Implementation of a Countermeasure to Relay Attacks for Contactless HF Systems

http://dx.doi.org/10.5772/53393

© 2013 Thevenon and Savry; licensee InTech. This is an open access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

**1. Introduction**

Nowadays, HF contactless technologies following the ISO 14443 standard are extensively used worldwide. Critical applications like access control or payment require high security guarantees. However, contactless channels are less secure and offer more opportunities for intrusion than other communication channels, e.g. eavesdropping and contactless card activation using a false reader [1, 2, 3, 11]. Among the attacks on the physical layer, the relay attack is the most dangerous because of its simplicity, its impact and its insensitivity to cryptographic protections. It consists in setting up an unauthorized communication between two devices that are out of each other's operating range [4, 6]. In Figure 1, two attackers create a link between the reader and the contactless card without the agreement of the card owner. A relay is composed of two elements: a first one close to the reader, called the proxy, and a second one close to the card, called the mole. These two elements communicate with each other over a wired or a wireless link.

**Figure 1.** Relay scenario in a queue

A relay attack is completely transparent to current contactless systems and cryptographic protocols. A possible countermeasure is the distance bounding protocol, which adds an upper bound on the distance between the two communicating devices.

In this chapter, we will first assess the potential of relay attacks by implementing them, keeping in mind the concern of introducing as low a delay as possible. Indeed, this delay remains the only detectable feature of such an attack, and the existing countermeasures rely on its accurate assessment.

The delay constraint guides us towards the development of three kinds of relay: a passive wired relay, a relay based on a wireless super-heterodyne system and a wireless relay with complete demodulation of the signal. Our experimental results show that these cheap devices introduce very low delays, from 300 ns to 2 µs, jeopardizing the use of current distance bounding protocols. A better adapted solution will then be implemented and addressed in the second part of the document. It modifies the stage of the distance bounding protocol which uses the physical layer to carry out a delay assessment, using a correlation in the reader between the received signal and the expected one. Finally, a security analysis will be performed and improvements will be discussed.

**•** The encrypted data are transmitted as plain text.

**•** The attack occurs on the physical layer, i.e. the relay transmits coded bits without any knowledge of the meaning of the frame. The ISO 9798 standard presents an authentication protocol to prove that the contactless devices involved in the communication share the same secret key. Against eavesdropping or skimming attacks, the use of this kind of protocol limits the risks. For relay attacks, knowing the key is not necessary: a relay neither modifies the information in the frame nor has to know its meaning. It just transmits the data.

**•** Contactless standards such as ISO 14443 impose timing constraints in order to synchronize the data sent by several cards at the same time, especially during the anti-collision protocol. However, these constraints are not enforced by the majority of cards [9]. These requirements would complicate the relay attack if they were really applied. Another weakness of the standard is the time delay between the reader request and the card answer. This delay is not only long but also expandable by the card, and consequently by an attacker.

**2.2. Presentation of relay attacks**

The delay in current relays is mainly due to the use of components such as microcontrollers or RFID chips. These components are used to reconstruct the decoded signals so that the original signal becomes compatible with other protocols, like WiFi or GSM, used in the wireless communication between the mole and the proxy. All this signal processing adds delay in the relay. The delay can be considerably lowered by using only analog components. Attack scenarios with wired relays must then be considered because they can induce very low delays. Moreover, this kind of relay is simple to build, with few cheap components. Even if they seem unlikely, they can be effective in a queue, for example, or if they are hidden in the environment.

*2.2.1. Passive wired relay*

Fig. 2 depicts a simple design of a relay which introduces a very low delay, close to one period of the 13.56 MHz carrier. This relay does not require an amplifier or any other active component. The coaxial cable between the two antennas can be longer than 20 m. Such a system is very low cost: the attacker needs a piece of PCB, a few components for the matching and a coaxial cable. The overall cost is a few dollars at most. We claim that wired relays are, by design, the simplest and fastest relays and, as a consequence, they should challenge the countermeasure approaches which only parry the largest delays.

*2.2.2. Relay based on a wireless super heterodyne system*

This relay, shown in Fig. 3, is quite similar to the relay attack developed by Hancke because it is not restricted to a wired link. Contrary to Hancke's relay, our wireless relay does not use digital components like microcontrollers or RFID chips to process the signal, so the delay induced by this relay should be shorter. To do so, the reader signal of frequency fc is mixed with another signal of frequency F generated by a local oscillator. The result is a signal of frequency fc+F, easier
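As an added illustration (not the chapter's own code or measurements) of the delay assessment by correlation that the proposed countermeasure relies on: the reader slides a template of the expected card answer over the received signal, takes the best-matching lag as the relay delay and turns it into a distance bound. It assumes an idealised Manchester baseband envelope at 106 kbit/s (fc/128) sampled at 8 samples per 13.56 MHz carrier period and an assumed 100 ns acceptance budget; the 300 ns and 2 µs delays are the range the chapter reports for its relays.

```python
import math

FC = 13.56e6                # ISO 14443 carrier frequency (from the chapter)
OVERSAMPLE = 8              # assumption: 8 samples per carrier period
FS = FC * OVERSAMPLE        # ~108.5 MS/s, i.e. ~9.2 ns timing resolution
C = 299_792_458.0           # speed of light in m/s
SAMPLES_PER_BIT = 128 * OVERSAMPLE  # 106 kbit/s (fc/128): one bit = 128 carrier periods

def expected_envelope(bits):
    """Constructed 'expected' card answer: an idealised Manchester baseband
    envelope, 1 = high then low half-bit, 0 = low then high (assumption)."""
    half = SAMPLES_PER_BIT // 2
    hi, lo = [1.0] * half, [0.0] * half
    out = []
    for b in bits:
        out += (hi + lo) if b else (lo + hi)
    return out

def relayed(signal, delay_s):
    """Model of a relay on the path: the answer is unchanged but arrives
    delay_s late, the only observable the countermeasure can exploit."""
    return [0.0] * int(round(delay_s * FS)) + signal

def estimate_delay(received, expected, max_lag):
    """Reader-side delay assessment: slide a bipolar (+1/-1) template of the
    expected answer over the received envelope and keep the best-matching lag."""
    template = [2.0 * e - 1.0 for e in expected]
    n, best_lag, best = len(template), 0, -math.inf
    for lag in range(max_lag + 1):
        score = sum(r * t for r, t in zip(received[lag:lag + n], template))
        if score > best:
            best, best_lag = score, lag
    return best_lag / FS            # measured extra delay in seconds

def round_trip_to_distance(delay_s):
    """Distance bound implied by an extra round-trip delay (signal travels at c)."""
    return C * delay_s / 2.0

def check_answer(received, expected, tolerance_s=100e-9, max_delay_s=3e-6):
    """Accept the answer only if the measured delay is within the reader's
    budget. tolerance_s is an assumed budget, not a value from the chapter."""
    delay = estimate_delay(received, expected, int(max_delay_s * FS))
    return delay <= tolerance_s, delay

if __name__ == "__main__":
    answer = expected_envelope([1, 0, 1, 1])        # constructed 4-bit answer
    for d in (0.0, 300e-9, 2e-6):                   # direct card, wired relay, wireless relay
        ok, measured = check_answer(relayed(answer, d), answer)
        print(f"relay delay {d*1e9:6.0f} ns -> measured {measured*1e9:6.1f} ns, "
              f"bound {round_trip_to_distance(measured):5.1f} m, accepted={ok}")
```

At this sampling rate the 300 ns wired-relay delay is resolved to within one sample (about 9 ns), which is exactly the regime a countermeasure that only parries large delays would miss.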
