
2011 International Conference on Instrumentation, Measurement, Computer, Communication and Control

A Distance Bounding Protocol Using Error State and Punishment

Wei Xin, Tao Yang, Cong Tang, Jianbin Hu and Zhong Chen
MoE Key Lab of Network and Software Security Assurance
Peking University
Beijing, China
{xinwei, ytao, tangcong,hujb, chen} @infosec.pku.edu.cn
Abstract: Radio Frequency Identification (RFID) systems suffer from
different security and privacy problems, among which the relay attack has
recently become a hot topic. A relay attack is a type of attack related to
man-in-the-middle and replay attacks, in which an attacker relays verbatim
a message from the sender to a valid receiver of the message. The sender
may not even be aware of sending the message to the attacker. The main
countermeasure against relay attacks is the use of distance bounding
protocols, which measure the round-trip time between the reader and the
tag. In this paper, we consider a modification of these protocols using an
`error state', which stands for the number of response bit errors that have
already occurred. We set a maximal error number to prevent an adversary
from making malicious queries. We also apply a punishment mechanism for
erroneous responses, which to the best of my knowledge is proposed for the
first time in distance bounding protocols: if the tag sends one error bit,
it must respond to one more challenge bit to successfully finish the
protocol. By using the error state and punishment mechanism, the success
probability for an adversary to gain access to the system decreases.
Finally, we use Hancke and Kuhn's protocol as a comparison to show the
improvements achieved when different cases are analyzed.

Keywords-RFID; Distance Bounding Protocol; Punishment

I. INTRODUCTION

Radio Frequency Identification (RFID) technology represents a fundamental
change in the information technology infrastructure. It is a non-contact,
automatic identification technology that uses radio signals to identify,
track, sort and detect a variety of objects including people, vehicles,
goods and assets without the need for direct contact. These systems
comprise Radio Frequency (RF) tags and RF readers and sometimes a back-end
server. Readers broadcast an RF signal to access resistant data stored in
tags.

Like all growing technologies, radio frequency identification brings along
its share of security related problems, among which the relay attack has
recently become a hot topic. A relay attack is a type of attack related to
man-in-the-middle and replay attacks, in which an attacker relays verbatim
a message from the sender to a valid receiver of the message. The sender
may or may not even be aware of sending the message to the attacker. Relay
attacks were first introduced by Conway [1], who described how a person who
knows nothing about chess could beat a Grandmaster. The secret is relaying
moves between two grandmasters; the person will either win against one, or
draw against both. Desmedt et al. [2] showed how such relay attacks could
be applied to security protocols; in their paper the relay attack was
called mafia fraud.

RFID systems are vulnerable to relay attacks, where the attacker relays
communication between the reader and the tag. It is difficult to prevent
these attacks since the adversary does not change any data between the
reader and the tag. Therefore, relay attacks cannot be prevented by
cryptographic protocols that operate at the application layer. Relay
attacks do not exist only in RFID systems: Drimer and Murdoch described a
relay attack against contact Chip-and-Pin smart cards in an electronic
payment system [3].

To deploy a relay attack, an attacker needs a tag agent and a reader agent
that not only have the abilities of a real tag and a real reader, but can
also transfer communications. The relay channel between the tag agent and
the reader agent must have a long distance in order to relay information
without being detected. The relay attack setup is shown in Figure 1. The
relay module in the dashed rectangle is made up of three parts: a tag
agent, a reader agent and a relay channel. The reader agent and the tag
agent are placed near the real tag and reader. Any information transmitted
from the real reader to the real tag is received by the tag agent and
relayed to the reader agent, which transmits the information to the real
tag. The tag mistakes the reader agent for the real reader and responds.
The response is then relayed back through the reader agent and the tag
agent to the real reader. The reader is unable to distinguish between the
real tag and the tag agent and will therefore assume that the tag is in
the near field and associated with its owner. A possible relay attack setup
using modified NFC devices was presented by Kfir et al. [4]. Gerhard Hancke
successfully executed a relay attack against an ISO 14443A contactless
smart card, up to a distance of 50m [5]. Lishoy Francis [6] describes a
relay attack implementation using legitimate peer-to-peer NFC communication
by installing suitable MIDlets on NFC-enabled mobile phones.
978-0-7695-4519-6/11 $26.00 2011 IEEE
DOI 10.1109/IMCCC.2011.115


Figure 1. Relay attack on an RFID system (diagram labels: Tag, Relay Module
made up of Relay Reader, Relay Channel and Relay Tag, Reader)

Figure 2. Round Trip Time Measurement

In this paper, we propose a novel solution for implementing distance
bounding protocols using error state and punishment: the more error bits
the tag sends, the lower the probability that the tag successfully finishes
the protocol. The rest of the paper is organized as follows. In Section 2,
we describe the first distance bounding protocol, introduced by Brands and
Chaum [7], and the most popular distance bounding protocol, designed by
Hancke and Kuhn (HK) [8] for RFID. Section 3 presents our novel protocol.
Section 4 compares the performance for different cases. Finally, Section 5
concludes.
II. DISTANCE BOUNDING PROTOCOLS

In order to resist relay attacks, a myriad of approaches have been
proposed, such as a Faraday cage, using a unique fingerprint of the
communication channel [9], or adding hidden information to the location
data [10,11]. The main approach to prevent relay attacks was introduced by
Beth and Desmedt [12]. Called distance bounding, it is based on calculating
the round trip time (RTT) of the response after a challenge is sent. The
verifier checks the distance of a prover by measuring the RTT, given that
the speed of the radio signal cannot exceed that of light. The mechanism of
RTT is shown in Figure 2. To decide whether the prover is in the
neighborhood, the verifier needs to measure the RTT of a single bit
transmitted from the verifier to the prover and back, n times. Assuming
that the signal propagation speed is known, the verifier can define
$t_{max}$, the maximum expected RTT including propagation and processing
delays. An RTT $t_i$ less than $t_{max}$ demonstrates that the prover stays
in the verifier's neighborhood.

In the last few years, many distance bounding protocols have been proposed.
In 2005, Hancke and Kuhn proposed a distance bounding protocol (HKP) that
has been chosen as a reference point, since many schemes have been proposed
based on this protocol. In 2006, Munilla et al. modified Hancke and Kuhn's
protocol by applying void challenges [13]. Reid et al. [14] eliminated
HKP's vulnerability to the terrorist fraud attack. In 2009, Avoine et al.
[15] extended the void challenges to p-symbols. In order to better
understand the process of these proposals, I divide the process into four
basic phases as follows:
• Initialization. The verifier and the prover share some security
  parameters such as secret keys and hash functions. The verifier also sets
  the maximum expected RTT $t_{max}$ in this phase.
• Slow Phase. The verifier and the prover make preparations for the Fast
  Phase, such as negotiating the rules for generating correct response
  bits. Generally, in this phase, the verifier and the prover exchange more
  than one bit of data in each round.
• Fast Phase. This phase consists of n rounds. In each round, the verifier
  picks a random challenge bit $c_i$ and sends it to the prover. The latter
  immediately responds with $r_i$, and the verifier records the time
  between sending $c_i$ and receiving $r_i$.
• Verification. The verifier ensures that the exchanges in the Fast Phase
  have been executed faithfully and can therefore use the RTT to calculate
  the distance.

A. Brands and Chaum's Protocol

Brands and Chaum described the first distance-bounding protocol, based on
timing the single-bit round-trip time in a cryptographic challenge-response
exchange; it is shown in Figure 3.
• Initialization. The verifier and the prover share no security parameters,
  so the verifier just needs to set up a timing bound $t_{max}$.
• Slow Phase. The verifier generates a random bit string of challenges C
  and the prover generates a random bit string M which serves as one part
  of the response; both C and M have the same length n. The prover then
  commits to the string M to the verifier before the Fast Phase starts. The
  prover's responses R are based on the string M and the challenges C, so
  the prover must wait until he has received the challenge before
  transmitting his responses.
• Fast Phase. The verifier transmits one challenge bit $c_i$ at a time (for
  all i = 1,..., n), to which the prover responds immediately with
  $r_i = c_i \oplus m_i$. The verifier times the round-trip delay $t_i$
  between sending each bit $c_i$ and receiving the corresponding response
  bit $r_i$.
• Verification. The prover reveals M and transmits a digital signature of
  the concatenation of the two bit strings C and R. The verifier checks
  whether the prover received the correct challenge bits by using the
  digital signature. The verifier also checks that $m_i = c_i \oplus r_i$
  for i = 1 to n, thus confirming that the prover sent the right response
  and used the string M he committed to. Finally, the verifier checks that
  $t_i \le t_{max}$ for all i, $1 \le i \le n$, to make sure that the
  prover is in the neighborhood.
A fraudulent prover or a third party attacker that attempts to
preemptively guess all the response bits $r_i$ will succeed with
probability $2^{-n}$. The protocol fails if a single bit error occurs
during the exchange stage, since the verification signature will be
incorrect and not accepted by the verifier.

Figure 3. Brands and Chaum's protocol

B. Hancke and Kuhn's Protocol

The HK protocol [7], depicted in Figure 4, is the most popular distance
bounding protocol in RFID systems. HKP is a simple and fast protocol, but
it suffers from a high adversary success probability. The phases are
described as follows:
• Initialization. The Reader (R) and the Tag (T) share a secret x and agree
  on a security parameter n and a public pseudo random function H whose
  output size is 2n. R sets a timing bound $t_{max}$, which is the maximum
  expected RTT.
• Slow Phase. R generates a random nonce $N_a$ and sends it to T. In
  response, T generates $N_b$ and sends it to R. R and T then both compute
  $H^{2n} := H(x, N_a, N_b)$. Let $H_i$ ($1 \le i \le 2n$) denote the ith
  bit of $H^{2n}$, and $H_i \ldots H_j$ ($1 \le i < j \le 2n$) denote the
  concatenation of the bits from $H_i$ to $H_j$. Then R and T split
  $H^{2n}$ into two registers of length n: $v^0 := H_1 \ldots H_n$ and
  $v^1 := H_{n+1} \ldots H_{2n}$.
• Fast Phase. The fast phase consists of n rounds. In each of the rounds,
  R picks a random bit $c_i$ (the challenge) and sends it to T. T responds
  immediately with $r_i = v_i^0$ if $c_i = 0$ and $r_i = v_i^1$ if
  $c_i = 1$.
• Verification. After n rounds, R checks the correctness of each $r_i$ and
  that the propagation time satisfies $t_i \le t_{max}$ for all i,
  $1 \le i \le n$. If T meets these two conditions, R will regard T as a
  legitimate tag.
The best known attack is based on querying the tag with n 1-bit challenges
between the slow and fast phases in order to obtain a full register. In
general, we can assume that the adversary obtains $v^0$ by sending only
1-bit challenges equal to zero. Afterwards, when she tries to trick the
reader, two cases occur: (a) if $c_i = 0$ she definitely knows the right
answer, (b) if $c_i = 1$, she has no clue about the right answer but she
can try to guess it with probability 1/2. Thereby, the adversary's success
probability is $(3/4)^n$.

Figure 4. Hancke and Kuhn's Protocol

III. DISTANCE BOUNDING PROTOCOL USING ERROR STATE AND PUNISHMENT

HK's protocol is claimed to be resistant to bit errors during the Fast
Phase. The reader checks whether at least k of the n response bits that it
received match the expected response bits it calculated earlier. It has at
least two drawbacks: one is that the reader has to wait until the end of
the Fast Phase to decide whether a tag is valid or not, the other is that
an adversary can make unlimited malicious queries. In order to solve these
problems, we propose using the number of response bit errors instead. In
initialization, the reader sets a maximal number of response bit errors
$n_e$ as a security parameter; when the response bit errors exceed $n_e$,
the protocol ends.

In order to add $n_e$ into the distance bounding protocol, we must record
the number of response bit errors that have already occurred. So we
introduce a new element called error state (e) to represent it. During the
Fast Phase, if $e \le n_e$, the protocol continues to execute; if
$e > n_e$, the protocol terminates. We also introduce a punishment
mechanism for errors: when one error happens, the tag needs to respond to
one more challenge bit. For example, with $n_e = 3$, $S_0$, $S_1$, $S_2$
and $S_3$ stand for the error states, meaning no response bit error, one
response bit error and so on. At the beginning, the tag is in state $S_0$.
When it responds with one bit error, it changes to state $S_1$, which means
the tag can make no more than two further mistakes to successfully pass the
verification; meanwhile the tag has to respond to one more challenge bit
from the reader. If e exceeds 3, the reader breaks off contact with the
tag.

Now we use the above-mentioned four stages to describe our protocol in
detail. The whole process of the protocol is shown in Figure 5.
• Initialization. The Reader (R) and the Tag (T) share a secret x and agree
  on a security parameter n and a public pseudo random function H whose
  output size is 2n. R sets a timing bound $t_{max}$ and a maximal number
  of response bit errors $n_e$.
• Slow Phase. R generates a random nonce $N_a$ and sends it to T. In
  response, T generates $N_b$ and sends it to R. R and T then both compute
  $H^{2(n+n_e)} := H(x, N_a, N_b)$. R and T split $H^{2(n+n_e)}$ into two
  registers of length $n+n_e$:
  $v^0 \| a^0 := H_1 \ldots H_n \| H_{n+1} \ldots H_{n+n_e}$ and
  $v^1 \| a^1 := H_{n+n_e+1} \ldots H_{2n+n_e} \| H_{2n+n_e+1} \ldots H_{2n+2n_e}$.
  $a^0$ and $a^1$ will be used for handling response bit errors.
• Fast Phase. The fast phase consists of two parts. The first part is no
  different from HK's protocol: R picks a random bit $c_i$ and sends it to
  T. T responds immediately with $r_i = v_i^0$ if $c_i = 0$ and
  $r_i = v_i^1$ if $c_i = 1$. This challenge-response lasts for n
  iterations. The second part is similar to the first part and is used for
  punishment. Assuming e is the number of response bit errors and e
  satisfies the condition $e \le n_e$, R picks a random bit $c_i$ and sends
  it to T. T responds immediately with $r_i = a_i^0$ if $c_i = 0$ and
  $r_i = a_i^1$ if $c_i = 1$. This iteration lasts for e times.
• Verification. After the Fast Phase, the reader checks the correctness of
  the $r_i$'s and that the propagation time satisfies $t_i \le t_{max}$ for
  all i, $1 \le i \le n+n_e$.
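The four phases above as a runnable sketch, added here as an illustration and not taken from the paper. Assumptions: SHAKE-256 stands in for the pseudo random function H, RTTs are plain numbers supplied by the tag model, errors made during the punishment rounds also raise e, and all function names are hypothetical.

```python
import hashlib
import secrets

def derive_registers(x, na, nb, n, ne):
    """Split the 2(n+ne)-bit H(x, Na, Nb) into (v0, v1) and (a0, a1)."""
    total = 2 * (n + ne)
    # Assumption: SHAKE-256 over length-prefixed inputs stands in for H.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in (x, na, nb))
    digest = hashlib.shake_256(data).digest((total + 7) // 8)
    bits = [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(total)]
    v0, a0 = bits[:n], bits[n:n + ne]
    v1, a1 = bits[n + ne:2 * n + ne], bits[2 * n + ne:]
    return (v0, v1), (a0, a1)

def make_tag(v, a, flip_rounds=(), rtt=1.0):
    """Tag model: answers from its registers; flip_rounds are first-part
    round indices where noise (or a wrong guess) inverts the response bit."""
    def respond(part, i, c):
        bit = (v if part == "v" else a)[c][i]
        if part == "v" and i in flip_rounds:
            bit ^= 1
        return bit, rtt
    return respond

def reader_fast_phase(v, a, respond, n, ne, t_max):
    """Reader side of the Fast Phase. Returns (accepted, e, rounds_used)."""
    e = rounds = 0
    on_time = True
    for i in range(n):                     # first part: registers v0 / v1
        c = secrets.randbits(1)
        r, t = respond("v", i, c)
        rounds += 1
        on_time &= t <= t_max
        if r != v[c][i]:
            e += 1                         # error state S_e -> S_(e+1)
            if e > ne:
                return False, e, rounds    # more than ne errors: terminate
    j = 0
    while j < e:                           # punishment: one extra round per error
        c = secrets.randbits(1)
        r, t = respond("a", j, c)
        rounds += 1
        on_time &= t <= t_max
        if r != a[c][j]:
            e += 1                         # assumed: these errors count as well
            if e > ne:
                return False, e, rounds
        j += 1
    return on_time, e, rounds              # Verification: every t_i <= t_max

def demo(flip_rounds=(), rtt=1.0, n=16, ne=3, t_max=2.0):
    """One constructed session; the key and nonces are random sample values."""
    x, na, nb = (secrets.token_bytes(16) for _ in range(3))
    v, a = derive_registers(x, na, nb, n, ne)
    tag = make_tag(v, a, flip_rounds, rtt)
    return reader_fast_phase(v, a, tag, n, ne, t_max)
```

A tag with two noisy rounds is accepted only after n+2 rounds, while a fourth error ends the session at that round instead of at the end of the Fast Phase.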

IV. ANALYSIS

Ultra-Wideband (UWB) communication has already been proposed for passive
RFID systems [16,17]. It appears to be the most suitable communication for
fast single bit exchanges in distance bounding protocols. However, the UWB
channel is very sensitive to background noise. To overcome this
unreliability in real applications, distance bounding protocols must
tolerate some errors in the communication between the reader and the tag.
In this section, we mainly discuss the adversary's probability of success
in the noisy case.

The adversary has two main attack strategies. First, he can guess the
responses to the challenges without asking the tag in advance. Second, he
can ask the tag in advance, taking the risk that the tag uncovers him. We
denote by $P_b^{no\text{-}ask}$ the success probability for one bit without
asking and by $P_b^{ask}$ the success probability with asking. From [8] we
know that in HK's protocol $P_b^{no\text{-}ask} = 1/2$ and
$P_b^{ask} = 3/4$. In order to get a higher success probability, attackers
tend to choose the strategy of asking in advance, so we do the analysis and
comparison for that case.

In HK's protocol, the adversary's probability of success can be calculated
in the following way:
$$\sum_{i=0}^{e} \binom{n}{i} \left(\frac{3}{4}\right)^{n-i} \left(\frac{1}{4}\right)^{i} \qquad (1)$$

For our protocol, we can use Figure 6 to illustrate. $S_i$ stands for the
error state in which i response bit errors have happened. The process
starts at $S_0$, and we can use the movement of a point to describe the
protocol. When the tag responds to one bit correctly, the point moves one
step right in the figure; when it responds with one bit error, the point
moves one step up.
If the point arrives at one of the crosses on top, which means $e > n_e$,
the process terminates; if the point arrives at one of the success places
on the right, the process finishes successfully. The two paths drawn in the
figure stand for the cases of termination and success respectively.
If the adversary wants to reach a success place from the start with e
errors, that is, to go from point P(0,0) to point P(n,e), he must pass
through P(n-1,e) to arrive at P(n,e); the number of such paths equals the
number of paths from P(0,0) to P(n-1,e), which is $\binom{n-1+e}{e}$. So
the adversary's probability of success can be calculated as follows:

$$\sum_{i=0}^{e} \binom{n-1+i}{i} \left(\frac{3}{4}\right)^{n} \left(\frac{1}{4}\right)^{i} \qquad (2)$$

Figure 7 plots the average success probability of HKP and our protocol for
an adversary. From the figure, we can see that with the same number of
response bit errors, our protocol has a lower success probability than HKP,
and the performance improves as e increases. Since most existing protocols
did not provide precise results about the adversary's probability of
success in the noisy case, we do not compare our protocol with other
protocols. However, from the analysis we can conclude that the punishment
mechanism is an efficient method to decrease the adversary's probability of
success.
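An added check of the two success probabilities (not code from the paper), reading Eq. (1) as at most e wrong bits in exactly n rounds and Eq. (2) as n correct bits with one extra round per error. `grid_success` is an independent exact walk over the error-state grid described above; all function names are illustrative.

```python
from fractions import Fraction
from math import comb

P_OK = Fraction(3, 4)   # per-round success when asking in advance (HK value)
P_ERR = 1 - P_OK

def hk_success(n, e):
    """Eq. (1): at most e wrong bits among exactly n rounds."""
    return sum(comb(n, i) * P_OK ** (n - i) * P_ERR ** i
               for i in range(e + 1))

def punished_success(n, e):
    """Eq. (2): n correct bits in total, one extra round per error."""
    return sum(comb(n - 1 + i, i) * P_OK ** n * P_ERR ** i
               for i in range(e + 1))

def grid_success(n, ne):
    """Exact walk over the grid: right = correct bit, up = error bit.
    The walk succeeds on the n-th correct bit and dies when errors > ne."""
    reach = {(0, 0): Fraction(1)}      # probability of standing at P(c, err)
    success = Fraction(0)
    for _ in range(n + ne):            # no accepted path is longer than n + ne
        nxt = {}
        for (c, err), p in reach.items():
            if c + 1 == n:
                success += p * P_OK    # reached a success place on the right
            else:
                nxt[(c + 1, err)] = nxt.get((c + 1, err), 0) + p * P_OK
            if err + 1 <= ne:          # otherwise the point hits a cross
                nxt[(c, err + 1)] = nxt.get((c, err + 1), 0) + p * P_ERR
        reach = nxt
    return success

def compare(n=32, max_e=5):
    """Rows of (e, HK probability, punished probability) as floats."""
    return [(e, float(hk_success(n, e)), float(punished_success(n, e)))
            for e in range(max_e + 1)]

if __name__ == "__main__":
    for e, hk, ours in compare():
        print(f"e={e}  HK={hk:.3e}  punished={ours:.3e}")
```

With e = 0 both expressions reduce to (3/4)^n; the punished protocol is strictly lower for every e ≥ 1 at n = 32.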
Figure 5. Distance Bounding Protocol Using Error State and Punishment

Figure 6. Comparative of HKP and our protocol

V. CONCLUSION

Relay attacks are increasingly becoming troublesome for RFID systems. The
solutions to resist relay attacks mainly focus on the use of distance
bounding protocols. Researchers have already proposed many such protocols;
the most popular one is HKP, which is regarded as a reference point. The
contribution of our work is an improvement of HKP that uses an `error
state' to record the number of response bit errors that have already
occurred and a punishment mechanism for erroneous responses, which was not
found in existing distance bounding protocols. In our solution, if the tag
sends one bit error, it must answer one more challenge bit as a penalty,
which means that with the same number of response errors, the success
probability for an adversary to gain access to the system decreases.
Finally, we use Hancke and Kuhn's protocol as a comparison to show the
improvements achieved when different cases are analyzed.

REFERENCES

[1] J. Conway, On Numbers and Games. Academic Press, 1976.
[2] Y. Desmedt, "Major security problems with the `Unforgeable' (Feige)-Fiat-Shamir proofs of identity and how to overcome them," in SecuriCom'88, 1988, pp. 15-17.
[3] S. Drimer and S. J. Murdoch, "Keep your enemies close: distance bounding against smart card relay attacks," in USENIX Security Symposium, August 2007, pp. 87-102.
[4] Z. Kfir and A. Wool, "Picking virtual pockets using relay attacks on contactless smart card systems," 2005, pp. 47-58.
[5] G. Hancke, "A practical relay attack on ISO 14443 proximity cards," Tech. Rep., 2005.
[6] L. Francis, G. P. Hancke, K. Mayes, and K. Markantonakis, "Practical NFC Peer-to-Peer Relay Attack using Mobile Phones," in Workshop on RFID Security (RFIDSec'10), Istanbul, Turkey, June 2010.
[7] S. Brands and D. Chaum, "Distance-bounding protocols (extended abstract)," in EUROCRYPT, 1993, pp. 344-359.
[8] G. Hancke and M. Kuhn, "An RFID Distance Bounding Protocol," in Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm 2005), IEEE. Athens, Greece: IEEE Computer Society, September 2005, pp. 67-73.
[9] K. B. Rasmussen and S. Capkun, "Implications of radio fingerprinting on the security of sensor networks," in Proceedings of IEEE SecureComm, 2007.
[10] Y.-C. Hu, A. Perrig, and D. B. Johnson, "Packet leashes: A defense against wormhole attacks in wireless networks," 2001.
[11] M. Kuhn, "An asymmetric security mechanism for navigation signals," in Proceedings of the Information Hiding Workshop. Springer, 2004, pp. 239-252.
[12] T. Beth and Y. Desmedt, "Identification tokens - or: Solving the chess grandmaster problem," in CRYPTO, 1990, pp. 169-177.
[13] J. Munilla, A. Ortiz, and A. Peinado, "Distance Bounding Protocols with Void-Challenges for RFID," in Workshop on RFID Security (RFIDSec'06). Graz, Austria: Ecrypt, July 2006.
[14] J. Reid, J. M. Nieto, T. Tang, and B. Senadji, "Detecting relay attacks with timing-based protocols," in Proceedings of the 2nd ACM Symposium on Information, Computer and Communications Security, 2007, pp. 204-213.
[15] G. Avoine, C. Floerkemeier, and B. Martin, "RFID Distance Bounding Multistate Enhancement," in Proceedings of the 10th International Conference on Cryptology in India (Indocrypt 2009), ser. Lecture Notes in Computer Science, B. K. Roy and N. Sendrier, Eds., vol. 5922. New Delhi, India: Springer, December 2009, pp. 290-307.
[16] Y. Niu, M. B. Nejad, H. Tenhunen, and L.-R. Zheng, "Design of a digital baseband processor for UWB transceiver on RFID tag," Advanced Information Networking and Applications Workshops, International Conference on, vol. 2, pp. 358-361, 2007.
[17] P. Yu, P. Schaumont, and D. Ha, "Securing RFID with Ultra-Wideband Modulation," in Workshop on RFID Security (RFIDSec'06). Graz, Austria: Ecrypt, July 2006.
