 Hi everyone, my name is Ayesha Jann Abedin and I'm a research expert at IMAG COSIC Research Lab at K Luven. Today, I'm going to present to you an accurate secure and practical narrowband ranging system, which is a joint work with Mojiden Al Susi, Jack Roma, Pepijn Boer and Christian Backman from IMAG the Netherlands and Dave Singlet and myself from COSIC. Secure ranging has a wide range of applications, for example, in passive keyless entry systems, contactless payment systems or smart access control systems, just to name a few. But one of the biggest security threats to these systems is relay attack, in which an attacker relays possibly manipulated signals between the legitimate players in order to decrease the measured distance. An effective countermeasure against relay attacks is distance bounding. A distance bounding protocol adds an authentication layer to ranging. More specifically, an authentication protocol is a cryptographic protocol between two parties that allow the two parties to authenticate each other and to establish an upper bound on the physical distance between them. Proposed in 1993 by Brands and Chowm, distance bounding protocols had been widely studied, especially in the last decade or so. One of the key research challenges is a secure and practical implementation of distance bounding protocols. There are a number of ways to implement distance bounding solutions. For example, one can use received signal strength, which is easy to implement, but also easy to break. An attacker can defeat a system with a simple use of an amplifier, signal amplifier. And one can also use a round trip time or time of flight of the signals to measure the distance. And this has good security properties, and it's well suited for ultra-wideband, but it's hard to implement securely in practice. There's also phase-based ranging, which has good accuracy and well suited for narrowband, for example, Bluetooth low energy radios, but it's vulnerable to phase manipulation attacks. So in this work, we combine phase-based ranging with time-of-flight measurement, which overcomes the pitfalls of the two separate approaches and combines the best of the two worlds. So we apply the phase measurement for accurate ranging and time-of-flight for mitigation of phase manipulation attacks. So at this point, you may wonder why narrowband or why in particular BLE? BLE is supported by a vast commercial ecosystem and is often built into smart devices. Functionalities like low power consumption and low cost make BLE an ideal candidate for secure ranging solutions. In our work, we use the preamble of the BLE frame structure to detect the signal and to set the automatic gain control value and to estimate the carrier frequency offset. And the frame delimiter to synchronize, to authenticate the packet and to estimate the time-of-arrival of the packet. And the protocol data unit contains the payload and finally the constant tone is used for phase-based ranging. So a distance bounding using BLE radios looks like this. The verifier sends a BLE packet followed by a constant tone and as a response, the prover first sends the constant tone and then the response packet. A high-level overview of the secure distance bounding protocol that we design and implement in this paper is as follows. The verifier and prover first establish a shared secure key using an authenticated key exchange protocol. And then they use the established shared key to generate the challenge and response in the next phase in which the verifier and prover exchange in a fast manner packets and tones. And they measure the IQ values of the tone, the constant tone and also time-of-arrival and time-of-departure of the packet. And in the last phase, the prover will send its measurement results back to the verifier and the verifier will estimate the distance based upon the measurement results and makes its decision. In the next few slides, we'll take a closer look at the details of each one of these steps. For the authenticated key exchange, we use a well-known protocol, namely the Sigma protocol by Crouchik. As you may remember from the previous slide, the prover and verifier know each other's public key so in our implementation, they do not send each other's public key in the second and third stages of the process. They are stages of the key exchange protocol and we use 4Q elliptic curve for the implementation. The next stage of packet and tone exchange is also known as distance bounding stage. And in this stage, the verifier and prover engage in an exchange of challenge and response on each carrier frequency. And they measure the time-of-departure and time-of-arrival of each packet they're sending and they're receiving. And they also measure the IQ values of the constant tone that's sent along with the challenge and the response. And once one has access to all the time-stamped measurements, one can easily calculate the time-of-flight based on this simple formula. To understand how phase-based ranging works, let's take a look at multi-carrier phase difference or MCPD. In MCPD, what each party does is basically to measure the difference between the phase of the local PLL on the same frequency as the arriving tone. And once one has access to the estimated phase difference on each side, then one can obtain the round-trip phase. So what is that if we execute this procedure on at least two frequencies, then we can obtain the distance as estimated distance as follows. And here, this figure is the ambiguity bound. So if we have a frequency step size of 1 MHz, then the ambiguity bound is 150 m. And if the frequency step size is 2 MHz, then 75 m is the ambiguity bound and so on. At the end of the distance bounding stage, the prover sends all its measurement results to the verifier. The measurement results include the IQ measurements of each tone, the status of the received challenge and the time-stamped measurements of the received challenge and the sent response. Once verifier receives this information from the prover, it estimates the time of flight of each packet and then proceeds to calculate the number of rounds in which both the challenge and response are correct and the time of flight is below the ambiguity bound. And then it calculates if the number of rounds is less than a preset threshold for the correct number of rounds, it estimates the average time of flight and checks whether that is below the circle of trust, and only then it proceeds to calculate the distance using the estimated phase. And if the phase-based distance is below the threshold, below which the prover can access to the resources provided by the verifier, controlled by the verifier, verifier gives access to the prover. So what the verifier basically does in this stage is first to bring everything below the ambiguity bound and then check whether the time of flight gives a distance which is below the circle of trust, which allows the verifier to trust the phase-based distance measurement. I won't go into the details of the security analysis which you can read in detail in the paper, but only mention briefly that the proposed secure distance bounding protocol is resistant against all logical layer attacks as well as known implementation layer attacks. So in that sense, the proposed protocol combines the best of both worlds. We implemented the design solution on the NXP KW36 BLE chips, and what you see here on the verifier side, the device that's connected to the BLE chip is a Raspberry Pi used for access control. We first measure the distance using phase and the time of flight measurements in outer environment when the verifier and prover are separated from each other at various distances. This is our measurement results for 10 different distances between the verifier and the prover. If we look at the precision and the accuracy of the distance measurements, we can observe that the phase-based measurement is highly accurate and precise, and the time of flight-based distance estimation is, although not as accurate as the phase-based distance measurement, is sufficient to protect against phase manipulation attacks, as we will see in the actual relay attack evaluation later on. We further do measurements when the verifier and prover are closer to each other and far away from each other, but not beyond the ambiguity bound, of course, and in both scenarios, our obtained results are as expected. Finally, we evaluate the relay attack in particular the phase rollover attack on our system. In this setup, the verifier and prover are beyond each other's communication range, and the relay attack adversary consists of two antennae and a cable connecting the two antennae, and it simply relays the signal between the verifier and prover without any processing. We use frequency step size of 4 MHz just so that we have 37.5 m for the ambiguity bound, so that we can evaluate the attack using shorter cables. And what we obtain is, again, demonstrates that the time of flight measurement offers protection against such phase rollover attack, because what we see is that the phase-based distance estimation gives a small distance because the phase already has rolled over, but the time of flight measurement gives a distance which is beyond the ambiguity bound, indicating that the phase has already been rolled over, so the phase-based distance cannot be trusted. To summarize in this paper, we have designed and implemented an accurate, secure, and practical narrowband ranging system combining phase-based measurement offering an accuracy of less than 30 cm with a precision of less than 2.5 cm, and time of flight measurements for protection against phase manipulation attacks. An interesting future work would be to extend the current work to a setting of secure group ranging. With that, I thank you all for your attention.