Attacks on time-of-flight distance bounding channels

Research output: Chapters, Conference Papers, Creative and Literary WorksRGC 32 - Refereed conference paper (with host publication)peer-review

71 Scopus Citations
View graph of relations

Author(s)

Detail(s)

Original languageEnglish
Title of host publicationWiSec'08: Proceedings of the 1st ACM Conference on Wireless Network Security
Pages194-202
Publication statusPublished - 2008
Externally publishedYes

Conference

TitleWiSec'08: 1st ACM Conference on Wireless Network Security
PlaceUnited States
CityAlexandria, VA
Period31 March - 2 April 2008

Abstract

Cryptographic distance-bounding protocols verify the proximity of two parties by timing a challenge-response exchange. Such protocols rely on the underlying communication channel for accurate and fraud-resistant round-trip-time measurements, therefore the channel's exact timing properties and low-level implementation details become security critical. We practically implement 'late-commit' attacks, against two commercial radio receivers used in RFID and sensor networks, that exploit the latency in the modulation and decoding stages. These allow the attacker to extend the distance to the verifier by several kilometers. We also discuss how 'overclocking' a receiver can make a prover respond early. We practically implement this attack against an ISO 14443A RFID token and manage to get a response 10 μs earlier than normal. We conclude that conventional RF channels can be problematic for secure distance-bounding implementations and discuss the merits and weaknesses of special distance-bounding channels that have been proposed for RFID applications. Copyright 2008 ACM.

Research Area(s)

  • Data modulation, Distance-bounding protocols, Location-based authentication, Low-latency communication, Radio channels, RFID, Round-trip time measurement, Speed of light, Wireless communication

Citation Format(s)

Attacks on time-of-flight distance bounding channels. / Hancke, Gerhard P.; Kuhn, Markus G.
WiSec'08: Proceedings of the 1st ACM Conference on Wireless Network Security. 2008. p. 194-202.

Research output: Chapters, Conference Papers, Creative and Literary WorksRGC 32 - Refereed conference paper (with host publication)peer-review