Mohammad Reza Sohizadeh Abyaneh



Similar documents
EQUATIONS OF LINES AND PLANES

The art of Paperarchitecture (PA). MANUAL

Small Business Networking

Small Business Networking

Reasoning to Solve Equations and Inequalities

Small Business Networking

Small Business Networking

Polynomial Functions. Polynomial functions in one variable can be written in expanded form as ( )

How To Network A Smll Business

ASPECTS CONCERNING A DYNAMIC MODEL FOR A SYSTEM WITH TWO DEGREES OF FREEDOM

How To Set Up A Network For Your Business

1.2 The Integers and Rational Numbers

Rotating DC Motors Part II

Novel Methods of Generating Self-Invertible Matrix for Hill Cipher Algorithm

Example 27.1 Draw a Venn diagram to show the relationship between counting numbers, whole numbers, integers, and rational numbers.

Regular Sets and Expressions

AntiSpyware Enterprise Module 8.5

Bayesian Updating with Continuous Priors Class 13, 18.05, Spring 2014 Jeremy Orloff and Jonathan Bloom

JaERM Software-as-a-Solution Package

2 DIODE CLIPPING and CLAMPING CIRCUITS

Architecture and Data Flows Reference Guide

Small Businesses Decisions to Offer Health Insurance to Employees

Math 314, Homework Assignment Prove that two nonvertical lines are perpendicular if and only if the product of their slopes is 1.

Section 5-4 Trigonometric Functions

Technical Appendix: Multi-Product Firms and Trade Liberalization (Not For Publication)

Answer, Key Homework 10 David McIntyre 1

Project 6 Aircraft static stability and control

In addition, the following elements form an integral part of the Agency strike prevention plan:

1.00/1.001 Introduction to Computers and Engineering Problem Solving Fall Final Exam

Unleashing the Power of Cloud

Scalable Mining of Large Disk-based Graph Databases

Appendix D: Completing the Square and the Quadratic Formula. In Appendix A, two special cases of expanding brackets were considered:

Binary Representation of Numbers Autar Kaw

RTL Power Optimization with Gate-level Accuracy

P.3 Polynomials and Factoring. P.3 an 1. Polynomial STUDY TIP. Example 1 Writing Polynomials in Standard Form. What you should learn

Factoring Polynomials

Firm Objectives. The Theory of the Firm II. Cost Minimization Mathematical Approach. First order conditions. Cost Minimization Graphical Approach

Helicopter Theme and Variations

MATH PLACEMENT REVIEW GUIDE

European Convention on Certain International Aspects of Bankruptcy

Dynamic TDMA Slot Assignment in Ad Hoc Networks

Or more simply put, when adding or subtracting quantities, their uncertainties add.

Health insurance exchanges What to expect in 2014

9 CONTINUOUS DISTRIBUTIONS

The Principle of No Punishment Without a Law for It LEARNING OBJECTIVES: CRLA.GAAN:

Angles 2.1. Exercise Find the size of the lettered angles. Give reasons for your answers. a) b) c) Example

Health insurance marketplace What to expect in 2014

Solving the String Statistics Problem in Time O(n log n)

CS99S Laboratory 2 Preparation Copyright W. J. Dally 2001 October 1, 2001

Math 135 Circles and Completing the Square Examples

Mathematics. Vectors. hsn.uk.net. Higher. Contents. Vectors 128 HSN23100

DlNBVRGH + Sickness Absence Monitoring Report. Executive of the Council. Purpose of report

Morgan Stanley Ad Hoc Reporting Guide

Features. This document is part of the Terms and Conditions for Personal Bank Accounts Barolin St, PO Box 1063 Bundaberg Queensland 4670

Network Configuration Independence Mechanism

Pure C4. Revision Notes

FAULT TREES AND RELIABILITY BLOCK DIAGRAMS. Harry G. Kwatny. Department of Mechanical Engineering & Mechanics Drexel University

Econ 4721 Money and Banking Problem Set 2 Answer Key

New Internet Radio Feature

THE PARAMETERS OF TRAPS IN K-FELDSPARS AND THE TL BLEACHING EFFICIENCY

VoIP for the Small Business

Cafitesse 60. Gebruiksaanwijzing Mode d emploi Bedienungsanleitung Operator manual Instrucciones de servicio. December 2009 Article no

The Journal of Systems and Software

Use Geometry Expressions to create a more complex locus of points. Find evidence for equivalence using Geometry Expressions.

Vendor Rating for Service Desk Selection

Utilization of Smoking Cessation Benefits in Medicaid Managed Care,

Angles and Triangles

5 a LAN 6 a gateway 7 a modem

Section 5.2, Commands for Configuring ISDN Protocols. Section 5.3, Configuring ISDN Signaling. Section 5.4, Configuring ISDN LAPD and Call Control

Simulation of operation modes of isochronous cyclotron by a new interative method

Graphs on Logarithmic and Semilogarithmic Paper

All pay auctions with certain and uncertain prizes a comment

COMPONENTS: COMBINED LOADING

ClearPeaks Customer Care Guide. Business as Usual (BaU) Services Peace of mind for your BI Investment


Experiment 6: Friction

Data replication in mobile computing

** Dpt. Chemical Engineering, Kasetsart University, Bangkok 10900, Thailand

Quick Reference Guide: One-time Account Update

A Network Management System for Power-Line Communications and its Verification by Simulation

Secure routing for structured peer-to-peer overlay networks

Integration by Substitution


Outline of the Lecture. Software Testing. Unit & Integration Testing. Components. Lecture Notes 3 (of 4)

Version 001 Summer Review #03 tubman (IBII ) 1

EasyMP Network Projection Operation Guide

Software Cost Estimation Model Based on Integration of Multi-agent and Case-Based Reasoning

An Undergraduate Curriculum Evaluation with the Analytic Hierarchy Process

Virtual Machine. Part II: Program Control. Building a Modern Computer From First Principles.

Solving BAMO Problems

Pentominoes. Pentominoes. Bruce Baguley Cascade Math Systems, LLC. The pentominoes are a simple-looking set of objects through which some powerful

Transcription:

PA S S I V E C R Y P TA N A LY S I S O F T H E U N C O N D I T I O N A L LY S E C U R E A U T H E N T I C AT I O N P R O T O C O L F O R R F I D S Y S T E M S Mohmm Rez Sohizeh Ayneh Astrct. Recenty, Aomir et. propose the first Un- Conitiony Secure mutu uthentiction protoco for owcost RFID systems(ucs-rfid). The security of the UCS- RFID reies on five ynmic secret keys which re upte t every protoco run using fresh rnom numer (nonce) secrety trnsmitte from reer to tgs. Our resuts show tht, t the highest security eve of the protoco (security prmeter= 256), inferring nonce is fesie with the proiity of 0.99 y evesropping(oserving) out 90 runs of the protoco. Fining nonce enes pssive ttcker to recover five secret keys of the protoco. To o so, we propose three-phse proiistic pproch in this pper. Our ttck recovers the secret keys with proiity tht increses y ccessing more protoco runs. We so show tht trcing tg using this protoco is so possie even with ess runs of the protoco. Key Wors: RFID, Authentiction Protoco, Pssive Attck. Deprtment of Informtics, University of Bergen 85

Security Anysis Of Lightweight Schemes for RFID Systems 1 I N T R O D U C T I O N As of toy, RFID (Rio Frequency Ientifiction) is referre to s the next technoogic revoution fter the Internet. A typic RFID system invoves reer, numer of tgs, which my rnge from the ttery-powere, to the ow-cost ones with even no intern power, n tse. RFID systems ene the ientifiction of ojects in vrious environments. They cn potentiy e ppie most everywhere from eectronic pssports[19, 20], contctess creit crs[18], to suppy chin mngement[21 23]. Keeping RFID systems secure is impertive, ecuse they re vunere to numer of micious ttcks. For ow-cost RFID systems, security proems ecome much more chenging, s mny trition security mechnisms re inefficient or even impossie ue to resource constrints. Some existing soutions utiize trition cryptogrphic primitives such s hsh or encryption functions, which re often too expensive to e impemente on ow-cost RFID tgs. Another metho of securing RFID systems hs een the ightweight pproch. These soutions se themseves on mosty ightweight opertions (e.g. itwise or simpe rithmetic opertions) inste of more expensive cryptogrphic primitives. The HB-fmiy(HB +,HB ++, HB*,etc.) [1 7] n the MAP-fmiy(LMAP,EMAP,M2AP,etc)[8 10] uthentiction protocos, re some exmpes of this kin. However, propose ightweight protocos so fr hve een trgete to vrious successfu ttcks n therefore, the serch for concrete ightweight soution for uthentiction in ow-cost RFID tgs sti continues. Recenty, Aomir et. emrke on the notion of UnConitiony Secure mutu uthentiction protoco for RFID systems (UCS- RFID)[16]. UCS-RFID s security reies miny on the freshness of five secret keys rther thn the hrness of soving mthemtic proems. Freshness in the keys is gurntee with key upting phse t every protoco run y mens of fresh rnom numer (nonce). This nonce is generte t the reer sie ue to ow-cost tgs constrints, n eivere to the tg secrety. This ows the tgs to enefit from the functionities of rnom numers without the hrwre to generte them. Our Contriution. In this pper, we present three-phse proiistic pssive ttck ginst the UCS-RFID protoco to recover the secret keys in the protoco. Our ttck is miny se on wekness oserve in the protoco(section 3). To put in nutshe, the wekness 86

Pssive Cryptnysis of the UnConitiony Secure Authentiction Protoco for RFIDs impies tht the more outputs we hve from consecutive runs of the protoco, the more knowege we wi otin on the nonces in these protoco runs. In other wors, hving more numer of protoco run outputs oserve, we re e to etermine some of the nonces (victim nonces) with higher proiity. It shou e note tht this wekness hs so een tcke y the uthors in [16]. Nevertheess we wi show tht the security mrgin they expecte from the protoco hs een overestimte. Fining the victim nonce in the protoco pves the wy towr opting n ttcking scenrio to chieve of the five secret keys in the system. Outine. The reminer of this pper is orgnize s foows. In section 2, we riefy escrie the UCS-RFID protoco. In section 3 the wekness of the protoco is investigte thoroughy. Section 4 n 5 escries our ttcking scenrio to recover the keys, n trce the tg in the protoco. Finy, section 6 concues the pper. 2 D E S C R I P T I O N O F T H E UCS-RFID P R O TO C O L The UCS-RFID uthentiction protoco consists of two phses: the mutu uthentiction phse n the key upting phse. The former phse mutuy uthentictes n RFID reer n tg. In the tter phse oth the reer n the tg upte their ynmic secret keys for next protoco runs. In this protoco, first the security prmeter, N, is specifie n 2N-it prime integer, p, is chosen. Then, ech tg T is oe with n N-it ong ientifier, A (0), n five secret keys, k (0), k (0), k (0) c, k (0) n chosen inepenenty n uniformy from Z 2 N, Z p, Z p \{0}, Z 2 N k (0) u n Z p \{0} respectivey. 2.1 N O TAT I O N S - N: security prmeter. - p: prime numer in Z 2 N - A x, B x, C x, D x : oserve outputs of x th protoco run - n = n n r : rnom numer in Z 2 N - n, n r : eft n right hf-nonces 87

Security Anysis Of Lightweight Schemes for RFID Systems Specifictions - Puic prmeters: p, N. - Secret prmeters(shre etween R n T): k (0), k (0), k (0) Mutu Authentiction Phse (1) R T : Heo (2) T R : A (i) (3) R T : B (i), C (i) (4) T R : D (i) c, k (0) Fig. 1: i th run of the mutu uthentiction phse in the UCS-RFID protoco, k(0) u. 2.2 M U T U A L A U T H E N T I C AT I O N P H A S E Figure 1 shows one instnce run of the mutu uthentiction phse in the UCS-RFID protoco. The reer strts the interrogtion with Heo messge which is respone y tg s ynmic ientifier A (i). The reer then ooks up in the tse for set of five keys(k, k, k c, k, n k u ) which correspons to A (i). If this serch is successfu, it mens tht the tg is uthentic. Hving the tg uthenticte, the reer genertes 2N-it rnom nonce n (i) uniformy rwn from Z p, ccutes messges B (i), C (i) y (2),(3) n sens them to the tg. A (i) n (i 1) + k (i) mo 2 N (1) B (i) n (i) + k (i) mo p (2) C (i) n (i) k (i) c mo p (3) The tg first checks the integrity of the receive messges y (4): (B (i) k (i) ) k(i) c C (i) mo p (4) This check impies the uthenticity of the reer s we. Then, the tg extrcts the nonce n (i) y (5.) n (i) (B (i) k (i) ) mo p (5) To concue the mutu uthentiction phse, the tg trnsmits D (i) s receipt of otining n (i). D (i) = n (i) k (i) (6) 88

Pssive Cryptnysis of the UnConitiony Secure Authentiction Protoco for RFIDs 2.3 K E Y U P D AT I N G P H A S E After successfu mutu uthentiction, oth the reer n the tg upte their keys n ynmic ientifier (A (i) ) for the next protoco run. k (i+1) = n r (i) k (i) (7) k (i+1) k (i) u + (n (i) k (i) ) mo p (8) k (i+1) c k (i) u (n (i) k (i) c ) mo p (9) k (i+1) = n r (i) k (i) (10) k (i+1) u k (i) u n (i) mo p (11) A (i+1) n (i) + k (i+1) mo 2 N (12) It shou e note tht the ynmic vues hve een prove to preserve their properties of inepenency n uniformity fter upting[16]. 3 O B S E RVAT I O N In this section, we she more ight on wekness in the UCS-RFID protoco which ecomes the origin of our propose ttck presente in the susequent section. By xoring (7) n (10), we hve: k i+1 k i+1 = k i k i (13) Eqution (13) shows tht the ifference etween k n k remins the sme for two consecutive runs of the protoco. This sttement cn so e generize for every r ritrry run of the protoco the s foowing: k r+1 k r+1 = k r k r =... = k0 k 0 = L (14) 89

Security Anysis Of Lightweight Schemes for RFID Systems By using (14), for outputs A n D in m consecutive runs of the protoco, we hve: A (i) n (i 1) D (i) = n (i) A (i+1) n (i) D (i+1) = n (i+1). + k (i) mo 2 N (15) (k (i) L) (16) + (k (i) A (i+m 1) n (i+m 2) D (i+m 1) = n (i+m 1) (k (i) n (i) r ) mo 2 N (17) L n (i) r ) (18) + (k (i) i+m 2 n (j) r ) mo 2 N (19) (k (i) j=i i+m 2 L n (j) r ) (20) It is pprent tht we hve set of 2m equtions with 2m + 2 vries. These vries cn e ivie into two groups: 1. 2m hf-nonces: n (i 1) 2. L n k (i).,..., n (i+m 1) j=i, n r (i),..., n r (i+m 2) So, if we fix the vue of vries L n k (i), we en up with 2m equtions n 2m hf-nonce vries. This impies tht the 2m hfnonces cn not e chosen inepenenty n fufi the ove equtions simutneousy. In other wors, if we oserve the outputs of m consecutive runs of the protoco, it is ony necessry to serch over possie sequences of k (i) n L, which is 2 2N, n then it wi e possie to fin 2m hf-nonces uniquey. As we wi see, this wekness is the resut of introuction of tighter oun for the hf-nonces whie we keep oserving more runs of the protoco. By the rnomness nture of the generte hf-nonces, the tot numer of possie sequences for them(2 2N ) is uniformy istriute over them. This impies tht ech of the 2m hf-nonces is expecte to hve oun of 2m 2 2N possie vues (compring to its previous oun which ws N). Therefore, for m consecutive protoco runs, the tot numer of possie vues istriute over the 2m hf-nonces is 2m 2m 2 2N [16]. Now, if we excue the vue which hf-nonces hs tken rey (2m 2m 2 2N 2m), we cn ccute the proiity tht t est one hfnonce oes not receive nother possie vue (remins constnt). To o 90

Pssive Cryptnysis of the UnConitiony Secure Authentiction Protoco for RFIDs Fig. 2: The numer of consecutive protoco runs n versry must oserve(m) in orer to infer t est one hf-nonce for N = 128, 256 so, we utiize the we-known proem in proiity theory(i.e. Given r s thrown uniformy t rnom t ins, the proiity tht t est one in remins empty which is ccute y (21))[17]: Pr(t est one in remins empty) = 1 (r 1 1 ) ( +r 1 1 ) (21) Now, it ony requires to sustitute = 2m n r = 2m. 2m 2 2N 2m in (21) n then we wi hve (22). The resut is potte in Figure 2. 2m P h = Pr(t est one hf-nonce remins constnt) = 1 (2m. 2 2N 2m 1 2m 1 ) ( 2m. 2m 2 2N 1 2m 1 ) (22) Figure 2 shows the proiity of inferring t est one hf-nonce in terms of the numer of consecutive runs of the protoco require to e oserve to o so. For exmpe, if we oserve 35 runs of the protoco runs with N=256, we wi e e to etermine t est one of the 70 trnsmitte hf-nonces with the proiity of more thn 0.99. We wi use the term "victim hf-nonce for inferre hf-nonce n nottion m h inste of m for the numer of consecutive runs of the protoco require to infer one hf-nonce herefter. 91

Security Anysis Of Lightweight Schemes for RFID Systems 4 O U R AT TA C K S C E N A R I O In the previous section, we presente proiistic pproch to fin the numer of consecutive runs of the protoco to infer one hf-nonce. But in our ttck, we nee to hve compete nonce(eft n right corresponing hf-nonces) to recover secret keys. To chieve this go, we propose n ttcking scenrio which consists of the three foowing phses: 1. Fining the tot numer of necessry consecutive runs of the protoco to fin compete victim nonce (m t ). 2. Fining the victim nonce. 3. Recovering the secret keys. 4.1 P H A S E I: F I N D I N G m t In section 3, we propose proiistic wy to ccute the numer of consecutive runs tht must e oserve y n versry to infer hf-nonce(m h ). It is ovious tht if we keep oserving more runs of the protoco(i.e. more thn m h ), fter ech extr oservtion, nother hf-nonce cn e inferre. This is simpy possie y eiminting the two equtions which contin the first victim hf-nonce n ing two newy oserve equtions to the set of equtions (15-20) n then, we gin hve 2m h equtions n 2m h + 2 vries which yie nother hf-nonce inference. If we inten to fin compete nonce, we must continue oserving the runs of the protoco unti we infer two corresponing victim hfnonces to form compete nonce. To o so, we shou first ccute the proiity tht the inferre hf-nonce t (m e + m h ) th run mtches one of the previousy victim hf-nonces. As we know, fter m h runs of the protoco, we ccompish to fin one victim hf-nonce, fter m e extr runs of the protoco, we hve β = 2m h + 2m e equtions n β hf-nonces which m e + 1 of them cn e inferre. The proiity tht none of these m e + 1 hf-nonces mtch is: Pr(Hving no pir fter m h + m e runs) = (β 1) β = m e i=1 (β i) β (m e)... (β m e) β (23) 92

Pssive Cryptnysis of the UnConitiony Secure Authentiction Protoco for RFIDs Consequenty, the proiity of hving t est one pir fter oserving m e runs is simpy ccute y (24). P e = Pr(Hving t est one pir of mtching hf-nonces fter m h + m e runs) = 1 m e i=1 (β i) β (m e) By using (22) n (24) the tot numer of protoco runs to hve t est one compete victim nonce (m t = m h + m e ) cn e ccute y (25) n is potte in Figure 3. P t = Pr(Hving t est one compete nonce fter m t runs) = (P e m h = h) Pr(m h = h) = (P e m h = h) P h (h) (25) Remrk The uthors of [16] hve so ccute m t y using some other protoco outputs (B n C). Figure 3 compres our resuts with wht the uthors "Expecte. This comprison hs een conucte for two ifferent security prmeters N=128,N=256 which re potte on the eft n right respectivey. The resuts show tht the security mrgin of the protoco in terms of the numer of consecutive runs tht must e oserve to infer one nonce is ess thn wht the esigners of the protoco expecte. In other wors, we nee ess numer of protoco runs to infer t est one nonce. For exmpe pssive versry is e to infer compete nonce with high proiity of 0.99 y evesropping ess tht 60 n 90 runs of the protoco for the key size of 128 n 256 its respectivey. These numers were expecte to e 110 n 200 respectivey. (24) 4.2 P H A S E II: F I N D I N G T H E C O N S TA N T N O N C E Hving m h consecutive runs of the protoco oserve, we hve one constnt hf-nonce or one hf-nonce with ony one possie vue. In orer to fin this hf-nonce, we opt the foowing gorithm. Agorithm Inputs :A (i),..., A (i+m t 1), D (i),..., D (i+m t 1) 1. Determine eve of confience(proiity) for the fin resuts. 2. Fin the m h, m t rete to the etermine proiity from Figures 1,2 respectivey. 3. Ccute m e = m t m h 93

Security Anysis Of Lightweight Schemes for RFID Systems Our Resut Expecte Fig. 3: Comprison of expecte security mrgin of the UCS-RFID protoco n our resuts in terms of the numer of consecutive protoco runs n versry must oserve in orer to infer t est one nonce. 4. Choose two rnom numers from Z 2 N n ssign them to L,k (i) respectivey.,..., n (i+m h 2) r ) s fo- 5. Fin 2m nonces (n (i 1) ows.. (k (i) Fin n (i 1),..., n (i+m h 1) from (15) i.e. n (i 1) Fin n (i) from (16) i.e. n (i) Fin n (i) r Fin n (i+m h 2) r i+mh 2 j=i n (j) r ). Fin n (i+m h 1) L) i+m h 2 j=i from (17) i.e. n (i) r n (j) r., n (i) r A (i) k (i) mo 2 N. = D (i) (k (i) (A (i+1) n (i) from (19) i.e. n (i+m h 2) r from (20) i.e. n (i+m h 1) L). mo 2 N ) k (i). (A (i+m h 1) n (i+m h 2) = D (i+m h 1) (k (i) mo 2 N ) 94

Pssive Cryptnysis of the UnConitiony Secure Authentiction Protoco for RFIDs 6. Repet 4 n 5 s mny times s we oserve tht ony one hfnonce keeps its vue for of the repetitions. 7. Sve the constnt(victim) hf-nonce. 8. Oserve nother run of the protoco. A (i+m h) n (i+m h 1) D (i+m h) = n (i+m h) + (k (i) (k (i) i+mh 1 j=i n (j) r ) mo 2 N L i+m h 1 j=i n (j) r ). 9. Repce the equtions corresponing to the foun victim hfnonce with two newy oserve equtions in the eqution set (15-20). 10. Repet 4,5,6,7,8 for m e times. 11. Mtch two corresponing victim hf-nonces(e.g. n (j), n (j) r ). 12. Output the victim nonce (n (j) = n (j) n (j) r ). 4.3 P H A S E III: K E Y R E C O V E RY In the previous two phses of our ttck, we ccompishe to fin compete victim nonce n (j),with certin proiity, y oserving m t consecutive runs of the protoco. Now, we present how n versry is e to recover five secret keys of the protoco. To fin k (j) n k (j), we shou foow(26-29). k (j) (A (j+1) n (j), k (j), k(j) c ) n (j) r mo 2 N (26) k (j) B (j) n (j) mo p (27) k (j) c ( 1 n (j) mo p) C(j) mo p (28) k (j) = n (j) D (j) (29) To recover k (j) u, we nee to fin the nonce in the next run (n (j+1) ), thus we shou ccute the upte keys for the (j + 1) th run using (7) n (10). k (j+1) = k (j) n (j) r (30) k (j+1) = k (j) n (j) r (31) 95

Security Anysis Of Lightweight Schemes for RFID Systems Then we hve: Using (30) n (33), we cn write: n (j+1) = D (j+1) k (j+1) (32) k (j+2) = A (j+2) n (j+1) (33) n (j+1) r = k (j+2) Finy, y using (27),(32) n,(34) we cn fin k (j) u. k (j) u k (j+1) (34) B (j+1) n (j+1) (k (j) n (j+1) ) mo p (35) The proceure ove provies us with our ojective to recover of the secret keys with certin proiity(p t ). This proiity cn e increse y pying the price of hving more protoco run outputs vie. Furthermore, s it cn e seen from the (32) n (34), next nonce is so chieve. This impies tht the secret keys of the next run cn so e ccute y using (26-35) for the next run. This is n ongoing proceure which yies the keys of ny ritrry run of the protoco(r) which r > j. Being e to generte the future secret keys, n versry is cpe of either impersonting oth the reer n the tg or trcing the tg. 5 O N T H E T R A C E A B I L I T Y O F T H E UCS-RFID In the previous section, we presente proiistic key recovery ttck ginst the UCS-RFID protoco. We mentione tht ccoring to Figure 3, we nee to hve out 90 runs of the protoco to e most sure tht our foun keys re correct. But with ess numer of protoco run outputs, we sti cn ppy n ttck ginst the trceiity of the protoco. In this section, we formy investigte the untrceiity of the UCS-RFID se on the form escription in [11]. 5.1 A D V E R S A R I A L M O D E L Accoring to [11], the mens tht re ccessie to n ttcker re the foowing: We enote tg n reer in i th run of the protoco y T i n R i, respectivey. 96

Pssive Cryptnysis of the UnConitiony Secure Authentiction Protoco for RFIDs Query(T i, m 1, m 3 ): This query moes the ttcker A sening messge m 1 to the tg n sening the m 3 fter receiving the response. Sen(R i, m 2 ): This query moes the ttcker A sening messge m 2 to the Reer n eing cknowege. Execute(T i, R i ): This query moes the ttcker A executing run of protoco etween the Tg n Reer to otin the exchnge messges. Reve(T i ): This query moes the ttcker A otining the informtion on the Tg s memory. A Pssive Aversry, A P, is cpe of evesropping communictions etween tg n reer n ccesses ony to the Execute(T i, R i ):. 5.2 AT TA C K I N G U N T R A C E A B I L I T Y The resut of ppiction of n orce for pssive ttck O P {Execute(.)} on tg T in the run i is enote y w i (T). Thus, set of I protoco run outputs, Ω I (T), is: Ω I (T) = {w i (T) i I} ; I N;(N enotes the tot set of protoco runs). The form escription of ttcking scenrio ginst untrceiity of protoco is s foowing: 1. A P requests the Chenger to give her trget T. 2. A P chooses I n cs Orce(T, I, O P ) where I re f receives Ω I (T). 3. A P requests the Chenger thus receiving her chenge T 1, T 2,I 1 n I 2 4. A P cs Orce(T 1, I 1, O P ), Orce(T 2, I 2, O P ) then receives Ω I1 (T 1 ), Ω I2 (T 2 ). 5. A P ecies which of T 1 or T 2 is T, then outputs her guess T. For security prmeter,k, if Av UNT A P (k) = 2Pr(T = T) 1 > ɛ then we cn sy tht the protoco is trcee. For UCS-RFID cse, s Figure 3 impies, n versry A P nees ony to ccess to out 40 n 65 consecutive runs of the protoco to e e to etermine n (j) with proiity of more thn 0.5 (e.g. 0.6) for k =128 n 256 respectivey n then ccoring to section 4.3, she wi 97

Security Anysis Of Lightweight Schemes for RFID Systems e e to recover the keys of susequent runs. After, key recovery, the versry cn esiy istinguish trget tg with ny other chenge tg given y the chenger. So we hve: re f 40, Av UNT A P (128) = 2Pr(T = T) 1 = 0.1 > ɛ. re f 65,Av UNT A P (256) = 2Pr(T = T) 1 = 0.1 > ɛ. 6 C O N C L U S I O N S The esign of suite ightweight security protocos for ow-cost RFID tgs is sti ig chenge ue to their severe constrints. Despite of interesting proposs in the iterture, this fie sti cks concrete soution. Recenty, Aomir et hve propose the first uthentiction protoco se on the notion of unconition security. Regress of some inefficiencies in UCS-RFID uthentiction protoco, such s: rge key sizes, using mour mutipiction,etc,which mkes this protoco n unsuite nominte for ow-cost RFID tg epoyment, we presente pssive ttck which showe tht even the security mrgin which ws expecte to e yiee y UCS-RFID hs so een overestimte. In our ttck, we showe tht pssive versry is e to chieve the secret keys of the system with high proiity of 0.99 y evesropping ess tht 60 n 90 runs of the protoco for the key size of 128 n 256 its respectivey. Trcing the tg in the protoco is so fesie even y ess numer of runs of the protoco (e.g. 40, 65). Our resuts suggest mjor rethink in the esign of the uthentiction protocos for RFID systems se on unconition security notion. Drstic chnges re necessry to fufi oth technoogic constrints n security concerns in RFID systems. R E F E R E N C E S [1] N.J. Hopper n M. Bum. : Secure Humn Ientifction Protocos, in C. Boy (e.) Avnces in Cryptoogy - ASIACRYPT 2001, Voume 2248, Lecture Notes in Computer Science, pp. 52 66, Springer- Verg, (2001). [2] J. Bringer, H. Chnne, n E. Dottx.: HB++: Lightweight Authentiction Protoco Secure Aginst Some Attcks, IEEE Interntion Conference on Pervsive Services, Workshop on Security, 98

Pssive Cryptnysis of the UnConitiony Secure Authentiction Protoco for RFIDs Privcy n Trust in Pervsive n Uiquitous Computing SecPerU, (2006). [3] Juien Bringer n Herve Chnne.: Truste-HB: ow-cost version of HB+ secure ginst mn-in-the-mie ttcks. CoRR, s/0802.0603, (2008). [4] Juien Bringer, Herve Chnne, n Emmnuee Dottx.: HB++: ightweight uthentiction protoco secure ginst some ttcks, In Secon Interntion Workshop on Security, Privcy n Trust in Pervsive n Uiquitous Computing (SecPerU 2006), pges 28 33. IEEE Computer Society, (2006). [5] Dng Nguyen Duc n Kwngjo Kim.: Securing HB+ ginst GRS mn-in-the-mie ttck, In Institute of Eectronics, Informtion n Communiction Engineers, Symposium on Cryptogrphy n Informtion Security, (2007). [6] Henri Giert, Mtthew J. B. Roshw, n Ynnick Seurin: HB : Incresing the security n effciency of HB+, Avnces in Cryptoogy EUROCRYPT 2008, 27th Annu Interntion Conference on the Theory n Appictions of Cryptogrphic Techniques, Proceeings, voume 4965 of Lecture Notes in Computer Science, pges 361 378.Springer, (2008). [7] J. Muni n A. Peino.: HB-MP: A further step in the HB-fmiy of ightweight uthentiction protocos. Computer Networks, (2007). [8] Peris-Lopez, Hernnez-Cstro,Estevez Tpior, n Rigor: LMAP: A Re Lightweight Mutu Authentiction Protoco for Low-cost RFID tgs, RFIDSec 06, (2006). [9] P. Peris-Lopez, J. C. Hernnez-Cstro, J. Estevez-Tpior, n A. Rigor: M2AP: A minimist mutu-uthentiction protoco for ow-cost RFID tgs, in Interntion Conference on Uiquitous Inteigence n Computing (UIC06), vo. 4159 of LNCS, pp.912 923 (2006). [10] P. Peris-Lopez, J. C. Hernnez-Cstro, J. Estevez-Tpior, n A. Rigor: EMAP: An Efficient Mutu-Authentiction Protoco for Low-cost RFID tgs, in OTM Feerte Conferences n Workshop: IS Workshop, (2006). [11] Avoine G. :Aversri Moe for Rio Frequency Ientifiction. Cryptoogy eprint Archive, Report 2005/049, (2005). 99

Security Anysis Of Lightweight Schemes for RFID Systems [12] M. Ohkuo, K. Suzuki, n S. Kinoshit: Cryptogrphic Approch to Privcy-Frieny Tgs, in RFID Privcy Workshop, (2003). [13] D. Henrici, n P. Muer: Hsh-se Enhncement of Loction Privcy for Rio Frequency Ientifiction Devices using Vrying Ientifiers, in Proceeings of PerSec04,IEEE PerCom, pp.149-153, (2004). [14] D. Henrici, n P. Muer: Proviing Security n Privcy in RFID Systems Using Triggere Hsh Chins, in PerCom 08, 50 59, (2008). [15] L.S. Kuseng: Lightweight Mutu Authentiction, Owner Trnsfer, n Secure Serch Protocos for RFID Systems, Mster Thesis, Iow Stte University,Ames, (2009). [16] B. Aomir, L. Lzos, R. Poovenrn: Securing Low-cost RFID Systems: n Unconitiony Secure Approch, RFIDsec 10 Asi, Singpore, (2010). [17] W. Feer: An Introuction to Proiity Theory n its Appictions, Wiey Ini Pvt. Lt., (2008). [18] T.S. Heyt-Benjmin, D.V. Biey, K. Fu, A. Jues, n T. O Hre: Vuneriities in First-Genertion RFID-Ene Creit Crs, Proc. 11th Int Conf. Finnci Cryptogrphy n Dt Security (FC 07), pp. 2 14, (2007). [19] D.Cruccio, K.Lemke, C.Pr: E-pssport: The Go Trceiity or How to fee ike UPS pckge, Proceeing of WISA 06, LNCS 4298, Springer, pp.391 404, (2007). [20] J.-H. Hoepmn, E. Huers, B. Jcos, M. Oostijk, n R.W. Schreur, Crossing Borers: Security n Privcy Issues of the Europen e-pssport, Proc. First Int Workshop Security (IWSEC 06), pp.152 167 (2006). [21] CASPIAN, Boycott Benetton: http://www.oycottenetton.com (2007). [22] Mitsuishi Eectric Asi Switches on RFID: www.rfijourn.com/rtice/rticeview/2644/ (2006). [23] Trget, W-Mrt Shre EPC Dt: http://www.rfijourn. com/rtice/rticeview/642/1/1/ (2005). 100

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information