Lightweight Cryptography for RFID Systems
Guang Gong
Department of Electrical and Computer Engineering, University of Waterloo
CANADA, <http://comsec.uwaterloo.ca/~ggong>
G. Gong (University of Waterloo) Lightweight Crypto for RFID: Part III December 12 - 15, 2010 1 / 31
Part III. Design of Authentication Protocols for RFID Systems
Security and Privacy threats in RFID systems
Lightweight Crypto Solutions to Authentication for RFIDs
LPN Based Entity Authentication Protocol for RFIDs
WG-7 Based Authentication Protocol for RFIDs
Security Threat Classification
Information Leakage
Privacy Violation
Tag Impersonation Attack
Replay Attack
Denial of Service Attack
Backward and Forward Traceability
Server Impersonation Attack
Information Leakage
Problem
• An adversary should not be able to obtain useful information about the tagged object.
Attacking Method
• The adversary can query the target tag or eavesdrop communications between the tag and readers.
Figure: the adversary sits between Reader and Tag, sending its own Query to the tag and observing the Response.
Privacy Violation
Problem
• An adversary should not be able to track the movement of a tagged item, and by extension, the person associated with it.
Attacking Method
• The adversary can query the target tag and correlate data from multiple RFID readers.
Figure: the tag answers Query1/Response1 at Position A, moves from A to B, and answers Query2/Response2 at Position B; the adversary links both responses to the same tag.
Tag Impersonation Attack
Problem
• An adversary should not be able to impersonate a tag.
Attacking Method
• The adversary can query the target tag or eavesdrop communications between the tag and readers. Then the adversary tries to use the responses from the victim to fool a legitimate reader.
Figure: the adversary's reader sends Query1 to the legitimate tag and records Response1; later the adversary's tag answers a legitimate reader's Query2 with Response2 = f(Response1).
Replay Attack
Problem
• An adversary should not be able to reuse the communications from previous sessions to perform a successful authentication between a tag and a reader.
Attacking Method
• The adversary can intercept the valid authenticators from a past transaction and use them to finish the authentication.
Figure: the adversary records Response1, sent by the legitimate tag to the legitimate reader's Query1, and replays the same Response1 from its own tag in reply to the legitimate reader's Query2.
Denial of Service Attack
Problem
• An adversary should not be able to disturb the interactions between a tag and a reader.
Attacking Method
• The adversary can intercept or block the transmitted messages, which might lead to the desynchronization of the shared secret between a reader and a tag.
Figure: the adversary blocks Query1 and Query2 between Reader and Tag, so the reader no longer knows which state the tag has reached (???).
Backward and Forward Traceability
Problem
• An adversary should not be able to link a tag with past and future actions performed on the tag, even after compromising the tag.
Attacking Method
• The adversary can compromise a tag and try to track the victim's past and future transactions.
Figure: the adversary compromises a legitimate tag at time instance t (Query_t/Response_t) and tries to figure out whether the tag was involved in the transactions Query_t1/Response_t1 and Query_t2/Response_t2 at time instances t1 and t2, where t1 < t < t2.
Server Impersonation Attack
Problem
• An adversary should not be able to impersonate a legitimate server to the tag without knowledge of a tag's secret.
Attacking Method
• The adversary can eavesdrop a valid session and block some messages from reaching the tag. Then the adversary initiates another session as an impersonated reader.
Figure: the adversary observes Query1/Response1 between the legitimate reader and the legitimate tag and blocks a message of that session; it then opens a new session (Query2/Response2) from the adversary's reader to the legitimate tag.
Countermeasures
Physical Protection: distance measurement, Faraday cage approach
Deactivation: killing, sleeping, hash lock
Re-naming: relabeling or effacing, minimalist cryptography, re-encryption
User-Oriented: light crypto based approaches
Proxy or Filter: watchdog tag, RFID guardian
Jamming: blocking, soft-blocking tag
Entity authentication: PRG-based, hash-based, private authentication
Identification and Authentication
Identification Protocol
An identification protocol allows a reader to obtain the identity of a queried tag, but no proof is required.
  Reader (ID)  ---- Query ---->  Tag (ID)
  Reader (ID)  <----  ID  -----  Tag (ID)
The primal goal of identification protocols is to provide functionality and privacy.
Examples: localization, stock management, etc.
Tag Authentication
Authentication Protocol
An authentication protocol allows a reader to be convinced of the identity of a queried tag. Conversely, it can allow a tag to be convinced of the identity of a querying reader. If both properties are ensured, we speak of mutual authentication.
  Reader (K)  ----   r    ---->  Tag (K)
  Reader (K)  <--- E_K(r) -----  Tag (K)
The primal goal of authentication protocols is to provide security.
Examples: access control, e-documents, anti-cloning, anti-counterfeiting, etc.
Performance Requirements
Low Computational Cost: The computational overhead of authentication protocols on the tag side should be small due to the limited power available to RFID tags.
Low Communication Cost: The messages transmitted in the authentication phase should be minimized because of the limited bandwidth available to RFID tags.
Low Storage Requirement: The data stored in an RFID tag should be kept as small as possible since the tag memory is extremely constrained.
Scalability: The back-end database should be able to efficiently identify an individual tag even though the tag population is huge.
Privacy-Preserving RFID Authentication Protocols
Block Cipher Based Authentication Protocols
Public-key Based Authentication Protocols
HB-family Based Authentication Protocols
Block Cipher based Authentication Protocols
Reader                                   Tag
  ----------- C ----------->
                                         R = E_K(C)
  <---------- R ------------
C' = D_K(R)
If C' = C then accept Tag

Figure: Interleaved Challenge-Response Protocol Using AES [Feldhofer et al.'04]. On the time axis (0, 10, 20, 30, 40, 50, 60) the reader sends C1, C2, C3 to Tag1, Tag2, Tag3 in turn; each tag computes R_i = E_K(C_i) while the reader is busy challenging the others. The reader then sends ReqR1, ReqR2, ReqR3 and collects the responses R1, R2, R3.

HF tags with an internal clock of 100 kHz are considered. The standard requires that a response must follow 320 µs after a request; otherwise the tag has to stay quiet. AES is too slow (1032 cycles/block, i.e. about 10.3 ms at 100 kHz, far more than 320 µs) to meet the requirement of the standard, and therefore an interleaving authentication method is used: the challenge is sent in one command and the response is fetched by a later request, once the tag has had time to compute it.
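The interleaving, as an added example rather than code from the slides or from Feldhofer et al.: a discrete-time model in cycles of the tag's 100 kHz clock, where one AES block costs the slide's 1032 cycles and the 320 µs answer deadline is 32 cycles. EXCHANGE_CYCLES (the air-interface cost of one command/response) is an assumption of this model, and E_K is stood in by HMAC-SHA-256 truncated to 128 bits, so the reader verifies by recomputing E_K(C) rather than decrypting R; the accept/reject decision is the same as the slide's C' = D_K(R), C' = C test.

```python
"""Direct vs. sequential vs. interleaved challenge-response (added example)."""
import hashlib
import hmac

CLOCK_HZ = 100_000
AES_CYCLES = 1032                                # per block, figure from the slide
DEADLINE_CYCLES = 320 * CLOCK_HZ // 1_000_000    # 320 us -> 32 cycles at 100 kHz
EXCHANGE_CYCLES = 64                             # assumed cost of one command/response


def e_k(key: bytes, challenge: bytes) -> bytes:
    """Stand-in for the block cipher E_K; the scheduling is the point here."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:16]


class Tag:
    def __init__(self, key: bytes):
        self.key = key
        self.pending = None       # response currently being computed
        self.ready_at = None      # clock cycle at which it is available

    def challenge(self, now: int, c: bytes) -> None:
        """Receive C and start computing R = E_K(C); done AES_CYCLES later."""
        self.pending, self.ready_at = e_k(self.key, c), now + AES_CYCLES

    def request(self, now: int):
        """Reader asks for R at cycle `now`.  The tag has DEADLINE_CYCLES to
        answer; if R will not be ready by then it must stay quiet (None)."""
        if self.pending is None or self.ready_at > now + DEADLINE_CYCLES:
            return None
        r, self.pending = self.pending, None
        return r


def direct_protocol(tag: Tag, c: bytes, now: int = 0):
    """Send C and wait for R in the same exchange: 1032 cycles never fit in 32."""
    tag.challenge(now, c)
    return tag.request(now)


def _collect(reader_key, tags, challenges, now):
    """Poll each tag as early as the deadline allows and verify its response."""
    accepted = 0
    for tag, c in zip(tags, challenges):
        now = max(now, tag.ready_at - DEADLINE_CYCLES)    # wait only if needed
        r = tag.request(now)
        now += EXCHANGE_CYCLES
        if r is not None and hmac.compare_digest(r, e_k(reader_key, c)):
            accepted += 1
    return accepted, now


def sequential_protocol(reader_key, tags, challenges, now=0):
    """One tag at a time: challenge, idle ~1000 cycles, fetch, next tag."""
    accepted = 0
    for tag, c in zip(tags, challenges):
        tag.challenge(now, c)
        now += EXCHANGE_CYCLES
        got, now = _collect(reader_key, [tag], [c], now)
        accepted += got
    return accepted, now


def interleaved_protocol(reader_key, tags, challenges, now=0):
    """Feldhofer et al.: challenge every tag first, then fetch the responses,
    so each tag's AES computation overlaps the reader's other exchanges."""
    for tag, c in zip(tags, challenges):
        tag.challenge(now, c)
        now += EXCHANGE_CYCLES
    return _collect(reader_key, tags, challenges, now)


if __name__ == "__main__":
    key = b"shared-tag-key"                         # constructed demo key
    cs = [bytes([i]) * 16 for i in range(4)]        # constructed challenges
    print("direct:", direct_protocol(Tag(key), cs[0]))                                # None
    print("sequential:", sequential_protocol(key, [Tag(key) for _ in cs], cs))       # (4, 4256)
    print("interleaved:", interleaved_protocol(key, [Tag(key) for _ in cs], cs))     # (4, 1256)
```

With four tags the sequential schedule spends 4256 cycles (about 42.6 ms) because the reader idles while each tag computes, while the interleaved schedule finishes in 1256 cycles; the reader's check is the same in both, so a tag with the wrong key is counted in neither.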
Lightweight Identification Schemes based onPublic-key Schemes
The most common public-key schemes, such as those based on the difficulty of factorization, discrete logarithms, or elliptic curve discrete logarithms, are not suitable for RFID applications: their hardware implementations usually require many tens of thousands of logic gates.
Two types of identification schemes can provide public-key functionality to RFID tags at a low cost:
• Use a variation of the Rabin cryptosystem (e.g., SQUASH [Shamir'08] and WIPR [Oren et al.'08])
• Use a token (coupon)-based approach (e.g., cryptoGPS [Girault'07, Mcloone et al.'07])
Public-key Based Authentication Protocols
Tag: secret key s, public key V = -sG (the reader knows V).
Precomputation (off-line, before deployment): for i = 1, ..., t generate r_i = PRF_K(i), compute x_i = HASH(r_i G), and store the coupons {x_1, x_2, ..., x_t} on the tag.

Tag                                              Reader
choose an unused coupon x_i    ---- x_i ---->
                               <---- c ------    choose c
re-generate r_i = PRF_K(i);
compute y = r_i + s × c        ----- y ----->
                                                 verify x_i = HASH(yG + cV)

Figure: The Elliptic Curve Variant of cryptoGPS [Mcloone et al.'07]
The computation on the tag is simple. There are a variety of implementation trade-offs. For example, we can use a sparse challenge c to "change" the multiplication s × c into a small number of additions (which still has a cost).
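The coupon protocol end to end, as an added example (not code from the slides or from McLoone et al.). Assumptions: the toy curve y² = x³ + 2x + 2 over GF(17) with base point G = (5, 1) of prime order 19, chosen only so the arithmetic is readable; HASH is SHA-256 truncated to 64 bits and PRF_K is HMAC-SHA-256 truncated to 64 bits, both of which the slide leaves unspecified. The last function shows the caveat that comes with coupons: a coupon (i.e. an r_i) used twice leaks s.

```python
"""Elliptic-curve cryptoGPS with coupons (added example, toy curve parameters)."""
import hashlib
import hmac

P, A = 17, 2                 # curve y^2 = x^3 + A*x + 2 over GF(P)  (assumed toy curve)
G = (5, 1)                   # base point of prime order 19
INF = None                   # point at infinity


def ec_neg(pt):
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def ec_add(p, q):
    """Group law on the short Weierstrass curve, affine coordinates."""
    if p is INF:
        return q
    if q is INF:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # q == -p
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add; a negative scalar multiplies the negated point."""
    if k < 0:
        return ec_mul(-k, ec_neg(pt))
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def point_hash(pt):
    """HASH(point) -> 64-bit coupon value (SHA-256 stand-in)."""
    return hashlib.sha256(repr(pt).encode()).digest()[:8]


def prf(K, i):
    """r_i = PRF_K(i); the tag regenerates r_i from K instead of storing it."""
    return int.from_bytes(hmac.new(K, i.to_bytes(4, "big"), "sha256").digest()[:8], "big")


def keygen(s):
    """Public key V = -sG for secret key s."""
    return ec_neg(ec_mul(s, G))


def tag_precompute(K, t):
    """Off-line: coupons x_i = HASH(r_i G), i = 1..t; the only EC work, done once."""
    return {i: point_hash(ec_mul(prf(K, i), G)) for i in range(1, t + 1)}


def tag_respond(K, s, i, c):
    """On-line: y = r_i + s*c, integer arithmetic only (a sparse c makes s*c a
    few shifted additions)."""
    return prf(K, i) + s * c


def reader_verify(V, x_i, c, y):
    """x_i == HASH(yG + cV); with V = -sG, yG + cV = (r_i + sc)G - scG = r_i G."""
    return point_hash(ec_add(ec_mul(y, G), ec_mul(c, V))) == x_i


def recover_secret(c1, y1, c2, y2):
    """Why a coupon must be used once: two answers with the same r_i satisfy
    y1 - y2 = s*(c1 - c2), so anyone on the channel recovers s."""
    return (y1 - y2) // (c1 - c2)


if __name__ == "__main__":
    K, s = b"tag-prf-key", 17                 # constructed tag secrets
    V = keygen(s)
    coupons = tag_precompute(K, 5)
    i, c = 1, 5                               # tag picks coupon 1, reader picks c
    y = tag_respond(K, s, i, c)
    print("accepted:", reader_verify(V, coupons[i], c, y))                          # True
    print("coupon reuse leaks s:", recover_secret(c, y, 9, tag_respond(K, s, i, 9)))  # 17
```

Only tag_precompute touches the curve, which is the point of the coupon approach: at runtime the tag does one PRF call and one integer multiply-add, and the reader carries the two scalar multiplications.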
HB+ Protocol [Juels & Weis ’05]
Tag (k1, k2)                                     Reader (k1, k2)
b ∈_R {0,1}^m                  ------ b ----->
                               <----- a ------   a ∈_R {0,1}^m
v ∈_R {0,1 | Pr[v = 1] = η};
y = (a · k1) ⊕ (b · k2) ⊕ v    ------ y ----->
                                                 (a · k1) ⊕ (b · k2) ?= y
Based on the Learning Parity with Noise (LPN) problem.
k1 and k2 are two m-bit vectors used as the authentication key, η ∈ (0, 1/2), b is a blinding vector, a is a challenge vector.
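HB+ as an added example (not code from the slides or from Juels and Weis). The slide shows one round; an authentication repeats it R times and the reader accepts when at most T rounds disagree, with T set above the η·R rounds an honest tag is expected to get wrong. R and T are parameters assumed here, and the seeded generator is only for reproducibility. The blinding vector b is what separates HB+ from plain HB: an active adversary who chooses a cannot read k1 off bit by bit with unit-vector challenges, because every answer also carries b · k2 for a b the tag chose.

```python
"""HB+ rounds over GF(2) (added example).  Vectors are m-bit Python ints."""
import random


def dot(a, k):
    """Inner product a.k over GF(2): parity of the bitwise AND."""
    return bin(a & k).count("1") & 1


def hbplus_tag(k1, k2, a, b, eta, rng):
    """Tag: y = (a.k1) xor (b.k2) xor v, with Pr[v = 1] = eta."""
    v = 1 if rng.random() < eta else 0
    return dot(a, k1) ^ dot(b, k2) ^ v


def hbplus_authenticate(m, eta, rounds, threshold, reader_keys, tag_keys, seed=0):
    """Run `rounds` HB+ rounds between a reader holding reader_keys and a tag
    holding tag_keys.  Returns (accepted, mismatching_rounds).  Passing other
    tag_keys models an impersonator who does not know (k1, k2)."""
    rng = random.Random(seed)                  # reproducible demo randomness
    k1, k2 = reader_keys
    mismatches = 0
    for _ in range(rounds):
        b = rng.getrandbits(m)                 # tag's blinding vector, sent first
        a = rng.getrandbits(m)                 # reader's challenge, sent after b
        y = hbplus_tag(tag_keys[0], tag_keys[1], a, b, eta, rng)
        if dot(a, k1) ^ dot(b, k2) != y:       # reader's check from the slide
            mismatches += 1
    return mismatches <= threshold, mismatches


if __name__ == "__main__":
    m, eta, rounds, threshold = 80, 0.125, 128, 32    # threshold ~ 2 * eta * rounds
    rng = random.Random(2005)
    keys = (rng.getrandbits(m), rng.getrandbits(m))
    fake = (rng.getrandbits(m), rng.getrandbits(m))   # impersonator's guess
    print("honest tag:  ", hbplus_authenticate(m, eta, rounds, threshold, keys, keys, seed=1))
    print("impersonator:", hbplus_authenticate(m, eta, rounds, threshold, keys, fake, seed=1))
```

An impersonator whose keys differ from the reader's in even one bit disagrees in about half the rounds, so with 128 rounds the count lands far above any threshold chosen for η = 0.125; the noise-free run in the test shows the check is exact when v = 0.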
LCMQ Protocol (Li-Gong10)
Definition of Circulant-P2 Matrix
(m × m) Square Circulant Matrix C_θ:
  θ_0      θ_1      ···  θ_{m-1}
  θ_{m-1}  θ_0      ···  θ_{m-2}
  ···      ···      ···  ···
  θ_1      θ_2      ···  θ_0
Circulant-P2 Matrix: m is a prime number such that 2 is a primitive element of the finite field GF(m).
Square, landscape, and portrait forms: C_θ, C^{[n×m]}_θ, and C^{[m×n]}_θ.
Linear Independence of Circulant-P2 Matrix
• All row vectors in a landscape circulant-P2 matrix (and all column vectors in a portrait circulant-P2 matrix) are linearly independent.
• A landscape circulant-P2 matrix always has a right inverse. Likewise, a portrait circulant-P2 matrix always has a left inverse.
• All m row vectors in a square circulant-P2 matrix C_θ are linearly independent if and only if the Hamming weight of θ is odd. Consequently, C_θ is invertible if and only if the Hamming weight of θ is odd.
A Secure Encryption Against Ciphertext-Only Attack
A symmetric-key encryption scheme:
  z = Enc(θ, κ) = θ ∘ C^{[(m-1)×m]}_κ
Plaintext θ: (m − 1)-bit random vector, θ ≠ 0^{m−1}
Encryption key κ: randomly selected from S^e_m
Ciphertext z: an element of S^e_m
S_m: set of all m-bit vectors except 0^m and 1^m
S^e_m: set of all vectors in S_m whose Hamming weights are even
LCMQ Protocol Specification
Tag (k1, k2)                                          Reader (k1, k2)
                              <------ a -------       a ∈_R S^e_m
b ∈_R S_m;
v ∈_R {{0,1}^n | Pr[v_j = 1] = η, 0 ≤ j ≤ n − 1};
y = (b ∘ C^{[m×n]}_{k1}) ⊕ v;
r ∈_R {0,1}^{m−n−1};
z = (y || r) ∘ C^{[(m-1)×m]}_{k2 ⊕ a}
                              ------ b, z ----->      y || r = Dec(z, k2 ⊕ a);
                                                      Hwt((b ∘ C^{[m×n]}_{k1}) ⊕ y) ≤ τ ?
Keys: k1 ←$ S_m (the parity of Hwt(k1) is public), k2 ←$ S^e_m; interaction expansion n < m; noise level η ∈ (0, 1/2); integer pass-threshold τ ∈ (ηn, n/2).
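The circulant-P2 facts from the "Linear Independence" slide and the encryption and protocol of the two slides after it, as one added example (not code from the slides or from Li-Gong). Bit vectors are Python ints with bit j holding coordinate j, so row i of C_θ is θ rotated left by i positions, which reproduces the θ_{m-1} θ_0 ... θ_{m-2} second row of the definition. Three conventions the slides do not pin down are assumed: the portrait C^{[m×n]} keeps the first n columns of the square circulant, the landscape C^{[(m-1)×m]} keeps its first m − 1 rows, and y || r places y in the low n bits. Dec is Gaussian elimination over GF(2), which is what the promised right inverse of the landscape matrix amounts to.

```python
"""Circulant-P2 matrices over GF(2) and one LCMQ run (added example)."""
import random


def hw(x):
    """Hamming weight."""
    return bin(x).count("1")


def is_circulant_p2_modulus(m):
    """m prime and 2 a primitive element of GF(m), i.e. 2 has order m-1."""
    if m < 3 or any(m % d == 0 for d in range(2, int(m ** 0.5) + 1)):
        return False
    order, x = 1, 2
    while x != 1:
        x, order = x * 2 % m, order + 1
    return order == m - 1


def circ_rows(theta, m, rows=None, cols=None):
    """Rows of C_theta, truncated to `rows` rows and/or `cols` columns."""
    mask = (1 << m) - 1
    cmask = mask if cols is None else (1 << cols) - 1
    return [((theta << i) | (theta >> (m - i))) & mask & cmask
            for i in range(m if rows is None else rows)]


def vec_mat(x, rows):
    """x o M over GF(2): XOR of the rows of M selected by the 1-bits of x."""
    acc = 0
    for i, row in enumerate(rows):
        if (x >> i) & 1:
            acc ^= row
    return acc


def _reduce(v, basis, comb):
    """Reduce v against an echelon basis, tracking which input rows were used."""
    while v:
        p = v.bit_length() - 1
        if p not in basis:
            return v, comb, p
        v ^= basis[p][0]
        comb ^= basis[p][1]
    return 0, comb, None


def gf2_basis(rows):
    """Echelon basis {pivot bit: (vector, mask of the input rows it combines)}."""
    basis = {}
    for i, row in enumerate(rows):
        v, comb, p = _reduce(row, basis, 1 << i)
        if v:
            basis[p] = (v, comb)
    return basis


def gf2_rank(rows):
    return len(gf2_basis(rows))


def gf2_solve(rows, z):
    """x with x o rows == z, or None when z lies outside the row space."""
    v, comb, _ = _reduce(z, gf2_basis(rows), 0)
    return None if v else comb


def rand_even(m, seed):
    """Element of S^e_m: nonzero with even weight (1^m has odd weight, m odd)."""
    rng = random.Random(seed)                        # reproducible demo randomness
    while True:
        x = rng.randrange(1, (1 << m) - 1)
        if hw(x) % 2 == 0:
            return x


def lcmq_tag(k1, k2, a, m, n, eta, seed=0, v=None):
    """Tag side for challenge a; returns (b, z).  `v` overrides the sampled noise."""
    rng = random.Random(seed)
    b = rng.randrange(1, (1 << m) - 1)                         # b in S_m
    if v is None:
        v = sum((rng.random() < eta) << j for j in range(n))    # Pr[v_j = 1] = eta
    y = vec_mat(b, circ_rows(k1, m, cols=n)) ^ v                # (b o C^{[m x n]}_{k1}) xor v
    r = rng.getrandbits(m - n - 1)
    theta = y | (r << n)                                       # y || r, (m-1)-bit plaintext
    z = vec_mat(theta, circ_rows(k2 ^ a, m, rows=m - 1))       # Enc(y || r, k2 xor a)
    return b, z


def lcmq_verify(k1, k2, a, b, z, m, n, tau):
    """Reader side: Dec(z, k2 xor a), then the Hamming-weight test against tau."""
    theta = gf2_solve(circ_rows(k2 ^ a, m, rows=m - 1), z)
    if theta is None:
        return False
    y = theta & ((1 << n) - 1)
    return hw(vec_mat(b, circ_rows(k1, m, cols=n)) ^ y) <= tau


if __name__ == "__main__":
    m, n, eta, tau = 163, 162, 0.08, 19                # the slides' 80-bit parameter set
    assert is_circulant_p2_modulus(m)
    k1 = rand_even(m, 1) ^ 1                           # k1 in S_m (odd weight here)
    k2, a = rand_even(m, 2), rand_even(m, 3)           # k2, a in S^e_m
    b, z = lcmq_tag(k1, k2, a, m, n, eta, seed=4)
    print("honest tag:", lcmq_verify(k1, k2, a, b, z, m, n, tau))
    print("forged z:  ", lcmq_verify(k1, k2, a, b, 0x5EED, m, n, tau))
```

Exhaustively checking m = 11 confirms both slide claims: every (m − 1)-row landscape matrix built from θ ∈ S_m has full rank, and the square C_θ is invertible exactly when Hwt(θ) is odd. With the real parameters an honest tag is rejected only when the sampled noise exceeds τ = 19 of n = 162 positions (mean 12.96 at η = 0.08), while a forged z must both lie in the row space of the landscape matrix and decrypt to a y within weight τ of the tag's b-dependent reference value.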
Security of LCMQ Protocol
An LCMQ authentication system is denoted by a pair of probabilistic functions (T_{k1,k2,η,n}, R_{k1,k2,n,τ}).
Definition (DET-model): Adversary A interacts q times with the tag T_{k1,k2,η,n}.
Definition (MIM-model): Adversary A manipulates any communications between the tag T_{k1,k2,η,n} and the reader R_{k1,k2,n,τ} for q executions.
The LCMQ protocol is provably secure in both the DET-model and the MIM-model!
Practical Parameters
According to the LCMQ security proofs in the DET-model, m ≥ 81 would suffice to provide 80-bit security.
The security proof in the MIM-model demands negligible false rates, ruling out too small choices of m.
Recommended Parameter Set for 80-bit Security: m = 163, n = 162, η = 0.08, τ = 19
Key size: 326 bits (k1 and k2, m bits each)
WG-7 based Authentication Protocol (Luo-Chai-Gong-Lai 10)
Reader                                                 Tag
Randomly pick n_R           ------- n_R ------->
                                                       Randomly pick n_T
                                                       M1 = id ⊕ n_T
                                                       M2 = WG7(k, n_R ⊕ n_T)
                            <---- (M1, M2) -----
Search a valid (id, k) such that
WG7(k, n_R ⊕ M1 ⊕ id) = M2;
continuously execute WG7 for 80 more
clock cycles and obtain M3
                            ------- M3 ------->
                                                       Verify M3
A privacy-preserving challenge-response protocol
Security Properties
The protocol has the following privacy and security properties:
• Tag untraceability
• Resistance to tag impersonation
• Resistance to reader impersonation
An adversary can obtain at most 160 consecutive keystream bits from a successful mutual authentication (80 bits of M2 followed by 80 bits of M3).
For a chosen-IV attack, the adversary can get at most 80 keystream bits for each IV; thus it is impossible for the adversary to obtain 224 consecutive keystream bits in this protocol.
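The message flow, the back-end search and the 80 + 80 bit keystream budget of the protocol above, as an added example (not code from the slides or from Luo, Chai, Gong and Lai). WG-7 itself is not specified on these slides, so its keystream is stood in by HMAC-SHA-256 run in counter mode under key k and IV = n_R ⊕ n_T: the first 80 output bits play M2 and the next 80 play M3. The 80-bit id, key and nonces and the seeded nonce generator (for reproducibility only) are assumptions of this example.

```python
"""WG-7 based mutual authentication, message flow only (added example)."""
import hashlib
import hmac
import random

BITS = 80
MASK = (1 << BITS) - 1


def wg7_bits(k, iv, nbits):
    """Stand-in for clocking WG-7 nbits times under (k, iv); not WG-7 itself."""
    out, ctr = b"", 0
    while len(out) * 8 < nbits:
        msg = iv.to_bytes(BITS // 8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(k.to_bytes(BITS // 8, "big"), msg, hashlib.sha256).digest()
        ctr += 1
    return int.from_bytes(out, "big") >> (len(out) * 8 - nbits)


def tag_respond(id_, k, n_r, seed=0):
    """Tag: pick n_T, send M1 = id xor n_T and M2 = first 80 keystream bits.
    Also returns the M3 the tag will expect from the reader (next 80 bits)."""
    n_t = random.Random(seed).getrandbits(BITS)
    ks = wg7_bits(k, n_r ^ n_t, 2 * BITS)
    return (id_ ^ n_t, ks >> BITS), ks & MASK


def reader_identify(db, n_r, m1, m2):
    """Back end: find (id, k) with WG7(k, n_R xor M1 xor id) == M2, which costs
    one keystream computation per stored tag; then take 80 more bits as M3."""
    for id_, k in db:
        ks = wg7_bits(k, n_r ^ m1 ^ id_, 2 * BITS)
        if ks >> BITS == m2:
            return id_, ks & MASK
    return None


def session(db, id_, k, seed=0):
    """One full run; returns (id the reader identified or None, tag accepted M3?)."""
    rng = random.Random(seed)
    n_r = rng.getrandbits(BITS)                                   # reader -> tag
    (m1, m2), expected_m3 = tag_respond(id_, k, n_r, rng.getrandbits(32))  # tag -> reader
    found = reader_identify(db, n_r, m1, m2)
    if found is None:
        return None, False
    found_id, m3 = found                                          # reader -> tag
    return found_id, m3 == expected_m3                            # tag verifies M3


if __name__ == "__main__":
    rng = random.Random(7)
    db = [(rng.getrandbits(BITS), rng.getrandbits(BITS)) for _ in range(3)]   # constructed tags
    id_, k = db[2]
    print("genuine tag:", session(db, id_, k, seed=1) == (id_, True))   # True
    print("cloned id, wrong key:", session(db, id_, k ^ 1, seed=1))    # (None, False)
```

Because M1 is id masked with a fresh n_T, two sessions of the same tag show different M1 values, which is the untraceability property; it holds only as long as n_T is uniform and never repeated, since a repeated n_T makes M1 a fixed value for that tag. A passive adversary who already knows id learns the IV and at most the 160 keystream bits M2 || M3 per session, matching the budget stated above.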
Devices for Implementation
Concluding Remarks
RFID is one of the most promising technologies in the field of ubiquitous and pervasive computing.
The EPC standard has posed a stringent challenge for designing security mechanisms for RFID systems.
Lightweight cryptographic algorithms and protocols are crucial for RFID security.
Related Work
Z. Li and G. Gong. Secure and Efficient LCMQ Entity Authentication Protocol. Centre for Applied Cryptographic Research (CACR) Technical Reports, CACR 2010-21, available at http://www.cacr.math.uwaterloo.ca/.
Y. Luo, Q. Chai, G. Gong, and X. Lai. A Lightweight Stream Cipher WG-7 for RFID Encryption and Authentication. IEEE Global Communications Conference (IEEE GLOBECOM 2010), December 6-10, 2010, Miami, Florida, USA.
The other references can be found in the above two papers.
Questions?