] A. Francillon, B. Danev, and S. Capkun, “Relay attacks on passive keyless
entry and start systems in modern cars,” in Proc. Network Distrib.
Syst. Security Symp., Feb. 2011.
[60] L. Francis, G. P. Hancke, K. E. Mayes, and K. Markantonakis, “Practical
relay attack on contactless transactions by using NFC mobile
phones,” Cryptology ePrint Archive, Report 2011/618, Nov. 2011.
[61] Y. Zang and L. Wu, “Application of RFID and RTLS technology in
supply chain enterprise,” in Proc. Wireless Commun. Networking Mobile
Computing, Sep. 2010, pp. 1–4.
[62] M. Poturalski, M. Flury, P. Papadimitratos, J.-P. Hubaux, and J.-Y.
Le Boudec, “Distance bounding with IEEE 802.15.4a: Attacks and
countermeasures,” IEEE Trans. Wireless Commun., vol. 10, no. 4, pp.
1334–1344, Apr. 2011.
[63] K. B. Rasmussen and S. Capkun, “Realization of RF distance
bounding,” in Proc. USENIX Security Symp., 2010.
[64] M. Kuhn, H. Luecken, and N. O. Tippenhauer, “UWB impulse radio
based distance bounding,” in Proc. Workshop Positioning, Navigation
Commun., 2010.
[65] S. Čapkun, L. Buttyán, and J. P. Hubaux, “SECTOR: Secure tracking
of node encounters in multi-hop wireless networks,” in Proc. 1st ACM
Workshop Security of Ad-Hoc and Sensor Network, Fairfax, VA, 2003,
pp. 21–32.
[66] G. P. Hancke, “Practical eavesdropping and skimming attacks on
high-frequency RFID tokens,” J. Comput. Security, vol. 19, no. 2, pp.
259–288, January 2011.
[67] A. M. Abu-Mahfouz and G. P. Hancke, “An efficient distributed localization
algorithm for wireless sensor networks: Based on smart reference-
selection method,” Intersci. J. Sensor Networks, 2012.
[68] S. Lee, B. Kim, H. Kim, R. Ha, and H. Cha, “Inertial sensor-based indoor
pedestrian localization with minimum 802.15.4a configuration,”
IEEE Trans. Ind. Inf., vol. 7, no. 3, pp. 455–466, Aug. 2011.
[69] S. Ivanov and E. Nett, “Localization-based radio model calibration for
fault-tolerant wireless mesh networks,” IEEE Trans. Ind. Inf., vol. PP,
no. 99, 2012.
[70] B. Wang and M. MaAn, “Server independent authentication scheme
for RFID systems,” IEEE Trans. Ind. Inf., vol. PP, no. 99, 2012.
[71] T. Beth and Y. Desmedt, “Identification tokens—or: Solving the chess
grandmaster problem,” in Proc. Adv. Cryptol.,Aug. 1990, pp. 169–177.
Adnan Abu-Mahfouz (S’11–M’12) received the
B.S. degree in information engineering from the
University of Baghdad, Baghdad, Iraq, in 2000, and
the M.Eng. and Ph.D. degrees in computer engineering
from the University of Pretoria, Pretoria,
South Africa, in 2005 and 2011, respectively.
He is currently a Senior Research Engineer with
the CSIR Meraka Institute, Pretoria, South Africa.
His professional work experience includes network
administration, software engineering, research assistantship,
lecturer, as well as being a faculty coordinator/
head at Emirates College of Technology. His research interests are wireless
sensor networks, localization systems and energy conservation.
Gerhard P. Hancke (S’99–M’07–SM’11) received
the B.S. and M.Eng. degrees in computer engineering
from the University of Pretoria, Pretoria,
South Africa, in 2002 and 2003, respectively, and
the Ph.D. degree in computer science from the
University of Cambridge, Cambridge, U.K., in 2008.
Subsequently, he was with the ISG Smart Card
Centre as a Post-Doctoral Researcher/Lead Engineer,
where he managed the RF/Hardware Laboratory and
was involved in the evaluation, development, and
integration of smartcard systems. He is currently a
Fellow with the Information Security Group (ISG), Royal Holloway, University
of London, London, U.K. His main interest is the security of smart tokens and
their applications, embedded/pervasive systems, and mobile platforms.

  

Comments are closed.