
Essay: The emerging role of distance bounding protocol in aerospace systems

  • Published: 29 October 2015*

Abstract: RFID (Radio Frequency Identification) systems are vulnerable to replay attacks like mafia fraud, distance fraud and terrorist fraud. The distance bounding protocol is designed as a countermeasure against these attacks. These protocols check that a tag is within a bounded distance by measuring the round-trip delays during the rapid challenge-response exchange. Distance bounding protocols are cryptographic protocols which enable a verifier to establish an upper bound on the physical distance to the prover. They are based on timing the delay between sending out a challenge bit and receiving back the corresponding response bit. A timing-based response followed by consecutive timing measurements provides a more optimistic approach to authenticating the prover.
Index Terms: RFID, Mafia fraud, Distance fraud, Terrorist fraud, Distance Bounding protocol.
A famous story tells of a little girl who played against two chess Grandmasters. How was it possible for her to win one of the games? Anne-Louise played Black against Spassky and White against Fischer. Spassky moved first, and Anne-Louise just copied his move as the first move of her game against Fischer, then copied Fischer’s reply as her own reply to Spassky’s first move, and so on.
The problem exploited by Anne-Louise is known in the cryptographic community as mafia fraud. Mafia fraud is a man-in-the-middle attack against an authentication protocol where the adversary relays the exchanges between the verifier and the prover, making them believe they are communicating directly with each other. The mafia fraud is particularly powerful against contactless technologies. The most threatened systems are Radio Frequency Identification (RFID) and Near Field Communication (NFC), because the devices answer any solicitation without the explicit agreement of their holder. The vulnerability of these technologies has already been illustrated by several practical attacks [10]. The two attacks related to mafia fraud are distance fraud and terrorist fraud. The distance fraud only involves a malicious prover, who cheats on his distance to the verifier. The terrorist fraud is an exotic variant of the mafia fraud where the prover is malicious and actively helps the adversary to succeed in the attack.
Measuring the physical distance between communicating parties is important for communication security. For example, we can imagine a building security system that allows a visitor to open the door to the building only when the visitor has an authorized Radio Frequency Identification (RFID) tag for entering the building. When authenticating the tag, the security system should also verify the upper-bound distance between the door and the tag to thwart remote attackers who may try to open the door from a distance [4].
To solve the above problem, Brands and Chaum have proposed a distance-bounding protocol. In this protocol, a verifier V seeks to authenticate a prover P while measuring the distance d between V and P. For authentication, most of these protocols rely on multiple rounds of single-bit challenge and response, also known as a fast bit exchange phase. They are also lightweight in the sense that they do not require an additional (time and resource consuming) slow phase to terminate the protocol. A timing-based response followed by consecutive timing measurements provides a more optimistic approach to authenticating the prover.
By using distance bounding protocols, a device (the verifier) can securely obtain an upper bound on its distance to another device (the prover). The security of distance-bounding protocols has so far mainly been evaluated by analyzing their resilience to three types of attacks. For historical reasons, these are known as Distance Fraud, Mafia Fraud and Terrorist Fraud. In Distance Fraud attacks, a sole dishonest prover convinces the verifier that he is at a different distance than he really is. In Mafia Fraud attacks, the prover is honest, but an attacker tries to modify the distance that the verifier establishes by interfering with their communication. In Terrorist Fraud attacks, the dishonest prover colludes with another attacker that is closer to the verifier, to convince the verifier of a wrong distance to the prover. So far, it has been assumed that distance bounding protocols that are resilient against these three attack types can be considered secure. In the case of hostile attackers, the dishonest prover can pretend to be closer to the verifier than it actually is by jumping the gun, that is, sending a response before the request, or pretend to be further away than it is by delaying its response. A hostile attacker could also attach its own identity to the prover’s response, and pass off the honest verifier’s location as its own [1], [13].
Finally, dishonest provers can conspire to mislead the verifier, one prover lending the other prover its identity so that the second prover can make the first prover look closer than it is. The idea is that the prover first commits to a nonce using a one-way function, the verifier sends a challenge consisting of another nonce, the prover responds with the exclusive-or of its own and the verifier’s nonces, and then follows up with the authentication information.
Fig 1: System Architecture
METAR is constructed to analyze the weather report and cloud base height for an airplane. These details are passed between the verifier and the prover. METAR describes the meteorological elements observed at an airport at a specific time. The verifier uses the time elapsed between sending its nonce and receiving the prover’s rapid response to compute its distance from the prover, and then verifies the authenticated response when it receives it. Over the wireless link, the verifier raises an authentication query to the prover side. If the prover gives the exact answer to the query, he/she is able to receive the extracted information at the end.
Radio frequency identification (RFID) technology consists of small, inexpensive computational devices with wireless communication capabilities. Currently, the main application of RFID technology is in the inventory control and supply chain management fields. In these areas, RFID tags are used to tag and track physical goods. Within this context, RFID can be considered a replacement for barcodes. RFID technology is superior to barcodes in two aspects. First, RFID tags can store more information than barcodes [3]. Unlike a barcode, the RFID tag, being a computational device, can be designed to process rather than just store data. Second, barcodes communicate through an optical channel, which requires the careful positioning of the reading device with no obstacles in between [12]. RFID uses a wireless channel for communication, and can be read without line-of-sight, increasing the read efficiency.
The pervasiveness of RFID technology in our everyday lives has led to concerns over whether these RFID tags pose a security risk. The future applications of RFID make the security of RFID networks and communications even more important than before. The ubiquity of RFID technology has made it an important component in the Internet-of-Things (IoT), a future generation Internet that seeks to mesh the physical world together with the cyber world. RFID is used within the IoT as a means of identifying physical objects [11]. For example, by attaching an RFID tag to medication bottles, we can design an RFID network to monitor whether patients have taken their medications.
Verifying the physical location of a device using an authentication protocol is an important security mechanism. Distance bounding protocols aim to prove the proximity of two devices relative to each other. A distance bounding protocol determines an upper bound for the physical distance between two communicating parties based on the Round-Trip-Time (RTT) of cryptographic challenge-response pairs. Brands and Chaum proposed a distance bounding protocol that could be used to verify a device’s proximity cryptographically. This design is based on a channel where the prover can reply instantaneously to each single binary digit received from the verifier [1]. The number of challenge-response interactions is determined by a chosen security parameter. Distance bounding protocols are used not only in the one-to-one proximity identification context but also as building blocks for secure location systems. After correct execution of the distance bounding protocol, the verifier knows that an entity having data is in the trusted network. A distance bounding protocol can be divided into three phases: the Commitment phase, the Fast Bit phase and the Signing phase.
The first DB protocol suitable for resource-constrained devices (for example, RFID tags) is considered lightweight in the sense that a single computation of a hash function and a call to a Pseudo Random Number Generator (PRNG) are the most costly operations required for its execution. The simplicity and efficiency of this protocol have led to similar designs for other DB protocols, which modify how answers are calculated in order to improve the security performance. The protocol first contains a slow phase in which nonces are generated and exchanged [4], [7]. From these nonces and a secret value x, the possible responses used in the first phase are computed via a function f. Then the fast phase consists of n consecutive rounds. In each of these rounds, the verifier picks a challenge ci, starts a timer and sends ci to the prover. When the prover receives the challenge he computes the answer ri and sends it back to the verifier as soon as possible. Upon reception of the answer, the verifier stores it as well as the round trip time. Once the n rounds have elapsed, the verifier checks the validity of the answers; if they are valid for the n rounds, the protocol succeeds. Initialization, execution and decision steps are presented below and a general view is provided in Fig. 2.
Fig 2: Distance Bounding Protocol
Initialization. The prover (P) and the verifier (V) agree on (a) a security parameter $n$, (b) a timing bound $\Delta t_{max}$, (c) a pseudo random function $PRF$ that outputs $3n$ bits, (d) a secret key $x$.
Execution. The protocol consists of a slow phase and a fast phase.
Slow Phase. P (respectively V) randomly picks a nonce $N_P$ (respectively $N_V$) and sends it to V (respectively P). Afterwards, P and V compute $PRF(x, N_P, N_V)$ and divide the result into three $n$-bit registers $Q$, $R^0$ and $R^1$. Both P and V create the function $f_Q : S \to \{0, 1\}$ where $S$ is the set of all the bit-sequences of size at most $n$ including the empty sequence. The function $f_Q$ is parameterized with the bit-sequence $Q = q_1 \ldots q_n$, and it outputs 0 when the input is the empty sequence. For every non-empty bit-sequence $C_i = c_1 \ldots c_i$ where $1 \le i \le n$, the function is defined as $f_Q(C_i) = \bigoplus_{j=1}^{i} (c_j \wedge q_j)$.
Fast Phase. In each of the $n$ rounds, V picks a random challenge $c_i \in_R \{0, 1\}$, starts a timer, and sends $c_i$ to P. Upon reception of $c_i$, P replies with $r_i = R^{c_i}_i \oplus f_Q(C_i)$ where $C_i = c_1 \ldots c_i$. Once V receives $r_i$, he stops the timer and computes the round-trip-time $\Delta t_i$.
Decision. If $\Delta t_i < \Delta t_{max}$ and $r_i = R^{c_i}_i \oplus f_Q(C_i)$ $\forall i \in \{1, 2, \ldots, n\}$ then the protocol succeeds.
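The initialization, slow phase, fast phase and decision steps above can be exercised end to end with the following added example, which is not part of the original essay. It assumes HMAC-SHA256 in counter mode as the PRF (the essay does not name one), uses constructed round-trip times instead of real measurements, and the names prf_registers, Prover, verify and run_session are hypothetical.

```python
import hashlib
import hmac
import secrets

def prf_registers(x, n_p, n_v, n):
    """PRF(x, N_P, N_V) -> registers Q, R0, R1 of n bits each.
    Assumption: HMAC-SHA256 in counter mode stands in for the essay's PRF."""
    stream, ctr = b"", 0
    while len(stream) * 8 < 3 * n:
        stream += hmac.new(x, n_p + n_v + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    bits = [(stream[i // 8] >> (7 - i % 8)) & 1 for i in range(3 * n)]
    return bits[:n], bits[n:2 * n], bits[2 * n:]

def f_q(q, challenges):
    """f_Q(C_i): XOR over j = 1..i of (c_j AND q_j); 0 for the empty sequence."""
    acc = 0
    for c_j, q_j in zip(challenges, q):
        acc ^= c_j & q_j
    return acc

class Prover:
    """Honest prover: the answer in round i depends on every challenge seen so far."""
    def __init__(self, x, n_p, n_v, n):
        self.q, self.r0, self.r1 = prf_registers(x, n_p, n_v, n)
        self.seen = []

    def respond(self, c_i):
        self.seen.append(c_i)
        i = len(self.seen) - 1
        register = self.r1 if c_i else self.r0
        return register[i] ^ f_q(self.q, self.seen)

def verify(x, n_p, n_v, n, transcript, dt_max):
    """Decision step: every r_i must be correct and every dt_i below dt_max."""
    q, r0, r1 = prf_registers(x, n_p, n_v, n)
    if len(transcript) != n:
        return False
    seen, accepted = [], True
    for i, (c_i, r_i, dt_i) in enumerate(transcript):
        seen.append(c_i)
        expected = (r1 if c_i else r0)[i] ^ f_q(q, seen)
        accepted = accepted and r_i == expected and dt_i < dt_max
    return accepted

def run_session(n=32, rtt=20e-9, dt_max=50e-9, answer=None):
    """One protocol run. rtt is a constructed per-round round-trip time in
    seconds, not a measurement; answer overrides the honest prover."""
    x = secrets.token_bytes(16)                                  # shared secret key
    n_p, n_v = secrets.token_bytes(8), secrets.token_bytes(8)    # slow-phase nonces
    prover = Prover(x, n_p, n_v, n)
    transcript = []
    for _ in range(n):
        c_i = secrets.randbelow(2)                               # verifier's challenge
        r_i = prover.respond(c_i) if answer is None else answer(c_i)
        transcript.append((c_i, r_i, rtt))
    return verify(x, n_p, n_v, n, transcript, dt_max)

if __name__ == "__main__":
    print("honest, nearby prover :", run_session())
    print("honest prover, relayed:", run_session(rtt=2e-6))
    print("random guesser, n=64  :", run_session(n=64, answer=lambda c: secrets.randbelow(2)))
```

The relayed run fails on the timing bound even though every answer is correct, and the guesser fails on the answers even though it replies in time, which is why the decision step checks both conditions in every round.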
Being resistant to both mafia and distance fraud is the primary goal of a distance bounding protocol. An important lower bound for both frauds is $(1/2)^n$ [6], which is the success probability of an adversary who answers randomly to the verifier’s n challenges during the fast phase. However, this resistance is hard to attain for lightweight DB protocols. Therefore, our aim is to design a protocol that is close to this bound for both mafia and distance frauds, without requiring costly operations and an extra final slow phase [5], [2].
A. Mafia Fraud:
A mafia fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the verifier and an honest tag located outside the neighborhood.
Fig 2(a): Mafia fraud
Among the DB protocols without final slow phase, those achieving the best mafia fraud resistance are round dependent. The idea is that the correct answer at the ith round should depend on the ith challenge and also on the (i-1) previous challenges.
B. Distance Fraud:
A distance fraud is an attack where a dishonest and lonely prover purports to be in the neighborhood of the verifier.
Fig 2(b): Distance Fraud
As in mafia fraud, the best protocols in terms of distance fraud are round dependent. However, round dependency by means of predefined challenges fails to properly resist distance fraud. Intuitively [9], [7], the more control the prover has over the challenges, the lower the resistance to distance fraud is. For this reason, our proposal allows the verifier to have full and exclusive control over the challenges.
C. Terrorist Fraud
A terrorist fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and a dishonest tag located outside the neighborhood, such that the latter actively helps the adversary to maximize her attack success probability, without giving her any advantage for future attacks. Terrorist fraud is not considered in our proposed system.
Fig 2(c): Terrorist Fraud
Different methods are used for the prevention of these attacks. In the distance fraud, the location will not be sufficient because the verifier does not trust the prover [5]. He wants to prevent a fraudulent prover from claiming to be closer. Different types of location mechanisms that prevent these attacks are:
A. Measure the signal strength
A node can calculate its distance from another node by sending it a message and seeing how long it takes to return. If the response is authenticated, a fraudulent node can lie about being further away than it is, but not closer. The sender includes the strength of the transmitted message in the message; the receiver compares the received strength to compute the distance.
B. Measure the Round Trip Time
Another solution measures the round trip time. The round trip time is the time required for a packet to travel to a specific destination and back again. In this protocol the verifier sends out a challenge and starts a timer. After receiving the challenge, the prover does some elementary computations to construct the response. The response is sent back to the verifier and the timer is stopped. Multiplying this time with the propagation speed of the signal gives the distance.
C. Measure the Consecutive Time
Timing-based input information followed by consecutive timing measurements provides a more optimistic approach to authenticating the user. The verifier uses the time elapsed between sending its nonce and receiving the prover’s rapid response to compute its distance from the prover, and then verifies the authenticated response when it receives it. Our proposed system provides a concept in which the proof breaks down if the prover is dishonest.
D. Validation and Identification
i. Validate the authentication information provided by the user.
ii. Extract the MAC address to validate the request origin location.
iii. Measure the consecutive execution time of the request processing.
The Cipher Block Rivest Algorithm is used in our proposed system for the encryption process. It is a fast symmetric block cipher: the same key is used for encryption and decryption, and plaintext and cipher text are fixed-length bit sequences.
In cryptography, RC5 is a symmetric-key block cipher notable for its simplicity. It was designed by Ronald Rivest in 1994. RC stands for ‘Rivest Cipher’, or alternatively ‘Ron’s Code’ (compare RC2 and RC4). A key feature of RC5 is the use of data-dependent rotations; one of the goals of RC5 was to prompt the study and evaluation of such operations as a cryptographic primitive. RC5 also consists of a number of modular additions and exclusive ORs (XORs). The general structure of the algorithm is a Feistel-like network. The encryption and decryption routines can be specified in a few lines of code. The key schedule, however, is more complex, expanding the key using an essentially one-way function with the binary expansions of both e and the golden ratio as sources of ‘nothing up my sleeve numbers’.
RC5 is denoted as RC5-w/r/b, where
w = word size in bits,
r = number of rounds,
b = number of 8-bit bytes in the key.
Cryptanalysis: 12-round RC5 (with 64-bit blocks) is susceptible to a differential attack using $2^{44}$ chosen plaintexts. 18-20 rounds are suggested as sufficient protection. In block ciphers, plaintext is divided into blocks of fixed length and every block is encrypted one at a time. The number of rounds can range from 0 to 255, while the key can range from 0 to 2040 bits in size [7]. Cipher text involves
C = E (PUB, E (PUA, M))
Cipher text can be generated by the encryption of the public key with the private key associated with the source. De-cipher text involves
M = D (PUA, D (PRB, C))
The actual message can be generated by the public and private keys followed by the consecutive timings.
A block cipher is defined as a cryptosystem with a large plaintext space, typically $n \ge 64$ bits.
Round structure:
Apply the same function to the intermediate cipher text repeatedly, Nr times.
Use a different key Ki, derived from K, in the ith round.
Pseudo code 1
1. INPUT: plaintext x, key K
2. OUTPUT: cipher text y = e_K(x)
3. ASSUME: round function g, last function h, key scheduling procedure deriving the round keys K_1 ... K_Nr from K
w_0 = x
For i = 1 to Nr-1
    w_i = g(w_{i-1}, K_i)
y = h(w_{Nr-1}, K_Nr)
A. Error free environment
The first lightweight DB protocol was proposed by Hancke and Kuhn [11] in 2005. Its simplicity and suitability for resource-constrained devices have promoted the design of other DB protocols based on it [2], [13]. All these protocols share the same design: (a) there is a slow phase where both prover and verifier generate and exchange nonces, (b) the nonces and a keyed cryptographic hash function are used to compute the answers to be sent (resp. checked) by the prover (resp. verifier). Below, we provide the main characteristics of each of these protocols, especially the technique they use to compute the answers.
Fig 3(a): Mafia Fraud
Fig 4(a): Tradeoff with memory constraint
Hancke and Kuhn’s protocol [11]. The answers are extracted from two n-bit registers such that any of the n 1-bit challenges determines which register should be used to answer.
Avoine and Tchamkerten’s protocol [2]. Binary trees are used to compute the prover answers: the verifier challenges define the unique path in the tree, and the prover answers are the vertex values on this path. There are several parameters impacting the memory consumption: l, the number of trees, and d, the depth of these trees. It holds that $d \cdot l = n$, where n is the number of rounds in the fast phase.
Trujillo-Rasua, Martin and Avoine’s protocol [12]. This protocol is similar to the previous one, except that it uses particular graphs instead of trees to compute the prover answers.
Fig 3(b): Distance Fraud
Fig 4(b): Tradeoff without memory constraint
Kim and Avoine’s protocol [13]. This protocol, closer to Hancke and Kuhn’s protocol [11] than to [12], uses two registers to define the prover answers. An important additional feature is that the prover is able to detect a mafia fraud thanks to predefined challenges, that is, challenges known by both prover and verifier. The number of predefined challenges impacts the fraud resistance: the larger the number, the better the mafia fraud resistance, but the lower the resistance to distance fraud.
Mafia and distance fraud analysis in a noise-free environment can be found in [12]. Fig. 3(a) and Fig. 3(b) show the resistance to mafia fraud and distance fraud respectively for the five considered protocols in a single chart. For each of them, the configuration that maximizes its security has been chosen: this is particularly important for AT and KA2 because different configurations can be used.
In case of a draw between two protocols, the one that consumes less memory is considered the best protocol. The trade-off chart represents, for every pair (x, y), the best protocol among the five considered ones. Fig. 4(a) shows that our protocol offers a good trade-off between resistance to mafia fraud and resistance to distance fraud, especially when a high security level against distance fraud is expected. In other words, our protocol is better than the other considered protocols, except when the expected security levels for mafia fraud and distance fraud are unbalanced, which is meaningless in common scenarios.
Another interesting comparison takes into consideration the memory consumption of the protocols. Indeed, for n rounds of the fast phase, AT requires $2^{n+1} - 1$ bits of memory, which is prohibitive for most pervasive devices.
We can therefore compare protocols that require a linear memory with respect to the number of rounds n. For that, we consider a variant of AT [10], denoted n/3 trees of depth 3 instead of just one tree of depth n. The resulting trade-off chart shows that constraining the memory consumption considerably reduces the area where AT is the best protocol, but it also shows that our protocol provides the best trade-off in this scenario as well.
The time stamp based distance bounding protocol introduced in this paper provides an optimistic approach to identifying the relay attack. This protocol deals with both mafia and distance frauds with less computer memory and additional computation. The analytical expressions and experimental results show that the new protocol provides the best trade-off between mafia and distance fraud resistance. Such a performance is achieved based on the round dependent design, where the prover is unable to guess any challenge with a probability higher than 1/2.
For computer-intensive systems, our consecutive timed response provides significantly better throughput for a broad variety of scenarios, including the mafia fraud, distance fraud and terrorist fraud attacks. The encryption and decryption can use more than one algorithm on each round of the resistance, which provides more confidential services in the system.
[1] Rolando Trujillo-Rasua, Benjamin Martin, and Gildas Avoine, "Distance-bounding facing both mafia and distance frauds," IEEE Transactions on Wireless Communications, vol. 9, May 2014.
[2] Sangho Lee, Jin Seok Kim, Sung Je Hong, and Jong Kim, "Distance Bounding with Delayed Responses," IEEE Communications Letters, vol. 16, September 2012.
[3] Kapil Singh, "Security in RFID Networks and Protocols," International Journal of Information and Computation Technology, vol. 3, pp. 425-432, 2013.
[4] Ammar Alkassar, Christian Stuble, "Towards Secure IFF: Preventing Mafia Fraud Attacks," Sirrix AG security technologies, Germany; Saarland University, D-66123 Saarbrucken, Germany.
[5] Srikanth S P, Sunitha Tiwari, "A Survey on Distance Bounding Protocol for attacks and frauds in RTLS system," International Journal of Engineering and Innovative Technology (IJEIT), vol. 3, April 2014.
[6] J. H. Conway, "On Numbers and Games," AK Peters, Ltd., 2000.
[7] Claus P. Schnorr, "Efficient signature generation by smart cards," Journal of Cryptology, vol. 4, no. 3, pp. 161-174, 1991.
[8] Srdjan Capkun, Karim El Defrawy, and Gene Tsudik, "GDB: Group Distance Bounding Protocols," arXiv.org, 2010.
[9] S. Brands and D. Chaum, "Distance-bounding protocols," in EUROCRYPT 1993.
[10] G. Avoine, C. Lauradoux, B. Martin, "How secret-sharing can defeat terrorist fraud," The 4th ACM Conference on Wireless Network Security, WiSec’11, pp. 145-156.
[11] G. Avoine, "RFID, Distance Bounding Multiple Enhancement," Progress in Cryptography, pp. 290-307.
[12] J. Munilla, A. Peinado, "Distance Bounding Protocol for RFID enhanced by using void challenges and analysis in noise channels," compute 8 (2008) 1227-1232.
[13] J. Kelsey, B. Schneier, and D. Wagner, "Protocol interactions and the chosen protocol attack," in Proc. 5th International Workshop on Security Protocols, volume 1361 of LNCS, pages 91-104. Springer, 1997.


About this essay:

If you use part of this page in your own work, you need to provide a citation, as follows:

Essay Sauce, The emerging role of distance bounding protocol in aerospace systems. Available from:<https://www.essaysauce.com/computer-science-essays/essay-the-emerging-role-of-distance-bounding-protocol-in-aerospace-systems/> [Accessed 28-02-24].

These Computer science essays have been submitted to us by students in order to help you with your studies.

* This essay may have been previously published on Essay.uk.com at an earlier date.