1

Dynamic Key-Updating: Privacy-Preserving Authentication for

RFID Systems Li Lu, Lei Hu

State Key Laboratory of Information Security, Graduate School of Chinese

Academy of Sciences Jinsong Han, Yunhao Liu, and Lionel M. Ni

Dept. of Computer Science and Engineering, Hong Kong University of

Science and Technology

2

Why Privacy in RFID?

RFID (Radio Frequency Identification) has been very popular

TagReaderMost important usage

Identifying valid users or entities

A tag is attached

Bob’s car

3

Basic Identification Procedure

iTReader Tag(1) Request

(2) IDiT

4

A tag is attached

Bob’s car

However…

Automatic response Silent scanning

Adversary

I found Bob.

5

Motivation

Concerns regarding RFID privacyAn attacker can’t determine which tag he is accessing and can’t get any information about the tag’s owner.

In ShortPrivate authentication

Keeping private information (ID, Name,…)Authenticating valid users

6

Introducing Encryption into RFID

iTReader Tag(1) {Request,

P}

(2) {ID , P}KiT

K

Key-Searching

7

Linear Key-Searching

iT

)(Pfik -- keyed one-way function

P -- a random number -- key shared by reader and tag

Reader Tag

ik

(1) Request, P

(2) )(, PfEPik

(3) searches the key space of all tags for a key

jjkK }{EPf

jk )(

Key-searching is linear search, O (n). Thus it is not practical in large scale systems.

k1 k2 kn..

8

1,1k 2,1k

1,2k2,2k 3,2k 4,2k

1,3k 2,3k 3,3k 4,3k 5,3k6,3k

7,3k 8,3k

1T 2T 3T 4T 5T 6T 7T 8T

A binary key tree with eight tags

,),,( 4,32,21,1 kkk 4T

Tree-based Key-searching

9

Authentication of Tree-based Protocols

1 Request, r

1 Nonce, r 2 Nonce, r

Reader Tag iT

),,(),,,(),,,(, 2132122112 rrkhrrkhrrkhr iii

Identification:

1T 2T 3T 4T 5T 6T 7T 8T

4T1,1k 2,1k

1,2k 2,2k

3,3k 4,3k

Compute ),,( and ),,( 212,1211,1 rrkhrrkh

),,( with comparethen 211 rrkh i

Compute ),,( and ),,( 212,2211,2 rrkhrrkh

),,( with comparethen 212 rrkh i

Compute ),,( and ),,( 214,3213,3 rrkhrrkh

),,( with comparethen 213 rrkh i

O(logn)

10

Drawbacks:No forward security.Vulnerable to compromising attack.

Requires Key Updating

1,1k 2,1k

1,2k2,2k 3,2k 4,2k

1,3k 2,3k 3,3k 4,3k 5,3k6,3k

7,3k 8,3k

1T 2T 3T 4T 5T 6T 7T 8T

11

Requirement of Key-Updating

Challenging issues:No interruption during authenticationAutomatically updating keys

We use two techniques to keep the consistency of key-updating: temporary key and state bit.

12

Our Protocol: SPATemporary keys are used to store old

keys. State bits are used to record the key-updating status of nodes in the sub-trees.

0k

1,1k2,1k

1,2k 2,2k 3,2k 4,2k

1T 2T 3T 4T

0tk

1,1tk2,1tk

ls0rs0

ls 1,1rs 1,1

ls 2,1rs 2,1

For example: Temporary KeyState bit

13

An Example of Key-Updating

4,2k

0 0 0 0

0 0

1 1

1

00

0k

1,1k 2,1k

1,2k2,2k 3,2k

1T 2T 3T 4T

0tk

1,1tk 2,1tkUsing , and to identify

0k 1,1k 1,2k1T

Using , and to identify

0k 1,1k 2,2k2T

)( 1,21,2 khk

Using , and to identify

0k 1,1tk 1,2k1T

The ’s second identification

1T

1

The ’s identification1TThe ’s identification

2T

)( 1,11,1

1,11,1

khk

ktk

)( 2,22,2 khk

Authentication:Basic tree-based identificationKey updating

Authentication sequence: T1, T2, T1

14

New Tag Joining

20s

10s

ls 1,1rs 1,1 ls 2,1

rs 2,1ls 3,1

rs 4,1

30s New subtree00 ,tkk

1,11,1 ,tkk2,12,1 ,tkk

3,13,1 ,tkk

1,2k 2,2k 3,2k 4,2k

1T 2T 3T 4T5,2k

5T6,2k

15

Tag Leaving

T1 T2 T4

20s

10s

ls 1,1rs 1,1 12,1 ls rs 2,1

k2,1 k2,2 k2,3 k2,4

k0, tk0

k1,1, tk1,1 k1,2, tk1,2

T5

ls 3,1

rs 4,1

k2,5 k2,6

30s

k1,3, tk1,3

16

Which key is used?

Which keys is used?

1,1k

2,2k

3,3k 4,3k

1T 2T 3T 4T 5T 6T 7T 8T

1,1k1,1tk

2,2k 2,2tk

3,3k 4,3k

0k 0tk

Compromising Attack Resistance

17

Security Analysis

Property\ProtocolStatic tree-

based approaches

Our design

Privacy Yes Yes

Untraceability Yes Yes

Cloning resistance Yes Yes

Forward security No Yes

18

0 20 40 60 80 1000

0.2

0.4

0.6

0.8

1

Branching Factor

Co

rre

late

d-e

xpo

sin

g p

rob

ab

ility t=20,Static tree

t=20,SPAt=200,Static treet=200,SPA

Exposing Probability Comparison(Under Compromising Attack)

Each non-leaf node has 2 keys (1 working key and 1 temporary keys).

19

0 2 4 6 8 100

500

1000

1500

2000

Tag accessing Frequency

Ke

y-U

pd

atin

g L

ate

ncy

( s

)

Upper boundSPALower bound

Key-Updating Latency

Each key updating needs less than 2 ms when the tag accessing frequency does not exceed 10 times per

second.

20

Conclusion

By using dynamic key-updating scheme, SPA enhances the security of existing RFID private-authentication protocols.SPA is lightweight. The authentication efficiency is logarithmic and the key-updating latency is acceptable.SPA can effectively defend against both passive and active attacks including compromising attack.

21

22

Authentication

To protect reader from forged tags.Only authorized reader can read valid tags.

Is the tag which I am reading valid?Is the reader which scans tags authorized?

23

However…

Authorized reader may be cheated by forged tags.A cloning tag may insert into a system while not be notified.A malicious reader can read the content in a tag easily.The goal of authentication: only authorized readers can get the content in valid tags, while private information would not be leaked if there exist dishonest entities.

24

Private Authentication

Tradeoff between privacy and authentication:

Privacy is to hide the identity of RFID tag.Authentication needs to know the identity of tag before tag being authenticated.

Private authentication is to hide the identity of a tag in authentication procedure:

Reader identifies a tag at the end of authentication.

25

System Initialization

The reader assigns the N tags to N leaf nodes in a balanced binary tree S. Each non-leaf node j in S is assigned with two keys, a working key and a temporary key .Initially, each key is generated randomly and independently by the reader, and for all non-leaf nodes. When a tag is introduced in the system, the reader distributes the keys from the root to a leaf node to this tag. for a non-leaf node j at the path, if , tag is assigned .

jkjtk

jj ktk

jj ktk jk

26

Mutual Authentication Procedure

1 Nonce, r 2 Nonce, r

Reader iTTag

1 Request, r

),,(),...,,,(),,,(, 212122102 rrkhrrkhrrkhr id

ii

ationSynchroniz ,

Updating keys

Identifying iT

Computing),,( 21 rrkh i

d

Checking Updating keys

27

Tag Identification

The tag identification procedure is similar to the previous tree-based approaches.The differences:

For each non-leaf node included in the identification, the reader uses not only the working key k, but also the temporary key tk. If some of the keys stored in a tag are temporary keys, the reader will record the level information of these keys in the synchronization message to inform the tag updating these keys.

28

Key-updating Rules

Use hash function h to generating a new key.Let be the old key for node jA new key

To remain consistent, the non-leaf node j uses temporary key to store j’s old key. Use state bits to note the key state of non-leaf node j’s children nodes. 1 for having been updated, otherwise 0.If keys in all j’s children have been updated, j updates itself.

jk)('

jj khk

jtk

29

Three Key Parameters

the correlated-exposing probability is mainly determined by three key parameters:

t, the number of compromised tags; , the branching factor of the key tree;a, the number of keys belonging to each non-leaf node

30

A new tag joining

20s

10s

ls 1,1rs 1,1 ls 2,1

rs 2,1ls 3,1

rs 4,1

30s New subtree00 ,tkk

1,11,1 ,tkk2,12,1 ,tkk

3,13,1 ,tkk

1,2k 2,2k 3,2k 4,2k

1T 2T 3T 4T5,2k

5T6,2k

31

Tag leaving

T1 T2 T4

20s

10s

ls 1,1rs 1,1 12,1 ls rs 2,1

k2,1 k2,2 k2,3 k2,4

k0, tk0

k1,1, tk1,1 k1,2, tk1,2

T5

ls 3,1

rs 4,1

k2,5 k2,6

30s

k1,3, tk1,3

32

Linear Key-Searching

iT

)(Pfik -- keyed one-way function

P -- a nonce -- key shared by reader and tag

Reader Tag

ik

(1)

(1) Request, P

(2)

(2) )(, PfEPik(3) searches the key sp

ace of all tags for a key s.t.

jjkK }{EPf

jk )(

Key-searching is linear search, O (n). Thus it doesn’t fit large scale systems.

k1 k2 kn..

33

Prototype Implementation

We have implemented the our design on 40 Mantis™-series 303 MHz asset tags and a Mantis™ II reader manufactured by RF Code. The back-end database is implemented on a desktop PC with the following configurations: Pentium M 3.2G dual core CPU, 1GBytes memory, and 40G hard disk. We use the SHA-1 algorithm as the secure hash function the system is able to maintain up to tags

202N

34

0 20 40 60 80 1000

0.2

0.4

0.6

0.8

1

Branching Factor

Co

rre

late

d-e

xpo

sin

g p

rob

ab

ility t=20,Static tree

t=20,SPAt=200,Static treet=200,SPA

Comparison of Static Protocols (under compromising attack)

Each none-leaf node has 2 keys (1 working key

and 1 temporary keys).

0 20 40 60 80 1000

0.2

0.4

0.6

0.8

1

Branching Factor C

orre

late

d-ex

posi

ng p

roba

bilit

y t=20,Static treet=20,SPAt=200,Static treet=200,SPA

Each none-leaf node has 5 keys (1 working key and 4

temporary keys).