designing low-cost untraceable authentication protocols for rfid · 2010. 6. 29. ·...
TRANSCRIPT
-
Designing Low-Cost Untraceable Authentication Protocols for RFID
Dave Singelée
IFIP WG 11.2 Seminar Istanbul
June 07, 2010
-
Outline of the talkn Introductionn RFID authentication protocols
n Security requirementsn Privacy requirementsn Implementation requirements
n ECC-based RFID authentication protocols
n Design challengesn Conclusion
-
RFID technologyn Radio Frequency Identification
n RFID setupn Back-end servern Readern Tag
-
Online vs offline scenarion Online
n Offline
-
RFID tags
n Various types of tags
1. Passive tag2. Battery assisted (BAP)3. Active tag with onboard power source
-
RFID authentication protocols
n Tag proves its identityn Challenge-response protocol
Reader Tag
Challenge
Response
-
Requirements
n Securityn Entity authentication
n Privacyn Untraceability
n Implementation issuesn Scalabilityn Low-cost
-
RFID security problems (I)
n Impersonation attacksn Genuine readersn Malicious tags
=> Tag-to-server authentication
-
RFID security problems (II)
n Eavesdroppingn Replay attacksn Man-in-the-middle attacksn Cloningn Side-channel attacksn …
-
RFID privacy problems (I)
n RFID Privacy problemn Malicious readersn Genuine tags
=> Untraceability
-
RFID privacy problems (II)
n Anonymityn The (fixed) identity of a tag must be
impossible to determine
n Untraceabilityn Inequality of two tags: the (in)equality of
two tags must be impossible to determine
n Untraceability > anonymity
-
RFID privacy problems (III)n Theoretical frameworkn Vaudenay [ASIACRYPT ‘07]:
n 8 privacy classes
Narrow
Wide
Weak StrongForward Destructive
X X X X
X X XX
n Public-key cryptography needed to achieve certain privacy properties!!!
-
Implementation issues
n Scalabilityn Low-cost implementation
n Memoryn Gate area
n Lightweightn Efficient
=> Depends on cryptographic building blocks used in the protocol
-
Implementation costn Symmetric encryption
n AES: 3-4 kgates
n Cryptographic hash functionn SHA-3: 10 – 30 kgates)
[ECRYPT II: SHA-3 Zoo]
n Public-key encryptionn Elliptic Curve Cryptography (ECC): 11-15 kgates
=>Public key cryptography is suitable for RFID
-
ECC-based RFID authentication protocols
n Rely exclusively on ECC !!!n Security requirementsn Privacy requirementsn Implementation requirements
n Schnorr protocoln Randomized Schnorrn ID-transfer schemen …
-
ID-transfer scheme [WISEC 2010]
Tag: x1, Y=yP
T1
T2
1sr
r , T r Pt1 1 t1∈ ←¢
( )12 1 1T r r x Yst
← +g
1 1( )( )12 1 1y T T r x Ps
− −− =g
1rs
∈¢
Server: y, X = x1P
-
Design challenges (I)
n Readers share same private key yn Online scenario: OKn Offline scenario:
n NOT OKn 1 compromised reader => no privacy
n How to solve the problemn Give unique private key to each reader?n Key updates / revocation / ... ??
-
Design challenges (II)
n ECC-based RFID protocols in literaturen Narrow-strong: OKn Wide-weak: NOT OK
n Man-in-the-middle attacksn Insider attacks
⇒ Increase privacy protection⇒ Low cost solutions
-
Design challenges (III)
n Secure and privacy-preserving extensions of basic RFID authentication protocolsn Search protocoln Grouping proofsn ...
n Physical layer securityn Distance boundingn Physical layer fingerprintsn ...
-
Design challenges (IV)
n Improve efficiencyn Lower # EC point multiplicationsn Decrease communication costn ...
n Further improve ECC hardware architecturen Arean Speedn Power consumption
-
Conclusion
n Security & privacy in RFID networksn Need for public-key based RFID
authentication protocolsn ECC is feasible on RFIDn Designing protocol is challenging task
n Various open research problems
-
Questions??
mailto:[email protected]
-
EXTRA SLIDES
-
ECC hardware architecture
-
Performance results
Circuit Area (Gate Eq.) 14,566
Cycles for EC point multiplication 59,790
Frequency 700 KHz
Power 13.8 µW
Energy for EC point multiplication 1.18 µJ
-
Schnorr protocol [CRYPTO ‘89]
Server: X = -xP Tag: x
R1
v
2r
r , R r P1 1 1∈ ←¢
2 1v xr r← +
2 1vP r X R+ =
2r ∈¢
-
Schnorr protocol (II)
n Security: OKn Privacy: vulnerable to tracking attacks
1 ( )2 1
X r R vP−= ⋅ −
-
Randomized Schnorr [CANS ‘08]
Server: y, X = xP Tag: x, Y = yP
T1 , T2
v
s 1r
, 2r rt1 t ∈¢
1 2 1v r r xr
t t s← + +
1 1( )1 1 2
r vP T y T Xs− −⋅ − − =
1rs
∈¢T r P , T r Y1 t1 2 t2← ←
-
Randomized Schnorr (II)
n Security: OKn Privacy
n Narrow-strongn Not wide-weak: vulnerable to man-in-the-
middle attackn Combine data from old protocol run with current
protocol instancen Server accepts => same tag=> Traceability
-
Randomized Schnorr (III)
-
ID-transfer scheme (protocol 1)