Radio Frequency Identification System Security: Rfidsec'11 Asia Workshop Proceedings v6

RADIO FREQUENCY IDENTIFICATION SYSTEM SECURITY

Cryptology and Information Security Series The Cryptology & Information Security Series (CISS) presents the latest research results in the theory and practice, analysis and design, implementation, application and experience of cryptology and information security techniques. It covers all aspects of cryptology and information security for an audience of information security researchers with specialized technical backgrounds. Coordinating Series Editors: Raphael C.-W. Phan and Jianying Zhou Series editors Feng Bao, Institute for Infocomm Research, Singapore Kefei Chen, Shanghai Jiaotong University, China Robert Deng, SMU, Singapore Yevgeniy Dodis, New York University, USA Dieter Gollmann, TU Hamburg-Harburg, Germany Markus Jakobsson, Indiana University, USA Marc Joye, Thomson R&D, France Javier Lopez, University of Malaga, Spain

Nasir Memon, Polytech University, USA Chris Mitchell, RHUL, United Kingdom David Naccache, École Normale Supérieure, France Gregory Neven, IBM Research, Switzerland Phong Nguyen, CNRS / École Normale Supérieure, France Andrew Odlyzko, University of Minnesota, USA Adam Young, MITRE Corporation, USA Moti Yung, Columbia University, USA

Volume 6 Recently published in this series Vol. 5. Vol. 4. Vol. 3. Vol. 2. Vol. 1.

V. Cortier and S. Kremer (Eds.), Formal Models and Techniques for Analyzing Security Protocols Y. Li and J. Zhou (Eds.), Radio Frequency Identification System Security – RFIDsec’10 Asia Workshop Proceedings C. Czosseck and K. Geers (Eds.), The Virtual Battlefield: Perspectives on Cyber Warfare M. Joye and G. Neven (Eds.), Identity-Based Cryptography J. Lopez and J. Zhou (Eds.), Wireless Sensor Network Security

ISSN 1871-6431 (print) ISSN 1879-8101 (online)

Radio Frequency Identification System Security RFIDsec’11 Asia Workshop Proceedings

Edited by

Tieyan Li Institute for Infocomm Research (I2R), Singapore

Chao-Hsien Chu Pennsylvania State University, USA

Ping Wang Peking University, China

and

Guilin Wang University of Wollongong, Australia

Amsterdam • Berlin • Tokyo • Washington, DC

© 2011 The authors and IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher. ISBN 978-1-60750-721-5 (print) ISBN 978-1-60750-722-2 (online) Library of Congress Control Number: 2011922546 Publisher IOS Press BV Nieuwe Hemweg 6B 1013 BG Amsterdam The Netherlands fax: +31 20 687 0019 e-mail: [email protected] Distributor in the USA and Canada IOS Press, Inc. 4502 Rachael Manor Drive Fairfax, VA 22032 USA fax: +1 703 323 3668 e-mail: [email protected]

LEGAL NOTICE The publisher is not responsible for the use which might be made of the following information. PRINTED IN THE NETHERLANDS

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved.

v

Preface This volume contains the papers presented at the 2011 Workshop on RFID Security (RFIDse’11 Asia) held in Wuxi, China on April 6–8, 2011. The workshop was hosted by Peking University, and co-hosted by Penn state University. The Honorary Chairs were Fuqing Yang from Peking University and Weize Yang from Wuxi Government. The General Chairs were Xueming Tan from Wuxi Government, Zhong Chen from Peking University, Qi Zhang from RFID China Alliance, and Dave Hall from Penn State University. RFIDsec Asia is the Asia version of the earliest RFID security workshop (RFIDsec) that has been devoted to address the security and privacy issues in Radio Frequency Identification (RFID). Starting in 2005, RFIDsec has been organized as a series of workshops held in Graz (2005/06), Malaga (2007), Budapest (2008), Leuven (2009) and Istanbul (2010). RFIDsec’11 Asia is the third edition of the Asia series of workshops followed by RFIDsec’10 Asia in Singapore (2010) and RFIDsec’09 Asia in Taipei (2009). RFIDsec’11 Asia provides a forum to address the fundamental issues in theory and practice related to security and privacy issues, designs, standards, and case studies in the development of RFID systems, EPCglobal network, and Internet of Things (IoT). This year we had an excellent program that consists of one invited paper, and nine regular papers, which were selected after a rigorous reviewing process by the Program Committee members and external reviewers. The papers cover many interesting topics in the realm of RFID security, including distance bounding and mutual authentication protocols, public key cryptography implementation and Internet of Things. All RFIDsec’11 Asia papers are published formally by IOS Press in the Cryptology and Information Security Series (CISS). A number of selected papers in the RFIDsec’11 Asia proceedings may be invited for submission to a special issue of an international journal. The success of RFIDsec’11 Asia was made through the contributions from many individuals and organizations. We thank all authors who submitted their scientific papers. We are grateful to all Program Committee members and external reviewers for the time and effort they put into reviewing and commenting. Further on, we thank the Organization Committee, especially, Guangyi Shi for managing the workshop website. Last but not least, we are grateful to the Peking university Wuxi campus for sponsoring the workshop. RFIDsec’11 Asia Program Chairs Tieyan Li, Chao-Hsien Chu, and Ping Wang April 2011

This page intentionally left blank

vii

Organization of the 2011 Workshop on RFID Security (RFIDsec’11 Asia) 6–8 April, 2011, Wuxi, China Hosted by Peking University, China Co-hosted by Penn State University, USA Supported by RFIDsec Asia

Honorary Chair Fuqing Yang (Peking University, China) Weize Yang (Wuxi City, China) General Co-Chairs Xueming Tan (Wuxi City, China) Zhong Chen (Peking University, China) Qi Zhang (RFID China Alliance, China) Dave Hall (Penn State University, USA) Program Co-Chairs Tieyan Li (Institute for Infocomm Research, Singapore) Chao-hsien Chu (Penn State University, USA) Ping Wang (Peking University, China) Program Committee Members Manfred Aigner (TU-Graz, Austria) Mike Burmester (Florida State University, USA) Hung-Yu Chien (NCNU, Taiwan) Jia Di (U. of Arkansas, USA) Tassos D. Dimitriou (AIT, Greece) Juan Estevez-Tapiador (York University, UK) Qijun Gu (Texas State University, USA) Jinsong Han (Xi’an Jiaotong Univ., China) Shuihua Han (Xiamen University, China) Julio C. Hernandez-Castro (University of Portsmouth, UK) Sozo Inoue (Kyushu Institute of Technology, Japan) Florian Kerschbaum (SAP Research, Germany) Kwangjo Kim (KAIST, Korea) Miroslaw Kutylowski (WUT, Poland) Kwok-yan Lam (Tsinghua University, China) Yingjiu Li (SMU, Singapore)

viii

Nai-Wei Lo (NTUST, Taiwan) Yong Lu (Penn State Univ., USA) Zongwei Luo (Hong Kong University, Hong Kong) Masahiro Mambo (University of Tsukuba, Japan) Atsuko Miyaji (JAIST, Japan) Yi Mu (UOW, Australia) Pedro Peris-Lopez (TU Delft, Netherlands) Raphael Phan (Loughborough University, UK) Matthew Robshaw (Orange Labs, France) Kazuo Sakiyama (UEC, Japan) Kouichi Sakurai (Kyushu University, Japan) Huiping Sun (Peking University, China) Willy Susilo (UOW, Australia) Dale Thompson (University of Arkansas, US) Guilin Wang (UOW, Australia) Jie Wang (University of Massachusetts, USA) Chan Yeob Yeun (KUSTAR, UAE) Yunlei Zhao (Fudan University, China) Sencun Zhu (Penn State University, USA) Weisong Shi (Wayne State University, USA) Publication Chairs Guilin Wang (UOW, Australia) Organization Co-Chairs Ping Wang (Peking University, China) Keping Zhang (Wuxi City, China) Organization Vice Co-Chairs Guangyi Shi (Peking University, China) Organization Committee Members Huiping Sun (Peking University, China) Ying Ding (Peking University, China) Xiaodi Gao (Peking University, China) Yi Gong (Peking University, China) Juan Zhang (Peking University, China) Hongzhen Xue (Peking University, China) Jiali Yang (Peking University, China) Kaiming Yang (Peking University, China) Hongquan Wang (Peking University, China) Xiaolan Zhou (Peking University, China) Yufeng Fan (Peking University, China) Local Arrangement Chair Hongzhen Xue (Peking University, China) Secretary General Zhonghai Wu (Peking University, China)

ix

External Reviewers Shu Cheng Konidala Munirathnam Divyan Yoshikazu Hanatani Lukasz Krzywiecki Krzysztof Majcher Shin’ichiro Matsuo Takashi Nishide Soyoung Park Koutarou Suzuki

This page intentionally left blank

xi

Contents Preface Tieyan Li, Chao-Hsien Chu and Ping Wang Organization of the 2011 Workshop on RFID Security (RFIDsec’11 Asia) 6–8 April, 2011, Wuxi, China

v

vii

Invited Paper Passive Black-Box Cryptanalysis of an Ultralightweight Protocol After Eavesdropping One Authentication Session Julio Cesar Hernandez-Castro, Pedro Peris-Lopez, Juan E. Tapiador, Raphael C.-W. Phan and Tieyan Li

3

Regular Papers A Fine-Grained Authentication Method for Inter-Domain EPCglobal Network Bing Liu and Chao-Hsien Chu

21

RFID Mutual Authentication Protocols with Universally Composable Security Chunhua Su, Yingjiu Li and Robert H. Deng

35

On False Authentications for C1G2 Passive RFID Tags Kevin Chiew, Yingjiu Li, Tieyan Li and Robert H. Deng

50

Attacks and Improvements to a New RFID Authentication Protocol Mohammad Hassan Habibi, Mahmud Gardeshi and Mahdi R. Alagheband

66

RFID Electronic Visa with Personalized Verification Przemysław Błaśkiewicz, Jacek Cichoń, Mirosław Kutyłowski and Krzysztof Majcher

81

A Sub-0.5V Lattice-Based Public-Key Encryption Scheme for RFID Platforms in 130nm CMOS Yu Yao, Jiawei Huang, Sudhanshu Khanna, Abhi Shelat, Benton Highsmith Calhoun, John Lach and David Evans Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things Sandra Dominikus, Hannes Gross, Manfred Aigner and Stefan Kraxberger MEED: A Memory-Efficient Distance Bounding Protocol with Error Detection Wei Xin, Cong Tang, Hu Xiong, Yonggang Wang, Huiping Sun, Zhi Guan and Zhong Chen

96

114

129

xii

Integrated EPC Information Service Authentication Using OpenID in Cross Domains Yan-Chen Liu, Hung-Yu Chien, Yu-Chang Chen, Chu-Sing Yang and Nai-Wei Lo

144

Subject Index

155

Author Index

157

Invited Paper

This page intentionally left blank

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-722-2-3

3

Passive Black-Box Cryptanalysis of an Ultralightweight Protocol after Eavesdropping One Authentication Session Julio Cesar Hernandez-Castro a,1 Pedro Peris-Lopez b Juan E. Tapiador c Raphael C.-W. Phan d Tieyan Li e a School of Computing, University of Portsmouth, UK b Information Security and Privacy Lab, Technical University of Delft, The Netherlands c Department of Computer Science, University of York, UK d Department of Electronic & Electrical Engineering, Loughborough University, UK e Institute for Infocomm Research, A*STAR, Singapore Abstract. We present a black-box attack that is able to fully recover the secret values shared between entities involved in an authentication protocol. First, we explain how this black-box technique can be successfully applied against the class of protocols commonly known as ultralightweight protocols. Then, the effectiveness of this attack is shown by successfully cryptanalyzing the David-Prasad ultralightweight protocol [1], which is one of the most recent proposals in this research area. We show how we can recover the secret static identifier ID – the most valuable information which the protocol is designed to conceal – after eavesdropping only one protocol session. Our attack compares favorably to previous attacks against this protocol, and constitutes an interesting alternative for the very realistic scenario of attackers having access only to messages exchanged during a single authentication session. We also show how this disclosure attack can be used to mount a very powerful traceability attack that also improves on previous results. Keywords. Black-box attack, cryptographic protocols, ultralightweight cryptography, cryptanalysis

1. Introduction Only a few researchers have investigated in the past the possibility of using heuristic algorithms in cryptanalysis. Two very relevant works are those of Knudsen and Meier [2], and of Clark and Jacob [3]. Although these results had quite an impact on the security of Identification Protocols, both were more focused on solving the underlying NP-hard problem (the Permuted Perceptron Problem, PPP [4]) than in the protocol itself. 1 Corresponding Author: School of Computing, Buckingham Building, Lion Terrace, Portsmouth PO1 3HE, United Kingdom; E-mail: [email protected]

4

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

In this paper, we cast metaheuristics in a general light as a black box technique to cryptanalyze protocols using only a single eavesdropped session. We demonstrate the applicability of this technique against an ultralightweight RFID protocol. Such protocols are designed to keep a tiny footprint as demanded by low-cost RFID tags, and use only the composition of bitwise logical and arithmetic operations. In [5], an interesting work was presented in this vein. Nevertheless, its relevance is limited as the practicability of the technique is tested only by cryptanalyzing a toy protocol (a scaled-down and simplified version of SASI [6]). More interesting results, following a related scheme, were subsequently published against another lightweight RFID authentication protocol called SLMAP [7]. Heuristic techniques are also useful for evolving or automatically designing cryptographic protocols. In [8], the use of simulated annealing and genetic algorithms were combined to generate correct and efficient BAN protocols. Similarly, Chen et al. [9] showed how an optimization based technique can be used successfully to generate abstract security protocols. The rest of the paper is organized as follows. In the next section, we present a general model for the metaheuristic attack on cryptographic protocols, and describe its details. After this, in Section 3 we describe a recently proposed ultralightweight authentication protocol for low-cost RFID tags, and later in Section 4 we demonstrate our new metaheuristic cryptanalysis of this protocol. Finally, in Section 5 we draw some concluding remarks and comment on directions for future research. 2. Black-Box Technique The cryptanalysis of a security protocol can be interpreted as a search problem in which a range of metaheuristics search techniques (Simulated Annealing, Genetic Algorithms, Genetic Programming, etc.) are available. In general, during this search we will try to find which are the secret state values (keys, static identifier, nonces, etc.) of some subset of the entities involved in the protocol. We can follow several strategies to reveal this confidential information. The most natural approach is to evaluate the cost function at the tentative set of secret values. More precisely, we measure the proximity of the messages produced by these tentative solutions to the real public protocol messages – generated and exchanged during the actual protocol execution. Several messages (M ) are exchanged between the participants of a M -pass cryptographic protocol to achieve its security objective(s) (e.g. authentication, key exchange, etc.) These messages are sent via a public channel that can be easily eavesdropped by a passive attacker. In the RFID context, messages are passed between the reader and the tag over the insecure radio channel. In our attack model, the cryptanalyst will generally try to infer the secret values that the two entities intend to hide, by exploiting the knowledge of the exchanged messages. The effectiveness of this strategy against welldesigned protocols, based on highly-nonlinear standard cryptographic primitives such as block ciphers or hash functions, is questionable because states that are very close to the real secret state should not produce messages that are very close (for any useful distance definition) to the real public messages. Favorably for our cryptanalysis, new proposals in the field of lightweight cryptography cannot follow standard approaches since the intended devices (i.e low-cost RFID

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

5

tags, sensor networks, etc.) have severe limitations regarding their computation capabilities, memory, power consumption, etc. That is, these devices cannot generally support on-chip classical cryptographic primitives such as hash functions [10]. Taking advantage of this fact, we can identify many of the blossoming ultra-lightweight protocols as potential candidates to be vulnerable against attacks based on our metaheuristic approach. We now introduce the principles underlying our proposed attack. First, we explain the requirements that the target protocol should meet. Once we check these prerequisites, we can run an efficient search algorithm. Requirement 1. Let P be a security protocol in which the entities {X1 , X2 , .... Xn } exchange M messages. K1 of these messages are transmitted over a secure channel, while the rest K2 = M −K1 messages pass over an insecure channel and can be snooped by an adversary A. What we require here is that K2 should be a positive integer, i.e. K2 > 0. This is quite a general requirement and most if not all protocols meet it. Requirement 2. Let P be a security protocol in which the entities {X1 , X2 , ...., Xn } exchange M messages. L1 of these messages are computed by using standard cryptographic primitives. But, and this could be quite advantageously for the attacker A, the remaining L2 messages are computed by using bitwise logic and arithmetic operations; where L = L1 + L2 , for some non-negative integer L1 and a positive integer L2 . In an RFID protocol, three entities are mainly involved: 1) tags; 2) readers; 3) backend database. It is commonly assumed that the communications between the reader and the database is secure. However, the reader and the tag use the radio channel, which is completely insecure. So, in general terms, RFID systems meet Requirement 1. On the other hand, RFID protocols can be classified according to the computing capabilities of the tags [6]. We can roughly distinguish between high-cost tags and low-cost tags. Highcost tags are divided into two classes: “full-fledged” and “simple”. Full-fledged tags support on-board conventional cryptography like symmetric encryption, cryptographic one-way functions and even public key cryptography. Simple tags can support random number generators and one-way hash functions. Likewise, there are two classes for lowcost RFID tags. “Lightweight” tags are those whose chip supports a random number generator and simple functions like a Cyclic Redundancy Checksum (CRC), but not cryptographic hash functions. “Ultralightweight” tags can only compute simple bitwise operations like XOR, AND, OR, etc. Summarizing, both lightweight and ultralightweight RFID protocols comply with Requirements 1 & 2. We can simplify our model because the adversary cannot capture the K1 messages passed over the secure channel and he cannot generally obtain any advantage from the L1 messages computing by using standard cryptographic primitives. So, the candidate protocols to be vulnerable against a metaheuristic full recovery attack meet the following definition: Definition 1. Let an (ultra)lightweight protocol ((U )LP) be one in which only two entities {X1 , X2 } are involved and share some secret values {K1 , K2 , . . . , Ks }. During the protocol execution, the two entities exchange some messages {M1 , M2 , . . . , Mm } that are computed by using bitwise logical and arithmetical operations and these are transmitted over an insecure channel. So, the (U)LP protocol is compliant with Requirements 1 and 2 (K1 = 0, L1 = 0, K2 = L2 = |{M1 , M2 , . . . , Mm }| = m).

6

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

From here on, we consider the case where our target T -ULP protocol is compliant with Definition 1 and our objective is the disclosure of the secret values (i.e. {K1 , K2 . . . , Kk }) by eavesdropping one session. The attacker starts from the knowledge of messages {M1 , M2 , . . . , Mm } linked to any legitimate session between X1 and X2 . As the protocol is public, the attacker could conduct an exhaustive search trying to find what secret values {K1 , K2 , . . . , Kk } generate the captured messages. However, instead of doing that, a much more efficient search can be executed. There are many alternatives and probably most of them would give reasonably good results but we decided to use a Genetic Algorithm because of its good tradeoff between efficiency and its ability to escape from local optima. Here, we explain the steps followed in using this technique. 1. Population Initialization: First, a population of abstract representations of candidate solutions (named individuals) is generated. In our case, each candidate represents a possible set of secret values shared between the entities {X1 , X2 } involved in the protocol. More precisely, the secret values {K1 , K2 , . . . , Kk } of each individual are randomly initialized. The population size is a parameter that has to be set and it typically contains hundreds or thousands of possible solutions. The first population is generally randomly generated. 2. Genetic Algorithm is executed: (a) Selection: A proportion of the existing candidates is selected and this subset is used to generate a new generation. Basically, we evaluate the whole set of candidates by using a fitness function and then the bad candidates are probabilistically discarded by some selection method, in our case roulette wheel selection. In our particular problem, for each individual {K1 , K2 ,. . . ,Kk } , we run the T -ULP protocol and obtain the associated public messages {M1 , M2 , . . . , Mm }. Then, we evaluate via a fitness-based process the proximity of these values and the values captured {M1 , M2 , . . . , Mm }. So, in general terms the fitness function is defined as: fS = pd({M 1 , M 2 , . . . , M m }, {M1 , M2 , . . . , Mm })

(1)

where pd(·) symbolizes a proximity distance function, which can simply be implemented by common distances such as Hamming, Euclidean, Edit, and Weighted distances. (b) Reproduction: new individuals are created by using the methods of mutation or crossover. More precisely, we randomly select a pair of individuals from the pool selected previously and a new individual is generated by using one of the multiple crossover methods available, like single point crossover where we randomly choose a point and before it we copy the genome of one of the parents and before it that of the other. The process is repeated with new pairs until the new population of solutions has the appropriate size. The crossover and mutation probabilities set how often these methods are executed and these parameters have to be fixed at the beginning. (c) Termination: the process (a-b-c) is repeated until a termination condition is reached. There are many such alternative conditions, such as finding a solution

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

7

that satisfies the minimum criteria (i.e. pd({M 1 , M 2 , . . . }, {M1 , M2 , . . . 1| ), reaching a fixed number of generations, }) < δ, where 0 < δ < m·|M 2 consuming a maximum computation time, etc. The selection of the parameters of the Genetic Algorithm determines its efficiency and effectiveness. The choice of the population size, cross-over and mutation probabilities and the termination criteria is relatively easy to challenge and can only be analyzed by the quality of the final results. Nevertheless, the design of the fitness function is not an easy task and we found our proposed one, despite its simplicity, only after performing large number of experiments.

3. Description of the David-Prasad Protocol David and Prasad proposed at MobiSec’09 [1] an ultralightweight RFID authentication protocol inspired by previous approaches such as the UMAP family of protocols [11,12, 13], and the SASI [6] and Gossamer protocols [14]. This DP protocol aims to provide a strong authentication mechanism and, at the same time, to offer a significant reduction in the computational load of the tag, without compromising security. The tag and the server (also called back-end database) share four values: The old and the potential new pseudonym {PID , PID2 }, respectively, and two secret keys {K1 , K2 }. Furthermore, the tag stores a static identifier ID which facilitates its unequivocal identification. The designers assumed that the ID and all the remaining variables have the same bit length (i.e. {PID , PID2 , K1 , K2 , ID} ∈ Z296 ). The common communication model is assumed, so communications between the reader and the server – both arguably powerful devices – are considered to be secure as these entities can afford to use classical security solutions (e.g., TLS or SSL). On the other hand, the forward (reader-to-tag) and backward (tag-to-reader) channels are considered to be insecure and open to all sorts of attacks. We now describe the protocol, which is divided into six steps (see Figure 1). The operands {⊕, ∧} symbolize the bitwise exclusive OR (XOR) and the bitwise AND, respectively, while x denotes the bitwise NOT of x. Step 1: The reader sends a request message Crequest to the server. If it proves to be an authorized reader, the server sends a one-day authorization access certificate C. If the reader has already a valid certificate, it jumps directly to Step 2. Step 2: The reader sends a request message IDrequest to the tag, which replies with its pseudonym PID2 . Step 3: The reader sends the tuple {PID2 , C} to the server in order to acquire the private information linked to the tag. If the certificate is valid and PID2 matches one of the entries in the database, the server sends {K1 , K2 } to the reader. Otherwise, the server informs the reader that PID2 does not correspond to any entry in its database. In that case, the reader repeats Step 2 in order to get access to the old pseudonym PID of the tag. Then, Step 3 is executed with the tuple {PID , C}. Step 4 The reader generates two random numbers n1 and n2 . Then, it computes messages {A, B, D} as follows and sends them to the tag:

8 J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

Figure 1. David-Prasad RFID Ultralightweight Authentication Protocol

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

9

A = (PID2 ∧ K1 ∧ K2 ) ⊕ n1

(2)

B = (PID2 ∧ K2 ∧ K1 ) ⊕ n2

(3)

D = (K1 ∧ n2 ) ⊕ (K2 ∧ n1 )

(4)

Step 5 From messages {A, B}, the tag can easily infer the value of the nonces {n1 , n2 } associated to the current session. Using these values, it computes its local version of message D (let’s call it D ) and checks if it is identical to the received value. If they coincide, then the reader is authenticated. Otherwise, the protocol is aborted. After a successful reader authentication, the tag computes messages {E, F } as follows and sends them back to the reader: E = (K1 ⊕ n1 ⊕ ID) ⊕ (K2 ∧ n2 )

(5)

F = (K1 ∧ n1 ) ⊕ (K2 ∧ n2 )

(6)

Finally, the tag updates its pseudonyms values using the session nonces: PID = PID2 PID2 = PID2 ⊕ n1 ⊕ n2

(7) (8)

Step 6 Upon receiving messages E and F , the reader computes a local version, F  , and checks if it is identical to the received value. If F == F  , the tag is authenticated and the reader can obtain the static identifier ID of the tag by using message E and the now known values {K1 , K2 , n1 , n2 } (i.e., ID = E ⊕ (K2 ∧ n2) ⊕ K1 ⊕ n1 ). It then updates the pseudonyms linked to the tag in the same way: PID = PID2 PID2 = PID2 ⊕ n1 ⊕ n2

(9) (10)

Finally, the reader sends an updated version of the pair {PID , PID2 } and its certificate C to the server. If the certificate is valid, the server updates the information (pseudonyms) associated to the tag.

4. Attacks against the David-Prasad Protocol In this section, we present our black-box attack on the DP protocol. 4.1. Known Attacks against the David-Prasad Protocol To properly place our results, we first discuss related cryptanalytic work proposed so far [15] against the DP protocol, notably a traceability attack (that leads to an attacker’s adUNT (t, 1) of 14 after seeing one session) and a passive (so-called Tango) atvantage AdvA tack that took full advantage of the existence of multiple good approximations to the protocol secrets. The Tango attack was able to recover with very high probability the value

10

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

Table 1. GA Parameters for Breaking the DP Protocol Genome Length

480

Number of Generations

20,000

Crossover Probability

0.8

Mutation Probability

0.005

Population Size

100

Number of Experiments

21

of the ID, after eavesdropping only around 50 authentication sessions and combining these multiple approximations together to construct a global one. In contrast to the Tango attack that requires negligible computational effort and some number of eavesdropped sessions (e.g. {2, 25, 50} eavesdropped sessions / {87.008, 95.938, 96} recovered bits of ID), the attack we propose in this paper offers completely different tradeoffs: it is possible with only one eavesdropped session, but requires more computational power, in the form of multiple runs of a genetic algorithm. 4.2. Our Attack against the David-Prasad Protocol We now propose a black-box attack that requires to eavesdrop only one authentication session, and uses metaheuristic algorithms (in this case genetic algorithms) to approximate the internal, secret values of the protocol by taking advantage of the exchanged public messages. After eavesdropping one single session, we will have access to the values of the exchanged messages {PID , A, B, D, E, PID2 }. As the description of the David-Prasad protocol is public, we can start from a random set of secret values {K1 , K2 , n1 , n2 , ID }   and run the protocol over them to see what messages {PID , A , B  , D , E  , PID2 } do they generate. Then, using a metaheuristic technique, in our case a genetic algorithm for which details can be seen in Table 1, we can look for those that minimize the distance between the candidate and the real exchanged messages. We have chosen a genetic algorithm for the search part because while it is not the most efficient metaheuristic technique, it has a great ability to avoid becoming trapped in local minima, a characteristic that is critical for solving this quite challenging problem. 4.2.1. Cost Function Different types of fitness functions have been tried, and the most successful family was, by far: fS =

i=N 

wt(Mi ⊕ Mi )g(i) · 96h(i)

(11)

i=0

where wt(·) stands for the Hamming weight and Mi stands for the real (snooped) messages and Mi their corresponding approximations, as computed from the values of candidate state S  = {K1 , K2 , n1 , n2 , ID }. We tried multiple fitness functions, but for our particular problem, the approach that seemed to consistently lead to better results is shown in the equation below:

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

fS = 6 · 96 −

i=6 

wt(Mi ⊕ Ai )

11

(12)

i=1

= 6 · 96 − wt(MA ⊕ A) − wt(MB ⊕ B) − wt(MD ⊕ D) − wt(MF ⊕ F ) − wt(ME ⊕ E) − wt(MPID2 ⊕ PID2 ). According to the definition presented in [3], the use of this relatively straightforward cost function will not correspond to the application of what those authors name a warping technique because the correct set of secret values will always lead to a global minimum. This is a quite simple cost function that, surprisingly enough, works much better that other more complex and problem specific ones we have tried. It has been experimentally observed to consistently produce quite good approximations for our target secret value ID. With the parameter setting shown in Table 1, in most cases the genetic algorithm did indeed reach a global maximum (of 6 · 96 = 576), or values that were extremely close to it. That is, the snooped values {PID , A, B, D, E, PID2 } and the candidates values   {PID , A , B  , D , E  , PID2 } are identical or very close. Probably, less direct approaches will also work well, especially the use of more complex warping techniques. In this particular case, however, the most simple formulation described above worked sufficiently well, so we were not tempted to introduce any unnecessary complexity. 4.2.2. Inferring the ID Using the strategy and techniques just described, we ran N = 21 genetic algorithms for trying to infer the secret value of the ID, which was arbitrarily set to be a 96bit value derived from π (i.e. ID = 31415926535897932384626433832 mod 296 = 0x6582A5360B14388541B65F 28). Some of the most relevant results are presented in Table 2. The approach for retrieving the value of the ID is sketched below.2 1. Tag Initialization: The secret values {K1 , K2 , n1 , n2 , ID} of the target tag are randomly initialized. 2. Population Initialization: The secret values {K1 , K2 , n1 , n2 , ID } of the individuals are randomly initialized. 3. Protocol Execution: David-Prasad Protocol is run with the secret values of the tag and the public messages {PID , A, B, D, E, PID2 } eavesdropped from one session. 4. Genetic Algorithm is executed: (a) Selection: the best individuals are selected through a fitness-based process. The fitness function, defined in Equation (12), is based on the distance between the eavesdropped (protocol execution) and the computed values (linked to the secret values of each individual). (b) Reproduction: new individuals are created by mutation and crossover. (c) Termination: the process (a-b-c) is repeated until a fixed number of generation has been reached. 2 For the random initialization of the 96-bit variables in Python, we use the random library from scipy (i.e. accessed by the call randint(0,2**96-1)).

12

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

Table 2. Cryptanalytic Results against the DP Protocol Exp. #

F. V.

IDapprox

Difference with ID

Exp. #1 Exp. #2 Exp. #3 Exp. #4 Exp. #5 Exp. #6 Exp. #7 Exp. #8 Exp. #9 Exp. #10 Exp. #11 Exp. #12 Exp. #13 Exp. #14 Exp. #15 Exp. #16 Exp. #17 Exp. #18 Exp. #19 Exp. #20 Exp. #21

574 572 576 574 575 575 575 576 576 576 574 576 575 575 576 576 576 576 576 576 576

0x7584a536cb14788561b65ea8 0x7586a5324b04788541b65b28 0x6d86a5764b04388441b65c28 0x6582a576cb15788541b65f88 0x7582a5764b14308441b65c88 0x6582a5760b04388441b65ca8 0x75c6a5360b14388541b65f88 0x6582a5764b04708461b65ca8 0x7582a5368b14308561b65528 0x7586a5764b04388441b65f88 0x7582a5724b04388561b65f88 0x7582a5368b14388441b65a08 0x7d86a5324b14708441b65e08 0x7d86a5720b14788541b65108 0x7582a576cb14708441b65588 0x7582a5760b04388461b65e28 0x7582a5364b04388541b652a8 0x7d82a5360b14388561b65fa8 0x6582a5364b14788441b65f28 0x7d86a5764b04708541b65b08 0x7586a576cb04308541b65fa8

0x10060000c000400020000180 0x100400044010400000000400 0x80400404010000100000300 0x40c0014000000000a0 0x1000004040000801000003a0 0x400010000100000380 0x1044000000000000000000a0 0x404010480120000380 0x100000008000080020000a00 0x1004004040100001000000a0 0x1000004440100000200000a0 0x100000008000000100000520 0x180400044000480100000120 0x180400440000400000000e20 0x10000040c000480100000aa0 0x100000400010000120000100 0x100000004010000000000d80 0x180000000000000020000080 0x4000400100000000 0x180400404010480000000420 0x10040040c010080000000080

† F. V. - Fitness Value

H. D. to ID 9 7 8 7 9 6 5 10 6 8 8 6 10 10 11 6 7 4 3 10 8

H. D. - Hamming Distance

After extensive experimentation, a set of parameters was found to be a fair compromise between efficiency (the genetic algorithm will be employed many times) and search efficacy. These are given in Table 1. One important characteristic of our attack, that puts it in a class of its own, is that it is remarkably successful after eavesdropping only one authentication session, which is a very economic requirement compared with those of other passive attacks. Even when compared with the only existing attack against the David-Prasad protocol, which is in itself relatively efficient requiring only around 50 eavesdropped sessions, this approach could be very useful for those scenarios where only one session can be accessed. All the approximations {IDapprox (1), IDapprox (2), ..., IDapprox (N )} obtained in experiments 1 through N can be combined to obtain a global one for the secret value ID. There are multiple possibilities for doing so, for example weighting approximations by their fitness function, making those corresponding to better approximations count more, etc. In our case we will use a more simple approach. Approximations are represented in a r-dimensional space (r = 96 in the DP protocol) instead of considering them as numerical values to facilite this calculation. More precisely, if a variable IDapprox (x) is represented in binary format, the coefficients ai are the values of the vector IDapprox (x) in each dimension:

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

IDapprox (x) =

r−1 

ai · 2i , ai ∈ {0, 1}

13

(13)

i=0

IDapprox (x) = [a0 a1 · · · ar−1 ] We then can sum the approximations obtained in the N experiments:

IDapprox =

N 

IDapprox (i)

(14)

i=1

The only remaining question is to obtain the average value of the above vector (i.e. IDconjecture = g(IDapprox )). We propose using the following g function which is simple but entirely effective. The components of the input and output vector in each axis are denoted by IDiapprox and IDiconjecture , respectively. Thus, for each i = 0, . . . , r−1, we have g(IDiconjecture )

 =

1 0

if (IDiapprox ≥ γ) if (Diapprox < γ)

(15)

The parameter γ is set to N2 . Finally, the attacker concludes IDconjecture = r−1 conjecture · 2i as its conjecture of the static identifier ID. i=0 IDi To clarify the proposed procedure, we give below the numbers derived from Table 2. In our simulations N is set to 21, and each of these experiments consumed approximately 1700s. (28 minutes) in a very modest portable computer, but they are completely parallelizable. When adding all the bits of the 21 approximations, we obtained a IDapprox vector, in which the wrongly guessed bits are highlighted: IDapprox = [0, 0, 0, 21, 0, 11, 0, 12, 12, 14, 16, 17, 21, 0, 21, 0, 0, 21, 21, 0, 21, 21, 0, 21, 21, 0, 0, 0, 0, 6, 21, 0, 11, 0, 21, 0, 0, 0, 0, 21, 0, 0, 0, 14, 21, 21, 9, 0, 1, 0, 21, 0, 11, 0, 0, 0, 21, 21, 0, 21, 0, 0, 14, 6, 0, 21, 17, 0, 21, 21, 12, 0, 21, 0, 21, 0, 0, 21, 0, 21, 0, 20, 9, 0, 0, 0, 1, 21, 21, 0, 21, 5, 16, 21, 21, 0]  0x82f56b14588341b0635a2856 Finally, the average value IDconjecture is obtained by computing the g function. We can observe that this technique is able of correctly guessing 92 out of 96 bits (or a 95,83% of the ID bits): IDapprox = [0, 0, 0, 1, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 1, 1, 1, 0]  0x82f56b14588341b0635a2856 As direct consequence of this attack, tracing the tag becomes a trivial task (see Section 4.2.3). The adversary exploits the knowledge of a significant part of the ID, which on the other hand is a static value and thus does not change between different authentication sessions. So any disclosure attack involving static secret values such as this, immediately implies a traceability attack.

14

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

4.2.3. Traceability Attack In [16], Juels and Weis give a formal definition of traceability, that was later reformulated, in a style more similar to that used for security protocols, in [17]. We use the latter approach to analyze the David-Prasad protocol. For completeness and readability, we will first present the model, and later we will detail our proposed attack. In RFID schemes, tags (T ) and readers (R) interact in protocol sessions. In general terms, the adversary (A) controls the communications between all the participants and interacts passively or actively with them. Specifically, A can run the following queries: • Execute(R, T , i) query. This models a passive attacker. A eavesdrops on the channel, and gets read access to the exchanged messages between R and T in session i of a genuine protocol execution. • Test(i, T0 , T1 ) query. This does not model any ability of A, but it is necessary to define the untraceability test. When this query is invoked for session i, a random bit is generated b ∈ {0, 1}. Then, a static identifier IDTb from the set {IDT0 , IDT1 } corresponding to tags {T0 , T1 } is given to A. Upon definition of the adversary’s abilities, the untraceability problem can be defined as a game G divided into three phases: Phase 1 (Learning): A can make any number of Execute queries, which facilitate the eavesdropping of exchanged messages – modeling a passive attack – over the insecure radio channel. Phase 2 (Challenge): A chooses two fresh tags {T0 , T1 } whose associated identifiers are IDT0 and IDT1 . He then sends a Test(i, T0 , T1 ) query. As a result, and depending on a chosen random bit b ∈ {0, 1}, A is given a static identifier ID Tb from the set {ID T0 , IDT1 }. Phase 3 (Guessing) A ends the game and outputs a bit b as its conjecture of the value of b. A’s success in winning G is equivalent to the success of breaking the untraceability property offered by the protocol. So the advantage of A in distinguishing whether the messages correspond to T0 or T1 is defined as below: 1 UNT AdvA (t, r) = |P r[b = b] − |. 2 where t is a security parameter (i.e. the bit length of the key shared by the tag and the reader) and r is the number of times A runs an Execute query. Definition 2. An RFID protocol in an RFID system (S= {Ri , T0 , T1 , ....}) in which an adversary A can invoke {Execute(R, T , i), Test( i, T0 , T1 )} in a game G, offers resistance against traceability if: UNT (t, r1 ) < ε(t, r1 ) AdvA

ε(.) being some negligible function.

(16)

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

15

We will show how the DP scheme does not guarantee privacy location, thus allowing the tracking of tags. Theorem 1 The David-Prasad protocol, on an RFID system (S= {Ri , T0 , T1 , ....}) in which an adversary A can invoke one Execute(R, T , i), and one Test( i, T0 , T1 ) query in the untraceability game G, is vulnerable to traceability attacks, since the advantage for UNT an adversary to win G is significant (in fact, maximal): AdvA (t, 1) = 0.5  ε(t, 1). Proof . Specifically, an adversary A performs the following steps: Phase 1 (Learning): A sends an Execute(R, T0 , n) and acquires the public messages passed over the insecure radio channel {PID , A, B, D, E, PID2 }. By using the above mentioned values, A runs the algorithm described in Section 4.2.2 and obtains an approximation X of the IDT0 . Phase 2 (Challenge): A chooses two fresh tags {T0 , T1 } whose associated identifiers are ID T0 and IDT1 . He then sends a Test(i, T0 , T1 ) query. As a result, A is given a static identifier Y = IDTb from the set {IDT0 , IDT1 }, which depends on a chosen random bit b ∈ {0, 1} Phase 3 (Guessing) A finishes G and outputs a bit b as its conjecture of the value b. In particular, A utilizes the following simple decision rule: 

if wh(X ⊕ Y ) < 96/4 = 24 b = 0 if wh(X ⊕ Y ) ≥ 96/4 = 24 b = 1

(17)

So the adversary can associate tags’s answers with its holder, with a nearly 100% probability (≈ 1 − 2−24 ) of success. Basically, we exploit the possibility of inferring the static identifier of a tag after eavesdropping one authentication session. In comparison with [15], we increase the advantage for the adversary to the maximal value of 12 from the advantage of 14 achieved there after sniffing one session, so the present attack compares quite favorably with the one presented there. The only drawback of our approach is that it is much computationally expensive in the Learning Phase due to the execution of multiple instances of the genetic algorithm.

5. Concluding Remarks In this paper we have presented a black-box attack that is able to recover the ID, the most relevant secret value shared between the readers and tags involved in a RFID protocol, and the one the whole protocol is designed to conceal. We have explained why this black-box technique can be successfully applied against the class of protocols commonly known as (ultra)lightweight protocols, which are characterized by not using classical cryptographic primitives. We emphasize here that standard cryptography exceeds the capabilities of many constrained devices such as low-cost RFID tags or WISP chips. The effectiveness of the proposed cryptanalytic technique attack is shown by successfully attacking the David-Prasad ultralightweight protocol, after eavesdropping only one protocol session. Our attack compares quite favorably to previous attacks against

16

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

this protocol, and constitutes an interesting alternative for the very realistic scenario of attackers having access only to messages exchanged during a single authentication session. We also show how this disclosure attack can be used to mount a very powerful traceability attack that also improves on previous results leading to an almost maximal attacker advantage. We make no optimality claims whatsoever, and although the results presented here were obtained after extensive experimentation, we could easily foresee slightly better ones getting obtained by other researchers employing different heuristic techniques (Simulated Annealing instead of Genetic Algorithms, for instance) and different fitness functions and parameters. We believe, however, that our main claims, which are that heuristic techniques could be very useful in cryptanalysis in general (as shown by a few authors before us), and that they are particularly relevant when studying the security of (ultra)lightweight protocols, have been largely proven. Using these or similar techniques for breaking other related protocols remains an interesting research line, as it is employing similar approaches to help in the designing phase of new protocols. References [1]

[2]

[3] [4] [5]

[6] [7]

[8]

[9] [10] [11]

[12]

[13]

M. David and N. R. Prasad. “Providing Strong Security and High Privacy in Low-Cost RFID Networks”. In Proc. of Security and Privacy in Mobile Information and Communication Systems, MobiSec 2009, pages 172–179. Springer Berlin Heidelberg, 2009. L.R. Knudsen and Willi Meier. “Cryptanalysis of an Identification Scheme Based on the Permuted Perceptron Problem”. In Advances in Cryptology - EUROCRYPT 1999, LNCS 1592, pp. 363–374. SpringerVerlag, 1999. J.A. Clark and J.L. Jacob. “Fault Injection and a Timing Channel on an Analysis Technique”. In Advances in Cryptology - EUROCRYPT 2002, LNCS 2332, pp. 181–196. Springer-Verlag, 2002. D. Pointcheval. “A New Identification Scheme Based on the Perceptron Problems.” In Advances in Cryptology - EUROCRYPT 1995. LNCS 2199. Springer-Verlag, 1995. J.C. Hernandez-Castro, J.M. Estevez-Tapiador and A. Ribagorda. “Non-standard Attacks against Cryptographic Protocols, with an Example over a Simplified Mutual Authentication Protocol”. In Proc. of MCO 2008, pp. 589–596, 2008. H.-Y. Chien. “A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity”. IEEE Transactions on Dependable and Secure Computing, 4(4):337–340, 2007. J.C. Hernandez-Castro, J.E. Tapiador, P. Peris-Lopez, J.A. Clark and E.-G. Talbi. “Metaheuristic traceability attack against SLMAP, an RFID lightweight authentication protocol”. In Proc. of 23rd IEEE International Symposium on Parallel and Distributed Processing (IPDPS 2009), pages 1–5, Rome, Italy, May 23-29, 2009. J.A. Clark and J.L. Jacob. “Protocols are Programs Too: the Meta-heuristic Search for Security Protocols”. Special Issue on Metheuristics for Software Engineering. Information Software Technology 43(14):891-904, 2001. H. Chen, J.A. Clark and J. Jacob. “Human Competitive Security Protocols Synthesis”. In Proc. of the 8th Annual Conference on Genetic and Evolutionary Computation (GECCO 2006), pp. 1855–1856, 2006. A. Bogdanov, G. Leander, C. Paar, A. Poschmann, M. Robshaw and Y. Seurin. “Hash Functions and RFID Tags: Mind the Gap”. In Proc. of CHES 2008, LNCS 5154, pp. 283–299. Springer-Verlag, 2008. P. Peris-Lopez, J.C. Hernandez-Castro, J. Estevez-Tapiador and A. Ribagorda. “LMAP: A Real Lightweight Mutual Authentication Protocol for Low-cost RFID tags”. In Hand. of RFIDSec 2006, 2006. P. Peris-Lopez, J.C. Hernandez-Castro, J. Estevez-Tapiador and A. Ribagorda. “M2AP: A Minimalist Mutual-Authentication Protocol for Low-cost RFID Tags”. In Proc. of UIC 2006, LNCS 4159, pages 912–923. Springer-Verlag, 2006. P. Peris-Lopez, J.C. Hernandez-Castro, Juan M. Estevez-Tapiador and A. Ribagorda. “EMAP: An Efficient Mutual Authentication Protocol for Low-cost RFID Tags”. In Proc. of IS 2006, LNCS 4277, pages 352–361. Springer-Verlag, 2006.

J.C. Hernandez-Castro et al. / Passive Black-Box Cryptanalysis of an Ultralightweight Protocol

[14]

17

P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador and A. Ribagorda. “Advances in Ultralightweight Cryptography for Low-cost RFID Tags: Gossamer Protocol”. In Proc. of WISA 2008, LNCS 5379, pages 56–68. Springer-Verlag, 2008. [15] J. C. Hernandez-Castro, P. Peris-Lopez, Raphael C.-W. Phan and J. M. E. Tapiador. “Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol”. In Proc. of Workshop on RFID Security (RFIDsec 2010), LNCS 6370, pages 22-34. Springer-Verlag, 2010. [16] A. Juels and S. Weis. “Defining Strong Privacy for RFID”. In Proc. of PerCom 2007, pages 342–347. IEEE Computer Society Press, 2007. [17] R.C.-W. Phan. “Cryptanalysis of a New Ultralightweight RFID Authentication Protocol - SASI”. IEEE Transactions on Dependable and Secure Computing. 6(4):316-320, 2008.

This page intentionally left blank

Regular Papers

This page intentionally left blank

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-722-2-21

21

A Fine-Grained Authentication Method for Inter-Domain EPCglobal Network Bing Liu and Chao-Hsien Chu 1 The Pennsylvania State University 306A, IST Building University Park, PA 16802, USA

Abstract. Radio Frequency Identification (RFID) technology has been studied for several years. Supply chain management is one of the most significant fields that employ this novel technology. RFID-based EPCglobal network is a distributed inter-domain system, which enables every partner within the supply chain to share information with each other. However, no detailed security specification has been developed in EPCglobal standard, therefore a security mechanism is needed to solve the inter-domain information sharing issues between entities that have business relationship. In this paper, we examine the security threats, requirements and solutions for EPCglobal network from the information security perspective, with a focus on the authentication mechanism. We propose a security platform and a X.509 public key infrastructure (PKI) based EPCglobal certificate hierarchical model. The model enables a fine-grained authentication framework to secure the inter-domain EPCglobal supply network. Keywords. X.509, PKI, Authentication, RFID, EPCglobal Supply Network

Introduction The EPCglobal Network is an infrastructure fusing inexpensive RFID technology (tags and readers) in the global supply chain to pass Electronic Product Code (EPC) via the Internet to access large amounts of associated information that can be shared among authorized users. The greatest promise of the EPCglobal network is that it enables the seamless sharing of data and provides item-level visibility for all the participants across the supply network. EPCglobal network aims to eventually achieve the blueprint of “Internet of things (IoT)” that any participants could easily access to all the shared information. EPCglobal is an industry standard for uniquely identifying the object by using the RFID technology. The model composes several major components: EPC tag, RFID reader, Application Level Events (ALE) interface, EPC Information Services (EPCIS), and EPC Object Name Service (ONS), etc. First, an object’s identification/information is encoded in the EPC tag. The RFID reader then captures those data and submits it to EPCIS for specific information about the object (e.g., manufacturer, product class, and instance of a particular product). ALE locates between the RFID reader and EPCIS, provides means to process and deliver the data. The filtered data will be stored in the EPCIS repository. Each organization manages its own EPCIS repository. Users inquire 1

Corresponding Author. Tel: +1 (814) 865-4446; Fax: +1 (814) 865-6426; e-mail: [email protected]

22

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

information about an object through EPCIS query interface, which consults to the EPC ONS. The EPC ONS would return the address of EPCIS repository that contains the requested data [1]. Please refer to section 1 for more details. The benefits of RFIDenabled supply network have been extensively studied, including item level identifying and tracking, non-line sight scanning, assets and inventory management improving, and increasing visibility of the supply network, etc [2]-[4]. However, the implementation of RFID-enabled EPCglobal network still facing some major challenges, for example, higher cost, lack of standardization, the security and privacy issues, the information sharing issues, the voluminous data issues, and the bad performance in harsh environments [5][6]; among which security is the most significant one. The security issues can be divided into two categories: intra-domain and inter-domain issues. The former type concerns the security issues between the EPC tag and RFID reader, such as eavesdropping, tracking, replay attack, etc. The other type contains the information sharing issues among different organizations that participating in the supply network. In order to take advantages of EPCglobal network, the information from related partners across the supply chain needs to be shared. The former security type has been extensively studied [7]-[9]; however, little work [10][12] has been focused on inter-domain security issues that motivates us to study the inter-domain security issues. Although information sharing is the key to achieve ultimate business benefits, it should be done in a controlled manner that employs proper authentication and authorization mechanisms. In this paper, we examine the security threats and requirements, with a focus on the authentication mechanism, from the information security perspective. We envision a security platform that may help to achieve the information security requirements for supply chains. Furthermore, we propose a finegrained authentication framework based on X.509 public key infrastructure (PKI) for the inter-domain EPCglobal supply network. The structure of this paper is as follows. Section 1 reviews the related works. Section 2 introduces a security platform for EPCglobal network. Section 3 describes the proposed X.509 PKI-based EPCglobal certificate hierarchical model and the finegrained inter-domain authenticated method for EPCglobal network. And the last section concludes this study, along with possible future work.

1. Related Works 1.1. EPCglobal Network To meet the needs of a dynamic competitive environment, EPCglobal developed and defined a set of standards (services) for the EPC related information exchange between the business partners within a supply network. Fig. 1 illustrates the activities carried out by end users and the components of an inter-domain EPCglobal network architecture [13]. Each component plays a unique and important role in the EPCglobal network. Here we will not discuss the function of EPC Discovery Service (EPC-DS) as it is still under development. Within a supply network, different domains means different organizations, e.g. supplier and retailer are two different domains. When physical object trading taking place means the object moves from one domain to another and the RFID sub-system will capture the events. The RFID sub-system composes EPC tag and RFID reader,

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

23

where the EPC tag is attached to the object. The captured raw data will then be processed and delivered to EPCIS by ALE interface (which was originally called Savant). ALE is essentially a middleware performing the counting, logging, accumulation, and filtering operations on the data. EPCIS contains two major components, EPCIS repository and EPCIS query interface. The filtered data will be stored in the EPCIS repository.

Figure 1. EPCglobal network architecture.

When the users in EPCglobal network requests the information about a specific object, a query will be initiated via the EPCIS query interface. The interface will then consult the registries, the EPC ONS, for the address of inquired object. The ONS owns no information except the address of the EPCIS repository that stored the requested EPC data. The ONS uses the structure similar to the existing internet Domain Name System (DNS). After resolution of an inquired EPC, the root ONS retrieve the local ONS and return the address of relevant EPCIS servers. 1.2. EPCglobal Network Security Although EPCglobal network security has been a major concern to industry practitioners, little concrete research has been conducted. Reference [14]-[16] enumerated the threats and the possible solutions for EPCglobal systems. Reference [17] systematically analyzed the vulnerabilities and mapped the threats into their corresponding EPCglobal network components and reviewed the existing solutions as well. Although the paper provides a holistic view of the EPCglobal network security, it is better to map those threats and solutions from the information security perspective.

24

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

According to the well-known security requirements for information and communication systems, we map the EPCglobal system threats into four categories: confidentiality, integrity, availability and accountability [18]. Fig. 2 illustrates the relationships between the EPCglobal system threats and the security requirements. (1) Confidentiality requires that data is accessible only to authorized entities and that intentional or unintentional disclosures of the data do not occur. (2) Integrity requires that data is authentic, correctly reflecting the source data, and complete, without unauthorized modifications, deletions, or additions. But it does not imply the data is valid, only that it is the same as the source. (3) Availability requires that data is accessible by authorized entities whenever they need it. And (4) Accountability requires that the actions of an entity to be traceable uniquely to that entity. This implies that entities receiving the data cannot subsequently deny receiving it and vice versa

Figure 2. Security requirements undermined by EPCglobal network threats

Clearly, majority of the threat groups are only targeting at a single security requirement; for example, the listening threat group only compromises confidentiality requirement; the DoS threat group only compromises availability requirement; while a few threat groups (e.g., interaction and planted groups) may target on more than one requirement or even all of them. On the other hand, all of the security requirements, especially confidentiality and integrity, will be compromised by unauthorized activities. Therefore, some kinds of authentication mechanisms are necessary in order to determine if the entities are authorized to access the data. 1.3. X.509 PKI X.509 PKI is a key management mechanism primarily developed for authentication and trust establishment. The infrastructure contains three core components: Certificate Authority (CA), Certificate Revocation Lists (CRLs), and Registration Authority (RA) [19]. Its most important functions include issuing certificates, revoking certificates, and

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

25

key management. PKI is a standardized infrastructure that involves huge computational cost, thus appropriate adjusting is necessary to fulfill the EPCglobal network applications. There are few studies aimed to build PKI-based EPCglobal network authentication mechanism. However, each of them focused on solving the authentication problems that from specific part of the system, e.g. [10] and [11] expatiated some adjusted PKI methods to solve the EPCIS authentication issues, and [12] depicted a Lightweight PKI (LPKI) encryption strategy to enhance the security of ONS. Therefore, a wider and deeper authentication mechanism for the system is requisite. X.509 PKI is the foundation of our proposed EPCglobal inter-domain authentication method.

2. Security Platform for EPCglobal Network As can be seen from the above illustration that a variety of threats and vulnerabilities may compromise the EPCglobal network and single or two countermeasures cannot fully protect the network from attack. Therefore, a comprehensive security platform is necessary for restraining the threats and achieving the security requirements. Based upon the “Defense-in-Depth” principle, we propose a layered platform, as shown in Figure 3, to secure EPCglobal network.

Figure 3. Security platform for EPCglobal network

At the foundation of the platform are some countermeasures toward security audit and management. Security management supports the whole system security, and thus

26

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

locates at the bottom part of the platform. The system security policies are developed based on the business rules and procedures. Risk analysis may be used to assess the security policy and security technologies that employed to protect the system reiteratively, and thus refine the system security. In the higher layers of the platform, we suggest to employ several security technologies to eliminate the effects of the threats that may compromise the security requirements. Some of them are common for most information and communication systems. For instance, data backup would ensure system availability, and intrusion detection system (IDS), firewall, antivirus systems, and ONSSEC (ONS Security Extension) can protect the system from the DoS and Repudiation threats. Among those security technologies, the authentication and authorization countermeasures play key roles in ensuring information confidentiality and integrity for EPCglobal network. Through both are typically supported by advanced cryptography technologies, authentication normally involves the processes to verify whether an entity is whom it claims to be, while, authorization makes sure that the entities obtain the correct access privileges to entitle them to interact with specific information. Thus, authentication is the prime step for authorization and other countermeasures. Plenty authentication protocols have been proposed in the intra-domain of RFID system [7]-[9]. These protocols enable the RFID tag and reader authenticate to each other. Due to resources constraints and low computation capability of RFID tag, most of them are light weight authentication protocols (LWAP). Basically authorization is achieved by some access control mechanisms. Typically, there are three types of access control method: (1) Discretionary access control (DAC). This type of system allows the owner of the resource to determine who has access and what privileges they have. Access control under this type is at the discretion of the owner. (2) Mandatory access control (MAC). This type of system applies controls based on privilege (or clearance) of a subject (or user) and the sensitivity (or classification) of an object (or data). This type of model is used in environments where information classification and confidentiality is very important. And (3) Role-based access control (RBAC). For this type of authorization, control access based on the roles (functions) that users have within the system and on rules stating what accesses are allowed to users in given roles. None of these authorization models can be directly applied to EPCglobal network without modification. As a distributed inter-domain system, the security issues of information sharing are obviously critical for EPCglobal network. Reference [20] proposed a novel semantic access control model to address the authorization issues. The EPCglobal recommends the use of X.509 PKI as the authentication method to secure the inter-domain environment [21]. However, they did not provide any implementation details.

3. A Fine-Grained Authentication Method Comparing to [10]-[12], our suggested PKI-based authentication mechanism not only affects at the EPCIS or ONS level, but also goes depth to the ALE and RFID reader level, and thus called fine-grained. Because X.509 PKI is complex and expensive, and EPC tag is an energy and computational capability constrained device, we do not intend to deploy PKI at the EPC tag level, whereas, fortunately, there are already many LWAPs for achieving the tag-reader authentication.

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

27

Fine-grained authentication is needed, because of it is important to gain authentication at ALE and RFID reader level. Without authentication, illegal ALE may deliver false data to EPCIS, or unauthorized reader may send distort data to legal ALE, and then store those data into EPCIS. Additionally, in some cases, it may allow user to access ALE and obtain real-time data about the objects through manipulating the associated readers, which also require ALE and reader level authentication. 3.1. CA Architecture for EPCglobal network In X.509 standard, a commonly trusted third party, traditionally is the governmental department, will take the role of certificate authority (CA). Under the supply network environment, a market dominant retailer, e.g. Wal-Mart, may be trusted by other participants within the network, therefore it may take the role of mediator. In this paper, we assume WM Inc. dominants the supply network, and thus it is the trusted mediator that issuing certificate to the authenticated entities. Fig. 4 illustrates the conceived EPCglobal certificate hierarchical model.

Figure 4. Wal-Mart’s EPCglobal certificate hierarchy model

In this infrastructure, WM Inc. works as the root CA that locates at the top-most of the tree. The root WM Inc. CA signs itself and issues certificate to its subordinate CAs, WM.US and WM.China. WM.China shares the same structure as WM.US. WM.US manages the certificates under the United States scope, and divides its descendants into several layers. It issues certificates by location of the branches, e.g. it may sign WM.DC and WM.PA as its subordinate CAs. Each branch has the similar hierarchy. WM.DC will then sign certificate for its provider WM.DC.P and for its own EPCIS repository (maybe more than one) WM.DC.EPCIS. And the provider will sign its own EPCIS repository WM.DC.P.EPCIS, and may also sign other parties, if any, that have business relationship with it. Under each EPCIS CA, there are ALE and User subordinate CAs that associates with the EPCIS repository. It allows the EPCIS to sign certificates for its different users

28

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

(e.g. privilege user or common user). Moreover it signs the ALE which may manipulate the connected RFID readers. In this scenario, a fine-grained authentication mechanism is achieved. The mutual authentication is formed between all the relevant components and users, for example between the RFID reader and the corresponding ALE, between ALE and its corresponding EPCIS repository, and among different EPCIS repositories. This process ensures that the RFID reader only submit captured raw data to the authorized ALE, and ALE only processes the data that is from the authorized reader and delivers it to the permitted EPCIS repository. Therefore the EPCIS repository will only accept updates from the legal ALE. Besides, it enables inter-domain authentication, while entities in different domains can authenticate to each other by seeking help from their antecedent CA chains. 3.2. Fine-Grained Authentication in Multi-Domain System Suppose that there are two different domains, 1 and 2, within an EPCglobal supply network, and having certain business relationship with each other. There is an object and its attached EPC tag X originally belonged to Domain1, and thereafter transformed to Domain2, see Fig. 5. The RFID reader in both Domain1 and Domain2 will then capture the movement and report to ALE. After the two domains authenticate to each other, the ALEs will update X’s information in their authorized EPCIS repository. With the update, the EPCIS repository of Domain1 will record that tag X has been exported to Domain2, with the export timestamp. When Domain2 receive and scan the tag X, its EPCIS repository will record that tag X imported from domain 1, with the imported timestamp. When User1 who is authenticated by Domain1 inquires information of EPC tag X, the following authentication and authorization steps will take place: 1) Uer1 sends request to EPCIS query interface of Domain1. 2) EPCIS consults the security manager of Domain1. User1 and EPCIS will first authenticate with each other, and then according to the security policies, security manager might approve or deny the request of User1 for tag X. 3) If the User1 is authorized to access tag X in Domain1, the query interface will return the tag X information that store in EPCIS repository of Domain1. Meanwhile, it forwards the request to Domain2 according to its record of the movement of tag X. 4) When receiving the request, Domain2 and Dmoain1’s EPCIS repositories will first authenticate each other. 5) After further authenticating User1, Domain2 needs to consult its security manager and then return the authorization decision for User1. 6) User1 will then mutually authenticate with Domain2’s EPCIS repository, ALE and RFID reader. 7) According to the permission, User1 may access Domain2’s EPCIS repository to obtain static information about tag X, or further accessing the ALE and RFID reader of Domain2 to get real time data about tag X. As we can see, the benefits of adapting the fine-grained EPCglobal inter-domain authentication framework include the followings. First, every component within the EPCglobal network will be able to mutually authenticate with each other. Second, the inter-domain authentication is achieved. Entities can mutually authenticate themselves

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

29

with other domains’ entities. Last but not the least, the authentication mechanism goes deep into the ALE and RFID reader levels, which forms a fine-grained security solution.

Figure 5. Authentication and authorization in EPCglobal inter-domain network

3.3. Adjusted PKI for the Proposed Framework The implementation of a PKI is intended to provide mechanisms to ensure trusted relationships are established and maintained. It is usually a foundation on which other applications and network security components are built [22]. The X.509 PKI is a standardized infrastructure that is composed by a set of hardware, software, people, policies, and procedures. For implementing, an analysis of business objectives and the trust relationships that exist in the EPCglobal network is required. Traditionally, PKI involves huge computational costs because it is based on an exponentiation function such as the RSA cryptography. Besides, X.509 defines a fixed certificate format that some items may not be needed. As a result, for the purpose of implementing our framework, an adjusting for the standard X.509 PKI is necessary. First, the RSA cryptography can be replaced by the Elliptic Curve Cryptography (ECC). Elliptic curve based solutions are usually based on the difficulty of solving the Elliptic Curve Discrete Logarithm (ECDL) and factorization in elliptic curves, it is believed that a 160-bit key in an elliptic curve-based system provides the same level of security as that of a 1024-bit key in an RSA-based system [23]. Thus, ECC obtain great advantages compare to RSA. The ECC key pair generation and distribution process are as following. For any user, a point G is selected from an elliptic curve E, both of the G and E are public. And the private key is a randomly selected integer Ks. Therefore, the public key is generated as:

30

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

Kp= Ks*G

(1)

There are two ways to generate the key pair. For the entity that has enough computational capability, such as EPCIS Server or ALE server, the keys can be generated by itself. And for the entity that has insufficient computational power, such as end user or RFID reader, the keys can be generated by a trusted key generating server. The generated key pair (Kp, Ks) should be stored in a secured place, e.g. smart card or server, safely. After adequate proofs, the CA will certify the public key Kp. The Diffie-Hellman key exchange algorithm [24] can be used for key establishment between the different parties, for example A and B. A possesses key pair (KpA, KsA), while B holds key pair (KpB, KsB). They can now establish the shared secret key, Ke, respectively. A would compute: Ke= KsA * KpB = KsA * KsB * G

(2)

While B would compute: Ke= KsB * KpA= KsB * KsA * G

(3)

As a result, the shared secret key, Ke, of A and B has been established successfully. Ke can be used as a session key to encrypt the communications between A and B. CA should back up those key for future usage. Additionally, based on the business process of EPCglobal supply network and our needs, we should adjust the standard X.509 certificate and the PKI. The proxy certificates method [25] may be employed. As in Fig. 4, the upper layer is a global based distributed network that may need full X.509 PKI functions. However, the lower layer, from the EPCIS to ALE and, especially, from ALE to reader constructed a subtree which is a local-based distributed network. The local based distributed environment is considered much more secure than the global based distributed environment, and thus it may only need part of the PKI functions. EPCIS can delegate its privileges to ALE, and ALE does not need to perform full CA function when it deals with the connected readers. Reader only needs to store two key pairs, its own public and private keys and the corresponding ALE public and private keys. With these keys, reader and the related ALE can verify and transform encrypted message between each other. Moreover, the readers locate at a same end point may have the same attributes, and therefore, they can share the same keys pairs. The system will consider them as an identical entity. For instance, there are three readers that deployed at a store’s sell point, they are connected with the same ALE and basically perform the same function, and thus they can share a same key pairs. By employing this manner, ALE can create (revoke) proxy certificates dynamically for adding (removing) corresponding RFID reader from the network. Thus, we greatly reduce the burdens of the whole system. The Globus Toolkit [26] supports the Grid Security Infrastructure [27], which provides libraries and tools for authentication and message protection that uses X.509 certificates, PKI, the SSL/TLS protocol [28] and X.509 Proxy Certificates to enable the privileges delegation. Proxy Certificate binds the public key to the subject name. The subject name should be unique within the network. This is accomplished by appending to the issuer’s subject name, for example WM.DC.EPCIS issues proxy certificate to its ALE, the subject name of ALE would be WM.DC.EPCIS.ALE. Proxy Certificate needs to express its delegation policy in the X.509 extension. The Extensible Access

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

31

Control Markup Language (XACML) is a proper tool to fulfill this task. Policy is defined by a unique policy identifier and the policy filed. The following policy example defined the policy that WM.DC.EPCIS.01 can delegate all of its privileges to WM.DC.EPCIS.01.ALE, by performing “Proxying” action. <Subjects> <Subject> <SubjectMatch MatchId="&function;string-equal"> WM.DC.EPCIS <SubjectAttributeDesignator AttributeId="urn:attributes:name" DataType="&xml;string"/>

32

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

<Subjects> <Subject> <SubjectMatch MatchId="&function;string-equal"> WM.DC.EPCIS.01 <SubjectAttributeDesignator AttributeId="urn:attributes:name" DataType="&xml;string"/> WM.DC.EPCIS.01.ALE Proxying

4. Conclusion In this paper, we first map the security threats to potential solutions from the information security requirements perspective, and emphasize the importance of the authentication mechanism. We then conceive a security platform to against those system threats. Further, we propose a X.509 PKI-based EPCglobal certificate hierarchy model. This model enables a fine-grained authentication framework to secure the interdomain EPCglobal network. Thereby, every component within the EPCglobal network is able to mutually authenticate with each other. Entities can also authenticate themselves with entities in other domains. Moreover, the fine-grained authentication mechanism goes deep into the ALE and RFID reader levels, which potentially enhance the security of the network. In the future, we will develop our authentication framework to combine with security manager. The business rules model and security policy generation model will be studied. Besides, we will find a way to associate our mechanism with authorization, either role-based or semantic access control models [20], to enhance the security of the inter-domain EPCglobal supply network.

References [1] EPCglobal: The Application Level Events (ALE) Specification. Version 1.1 (2008). http://www.gs1.org/docs/ale/ale_1_1_1-standard-core-20090313.pdf. [2] M. Kärkkäinen, Increasing Efficiency in the Supply Chain for Short Shelf Life Goods using RFID Tagging. International Journal of Retail & Distribution Management, Vol. 31, No. 10, pp. 529 – 536 (2003). [3] R. Angeles, RFID Technologies: Supply-chain Applications and Implementation Issues. Information Systems Management, Vol. 22, No. 1, pp. 51-65 (2005). [4] E. Prater, G.V. Frazier, and P. Reyes, Future Impacts of RFID on E-supply Chains in Grocery Retailing. Supply Chain Management, Vol. 10, No. 2, pp. 134-142 (2005). [5] K. Michael and L. McCathie, The Pros and Cons of RFID in Supply Chain Management. In: Proceedings of the International Conference on Mobile Business, pp. 623- 629 (2005). [6] A. Juels, RFID Security and Privacy: A Research Survey. IEEE Journal on Selected Areas in Communications, Vol. 24, No 2, pp. 381 – 394 (2006). [7] T. Dimitriou, A Lightweight RFID Protocol to Protect Against Traceability and Cloning Attacks. Conference on Security and Privacy for Emerging Areas in Communication Networks, SecureComm, pp. 59 - 66 (2005). [8] M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, Strong Authentication for RFID Systems using the AES Algorithm. In: Proceedings of the Conference of Cryptographic Hardware and Embedded Systems, Vol. 3156, LNCS, Springer, pp. 357-370 (2004).

34

B. Liu and C.-H. Chu / A Fine-Grained Authentication Method

[9] A. Juels, R. Rivest, and M. Szydlo, The Blocker Tag: Selective Blocking of RFID Tags for Consumer Privacy. In: Proceedings of the 10th ACM Conference on Computer and Communication Security, pp. 103–111. ACM Press, (2003). [10] J. Sun, Y. Ma, H. Zhao, and H. Xiao, A Study on the Design and Implementation of EPCIS Trust Model. In: Proceedings of the 2008 International Conference on Computer Science and Software Engineering, pp. 713 – 716 (2008). [11] M. Chung, J. Choi, K. Lee, and S.K. Rhyoo, Constructing Enterprise Application Framework for Secure RFID Application Using SPKI/SDSI. In: Proceedings of the Sixth International Conference on Advanced Language Processing and Web Information Technology, pp. 572-577 (2007). [12] J. Sun, H. Zhao, H. Xiao, and G. Hu, Lightweight Public Key Infrastructure and Service Relation Model for Designing a Trustworthy ONS. In: Proceedings of the Eight IEEE/ACIS International Conference on Computer and Information Science, pp.295-300 (2009). [13] F. Armenio, H. Barthel, P. Dietrich, J. Duker, C. Floerkemeier, J. Garrett, M. Harrison, B. Hogan, J. Mitsugi, J.P. Pfluegl, O. Ryaboy, S. Sarma, K.K. Suen, K. Traub, and J. Williams, The EPCglobal Architecture Framework. Version 1.3 (2009). http://www.soi.wide.ad.jp/class/20090051/materials_for_student/02/AutoID-20090624-1in1.pdf [14] M.D. Konidala, S.W. Kim, and K. Kim, Security Assessment of EPCglobal Architecture Framework. Technical report, Auto-ID Labs, (2007). http://autoidlabs.mit.edu/CS/files/folders/whitepapers/entry3035.aspx [15] R. Melanie, B.C. Rieback, S.T. Andrew, The Evolution of RFID Security. IEEE Pervasive Computing, Vol. 5, No. 1, pp. 62-69 (2006). [16] S.L. Garfinkel, A. Juels and R. Pappu, RFID Privacy: An Overview of Problems and Proposed Solutions. IEEE Security and Privacy, Vol. 3, pp. 34-43 (2005). [17] B. Liu, C.H. Chu, Security Analysis of EPC-enabled RFID Network. In: 2010 IEEE International Conference on RFID-Technology and Applications, pp. 239 – 244 (2010). [18] W. Stallings, Cryptography and Network Security: Principles and Practice. 5th edition, Prentice-Hall, NJ (2006). [19] R. Housley, W. Polk, W. Ford, and D. Solo, RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. (2002). http://www.ipa.go.jp/security/rfc/RFC3280-00EN.html [20] Z. Li, C.H. Chu and W. Yao, A Semantic Access Control Model for Securing RFID-enabled Supply Chains, in Y. Li and J. Zhou (Eds.), Radio Frequency Identification System Security, IOS Press, pp. 95117 (2010). [21] EPCglobal: EPCglobal Certificate Profile. Version 1.0.1 (2008). [22] J. Weise, Public Key Infrastructure Overview. Sun BluePrints™ (2001). http://www.sun.com/blueprints/0801/publickey.pdf [23] D. Hankerson, A. Menezes and S. Vanstone, Guide to Elliptic Curve Cryptography. Springer-Verlag, New York (2004). [24] D.J. Malan, M. Welsh, and M.D. Smith, A Public-Key Infrastructure for Key Distribution in TinyOS Based on Elliptic Curve Cryptography. In: Proceedings of the First Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks, pp. 71-80 (2004). [25] V. Welch, I. Foster, C. Kesselman, O. Mulmo, L. Pearlman, S. Tuecke, J. Gawor, S. Meder, and F. Siebenlist, X.509 Proxy Certificates for Dynamic Delegation. In Proceedings of the 3rd Annual PKI R&D Workshop (2004). [26] I. Foster, and C. Kesselman, Globus: A Toolkit-Based Grid Architecture. Morgan Kaufmann, pp. 259278 (1999). [27] V. Welch, F. Siebenlist, I. Foster, J. Bresnahan, K. Czajkowski, J. Gawor, C. Kesselman, S. Meder, L. Pearlman and S. Tuecke, Security for Grid Services. In: Proceedings of the Twelfth International Symposium on High Performance Distributed Computing, IEEE Press, pp. 48 - 57 (2003). [28] T. Dierks and C. Allen, The TLS Protocol Version 1.0, RFC 2246, IETF, (1999). http://www.ietf.org/rfc/rfc2246.txt.

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-722-2-35

35

RFID Mutual Authentication Protocols with Universally Composable Security CHUNHUA SU a and YINGJIU LI a and ROBERT H. DENG a a School of Information Systems, Singapore Management University, 80 Stamford Road, Singapore 178902. Email: {chsu, yjli, robertdeng }@smu.edu.sg Abstract. Universally Composable (UC) framework is the strongest security notion for designing fully trusted cryptographic protocols, and it is very challenging on applying UC security in the design of RFID mutual authentication protocols. In this paper, we formulate the necessary conditions for achieving UC secure RFID mutual authentication protocols in a fully trusted environment, and indicate the flaws of some existing schemes under UC framework. We define the ideal functionality for RFID mutual authentication and propose the first UC secure RFID mutual authentication protocol based on public key encryption and some trusted third parties which can be modeled as functionalities. We prove the security of our protocol under the strongest adversary model assuming both the tags’ and readers’ corruptions. Furthermore, we present two (public) key update protocols for the cases of multiple readers: one uses Message Authentication Code (MAC); the other uses trusted certificates in Public Key Infrastructure (PKI). Keywords. Universal Composability, RFID Security and Privacy, Mutual Authentication

Introduction RFID reader/tag mutual authentication is a very important research topic in RFID security and privacy realm. In such an authentication protocol, RFID tags have to authenticate themselves to a reader and that the reader has to authenticate itself to the tags in such a way that they are assured of each others’ identities. In this paper, we focus on the RFID mutual authentication protocols within Universally Composable (UC) framework. Cryptographic protocols that are secure in UC framework can guarantee that the protocols remain secure even when composed concurrently with an unbounded number of instances of arbitrary protocols. This is known as the strongest (computational) security model for cryptographic protocol. A protocol which is secure under UC-framework preserves its security under arbitrary protocol composition to construct a fully trusted functionality. 0.1. Related Work and Challenging Issue The research in RFID security and privacy, mainly security and privacy enhanced authentication protocols, is updating rapidly and quite extensive. The most of RFID authentication protocols can be classified into two approaches. One approach is based on symmetric-key technique such as PRNGs, hash functions, block ciphers. The typical works of this approach are hash-lock based scheme [18] and OSK scheme using hash

36

C. Su et al. / RFID Mutual Authentication Protocols with Universally Composable Security

chain [13]. The other approach is based on public key technique, for examples, Tuyls et al. proposed a scheme using Elliptic Curve Cryptography (ECC) [16] and Vaudeney et al. proposed some scheme based on CCA secure public key encryption [14,17]. Public key based approach usually can provide stronger privacy than symmetric-key based approach in the case of adversary making the corruption of tags and getting their internal states [14,17]. The security model of RFID authentication protocols is another important issue. Avoine [2] first formalized an adversary model in RFID systems. Based on the adversary model, Juels and Weis defined the notion of strong privacy for analyzing the privacy issues in RFID systems [10]. The security definitions in the existing works [2,10,12, 17] for RFID authentication protocols are built on the traditional game-based security model. The model first sets a goal of the attack in RFID authentication, says, under which conditions the adversary can win, then model the adversary’s attack as a series of queries to some oracles which model the execution of the protocol. The RFID protocol is proved to be secure if the probability of adversary’s success is negligible. The works most related to ours are the forward formalization of privacy model for RFID systems[4,5,11], the authors try to present some RFID authentication and authenticated key-exchange protocols in the UC framework. However, there are still some unclear points in their schemes and need more concrete security analysis (See Section 3). Furthermore, they only consider the corruption of the tag, while in UC security, all parties’ corruption must be considered. So it is very important for us to formulate the necessary conditions which are required for a UC secure RFID mutual authentication scheme and implement such a scheme. Challenging Issue. The RFID protocols in the related works are secure under traditional standalone model. When those protocols are used in the concurrent way or being composed with other instances of the same or other protocols, they may not be secure anymore. UC-framework is the strongest computational security framework for cryptographic protocols used in ubiquitous applications as an sub-protocol or as a single arbitrary authentication protocol. When designing a UC secure RFID authentication protocol, one should not only model attacker’s behavior but also has to do comprehensive security proof in a higher level requirements by comparing the executions of two protocol processes, a real process and an ideal process. Furthermore, in the UC-secure framework, we should also model both tag and reader’s corruptions. So implementing a UCsecure RFID mutual authentication requires different settings and techniques compared to implementation in traditional security model. 0.2. Our Contributions and Organization Our contributions. In this paper, we address UC-framework and its applications for RFID mutual authentication and make the following contributions: 1. We provide a stronger security framework for RFID mutual authentication protocol and define an ideal functionality to model the protocol and the adversary’s behavior. We work out two ideal functionalities for authenticated key update. Furthermore, we prove that it is impossible to implement UC secure RFID mutual authentication protocol under the plain model (without some extra assumptions) and make further analysis on Le et al.’s UC secure protocols [5,11].

C. Su et al. / RFID Mutual Authentication Protocols with Universally Composable Security

37

2. We modify the public key encryption-based authentication protocols of [14,17] into a UC secure mutual authentication protocol. We construct our UC secure protocol based on common reference string (CRS) which can generate common public key for both the reader and the tag. Due to the pure theoretical flavor of UC security framework, we provide some optimized practical solutions to reduce the communication overhead. 3. We use PKI functionality to maintain trusted relationship between reader and tag which involves trusted third party issuing certification for reader to update the public keys in RFID tags requested by typical RFID enabled supply chain management. For updating the readers’ public keys, we propose two UC secure key update protocols, of which one is using Message Authentication Code (MAC) and the other is using certificates in Public Key Infrastructure (PKI). The organization of this paper. In the next section, we show the basic components for RFID mutual authentication and make a comparison between the traditional security model and our model, and then introduce the formal definition of universal composability framework. In Section 3, we model the functionalities of RFID mutual authentication and authenticated public key update, and show that designing a UC secure protocol for the implementation of ideal RFID mutual authentication functionality in plain model is non-trivial. In Section 4, we present our implementations of UC secure protocols for RFID mutual authentication and the authenticated public key update, together with some optimized solutions on reducing the communication cost. In Section 5, we describe the security proofs of our protocols under the UC framework. At last, we draw conclusions.

1. Preliminaries In this section, we first give a brief description about RFID mutual authentication protocol, and then we compare the traditional game-based security model with simulationbased security model in UC-framework. After that, we introduce the security definitions in UC-framework, which shall consist of two definitions: firstly, it must specify how an arbitrary, probabilistic, polynomial-time adversary can interact with legitimate participants of a protocol; and secondly, it must state what the adversary should achieve in order to break the security of the protocol. 1.1. RFID Mutual Authentication Protocol As a malicious reader could obtain unauthorized information from a tag during the tag authentication, so it is an important issue of authenticating the reader as well. As a countermeasure, Tsudik [15] proposed the YA-TRIP and YA-TRAP schemes based on timestamps to do the mutual authentication. An RFID mutual authentication scheme is such that the output is correct except with a negligible probability, it can be described as follows. 1. Initiate a reader R with certain keys for verifying tags’ identities. 2. Create a set of tags, each tag Ti having a unique IDi . 3. Execute a complete protocol between the reader R and a tag Ti , output the tag’s IDi to the reader and verify the reader to the tag.

38

C. Su et al. / RFID Mutual Authentication Protocols with Universally Composable Security

Here, the reader may have real-time access to a database so as to identify a tag’s ID. There are two general models to formalize the security of interactive protocols: the game-based model and the simulation-based model. Game-based security model used in [12,14,17] has the advantages of easy-to-understand and simple-to-apply in the formalization of RFID authentication protocols. Unfortunately, such game-based security modes cannot be used to analyze the security of an RFID protocol when it is used as a sub-protocol in a composite setting. 1.2. Security Definition of UC Framework A protocol that is secure within the framework [6] proposed by Canetti is called universally composable (UC). We say that the protocol UC realizes the given functionality. In UC framework, a computationally limited entity called the environment Z has to distinguish between an execution of the protocol with adversary A and an execution of an ideal functionality with simulator S. We then say that a protocol π realizes an ideal functionality F if there exists a simulator S which given access to F can simulate a run of π with the same input-output behavior. In doing so, S is given the inputs of the corrupted parties, and the information leaked on the execution of F, and can specify the inputs of corrupted parties. Let IDEALF ,S,Z and REALπ,A,Z denote the view of environment Z in ideal world model and real world model, respectively. For any environment Z, it holds:

IDEALF ,S,Z ≡ REALπ,A,Z

(1)

A protocol that is secure under UC-framework can be run in a network where many different and arbitrary protocols are being executed. F expects each incoming message to contain a special field consisting of its session ID (SID). That is, each call to a copy of F and each response from this copy should hold the SID of that copy. The Adversarial Power. In the UC RFID model, the adversary can corrupt and take full control of RFID tags and reader at will. The corruption strategy deals with the questions of when and how parties are corrupted. There are two main kinds of corruption:  Static corruption: The adversary is given a fixed set of RFID tags or readers of which it controls. Uncorrupted parties remain honest and corrupted parties remain corrupted throughout the protocol runs.  Adaptive corruption: Different from the static corruption, adaptive adversaries are given the capability of corrupting RFID tags or readers during the mutual authentication. The choice of which one to corrupt, and when, can be arbitrarily decided by the adversary and may depend on its view of the execution. In this paper we deal with the static corruptions of RFID tags and readers assuming all the adversaries have polynomial computation capability.

C. Su et al. / RFID Mutual Authentication Protocols with Universally Composable Security

39

2. The Functionality of RFID Mutual Authentication and Impossibility Result 2.1. The Ideal Functionality for RFID Mutual Authentication To properly design a functionality which can model the mutual authentication and the adversary behavior is a very critical before building a excellent implementation. The functionality must model the adversary’s attack and what kind of messages the adversary can use. For an ideal functionality, we have to consider the simulator’s action inside the ideal functionality and follow three principles as follows. 1. The functionality should be secure even though the simulator can affect the execution between RFID tags and reader in the ideal world. Simulator can be considered as an adversary in the ideal world. 2. The event of communication between two parties is allowed to be informed to the simulator. In the real world model, the message transferred between two parties maybe not be revealed to an adversary due to the security of the encryption system, however, the adversary can know that communication between two parties is going on. 3. The simulator can delay the timing of message transmission. In the real world model, the communication channel can be controlled by the adversary. So in the ideal functionality, the simulator also do the same and delay the message output. Here, we define the ideal functionality of RFID mutual authentication F RMA . Note that one functionality is correspond to one session id sid.

The Functionality of RFID Mutual Authentication The functionality F RMA is parameterized by a security parameter k. It interacts with an adversary S and a set of RFID tags and a reader. 1. Upon receiving the identifier (ReaderIden, sid, U ) from reader, store U and send (ReaderIden, sid) to S. 2. Upon receiving (TagIden, sid, V, IDi ) from tag Ti , check whether the relation R = (U, V ) = 1 and send (TagIden, sid) to S. Here, the relation R is a predetermined relation to define whether both identifiers match. 3. Upon receiving (Output, sid, R, Ti ) from S, output IDi to reader and send OK to tag Ti iff R = 1.

Figure 1. The ideal functionality of RFID mutual authentication, F RMA

We now consider RFID mutual authentication protocol where the new-joining readers want to update their public keys or authentication related keys into each tag and where the keys are needed to be updated after each authentication for security. We give out the ideal functionality for the key updating operations in Figure 2.

40

C. Su et al. / RFID Mutual Authentication Protocols with Universally Composable Security

The Functionality of Authenticated Key Update The functionality F KeyUpdate interacts with an adversary S and a set of RFID tags and some readers. 1. Upon receiving the first message (RegisterKey, sid, KP , idenR ) from reader R, send (Registered, sid, KP ) to the S; upon receiving ok from S, and if sid is correct and this is the first request from R, then record the pair (RegisterKey, R, idenR , KP ). 2. Upon receiving a message (Update, sid, Ti , idenR ) from reader R, send (Update, sid, Ti ) to S. After receiving an ok from S and if there is a recorded pair (sid, Ti ), output (NewKey, sid, KP ) to tag Ti . Else output nothing.

Figure 2. The ideal functionality of key update, F KeyUpdate

2.2. Impossibility Result In this section, we show that the F RMA functionality cannot be securely realized in the plain model without using additional cryptographic primitives like a common random string. Canetti et al. show broad impossibility results by demonstrating that large classes of two-party functionalities cannot be UC realized in the plain model [8]. The results indicate the security proof problems in the design of existing RFID mutual authentication protocols claimed to be UC secure. Here, we show that the impossibility result refers to non-trivial protocols, a nontrivial protocol has the property that if the real world adversary delivers all messages and does not corrupt any parties, then the ideal world adversary also delivers all messages (and does not corrupt any parties). Both the reader and the tag are ensured to pass the mutual authentication verifications at the end of a protocol execution (except perhaps with negligible probability), provided that (1) both the reader and the tag use some keys or randomness which satisfy a certain relation; and (2) the adversary passes all messages between reader and tags without modifying them or inserting any message of its own. Theorem 2.1 There does not exist a non-trivial protocol π that securely realizes the functionality F RMA in the plain model. Proof: Here, we can model all parties as Turing machine. Initially, the environment needs to provide the same inputs to the readers and the tags in the real world model and in the ideal world model. In the real world model, A can corrupt the tags executing the RFID mutual authentication, also A would eavesdrop the communication between the readers and the tags and sends it back to the environment Z. In the ideal world, there is a simulator S which interacts with the ideal functionality F RMA . S can simulate what A has seen in the real world and report the simulated messages to Z. • Every input value S received from Z is written on A’s input-tape (as if coming from A’s environment). Likewise, every output value written by A on its own output-tape is copied to S’s own output-tape (to be read by S’s environment Z).

C. Su et al. / RFID Mutual Authentication Protocols with Universally Composable Security

41

• When a tag or a reader is corrupted by the adversary in the real world execution, S shall simulate the corruption in the ideal world. Intuitively, it is difficult for S to provide a simulation for Z since S must send the correct identifiers of the reader and tags to F RMA , while the only way of obtaining information about identifier is through a real execution of the protocol with Z. The simulator must be able to extract the identifiers of the reader and tags from the messages seen by the adversary in the real world. If there is a match conversation between a tag and a reader (the identities of the tag and the reader match) in the authentication of both real world and ideal world, Z outputs 1, otherwise Z outputs 0. When there is no match conversation, Pr[Z outputs 0|R = (U, V ) = 1 in real world] = 1 − negl(k), where negl(k) is a negligible function, and Pr[Z outputs 0|R = (U, V ) = 1 in ideal world] = 1 − negl(k). It is difficult for S to provide a correct simulation for Z since S must send correct identities of both the tag and the reader, while its only way of obtaining such information is through a real authentication execution of the protocol with Z. so S can simulate the output of 0 with the probability with 1/2+negl(k). The non-trivial requirement is necessary since an protocol where no reader and tags can do anything on securely realizing the ideal functionality (note that in the ideal model, the simulator can never generate correct identifiers to the functionality). So we can claim the theorem above. Analysis of Existing Schemes in UC Framework: RFID mutual authentication schemes under UC-framework are proposed in [4,5,11]. However, the above result on the non-trivial requirement indicates some incompleteness of security proof in the scheme of [4,5,11]. In UC security framework, the environment Z generates all the inputs and sends them to the real tags and reader of real world and dummy tags and reader in the ideal world. Here we provide a brief analysis as follows: 1. In the security proof of [4], it is assumed that there is a trusted server which is modeled as an oracle OS and creates a database of keys Ki , i = 1, ..., n. The simulator can access the oracles in the ideal world simulation, however, in UC security model, the simulator should simulate all the oracles without interaction with them. 2. As in the authentication of [5,11], both the reader and the tags have secret states during the protocol execution. In UC-framework, rtag , ktag are provided by Z. In their proposal, they are encrypted by a pseudo-random function F , obviously, the simulator S can not extract rtag , ktag from the messages transferred between the tags and the reader. Due to the onewayness of pseudo-random function, it is impossible to be used to implement a UC secure RFID protocol. So in this paper, we use public key encryption to achieve the extractability and the requirements of UC security.

3. Our Implementations of UC Secure Mutual Authentication On designing a UC secure protocol, we have to provide a relatively general and minimal assumption that can be realized by a number of quite different and alternative "set-up mechanisms". Here, the common reference string (CRS) model is used in our protocol.

42

C. Su et al. / RFID Mutual Authentication Protocols with Universally Composable Security

In this model, originally proposed in [3], all parties have access to a common string r that was ideally drawn from some publicly known distribution. It acts as a trusted third party which allows parties to register their identities together with an associated public key. 3.1. UC Secure Mutual Authentication Protocol for RFID We first consider an RFID system comprising of a single legitimate reader R and a set of RFID tags T1 , ..., Tn . The reader and the tags are probabilistic polynomial time Turing interactive machine. Typically, each tag is a passive transponder identified by a unique ID and has only limited memory which can be used to store only several keys and/or state information. We modify the protocol from Paise and Vaudenay’s scheme [14] based on a CCA-secure Public Key Cryptosystem (PKC). A PKC includes a key generator, an encryption algorithm, and a decryption algorithm. The correctness of a PKC ensures that the decryption of the encryption of any x is always x. The scheme is CCA-secure if all polynomial-time adversaries win the CCA game with negligible advantage. To achieve the extractability, both the reader and the tags use the same public key generated by CRS, which is the minimum condition on the realization of UC secure RFID authentication protocols. Z^͗ ŐĞŶĞƌĂƚĞƉŬ͕ƐŬ ƉŬ

ƐŬ

^ŝŵƵůĂƚŽƌ^

ƉŬ

dĂŐ ƚŝ 2) readers can be reduced to the scenario of n − 1 readers by assuming that one of the readers is lucky to have no FNAs, and the conclusion holds true for more than two readers interacting with one tag. From the above conclusions, we come out the necessary and sufficient condition for false authentications prevention. Theorem 3 Under the protocol pattern of challenge-response, FNAs can be prevented iff there is neither an early-read nor a lagged-read on any reader. Proof: (a) Necessity. If there is either an early-read or a lagged-read on any reader, then by Claim 1 an FNA arises. (b) Sufficiency. If there is neither an early-read nor a lagged-read on any reader, then it is guaranteed what a reader reads is exactly what it should read, and no FNAs will arise.

58

K. Chiew et al. / On False Authentications for C1G2 Passive RFID Tags

1. T ←− R: c1 if (c1 is correct) then accept R else reject R

1. R −→ T: c1 ˆ 1) 2. R ←− T: R(c ˆ 1) 3. Server ←− R: R(c ˆ if (R(c1 ) is correct) then accept T else reject T

(a) RAO protocol

(b) TAO protocol

ˆ 1) 1. R −→ T: c1 ; 2. R ←− T: R(c ˆ 1) 3. Server ←− R: R(c ˆ if (R(c1 ) is correct) then accept T else reject T, abort 4. T ←− R: c2 if (c2 is correct) then accept R else reject R

1. T ←− R: c1 if (c1 is correct) then accept R else reject R, abort ˆ 1) 2. R ←− T: R(c ˆ 1) 3. Server ←− R: R(c ˆ if (R(c1 ) is correct) then accept T else reject T

(c) TRA protocol

(d) RTA protocol

Figure 5. Illustration of simplified four types of authentication protocols

4. Classification of Authentication Protocols With the above protocol pattern, we give a classification for the existing protocols and investigate what kinds of protocols contain this pattern and may bring with FNAs. A typical authentication protocol works by two phases, namely, a tag identification phase followed by an authentication phase [1, 9, 17]. There are many reader/tag authentication protocols with different rounds of conversations in the authentication phase though, the tag identification phase is the same amongst all. If we ignore the tag identification phase, the existing protocols can be classified into four types based on the readertag conversations in their authentication phases. They can be simplified as illustrated in Figure 5. The first two types of protocols are one-way authentications, i.e., either a tag authenticates itself to a reader or a reader authenticates itself to a tag; whereas the latter two types of protocols are mutual authentications by which tags and readers authenticate to each other mutually. They are briefly described as follows. (1) The first type is reader authentication protocols under which only readers authenticate themselves to tags, referred to as RAO (reader authentication only) as shown in Figure 5(a). Challenge c1 from the reader is a function (e.g., hashing) of key k held by the tag. The tag runs the same function with key k as the input and compares the result with c1 . If both are equal, i.e., c1 is correct as illustrated in the figure, then it accepts the reader; otherwise it rejects the reader. With hash-locking protocol [17] as a representative, this type of protocols prevent unauthrised readers from accessing tags. (2) The second type is tag authentication protocols under which only tags authenticate themselves to readers, referred to as TAO (tag authentication only) as shown in Figure 5(b). Upon receiving challenge c1 , the tag (of which the legitimacy is unknown) ˆ 1 ) which is a function of challenge c1 . The reader compares it with returns response R(c ˆ 1 ) = R(c1 ), then the reader accepts the tag; otherR(c1 ) on the back-end server. If R(c wise it rejects the tag. This type of protocols allow readers to prevent unauthorised tags from being accepted. Representatives of this type of protocols include YA-TRAP and five protocols of challenge-response proposed in [15]. (3) The third type of protocols such as the protocol of Avoine et al. [2], the protocol of Yang et al. [18] and the protocol of Molner and Wagner [11], referred to as TRA (tag-

K. Chiew et al. / On False Authentications for C1G2 Passive RFID Tags

59

then-reader authentication) in Figure 5(c), allow tags to authenticate themselves to readers first followed by readers authenticating themselves to tags. TRA protocols work as a combination of TAO and RAO. The reader first sends challenge c1 and verifies response ˆ 1 ) = R(c1 ), then it accepts the tag and ˆ 1 ) on the back-end server. If response R(c R(c proceeds to authenticating itself to the tag by sending challenge c2 ; otherwise, it rejects the tag and aborts the authentication process. Once the tag passes the authentication to the reader, it verifies challenge c2 and accepts the reader if correct or otherwise rejects the reader. (4) The fourth type of protocols such as the protocol of Alomari et al. [1] and M2 AP [13], referred to as RTA (reader-then-tag authentication) in Figure 5(d), allow readers to authenticate themselves to tags first and then tags authenticate themselves to readers. Similar to TRA protocols, RTA protocols work as a combination of RAO and TAO. The difference is, under TRA protocols, the tag responds challenge c1 without verifying its validity; whereas under RTA protocols, the tag first verifies challenge c1 beˆ 1 ). If c1 is correct, then the tag accepts the reader; fore responding with response R(c otherwise, it rejects the reader and aborts the authentication. Once the reader passes the ˆ 1 ). It authentication to the tag, it starts to authenticate the tag by verifying response R(c ˆ accepts the tag if R(c1 ) = R(c1 ) or otherwise rejects the tag. From Theorems 1 & 2 we have the following conclusion. Corollary 1 Under any of TAO, TRA and RTA protocols, FNAs may arise if there is one or more readers interacting with the same tag. Proof: From the above classification, we observe that the pattern of challenge-response exists in all TAO, TRA and RTA protocols. By Theorems 1 & 2, the conclusion follows.

5. Semaphore-based Solution In the above we have analysed that the major reason of false authentications is due to the contention of the shared resource. If there is a coordinator that can inform each user when the shared resource is available for it to access, the contention can be resolved. Enlightened by the idea of semaphore as a solution to critical-section problem in operating systems, we assume that the role of such a coordinator can be taken up by semaphores. In the next, we propose to add semaphore operations to the protocol pattern for false authentications prevention. This is a plain solution without considering attacks though, it is simple and effective. Improved solutions against attacks deserve further study in separate papers. 5.1. Semaphore We define three semaphores s0 , s1 and s2 , each of which is a predefined memory inside a tag. They play the following roles. (1) Semaphore s0 indicates the availability of a tag. If s0 = 0, then the tag is ready for processing a challenge; if s0 = S(c), where S(c) known as a token is supposedly a single-valued function w.r.t. challenges such that S(x) = S(y) iff x = y, then the tag is generating response R(c). At the reader side, the reader keeps checking semaphore s0 until s0 = 0 and sends a challenge; whereas at the tag side, the tag updates the state

60

K. Chiew et al. / On False Authentications for C1G2 Passive RFID Tags

1. Reader −→ Tag: c 2. Tag: 2.1. if (s0 = 0) then s0 ← S(c), s1 ← S(c) 2.2. Tag −→ Reader: s0 , s1 , R(c) 3. Reader: 3.1. if (s0 = S(c)) then goto 1 3.2. Reader −→ Tag: S(c) 4. Tag: if (s2 = S(c)) then s0 ← 0 Figure 6. Revised protocol pattern with semaphores

of semaphore s0 from 0 to token S(c) when it starts to generate response R(c) w.r.t. challenge c from the reader. (2) Semaphore s1 indicates the readiness of response R(c). The response is ready iff s1 = S(c) where S(c) is the token currently held by semaphore s0 . At the reader side, upon sending challenge c, the reader keeps checking semaphore s1 until s1 = S(c) and reads response R(c); whereas at the tag side, the tag updates semaphore s1 with token S(c) when response R(c) is ready. (3) Semaphore s2 indicates that the reader has read response R(c). It is set to S(c) iff the reader finishes reading response R(c), in which token S(c) is currently held by both semaphores s0 and s1 . At the reader side, upon reading response R(c), the reader updates semaphore s2 with token S(c); whereas at the tag side, the tag keeps checking semaphore s2 until s2 = S(c) and updates semaphore s0 with 0. All three semaphores are readable and updatable to the tag though, semaphores s0 and s1 are only readable to readers and semaphore s2 is updatable to readers. We reserve extra memory units in memory Mr for semaphores s0 and s1 besides the units for response R(c), and use memory Mc for semaphore s2 and a challenge from a reader. This arrangement of memory allows a reader to read response R(c) together with semaphores s0 and s1 by a single read command. 5.2. Solution with Semaphore Operations The revised protocol pattern with semaphore operations is shown in Figure 6 in which two steps are added as compared with the original pattern shown in Figure 3(a). Accordingly the implementation of the revised pattern is shown in Figure 7, in which we can also merge steps 4 and 5 into one command as “R: rRead(T, Mr , s0 , s1 , R(c))”. It works by several phases that are carried out concurrently at both reader and tag sides. • At the reader side, there are two phases as follows. (1) Send challenge c (steps 1, 2 and 4). Reader R keeps querying the availability of tag T in step 1, and runs step 2 of sending challenge c iff tag T is available. However, it is very likely that reader R sends challenge c prior to reader R. Thus in step 4, semaphore s0 tells reader R about (a) whether tag T has started to generate a response (if yes, then s0 = 0), and (b) whether tag T is generating a response w.r.t. its challenge c or w.r.t. challenge c from reader R . If s0 = S(c ), meaning that the tag is processing challenge c rather than challenge c, then reader R has to start its try from step 1; otherwise, it proceeds to the next phase. (2) Read response R(c) (step 5) and acknowledge (step 6). In step 5 reader R keeps reading semaphore s1 together with response R(c). If s1 = S(c), meaning that the

K. Chiew et al. / On False Authentications for C1G2 Passive RFID Tags

61

1. R: rRead(T, Mr , s0 ) if (s0 = 0) then goto 1 // tag busy 2. R: rW rite(T, Mc , c) // another challenge c at the same time 3. T: tRead(Mr , s0 ) if (s0 = 0) then // available, otherwise ignoring other challenges 3.1. T: tRead(Mc , c) 3.2. T: tW rite(Mr , S(c)) // s0 ← S(c), indicating busy now 3.3. T: tW rite(Mr , R(c), S(c)) // s1 ← S(c), writing R(c) done 4. R: rRead(T, Mr , s0 ) if (s0 = 0) then goto 4 // awaiting tag running step 3 if (s0 = S(c)) then goto 1 // challenge c earlier than c 5. R: rRead(T, Mr , R(c), s1 ) // reading s1 together with R(c) if (s1 = S(c)) then goto 5 // R(c) not yet ready 6. R: rW rite(T, Mc , S(c)) // s2 ← S(c), reading R(c) done 7. T: tRead(Mc , s2 ) if (s2 = S(c)) then goto 7 // awaiting reader to read R(c) 8. T: tW rite(Mr , 0) // s0 ← 0, acknowledgement Figure 7. Implementation of protocol pattern with semaphores

response is not yet ready, then it knows what it reads is not R(c) and ignores it; otherwise, it knows from s1 = S(c) what it reads is exactly R(c) and updates semaphore s2 with token S(c) to acknowledge finish of reading response R(c). • At the tag side, there are two phases as follows. (1) Read challenge c (step 3.1) and store response R(c) (step 3.3). The tag responds a challenge iff it is available indicated by semaphore s0 = 0. When starting to process challenge c (step 3.1), the tag updates semaphore s0 with token S(c) (step 3.2) and does not respond any latter challenge. It updates semaphore s1 with token S(c) to indicate its finish of storing response R(c) into memory Mr (step 3.3). (2) Receive acknowledgement (step 7). Once it finishes storing response R(c) (step 3.3), the tag keeps querying sema-phore s2 (step 7) until s2 = S(c) which means the reader’s completion of reading the response, then the tag resets s0 to 0, indicating ready to process a new challenge. Given the above solution, we have the following conclusion. Theorem 4 No FNAs will arise from the solution when one or more readers are interacting with the same tag. Proof: By Claim 1, we only need to prove that there is neither early-read nor laggedread on any reader. From the above analysis, we can see that there are several phases of operations carried out by the reader or the tag. At each side, either the reader or the tag can control by itself the execution sequence of the operations; whereas both sides may run respective operations concurrently. We discuss the following two cases. (1) One reader. An early-read will arise iff the reader reads response R(c) (step 5) before it is stored into memory Mr (step 3.3). From Figure 7, the reader keeps checking sema-phore s1 until s1 = S(c) before accepting response R(c) that it reads together with semaphore s1 , while setting sema-phore s1 to S(c) is run by the tag together with storing response R(c) in step 3.3. Even if the reader goes to step 5 earlier than the tag going to step 3.3, it would be blocked by semaphore s1 until the tag finishes running step

62

K. Chiew et al. / On False Authentications for C1G2 Passive RFID Tags

3.3 which sets semaphore s1 to S(c) indicating the completion of storing response R(c). Therefore, the potential early-read is prevented by semaphore s1 . On the other hand, the tag keeps response R(c) unchanged in memory Mr until the reader sets s2 to S(c) indicating end of reading R(c), a lagged-read on the reader is hence prevented. (2) Two or more readers. Given tag T and reader R1 together with several other readers, it is possible that several readers send respective challenges to tag T at the same time after verifying semaphore s0 = 0. From Figure 7, any of other readers will be blocked at step 4 if s0 = S(c1 ), which indicates that challenge c1 from reader R1 arrives to tag T earlier than any other challenges and the tag is responding to challenge c1 . Thus there is no way for other readers to access memory Mr hence either early-read and lagged-read will not arise on these readers. From step 5 onwards, only reader R1 is allowed to interact with the tag, and either early-read or lagged-reader on reader R1 is prevented as analysed in the first case. 5.3. Memory Cost of Semaphores The memory cost of a semaphore is determined by token S(·) which is supposedly a single-valued function w.r.t. challenges. In practice, token S(·) is a hashing operation of challenges, whereas a challenge is normally a pseudo-random number of at least 128bit length for security consideration [8, 11]. Given s-bit length of S(·) and t challenges, the probability of collision that any two challenges are hashed to the same token is 1 − 2s !/(2st · (2s − t)!). Normally the minimum block size of a read/write operation by a tag/reader is 8-bit (one-byte) or 16-bit (two-byte) [3, 4]. Therefore, if we use 8-bit length of token, then the probability of collision is less than 0.04 for t = 5 (5 challenges); whereas if we use 16-bit length of token, the probability is less than 0.015 for t = 40 (40 challenges). Both probabilities of collision are negligibly low in real applications. Not all three semaphores cost memory because semaphore s2 shares memory Mc with challenges as aforementioned. Moreover, to further save memory, semaphore s1 can be just 1-bit of length with one for response ready and zero for otherwise. Thus the memory cost of semaphores are acceptable as compared with the memory costs of challenges and responses.

6. Experiment We conduct three experiments to verify our conclusions. In the first experiment, we verify that early-read could arise from one reader interacting with a tag; in the second experiment, we verify that lagged-read could arise from two readers interacting with the same tag; while in the third experiment, we verify that semaphore operations can effectively prevent either early-read or lagged-read from arising. The tags and readers that we use in our experiments are (1) IAIK UHF tag emulators [4] and (2) CAEN A828 readers [3], and the back-end servers are laptop PCs running Microsoft Windows XP and Windows 7. The CPU speeds of laptops do not affect the results because the speed of reader-tag communications is determined by tags and

K. Chiew et al. / On False Authentications for C1G2 Passive RFID Tags

63

Table 1. N th round of read from which onwards the reader reads the correct response challenge

Length of response (bytes)

length

2

4

6

8

10

12

14

16

18

20

1 block

3

3

4

4

5

5

6

7

7

8

2 blocks

3

4

4

5

5

6

6

7

7

8

3 blocks

4

4

5

5

6

6

7

7

8

8

Table 2. N th round of read from which onwards reader R1 reads response R(c2 ) challenge

Length of response (bytes)

length

2

4

6

8

10

12

14

16

18

20

1 block

5

6

7

7

9

9

11

13

14

15

Table 3. Rounds of reading semaphore s1 before response R(c1 ) ready challenge

Length of response (bytes)

length

2

4

6

8

10

12

14

16

18

20

1 block

2

2

3

3

4

4

5

5

6

7

readers. Any challenge c is a random number, and response R(c) is part of the hashing result of SHA-256 with challenge c as the input4 . In the first experiment, we run 20 rounds of rRead( ) command to read a response right after a rW rite( ) command which sends a challenge, and verify what the reader reads. We vary the challenge length from one to three blocks of input size5 , and vary the length of response from 2 bytes to 20 bytes. Our experimental result in Table 1 shows from which round onwards the reader reads the correct response; in other words, before this round of read, any read action that the reader takes leads to an early-read with unexpected data read by the reader. The table also shows, either longer length of challenges or longer length of responses leads to longer time of response generating or storing and results in a later round of read from which onwards the reader reads the correct response. This experiment demonstrates that we have captured early-read arising from one reader interacting with one tag. In our second experiment, we run three consecutive steps as follows: (1) reader R1 sends challenge c1 , (2) reader R2 sends challenge c2 , and (3) reader R1 runs 20 rounds of command rRead( ) to read a response. We keep the challenge length within one block of input size but vary the response length from 2 bytes to 20 bytes. Table 2 shows from which round onwards reader R1 reads response R(c2 ) which is destined for reader R2 rather than reader R1 . The result tells that to avoid early-read reader R1 may postpone reading response R(c1 ), however, it has to finish its read action before the round of read from which onwards it reads response R(c2 ); otherwise, lagged-read on reader R1 arises. This experiment demonstrates that we have captured lagged-read arising from two reader interacting with one tag. In the third experiment, the tag and readers are equipped with semaphores. We take the first byte of challenge c as token S(c) because we use only two readers in the experiment, and let challenge c2 from reader R2 be sent after challenge c1 from reader R1 . 4 The hashing result of SHA-256 is 256 bits (i.e., 32 bytes) though, we take part of the result as a response in our experiments. The time for the tag to write a response into a memory increases with the response length. 5 The input size of SHA-256 is 64n − 9 bytes for n blocks. The execution time of SHA-256 grows with the input size though, it is a constant for any bytes of length within the same input size.

64

K. Chiew et al. / On False Authentications for C1G2 Passive RFID Tags

Similar to the second experiment, we keep the challenge length within one block of input size but vary the length of responses from 2 bytes to 20 bytes. Table 3 shows how many rounds of read action that reader R1 has taken to read semaphore s1 in step 5 (Figure 7) before s1 = S(c1 ) indicating the readiness of response R(c1 ). The result complies with that in the first experiment. This experiment demonstrates that with semaphore operations, there is neither early-read nor lagged-read arising from the process of two readers interacting with one tag, because reader R2 does not send any challenge to the tag before the tag receives acknowledgement from reader R1 and sets semaphore s0 to 0 indicating its readiness to receive challenges. From the results of the above three experiments, in summary, we come out the conclusion that false authentications resulting from the protocol pattern can be easily captured in experiments and the semaphore-based solution can effectively prevent such false authentications from arising.

7. Conclusion In conclusion, we have made the following major contributions in this paper: (1) we have pointed out that false authentications may arise from the existing protocols when they are applied to C1G2 passive tags; (2) we have identified a protocol pattern under which false authentications may arise, and further identified three types of the existing protocols that contain this pattern and may bring with false authentications; and (3) we have given a necessary and sufficient condition for false authentications prevention. In addition, we have made some other contributions as follows: (1) we have proposed a semaphorebased solution to prevent false authentications from arising; (2) we have demonstrated with experiments the arising of false authentications and verify the effectiveness of our solution. For the next stage of study, it would be interesting to study secure solutions against various attacks.

Acknowledgement This work is partly supported by Singapore A*STAR SERC Grant No. 082-101-0022.

References [1]

[2]

[3] [4] [5]

Alomair, B., L. Lazos, and R. Poovendran. Towards securing low-cost RFID systems: an unconditionally secure approach. In Proceedings of the 2010 Workshop on RFID Security (RFIDsec’10 Asia), pages 1–17, Singapore, February 22–23, 2010. Avoine, G., E. Dysli, and P. Oechslin. Reducing time complexity in RFID systems. In Proceedings of the 12th Annual Workshop on Selected Areas in Cryptography (SAC’05), pages 291–306, Kingston, ON, Canada, August 11–12, 2005. CEAN RFID. CAENRFIDLib: Ansi C functions Library—Technical information manual. http://www.caen.it/rfid/index.php. DemoTag. http://www.iaik.tugraz.at/content/research/rfid/tag_emulators/. EPCGlobal, EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860 MHz–960 MHz Version 1.2.0.

K. Chiew et al. / On False Authentications for C1G2 Passive RFID Tags

[6]

[7] [8]

[9] [10]

[11]

[12]

[13]

[14]

[15]

[16] [17]

[18]

65

Feldhofer, M., S. Dominikus, and J. Wolkerstorfer. Strong authentication for RFID systems using the AES algorithm. In Proceedings of the Sixth International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2004), pages 357–370, Cambridge, MA, USA, August 11–13, 2004. International Organization for Standards (ISO), ISO/IEC 18000-6: Radio frequency identification for item management—Part 6: Parameters for air interface communications at 860 MHz to 960 MHz. . Juels, A. and S. A. Weis. Authenticating pervasive devices with human protocols. In Proceedings of the 25th Annual International Cryptology Conference (Crypto 2005), pages 293–308, Santa Barbara, CA, USA, August 14–18, 2005. Lai, Y.-C. and C.-C. Lin. Two blocking algorithms on adaptive binary splitting: Single and pair resolutions for RFID tag identification. IEEE/ACM Transactions on Networking, 17(3):962–975, 2009. Melski, A., J. Müller, A. Zeier, and M. Schumann. Improving supply chain visibility through RFID data. In Proceedings of the the IEEE 24th International Conference on Data Engineering Workshop (ICDEW’08), pages 102–103, Cancun, Mexico, April 7–12, 2008. Molner, D. and D. Wagner. Privacy and security in library RFID: Issues, practices, and architectures. In Proceedings of the 11th ACM conference on Computer and communications security (CCS’04), pages 210–219, Washington DC, USA, October 25–29, 2004. Myung, J., W. Lee, J. Srivastava, and T. K. Shih. Tag-splitting: Adaptive collision arbitration protocols for RFID tag identification. IEEE Transactions on Parallel and Distributed Systems, 18(6):763–775, 2007. Peris-Lopez, P., J. C. Hernández-Castro, J. M. Estévez-Tapiador, and A. Ribagorda. M2 AP: A minimalist mutual-authentication protocol for low-cost RFID tags. In Proceedings of the Third International Conference on Ubiquitous Intelligence and Computing (UIC06), pages 912–923, Wuhan, China, September 3–6, 2006. Tsudik, G. YA-TRAP: Yet another trivial RFID authentication protocol. In Proceedings of the Fourth IEEE Annual International Conference on Pervasive Computing and Communications Workshops (PerComW 2006), pages 643–646, Pissa, Italy, March 13–17, 2006. Vajda, I. and L. Buttyán. Leightweight authentication protocols for low-cost RFID tags. In Proceedings of the Fifth International Conference on Ubiquitous Computing (UbiComp 2003), Seattle, WA, USA, October 12–15, 2003. Wang, C., M. Daneshmand, K. Sohraby, and B. Li. Performance analysis of RFID generation-2 protocol. IEEE Transactions on Wireless Communications, 8(5):2592–2601, 2009. Weis, S. A., S. E. Sarma, R. L. Rivest, and D. W. Engels. Security and privacy aspects of low-cost radio frequency identification systems. In Proceedings of the First International Conference on Security in Pervasive Computing (SPC 2003), pages 201–212, Boppard, Germany, March 12–14, 2003. Yang, J., J. Park, H. Lee, K. Ren, and K. Kim. Mutual authentication protocol for low-cost RFID. In Proceedings of the Workshop on RFID and Lightweight Crypto, pages 17–24, Graz, Austria, July 14–15, 2005.

66

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-722-2-66

Attacks and Improvements to a New RFID Authentication Protocol Mohammad Hassan Habibi1a, Mahmud Gardeshia and Mahdi R. Alaghebandb a Faculty of ICT, I.H. University, Tehran, Iran b EE Department, Science and Research Campus, Islamic Azad University, Tehran, Iran

Abstract. The application of RFID technology has gently incorporated into our daily life, e.g. supply chain management, credit cards, barcodes and ticketing. Hence privacy and security in RFID have a particular emphasis inasmuch as RFID tags suffer from some inherent weaknesses. Authentication as a crucial element for all security mechanisms has been an interesting subject in recent years. In this work, we analyze a recently proposed RFID authentication protocol by Kulseng et al. [1] and highlight its security and privacy vulnerabilities. We show that Kulseng protocol (KWYG protocol) being vulnerable to several significant attacks like desynchronization, tag and reader impersonation and traceability attacks. Finally, we propose our protocol to eliminate the vulnerabilities with reasonable storage and computational requirements. Keywords. RFID authentication, security analysis, Impersonation, untraceability, desynchronization

Introduction Radio Frequency Identification (RFID) technology is one of the most important technologies in this decade. This technology allows the readers to identify the tags via a wireless channel. The RFID technology has widely been used in applications e.g. passports [2], supply chain management [3], Access control [4], Contactless cart [5] and etc. There are three main components in the RFID systems: tags, readers and a backend server. Each tag contains a microchip, antenna and a restricted amount of computational and storage capabilities. A reader queries tags to obtain tag contents through wireless channel and sends this information to the back-end server via secure channel as well. The back-end server is composed of a database and some processors [6]. Since the passive tags have low-cost and low computational capabilities, there are information leakage and many security flaws in passive RFID systems. The main security threats of a RFID system are as following. Tag and reader impersonation: A malicious adversary masquerades as a legitimate either reader or tag and the adversary either exploit system services fraudulently or gets access to stored secrets of tag respectively [7]. Man-in-the middle attack: As tags and readers utilize the mutual wireless channel, this attack can endanger system. The adversary not only does intervene 1

Corresponding Author: I.H. University, Faculty of Information and Communication Technology (ICT), Cryptography Group; Email: [email protected]

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

67

between a legal tag and a legitimate reader but also exchanges or manipulates the authentication messages [8]. Tag tracing and tracking: Traceability is one of the most important security threats related to RFID technology. Hence RFID authentication protocols should be untraceable, i.e. it should not be possible for a tag's movements to be traced or tracked. Namely an adversary should not be able to get any helpful information about the tag for tracing [9, 10]. Desynchronization: A malicious adversary tries to disturb synchronization between tag and reader to update inconsistent values and make tag disabled [11]. In recent years, many researchers have tried to propose lightweight and secure authentication protocols [12, 13, 14, 15, 16, 17, 18, 19, 20], but unfortunately many vulnerabilities have been found in their schemes [21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31]. Kulseng et al. have proposed a lightweight mutual authentication (KYWG) and ownership transfer for RFID systems [1]. In this paper we analyze the KYWG protocol and present six different attacks over this protocol including desynchronization attack, tag impersonation, reader impersonation, attacks on untraceability, backward untraceability and forward untraceability. As well we propose our protocol to eliminate the mentioned vulnerabilities with reasonable storage and computational requirements. The remainder of this paper is organized as following. In Section 1 the notations are introduced. The KYWG protocol is summarized in section 2. Our attacks over this protocol are demonstrated in section 3. We explain the privacy model for RFID systems and give our traceability attacks on KYWG protocol in section 4. Our protocol is presented in section 5 and finally, we give our conclusion in section 6.

1. Notations The notations in Table1 are used throughout this paper. For convenience, side of the reader and the back-end server is specified only as the reader.

Table 1. Notations A F G IDold IDSold IDnew IDS new ‫ܦܫ‬௝௜ ‫ܵܦܫ‬௝௜ K K' P PRNG R T ۩

malicious adversary a random permutation function a bit string the previous tag identifier the previous index to tag’s ID the new tag identifier the new index to tag’s ID the identifier related to the tag Ti at time tj the IDS related to the tag Ti at time tj a bit string is defined as Ki = F (Gi) a bit string is defined as K'i = F (Ki ) a random permutation function is implemented on Physically Unclonable Function (PUF) Pseudo Random Number Generator a coalition of the legitimate reader and the back-end server the legitimate tag XOR Operator

68

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

2. KYWG Protocol Kulseng et al. have proposed a lightweight mutual authentication (KYWG protocol) and ownership transfer for RFID systems [1]. We explain the KYWG protocol as follows (Fig.1). Setup phase: Both the reader and the tag are preloaded with a tuple of three secrets {IDS, ID, Gn} that is known only by themselves. Both parties share a random permutation function F mapping within range [1, q], where log q is the bit length of IDS and the F function is public. Tag also implements a function P as a random permutation function implemented based on Physically Unclonable Function (PUF) [32]. Besides, the reader and the tag keep Gn+1 and Gn-1 respectively during the protocol in the round n. Authentication phase: The authentication phase is as following. 1. The reader sends a request to the tag. 2. The tag transmits its IDS in response to the reader. 3. The reader searches IDS in database to find the corresponding Gn, and then it sends IDْGn to the tag. 4. Receiving IDْGn, the tag verifies the received message by its (ID, Gn, Gn-1) to find whether IDْGn ൌǫ IDْGn or IDْGn ൌǫ IDْGn-1. Not only the tag authenticates the reader provided that one of these equalities is satisfied, but also it checks IDْGn ൌǫ IDْGn-1 to assure the preservation of synchronization between itself and the reader. Then it computes two values Gn+1 and Gn+2:

Gn+1 = P(Gn)

and

Gn+2 = P(Gn+1)

The tag updates Gn into Gn+1 and computes two values Kn and K'n : Kn = F(Gn)

and

୬ାଵ †୬ ƒ† ୬ାଶ †ʅ୬

K'n = F(Kn)

Finally, the tag sends to the reader. The reader computes Kn from Gn and retrieves ୬ାଵ from ୬ାଵ ْ ୬ . If the retrieved ୬ାଵ is equal by stored ୬ାଵ , the reader will authenticate the tag. The reader computes ʅ୬ with the aide of Kn and F, afterwards extracts ୬ାଶ from ୬ାଶ ْ ʅ୬ and updates Gn and Gn+1 into Gn+1 and Gn+2. 6. Finally, both the reader and the tag update their IDS as:

5.

IDSnew = F(IDSold†Gn)

Figure 1. The KYWG protocol

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

69

3. Security Analysis of the KYWG Protocol In this section, the KYWG protocol from several security viewpoints is analyzed. Indeed, six different security vulnerabilities have been found in the protocol as following. 3.1. Attack on Synchronization One of the most important weaknesses of the KYWG protocol is against desynchronization attack. The reader relies on value Gi+1 to authenticate a tag in the round i of protocol, Whereas it is unable to compute Gi+1 by itself and have to accept any value of Gi+1 transmitted by the tag in the round i-1 of the protocol. This is a considerable security flaw in designing KYWG protocol which results a desynchronization attack. An adversary exploits this point and simply desynchronizes a legal tag T and the legitimate reader R by a man-in-the-middle attack as following: 1. The adversary eavesdrops a valid session between the tag T and the reader R in the round n. 2. He lets T and R exchange the first, second and third messages entirely (based on Fig. 1), but he changes the fourth message in a way the first part (Gn+1†Kn) remains unchanged whereas the second part (Gn+2 †ʅ ) is manipulated into Gn+2 † ʅ୬ † ̶୬ (  ̶୬ is an arbitrary bit string). He sends (Gn+1†Kn, Gn+2† ʅ୬ † ̶୬ ) as the fourth message to the reader. 3. Receiving the fourth message, firstly the reader extracts Gn+1 from the first part (Gn+1†Kn). Since the recovered Gn+1 is the same as the copy of Gn+1 it stored, the reader authenticates the tag. So the reader wants to extract Gn+2 from the second part, but Gn+2 †ʅ݊ has been changed to Gn+2 †ʅ †̶ . Therefore, the reader computes (Gn+2 †ʅ †̶ )† ʅ୬ = Gn+2 †̶ and stores Gn+2†̶ . At the next session, when the tag T sends Gn+2† ʅ୬ to the reader to authenticate itself, the reader extracts Gn+2 from Gn+2† ʅ୬ and compares it with the stored value (Gn+2† ̶୬ ) and since they are not the same, not only the reader reject T but also the tag T and the reader R have no way to resynchronize themselves in the future. 3.2. Tag Impersonation The structure of the messages in KYWG protocol is dependent on no random and fresh value, so the protocol is vulnerable to replay attacks. We show how an adversary exploits this weakness to impersonate a legal tag. The attack is as below.

70

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

1.

2.

3.

At the beginning of the nth session between a tag Ti and the reader R, they have (IDSi, IDi, Gn-1, Gn) and (IDSi, IDi, Gn+1, Gn) respectively. The adversary eavesdrops this session and reserves the second (IDSi) and fourth (Gn+1†Kn, Gn+2 †ʅ ) messages. He also prevents the reader from being updated by blocking the fourth message. The adversary masquerades as the tag Ti and starts a new session with the reader. He sends IDSi as a response to the reader's query. After finding IDS i in database, the reader replies with IDi†Gn. The adversary has (Gn+1 †Kn, Gn+2† ʅ୬ ) and sends these values to the reader as the fourth message. As soon as the reader receives (Gn+1†Kn, Gn+2† ʅ୬ ), it extracts Gn+1 from Gn+1†Kn and compares it with its stored Gn+1. Since they are the same, the reader authenticates the adversary and updates its secret values.

3.3. Reader Impersonation Now, we address another weakness in the Kulseng scheme. In this protocol there is a weak and unsecure condition to reader authentication, inasmuch as a reader is authenticated just by ID † Gn which is transmitted publicly. As ID † Gn does not include any random and fresh value, it can be replayed by an adversary to impersonate a legitimate reader. Furthermore, a tag updates its secret values before the reader updating and it can result a desynchronization problem. The authors have added a property to their scheme to preserve its synchronization. They have modified their protocol in a way that the reader computes IDS new and the tag also stores Gn-1 in the round n. However, these changes are not enough to preserve synchronization of tag and reader in their scheme. We show that how an adversary exploits these weaknesses: 1. At the beginning of the nth session between the tag Ti and the reader R, they have (IDSi1, IDi, Gn-1, Gn) and (IDSi1, IDi, Gn, Gn+1) respectively. 2. The adversary eavesdrops on this session and reserves IDi † Gn .Then he blocks the fourth message and prevents the reader from being updated, whereas Ti updates its secret values to (IDSi2, IDi, Gn, Gn+1). 3. The adversary masquerades as the reader and sends Request to Ti and Ti responds with IDSi2. The adversary replies with IDi †Gn. 4. Receiving IDi †Gn, firstly Ti checks the received value with ID † ൅ͳ and since they are not the same, it checks with ID †Gn and finds matching. So Ti authenticates the adversary and updates its secret values to (IDSi3, IDi, Gn+1, Gn+2) whereas the reader has (IDSi1, IDi, Gn, Gn+1). 5. At the next session, when Ti wants to authenticate itself to the reader, it sends IDSi3 to the reader, but the reader has IDSi1 and it just computes IDSi2. Therefore, the reader rejects Ti and they have no way to resynchronize.

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

71

4. Untraceable Privacy Model Although some privacy models have been proposed to evaluate RFID protocols [33, 34, 35, 36, 37], the general untraceable privacy (UPriv) model is described in this paper that proposed by Ouafi and Phan [34], cited model is based on [35] and [33] proposed by Juels-Weis and Lim-Kwon. In Ouafi and Phan model, protocol parties are tags (T) and readers (R) which interact in protocol sessions [34]. In this model an adversary A controls the communication channel between all parties by interacting either passively or actively with them. The adversary A is allowed to run the following queries: ─ Execute (R, T, i ) query. This query models the passive attacks. The adversary A eavesdrops on the communication channel between T and R and gets read access to the exchanged messages between the parties in session i of a truthful protocol execution. ─ Send (U, V, m, i) query. This query models active attacks by allowing the adversary A to impersonate some reader U ‫ א‬R (respectively tag V ‫ א‬T ) in some protocol session i and send a message m of its choice to an instance of some tag V ‫ א‬T (respectively reader U ‫ א‬R ). Furthermore the adversary A is allowed to block or alert the message m that is sent from U to V (respectively V to U) in session i of a truthful protocol execution. ─ Corrupt (T, ‫ ܭ‬ᇱ ) query. This query allows the adversary A to learn the stored secret  of the tag T ‫א‬T, and which further sets the stored secret to ‫ ܭ‬ᇱ . Corrupt query means that the adversary has physical access to the tag, i.e., the adversary can read and tamper with the tag’s permanent memory. x Test (i, To, T1) query. This query does not correspond to any of A’s abilities, but it is necessary to define the untraceability test. When this query is invoked for session i, a random bit b ‫{א‬0, 1} is generated and then, A is given Tb ‫{ א‬To, T1). Informally, A wins if he can guess the bit b. Untraceable privacy (UPriv) is defined using the game g played between an adversary A and a collection of the reader and the tag instances. The game g is divided into three following phases: Learning phase: A is given tags To and T1 randomly and he is able to send any Execute, Send and Corrupt queries of its choice to T0, T1 and reader. Challenge phase: A chooses two fresh tags T0, T1 to be tested and sends a Test (i, To, T1) query. Depending on a randomly chosen bit b ‫{ א‬0, 1}, A is given a tag Tb from the set {T0, T1 }.A continues making any Execute, and Send queries at will. Guess phase: finally, A terminates the game g and outputs a bit b' ‫{א‬0, 1}, which is its guess of the value of b. The success of A in winning game g and thus breaking the notion of UPriv is quantified in terms A advantage in distinguishing whether A received T0 or T1 and denoted by ‫ܞܑܚ۾܃ܞ܌ۯ‬ (k) where k is the security parameter. ‫ۯ‬ ଵ

(k) =| pr (b = ܾ ʅ ሻ – pr (random flip coin) |= | pr (b' = b) - | ‫ܞܑܚ۾܃ܞ܌ۯ‬ ‫ۯ‬ ଶ

72

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

The notions of backward and forward untraceability are defined as: " backward untraceability states that even if given all the internal states of a target tag at time t, the adversary shouldn't be able to identify the target tag's interactions that occur at time t' < t. " and " forward untraceability can be similarly defined as requiring that knowledge of a tag’s internal state at time t should not help identify the tag's interaction that occurred at time t' > t " [33]. Now, we will show how the KYWG protocol is vulnerable to traceability attacks.

4.1. Attack on Untraceability An authentication protocol for RFID systems should assure the privacy of a tag and its holder. However, many RFID protocols put it at risk by designing protocols where tags answer readers' queries with permanent values, thus performing traceability attacks not only possible but trivial. Now, we show how the KYWG does not guarantee privacy location, thus allowing tags tracking. Learning phase: The adversary chooses tag T0 randomly. The stored secrets on T0 in the round n are: (IDS0, ID0, G0n-1, G0n). IDS0 and ID0 stand for IDS and ID ଴ stored on the tag T0 in the round n. ୬ିଵ and ୬଴ stand for ୬ିଵ and ୬ related to the tag T0 in the round n. A sends an Execute (R, T0, n) query and obtains IDS0 and ID0۩ ୬଴ . Challenge phase: A chooses two fresh tagsT0, T1 to be tested and sends a Test (n, To, T1) query. Depending on a randomly chosen bit b ‫{ א‬0, 1}, A is given a tag Tb from the set {T0, T1}. A makes an Execute (R, Tb, n) query and as a result, A is given messages IDS0 and IDb۩ ୬ୠ Guess phase: finally, A terminates the game g and outputs a bit b' ‫{א‬0, 1} as its guess of the value of b. In particular, A utilizes the following simple decision rule: The first method: ௕ ଴ ᇱ b' =൜‹ˆ ܵ ൌ ܵ ܾ ᇱ ൌ Ͳ
‘–Š‡”™‹•‡ܾ ൌ ͳ

The second method: „ ୠ ଴ ଴ ᇱ b' =൜‹ˆ  ۩ ୬  ൌ   ۩ ୬ ܾ ᇱ ൌ Ͳ


‘–Š‡”™‹•‡ܾ ൌ ͳ

In both cases the adversary gains the maximum advantage: ଵ

ଵ

ଵ

ଶ

ଶ

ଶ

(k) = | pr (b' = b) – pr (random flip coin) | = | pr (b' = b) - | =ȁͳȂ ȁ ൌ  . ‫ܞ܌ۯ‬୙୔୰୧୴ ୅

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

73

4.2. Attack on Backward Untraceability In this section we will show how to break the notion backward untraceability in the KYWG protocol. Note that EP‫ܥ‬௦ is permanent in the all rounds of SRP and an adversary can exploit this weakness to track a target tag. In particular, consider an adversary A performing the following steps: Learning phase: A sends a Corrupt (T0,  ᇱ ) query at time t1 and thus obtains ଴ ǡ ୬଴ ሻ. ሺ ଵ଴ ǡ ଵ଴ ǡ ୬ିଵ Challenge phase: A chooses two fresh tags T0, T1 to be tested and sends a Test (n, To, T1) query. Depending on a randomly chosen bit b ‫{ א‬0, 1}, A is given a tag Tb from the set {T0, T1}. A makes an Execute (R, Tb, n-1) query at time t0 < t1 in ୠ . A makes the round (n-1) and as a result, A is given messages ଴ୠ and ୠ଴ ۩ ୬ିଵ ୠ another Execute (R, Tb, n-2) query at time t-1 < t0 in the round (n-2) and gets ିଵ . Guess phase: finally, A terminates the game g and outputs a bit b' ‫{א‬0, 1} as its guess of the value of b. In this phase, the adversary works as follows: ୠ ୠ ଴ ᇱ b' =൜݂݅ ଴ ൌ ሺ ିଵ ۩ ୬ିଵ ሻܾ ᇱ ൌ Ͳ
‫ ܾ݁ݏ݅ݓݎ݄݁ݐ݋‬ൌ ͳ

The advantage of the adversary is: ଵ

ଵ

ଵ

ଶ

ଶ

ଶ

(k) = | pr (b' = b) – pr (random flip coin) | = | pr (b' = b) - | =ȁͳȂ ȁ ൌ  . ‫ܞ܌ۯ‬୙୔୰୧୴ ୅ ୠ from the Proof: The adversary has ଵ଴ from the Learning phase and ୠ଴ ۩ ୬ିଵ ଴ ଴ Challenge phase. Since ID is not updated we have ଵ = ଴ . Now, let Tb = T0, then ୠ ଴ ଴ we have ୠ଴ ۩ ୬ିଵ = ଴଴ ۩ ୬ିଵ . If Tb = T0, then the adversary computes ୬ିଵ as: ୠ ଴ ଴ )۩ ଴଴ = ( ଴଴ ۩ ୬ିଵ )۩ ଴଴ = ୬ିଵ ( ୠ଴ ۩ ୬ିଵ ୠ ଴ = ିଵ from the Challenge phase, so he computes The adversary has ିଵ ᇱ ଴ ଴ ൌ ሺ ିଵ ۩ ୬ିଵ ) =  The adversary does the above calculations, if Tb = T0, then his calculations will be correct and the computed  ᇱ will be equal to ଴଴ . He also has ଴ୠ from the Challenge phase. So if ଴ୠ =  ᇱ he outputs ܾ ᇱ =0, otherwise he outputs ܾ ᇱ =1.

଴଴

4.3. Attack on Forward Untraceability Now, we explain the vulnerability of the Kulseng scheme to forward untraceability. Learning phase: A sends a Corrupt (T0,  ᇱ ) query at time t1 in the round n and ଴ ǡ ୬଴ ሻ. A lets T0 and R perform a session at time t2>t1 and he is given ሺ ଵ଴ ǡ ଵ଴ ǡ ୬ିଵ

74

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

଴ ଴ ଴ update their secrets to ሺ ଶ଴ ǡ ଴ଶ ǡ ୬଴ ǡ ୬ାଵ ሻ and ሺ ଶ଴ ǡ ଴ଶ ǡ ୬ାଵ ǡ ୬ାଶ ሻ respectively ଴ ଴ ଴ where ଶ ൌ ሺ ଵ ۩ ୬ାଵ ሻ.

Challenge phase: A chooses two fresh tags T0, T1 to be tested and sends a Test (n, To, T1) query. Firstly, T0 and R perform a perfect session at the absence of the ଴ ଴ adversary at time t3>t2 and T0 updates its secrets to ሺ ଷ଴ ǡ ଴ଷ ǡ ୬ାଵ ǡ ୬ାଶ ሻ. Then, depending on a randomly chosen bit b ‫{ א‬0, 1}, A is given a tag Tb from the set {T0, T1}. A makes an Execute (R, Tb, n+3) query at time t4 > t3 and gets ୠ . A makes another Execute (R, Tb, n+4) query at time t5 > t4 ଷୠ and ୠଷ ۩ ୬ାଶ ୠ ୠ . and obtains ସ and ୠସ ۩ ୬ାଷ Guess phase: finally, A terminates the game g and outputs a bit b' ‫{א‬0, 1} as its guess of the value of b. In particular, A utilizes the following simple decision rule: ୠ ୠ ୠ ୠ ଴ ᇱ b' =൜‹ˆ ସ  ൌ ሺ ଷ ۩ሺ ସ ۩ ୬ାଷ ۩ ଵ ሻሻܾ ᇱ ൌ Ͳ
‘–Š‡”™‹•‡ܾ ൌ ͳ

Hence we have: ଵ

ଵ

ଵ

ଶ

ଶ

ଶ

(k) = | pr (b' = b) – pr (random flip coin) | = | pr (b' = b) - |= |1 - | = ‫ߝ ب‬ ‫ܞܑܚ۾܃ܞ܌ۯ‬ ‫ۯ‬ ୠ ଴ = ଴ସ ۩ ୬ାଷ and ଷୠ = ଷ଴ . Since ID is not Proof: Let Tb= T0, then ୠସ ۩ ୬ାଷ ଴ ଴ ଴ updated, we have ସ = ଵ , therefore the adversary computes ୬ାଷ as ଴ ଴ ଴ ଴ ଴ ଴ ሺ ସ ۩ ୬ାଷ ሻ۩ ସ = ୬ାଷ . Having ୬ାଷ and ଷ , the adversary computes ସ଴ as ଴ ሻ=  ᇱ . ସ଴ ൌ ሺ ଷ଴ ۩ ୬ାଷ The adversary does the above calculations, if Tb = T0, then his calculations will be correct and the computed  ᇱ will be equal to ସ଴ . Now, If ସୠ = ᇱ , he outputs ܾ ᇱ =0 and otherwise he outputs ܾ ᇱ =1.

5. Our Proposed Protocol: HGA Protocol We showed the KYWG protocol suffers from several weaknesses and it is vulnerable to many attacks. In order to terminate these problems, we perform fundamental changes in the Kulseng scheme and propose our secure protocol namely HGA protocol. Firstly, the security flaws in the KYWG protocol are explained and then, the necessary changes are proposed. 5.1. Weaknesses Weakness 1. In the Kulseng scheme, the tag authentication is based on the value Gn+1 = P(Gn) whereas the reader have no way to compute Gn+1 by itself and as a result, it has to accept any value transmitted by other party. This weakness leads to desynchronization attack.

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

75

Fix the weakness 1. In order to terminate this fault, we omit the P function and replace it with a pseudo random number generator (PRNG) which can be computed via two parties. Weakness 2. All messages exchanged during an execution of the KYWG protocol do not include any random and fresh value, so the protocol is vulnerable to replay and traceability attacks. Fix the weakness 2. In order to remove the mentioned problem, we construct the messages in the HGA protocol with the help of random values. Remark. Two functions P and F are implemented on each tag in the Kulseng protocol which implies the additional storage costs. In order to reduce the storage requirements, we omit the F function and replace the P function with a PRNG.

5.2. HGA Protocol Now we explain our proposed protocol in details: Set up phase: Each tag is preloaded with a tuple of three secrets (G, IDS, ID) and the reader keeps (Gold, IDSold, IDold, Gnew, IDSnew, IDnew) for each tag. Besides, both parties share a pseudo random number generator (PRNG) to produce n-bit random strings (n =16 or 32). Authentication phase: The authentication phase of the HGA protocol is depicted in Fig. 2. The interactions between a tag and the reader are described as follows. 1. The reader generates a random number NR and then sends it with a Request to the tag. 2. After receiving NR and the Request, the tag generates a random number NT and computes M1=PRNG (G۩IDS۩NR۩NT) and then sends M1ԡNT as response to the reader. 3.

4.

Receiving M1ԡNT, the reader computes M’1=PRNG (GX۩IDSX۩NR۩NT) for each tag (X = old or new) and compares it with the received M1. Upon finding a match, the tag is authenticated. After that, the reader computes M2=PRNG (IDX۩IDSX۩NT) and sends it to the reader. The reader updates its secrets as following: If X=new: Gold=Gnew, IDold=IDnew, IDSold=IDSnew,

Gnew=PRNG (GX۩IDSX) IDnew=PRNG (IDX۩IDSX) IDSnew=PRNG(IDSx۩NR۩NT)

If X=old: IDSnew=PRNG(IDSold۩NR۩NT) 5.

Receiving M2, the tag computes M’2=PRNG (ID۩IDS۩ and compares it with the received M2. If they are the same, the tag authenticates the reader and updates its secrets as following:

76

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

G=PRNG (G۩IDS) ID=PRNG (ID۩IDS) IDS=PRNG (IDS۩NR۩NT) 5.3. Security Evaluation We now analyze the security of the proposed protocol as following. Desynchronization attack. The messages of the HGA protocol have been designed in a way that any manipulation in them can be discovered easily and an adversary cannot cause to desynchronize parties via message manipulation. In addition, due to a twofold updating process in our protocol, if an adversary blocks the third message, not only the reader recognizes the tag in the next session, but also they resynchronize themselves in future. Replay attack. In the HGA protocol, two messages M 1 and M2 include random and fresh numbers NR and NT, hence an adversary cannot replay and reuse these messages in future. Tracing attacks. Due to the messages M1 and M2 include IDS and NT and they are different in each session, hence our protocol guarantees the untraceability, forward untraceability and backward untraceability. Forward security. In the HGA protocol the new secret values are produced via a PRNG, so if a tag is compromised in a situation, the security of the previous secret values is guaranteed.

Figure 2. The HGA protocol

77

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

6. Conclusion In this paper, the significant security flaws in the Kulseng et al. mutual authentication protocol were showed. Not only the reader impersonation and the desynchronization attack emphasize some defects of the cited scheme but also the replay attack has been applied to impersonate a legitimate tag. Besides, we proved via formal privacy model this protocol does not have untraceability, forward untraceability and backward untraceability attributes. Finally, we propose our secure protocol to eliminate the mentioned problems. The proposed protocol has the significant benefits in security and efficiency capabilities than the Kulseng protocol. In Table 2, we examine the performance of our protocol in terms of storage space, computational cost and communication cost, and compare it with the Kulseng scheme.

Acknowledgment This work is supported by the Education & Research Institute for ICT, Tehran, Iran.

Table 2. Performance comparison between KYWG and HGA protocols Computational cost (Tag)

Computational cost (Reader)

Communication rounds

Storage cost (Tag)

Storage cost (Reader)

Kulseng protocol (KYWG)

2P+3F

3F

4

4L+P+F

4L+F

Our protocol (HGA)

4PRNG

4PRNG

3

3L+PRNG

6L+PRNG

Protocol

P: P function, F: F function, PRNG: Pseudo Random Number Generator

References [1] Kulseng, L., Yu, Z., Wei, Y., and Guan, Y.: Lightweight mutual authentication and ownership transfer for RFID Systems. In Proceedings of IEEE INFOCOM 2010, 1-5, CA, March (2010). [2] Carluccio, D., Lemke-Rust, K., Paar, C., and Sadeghi, A.-R.: E-Passport: The global traceability or how to feel likean UPS package. In J. K. Lee, O. Yi, and M. Yung (eds) Proc. WISA 2007, Lecture Notes in Computer Science,Vol.4298 (Springer, Berlin), 2007, 391–404

78

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

[3] Brown, S. A.: Revolution at the checkout Counter: The explosion of the bar code. Wertheim Publications in Industrial Relations, Harvard University Press, Cambridge, MA, 1997. [4] Australia, E.-C.: Access control, sensor control, and transponders. At: http://www.rfid.com.au/rfid uhf.htm, 2008. [5] Thales e-Security,: Smart cards for payment systems. Available online via www.thales–esecurity.com/whitepapers/documents/smart-cards-for-payment-systems. pdf.2006. [6] Kitsos, P., and Zhang Y.,(eds): RFID Security- Techniques, protocols and systemon-chip design. Springer Science + Business Media, 2008. [7] Van Deursen, T., and Radomirovic, S.: Attacks on RFID protocols. Cryptology ePrint Archive, Report 2008/310, 2008.. [8] Gilbert, H., Robshaw, M., Sibert, H.: An active attack against HB+ - A provably secure lightweight authentication protocol. Cryptology ePrint Archive, http://eprint. iacr.org/2005/ 23. pdf [9] Phan, R. C.-W., Wu, J., Ouafi, K., and Stinson, D. R.: Privacy analysis of forward and backward untraceable RFID authentication schemes. Wireless PersCommun, LLC, Springer Science+Business Media, April, 2010, DOI 10.1007/ s11277-0100001-0. [10] Ouafi, K., and Phan, R.C.-W.: Traceable privacy of recent provably-secure RFID protocols”, Proc. Sixth Int’l Conf. Applied Cryptography and Network Security (ACNS ’08), pp. 479-489, 2008. [11] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez- Tapiador, J. M., and Ribagorda, A.: Vulnerability analysis of RFID protocols for tag ownership transfer”, Computer Networks 54 (2010) 1502–1508. [12] Chien, H., Chen, C.: Mutual Authentication Protocol for RFID Conforming to EPC Class-1 Generation-2 Standards. Computer Standards & Interfaces, 29 (2007) 254–259 [13] Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M, and Ribagorda, A.: LMAP: A real lightweight mutual authentication protocol for low-cost RFID tags. In: Proceedings of the 2nd Workshop on RFID Security, July 2006. [14] Fu, J., Wu, C., Chen, X., Fan, R., and Ping, L.: Scalable pseudo random RFID private mutual authentication. 2nd IEEE International Conference on Computer Engineering and Technology (ICCET). V. 7, pp. 497-500, China, 2010. [15] Chien, H. Y., and Chen, C.H.: Mutual authentication protocol for RFID conforming to EPC class 1 generation 2 standards. Computer Standards & Interfaces, 29(2), 254–259, 2007. doi:10.1016/j.csi.2006.04.004. [16] Gu, Y., Wu, W.: Mutual authentication protocol based on tag ID number updating for low-cost RFID. In Proceedings of the first IEEE International Conference on Network Infrastructure and Digital Content( IC-NIDC2009), pp. 548551, 2009. [17] Duc, D.N., Park, J., Lee, H., and Kwangjo, K.: Enhancing security of epcglobal Gen-2 RFID tag against traceability and cloning. In Proc. of Symposium on Cryptography and Information Security, 2006. [18] Vajda, I., and Buttyán, L.: Lightweight authentication protocols for low-cost RFID tags. In Proc. of UBICOMP’03, 2003.

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

79

[19] Song, B., and Mitchell, C. J.: RFID authentication protocol for low-cost tags. In Wisec 2008, pages 140-147. [20] Chien, H. Y.: SASI: A new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Transactions on Dependable and Secure Computing, 4(4):337–340, 2007. [21] Phan, R. C.-W.: Cryptanalysis of a New Ultra lightweight RFID Authentication Protocol –SASI. IEEE Transactions on Dependable and Secure Computing, vol. 6, no. 4, pp. 316-320, Oct-Dec 2009. [22] Habibi, M. H., Gardeshi, M., Alagheband, M. R.: Cryptanalysis of a mutual authentication protocol for low-cost RFID. In proceedings of IEEE International Conference on Intelligent Information Networks (ICIIN 2011), UAE, 2011. [23] Van Deursen, T., Radomirovi´c, S.: Security of RFID protocols – A case study. Electronic Notes in Theoretical Computer Science 244 (2009) 41–52. [24] Habibi, M. H., Gardeshi, M., Alagheband, M. R.: Cryptanalysis of two mutual authentication protocols for low-cost RFID. International Journal of Distributed and Parallel systems, Volume 2, Number 1, pp. 103-114. [25] Chien, H. Y., and Huang, C. W.: Security of ultralightweight RFID authentication protocols and its improvements. ACM Operating System Reviews, 41(Issue 4), 83–86, 2007. [26] Avoine, G., Carpent, X., and Martin, B.: Strong Authentication and Strong Integrity (SASI) is not that Strong. In Hand. of RFIDSec’10, 2010. [27] Habibi, M. H., Gardeshi, M., Alagheband, M. R.: Practical attacks on a RFID authentication protocol conforming to EPC C-1 G-2 standard. International Journal of UbiComp, Volume 2, Number 1, pp. 1-13. [28] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez- Tapiador, J. M., and van der Lubbe, J. C. A.: Security flaws in a recent ultralightweight RFID protocol. In Workshop on RFID Security (RFIDSec Asia’10), Volume 4 of Cryptology and Information Security Series, pages 83-93. IOS Press, 2010. [29] Alomair, B., Lazos, L., and Poovendran, R.: Passive attacks on a class of authentication protocols for RFID. K.-H. Nam and G. Rhee (Eds.): ICISC 2007, LNCS 4817, pp. 102–115, 2007. [30] Juels, A.: Minimalist cryptography for low-cost RFID tags. In Proc. of SCN’04, volume 3352 of LNCS, pp. 149–164, Springer-Verlag, 2004. [31] Peris-Lopez, P., Li, T., Lim, T.-L., Hernandez-Castro, J. C., Estevez- Tapiador, J. M., and Ribagorda, A.: Cryptanalysis of a novel authentication protocol conforming to EPC-C-1 G-2 standard. Computer Standards & Interfaces, Elsevier Science Publishers, doi:10.1016/j.csi. 2008.05.012, 2008. [32] Suh, G.E., Gassend, B., Clarke, D., van Dijk, M., Lee, J.W., Lim, D., and Devadas, S.: Physical unclonable functions for device authentication and secret key generation. In Proceedings of DESIGN AUTOMATION CONFERENCE ( DAC 2007) (2007) 9–1

[33] Lim, C.H., and Kwon, T.: Strong and robust RFID authentication enabling perfect ownership transfer. In Proceedings of ICICS ’06, LNCS 4307 (2006) 1–20 [34] Ouafi, K., and Phan, R.C.-W.: Privacy of recent RFID authentication protocols. L. Chen, Y. Mu, and W. Susilo (Eds.): ISPEC 2008, LNCS 4991, pp. 263–277, 2008. [35] Juels, A., and Weis, S.A.: Defining strong privacy for RFID. In Proceedings of PerCom ’07 (2007) 342–347, http://eprint.iacr.org/2006/137

80

M.H. Habibi et al. / Attacks and Improvements to a New RFID Authentication Protocol

[36] Avoine, G.: Adversarial model for radio frequency identification. Cryptology ePrint Archive, report 2005/049. http://eprint.iacr.org/2005/049 [37] Vaudenay, S.: On Privacy Models for RFID. K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 68–87, 2007.

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-722-2-81

81

RFID Electronic Visa with Personalized Verification1 ´ ´ Mirosław KUTYŁOWSKI, Przemysław BŁASKIEWICZ, Jacek CICHON, Krzysztof MAJCHER Wrocław University of Technology, Poland Abstract. The paper presents a new approach for systems with electronic identification documents equipped with simple RFID tags. We assume that document verification is performed offline, but the number of document verifiers as well as the number of documents is controlled by the document issuer. The primary application in mind are visas on a paper sticker with an inbuilt RFID circuit. We also aim to provide simple solutions based on paper stickers with simple RFID for club cards, customer ID cards, public transportation multi-usage tickets, soccer game tickets, etc.. With this application in mind, we consider a model in which document verifier may leak all verification information to a third party. This must not lead to possibility of forging RFID identification documents. Moreover, verification process should support privacy and provide no transferable proof of presence of a given person at a given place and time. Designing a system with such properties is possible with asymmetric cryptography implemented in identity documents. In contrast, we present a lightweight solution, such that the document is hard to clone without physical access, verification can be performed by entitled agents only and without online contact to a central database. Despite this high functionality, the hardware requirements for RFID circuit remain relatively low. Keywords. RFID, electronic travel document, e-visa, personalized verification, symmetric cryptography

1. Introduction One of perspective application areas for RFID tags are broadly understood identification documents and a growing number of such solutions is deployed. Majority of them do not bind a person with some identification data; instead, they bind certain attributes and rights with the document’s holder. There is a diversity of documents: ranging from relatively advanced ones such as biometric passports, to simple artefacts such as public transportation tickets valid for a certain period of time and for a single person. In the latter case, price overhead and physical limitations due to usage of RFID tag are critical issues. Some high-end solutions have been developed for official personal identity cards issued by public authorities. A good example are new personal ID cards in Germany (Per1 This research has been supported by Polish Ministry of Science and Higher Education, project N N206 2573 35, and by Foundation for Polish Science, “Mistrz” Programme

82

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

sonalausweis) – they are equipped with asymmetric cryptography and a careful choice of protocols enables very reliable authentication and privacy protection at the same time. Analogous solutions can be used for corporate ID cards - enabling access control and authentication in IT systems. Another high-end example are biometric passports complying to the rules of ICAO. The solutions mentioned above cannot be used in all application areas due to the following reasons: • the cost of the chip might be too high, • the chip is relatively thick and requires protecting cover in order to prevent physical damage and access to memory storing private cryptographic material, • assuring security of the chip involves high certification costs. On the other hand, securing documents electronically becomes more and more important. Even if there are remarkable advances in secure printing technologies, similar progress is visible in forging methods. Techniques such as holograms have strong points as well as some weaknesses — in particular, much trust must be put on integrity of hologram manufacturers. RFID technology should offer additional possibilities for inspection of ID documents. Among possible advantages it can provide, two remain most important: • easiness of processing, • possibility of securing data in a document with cryptographic means. However, it turns out that designing lightweight cryptographic algorithms suitable for simple RFID tags is a challenging problem. The major issues are: resilience against cloning: because tag and reader communicate in an open channel, i.e. over radio, it is hard to prevent eavesdropping and, consequently, cryptanalysis based on information exchanged between them and leading to disclosure of the secrets of the RFID tag; privacy issues: an RFID tag (and therefore its holder) can potentially be easily traced when a number of readers initiate communication with it at different locations and then these traces are correlated; strength of authentication: a standard security level normally attributed to typical cryptographic products is not attainable by relatively simple tags. So far, design of lightweight cryptographic protocols for RFID chips followed more or less the same scenario as for powerful cryptographic smart cards. The researchers focused on redesigning cryptographic algorithms and reducing their computational complexity. At the same time, other assumptions relating to the entire system, where the tags are only one part of, have not changed much. As a result, it gets more and more difficult to design still more efficient solutions, since the hardware constraints remain more or less the same, and any progress in this respect requires more effort. 1.1. Electronic Visa 1.1.1. Current e-visa procedures. Today, the term electronic visa is used often for visa application procedures performed online. Apart from filling in an application form the rest of the procedure is performed in

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

83

a traditional way. However, in some countries (Vietnam, Cambodia, Bahrain) the electronic visa can be issued and stored in the system of the issuer. When a traveller crosses the border, then it is checked if the visa is stored in the central system. This procedure has been adopted in order to speed up visa processing, but in order to take full advantage of it, one needs to cross the border at places where connection to the central database is available and visa status can be instantly verified. This resembles e-ticketing functionality adopted by airlines. Inspection scenario in Schengen Treaty countries of the European Union is much different than in the countries mentioned above. There is a large number of entry points, there is no control on inner borders, but instead there is more control inside the countries. In such a scenario we encounter usability problems concerning communication to the central database – while it is relatively easy to build fast communication lines from a few fixed control points, it becomes a challenging problem when control is distributed and control points are often mobile. Within the Biodev project, Gemplus company designed a solution based on contactless chips storing visa information. The proposed solution concerned a visa on a plastic card to be used together with a travel document or as a sticker to be inserted in the visa holder’s passport. In principle, it can be treated as issuing electronic ID-cards for visa holders. The solution entered testing phase in France. 1.2. Design goals From this description the following picture emerges. The planned system should allow an easy, almost automated verification against a database of some identifiers carried on an RFID. The database of visa holders might be quite large (for example, the number of visas issued by the Japanese government in 2009 was almost 1.4 billion [9], which can give an estimate of the number of visas valid in a given day). The database should not be made accessible, even partially, to the public nor to the verifiers. The reasons are multiple, the main one being public security: data stored in the database may be particularly useful for all kind of illegal activities, including terrorism. Due to scalability problems and processing speed, the solution should be based on offline inspection. Therefore, a sufficient fraction of information must be preprocessed on daily basis and uploaded to verifying devices. However, such dissemination of sensitive data is risky by nature. The personnel performing document verification should be trustworthy and must not be able to leak this information to outsiders. This in turn requires numerous security procedures which are costly and not always effective. Therefore we assume that information available for offline verification: • should not give advantage for the verifier to generate fake identifiers that would also be accepted with high probability, • collusion of many verifiers must not give such possibility either. As verification is performed in a wireless way and RFID devices might be too weak to perform any strong encryption, we have to assume that no third-party may gain significant advantage by overhearing the communication between the e-visa and the verifier. On the other hand, as long as the secret stored in a visa cannot be used by other passport holders, there is no need for tamper-proof solutions for storing sensitive data. We note that slight false-positive rates are admissible, say at the level of ≤ 1%. This

84

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

means that a forged e-visa might be accepted with probability not higher than 0.01. Falsepositive rate equal to zero is not really necessary, as a person attempting to cross a border would not risk to be arrested with probability higher than 0.99. There are strong arguments for using the RFID technology. First, the tags can be easily attached to paper documents (e.g. passports) and present exactly the same properties as visa stickers that are commonly used today (printed data, stamp placed both on the sticker and the document that assures integrity, etc.) Apart from the cases of joint border control by a group of countries (like Schengen treaty countries), the system might be run by a single authority, and therefore no large scale international cooperation is necessary. (Even in case of Schengen countries, the number of parties involved is limited and cooperation is one of the conditions to enter the treaty.) Therefore, a central system administration over e-visas is realistic from practical point of view. The situation is somewhat different from biometric passports, where international coordination is necessary even between countries with no diplomatic relations or even between hostile countries. This can be achieved only on the level of protocol specification and minimal dependence on data not stored in a passport. On the other hand, RFID technology imposes specific constraints. The tags cannot be expected to perform strong cryptographic computations; also the tag on its own is relatively easy to duplicate/imitate. Of course, with cryptographic smart cards designed for personal ID cards we do not have these problems, but they cannot be accepted when economical factors are taken into consideration (or, simply, are too thick to be placed in passports with many visas). As for the devices used by the verifiers we can assume that they have relatively large memory and are far more computationally effective. However, in order to assure quick and efficient service, a small number of effective operations must be assured. 2. Previous work Literature on electronic documents, and specifically on electronic (biometric) passports is abundant and has numerous origins. A computer-scientific overview is presented in [1]: both the problems and technology applied for biometric passports are described. A more political twist on those aspects provides [2], an in-depth analysis of the process of introducing biometric passport by the US government. The impact of pervasive RFID identification systems on people (users/subjects) and systems (providers) is discussed in [11]. Interestingly, the authors report that at the moment (i.e. year 2007) RFID technology is perceived merely as substitute for electronic key or wallet, but this approach is likely to change into somewhat more pervasive systems allowing a more exact inspection of users’ behavior, collecting more detailed data on human flow etc. Also, a number of challenges to safeguard users’ privacy is set forth by the authors, such as clearly defined responsibility for handling the data and transparent methods of its acquisition. Paper [8] is an exhaustive study of privacy and security implications that are present in RFID-enabled e-passport systems. It is particularly valuable as it discusses in detail the ICAO’s directives for standard of international passports [7]. Juels et al. identify a number of threats and provide a list of countermeasures that could alleviate the problem. Notably, among them is the concept we utilize in our work: a bit-entropy source, with the difference that our solution far extends the one mentioned in the paper.

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

85

On the other hand, the authors of [3] focus on one single problem of such systems. With German e-passports as an example, Carluccio et al. discuss the privacy threats that arise from the fact that passports respond with a unique identifier. Two feasible attacks are presented, one aimed at cryptanalysis of the authorization key used between the verifier and the passport, the other utilizing fine-tuned eavesdropping. Similar critique can be found in [6], where the authors scrutinize the Dutch version of the electronic passport. At the same time, detailed description of extensions that EC introduced to ICAO’s directives with the aim of extending security and privacy is discussed.

3. Design Paradigms We propose to change main design paradigms for RFID chips and lightweight cryptography. In a traditional setting, we usually attempt to minimize the key length. The reason is that it strongly influences computational complexity of classical cryptographic algorithms. In some cases it is also important to keep the key size reasonably short due to convenience of users. A good example are random 128-bit keys for WLAN: inputting such keys is regarded by most users as very tedious. On the other hand, rapid technological advance in the field of non-volatile memories may force us to rethink some of the previous assumptions. It seems that large key size is no longer a problem, except for the case when it has to be copied manually (which is not the case in any thinkable e-visa scenario). Of course, the cryptographic algorithms used must have complexity sub-linear in the key size. Last not least, we have to keep in mind that the key length does not directly define hardware cost. What really counts in our application scenario is the cost of the circuitry implementing the memory for key storage. Technologies such as PROM memories might have a positive impact here. The second issue is information-theoretic security. In a classical scenario, when the key has length n, then a challenge-response protocol returns key dependant data of the length which is of the same order as n. Consequently, an adversary with unlimited computational resources might obtain enough information bits to reconstruct the whole secret key. On the other hand, if the key is long, the number of queries is limited in practice, and each answer returns just a few bits, then collecting information bits becomes hard. Therefore, even an algorithm that is weak in the classical sense might serve well its purpose. Summarizing, our idea is to increase the length of keys so that: • the total length is still affordable for PROM memories, • the authentication algorithm should make use of the whole key or at least an unpredictable majority of its bits, and execute simple operations only, • every response must provide only a limited number of information about key bits, • off-line verification data available for a single verifier should be as limited (in terms of information bits) as possible; data available for one verifier should be useless for another verifier.

86

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

4. System architecture There is a number of different entities in the system we consider. These include algorithms, actors and datasets. We describe the building blocks first, and then proceed to description of the system’s behavior. 4.1. Building blocks 4.1.1. Self-keying lightweight authentication – SKA. In this paper we use an algorithm from an unpublished paper of some of the coauthors. However, instead we could use some other generic solutions, and one of them we describe in the next subsection. This algorithm utilizes a long bit (say n = 2048 bits) string bitSecret written into RFID’s permanent memory. The device takes a challenge of the form: (A0 , mix) : A0 ∈ [0, l − 1], mix ∈ [0, m], where m is a security parameter in the system. Assume reasonably m = 32, so that bit-length of each challenge is 16. Then, SKA performs some predefined number of “jumps” on bitSecret, beginning from position A0 , and using mix as an additional bias. Namely, each next jump position is calculated using log2 (n) bits surrounding the current address and mix (e.g. by XOR’ing with a counter dependent on mix). As an output, SKA returns only one bit of bitSecret, at a position determined by the last jump. The rationale behind this algorithm is to perform a pseudorandom walk on the bitSecret that is sufficiently short to be efficient, but which goes through unpredictable places, so that an adversary cannot focus on breaking only a limited number of bits from the key. Without knowing the whole bitSecret one cannot say, given (A0 , mix), with probability 12 what the response bit is. In the following, let expression b = SKA(c, s) signify “bit b is a result of SKA with challenge c run on secret s”. 4.1.2. Shrinking Generator. An alternative to SKA which fulfills similar specification is, introduced in [5] by Don Coppersmith et al. the Shrinking Generator. As with SKA, the input for shrinking generator (SG) is an integer, and the output is a single bit. SG has two secret keys K1 and K2 , a bit sequence of the length n and two secret linear functions, F1 , F2 : Zn2 → Z2 . The generator uses two LFSRs. The first, LF SR1 , with secrets K1 , F1 , generates a stream of bits, while the second, LF SR2 , with secrets K2 , F2 controls its output. They cooperate in the following way: if the bit of LF SR2 is 1, then the last bit of LF SR1 is the output of the whole generator; if the bit of LF SR2 is 0, then the shrinking generator does not generate an output in this iteration. By a simple combinatorial argument, the behavior of SG is cyclic. It was shown, that for appropriate K and F , the length of that cycle is 2|K| . There are currently no known attacks better than exhaustive search when the feedback polynomials F are secret.

87

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification 1

2

3

TD

bitSecret

ID

AB 12345 AA 23414 CA 94029 FG 42351 AB 91239

4

5

responses

VC

1

2

···

k−1

k

0xAF233. . .94

V54SPGVY AB»PL30

1

0

···

1

1

xs4wqap31

0x4ceA4. . .e6 0x45233. . .bf ··· 0xfa0cc. . .2a

V24SQGGY AA»PL21 V74AWG1Y AA»PL22

0 1

0 1

··· ···

0 0

1 0

a12wc0sag 9c09a2ss1

V84BBGOY DA»PL22

1

1

··· ···

1

1

l7vc2E82A

0x28eb7. . .0b

V94ZAYYY DD»PL30

0

0

···

1

0

m3UEjxM4i

Table 1. Example data table for the system. Columns 1-3 are maintained and stored securely in the issuer’s database. Columns 3-5 are daily updated and transferred to verifier’s machine.

4.1.3. E-visa. Each e-visa is a pair: {ID, bitSecret}. ID is the public unique information about the e-visa (i.e., its serial number). It can be read by any party inspecting the RFID tag. For instance, ID could be a hash value of holder’s name and other plaintext data on the visa. On the other hand, bitSecret is a secret information of the e-visa and it is not accessible directly. Instead, there is a verification procedure that enables entitled parties to check that proper bitSecret is in the e-visa without disclosing it (see below for details). Unlike other authors, we do not assume that bitSecret is short. We rather assume that it is relatively large. As we have already mentioned, the idea is to trade the gates necessary for complicated computations against ROM memory in the RFID chip. For each e-visa, the pair {ID, bitSecret} is also stored in a secure registry of the document issuer. 4.1.4. Verifier. Verifier is a person entitled by the visa issuer to check authenticity of all e-visas issued (or their subset). Each verifier holds a secret, we denote by KA the secret of verifier A. Additionally, verifier A obtains a data set TA that holds information for each of, say, v documents issued. From logical point of view, TA is a database with v entries, each entry keyed by the corresponding e-visa ID. The entry contains also some number k of bits, which are the answers that should be given by the e-visa corresponding to this entry for the challenges issued by the verifiers. The number k will be small. The organization of TA must guarantee that finding an entry A with a given key IDi is fast, as well as the memory overhead of the search structure is low. Any standard data structure with these properties can be applied. In fact, it is not really necessary to assign a distinct verifier in the system for each officer entitled to inspect the travel documents. The same data may be shared by a number of physical verifiers. The point is that the number of different verifiers in the sense of the system must be high enough so that a holder of a forged visa cannot collect data from most of them on (see the cryptanalysis section below). Choice of concrete parameters depends on the situation and risk analysis. 4.1.5. Data in the system. An example of datasets circulating in the described system is presented in Table 1. This paper presents a system that allows verification of a physical token of some sort, that

88

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

uniquely identifies its holder and assures its connection with a dataset stored outside the system. Different data may be necessary in various applications. For e-visa these would be items such as name, date of birth, issue and expiry dates, etc. European Union defines this set for Schengen Visa (see [10]). What is important is that visa is only a witness confirming that the holder is actually listed in the issuer’s database (i.e. has been approved in visa application process). All details about the holder are stored securely and maintained by the issuer in a database. Next, we assume that visa identifier, ID, is publically available. It can be printed on the surface of the visa tag, and RFID tag responds to a reader with this value without special authorization. Similarly, let TD be a publically readable identifier of the document the visa is attached to (e.g., travel document).2 Dataset we described so far can be considered static in that it does not change in the system during visa validity period. Next, we introduce data items that are periodically re-calculated. respBits is a k long bit vector associated with each visa ID calculated for each verifier with key K by Algorithm 1. Note that respBits is bound to a specific date; hence the output of Algorithm 1 can be considered time-stamped. Algorithm 1 genRespBits(): generating respBits for visa ID respBits ← [ ] d ← valid-for date K ← verifier secret key for all i ∈ [1, . . . , k] do c ← genChallenge(K, i, ID, d) b ← SKA(c, bitSecret) respBits[n] = b end for return respBits The function genChallenge(·) should be a pseudorandom bijection secure in a cryptographic sense. Lastly, we introduce the validity code V C that binds logical information (i.e. respBits and K) with physically inspectable information (visa ID and TD). It is calculated so that it is possible to compute: TD∗ = h(K, respBits, ID, V C), for some function h(·), where TD∗ is a subset of information that TD holds. For example, TD∗ might yield few pre-specified digits from a passport identification number. 4.2. System behavior Previous section introduced two actors in the system: the holder and the verifier. The former carries a visa that is a proof of his presence in the issuer’s database, while the latter is in possession of data that can be used to verify that proof. In what follows, we describe interactions between these two as well as data flow between the verifier and the issuer. 2 One can claim that in this point we enable tracing passport holders by tracing e-visas. However, we introduce no additional privacy risk, as this problem already exists for electronic passports.

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

89

4.2.1. Generating the tables. The issuer wants to enable each single verifier to verify all visas that have been issued and are valid at a given moment in time. In order to do that, he prepares a dataset, TA , according to Algorithm 2. The dataset provides all information required for authentication on the one hand, but is small enough to handle effectively on the other. Algorithm 2 genDataTable(): generating TA for verifier with key K w=0 TA ← [ ] for all visas do TA [w][ ID ] ← ID; TA [w][ responses ] ← genRespBits(); TA [w][ V C  ] ← h−1 (K, TA ( responses ), ID, TD∗ ) w ←w+1 end for return TA So created TA corresponds to columns 3-5 in Table 1. TA is sent to verifier’s device. Note that in the table, columns “responses” and “VC” are by their nature random, hence their values do not repeat too often. On the other hand, column “ID” contains identifiers of visas which naturally obey some pattern, and therefore are similar to one another. At the same time, the first column contains most data in the table. This observation leads to a conclusion, that the table can effectively be compressed to occupy less space (during transfer as well as in the verifier’s device). For the e-visa scenario, we imagine the following framework for distributing TA ’s. Each day, after the procedures for issuing visas are closed, the issuer (e.g., Ministry of Foreign Affairs) gathers information about all visas issued so far that are valid for the next day, say d. Next, for each Customs Officer in service, adequate TA ’s are generated by Algorithm 2. These are sent securely to adequate offices, where CO’s devices are updated with new data. Certainly, such distribution causes that a newly issued visa will be visible in the system not faster than the next day. In may happen that an urgent visa is issued that needs to be verifiable immediately. Then “last minute” updates/extensions of TA can be sent directly to CO’s terminal via GPRS/SMS messages due to their small size, which in turn will not induce additional costs. Of course, in this case it is better if the CO’s device requests such update if it recognizes an urgent visa (e.g. by its ID), than if this information is pushed to all CO’s in service. 4.2.2. Verification procedure. As we said before, a verifier (V) can use its dataset to verify that the visa of a holder’s (H) is valid. By validity we understand that the visa will behave as predicted at the time when the verifying dataset was created. To check that, the following procedure is executed: 1. on V’s request H’s visa responds with its ID; 2. V generates a set C = {c1 , c2 , . . . , ck } of challenges applying the procedure genChallenge(·) from Algorithm 1 to his key K, the received ID, current date and all i ∈ [1, k];

90

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

3. V challenges H with a subset of C (the size of the subset is a parameter in the system) and collects a vector of responses respBits’ in such a way, that respBits [i] =



? if H was not challenged with ci b otherwise, and responded with b

4. V searches TA for lines that satisfy respBits == respBits where ’?’ is a wildcard; 5. if the above search did not succeed V rejects H; 6. for all matching rows, V calculates TD∗ = h(K, respBits, ID, V C) and verifies TD∗ with H’s TD. Searching in point 4 can be effectively performed as a binary search. The last step of the verification is done to confirm the binding of the visa with the document it is attached to. For this purpose one can use e-passport applications. Alternatively, one can retreat to manual inspection, when the passport is not a biometric one. Note that verification of T D∗ in point 6 can easily be automated since in general travel documents follow the same standard as to where and how identification data is printed. This allows even simple text recognition techniques to easily recognize required information. Alternatively, one can use machine readable code form the passport.

5. Security considerations In order to show that our system is secure we first describe possible threats for an electronic visa system. Next, we introduce different scenarios for an adversary A. and discuss related attack costs. 5.1. Security threats A few problems may arise from the fact that such electronic system for visa circulation is deployed. First of all, forgery. It is conceivable that a person might try to design an RFID transponder that would perform the verification protocol and present verifiable data. Below we provide calculations that estimate the probability of success of such an attempt. Also, we note that, when compared to forging only paper stickers that are in use nowadays, building a forged e-visa is by far more involved. Second issue is that of identity theft and privacy. One may argue that since each visa responds with its ID that is unique, this mechanism may be used for purposes different than trans-border traffic control. The same problem however is present in any systems that utilize wireless transponders for identification or access control. We therefore do not address this issue here since there are readily available solutions to this problem to be found elsewhere. For example, keeping passports in a Faraday-cage wallets and displaying them only when needed for identification is advised for European States [12]. Lastly, the problem of disloyal verifiers that might try to utilize their privileged role in the system to obtain personal profits. Even though we do not describe any accounting features in our system, they can easily be incorporated within the framework to keep log of the verifier’s actions. Of course, the devices must posses higher level of security (in fact it is rather funny to think that the Customs Officer would inspect a person’s

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

91

passport using a standard smart phone). At the moment of uploading a new table TA at the base station, the logs might be downloaded for inspection. It is even conceivable that the information can only be extracted from the device with the use of proper secret key of the corresponding base station and only by a certified communication protocol. Then, extracting all information from TA for cryptanalysis would require too much time, as it would require not only accessing the device, but also breaking the key. 5.2. Adversary In order to analyze how our system is resistant to adversarial actions we first define the possible threats an adversary can pose. We focus on electronic visa system as the one having grave implications and concerning international law. Nevertheless, our considerations also apply in greater or smaller part to other RFID based systems we mentioned in Introduction. 5.2.1. Privacy. One of important threats is that e-visa verification data might be used to prove to a third party that a given person was at a given place at a given time. This will not succeed for the protocol presented, as the verifier does not obtain any information that is different from the data already possessed. In other words, the visa identifier is a publically available piece of information; as such, there can be many fake tags responding with such an ID, but only one is the true e-visa with its secret. So a person buying evidence of e-visa holder’s presence can be cheated easily by the verifier. 5.2.2. Collecting all responses. Probably the easiest activity of an adversary is that of eavesdropping the communication between a verifier (or verifiers) V and an e-visa H. That is, for some visa identifier id, A can collect a set of challenge-response pairs of the form (ci , bi ). Then, A can mimic id before the same or a different verifier V if he is challenged with values ci that are in the list. Note however, that in order to collect all possible values of ci , by the standard coupon collector problem A needs to eavesdrop k2 · n · m log(n · m) transmissions. For the proposed values n = 2048, m = 32, k = 10 (i.e. bit length of the challenge is 16 bits, verifier’s TA contains 10 pre-computed response bits for each visa), this number is large: assuming that each verification takes 1 second, it would require 40 hours to collect full information about a single visa. 5.2.3. Cryptanalysis. A may also launch a cryptanalysis attack. In this case he does not obtain full knowledge about all possible challenges. Instead, A uses a small number of known pairs (ci , bi ) and tries to infer the bitSecret from them. Let us assume that A can do the following: 1. collect a list L of r responses of the form (ci , bi ); let all ci ’s be pairwise different;3 3 Note that the situation when many V’s collude by combining their tables T is a special case of the above A situation. Then, there are t colluding verifiers and TA of each verifier contributes k pairs (ci , bi ) different from other verifiers’ contributions.

92

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

2. uniquely assign each bi from each pair in L to a specific location in bitSecret; let all these locations be different. Under these very favorable assumptions A would learn the exact locations of r bits in bitSecret. With this knowledge he can try to mimic SKA for any challenge. By the way SKA works however, the number r must be very close to n. First, using Lemma 1 we estimate t, the number of transmissions to be eavesdropped to learn all but m bits of the key (or, similarly, to collect all but m distinct ci ’s), under favorable conditions for the adversary described above. Lemma 1. Let Ω be a set of cardinality n. Suppose that we select independently random subsets K1 , . . . , Kt of Ω of cardinality k. Let Fn,k,t = card (Ω \ (K1 ∪ . . . ∪ Kt )). Then 

k E (Fn,k,t ) = n 1 − n Moreover, if 0 < m < n and ε > 0 and t ≥

n m 1 1− k n

ln ln

t .

(1 + ε), then E (Fn,k,t ) = m

m ε n

.

Before we start the proof let us remark that the problem considered in Lemma 1 is different from the standard model where we throw tk balls into n bins and ask how many bins hold at least one ball. In our case the balls are thrown in groups of k, and no two balls of the same group go to the same bin. Proof. Let us fix a point x ∈ Ω. Let K = K1 ∪ . . . ∪ Kt . Then 

n−1 nk

k

Pr[x ∈ / K] = Pr[x ∈ / K1 ] t =

t .

Notice that    n k n−1 =1− / k k n



hence Pr[x ∈ / K] = (1 − nk )t and E (Fn,k,t ) =

 x∈Ω



k Pr[x ∈ / K] = n 1 − n

The second result follows from direct substitution t → mula. Notice that if k n, then ln 1−1 k ∼ n

k n,

n m 1 1− k n

ln ln

.

(1 + ε) into the last for-

hence in this situation we have

n ln m n n 1 (1 + ε) ∼ (1 + ε) k ln m . ln 1− k n

t

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

93

n n Notice that, if t ≈ nk ln m , then E (Fn,k,t ) ≈ m and, for example, if t ≈ 2 nk ln m , then m2 E (Fn,k,t ) ≈ n . Recall that in each transmission there are k distinct ci ’s revealed. More, relating Lemma 1 notation to our case we have:

n - is the bit-length of bitSecret; k - signifies the number of challenges presented to the visa during one session and overheard by A; t - is the number of overheard transmissions for the same visa, where different bits from bitSecret are revealed. As we see, we can quite precisely determine the expected number of unknown key bits after collecting a given number of responses. The adversary might hope that a number of bits broken need not to be equal n. In some cases, SKA can omit some of the bits from the secret bitstring, which is favorable to the attacker. Recall that according to design assumptions, SKA performs look-up at random positions, each time reading a block of log n bits. The following lemma allows us to estimate the probability that an arbitrary visa authentication session (specifically: the run of SKA algorithm executed during the session) does not depend on a set of bits from bitSecret unknown to the attacker. Lemma 2. Let us choose m independent subsets I1 , . . . , Im of the set {1, . . . , n} of cardinality L. Let us choose a random point ξ ∈ {1, . . . , n}. Then  Pr[ξ ∈ / (I1 ∪ . . . ∪ Im )] =

1−

L n

m .

Proof. Let F = {1, . . . , n} \ I1 ∪ . . . ∪ In . Then  Pr[ξ ∈ F ] = Pr[ξ ∈ F |card (F ) = a] Pr[card (F ) = a] = a

a 1 1 a Pr[card (F ) = a] = E (card (F )) . Pr[card (F ) = a] = n n n a a On the other hand, for each fixed ξ ∈ {1, . . . , n} we have Pr[ξ ∈ F ] = (Pr[ξ ∈ / I1 ])m . Therefore m   L E (card (F )) = Pr[ξ ∈ F ] = n 1 − . (1) n ξ

Let us identify now the space {1, . . . , n} with the cyclic group with Cn . Using the technology developed in [4] we may transform the last lemma to the family of all subintervals of {1, . . . , n} of length L. Let us consider a family I1 , . . . , Im of sub-intervals of length 2 ln n of the cyclic group Cn and a sequence of random points ξ1 , . . . , ξt . Let S denote the event {ξ1 , . . . , ξt } ∩ (I1 ∪ . . . ∪ Im ) = ∅ .

94

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

Then  Pr[S] =

2 ln n 1− n

mt

Hence 

1 Pr[S] < K



 ≡

tm >

ln K ln 1− 21ln n

n ln K ≈ 2 ln n



n

For n = 2000 we get 

1 Pr[S] < K

 ≡ (tm > 131.0626... ln K) .

Again, applying the notation of the lemma to our problem we have that {ξ1 , . . . , ξt } denote bits unknown to the attacker and (I1 ∪. . .∪Im ) denotes a set of indices in bitSecret that SKA uses during execution. Consequently, event S denotes “SKA does not use any of the unknown bits for its execution”. 5.2.4. Remarks. Note that the adversary model is an extremely strong one. Indeed, the assumption made in point 2 above is not easy to fulfill: there seem to be no effective way to invert SKA (or the shrinking generator, if that is used). The strength of the SKA algorithm reflected in the above calculations lies in the fact that each authentication yields only a very small fraction of information. Namely, A learns only one bit of the secret per transmission and all transmissions are independent, i.e., they reveal some bit from the location that has uniform distribution. Even more, such single authentication involves just a small fraction of bits from bitSecret, therefore A cannot infer the values of the remaining bits, not involved in the process, based on the one-bit output he gets. Therefore it is clear that small number of eavesdropped authentications is not sufficient to break the visa’s secret.

6. Conclusions In this paper we proposed an electronic visa system based on RFID technology. It allows for an off-line verification of all visas valid for a given day, at the same time not posing big requirements on computation and storage, both on the side of the visa tag as well as the verifying device. We employed a new design paradigm, where we shift the weight of the security of the algorithm from computations towards memory; by this we address numerous remarks circulating in literature of the topic that ordinary RFID tag does not have enough entropy to safeguard its credentials. Our approach is supported by explicit computations that provide fully acceptable results for reasonable real-life parameters.

P. Bła´skiewicz et al. / RFID Electronic Visa with Personalized Verification

95

References [1] [2] [3]

[4]

[5]

[6]

[7] [8]

[9] [10] [11] [12]

Paul Balanoiu. Enhancing privacy for biometric identification cards. CoRR, abs/1002.3475, 2010. Chris Bronk. Innovation by policy: A study of the electronic passport. Available at SSRN: http://ssrn.com/abstract=1557728, May 2007. Dario Carluccio, Kerstin Lemke-Rust, Christof Paar, and Ahmad-Reza Sadeghi. E-passport: The global traceability or how to feel like a ups package. In Jae-Kwang Lee, Okyeon Yi, and Moti Yung, editors, WISA, volume 4298 of Lecture Notes in Computer Science, pages 391–404. Springer, 2006. J. Cicho´n and M. Klonowski. A note on invariant random variables. In 21st International Meeting on Probabilistic, Combinatorial, and Asymptotic Methods in the Analysis of Algorithms (AofA’10), DMTCS Proceedings, pages 107–116, 2010. Don Coppersmith, Hugo Krawczyk, and Yishay Mansour. The shrinking generator. In Douglas R. Stinson, editor, CRYPTO, volume 773 of Lecture Notes in Computer Science, pages 22–39. Springer, 1993. Jaap henk Hoepman, Engelbert Hubbers, Bart Jacobs, Martijn Oostdijk, and Ronny Wichers Schreur. Crossing borders: Security and privacy issues of the european e-passport. In In 1st IWSEC (Kyoto, pages 152–167. Springer, 2006. ICAO. Document 9303, machine readable travel documents, 2004. Ari Juels, David Molnar, and David Wagner. Security and privacy issues in e-passports. In Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, pages 74–88, Washington, DC, USA, 2005. IEEE Computer Society. Ministry of Foreign Affairs of Japan. Statistics for the number of visas issued in 2009. WWW announcement, 2010. European Parliament and European Council. Regulation (ec) no 810/2009 of the european parliament and of the council of 13 july 2009 establishing a community code on visas (visa code), 2009. Christian van’t Hof. Rfid and identity management in everyday life. Technical report, European Community, Technology Assessment, June 2007. Ilona Vercseg. The Budapest declaration: Building European civil society through community development. Community Development Journal, 39(4):423+, 2006.

96

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-722-2-96

A Sub-0.5V Lattice-Based Public-Key Encryption Scheme for RFID Platforms in 130nm CMOS Yu Yao, Jiawei Huang, Sudhanshu Khanna, Abhi Shelat, Benton Highsmith Calhoun, John Lach, and David Evans University of Virginia {yy4y,jh3wn,sk4fs,as4bd,bcalhoun,jlach,evans}@virginia.edu

Abstract. Implementing public-key cryptography on passive RFID tags is very challenging due to the limited die size and power available. Typical public-key algorithms require complex logical components such as modular exponentiation in RSA. We demonstrate the feasibility of implementing public-key encryption on low-power, low cost passive RFID tags to large-scale private identification. We use Oded Regev’s Learning-With-Error (LWE) cryptosystem, which is provably secure under the hardness assumption of classic lattice problems. The advantage of using the LWE cryptosystem is its intrinsic computational simplicity (the main operation is modular addition). We leverage the low speed of RFID application by using circuit design with supply voltage close to transistor threshold (Vt ) to lower power. This paper presents protocols for using the LWE cipher to provide private identification, evaluates a design for implementing those protocols on passive RFID tags, and reports on simulation experiments that demonstrate the feasibility of this approach. Keywords: RFID Privacy, Private Identification, LWE Public-Key Cryptosystems, Sub-Threshold Design, Lattice Encryption, Passive RFID

1

Introduction

Many RFID applications such as supply chain management require the ability to uniquely identify individual tags, while scaling to billions of items and limiting the cost of a tag to a few cents. Such applications raise privacy concerns when individuals do not wish to be tracked or businesses do not want competitors to learn too much about their logistics. Public-key cryptosystems offer an attractive solution but standard public-key algorithms cannot be implemented in the severe area and power constraints for passive RFID tags. For large scale private identification, no provably secure public-key encryption algorithm has been found that can be implemented on passive RFID tags. Instead, lightweight symmetric key schemes or hash functions are used. However, symmetric key

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

97

approaches must sacrifice privacy for scalability. The power available on the passive RFID tag is the main limiting factor for the choice of cryptosystem. Passive RFID tags capture all their energy from their antenna coupling with the reader, so the power available for cryptographic operations is extremely low, typically a few microwatts. Implementations of standard public-key cryptosystems such as RSA and El Gamal require far more power than is available on passive RFID tags. Eliptic curve cryptography (ECC) is the most promising one but still requires area complexity around 15K gates. New public-key schemes or variations of known public-key encryption algorithm have been proposed [3, 30], but the security of ad hoc schemes is unclear due to the lack of reduction to a classical hard problems. Section 2 provides more details on previous work. In this paper, we introduce a new approach to implementing public-key cryptosystems on RFID tags. The main idea behind our approach is to use a lattice-based cryptosystem that provides a high level of security while only requiring simple (modular addition) logical operations. The main challenge in implementing this cryptosystem on a passive RFID tag is the large key size needed. We address this by using sub-threshold design techniques to reduce the size and power consumption needed to store the public key in ROM. In particular, we make the following contributions: – We demonstrate the feasibility of implementing a public-key encryption on low-end passive RFID tags. We adopt the Learning-With-Error (LWE) lattice-based cryptosystem proposed by Oded Regev and proved secure via a reduction to classical lattice problems [28]. (Section 4) – We present a private identification protocol based on the LWE cryptosystem. The protocol protects privacy by ensuring that tracking an RFID tag is as hard as breaking the LWE cryptosystem in a game model similar to the chosen-plaintext-attack model. (Section 5) – We describe and evaluate a design in 130nm CMOS. Our results show the logic required to implement our design (1545 GEs) is far smaller than any other known public-key cryptosystem implementation. By using a combination of sub-threshold and near-threshold circuits, the power consumption is as low as 9.19μW and is well within the requirements of passive RFID tags). (Section 7)

2

Related Work

Much previous work has focused on the problem of privately identifying an RFID tag. Since the tags send messages over radio transmissions that can easily be intercepted, private identification requires using cryptographic protocols that take advantage of secret keys known only to legitimate readers. There are two main approaches: symmetric schemes where the tags and readers have shared secret keys, and asymmetric schemes. In a pure symmetric scheme, the reader has a unique shared key with each tag in the system [33]. Pure symmetric key schemes cannot scale to support billions of tags since the reader needs to try all secret keys in the system to decrypt the received message. The cost of identifying a tag on the RFID reader must scale sub-linearly with the size of the system. Tree-based hash protocols [25, 4] address this problem by assigning shared

98

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

secrets to tags. This achieves scalability but sacrifices privacy [26, 9, 4]. Another approach is to use symmetric keys that are updated after each successful read [5, 6, 15, 31, 34, 12]. This approach sacrifices either availability or privacy for scalability. De-synchronization attacks that prevent a legitimate reader from being able to read a tag after an adversary interacts with it maliciously pose the main threat to this approach. Another drawback is that it requires rewritable memory and high power consumption to rewrite data on NVRAM memory for each read. Asymmetric schemes have the advantage that identification can be done in constant time and there is no privacy loss when key material stored on individual tags is lost. Due to severe restrictions on implementation area and power consumption, new public-key cryptosystems as well as variations of previous systems have been proposed. A variant of Rabin’s public-key scheme was proposed by Shamir [30] and implemented by Oren and Feldhofer (WIPR) [27]. However, subsequent research by Jiang Wu identified a serious security flaw in WIPR [35]. The proposed remedy requires a cryptographic hash function, which is too expensive for low-end tags. The NTRU public-key cryptosystem, first proposed by Hoffstein, Pipher and Silverman in 1996, is a lattice-based cryptography employing only simple polynomial multiplications instead of exponentiation. This system was implemented with 2.8K gates with dynamic power consumption of 1.72μW [3]. However, there is no formal security proof for NTRU and it suffers from the lattice reduction attack [18]. To date, no public-key cryptosystem has been found that is adequate for passive RFID tags.

3

Private Identification for RFID

A private identification protocol enables a legitimate RFID reader to identify a tag without providing a way for an adversary to track, profile, or identify tags. We adopt Juels’ and Weis’ definition of privacy [21] with a parameterized privacy experiment. It captures the idea of classic indistinguishability under chosen plaintext attack. The adversary A first corrupts at most N − 2 tags, where N is the number of tags in the system, and performs any computation within its parameter bounds. A selects two uncorrupted tags as challenge candidates. One of them is randomly picked and presented to A. A perform any computation within its parameter bounds and responds with a bit b indicating which tag is picked. A wins the privacy experiment if A guess the chosen bit correctly with probability noticeably more than 50%. We strengthen the adversary’s ability by eliminating parameterized communication bounds and setting A as standard interactive probabilistic polynomial Turing Machine since we admit A similar to the public-key cryptosystem adversary model. Assume we have public-key cryptosystem Π = {Gen, Enc, Dec}, where n as a security parameter (e.g., key length) and a system with N tags. We define the privacy experiment as: (n) The Private Identification Protocol Expprivacy A,Π 1. Gen(n) is run to obtain a key pair P K, SK ← Gen(n). 2. Assign each tag its unique ID and store the information necessary for encrypting the ID.

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

99

3. In the learning phase, Adversary A is allowed to break at most N − 2 tags and acquire all the information on the tag. 4. In the challenge phase, A picks two uncorrupted tags T ag0 and T ag 1 , a random bit b ∈ {0, 1} is chosen, denote ID b = ID of T ag b . Then c = EncP K (ID b ) is computed and given to A. 5. A is allowed to interact with the tags in the system as follows: A can query q ∈ {0, N − 1}. In response, A receives Enc(ID q ), and outputs a bit b . 6. The output of the experiment is defined to be 1 if b = b, and 0 otherwise. Definition 1. A protocol is private if for all probabilistic polynomial-time adversaries A there exists a negligible function  such that: Pr[Expprivacy (n) = 1] ≤ A,Π

1 2

+ (n)

In the above game, the adversary’s objective is to perform malicious profiling or tracking attacks by distinguishing any two tags it picks, which threats a wide range of RFID applications.

4

The LWE Public-Key Cryptosystem

Our private identification protocols use the LWE public-key cryptosystem proposed by Oded Regev [28, 24] and proven to be chosen-plaintext-attack (CPA) secure based on the learning with error (LWE) problem. The hardness of LWE follows from known hard lattice problems, namely the decision version of the shortest vector problem (GapSVP) and the shortest independent vectors problem (SIVP). Unlike factoring-based asymmetric cryptosystems such as RSA, there is no known quantum algorithm to solve these problems. The LWE problem assumes we have a secret vector S = [s1 , s2 , ...sn ] ∈ ZPn and polynomial random equations modulo prime P with errors: ⎧ a11 s1 + a12 s2 + ... + a1n sn ≈ b1 mod P, ⎪ ⎪ ⎨ a21 s1 + a22 s2 + ... + a2n sn ≈ b2 mod P, (1) .... ⎪ ⎪ ⎩ am1 s1 + am2 s2 + ... + amn sn ≈ bm mod P Given aij ∈ ZP , bi ∈ ZP and P , where i ∈ {1, m}, j ∈ {1, n}, learning secret S from a set of equations with error is provably as hard as solving classic worst-case lattice problems [28]. The LWE cryptosystem proposed by Oded Regev is shown in Algorithm 1. For instance, the public key constructed from the set of equations (1) is: ⎞ ⎛ a11 a12 ... a1n b1 ⎜ a21 a22 ... a2n b1 ⎟ ⎟ (2) PK = ⎜ ⎝ ... ... ... ... ... ⎠ am1 am2 ... amn bm To illustrate how LWE encryption works, consider each row in public key ai = [ai1 , ai2 , ..aim ], since each equation satisfies ai · S ≈ bi mod P , for a random subset

100

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

Algorithm 1: The LWE based public-key Cryptosystem [24] Parameters n, m, l, t, r, q, δ (all operations are done in modulo q) Private Key Choose S ∈ Zn×l uniformly at random. The private key is S. q uniformly at random and E ∈ Zm×l from a distribution Public Key Choose A ∈ Zm×n q q determined by δ. The public key is (A, P = AS + E) ∈ Zm×n × Zm×l . q q Encryption Given an element of the message space v ∈ Zlt and a public key (A, P), choose a vector a ∈ {−r, −r + 1, ...r}m uniformly at random, and output the ciphertext l (u = AT a, c = PT a + f (v)) ∈ Zn q × Zq n Decryption Given a ciphertext(u, c) ∈ Zq × Zlq and a private key S ∈ Zn×l , output q f −1 (c − ST u)

  R ⊆ {1, ..m}, we have i∈R ai ·S ≈ i∈R bi mod P . To encrypt a message compute the sum of a random subset of the rows, which is statistically close to uniform distribution if m is large enough [1, 28], and shift a small of the message. distance by a function  a mod P, b For example, the encryption of 0 is(c1 , c2 ) = ( i∈R i∈R i mod P ), and  i the encryption of 1 is (c1 , c2 ) = ( i∈R ai mod P, i∈R bi + P/2 mod P ). To decrypt with the decryption key S, simply check if c1 · S ≈ c2 to reveal the encrypted bit. Thus, encryption is done by summing up random rows in the public key (A, P) and adding a shift f (v) : Zlt → Zlq . The shift, f (v), could be a simple function such as qt v. To reduce the encryption blowup, the parameter l, t is introduced so that multiple bits can be encrypted in one round. To reduce the size of public key and increase security, each row can be added or subtracted up to r times instead of just 0 or 1 times. Figure 1 depicts various parameters in Algorithm 1.

Fig. 1. Parameters in LWE Cryptosystem

The LWE cryptosystem has three notable advantages for RFID systems: (1) The only logical operation in encryption is modular addition which can be implemented cheaply in hardware; (2) It has proven security and resistance to quantum attacks; (3) It

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

101

is a randomized encryption scheme so there is no linkability between any two ciphertexts for the same message. 4.1

Cyclic Key

Though the LWE logic unit is inherently simple, the memory size for storing the public key would dominate the die size and consequently the manufacturing cost. As indicated in Regev’s paper [24], the size of the public key is in the order of megabits, which is out of reach for a low-end passive tag. A compact way of representing the public key without jeopardizing security is necessary. The size of the public key (A, P) could be reduced dramatically by replacing the random matrix A with a cyclic matrix as proposed by Micciancio [23]. In a cyclic matrix, each column is a cyclic rotation of the first column. This reduces the key storage from m(n + l) elements to m(1 + l) elements. This twist takes the toll on the original security proof by Regev and replaces the hardness assumption on classic general lattice problems with cyclic lattice problems [23]. However, no algorithms are known so far that solve cyclic versions of the lattice problems more efficiently than the classic ones. It is assumed solving cyclic lattice problems is also hard [24]. Several efficient constructions such as the SWIFFT hash function [2] are based on cyclic lattices.

5

Private Identification Using LWE Cryptosystem

For private identification, a tag has to deliver its ID to a legitimate reader without revealing any information to malicious attackers. The LWE public-key cryptosystem has been proven to be CPA-secure and could be simply employed to encrypt the tag ID and deliver the ciphertext. The protocol is show in Figure 2.

Tag Public key P K, IDi

query

Reader Private Key SK

←−−−− C = EncP K (IDi )

C

− →

DecSK (C)

Fig. 2. Private identification Protocol 1

Theorem. The LWE Private Identification Protocol is private. Proof sketch. To satisfy the privacy definition, we need to prove an adversary has no non-negligible advantage in the privacy game: (n) = 1] ≤ Pr[Expprivacy A,Π

1 + (n) 2

The LWE cryptosystem has been proven to be CPA secure [28]. Comparing the CPA privacy game Pubcpa A,Π (n) with the privacy game ExpA ,Π (n), we notice that the two games

102

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

are very similar except that the adversary A in the privacy game has the power to break the tags and “decrypt” the message while the adversary A in the CPA game only has access to an encryption oracle. It seems that for A to invoke A , A needs to provide A a “decryption” oracle. However, arbitrary ciphertexts are not “decryptable” by A since A has to find the tag which generates the message to break. This “decryption” procedure actually could be simulated by using A’s the encryption oracle. During the challenging phase, A gets to “interact” with the tags before outputting a guess. The LWE scheme works because when the scheme is “re-randomizable CPA-secure” then it can handle this by giving new randomizations of the received challenge ciphertext. Therefore A could successfully invoke A in the CPA game and output what A outputs. We show if an adversary A wins Expprivacy (n) with non-negligible probability, then A,Π there exists an A to win the CPA experiment with non-negligible probability. Thus, breaking the privacy of the protocol implies breaking the LWE cryptosystem. (See the Appendix for proof details.) 5.1

Application in Data Sensitive Scenarios

In certain applications such as e-passports, the ID itself could be sensitive information which is risky to store on the tag. One solution to this is to store only indices on the tag and require readers to perform a back-end database lookup. This has the disadvantage that it requires readers to be online to gain any information from the tag. The LWE cryptosystem enables a solution that allows a tag to convey a meaningful ID directly to a legitimate reader without storing that ID on the tag except in encrypted form. Figure 3 shows the protocol. The ID is encrypted once and stored on the tag as a constant. During every encryption performed on the tag, message 0 is encrypted by the randomized encryption block and added to the encryption of ID. It takes the advantage of the malleability property with LWE cipher ID = Dec(EncP K (ID) + EncP K (0)). Each time, CIDi is the same value but EncP K (0) keeps changing in a randomized way. (See the Appendix for the proof for privacy.) Now, even an adversary who can physically break the tag only learns the encrypted ID value, and has no advantage for obtaining the plaintext tag ID. 5.2

Forward Security

Forward security (or forward traceability) ensures that revealing tag information at any time will not put in danger the security or indistinguishability of previously sent messages. Thus even if the adversary A breaks the tag at some point, A still has little

Tag public-key P K, CIDi = EncP K (IDi ) C = CIDi + EncP K (0)

query

Reader Private Key SK

←−−−− C

− →

DecSK (C)

Fig. 3. LWE Protected Private Identification Protocol

103

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

advantage at tracing back the identity of the tag in previously recorded sessions. This is another form of a tracking attack that could jeopardize consumer privacy. Also directly inheriting from the CPA security of the LWE cipher, the simple private identification protocol preserves the forward security. Since the adversary is the one who chooses two plaintexts and thus has the knowledge of the potential plaintext given the challenge of two ciphertexts. Therefore, even with the knowledge of the encrypted ID, an adversary has no advantage at distinguishing the ciphertexts from random guessing and the simple private identification scheme preserves forward security.

6

Parameter Selection

Table 1 summarizes the LWE parameters. Our goal is to find parameters that provide adequate security and response time, while minimizing implementation area and power consumption. We consider five metrics in Table 2. Parameter n m l t r q δ

Meaning number of columns in A number of rows in public-key (A and P) number of columns in P size of one character in the message space v ∈ Ztl maximum number of times each row is selected by vector a the modulus √ used to the compute the distribution Φα with standard deviation √ αq/ 2π from which the noise matrix E is generated and α = 4 · max{ 1q , 2−2 Table 1. LWE Parameters

6.1

nlog(q)log(δ)

}

Computation Time Model

The first three metrics are calculated using formulas from the LWE paper [24]. To derive the computation time to encrypt one message, we analyze the time complexity of processing each row of the public-key. If the generated random number is i, we need |i| cycles to process this number before moving on to the next one. Since the value of i is uniformly  distributed in the range [−r, r], the average number of cycles to process r r 2 +r i=−r |i| = 2r+1 . The public-key has m rows and n + l columns, so a number is: 2r+1 2

r +r the expected time to encrypt one message is: fm(n+l) ·Nadder 2r+1 , where f is the operating frequency and Nadder is the number of log q-bit modular adders.

6.2

Gate Equivalents

To derive the area for storing the public-key, we consider 1 GE as the average area of 2-input low strength basic logic gates in a standard cell library. We looked at multiple

104

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

Metrics Security level (Lattice dimension in attack) Encryption blowup Error rate (per letter)

Measurement nlog(q)/log(δ) (l+n)log(q) llog(t)  1 6π 2(1 − Φ( 2tα · r(r+1)m )) m(n+l) r 2 +r f ·Nadder 2r+1

Computation time (s) Storage for public-key (GEs) m(l + 1)log(q)/β Table 2. Algorithm Level Metrics

Default > 325 < 60 < 0.9% < 0.8s ≈ 6K

commercial technology nodes from 130nm down to 65nm and found that 1 GE is about 10μm2 in 130nm and increases by a factor of two as we go to the higher technology node. Ricci [29] describes a standard cell library for an RFID tag implementation and reports a number close to 20μm2 for a GE in 0.18μm technology, which fits in the area and scaling trend we suggest for 1GE. This definition of GE allows comparisons of implementations across technology nodes, and also fits well with commercial standard cell libraries. We use this definition of GE to estimate area of both our scheme and the previous work. 6.3

ROM Area Model

We use a ROM to store the public-key, which is fixed and uniform across all tags. To estimate the area required for the ROM, we use previously published results. NAND ROM bit-cell area of less than 0.15μm2 (in 90nm technology) has been reported by Chang [22] and Harris [16]. We have shown before that 1GE for 130nm is 10μm2 . Since bit-cell sizes scale regularly over technology nodes, a ROM bit-cell is equivalent to roughly 0.033 GE per bit, assuming 75% array efficiency. Thus, we estimate the GEs based on ROM bit-cells. 6.4

Parameter Selection

Based on the requirements of a large-scale private identification application in supply chain management, we set the default requirements on each metric as shown in Table 2. We estimate gate equivalent (GEs) for the storage of public-key by dividing the number of bits need to store by β = 30 (0.033 GE per bit as justified in Section 6.3). We swept through the parameter space to find several interesting design points summarized in Table 3. The Low Cost parameters offer reasonable security within small ROM area and power consumption. The Fast Encryption parameters parallel adders to speed up. Since lattice encryption algorithm has a highly parallel dataflow and this can be easily exploited by having multiple modular adders working in parallel. The increasing power on adders is offset by the decreasing power of ROM due to the reduced frequency. For the Fast Encryption and Low Power designs, we use four adders to minimize the total power consumption. The Low Power parameters reduce the power consumption by decreasing the operating frequency and the Strong Security selects parameters that produce a high security level as estimated by lattice dimension.

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

105

Parameter Low Cost Fast Encryption Low Power Strong Security n 152 152 152 198 m 1005 1005 1005 1238 l 12 12 12 12 t 16 16 16 16 r 2 2 2 2 q 8219 8219 8219 6803 δ 1.013 1.013 1.013 1.011 # adders 1 4 4 1 Freq (KHz) 800 800 200 800 Security (Dim) 326 326 326 400 Storage (GEs) 6036 6036 6036 6904 Blowup 48 48 48 57 Error rate 0.69% 0.69% 0.69% 0.742 Time (ms) 494.46 123.6 494.46 779.94 Table 3. Parameter Selection

7

Implementation

In this section, we describe our implementation of the private identification protocol on RFID tags based on the LWE encryption algorithm and discuss the low area, low power techniques for components such as logic block, memory and random number generator. 7.1

Ultra-Low Power Logic

Sub-threshold operation, or operation of a circuit below the threshold voltage of a transistor, has been shown to lower power in memory [10], processor [32] and system design [20]. Lowering voltage increases circuit delay as well, and thus power (CV 2 f ) decreases at a fast rate. We leverage sub-threshold and near-threshold operation in the implementation of our scheme. Since RFID encryption schemes work at sub-1MHz frequencies, such low voltages are sufficient to provide the necessary performance. At supply voltages near the threshold voltage, excessive leakage and variation start becoming more pronounced. To lower the impact of these effects we choose an older technology (130nm) for our implementation. We simulate the design generated by the synthesis tool (RTL Compiler) and the place and route tool using circuit level simulator Ultrasim. This step eliminates possible errors that may be caused as these tools use circuit data characterized at nominal voltages (1.2V). 7.2

Design Architecture

In order to evaluate the performance, area and power consumption of the LWE encryption design, we implemented the encryption circuit in VHDL and synthesized it with RTL compiler from Cadence. Automatic place and route was done by SOC Encounter. The final extracted netlist was simulated using the Ultrasim simulator. We obtain the encryption time using behavioral RTL simulation. Area is gathered from the Encounter

106

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

gatecount report, and power is calculated by averaging the simulated current waveform over 1000 cycles. Figure 4 shows the architecture of cyclic lattice cipher and the logical operations being performed. The public-key is stored in ROM at manufacturing time. A true random number generator (TRNG) generates random numbers in the range of [−r, r] for row selection (Section 7.4. The modular adder performs the actual computation. The running sum is stored in an SRAM, which provides two ports for simultaneous read and write in a cycle. The control module coordinates the whole encryption process. The final values stored in the SRAM are transmitted as the encryption output.

(a)

(b)

Fig. 4. (a) Top level architecture of our cyclic lattice cipher; (b) Main computation involved in lattice cipher.

7.3

Encryption Logic

The encryption logic consists of a control and a modular adder unit. Since the modular adder can only process one public-key element per cycle, it needs to process all the elements of a given row before starting the the next row (row-wise scheme). Another column-wise scheme accumulates the elements in a given column first. The former scheme is adopted because it greatly reduces the operating frequency and power of the RNG. This scheme requires a small SRAM for storing intermediate sums. The SRAM has both read and write ports. They keep the modular adder busy for highest performance. Whenever the RNG generates a zero, it must waits for 40 cycles before generating the next number. This enables the RNG to run 40 times slower than the main logic, significantly lowering its power consumption. The time overhead is small because it takes much more than 40 cycles to process a non-zero row. The modular addition/subtraction is performed by the modular adder. Its output is connected back to one of its input ports, achieving the effect of accumulation. The mode pin controls the type of operation (modular addition/subtraction) to be performed. The latency from the input to the output is one cycle, so no pipelining is necessary.

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

107

The logic part of the circuit operates at under 0.5V, the lowest voltage to reliably perform the encryption at 800KHz clock frequency. Operating at lower voltages than 0.5V has diminishing returns for power as the leakage power starts to dominate. 7.4

Random Number Generation

Cryptographic applications require cryptographically strong random numbers, and many low-power random number generators (RNG) have been proposed for RFID applications [8, 11, 7, 14]. Bucci [8] implemented a true RNG which consumes 2.3mW of power while delivering a throughput of 10Mbps. This RNG fulfills the NIST FIPS and correlation-based tests for randomness. Since power is roughly a linear function of frequency and quadratic function of Vdd , we scale down the throughput and supply voltage from 10Mbps, 1.8V down to the needed 40Kpbs, 0.5V and estimate the power to be 0.35μW. 7.5

Sub-Threshold ROM

In this section we focus on estimating the read power for the ROM that we need for public-key storage. ROM design in sub-threshold is challenging because of codedependent read noise in the presence of bit-line leakage, charge sharing, and crosstalk. To estimate ROM power we choose a design that has been demonstrated in silicon in the sub-threshold region by Chang et al. [22]. This ensures that our estimates for ROM power reflect the design modification needed in a ROM for working at low voltages. We calculate dynamic and leakage energy separately. Of the dynamic energy, 10% is allocated to the timing block of the ROM, and this remains fixed across various ROM sizes. The rest of the dynamic energy is consumed in the bit-lines of the ROM. Bit-line size increases linearly with the number of rows, and the number of bit-lines increases linearly with the number of columns. Thus 90% of the dynamic energy of a large ROM scales linearly with the ROM capacity. Leakage in a large ROM is consumed mainly in the bit-cells and the word-line drivers. Leakage per word-line driver is about 20% the of leakage of a row of 512 bit-cells. Thus, 20% of total cited leakage can be attributed to word-line drivers. This allows us to estimate the leakage per word-line driver using the number of word-line drivers from Chang et al.’s results [22]. The rest of the leakage is consumed by bit-cells, so we can also estimate the per bit-cell leakage. We then use the leakage per word-line and bit-cell to calculate the leakage for our ROM size. To take into account the impact of technology node, we scaled dynamic energy, √ √ leakage power, and delay by 2x, 2x, and 2x as we go from one technology node to an older technology node. These factors are consistent with constant field scaling. A custom ROM built for the exact capacity that is desired would be optimized in both power and delay as compared to a model that’s extrapolated from another point in the design space. 7.6

Results

Table 4 summarizes the results from our simulation experiments for the designs in Table 3. The power and area for each components are listed. As expected, several design

108

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

points gives better results in corresponding metrics. Small area gives low cost — 8297 GEs is relatively small among the implementations of public-key schemes. By using four adders in parallel, the transaction time could be reduced to 132ms. Due to subthreshold and near-threshold design, the power consumption is low and does not vary too much among the four design points. The lowest power achieved is 9.19μW . High security is achievable with moderate additional area cost, but still below 10K total GEs.

Low Cost Fast Low Power Strong Security Frequency (KHz) 800 800 200 800 logic modular adder 0.34 1.36 0.63 0.36 rest 0.27 0.27 0.07 0.28 Power (μW) memory ROM 8.10 8.10 7.40 9.10 SRAM 1.50 1.50 1.0 1.50 RNG (@20KHz) 0.35 0.35 0.09 0.35 total 10.56 11.58 9.19 11.59 logic modular adder 352 1408 1408 329 rest 489 489 489 495 Area (GEs) memory ROM 6036 6036 6036 6904 SRAM 620 620 620 784 RNG (20μm2 /GE) 800 800 800 800 total 8297 9353 9353 9312 Security (Lattice Dimension) 326 326 326 400 Transaction time (ms) 528 132 528 840 Energy per Tran (μJ) 5.57568 1.52856 4.8532 9.7356 Table 4. Cost and Performance Evaluation of Lattice Cipher

7.7

Comparison with Related Work

Table 5 compares our results with other public-key encryption implementations targeting RFID applications. Elliptic curve cryptography (ECC) has been regarded as the most promising widely-used public-key cryptosystem for RFID tags. However, the area and power are still beyond the reach of low-power, low-cost passive RFID tags. We implemented WIPR-RNS [35] in 6793 GEs for logical components and 71GEs for memory We apply the subthreshold design to WIPR-RNS as well and the power consumption is very small. Unfortunately, WIPR-RNS cannot achieve satisfactory security due to the implementation flaw identified by Jiang Wu [35]. The proposed remedy requires a cryptographic hash function, which is too expensive for low-end tags. The LWE-Cost, LWE-Power and LWE-Time are corresponding to the three design points (Low Cost, Low Power, Fast) from Table 3. They are suitable for applications with different requirements. Another related work in public key cryptography for RFID is the GPS scheme [13] proposed by Girault,Poupard and Stern (GPS). GPS is a zero-knowledge authentication scheme, which has been implemented, fabricated and ISO standardized [19]. The RFID

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

109

tag which possesses a secret key can prove its identify to the reader with cheap operations. However, it is not scalable for identification purposes and since it is designed for different functionality, its implementation results are not included in Table 5. Algorithm Area (GEs) Freq (KHz) Power (μW) Cycles (k) Trans (s) Energy (μJ) ECC-163 [17] 15K 106 8.57 296 2.79 23.91 ECC-192 [17] 23.6K 106 19.95 500 4.7 93.76 WIPR-RNS 6.9K 1 MHz 2.84 149 0.14874 0.42 LWE-Cost 9K 800 10.56 422 0.528 5.57 LWE-Power 11K 200 9.19 105 0.528 4.85 LWE-Time 11K 800 11.58 105 0.132 1.53 Table 5. Comparison with Other Public-Key Cryptographic Algorithms

8

Tech 180nm 180nm 130nm 130nm 130nm 130nm

Conclusion

Providing a high level of privacy at a low cost for large scale RFID applications remains an important and elusive goal. Our results provide reason for optimism that new developments in asymmetric cryptosystems will enable public-key encryption on RFID tags. Our simulation experiments and analyses show that an implementation of a private identification protocol based on the LWE cipher is within the power and area constraints for low-cost RFID systems. The LWE cipher offers many advantage over previous alternatives including it simple logic and provable security even against quantum attacks. Further we show how circuit techniques like sub-threshold and near-threshold operation help reduce power drastically in RFID applications where performance is not tightly constrained.

References 1. Ajtai, M.: Generating Hard Instances of Lattice Problems (Extended Abstract). In: TwentyEighth Annual ACM Symposium on Theory of Computing (1996) 2. Arbitman, Y., Dogon, G., Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFTX: A Proposal for the SHA-3 Standard (2008) 3. Atici, A.C., Batina, L., Fan, J., Verbauwhede, I., Yalcin, S.B.O.: Low-Cost Implementations of NTRU for Pervasive Security. In: IEEE International Conference on Application-Specific Systems, Architectures and Processors (2008) 4. Avoine, G., Martin, B., Martin, T.: Tree-Based RFID Authentication Protocols Are Definitively Not Privacy-Friendly. In: Workshop on RFID Security (2010) 5. Avoine, G., Oechslin, P.: A Scalable and Provably Secure Hash-Based RFID Protocol. In: Third IEEE International Conference on Pervasive Computing and Communications Workshops (2005) 6. Bolotnyy, L., Robins, G.: Physically Unclonable Function-Based Security and Privacy in RFID Systems. In: International Conference on Pervasive Computing and Communications (2007)

110

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

7. Brederlow, R., Prakash, R., Paulus, C., Thewes, R.: A Low-Power True Random Number Generator using Random Telegraph Noise of Single Oxide-Traps. In: Solid-State Circuits Conference (2006) 8. Bucci, M., Germani, L., Luzzi, R., Trifiletti, A., Varanonuovo, M.: A High-Speed OscillatorBased Truly Random Number Source for Cryptographic Applications on a Smart Card IC. IEEE Transactions on Computers Vol 52.(4) (April 2003) 9. Butty´an, L., Holczer, T., Vajda, I.: Optimal Key-Trees for Tree-Based Private Authentication. In: Workshop on Privacy Enhancing Technologies (2006) 10. Calhoun, B.H.; Chandrakasan, A.: A 256kb Sub-Threshold SRAM in 65nm CMOS. In: International Solid-State Circuits Conference (2006) 11. Che, W., Deng, H., Tan, W., Wang, J.: A Random Number Generator for Application in RFID Tags. In: Networked RFID Systems and Lightweight Cryptography (2008) 12. Erguler, I., Anarim, E.: Scalability and Security Conflict for RFID Authentication Protocols. In: Cryptology ePrint Archive (2010) 13. Girault, M., Poupard, G., Stern, J.: On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order. In: Journal of Cryptology (2006) 14. Gueler, U., Erguen, S.: A High Speed IC Random Number Generator Based on Phase Noise in Ring Oscillators. In: 2010 IEEE International Symposium on Circuits and Systems (ISCAS) (2010) 15. Ha, J., Ha: LRMAP: Lightweight and Resynchronous Mutual Authentication Protocol for RFID System. In: 1st International Conference on Ubiquitous Convergence Technology (2007) 16. Harris, N.W.: CMOS VLSI Design A Circuits and Systems Perspective. Addison Wesley (2004) 17. Hein, D., Wolkerstorfer, J., Felber, N.: ECC is Ready for RFID - A Proof in Silicon. In: Workshop on RFID Security (2008) 18. Howgrave-Graham, N.: A Hybrid Lattice-Reduction and Meet-In-The-Middle Attack Against NTRU. In: 27th Annual International Cryptology Conference on Advances in Cryptology (2007) 19. ISO/IEC: 9798: Information Technology - Security Techniques - Entity Authentication - Part 5: Mechanisms using Zero-Knowledge Techniques. (2006) 20. Jocke S.C., Bolus J.F, C.B.: A 2.6-uW Sub-Threshold Mixed-Signal ECG SoC. In: 2009 Symposium on VLSI Circuits (2009) 21. Juels, A., Weis, S.: Defining Strong Privacy for RFID. In: International Conference on Pervasive Computing and Communications (2007) 22. Meng-Fan Chang, S.M.Y.: A 0.29V Embedded NAND-ROM in 90nm CMOS for Ultra-LowVoltage Applications. In: International Solid-State Circuits Conference (2010) 23. Micciancio, D.: Generalized Compact Knapsacks, Cyclic Lattices, and Efficient One-Way Functions from Worst-Case Complexity Assumptions. In: 43rd Symposium on Foundations of Computer Science (2002) 24. Micciancio, D., Regev, O.: Lattice-based Cryptography . In: Post-Quantum Cryptography (2009) 25. Molnar, D., Wagner, D.: Privacy and Security in Library RFID: Issues, Practices, and Architectures. In: Conference on Computer and Communications Security (2004) 26. Nohl, K., Evans, D.: Quantifying Information Leakage in Tree-Based Hash Protocols. In: International Conference on Information and Communications Security (2006) 27. Oren, Y., Feldhofer, M.: A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes. In: 2nd ACM Conference on Wireless Network Security (2009) 28. Regev, O.: On Lattices, Learning With Errors, Random Linear Codes, and Cryptography. In: Thirty-Seventh Annual ACM Symposium on Theory of Computing (2005)

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

111

29. Ricci A, G.M.: Design of a Low-Power Digital Core for Passive UHF RFID Transponder. In: 9th EUROMICRO Conference on Digital System Design: Architectures, Methods and Tools (2006) 30. Shamir, A.: Memory Efficient Variants of Public-Key Schemes for Smart Card Applications. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques (1994) 31. Song, B.: Scalable RFID Authentication Protocol. In: 3rd International Conference on Network and System Security (2009) 32. Wang, A.; Chandrakasan, A.: A 180mV FFT Processor using Subthreshold Circuit Techniques. In: International Solid-State Circuits Conference (2004) 33. Weis, S., Sarma: Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In: International Conference on Security in Pervasive Computing (2003) 34. Wu, J., Stinson, D.R.: A Highly Scalable RFID Authentication Protocol. In: 14th Austrialasian Conference on Information Security and Privacy (2009) 35. Wu, J., Stinson, D.R.: How to Improve Security and Reduce Hardware Demands of the WIPR RFID Protocol. In: IEEE International Conference on RFID (2009)

Appendix Proof for Private Identification Protocol 1

Tag Public key P K, IDi

query

Reader Private Key SK

←−−−− C = EncP K (IDi )

C

− →

DecSK (C)

Fig. 5. Private identification Protocol 1

Proof: To show this protocol is private, we need to prove Pr[Expprivacy (n) = 1] ≤ A,Π 1 + (n). Recall that Π here is the LWE crypto which has been shown to be CPA. The 2 CPA experiment is summarized below for convenience: Pubcpa A,Π (n) 1. Gen is run to obtain keys (pk, sk) ← Gen(1n ) 2. Adversary A is given pk and oracle access to Encpk (·). It outputs two messages m0 , m1 of the same length (m0 , m1 ) ← AEncpk (·) (pk, n) 3. A random bit b ← {0, 1} is choosen. A ciphertext c ← Encpk (mb ) is computed and given to A. 4. A outputs a bit b ← AEncpk (·) (c) 5. The output of the experiment is defined to be 1 if b = b, and 0 otherwise. A public-key cryptosystem Π has indistinguishable encryptions under chosenplaintext attack if for all probabilistic polynomial-time adversaries A, there exists a negligible function  such that:

112

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

Pr[Pubcpa A,Π (n) = 1] ≤

1 2

+ (n)

(n) with the CPA game, we notice that we Comparing the privacy game Expprivacy A,Π allow A to access the plaintexts of received messages by breaking the tags physically. However, this is not equivalent to a decryption oracle which enables A to access plaintexts of arbitrary ciphertexts A picks. We show if an adversary A wins Expprivacy (n) A,Π with non-negligible probability, then there exists A to win the CPA experiment with non-negligible probability. Here is a way for A to win the CPA experiment by invoking A : 1. (pk, sk) ← Gen(1n ) 2. A is given pk and oracle Encpk (·) (a) assign each tag with pk (b) randomly generate ID0 , ID1 , ..., IDN with same length (c) invoke A . Use oracle Encpk (IDi ) as responses to the query of ith tag by A , and reveal IDi if A chooses to break the ith tag. (d) Output the two IDs A picks as m0 , m1 3. b ← {0, 1}, and c ← Encpk (mb ) is presented to A 4. A feed c to A 5. Use oracle Encpk (IDi ) as responses to the query of ith tag by A when A interact with tags 6. A outputs a bit b’ as A outputs Therefore, if A wins the the privacy game with non-negligible probability, A is able to win the CPA game with non-negligible probability. Proof for Private Identification Protocol 2

Tag Public key P K, EncP K (IDi )

query

Reader Private Key SK

←−−−− C = EncP K (IDi ) + EncP K (0)

C

− →

DecSK (C)

Fig. 6. Private identification Protocol 2

Proof: To show this protocol is private, we need to prove Pr[Expprivacy (n) = 1] ≤ 12 + A,Π (n) (n). We prove by reduction. Assume we have adversary A that breaks Expprivacy A,Π with non-negligible probability: 1. Gen(n) is run to obtain key pair P K, SK for system 2. Store on each tag CIDi = EncP K (IDi ) and P K 3. In the learning phase, Adversary A is allowed to break at most N − 2 tags and acquire CIDi and P K on the tag, where N is the number of tags in the system

Y. Yao et al. / A Sub-0.5V Lattice-Based Public-Key Encryption Scheme

113

4. In the challenge phase, A picks two uncorrupted tags T ag0 and T ag 1 , a random b b = CID of T ag b . c = CID + EncP K (0) is bit b ∈ {0, 1} is chosen, denote CID  computed and given to A 5. A is allowed to communicate with two uncorrupted tags and output a bit b 6. The output of the experiment is defined to be 1 if b = b, and 0 otherwise Now we can construct Adversary A to break the CPA game: 1. (pk, sk) ← Gen(1n ) 2. A is given pk and oracle Encpk (·) (a) assign each tag with pk (b) randomly generate ID0 , ID1 , ..., IDN with same length (c) use oracle Encpk (·) to produce CID0 , CID1 , ..., CIDk (d) invoke A . Use oracle Encpk (IDi ) as responses to the query of ith tag by A , and reveal CIDi and P K if A chooses to break the ith tag. (e) Output the two IDs (denote as ID0 , ID 1 ) corresponding two CID (denote as 0 1 CID , CID ) A picks 3. b ← {0, 1}, and c ← Encpk (mb ) is presented to A 0 + (c − Encpk (ID0 )) to A 4. A feed CID 5. Use oracle Encpk (0) + CIDi as responses to the query of ith tag by A when A interact with tags 6. outputs a bit b’ as A outputs Here, if b == 0, c − Encpk (ID0 ) is equal to Encpk (0) and A should have non1 negligible probability to break it. Thus if Pr[Expprivacy A ,Π (n) = 1] ≤ 2 + (n), then the privacy success probability for A is: Pr[ExpA,Π (n) = 1] ≤ 12 + 12 (n).

114

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-722-2-114

Low-cost RFID Tags as IPv6 Nodes in the Internet of Things Sandra DOMINIKUS, Hannes GROSS, Manfred AIGNER and Stefan KRAXBERGER Institute for Applied Information Processing and Communications Graz University of Technology Abstract. RFID tags can no longer be treated as pure bar-code substitute as their functional capabilities increase rapidly. Many of them are able to store and compute data, or hold sensors. The data flow in the EPCglobal network, which was created for “traditional” low-cost tags, does only work one-way: from tags to a couple of servers where data for the tags is stored and can be accessed by other readers or servers. To draw advantage from the increased functionality of the tags it will become important to have a two-way end-to-end communication between servers and tags, e.g. to remotely change data on the tags. In this paper we show how to modify RFID readers and low-cost tags to make them suitable for a two-way communication via Internet. We consider the required capabilities of readers and tags and show how communication can be done via mobile IPv6. Afterwards we describe our implementation of a simulation environment based on the described concepts and discuss some applications. Security considerations round the description before we can conclude, that also passive low-cost RFID tags are able to become part of the Internet of Things. Keywords. Passive RFID Technology, Internet of Things

1. Introduction In [1] Sarma et al. presented their vision towards an Internet of Things (IoT) on basis of RFID-tagged items. They illustrate a system that allows tracking and tracing of items by individual identification of items on basis of low-cost RFID tags. Meanwhile, the idea has evolved to the de-facto standard in modern supply-chain management. Lowcost RFID tags, as suggested by Sarma et al., are widely available (EPC-Gen2 tags) and the EPCglobal network was defined to support open-loop supply chain applications. Although RFID technology is quite accepted in closed-loop applications, the evolvement towards open-loop systems using the EPCglobal network with distributed databases, did not take place as predicted. The RFID tags considered in the EPCglobal network were considered as bar-code replacement. Cost optimization was the main objective during specification of those tags. Bulk-reading, no requirement for direct line of sight, and hard-coded unique identifier (UID) were considered as the main advantages of such tags over bar codes. The main functionality of the EPCglobal network is to provide data assigned to a specific tag, so that each participant scanning a tag can store the scanning event in a distributed database in a way that applications can be built on this data. Since the tags were not considered to

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

115

carry or compute additional data, the EPCglobal network does not provide a mechanism to address remote tags from a networked application. Meanwhile low-cost tags provide more functionality: They can store data in nonvolatile memory, they provide additional commands for electronic article surveillance, or they can be permanently disabled by a kill command. Future versions will provide even more functionality, like extended memory, cryptographic authentication, or even sensors. This was not considered in the design of the EPC network. Whenever a networked application would like to store data or change the configuration of “its” tags via remote readers, addressing of the tags via Internet is required. IPv6 provides an address space that is large enough to include tagged items (as there will be a huge number of them). It foresees mobile nodes moving from one part of the network to another. In this work we present an approach how to combine the vision of the Internet of Things on basis of passive RFID tags with IPv6 networks. This approach is compatible with current RFID systems and allows direct addressing of RFID tags via IPv6 addresses as long as they are present in the field of a reader that acts as the network bridge. This paper bases on a concept which we presented in [2]. In the following section we will give an overview over the application scenario. This is followed by a section about related work and a short introduction to mobile IPv6. In section 5 a concept for an RFIDenhanced IoT on basis of IPv6 is elaborated. Section 6 explains our implementation for a proof of concept. In section 7 we show some first considerations about security for our communication concept.

2. Definitions and Motivation In our scenario we have four types of participating parties: the tag manager, the Internet, RFID readers, and tagged items. The tag manager issues (and manages) RFID tags. During issuing an UID and other personalization information is assigned to the RFID tag. In many of the cases, the tag manager is also the manufacturer of the item. The intention of the tag manager, in our scenario, is to be able to communicate with the tag to get information from it or to change information stored on the tag. The Internet provides the routing mechanisms for IPv6 communication. Readers are connected to the Internet and are able to “translate” RFID protocol requests into IPv6 messages. The tagged items are mobile and are expected to move in their lifetime from one reader to others. As the tags are passive low-cost RFID tags, they can only be “online” when they are in a reader field. We call such tags IPv6-enabled tags, although they communicate to the reader via their standard RFID protocol. The reader acts as a translator between the RFID protocol and the IPv6 protocol. In figure 1 the communication processes between the parties are shown. In this work we only address the remote communication between tag and tag manager although the concept enables generic communication. In our system, the communication is possible in both ways: the tag can send a message to the tag manager when it enters the reader’s field. In contrast to the EPC-Network, the tag manager can contact the tag and send messages to it at any chosen time. Of course, the contact attempt will only be successful if the tag is in a reader field. In this work we think of application scenarios where the tag manager may want to

116

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

IPv6 RFID Protocol

Tag Manager Internet

Reader

Tagged Item

Figure 1. Communication Scenario

• change the tag status (e.g. revocation, call-back of tagged items), • write data on the tag (e.g. guarantee, maintenance for tagged items), • poll the recent tag status (e.g. to acquire sensor data from the tag). We assume, that the IPv6-enabled tags remain a certain time in a particular reader field. We also assume, that the RFID readers are polling their environment continuously, so that they can sense each new tag in the field within an adequate time. We show how such tags can be integrated into an IPv6 network with the use of adapted readers. As the tags are supposed to be mobile and may be online via different readers, we will use the mobile IPv6 approach to handle these tags. In Annex A, we provide a short summary of earlier work in the field of RFID and IPv6.

3. Related Work In June 2002, Engels compared the EPC identification scheme with the IP address identification scheme in a paper [3]. He came to the conclusion, that both identification schemes are very similar in structure, but neither of them can be used to replace the other scheme. Both of them are needed to do item-level identification and network communication because IPv6 addresses cannot be used as unique item identifiers and EPCs cannot be used as routing addresses in their original intention. In 2007 Sang-Dong et al. proposed to use object’s EPCs to create their current IPv6 addresses [4]. They suggest to replace the network prefix (= the 64 most significant bits) of an IPv6 address by the EPC, which only works for 64-bit EPCs. The reader accessing the tag generates this IPv6 address from the EPC and transmits it to the corresponding EPCIS server. The reader stores the created IPv6 address as well. The EPCIS server holds information about the current IPv6 address of particular tags (identified by their EPC). If someone wants to retrieve data from the tag, the EPCIS server is asked for the IPv6 address and the tag can be contacted. If the reader receives a message for the particular IPv6 address, it can transmit it to the tag and send back the response to the contacting node. In 2008, Yao-Chung et al. proposed a so-called IPv6-EPC Bridge Mechanism [5]. There exist various RFID networks, which are managed as EPCglobal Networks. Each network is connected to the IP network via a so-called RFIPv6 gateway. Information about tags are stored in the corresponding EPCIS servers which are part of the EPCglobal

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

117

network. Nodes outside this network can find information on the tag via the anycast mechanism of IPv6. The reader can identify the EPCIS address through the EPC and the correct sub network can be found via the RFIPv6 gateways, which have unique addresses as well and are derived from the EPCIS addresses. The related work so far is mainly done on EPC standards and tries to integrate IP technology into the EPCglobal network. As stated before, the idea of the EPCglobal network was created under the assumptions that tags are more or less a bar-code substitute. Modern tags do highly exceed this functionality and new applications will appear, which will require two-way end-to-end communication. To be ready to handle these tags the integration into the Internet of Things should happen over standard IP technology (IPv6). In this way we are not limited only to EPC technology but can handle also other passive RFID standards.

4. Mobile IPv6 Basics The specification of IPv6 can be found in RFC 2640 [6]. The most important change is the augmentation of the address space from 32 bits to 128 bits. Based on the most pessimistic estimates of address assignment efficiency, with this address space is predicted to provide over 1500 addresses per square foot of the earth’s surface, which certainly seems like it can serve as basis for an Internet of Things. The address prefix of an IPv6 is defined as the leading bits of the address and can have a variable length. For global unicast addresses the prefix is fixed to 64-bits which partitions the address into a network and a host portion. The 64-bit network portion consists of a network and a subnet identifier. The last 64-bit portion of an IP address, the host part, form the interface identifier which is unique for each network interface. Thus, one interface identifier can be part of multiple IPv6 addresses which are bound to the same network interface with different prefixes. This fact simplifies the concept of multi-homing. The IPv6 protocol provides some concepts to handle mobile nodes. These are nodes which are able to move in the IP network, they can join different subnets over time. In mobile IPv6 (MIPv6) two mobile nodes can establish a point-to-point communication without the intervention of another server. Communication between a “fixed” node and a mobile node works over a so-called Home Agent, which is a router with MIPv6 capabilities. A mobile node has a home subnet, where the Home Agent is located. The Home Agent always knows the current location of the mobile node. As the concept of handling mobile nodes can be also very useful for RFID tags, we shortly describe this concept. If the mobile node leaves the home subnet, the following steps are carried out: • Discovery of new subnet: the mobile node must realize, that it moved to another subnet. This is done with the Neighbor-Discovery-Protocol (NDP): each MIPv6capable router sends a Router Advertisement message periodically, which contains the prefix of the subnet. If the mobile node receives subsequently two different prefixes, it knows that the subnet has changed. • Generation of Care-of Address: the mobile node has to generate a new IP address to indicate where it is currently located. It has to send this address to its Home Agent. The new address is called Care-of Address and is generated from the subnet prefix and the EUI-64 address of the mobile node. The mobile node has also

118

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

to take care, that its address is unique in the current subnet. This functionality is offered by IPv6 with the Duplicate Address Detection (DAD). • Home Agent Binding: the mobile node sends its Care-of Address to the Home Agent. The Home Agent stores the new Care-of Address in its Binding Cache. In the Binding Cache all Home Addresses are assigned to the current Care-of Addresses. If the Home Agent receives a packet destined for a particular Home Address, the Home Agent forwards the packet to the assigned Care-of Address using an IPv6 tunnel. The Home Agent also broadcasts to all nodes in the home subnet, that requests for the corresponding mobile node will be relayed by the Home Agent. This is achieved by sending a Neighbor Advertisement which associates the mobile node’s IPv6 address with the Local Link address of the Home Agent. If the mobile node changes the subnet, a new Care-of Address will be generated (with the new subnet prefix). The new Care-of Address is then sent to the Home Agent, which updates its Binding Cache. If the mobile node returns to its home subnet, the assignment of the Home Address to Care-of Address is deleted in the Binding Cache and the Local Link address is updated in the home subnet. For sake of simplicity, we omitted some optional steps (Discovery of Home Agent, Setup of Security Association, Correspondent Node Binding). For more information about these steps refer to [6]. How we use the concepts of MIPv6 for the IoT with passive low-cost RFID tags as mobile nodes is described in the next sections.

5. Passive RFID Technology in the IoT As we state in section 4, we propose concepts from mobile IPv6 to integrate passive RFID tag into the IoT. This means, that also tags can be accessed directly and can thus provide their information to any Corresponding Node or can also be fed with data. To enable fully compatible IP-based communication in the IoT, we suggest to treat the RFID tags as mobile IPv6 nodes. The difference is, that the tags will not implement the IPv6 protocol by themselves but they will use the readers as a “translator” to the IPv6 network. There are some requirements, that have to be fulfilled to establish our suggestion of a passive-RFID enhanced IoT: • There exists an instance, we call it Home Agent according to MIPv6, which manages the tags and stores their current location. This Home Agent will relay all IPv6 packets for the corresponding tag. • The tags hold an unique IPv6 address to be contacted via IPv6. • The readers act as IPv6 routers for the tags and manage the communication between tags and the IoT. They also translate the IPv6 packets into RFID standard communication frames and vice versa. • Optionally, there can be an online look-up service, which can be use to derive the IP of a tag from its UID. Home Agent. Each IPv6-enabled tag is assigned to a so-called Home Agent. In our case, the tag manager provides the Home-Agent service. When a tag is issued or newly assigned, the Home Agent creates a new item in a database, where all assigned tags are registered with their UIDs and their Home Addresses. The Home Address consist of the subnet-prefix of the Home Agent and the tag identifier (= the 64 least-significant bits of

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

119

the IP address), which uniquely identifies the tag at the Home Agent site. If a tag enters a reader field, a Care-Of Address is created, which is the IP address where the tag can be reached currently. It consist of the subnet prefix of the reader and the tag identifier. This Care-Of Address is also stored in the Home Agent’s database to be able to relay the communication for the tag to the correct location. In principle, communication with an IPv6-enabled tag works like communication via MIPv6. The Corresponding Node wants to send a IPv6 packet to a particular tag. Therefore, it has to know the Home Address of the tag. If the Corresponding Node does not know it anyway, it has to know at least the UID of the tag. With this information, the IP address of the tag can be found by an online look-up service, which works similar to DNS in IP technology. For our scenario, we suppose, that the tag manager wants to contact an assigned tag. Therefore he does not only provide the Home-Agent service but is also the Corresponding Node and the IP address of the tag is known. Therefore, an online look-up service is not required for our applications. Corresponding Node 1

Home Agent IPv6 request 6

IPv6 response 7I Pv6

resp

2

ons

e

RFID request 4 RFID Tag

IPv6 request

IPv6 response 5

3

RFID response

Reader

Figure 2. Communication Principle

Figure 2 shows how the communication with an IPv6-enabled tag will be established. The Corresponding Node sends the packet via an IPv6 network (1). First the packet is sent to the Home Agent as the IP address starts with the subnet prefix of the Home Agent. From the IP address (=Home Address) the Home Agent can derive the UID and the Care-Of Address. Then the IPv6 packet is forwarded to the Care-Of Address(also via an IPv6 network) (2). The Care-Of Address refers to the subnet of the RFID reader, where the tag is currently present. The reader receives the IPv6 packet and looks up in its routing table which UID is related to the received IPv6 destination address. The payload of the packet is translated into an RFID request for the tag and sent via RF to the tag (3). The tag answers with an RFID response (4). The response has to be translated into an IPv6 packet. This packet is either sent back to the Home Agent (5) which relays the packet to the Corresponding Node (6) or sent to the Corresponding Node directly with the Care-Of address as source address (7). Depending on the Corresponding Node (if it is MIPv6-capable or not), further connection can be established directly with the reader or via the Home Agent.

120

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

Addressing Tags. The first approach to find IPv6 addresses for tags is the mapping from the UIDs to an IPv6 address, i.e. the bits from the UID are used to form the IP address. The advantage of this approach would be, that no extra memory space is needed on the tags and that Corresponding Nodes only need the UID of a tag to derive the IP address. As different passive RFID standards exist (e.g. [7], [8], [9], [10], [11]), there is no common UID structure for tags. Even within standards, there are different types of UIDs with different structures. This means, that a general concept to map tag UIDs to IPv6 addresses will not work. In the following, we will give an example how mapping could work for a GID96 identifier of EPC tags: A GID-96 identifier consists of 96 bits, which are arranged in header, serial number, an object class, and a manager number. Figure 3 shows the structure of a GID-96 identifier. The header consists of 8 bits. It is followed by a 28-bit General Manager Number. This number is a unique identifier for the manager of this object (corresponds to the Home Agent), which is responsible for the assignment of the following fields (serial number and object class). The Object Class is encoded as a 24-bit value. This value must be unique within the General Manager domain and identifies the object type. The 36-bit Serial Number is unique within an object class and identifies a particular entity of an object.

Header Manager # 8 bits 28 bits

Obj. Class 24 bits

Serial # 36 bits

Figure 3. Structure of GID-96 Identifier

An IPv6 address consists of 128 bits, which means we have to map some of the 96 bits from the EPC to an IPv6 address. It consists of 64 bits to identify the subnet and of 64 bits to identify the mobile node itself. The GIC-96 identifier consist of some bits to identify the company, which manages the tags (General Manager Number), and some bits to identify the type of item (Object Class) and the item itself (Serial Number). Thus, the General Manager Number can be used for the subnet prefix of the Home Agent and the Object Class and Serial Number should be used for the tag identifier of the IPv6 address. In figure 4, the size of the required IPv6-address fields are compared with the information gained from the 96-bit tag identifier.

4 bits

Subnet Prefix (64 bits) Tag Identifier (64 bits) Manager # Obj. Class Serial # 36 bits 28 bits 24 bits 36 bits Figure 4. Mapping of GID-96 codes to MIPv6 addresses

The General Manager Number holds only 28 bits and the subnet is decoded with 64 bits, therefore 36 bits for the subnet-prefix are missing. A direct mapping could be done at the reader site (e.g. padding), but this would reduce the address space of the Home Agents drastically to 28 bits. Another problem occurs if the subnet prefix is derived directly from the UID. We consider the tags to change their manager during lifetime. If the Home Agent address is coded in the UID (which does in general not change) it cannot be changed in case of an ownership transfer.

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

121

As the 64 most-significant bits of the IPv6 address (tag identifier) should define the tag, the tag specific parts of the UID could be used to fill up this part of the address. In our case, these parts are the Object Class and Serial Number. They consist of 60 bits, i.e. 4 bits are left. These 4 bits can be padded without reducing the address space, because at the Home Agent site, the Object Class together with the Serial Number must identify one item uniquely. If the Home Agent only issues 60-bit identifiers, no more than 260 items can be issued anyway. But an ownership transfer can be a problem also for the tag specific part of the IP address. The Tag Identifier is unique within the Home Agent domain, but this is not guaranteed for a new Home Agent domain. As we described above, there are some problems if the mobile IP address of an RFID tag is derived from its UID, therefore we propose another solution: when a tag is issued, the Home Agent creates a unique new Home Address for the tag. The IP address is stored on the tag and can be read out by a custom command. If the owner (or manager) of a tag changes, a new IP address, which is unique in the new domain, is stored on the tag. This solution needs more memory space and a little more time (for the request to get the tags’ IP) but has the advantage that it is a more general solution which works for all RFID standards. Look-Up Service. If the IP address is unrelated to the UID of a tag and the Corresponding Node does not know the IP address of the tag, it cannot derive it from the UID. In this case, a look-up service can help. The look-up service can map registered tag UIDs to their current Home Addresses. When a tag is issued, the Home Agent registers the tag at the look-up service with its UID and the new MIPv6 address. If the Home Agent of a tag changes, the entry at the look-up server is modified by the previous Home Agent. The modification of the data stored on the look-up server should only be done by authenticated Home Agents. The look-up service should work similar to DNS in an IP network. Readers as Routers. Readers communicate with the tags via RFID protocols and should be able to receive, process and send IPv6 packets. Readers are in general connected to a computer in order to control the reader and process the data gained from it. Also reader applications are controlled by the computer. As most of the computers are connected to the Internet, we assume that in the future Internet (of Things), these computers are able to handle IPv6 packets. We see the reader and the connected computer as one entity and use the term ”reader“ to refer to this entity. So we define that readers are able to handle IPv6 packets. If a new tag enters the reader’s field, the UID is recognized and further processed. In our case, the tag indicates (e.g. with a flag in the inventory response) that it is IPv6enabled. If this is the case, the reader obtains the IP address of the tag and creates a new Care-Of Address: The 64 least-significant bits of the address should be the same as for the IPv6 address of the tag. The 64 most-significant bits are filled with the subnet prefix of the reader. The reader uses the original subnet prefix of the tag address as destination address to send the new Care-Of Address to the Home Agent. Figure 5 shows the updating process. In the figure, the reader sends an inventory request (1), which is responded with the UID of the tag (2). The tag has indicated via a flag, that is IPv6-enabled, therefore the reader sends a custom command (getIP) (3) and receives the IP address of the tag (4).

122

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

RFID Tag

Inventory 2

1

Reader

UID get IP

4

IP

Home Agent 6

3

UID CoA

5 Subnet prefix Part of IP CoA

Figure 5. Address updating for IPv6-enabled RFID tags

The reader creates the new Care-Of Address for the tag (5) and sends it together with the UID to the Home Agent (6). The IP address of the Home Agent is derived from the tags’ IP address. The Home Agent updates its database with the tag’s new Care-Of Address. The reader itself will add the tags’ Care-Of Address in a “routing table”. In this table, also the IP address of the Home Agent and the RFID communication standard for the tag will be stored. The reader has to act as translator from IPv6 to RFID standard communication. In the simplest case, the reader can extract the data content from an IPv6 packet and sends it to the tag corresponding to the destination IP address. In this case, the Corresponding Node has to act as a remote reader and chooses the correct RFID protocol to talk to the tag. The Corresponding Node has to create the correct RFID requests and wraps it into an IPv6 packet to send it via the Internet. The reader extracts the data and relays the RFID frames to the tag. Another approach is, that a public command suite can be created and the Corresponding Node can send reader commands via IPv6 packets. The reader will then translate it into the correct RFID frame for the destination tag, send it to the tag, and send back the response as an IPv6 packet to the Corresponding Node. The reader must remember from which IP address a request came from, to send the corresponding response back to the correct Corresponding Node, i.e. that the reader also stores the last IPv6 packet received for any tag in its field. If a response from the tag arrives, the source address of the stored packet is used as destination address for the IPv6 response. In our scenario, the tag does not initialize an IPv6 communication, therefore it is always a previous IPv6 packet with the address of the Corresponding Node available.

6. Implementation We implemented a simulation environment for a proof of concept and to show that the basic idea of our approach works. This environment simulates the devices (nodes) and the communication principle shown in figure 2. For easier simulation some of the concepts were simplified. 6.1. Simulation Environment The IP network nodes are simulated on a single computer and they all use the same network card to communicate with each other. Since the nodes use different IPs and MACs they appear in the simulation environment as autonomous network nodes.

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

123

Software Components. In order to gain access to the data-link layer of the network we implemented a network stack in JAVA that uses the library JPCAP. JPCAP provides the functionality for sending and receiving raw network packets. Furthermore, a fully configurable JPCAP filter can be used to simulate a real network, because only correctlyaddressed packages will be received by the nodes. Each of the nodes has its own configuration file and starts as separate process. With this configuration file, parameters like the IP, MAC and the capture filter are set for each node. Hardware Components. For prototyping the RFID communication part of the implementation, we use an IAIK RFID HF Reader prototyping platform and IAIK RFID HF Demo Tags [12]. Both devices are built for easy prototyping of RFID applications with additional tag functionality. The IAIK RFID HF Demo Tag emulates passive RFID tags. It allows easy extension of its functionality and easy integration of custom commands to extend the protocols. Both, reader and demo tag can handle different RFID protocols, namely ISO/IEC14443[7], ISO/IEC 15693 [13] and ISO/IEC 18092 [10]. We decided to use the ISO/IEC 15693 protocol for the implementation. However, any other available RFID protocol could be used, because it is completely independent from the IPv6 part. For this implementation, the Demo Tag firmware has been extended by a custom command to request the IP address which is stored on the tag. The Reader firmware remains unmodified, since it offers a transparent interface for sending selfdefined custom commands. 6.2. Overview of the Test Implementation The text below gives a short overview about the implemented functionality of each of the three nodes and describes how they interact together. Home Agent Node. When the Home Agent node is started, it waits for incoming IPv6 packets which contains a so called RFID protocol header. We defined this header for testing purposes. It is in principle an IPv6 extension header with a currently unassigned Next Header byte. If this RFID protocol header is available in an IPv6 packet, its payload is interpreted as RFID frame. There are three types of RFID frames which are handled by the Home Agent: • UID/IP Lookup – Is sent by the Corresponding Node to receive an IP for a dedicated tag UID • Address Update – Is sent by the Reader Node to generate or change an IP entry for a tag in the list of the available tags • Data – Is sent by the Corresponding Node and forwarded to a tag Reader Node. The Reader node detects tags within its HF Reader field by doing anti-collision processes. If a tag is found, the reader requests its Home Address. From the Home Address, the IP of the Home Agent can be derived. The Reader creates a new IP address for the tag in its database (= routing table). There, it stores the UID of the tag and the current IP address as well as the Home Address. So, the reader can translate the destination IP of any incoming request into an UID. The reader sends an Address Update to the corresponding Home Agent containing the tag’s UID and its new IP address. The Reader node checks incoming IPv6 packets for RFID frames. If an RFID frame is detected, the Reader translates the destination IP into an UID and forwards the RFID

124

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

frame payload as addressed RFID command to the corresponding tag. The tag’s answer to the command is then packaged into an IPv6 frame and delivered to the Corresponding Node via the network. For this purpose, the Reader has to store the IP source address of the incoming RFID frame. Corresponding Node. The Corresponding Node represents the interface for a user or the application which initiated remote communication with a tag. Three tasks were implemented: • UID/IP lookup • Send data directly to a tag using its IP • Use the Home Agent to forward data to a tag 6.3. Communication Scenarios In the following we describe the program flows for the three simulated nodes in different situations. We illustrate how the Home Agent gets notified about the current IP of the tags and how the Corresponding Node receives this information. Finally, we show the communication between the nodes. Tag Detection. The following explanation refers to figure 5. After the Reader sent the Inventory request (1) to detect the tags in the field, it gets the UID (2) of one of the available tags. Afterwards the Reader sends a command (3) to this tag to receive its stored IP (Home Address) (4). The Reader creates a new IP address (=Care-Of Address) for the tag in its routing table and sends an Address-Update command to the Home Agent. TheAddress-Update command (6) contains the UID and the new IP of the tag. The command gets acknowledged by the Home Agent after the list with the UID/IP pairs has been updated. UID/IP Lookup. The Corresponding Node sends a lookup request containing the tag’s UID to the Home Agent. The Home Agent searches its database for the UID. If the UID is listed, the Home Agent replies with the current IP address for the requested UID. When the UID is not found in the list the Home Agent replies with an empty RFID packet containing an error code in the RFID header. Sending Data. In our implementation we tested two methods to send data to a tag. In the first method, an UID/IPv6 lookup is performed to get the current IP address to a known tag UID. Then, an IPv6 packet with an RFID frame is sent over the network to the Reader (as the current IP address of the tag contains the subnet address of the Reader). The Reader converts this packet into a valid RFID command and forwards it to the tag. Afterwards, it puts the tag’s response into an IPv6 frame and sends it back to the Corresponding Node. The regular method in mobile IPvs is the indirect addressing (figure 2). For the indirect addressing the Corresponding Node sends an RFID frame containing the UID of the tag and the data to the Home Agent. The Home Agent translates the UID part into the current IP address of the tag. It creates a new RFID frame using the current IP address of the tag as the destination address. The source address remains unchanged (= Corresponding Node). The payload from the original frame is copied in the new frame.

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

125

The rest of the communication is equal to the first method, the Reader will not recognize any difference between the direct and the indirect addressing. 6.4. Extension of the IPv6 Header The structure of an IPv6 Header is shown in figure 6. The Version byte is set to 0x06 to mark the package as IPv6 packet. Since we are not using any Quality-of-Service functionality, the Traffic Class and the Flow Label bytes are set to zero. The Next Header byte defines the type of the next header, which follows after the Destination Address. This can be a so called Extension Header or an Upper-Layer protocol (e.g. TCP). Some of the type identifiers are not assigned yet. We used one of these unassigned type identifiers (0xDD) to identify the payload of the packet as an RFID Frame.

Figure 6. IPv6 Header Structure

An RFID frame consists of: • Type Field (1 Byte) – Defines the structure of the Data Field. • Error Code (1 Byte) – If an error occurred, this field is not zero. • Data Field (n Bytes) – The content depends on the type of the package and may contain a UID, an IP or an RFID Command.

7. Security Considerations One of the main open topics for designing the Internet of Things is security. As we have seen in the “traditional” Internet, applications are not successful unless they provide an appropriate level of security. We suppose that this rule applies also for the IoT. This section discusses some basic considerations about a security layer for IPv6-enabled RFID tags, many points are left open for further investigation. For securing an IPv6 communication, well-known approaches exist: IPSec is a protocol that provides authentication and confidentiality for an IP communication [14]. For the connection between IPv6 nodes (Home Agent, corresponding node, reader) no additional security services have to be provided, as they already exist. But the communication line between Corresponding Node and IPv6-enabled tag is not secured, because the security depends on the behavior of the reader, which controls the IPv6 communication with the Corresponding Node. The tag cannot trust the reader, therefore a new security layer for secure communication between Corresponding Node and tag has to be implemented. For the applications which we have in mind (change of tag status, polling of tag information), the Corresponding Node should authenticate itself against the tag before being able to access the tag’s data. Also encryption of the tag information sent over the IP network should be provided. Recent research proofs, that passive low cost RFID tags

126

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

can compute symmetric and asymmetric crypto (e.g. [15], [16], [17], [18]). Challengeresponse protocols can provide authentication between tag and Corresponding Node and encryption can establish confidentiality between the nodes. Privacy protection in terms of tracking prevention for the tags is not considered in this paper, as we are of the opinion that if a tag wants to be addressable within an IP network it must reveal its identity. Corresponding Node 1 7

Home Agent read challenge response data

6 12

2 read

4 10 RFID Tag

read req. challenge response data

3

8 chall.

resp.

5

data 11

9 Reader

Figure 7. A Secure Connection for IPv6-enabled RFID tags

In figure 7 we illustrate protected communication between Corresponding Node and tag. In this scenario the Corresponding Node requests data from the tag. The Corresponding Node sends read request to the Home Agent which relays the message to the tag’s Care-Of Address . The reader receives the message and translates it into an RFID frame before forwarding it to the corresponding tag. The tag’s response indicates, that it requires authentication from the Corresponding Node and replies a challenge to the reader. The reader translates the tag response into an IPv6 packet and returns it to the Corresponding Node. The Corresponding Node encrypts the challenge with its private key and sends the response back to the tag (same procedure as before). The tag can now check the response and, if successful, may encrypt the requested data to send it back to the Corresponding Node. This mechanism is only a basic concept and still suffers from some insufficiencies, e.g. also the tag should authenticate itself against the Corresponding Node. Another point to consider is, that this protection does not yet repel session hijacking. This problem does not exist in “traditional” RFID technology because the reader polling the data is physically present. In our scenario the Corresponding Node is remotely connected. During the reading process, this may not be a problem, because an unauthorized Corresponding Node will not be able to process the encrypted tag response. For writing, other security protocols have to be considered, e.g. only encrypted requests are handled by the tag. Another solution for the problem is the usage of IPSec, i.e. that session keys are used and the reader can control if the Corresponding Node changes. Then, the tag has to trust the reader and indicate that the IP communication should use IPSec. Anyway, the reader or the Corresponding Node can decide to use IPSec for the communication or not. Another approach will be to secure the end-to-end connection between the Corresponding Node and the tag with IPSec. The critical point in this matter are the cryptographic capabilities of the RFID tags. Tags will need some functionality like symmetric and asymmetric encryption, MACs or random number generation. As we stated before, all of these functionality are already capable also for passive RFID tags. The work, that

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

127

has to be done is to define different requirements (= security suites) for tags to reach different security goals. We are confident that this work will be done in the near future and also secure end-to-end communication from nodes in the network to RFID tags will soon be possible.

8. Conclusion In this paper we present a concept to integrate passive RFID tags as nodes into IPv6 networks. We think that many new applications will be possible if RFID tags can be accessed via the Internet. We looked at concepts from mobile IPv6 technology and came to the conclusion, that these concepts also work for passive RFID tags. We designed a system consisting of a Home Agent (which manages tag information), RFID readers (which act as routers and translators), IPv6-enabled tags holding IPv6 addresses, and an optional online look-up service. As proof of concept, we implemented a simulation environment, which implements the concept in a simplified way. The overhead to create IPv6-enabled tags is minimal. Most of the complexity of the system is shifted to the readers, which have in general enough resources available for managing this challenge. The particular implementation of the reader software is one major point in the future. Security is another important topic for an RFID-enhanced Internet of Things on basis of IPv6. In the last section, we give some starting points for a security discussion in this scenario. To provide secure communication, some more functionality is required also on the tag. We think that all in all, the additional benefit does exceed the overhead for many applications. Many open questions There remain for future research. With this paper we hope to give an impulse for IPv6-enabled passive RFID devices.

References [1] S. Sarma, D. L. Brock, and K. Ashton, “White Paper: The Networked Physical World,” MIT-AUTOIDWH-001.pdf, October 2000. [2] S. Dominikus, M. J. Aigner, and S. Kraxberger, “Passive rfid technology for the internet of things,” in Workshop on RFID / USN Security and Cryptography, 2010, in press, will be published by IEEE and fully indexed by IEEE Xplore. [3] D. W. Engels, “Comparison of the Electronic Product Code Identification Scheme & the Internet Protocol Address Identification Scheme,” June 2002. [Online]. Available: http://www.autoidlabs.org/uploads/media/MIT-AUTOID-TM-008.pdf [4] L. Sang-Do, S. Myung-Ki, and K. Hyoung-Jun, “EPC vs. IPv6 mapping mechanism,” in The 9th International Conference on Advanced Communication Technology, vol. 2, February 2007, pp. 1243–1245. [5] L. Y.-S. Chang Yao-Chung, Chen Jiann-Liang and W. Shi-Ming, “RFIPv6 - A Novel IPv6-EPC Bridge Mechanism,” in Proceedings of the IEEE International Conference on Consumer Electronics, Januar 2008. [6] S. Deering and A. Hiden, “RFC 2460: Internet Protocol, Version 6 (IPv6) Specification,” December 1998. [7] International Organization for Standardization (ISO), “ISO/IEC 14443: Identification Cards - Contactless Integrated Circuit(s) Cards - Proximity Cards,” 2000. [8] ——, “ISO/IEC 18000-3: Information Technology AIDC Techniques — RFID for Item Management – Part 3: Parameters for air interface communications at 13.56 MHz,” March 2004. [9] ——, “ISO/IEC 18000-6: Information Technology AIDC Techniques — RFID for Item Management – Part 6: Parameters for air interface communications at 860-960 MHz,” 2004.

128

S. Dominikus et al. / Low-Cost RFID Tags as IPv6 Nodes in the Internet of Things

[10] International Organisation for Standardization (ISO), “ISO/IEC 18092: Information technology Telecommunications and information exchange between systems - Near Field Communication - Interface and Protocol,” April 2004. [11] EPCglobal, “13.56 MHz ISM Band Class 1 Radio Frequency (RF) Identification Tag Interface Specification,” February 2003, available online at http://www.epcglobalinc.org/. [Online]. Available: http://www.epcglobalinc.org/ [12] M. Feldhofer, M. J. Aigner, M. Hutter, T. Plos, E. Wenger, and T. Baier, “Semi-passive rfid development platform for implementing and attacking security tags,” in Workshop on RFID / USN Security and Cryptography, IEEE, Ed., 2010, in press, will be published by IEEE and fully indexed by IEEE Xplore. [13] International Organisation for Standardization (ISO), “ISO/IEC 15693-3: Identification cards - Contactless integrated circuit(s) cards - Vicinity cards – Part 3: Anticollision and transmission protocol,” 2001. [14] S. Kent and K. Seo, “RFC 4301: Security Architecture for the Internet Protocol,” RFC 4301 (Proposed Standard), Dec 2005. [Online]. Available: http://www.ietf.org/rfc/rfc4301.txt [15] M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, “Strong Authentication for RFID Systems using the AES Algorithm,” in Cryptographic Hardware and Embedded Systems – CHES 2004, 6th International Workshop, Cambridge, MA, USA, August 11-13, 2004, Proceedings, ser. Lecture Notes in Computer Science, M. Joye and J.-J. Quisquater, Eds., vol. 3156. Springer, August 2004, pp. 357–370. [Online]. Available: http://springerlink.metapress.com/content/26tmfjfcju58upb2/fulltext.pdf [16] M. Feldhofer, J. Wolkerstorfer, and V. Rijmen, “AES Implementation on a Grain of Sand,” IEE Proceedings on Information Security, vol. 152, no. 1, pp. 13–20, October 2005. [Online]. Available: http://ieeexplore.ieee.org/iel5/10348/32912/01541355.pdf ˝ A Proof in [17] D. Hein, J. Wolkerstorfer, , and N. Felber, “ECC is Ready for RFID USilicon,” in Workshop on RFID Security 2008 (RFIDsec08), July 2008. [Online]. Available: http://events.iaik.tugraz.at/RFIDSec08/ [18] H. Bock, M. Braun, M. Dichtl, E. Hess, J. Heyszl, W. Kargl, H. Koroschetz, B. Meyer, and H. Seuschek, “A Milestone Towards RFID Products Offering Asymmetric Authentication Based on Elliptic Curve Cryptography,” Invited talk at RFIDsec 2008, July 2008.

Radio Frequency Identification System Security T. Li et al. (Eds.) IOS Press, 2011 © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-722-2-129

129

MEED: A Memory-efficient Distance Bounding Protocol with Error Detection Wei XIN a , Cong TANG a , Hu XIONG b , Yonggang WANG a , Huiping SUN a , Zhi GUAN a and Zhong CHEN a a Institute of Software, EECS, Peking University, Beijing, China MoE Key Lab of High Confidence Software Technologies (PKU) {xinwei,tangcong,wangyg,huipingsun,guanzhi,chen}@infosec.pku.edu.cn b School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, P.R.China Abstract. Radio Frequency Identification (RFID) systems suffer from different security and privacy problems, among which relay attacks are a hot topic recently. A relay attack is a form of man-in-the-middle (MITM) attack where the adversary manipulates the communication by only relaying the verbatim messages between two parties. The main countermeasure against relay attacks is the use of distance bounding protocols measuring the round-trip time between the reader and the tag, more precisely, it uses bit exchanges for a series of rapid challenge-response rounds in RFID systems. In 2005, Hancke and Kuhn first introduced distance bounding protocol into RFID systems, after that, many schemes have been proposed based on this protocol. However, most schemes tend to a more complex design to decrease adversary’s success probability. In this paper, we propose a novel distance bounding protocol named MEED, using only 2n bits of memory, which, to our best knowledge, is equal to Hancke and Kuhn’s protocol and less than any existing protocols. In addition, by using our protocol, the tag is able to detect adversary’s malicious queries. We also make a comparison with typical previous distance bounding protocols in both memory and mafia fraud success probability. Keywords. RFID, distance bounding protocol, relay attack

Introduction RFID technology represents a fundamental change in the information technology infrastructure. It is a non-contact, automatic identification technology that uses radio signals to identify, track, sort and detect a variety of objects including people, vehicles, goods and assets without the need for direct contact. These systems comprise Radio Frequency (RF) tags and RF readers and sometimes back-end server. Readers broadcast RF signals to access resistant data stored in tags. Like all growing technologies, RFID brings along its share of security related problems, among which relay attacks are a hot topic recently. Relay attacks were first introduced by Conway [1], describing a person who knew nothing about chess could beat a grandmaster. The secret was relaying moves between two grandmasters, the person will either win against one, or draw against both. Desmedt et al. [2] showed how relay attacks could be applied to security protocols, and in their paper, relay attack was called “mafia fraud”. We will adopt the definition in [3] that a relay attack is a form of man-

130

W. Xin et al. / MEED: A Memory-Efficient Distance Bounding Protocol with Error Detection

in-the-middle (MITM) attack where the adversary manipulates the communication by only relaying the verbatim messages between two parties. Some relative concepts such as distance fraud, mafia fraud, and terrorist fraud attacks were also precisely defined in their paper. RFID systems are vulnerable to relay attacks where the attacker relays communication between the reader and the tag. It is difficult to prevent these attacks since the adversary does not change any data between the reader and the tag. Therefore, relay attacks cannot be prevented by using cryptographic protocols that operate at the application layer. Relay attacks not only exist in RFID systems, but also in electronic payment systems [4] using contact Chip-and-Pin smart cards. To deploy relay attack, an attacker needs a tag agent (T ) and a reader agent (R), which not only have regular functions of the tag and the reader, but also with the ability of relaying communications. The relay channel between T and R usually has a long distance in order to relay information without being detected. The relay attack setup is shown in Fig. 1. A relay module in the dashed rectangular is made up of three parts, the tag agent, the reader agent and the relay channel. The reader agent and the tag agent are placed respectively near the real tag and reader. Any information transmitted from the real reader to the real tag is relayed by the tag agent and the reader agent to the real tag. The tag mistakes the reader agent as the real reader and responds. The response is then relayed back passing through the reader agent and the tag agent to the real reader. The real reader is unable to distinguish between the real tag and the tag agent and will therefore assume that the real tag is in the near field and associated with the owner. A possible relay attack setup using modified Near Field Communication (NFC) devices was presented by Kfir, et al. [5]. Hancke [6] successfully executed a relay attack against an ISO 14443A contactless smart card, up to a distance of 50m. Lishoy Francis [7]described a relay attack implementation using legitimate peer-to-peer NFC communication by installing suitable MIDlets on NFC-enabled mobile phones.

Ĺ

ĺ

  

 

   

  

    



ķ

ĸ

Figure 1. Relay attack on a RFID system

In this paper, we propose a novel distance bounding protocol using only 2n bits of memory, which, to our best knowledge, is equal to Hancke and Kuhn’s protocol [8], and less than any other existing protocols. In addition, in our protocol, a tag is able to detect malicious queries. The rest of the paper is organized as follows. In Section 1, we describe related work on distance bounding protocols. Section 2 presents our novel

W. Xin et al. / MEED: A Memory-Efficient Distance Bounding Protocol with Error Detection

131

protocol. Sections 3 compares performances of our proposed protocol with other distance bounding protocols. Finally, section 4 concludes.

1. Distance Bounding Protocols In order to resist relay attacks, a myriad of approaches have been proposed, such as using Faraday cage, constructing unique fingerprint on communication channels [9], and adding location information to the devices [10,11]. The main approach to prevent relay attacks were introduced by Beth and Desmedt [12], namely distance bounding, based on calculating the round trip time (RTT) between th verifier and the prover. A verifier checks the distance of a prover by measuring the RTT given that the speed of the radio signal can not exceed that of the light. The mechanism of RTT is shown in Fig. 2. To decide whether the prover is in the neighborhood, the verifier needs to measure the RTT of a single bit of data transmitted from the verifier to the prover and return back for n times. Assuming that the signal propagation speed is known, the verifier can define Δtmax that is the maximum expected RTT including propagation and processing delays. A RTT Δti less than Δtmax demonstrates that the prover stays in the verifier’s neighborhood.

 



 





 % 

!"#"$  

Figure 2. Round Trip Time Measurement

Brands and Chaum [13] designed the first distance bounding protocol based on RTT to hinder relay attacks. In 2005, Hancke and Kuhn [8] first introduced a distance bounding protocol (HKP) into RFID systems. HKP has been chosen as a reference-point since many schemes were based on the protocol. In 2006, Munilla et al. modified HKP by applying “void challenges”[14]. Reid et al.[15] eliminated HKP’s vulnerability to the terrorist fraud attack. In 2009, Avoine et al.[16] extended the void challenges to psymbols. Avoine et al. [17] and Trujillo-Rasua et al.[18] respectively brought tree-based and graph-based methods into distance bounding protocols. Kim et al.[19] provided a protocol based on binary mixed challenges that converges toward the expected and optimal (1/2)n bound on the success probability of the adversary. Singelée and Preneel

132

W. Xin et al. / MEED: A Memory-Efficient Distance Bounding Protocol with Error Detection

[20] proposed a protocol using Error Correcting Code (ECC) to cope with bit errors during the rapid bit exchanges. In order to better understand the common process of these protocols, we divide it into four basic phases as follows: 1. Initialization. The verifier and the prover share some security parameters such as secret keys and hash functions. The verifier also sets the maximum expected RTT Δtmax in this phase. 2. Slow Phase. The verifier and the prover do preparations for the Fast Phase such as negotiating the rules of generating correct response bits. Generally, in this phase, the verifier and the prover exchange more than one bit of data in each round. 3. Fast Phase. This phase consists of n rounds, in each round, the verifier picks a random bit challenge ci and sends it to the prover. The latter immediately responds with ri , the verifier records the time between sending ci and receiving ri . 4. Verification. The verifier ensures that the exchanges in the Fast Phase has been executed faithfully and can therefore use the RTT to calculate the distance. 1.1. Brands and Chaum’s Protocol Brands and Chaum proposed the first distance-bounding protocol based on timing the single-bit RTT in a cryptographic challenge-response exchange. It is shown in Fig. 3. The phases are described as follows: Initialization. The verifier and the prover share no security parameters, so the verifier just needs to set a timing bound Δtmax . Slow Phase. The verifier generates a random bit string of challenge C and the prover generates a random bit string of M which serves as one part of responses, both C and M have the same length of n. The prover then commits to the string M to the verifier using a secure commitment scheme before the Fast Phase starts. The prover’s responses are based on string M and the challenge C, so the prover must wait until she received the challenge before transmitting her responses. Fast Phase. The verifier transmits one challenge bit of challenge C denoted by ci at a time (for all i = 1, ..., n), to which the prover responds immediately with ri = ci ⊕ mi . The verifier times the round-trip delay Δti between sending each bit ci and receiving the corresponding response bit ri . Verification. The prover reveals M and transmits a digital signature of m which concatenates two bit strings of C and R (r1 ...rn ). The verifier will check whether the prover received challenge bits correctly by using the digital signature of m. The verifier also checks that mi = ci ⊕ ri for i = 1 to n, by using the string M she committed to. Finally, the verifier checks that ∀i, 1 ≤ i ≤ n,Δti ≤ Δtmax to make sure that the prover is in the neighborhood. A fraudulent prover or a third party attacker that attempts to preemptively guess all the response bits ri from honest prover will succeed with probability 2−n . The protocol fails if a single bit error occurs during the Fast phase, since the verification signature will be incorrect and not accepted by the verifier. In addition, this protocol was not designed for RFID systems.

W. Xin et al. / MEED: A Memory-Efficient Distance Bounding Protocol with Error Detection %&&% &  3

 .-

*%

"$

0102220

133

4

'(

0102220

 )

--

   

/

! !  !" # "$

 

' +(,- '(

Å 002220 0

Figure 3. Brands and Chaum’s protocol

1.2. Hankce and Kuhn’s Protocol The HKP [8], as illustrated in Fig. 4, is the most popular distance bounding protocol in RFID systems. In Fig. 4, we use the reader and the tag instead of the verifier and the prover. HKP is a simple and fast protocol, but it suffers from high adversary success probability. The phases are described as follows: Initialization. The Reader (R)and the Tag (T) share a secret x and agree on a security parameter n and a public pseudo random function H whose output size is 2n. R sets a timing bound Δtmax which is the maximum expected RTT. Slow Phase. R generates a random nonce Na and sends it to T. In response, T generates Nb and sends it to R. R and T then both compute H 2n := H(x, Na , Nb ). Let Hi (1 ≤ i ≤ 2n) denote the ith bit of H 2n , and Hi ...Hj (1 ≤ i < j ≤ 2n) denote the concatenation of the bits from Hi to Hj . Then R and T split H2n into two registers of length n: v0 := H1 ...Hn and v 1 := Hn+1 ...H2n . Fast Phase. The fast phase consists of n rounds. In each of the rounds, R picks a random bit ci (the challenge) and sends it to T. T responds immediately with ri = vi0 if ci = 0 and ri = vi1 if ci = 1. Verification. After n rounds, R checks the correctness of each ri and the propagation time that ∀i, 1 ≤ i ≤ n, Δti ≤ Δtmax . If T meets these two conditions, R will regard T as a legitimate tag. The best known attack in the distance bounding protocols is that the adversary queries the tag with n 1-bit challenges between the slow and fast phases, she can obtain some useful messages for answering the reader’s challenges. As an example, we assume that the adversary sends all 1-bit zero challenges to the tag, then the adversary has two choices facing the reader’s challenges: if ci = 0, she sends the right answer; if ci = 1, she sends a random number 0 or 1 with success probability 12 . Thereby, the adversary’s success probability is ( 34 )n . Except for high success probability of the adversary, HKP has at least two drawbacks: (a)HKP is an One-way authentication protocol, which is one reason for the high success probability of the adversary. (b)HKP only consumes n bits

134

W. Xin et al. / MEED: A Memory-Efficient Distance Bounding Protocol with Error Detection

of vi0 and vi1 for responses, thus remaining n bits are totally wasted. That is one reason why we put forward our own protocol.

&  3





$,8,"$

$,8

 4

4

700)8'$,4

700)8'$,4,46( 07000

--

   



 46

46

 .-

,46(

07000

 )

 



77 

! -- 5-  " # "$

Figure 4. Hankce and Kuhn’s protocol

2. Design of MEED HKP was modified by Munilla et al. with “void challenges” [14]. The main idea is to add another n-bits string p in each execution, if pi = 1 the reader sends challenge (fullchallenge) and pi = 0 she does not (void-challenge). These void-challenges, will allow the tag to detect whether she is communicating with an adversary or a legitimate reader. Assume that the probability of being full challenges is pf , in [21], the author recommended, the optimal value of pf is 4/5. Since pf = 3/4 is close to 4/5 and easy to generate, the author proposed to use 2n bits to generate the vector p combining bits two by two, if H2i−1 H2i are ‘00’,‘01’ or ‘10’, it means that pi = 1, and if they are ‘11’ it means pi = 0. It is an exquisite design, however, it needs extra n bits to generate p. Another problem in existing distance bounding protocols is that only n bits of v 0 and v 1 have been used, leaving remaining n bits wasted. The author also suggested that using two directions of n + 1 bits of v instead of 2n bits of v 0 and v 1 . If a challenge ci = 0, the tag responds with the most significant bit of v, then discards this bit; If the challenge ci = 1, the tag will respond with the least significant bit of v, then discards this bit. This design seems possible, yet it brings a serious threat. If an adversary sends all 1-bit zero challenges to the tag in advance, she will obtain the first n bits of v. As a result, the adversary will be able to answer most of the challenges except for the first ‘1’ challenge from the reader. Moreover, there is a concealed defect in this method, if the reader sends ci to the tag, the tag receives a wrong challenge bit for some reason such as noisy circumstances. The reader and the tag will lose synchronization which leads to disastrous consequences in the later rounds. Our proposed scheme aims to address aforementioned issues. The basic idea is described as follows: we use a hash function H(x, Na , Nb ) to generate a 2n bits string

135

W. Xin et al. / MEED: A Memory-Efficient Distance Bounding Protocol with Error Detection

which is split into n bits of p and v respectively. If pi = 1, the reader sends a 1-bit ranand vi , if dom challenge; if pi = 0, the reader performs a XOR operation between pi pi vi = 1, then reader still sends a 1 bit random challenge, otherwise if pi vi = 0, she does not. In this way, the probability of being full challenges can be achieved to 3/4. Since the reader still has 1/4 probability to send void challenge, and the adversary can not get both pi and vi in advance, the malicious queriesto the tag can be detected . In order to save memory, we use an expression of (pi ∨ ci ) (ci ∧ vi ) instead of vi0 and vi1 as a response. The expression satisfies that ci and ∼ ci have the same chance to generate 0 or 1, an adversary can hardly finds any useful message when her pre-ask challenge (c∗i ) is different from the reader’s challenge (ci ), so she will unable to answer the challenge correctly in the fast phase. Now we describe our protocol in detail. The whole process of protocol is shown in Fig. 5. Initialization. The Reader (R) and the Tag (T) share a secret x and agree on a security parameter n and a public pseudo random function H whose output size is 2n. R sets a timing bound Δtmax . Slow Phase. R generates a random nonce Na and sends it to T. In response, T generates Nb and sends it to R. R and T then both compute H 2n := H(x, Na , Nb ). Let Hi (1 ≤ i ≤ 2n) be the ith bit of H 2n , R and T split H2n into two registers of length n: p = H1 ...Hn and v = Hn+1 ...H2n . Fast Phase. The fast phase consists of n rounds. In each of the rounds: (a) At the reader’s side. R generates a random bit ci ∈ {0, 1}, if pi = 1, R sends ci to T, otherwise if pi = 0, R makes a further judgement, if pi ⊕ vi = 1, R sends ci to T, if pi ⊕ vi = 0, she does not send. (b) At the tag’s side. Upon reception of a challenge ci from R, if pi ∧ vi = 0, T responds with a random bit (error detected); otherwise T responds with (pi ∨ ci ) (ci ∧ vi ) to R. The procedures of R and T are shown in Algorithm 1 and Algorithm 2. Algorithm 1 The Procedure for R to Generate a Challenge R generates a random bit ci ∈ (0,1) if pi = 1 then R sends ci to T else if pi ⊕ vi = 1 then R sends ci to T else R does not send challenge end if end if Verification. The authentication succeeds that, in each round, ri = (pi ∨ ci ) vi ) and Δti ≤ Δtmax .



(ci ∧

3. Analysis As stated in [3], there are four types of frauds in distance bounding protocols: impersonation fraud, distance fraud, mafia fraud and terrorist fraud. Mafia fraud is regarded as

136

W. Xin et al. / MEED: A Memory-Efficient Distance Bounding Protocol with Error Detection

Algorithm 2 The Procedure for T to Respond a Challenge T receives of a challenge ci if pi ∧ vi = 0 then T responds with a random bit else  T responds with (pi ∨ ci ) (ci ∧ vi ) end if

/ŶŝƚŝĂůŝnjĂƚŝŽŶ

ZĞĂĚĞƌ

 dĂŐ 

$,8,"$

$,8

 4  ^ůŽǁWŚĂƐĞ

46

 46

98:1 8'$,4,46( 9:8008100222008  9:8 ;008 ;1002220081