Security Analysis and Improvements on an Ultra-Lightweight RFID Authentication Protocol (一個極輕量級RFID認證協議的安全性分析與改良) - NCCU Academic Hub (政大學術集成)

Academic year: 2021

Full text

National Chengchi University, Department of Computer Science
Master's Thesis

Security Analysis and Improvements on an Authentication Protocols in Ultra-Lightweight RFID Systems
(一個極輕量級 RFID 認證協議的安全性分析與改良)

Student: Szu-Wei Huang (黃思瑋)
Advisor: Ray-Lin Tso (左瑞麟)

A Thesis Submitted to the Department of Computer Science, National Chengchi University, in partial fulfillment of the requirements for the degree of Master in Computer Science.

September 2013 (Republic of China year 102)

Security Analysis and Improvements on an Ultra-Lightweight RFID Authentication Protocol

Abstract (translated from the Chinese original)

Radio Frequency Identification (RFID) is a wireless communication technology. Using radio-frequency signals, it identifies specific targets and reads and writes the related data in a contactless manner, and obtains the related information from the backend database system. Because it can identify targets at a distance without line of sight and is low in cost, this technology brings unprecedented convenience to applications in all kinds of fields. However, the greatest difficulty RFID technology faces is that its protocols lack privacy protection and data security. This leaves the data transmitted over the wireless signal vulnerable to eavesdropping, scanning and tracking by attackers. Many researchers have proposed many schemes to solve this problem. Among them, Bassil et al. proposed in 2012 a PUF-based lightweight RFID authentication scheme; this scheme can prevent physical cloning attacks, but the protocol it proposes still has security weaknesses. Therefore, in this thesis, starting from the scheme proposed by Bassil et al., we analyze its security vulnerabilities and, while taking both security and low cost into account, propose a new lightweight RFID authentication protocol based on PUF functions.

Security Analysis and Improvements on an Authentication Protocols in Ultra-Lightweight RFID Systems

Abstract

Radio Frequency IDentification (RFID) is a radio communication technique. It identifies specific targets and acquires the related data from the backend database using radio-frequency signals, with no physical contact needed. Because of its advantages of low cost and remote identity recognition, this technology has been widely used in many applications. However, the information transmitted via the radio signal is easily eavesdropped and traced by an attacker. It is therefore important to design a secure RFID protocol which can ensure the authentication of the origin and the integrity of the transmitted information. Researchers have put their efforts into this field and proposed many solutions to deal with these issues. In particular, in 2012, Bassil et al. introduced an ultra-lightweight RFID protocol based on a physical unclonable function (PUF), which means that the tags in the RFID architecture are unclonable. However, we found that this protocol has some security flaws. In this thesis, we first analyze the security loopholes of the scheme and then propose a new ultra-lightweight RFID protocol based on a PUF to overcome them.

Table of Contents

Chapter 1 Introduction ... 1
  1.1.1 RFID Introduction ... 1
  1.1.2 RFID Applications ... 1
  1.1.3 RFID Classifications ... 2
  1.2 Research Motivation ... 4
  1.3 Research Purpose and Contribution ... 5
  1.4 Overview ... 6
Chapter 2 Classification and Security Analysis of RFID Communication Protocol ... 7
  2.1 Classification of Communication Protocol ... 7
  2.2 RFID Communication Protocol Must Have Security and Privacy ... 8
Chapter 3 Ultra-lightweight RFID Communication Protocol ... 12
  3.1 UMAP Family ... 12
    3.1.1 M2AP ... 12
    3.1.2 LMAP ... 18
    3.1.3 EMAP ... 23
    3.1.4 Security Analysis of UMAP Family ... 28
  3.2 SASI ... 29
    3.2.1 Basic Assumptions of SASI ... 29
    3.2.2 SASI Ultra-lightweight RFID Communication Protocol ... 30
    3.2.3 Security Analysis of SASI ... 35
  3.3 Physical Analytic Cloning Attack ... 36
Chapter 4 PUMAP Ultra-lightweight RFID Communication Protocol ... 37
  4.1 Physical Unclonable Function ... 37
  4.2 PUMAP ... 39
Chapter 5 Our Ultra-lightweight RFID Communication Protocol ... 45
  5.1 Basic Assumptions of Our Protocol ... 45
  5.2 Our Ultra-lightweight RFID Communication Protocol ... 47
  5.3 Security Analysis of Our Protocol ... 51
Chapter 6 Conclusion ... 54
Chapter 7 References ... 55

List of Figures

[Figure 3.1] The complete protocol of M2AP ... 17
[Figure 3.2] The complete protocol of LMAP ... 22
[Figure 3.3] The complete protocol of EMAP ... 27
[Figure 3.5] The DoS attack flowchart ... 35
[Figure 4.1] Arbiter PUF ... 38
[Figure 4.2] Schematic diagram of transformation of the signal ... 38
[Figure 4.3] The complete protocol of PUMAP ... 43
[Figure 5.1] The first step of our protocol ... 50
[Figure 5.2] The second step of our protocol ... 50
[Figure 5.3] The third step of our protocol ... 51

List of Tables

[Table 1.1] The comparison table of RFID and traditional bar-code ... 2
[Table 2.1] Comparison of RFID communication protocol types ... 8
[Table 3.1] The table of notations in the M2AP protocol ... 14
[Table 3.2] The table of notations in the LMAP protocol ... 19
[Table 3.3] The table of notations in the EMAP protocol ... 25
[Table 3.4] The table of notations in the M2AP protocol ... 31
[Table 4.1] The table of notations in the PUMAP protocol ... 41
[Table 5.1] The table of notations in our protocol ... 48

Chapter 1 Introduction

1.1.1 RFID Introduction

RFID is the abbreviation of "Radio Frequency Identification". An RFID system is composed of readers, RFID tags and a backend database. To connect, the reader first emits radio waves and reaches any RFID tag within its induction range; information can be exchanged once communication has been established. The electromagnetic wave sent by the reader induces an electric current in the tag, which gives the tag the power to compute and to send a responding electromagnetic wave back to the reader. The reader then forwards the messages to the backend database.

The composition of an RFID system can be roughly divided into three parts:

(1) Reader: A reader is the interrogator in an RFID system. It can induce and recognize a tag via radio waves, and send the information from the tag back to the database through wireless communication.

(2) Database: The database management system receives the information from the reader and takes the corresponding actions according to the tag, which is automatic, safe and immediate.

(3) Tag: A tag is composed of analog, digital and memory chips together with an antenna designed for the operating frequency. The chips are used for computation and storage; the antenna receives radio waves. Furthermore, according to their power supply, tags can be classified into three types: active, semi-passive and passive. Details are given later in this chapter.

1.1.2 RFID Applications

The earliest application of RFID can be traced back to World War II. RFID was invented by the British army to distinguish the airplanes entering British air space; it was called "Identification of Friend or Foe". As time changes and the evolution

of technology sprouts, the Radio Frequency Identification technique has recently become more and more mature, and RFID application systems have developed vigorously. Applications of RFID include, for example, stock management, entrance guard control and animal monitoring. Since RFID tags are used in many kinds of applications, RFID communication protocols that are secure and efficient are desired.

RFID can replace the contact-based bar-code. Furthermore, RFID is better than the bar-code in applied mobility, data security and reading speed. RFID makes the whole identifying procedure automatic and improves commercial working efficiency. The main difference between RFID and the bar-code is that a bar-code can only record simple product information and is read by contact scanning with an infrared ray. Moreover, because a bar-code is read-only, its mobility is not as good as RFID's. Besides, a bar-code must be aimed at during identification, and it is easily damaged. Its reading process is inefficient because only one bar-code can be read at a time. RFID performs better: the reader of an RFID system is a contactless device, it can update information in a wireless environment, it is reusable, and it can read many tags at the same time. Unlike the bar-code, RFID improves the efficiency of data transfer.

The following table shows the comparison of RFID and the bar-code.

[Table 1.1] The comparison table of RFID and traditional bar-code

1.1.3 RFID Classifications

According to the power supply of tags, they can be divided into three types: passive, semi-passive and active.

(1) Passive [2][5][8][9][10][13]: Passive tags have no power supply inside. Through the electromagnetic waves they receive, which are emitted by an RFID reader, their internal integrated circuits obtain the energy to compute. When a tag receives a signal of sufficient intensity, it sends its data to the reader. Passive RFID tags are mainly used because of their low price, small volume, and the fact that no power supply is needed.

(2) Semi-passive [20]: The standard of semi-passive tags is similar to that of passive tags. The difference is that a semi-passive tag has a small battery whose power is just enough to activate the internal IC of the tag. Even if the IC of the tag receives a weak signal from the reader, it still has enough power to send the data back to the reader. The advantage of the semi-passive tag is that its internal antenna does not stop working when the electromagnetic signal is weak, and it has enough power to send signals back and forth. Furthermore, compared with a passive tag, a semi-passive tag reacts faster, transmits over a longer distance and communicates with the reader more efficiently.

(3) Active [7][14][18]: An active tag differs from the two types mentioned above. Active tags have their own power supply, which powers the internal IC to produce outgoing signals, so an active tag has a longer reading distance as well as a longer signal transmission distance. It also has a larger memory capacity to store additional data received from the reader. The difference between active and semi-passive tags is that, as far as the internal power is concerned, an active tag can transmit its memory data to the reader actively, whereas passive and semi-passive tags can only wait for the reader to send electromagnetic signals and then carry out the communication protocol.

Since our interest is to design a secure authentication protocol for ultra-lightweight RFID systems, where only passive tags are used, this thesis focuses on passive tags. The definition of ultra-lightweight is given in detail in Chapter 2.

1.2 Research Motivation

Because the communication environment of RFID is open and insecure, the communication channel between the reader and the tag is easily disrupted, which may leave the tag unusable. Even worse, personal data may be stolen by eavesdropping. On the other hand, to meet practical needs, an RFID system is expected to provide readers with massive reading and writing ability, and tags that are low in cost and can be mass-produced. The article by M. Ohkubo shows that production cost is a prime consideration for the tags on the market [15]: the cost of each tag should be less than 5 cents. Under this requirement, the computing ability of the tag is limited. Apart from privacy and security, the computing ability of tags is therefore also a considerable factor. So, when designing a communication protocol, tags cannot be required to do complicated computations such as the MD5 or SHA-1 hash functions [17]. Under the cost limit, encryption schemes cannot be used in a low-cost RFID communication protocol.

The other problem is the protection of users' privacy. Users' privacy can be divided into information privacy and location privacy. To protect both, the output of RFID tags should be encrypted and should change dynamically. If the output of a tag is not encrypted (i.e. the ID of the tag is used directly), attackers may track the tag and obtain the identity of its holder. If the ID of the tag remains unchanged in each connection, attackers can identify the tag holders by long-term observation and recording of the tags' output signals.

Therefore, a secure RFID communication protocol should satisfy the security demands below and resist known attacks [2][5][8][9][10][11][13]. (The next chapter explains these in detail.)

(1) Mutual authentication and data integrity
(2) Tag anonymity and resistance to tracking
(3) Data confidentiality
(4) Forward secrecy
(5) Resistance to replay attack
(6) Resistance to DoS attack
(7) Resistance to forgery
(8) Prevention of man-in-the-middle attack

1.3 Research Purpose and Contribution

Many researchers have continually proposed communication protocols aimed at tags with the lowest cost (also called ultra-lightweight; the categorization of communication protocols is introduced in the next chapter), but there are still security problems or weaknesses in the design of these protocols. Therefore, this thesis provides methods to alleviate the problems above and redesigns an ultra-lightweight RFID communication protocol based on a physical unclonable function.

To solve the problems of privacy and low cost, López et al. proposed a series of ultra-lightweight communication protocols in 2006, namely M2AP, LMAP and EMAP, also known as the UMAP family (Ultra-lightweight Mutual Authentication Protocols family) [9][8][10], in the hope of preventing illegal RFID readers from obtaining the information of the tag. The UMAP family protocols contain three main phases: the tag identification phase, the mutual authentication phase, and the pseudo-ID and key updating phase. However, in 2007, Li and Wang [12] listed the weaknesses of each protocol of the UMAP family, showing that UMAP cannot resist desynchronization attacks and tracing attacks, and does not possess forward security.

After the UMAP family, the most representative ultra-lightweight RFID communication protocol is SASI (Strong Authentication and Strong Integrity) [2], proposed by Chien. It provided a great idea for ultra-lightweight RFID communication protocols. However, from many later studies we know that SASI still has a few security problems [3], for example forward insecurity and vulnerability to replay attacks and desynchronization attacks.

Through this approach we can indeed prevent illegal readers from obtaining the information of the tags, but the tags built for the communication protocols above can easily be cloned by physical analysis.

So, to avoid the physical cloning attack, R. Bassil's article provided an ultra-lightweight RFID communication protocol based on PUFs (physically unclonable functions) [1]. However, the reader and the tags of this protocol can be subjected to a denial-of-service (DoS) attack. The purpose of this thesis is that the design of an ultra-lightweight RFID communication protocol should give high security and privacy protection to the users of the tags. Besides, the communication protocol should comply with the hardware limitations of ultra-lightweight tags and resist physical-analysis cloning attacks. This thesis provides an

ultra-lightweight RFID communication protocol based on a PUF structure and improves the protocol proposed by R. Bassil.

1.4 Overview

Chapter 1: The introduction to this thesis, including the research motivation, research purpose, contribution of the research, the summary of each chapter and the relevant background.

Chapter 2: Introduction to RFID communication protocols, the categorization of tags, and their security and privacy needs.

Chapter 3: Introduction to related research on ultra-lightweight RFID communication protocols. This chapter begins with a series of introductions to the UMAP family of communication protocols, then introduces the SASI communication protocol and describes the security problems of the UMAP and SASI protocols.

Chapter 4: To solve the physical-analysis cloning that even the communication protocols above cannot overcome, we have to use a physical unclonable function. This chapter gives operation examples, the purpose and the characteristics of physical unclonable functions. We then introduce PUMAP, proposed by R. Bassil, which is based on a PUF, and explain its existing security problems.

Chapter 5: We improve PUMAP to overcome the original security problems, and describe the security analysis of our protocol.

Chapter 6: Conclusions of this thesis, findings and the contribution of the research.

Chapter 2 Classification and Security Analysis of RFID Communication Protocol

RFID (radio frequency identification) technology has become very popular in recent years. The system has the characteristics of simplicity and diversity: it can read multiple RFID tags at the same time, work in a variety of harsh environments, and its electronic tags have a larger internal capacity than a bar code. So RFID systems have gradually been replacing the traditional bar code and are widely used in daily life. However, current RFID communication systems still have some controversies; for example, the present security is insufficient to effectively protect the privacy of users. RFID systems are mainly used in open environments, so there are always threats in these insecure environments. To prevent illegal attacks, the RFID authentication protocol plays the key role. Therefore, many researchers began to pay attention to this problem and to study RFID authentication protocols. They classified RFID communication protocols in accordance with practical needs. This chapter introduces the classification of RFID communication protocols and their security and privacy requirements.

2.1 Classification of Communication Protocol

The classification of RFID communication protocols was first proposed by López et al. [8]. By the cost of the chips, they divided protocols into two types, low cost and high cost. However, this classification is too rough to meet practical needs. Therefore, in 2007, Chien brought up a new classification on the basis of chips, cost of production and computing capability [2]. He divided RFID communication protocols into four types: full-fledged, simple, lightweight and ultra-lightweight. The following table gives a comparison of the four RFID communication protocol

types [2]:

[Table 2.1] Comparison of RFID communication protocol types.

1. Full-fledged: Protocols of the full-fledged class support cryptographic functions such as hashing, encryption and even public-key algorithms on tags. These protocols are generally designed for active tags. One of the main applications of full-fledged protocols is the e-passport.

2. Simple: Tags of the simple class should support a random number function and hash functions, but not encryption functions or public-key algorithms.

3. Lightweight: Lightweight RFID communication protocols do not require a hashing function on tags. For example, the EPCglobal Class-1 Gen-2 RFID tag [6] supports a pseudo-random number generator (PRNG) and a cyclic redundancy code (CRC) checksum, but no hashing function.

4. Ultra-lightweight: In ultra-lightweight communication protocols, the tags only perform simple bit-wise operations such as XOR, AND, OR and modular operations. These schemes are very efficient, requiring only about 300 gates. This thesis puts its emphasis on ultra-lightweight RFID communication protocols.

2.2 RFID Communication Protocol Must Have Security and Privacy

Because RFID is an open data system, if personal privacy is leaked during the

communication process, it will cause security problems like privacy infringement and data disclosure. Therefore, to avoid these security problems, we have to consider the problems the protocol might have when designing an RFID communication protocol. "Security in RFID and Sensor Networks" [19] mentions three notions of security in RFID communication protocols: confidentiality, integrity and availability. [19] defines them as follows:

1. Confidentiality: The information is accessible only to those authorized for access. Private information, such as the static identifiers transmitted by tags, falls in the confidentiality dimension. Furthermore, RFID technology allows the tracking of items. From a user's perspective, tracking should be avoided; companies, however, may use it to control the flow of materials in their supply chains, increasing the productivity of their processes.

2. Integrity: To ensure that messages are not modified in transit. Additionally, some systems provide authenticity of messages: the receiver is able to prove that a message originated from the purported sender and is not a forgery (non-repudiation). An example of an attack on this property is the spoofing attack.

3. Availability: System availability is determined by whether (or how often) a system is available to its intended users. This factor determines the performance and the scalability of the system. DoS (denial-of-service) attacks are the common threat to it (e.g. active jamming of the radio channel, or preventing the normal operation of nearby tags by using some kind of blocker tag).

Each researcher has a different view of the details of these three types. This thesis consults many studies and lists the security and privacy items that most researchers consider extremely important [2][5][8][9][10][11][13].

1. Mutual Authentication and Data Integrity

To ensure that readers and tags are all communicating with a legal tag or reader, the RFID communication protocol must achieve mutual authentication. Because the reader and the tag share common private data, they can compute the exchanged messages and verify whether they match, thereby completing the mutual authentication. Besides, the internal memory of a tag is writable, so during the verification process we have to ensure its security and protect it from attacks that could leave its data incomplete. Even if an attacker interferes and the data

becomes incomplete, it can still be corrected through mutual authentication.

2. Tag Anonymity and Resistance to Tracking

When tag holders run the communication protocol, it is necessary to protect their privacy. If attackers eavesdrop on the communication between tags and readers over the open channel, they should only obtain meaningless contents; in other words, the eavesdropped contents cannot be recognized, and thus the privacy of the tag holders is protected. Besides, after a tag holder runs the RFID communication protocol, even if attackers eavesdrop on the communication between the tag and the reader again, they still cannot tell whether it is the same tag. That is resistance to tracking.

3. Data Confidentiality

The static ID of the tag has to be kept confidential. If attackers obtain this ID, they can track the communication between the tag and the reader, which undoubtedly leaks the tag holder's privacy; so the internal rewritable memory of the tag should be kept confidential as well. During communication, a pseudo-ID rather than the static ID of the tag should be used to achieve mutual authentication, ensuring that even if attackers capture the contents, they still cannot confirm the identity of the tag from them.

4. Forward Secrecy

Suppose that attackers obtain the data in the rewritable memory of the tag. If they cannot recognize the contents of the tag's previous legal communications, they still cannot track the attacked tag or establish a legal communication.

5. Resistance to Replay Attack

If an attacker eavesdrops on all communication between the tag and the reader, a secure RFID communication protocol should prevent the attacker from using the previously eavesdropped contents to pass the authentication of the tag or the reader by replaying the same communication data in order to impersonate a legal reader or tag.

6. Resistance to Denial-of-Service Attack

A secure RFID communication protocol should be able to resist denial-of-service attacks during communication. When attackers make the information exchanged between the tag and the reader incomplete by forging or blocking messages or by interfering with the communication, so that the internal data of the reader or the tag goes

wrong or fails to be updated, and the legal tag can no longer complete communication with the reader's database, this is called a denial-of-service attack (DoS attack). Therefore, a secure RFID communication protocol should be able to resist DoS attacks.

7. Resistance to Forgery

When attackers eavesdrop on the whole communication between the tag and the reader and create new communication data that can pass the identification and authentication of the legal tag or reader, the forgery is successful. A secure RFID communication protocol should be able to resist it.

8. Prevention of Man-in-the-middle Attack

If the attacker injects messages into the communication like a megaphone while tags are communicating with the reader, inserting forged data as if it came from legal tags or readers and disrupting their communication, the forged data will not be perceived as coming from an attacker, because authentication has already been performed between the reader and the tags. Therefore, the tag or the reader will take the attacker as a legal partner. This is called a man-in-the-middle attack, and a secure RFID communication protocol should have means to prevent it.
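As an added illustration of requirements 2 and 6 above (this is example code written for this page, not code from the thesis or from any of the protocols it cites), the following Python model compares a tag that always answers with the same identifier against one that answers with a pseudonym refreshed after every session, from the point of view of an eavesdropper recording the open channel, and then shows the desynchronization behind the denial-of-service requirement: one update message blocked by an attacker leaves the tag and the backend holding different pseudonyms. The keyed update function (a keyed BLAKE2b hash), the fallback that also accepts the previous pseudonym, and all identifier values are assumptions of this example; a keyed hash is far heavier than an ultra-lightweight tag can afford and only stands in for the protocol-specific update.

```python
import hashlib
import random

WORD_BITS = 96                  # identifier and key length assumed in the thesis
MASK = (1 << WORD_BITS) - 1
NBYTES = WORD_BITS // 8


def next_pseudonym(key, ids, nonce):
    # Pseudonym update computed identically by tag and backend. The keyed hash
    # is this example's stand-in for the protocol-specific update; it is far
    # heavier than an ultra-lightweight tag can afford.
    h = hashlib.blake2b(ids.to_bytes(NBYTES, "big") + nonce.to_bytes(NBYTES, "big"),
                        key=key.to_bytes(NBYTES, "big"), digest_size=NBYTES)
    return int.from_bytes(h.digest(), "big")


class Tag:
    def __init__(self, static_id, key, ids, rotate):
        self.id, self.key, self.ids = static_id & MASK, key & MASK, ids & MASK
        self.rotate = rotate   # False models a tag that always answers with the same value

    def respond(self):
        return self.ids        # the static ID itself is never sent

    def update(self, nonce):
        if self.rotate:
            self.ids = next_pseudonym(self.key, self.ids, nonce)


class Backend:
    def __init__(self, rotate, keep_previous):
        self.rotate, self.keep_previous = rotate, keep_previous
        self.by_ids, self.by_old_ids = {}, {}   # current / previous IDS -> record

    def enroll(self, tag):
        self.by_ids[tag.ids] = {"id": tag.id, "key": tag.key, "ids": tag.ids, "old_ids": None}

    def lookup(self, ids):
        rec = self.by_ids.get(ids)
        if rec is None and self.keep_previous:   # mitigation: accept the previous IDS too
            rec = self.by_old_ids.get(ids)
        return rec

    def update(self, rec, ids_seen, nonce):
        if not self.rotate:
            return
        new_ids = next_pseudonym(rec["key"], ids_seen, nonce)
        self.by_ids.pop(rec["ids"], None)        # re-index under the new pseudonym
        if rec["old_ids"] is not None:
            self.by_old_ids.pop(rec["old_ids"], None)
        rec["old_ids"], rec["ids"] = ids_seen, new_ids
        self.by_ids[new_ids] = rec
        if self.keep_previous:
            self.by_old_ids[ids_seen] = rec


def run_session(tag, backend, nonce, channel_log, block_update=False):
    # Hello -> IDS -> lookup -> update on both sides. block_update models an
    # attacker jamming the final message so that only the backend updates.
    ids = tag.respond()
    channel_log.append(ids)                      # all an eavesdropper can record
    rec = backend.lookup(ids)
    if rec is None:
        return False                             # unknown or desynchronized tag
    backend.update(rec, ids, nonce)
    if not block_update:
        tag.update(nonce)
    return True


def linkable(channel_log):
    # Eavesdropper's test: a repeated value ties two sessions to the same tag.
    return len(set(channel_log)) < len(channel_log)


def make_system(rotate, keep_previous, seed=7):
    rng = random.Random(seed)                    # constructed demo values only
    tag = Tag(rng.getrandbits(WORD_BITS), rng.getrandbits(WORD_BITS),
              rng.getrandbits(WORD_BITS), rotate)
    backend = Backend(rotate, keep_previous)
    backend.enroll(tag)
    return tag, backend, rng


def tracking_demo(rotate, sessions=5):
    # True when the eavesdropper can link the recorded sessions to one tag.
    tag, backend, rng = make_system(rotate, keep_previous=True)
    log = []
    for _ in range(sessions):
        if not run_session(tag, backend, rng.getrandbits(WORD_BITS), log):
            raise RuntimeError("honest session failed")
    return linkable(log)


def desync_demo(keep_previous):
    # True when the tag is still identified after one blocked update.
    tag, backend, rng = make_system(True, keep_previous)
    log = []
    run_session(tag, backend, rng.getrandbits(WORD_BITS), log, block_update=True)
    return run_session(tag, backend, rng.getrandbits(WORD_BITS), log)


if __name__ == "__main__":
    print(tracking_demo(False), tracking_demo(True))   # True False
    print(desync_demo(False), desync_demo(True))       # False True
```

The static-identifier tag is linked after two sessions by a purely passive observer, which is the tracking problem of requirements 2 and 3; the rotating tag is not, because the eavesdropper never learns the shared key. The second demo is the mechanism behind the DoS requirement: without the fallback, one jammed update permanently strands the tag; keeping the previous pseudonym lets the backend recognize it and resynchronize on the next session.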

Chapter 3 Ultra-lightweight RFID Communication Protocol

An ultra-lightweight RFID communication protocol is one designed using only simple bit-wise operations like XOR, AND, OR and modular addition. In each ultra-lightweight tag, only 250 to 3000 logic gates are used to support the security mechanism of the tag. On one hand, ultra-lightweight RFID communication protocols are very cheap and efficient because of the small number of logic gates. On the other hand, for the same reason, the computation ability is quite limited, so they can only achieve limited security requirements. To cover both security and practicality, many researchers have put their efforts into this field and proposed many ultra-lightweight RFID communication protocols [2][5][13][9][8][10][11]. In this chapter, we review those protocols that are related to our later work.

3.1 UMAP family

The UMAP family (Ultra-lightweight Mutual Authentication Protocols family) was proposed by López et al. in 2006 [9][8][10]. These protocols are the pioneering works on ultra-lightweight RFID communication protocols. The UMAP family includes three protocols:

1. M2AP (A Minimalist Mutual-Authentication Protocol)
2. LMAP (Ultra-lightweight Mutual Authentication Protocol)
3. EMAP (An Efficient Mutual-Authentication Protocol)

Each of them is introduced in detail in the remainder of this section.

3.1.1 M2AP

The M2AP (Minimalist Mutual-Authentication Protocol) protocol is the first ultra-lightweight RFID communication protocol of the UMAP family [8]. It was designed by López et al. in 2006. In this scheme, only simple logic operations such as bitwise XOR (⊕), bitwise OR (∨), bitwise AND (∧),

modulo addition (mod +) and a pseudo-random number generator are used for the computation of the protocol. Moreover, the tag of the M2AP communication protocol needs fewer than 1000 logic gates in the design, so this protocol is classified as an ultra-lightweight RFID communication protocol.

3.1.1.1 Basic Assumptions of M2AP

In order to design the M2AP ultra-lightweight RFID communication protocol, the following assumptions are made by López et al.

1. Assumptions of tags and channel
Each tag of M2AP is a low-cost, passive tag. In the tag design, only 250-3000 logic gates can be used to support security mechanisms like authentication and key exchange every time the protocol is initiated by the reader. For the communication channel, they assume that the communication between the reader and the tag takes place over an open channel, so the information transmitted via the channel is easily eavesdropped and tampered with. On the other hand, the communication channel between the reader and the backend database is secure.

2. Assumptions of keys
For security reasons, the backend database connected to the reader has to store each private key shared with the corresponding tag. These keys are used for mutual authentication in the communication. There are four private keys required in the protocol, and the bit length of each key is assumed to be 96 bits.

3. Assumptions of pseudo-random number generator (PRNG)
In order to avoid the risk of information leakage in open communication channels, it is assumed that there is a pseudo-random number generator on the reader side which is used to ensure the confidentiality of authentication in the communication.

4. Assumptions of types of operations
Only the following operations are used in the M2AP communication protocol: bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +).

5. Assumptions of memory capacity of tags

In order to store four private keys (K1, K2, K3, K4) and the pseudo ID (IDS) in a tag, it is assumed that each tag has 480 bits of rewritable memory (EEPROM or FRAM). In addition, each tag also has 96 bits of ROM to store the static identification number (ID).

3.1.1.2 M2AP Ultra-lightweight RFID Communication Protocol

The following notations are used in the M2AP protocol.

[Table 3.1] The table of notations in the M2AP protocol

The M2AP protocol consists of three phases: the tag identification phase, the mutual authentication phase and the updating phase. In the statement below, we assume that the tag with the identity ID is going to communicate with a reader.

1. Tag Identification:
The reader first sends a "Hello" message to the tag. After the tag receives this message, the tag sends back its pseudo ID (i.e. IDS) to the reader for identification. The reader then looks up its backend database to check whether IDS can be found or not. The communication is terminated if IDS is not found in the database. However, if it exists in the database, the protocol continues and the following steps are performed.

2. Mutual Authentication of the Reader and the Tag:
(1) After the identification of the tag, the step of mutual authentication of

the reader and the tag is performed. First, the reader chooses two random numbers n1, n2; then the reader uses n1, n2, IDS, K1, K2 and K3 to compute A, B, C, which are three encrypted messages computed as follows:
A = IDS ⨁ K1 ⨁ n1
B = (IDS ∧ K2) ∨ n1
C = IDS + K3 + n2
Then the reader sends A||B||C to the tag.

(2) After the tag receives the message A||B||C, the tag uses its own IDS, K1 and A to do bitwise XOR (i.e. A = IDS ⨁ K1 ⨁ n1, so A ⨁ IDS ⨁ K1 = n1); therefore the tag can get the random number n1. Then the tag uses IDS, K2 and n1 to compute B' = (IDS ∧ K2) ∨ n1, and checks whether B' is equal to B. If B' matches B, then the tag authenticates the reader successfully. It means that the tag believes that this reader is a legal reader.

(3) The tag uses C to compute the value of n2 (i.e. C = IDS + K3 + n2, so C − IDS − K3 = n2). Then the tag computes D, E, which are two encrypted messages computed as follows:
D = (IDS ∨ K4) ∧ n2
E = (IDS + ID) ⨁ n1
Then the tag sends D||E to the reader for authentication and updates the values of the pseudo-ID and the private keys.

(4) After the reader receives the message D||E, it uses IDS, K4 and n2 to compute the value D' = (IDS ∨ K4) ∧ n2, and checks whether D' is equal to D. If D' matches D, then the reader authenticates the tag successfully. It means the reader believes that this tag is a legal tag. Then the reader uses E to compute the value of ID (i.e. E = (IDS + ID) ⨁ n1, so (E ⨁ n1) − IDS = ID).

3. Updating the Pseudo-ID and the Private Keys
If the same pseudo-ID is used in two different sessions, then it can be easily tracked by attackers. That is, attackers can know that the two sessions are launched by the same tag with the same ID. On the other hand, attackers can easily launch replay attacks if private keys are not updated every time. For these reasons, the pseudo-ID IDS and the private keys K1, K2, K3 and K4 must be updated every time at the end of the protocol. Each value is computed as follows:
IDS_new = (IDS + (n1 ⨁ n2)) ⨁ ID
K1_new = K1 ⨁ n2 ⨁ (K3 + ID)

K2_new = K2 ⨁ n2 ⨁ (K4 + ID)
K3_new = (K3 ⨁ n1) + (K1 ⨁ ID)
K4_new = (K4 ⨁ n1) + (K2 ⨁ ID)
Then the communication between the tag and the reader is completed.

[Figure 3.1] The complete protocol of M2AP

3.1.2 LMAP

The LMAP (Ultra-lightweight Mutual Authentication Protocol) protocol is an ultra-lightweight RFID communication protocol of the UMAP family [13]. This communication protocol was designed by López et al. in 2006. LMAP and M2AP are very similar, but there are still some differences between them. In this scheme, only simple logic operations such as bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +) and a pseudo-random number generator are used for the computation of the protocol. Moreover, the tag of the LMAP communication protocol needs fewer than 1000 logic gates in the design, so this protocol is classified as an ultra-lightweight RFID communication protocol.

3.1.2.1 Basic Assumptions of LMAP

In order to design the LMAP ultra-lightweight RFID communication protocol, the following assumptions are made by López et al.

1. Assumptions of tag and channel
Each tag of LMAP is a low-cost, passive tag. In the tag design, only 250-3000 logic gates can be used to support security mechanisms like authentication and key exchange every time the protocol is initiated by the reader. For the communication channel, they assume that the communication between the reader and the tag takes place over an open channel, so the information transmitted via the channel is easily eavesdropped and tampered with. On the other hand, the communication channel between the reader and the backend database is secure.

2. Assumptions of keys
For security reasons, the backend database connected to the reader has to store each private key shared with the corresponding tag. These keys are used for mutual authentication in the communication. There are four private keys required in the protocol, and the bit length of each key is assumed to be 96 bits.

3.
Assumptions of pseudo-random number generator (PRNG)
In order to avoid the risk of information leakage in open communication channels, it is assumed that there is a pseudo-random number generator on the reader side

which is used to ensure the confidentiality of authentication in the communication.

4. Assumptions of type of operations
Only the following operations are used in the LMAP communication protocol: bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +).

5. Assumptions of memory capacity of tags
In order to store four private keys (K1, K2, K3, K4) and the pseudo ID (IDS) in a tag, it is assumed that each tag has 480 bits of rewritable memory (EEPROM or FRAM). In addition, each tag also has 96 bits of ROM to store the static identification number (ID).

3.1.2.2 LMAP Ultra-lightweight RFID Communication Protocol

The following notations are used in the LMAP protocol.

[Table 3.2] The table of notations in the LMAP protocol

The LMAP protocol consists of three phases: the tag identification phase, the mutual authentication phase and the updating phase. In the following statements, we assume that the tag with the identity ID is going to communicate with a reader.

1. Tag Identification:
The reader first sends a "Hello" message to the tag. After the tag receives this message, the tag sends back its pseudo ID (i.e. IDS) to the reader for identification.

The reader then looks up its backend database to check whether IDS can be found or not. The communication is terminated if IDS is not found in the database. However, if it exists in the database, the protocol continues and the following steps are performed.

2. Mutual Authentication of the Reader and the Tag:
(1) After the identification of the tag, the step of mutual authentication of the reader and the tag is performed. First, the reader chooses two random numbers n1, n2; then the reader uses n1, n2, IDS, K1, K2 and K3 to compute A, B, C, which are three encrypted messages computed as follows:
A = IDS ⨁ K1 ⨁ n1
B = (IDS ∨ K2) + n1
C = IDS + K3 + n2
Then the reader sends A||B||C to the tag.

(2) After the tag receives the message A||B||C, the tag uses its own IDS, K1 and A to do bitwise XOR (i.e. A = IDS ⨁ K1 ⨁ n1, so A ⨁ IDS ⨁ K1 = n1); therefore the tag can get the random number n1. Then the tag uses IDS, K2 and n1 to compute B' = (IDS ∨ K2) + n1, and checks whether B' is equal to B. If B' matches B, then the tag authenticates the reader successfully. It means that the tag believes that this reader is a legal reader.

(3) The tag uses C to compute the value of n2 (i.e. C = IDS + K3 + n2, so C − IDS − K3 = n2). Then the tag computes D, which is an encrypted message computed as follows:
D = (IDS + ID) ⨁ n1 ⨁ n2
Then the tag sends D to the reader for authentication and updates the values of the pseudo-ID and the private keys.

(4) After the reader receives the message D, it uses IDS, n1, n2 and ID (obtained through the secure channel) to compute the value D' = (IDS + ID) ⨁ n1 ⨁ n2, and checks whether D' is equal to D. If D' matches D, then the reader authenticates the tag successfully. It means the reader believes that this tag is a legal tag.

3. Updating the Pseudo-ID and the Private Keys
If the same pseudo-ID is used in two different sessions, then it can be easily tracked by attackers. That is, attackers can know the two sessions are launched by the same tag with the same ID.
On the other hand, attackers can launch replay

attacks if private keys are not updated every time. For these reasons, the pseudo-ID IDS and the private keys K1, K2, K3 and K4 must be updated every time at the end of the protocol. Each value is computed as follows:
IDS_new = (IDS + (n2 ⨁ K4)) ⨁ ID
K1_new = K1 ⨁ n2 ⨁ (K3 + ID)
K2_new = K2 ⨁ n2 ⨁ (K4 + ID)
K3_new = (K3 ⨁ n1) + (K1 ⨁ ID)
K4_new = (K4 ⨁ n1) + (K2 ⨁ ID)
Then the communication between the tag and the reader is completed.

[Figure 3.2] The complete protocol of LMAP
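The following simulation is an added example, not code from López et al. or from this thesis. It runs the LMAP exchange of Section 3.1.2 (and, apart from the B/D formulas, the M2AP exchange of Section 3.1.1 has the same shape) over 96-bit words, with the tag and the backend each holding their own copy of the shared state. A second run delivers a C whose least significant bit was altered in transit, the modification analysed in Section 3.1.4: because C carries no integrity check and the tag updates its secrets before the reader has confirmed D, one corrupted message leaves the two sides with different keys. The ID, IDS and key values are constructed test values.

```python
"""LMAP (Section 3.1.2) over 96-bit words, with a synchronisation check.
Added example, not the protocol authors' code; ID, IDS and keys are constructed values."""
import secrets

WIDTH = 96
MASK = (1 << WIDTH) - 1


def add(a, b):
    """Modulo-2^96 addition ("mod +" on the page)."""
    return (a + b) & MASK


def sub(a, b):
    """Inverse of add(); the tag uses it to recover n2 from C."""
    return (a - b) & MASK


class LmapState:
    """Secrets shared by one tag and the backend: static ID, pseudonym IDS, keys K1..K4."""

    def __init__(self, ident, ids, k1, k2, k3, k4):
        self.id, self.ids = ident, ids
        self.k1, self.k2, self.k3, self.k4 = k1, k2, k3, k4

    def snapshot(self):
        return (self.ids, self.k1, self.k2, self.k3, self.k4)

    def update(self, n1, n2):
        """Updating phase: IDS and K1..K4 are all replaced (LMAP update rules)."""
        ids, k1, k2, k3, k4 = self.snapshot()
        self.ids = add(ids, n2 ^ k4) ^ self.id
        self.k1 = k1 ^ n2 ^ add(k3, self.id)
        self.k2 = k2 ^ n2 ^ add(k4, self.id)
        self.k3 = add(k3 ^ n1, k1 ^ self.id)
        self.k4 = add(k4 ^ n1, k2 ^ self.id)


def reader_challenge(st, n1, n2):
    """Reader side: A||B||C from fresh nonces n1, n2."""
    a = st.ids ^ st.k1 ^ n1
    b = add(st.ids | st.k2, n1)
    c = add(add(st.ids, st.k3), n2)
    return a, b, c


def tag_respond(st, a, b, c):
    """Tag side: authenticate the reader via B, recover n2 from C, answer D, then update.
    Returns None when the reader is rejected (no update happens in that case)."""
    n1 = a ^ st.ids ^ st.k1
    if add(st.ids | st.k2, n1) != b:
        return None
    n2 = sub(sub(c, st.ids), st.k3)   # C carries no integrity check: any C yields some n2
    d = add(st.ids, st.id) ^ n1 ^ n2
    st.update(n1, n2)                 # the tag commits before the reader has confirmed D
    return d


def reader_verify(st, d, n1, n2):
    """Reader side: check D and only then update the database copy."""
    if d != add(st.ids, st.id) ^ n1 ^ n2:
        return False
    st.update(n1, n2)
    return True


def run_session(tag, reader, n1=None, n2=None, corrupt_c=False):
    """One full protocol run. corrupt_c=True models C' = C xor [0...01] from
    Section 3.1.4. Returns (reader accepted the tag?, both sides still synchronised?)."""
    n1 = secrets.randbits(WIDTH) if n1 is None else n1
    n2 = secrets.randbits(WIDTH) if n2 is None else n2
    a, b, c = reader_challenge(reader, n1, n2)
    if corrupt_c:
        c ^= 1
    d = tag_respond(tag, a, b, c)
    accepted = d is not None and reader_verify(reader, d, n1, n2)
    return accepted, tag.snapshot() == reader.snapshot()


def fresh_pair(seed=0x1234):
    """Constructed sample secrets, identical on tag and backend (as after provisioning)."""
    vals = [(seed * (i + 1) * 0x9E3779B97F4A7C15) & MASK for i in range(6)]
    return LmapState(*vals), LmapState(*vals)


if __name__ == "__main__":
    tag, db = fresh_pair()
    print("honest run   :", run_session(tag, db))                  # (True, True)
    print("tampered C   :", run_session(tag, db, corrupt_c=True))  # (False, False)
    print("next honest  :", run_session(tag, db))                  # (False, False)
```

After the tampered run the tag has moved to new secrets while the backend still holds the old ones, so the next honest session fails at the very first check (B' ≠ B on the tag). This is the state that the old/new key pairs of SASI in Section 3.2 are designed to recover from.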

3.1.3 EMAP

The EMAP (An Efficient Mutual-Authentication Protocol) protocol is an ultra-lightweight RFID communication protocol of the UMAP family [10]. This communication protocol was designed by López et al. in 2006. EMAP, LMAP and M2AP are very similar, but the biggest difference between EMAP and the other members of the UMAP family is that EMAP uses a unique parity function to update the private keys shared by the tag and the backend database. In this scheme, only simple logic operations such as bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +), the parity function and a pseudo-random number generator are used for the computation of the protocol. Moreover, the tag of the EMAP communication protocol needs fewer than 1000 logic gates in the design, so this protocol is classified as an ultra-lightweight RFID communication protocol.

3.1.3.1 Basic Assumptions of EMAP

In order to design the EMAP ultra-lightweight RFID communication protocol, the following assumptions are made by López et al.

1. Assumptions of tag and channel
Each tag of EMAP is a low-cost, passive tag. In the tag design, only 250-3000 logic gates can be used to support security mechanisms like authentication and key exchange every time the protocol is initiated by the reader. For the communication channel, they assume that the communication between the reader and the tag takes place over an open channel, so the information transmitted via the channel is easily eavesdropped and tampered with. On the other hand, the communication channel between the reader and the backend database is secure.

2. Assumptions of keys
For security reasons, the backend database connected to the reader has to store each private key shared with the corresponding tag. These keys are used for mutual authentication in the communication.
There are four private keys required in the protocol, and the bit length of each key is assumed to be 96 bits.

3. Assumptions of pseudo-random number generator (PRNG)
In order to avoid the risk of information leakage in open communication channels, it is assumed that there is a pseudo-random number generator on the reader side which is used to ensure the confidentiality of authentication in the communication.

4. Assumptions of type of operations
Only the following operations are used in the EMAP communication protocol: bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +) and the parity function (Fp(X)).
Definition: X(x:y) is the bit string from the x-th bit to the y-th bit of X.
Fp(X): This function has a 96-bit input and a 24-bit output. The input is divided into blocks of 4 bits, each of which is processed to obtain one output bit. Since the 96-bit input X is divided into 24 4-bit blocks, the output has 24 bits.
For example, suppose that there is a 4-bit block 0100. The output bit is the XOR of all x_i ∈ {0, 1} for i = 1, 2, 3, 4, so the output bit = x1 ⨁ x2 ⨁ x3 ⨁ x4 = 0 ⨁ 1 ⨁ 0 ⨁ 0 = 1.

5. Assumptions of memory capacity of tags
In order to store four private keys (K1, K2, K3, K4) and the pseudo ID (IDS) in a tag, it is assumed that each tag has 480 bits of rewritable memory (EEPROM or FRAM). In addition, each tag also has 96 bits of ROM to store the static identification number (ID).

3.1.3.2 EMAP Ultra-lightweight RFID Communication Protocol

The following notations are used in the EMAP protocol.

[Table 3.3] The table of notations in the EMAP protocol

The EMAP protocol consists of three phases: the tag identification phase, the mutual authentication phase and the updating phase. In the following statements, we assume that the tag with the identity ID is going to communicate with a reader.

1. Tag Identification:
The reader first sends a "Hello" message to the tag. After the tag receives this message, the tag sends back its pseudo ID (i.e. IDS) to the reader for identification. The reader then looks up its backend database to check whether IDS can be found or not. The communication is terminated if IDS is not found in the database. On the other hand, if it exists in the database, the protocol continues and the following steps are performed.

2. Mutual Authentication of the Reader and the Tag:
(1) After the identification of the tag, the step of mutual authentication of the reader and the tag is performed. First, the reader chooses two random numbers n1, n2; then the reader uses n1, n2, IDS, K1, K2 and K3 to compute A, B, C, which are three encrypted messages computed as follows:
A = IDS ⨁ K1 ⨁ n1
B = (IDS ∨ K2) ⨁ n1
C = IDS ⨁ K3 ⨁ n2
Then the reader sends A||B||C to the tag.

(2) After the tag receives the message A||B||C, the tag uses its own IDS, K1 and A

to do bitwise XOR (i.e. A = IDS ⨁ K1 ⨁ n1, so A ⨁ IDS ⨁ K1 = n1); therefore the tag can get the random number n1. Then the tag uses IDS, K2 and n1 to compute B' = (IDS ∨ K2) ⨁ n1, and checks whether B' is equal to B. If B' matches B, then the tag authenticates the reader successfully. It means that the tag believes that this reader is a legal reader.

(3) The tag uses C to compute the value of n2 (i.e. C = IDS ⨁ K3 ⨁ n2, so C ⨁ IDS ⨁ K3 = n2). Then the tag computes D, E, which are two encrypted messages computed as follows:
D = (IDS ∧ K4) ⨁ n2
E = (IDS ∧ n1 ∨ n2) ⨁ ID ⨁ K1 ⨁ K2 ⨁ K3 ⨁ K4
Then the tag sends D||E to the reader for authentication and the update of the pseudo-ID and the private keys.

(4) After the reader receives the message D||E, it uses IDS, K4 and n2 to compute the value D' = (IDS ∧ K4) ⨁ n2, and checks whether D' is equal to D. If D' matches D, then the reader authenticates the tag successfully. It means the reader believes that this tag is a legal tag. Then the reader uses E to compute the value of ID (i.e. E = (IDS ∧ n1 ∨ n2) ⨁ ID ⨁ K1 ⨁ K2 ⨁ K3 ⨁ K4, so E ⨁ K1 ⨁ K2 ⨁ K3 ⨁ K4 ⨁ (IDS ∧ n1 ∨ n2) = ID).

3. Updating the Pseudo-ID and the Private Keys
If the same pseudo-ID is used in two different sessions, then it is easily tracked by attackers. That is, attackers can know the two sessions are launched by the same tag with the same ID. On the other hand, attackers can launch replay attacks if private keys are not updated every time. For these reasons, the pseudo-ID IDS and the private keys K1, K2, K3 and K4 must be updated every time at the end of the protocol. Each value is computed as follows:
IDS_new = IDS ⨁ n2 ⨁ K1
K1_new = K1 ⨁ n2 ⨁ (ID(1:48) || Fp(K4) || Fp(K3))
K2_new = K2 ⨁ n2 ⨁ (Fp(K1) || Fp(K4) || ID(49:96))
K3_new = K3 ⨁ n1 ⨁ (ID(1:48) || Fp(K4) || Fp(K2))
K4_new = K4 ⨁ n1 ⨁ (Fp(K3) || Fp(K1) || ID(49:96))
Then the communication between the tag and the reader is completed.

[Figure 3.3] The complete protocol of EMAP
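As an added example (not code from López et al. or from this thesis), the block below implements the parity function Fp(X) defined in Section 3.1.3.1 and the EMAP updating phase of Section 3.1.3.2 that builds the 48||24||24-bit strings from ID and Fp. Two conventions are not fixed by the text and are assumed here: bit 1 of X(x:y) is the most significant bit of the 96-bit word, and the 24 output bits of Fp are ordered from the most significant 4-bit block downwards. All sample values are constructed.

```python
"""EMAP parity function Fp and the EMAP updating phase (Section 3.1.3).
Added example, not the EMAP authors' code. Assumptions: bit 1 of X(x:y) is the
most significant bit of a 96-bit word, and the output bits of Fp are ordered from
the most significant 4-bit block downwards; all sample values are constructed."""

WIDTH = 96


def bits(x, width=WIDTH):
    """Bits of x, most significant first, as a list of 0/1."""
    return [(x >> (width - 1 - i)) & 1 for i in range(width)]


def from_bits(bs):
    """Inverse of bits(): pack a most-significant-first bit list into an int."""
    v = 0
    for b in bs:
        v = (v << 1) | b
    return v


def substring(x, lo, hi):
    """X(lo:hi): the bits from the lo-th to the hi-th, 1-indexed from the MSB (assumption)."""
    return from_bits(bits(x)[lo - 1:hi])


def fp(x):
    """Fp(X): 96-bit input -> 24-bit output. Each 4-bit block yields one output bit,
    the XOR (parity) of its four bits; e.g. block 0100 -> 0^1^0^0 = 1."""
    bs = bits(x)
    return from_bits([bs[i] ^ bs[i + 1] ^ bs[i + 2] ^ bs[i + 3]
                      for i in range(0, WIDTH, 4)])


def concat(*parts):
    """a || b || c for (value, bit_width) pairs, left to right."""
    v = 0
    for val, w in parts:
        v = (v << w) | val
    return v


def emap_update(ids, k1, k2, k3, k4, ident, n1, n2):
    """Updating phase of EMAP: returns the new (IDS, K1, K2, K3, K4).
    Each key absorbs a nonce and a 48||24||24-bit string built from ID and Fp."""
    new_ids = ids ^ n2 ^ k1
    new_k1 = k1 ^ n2 ^ concat((substring(ident, 1, 48), 48), (fp(k4), 24), (fp(k3), 24))
    new_k2 = k2 ^ n2 ^ concat((fp(k1), 24), (fp(k4), 24), (substring(ident, 49, 96), 48))
    new_k3 = k3 ^ n1 ^ concat((substring(ident, 1, 48), 48), (fp(k4), 24), (fp(k2), 24))
    new_k4 = k4 ^ n1 ^ concat((fp(k3), 24), (fp(k1), 24), (substring(ident, 49, 96), 48))
    return new_ids, new_k1, new_k2, new_k3, new_k4


if __name__ == "__main__":
    block = 0b0100 << (WIDTH - 4)          # the page's example block 0100 as the top nibble
    print(f"Fp(top block 0100) = {fp(block):024b}")
    ident = int("1" * 24, 16)              # constructed ID: every nibble is 0001
    keys = [(0x1234 * (i + 1)) & ((1 << WIDTH) - 1) for i in range(4)]
    print(emap_update(0xABCD, *keys, ident, n1=5, n2=9))
```

Note that Fp is linear (each output bit is an XOR of input bits) and compresses 96 bits to 24, so the strings it contributes to the key update are far from uniformly random; this is one of the structural reasons the UMAP family could be analysed as it is in Section 3.1.4.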

3.1.4 Security Analysis of the UMAP family

López et al. claimed that the UMAP family protocols can resist many attacks such as the man-in-the-middle attack, the replay attack, the forgery attack, etc. However, in 2007, Li and Wang [12] listed the security weaknesses of the schemes separately. They showed that UMAP cannot resist de-synchronization attacks [12] and forgery attacks [12]. In this section, we analyze the security of the UMAP family.

3.1.4.1 De-synchronization Attack
In UMAP, the tag obtains the value of the random number n1 from the message A, and then the tag uses n1 to compute the value of B'. The tag checks whether B' is equal to B or not, B being the message sent from the reader. If B' matches B, then the tag authenticates the reader successfully. The tag then uses C to compute the value of n2. The de-synchronization attack can be launched at this moment. A man-in-the-middle attacker can first eavesdrop on the on-going message, and then the attacker changes A||B||C to A||B||C', where C' is a 96-bit random number generated by the attacker and C' is not equal to C. Because the messages A and B remain unchanged, the tag authenticates the reader successfully. Therefore the tag uses an incorrect value of n2 to update its private keys and IDS in the update phase. Accordingly, the corresponding data stored in the tag and in the backend database become inconsistent, and the tag is unable to communicate with a legitimate reader next time. This is called the de-synchronization attack.

3.1.4.2 Forgery Attack
Based on the method of attack above, the attacker can change C to C'. Even more, an attacker can set C' = C ⨁ I, where I = [0000…0001] (the 95 most significant bits of I are 0 and the least significant bit is 1). Based on the received message C', the tag computes an incorrect value D', but this D' may still deceive the reader into authenticating the tag successfully.
Using LMAP as an example, C' = C ⨁ I and C = IDS + K3 + n2, so the tag gets an incorrect value of n2 (denoted n2') and uses it to compute an incorrect value of D (denoted D'). Since D = (IDS + ID) ⨁ n1 ⨁ n2, we have D' = (IDS + ID) ⨁ n1 ⨁ n2'. The attacker can then replace D with D' and send D' to the reader. If the reader accepts the value D', then the forgery attack is successful. This means that the reader recognizes the attacker as a legal tag. Now we analyze the success rate as follows (define: X_l is the least significant bit of X, and HW(Y) is the Hamming weight of Y).

Consider C' = C ⨁ I.
If C_l = 0, then C'_l = 1 ⇒ if n2_l = 1, then HW(n2 ⨁ n2') ≥ 2; if n2_l = 0, then n2' = n2 ⨁ I.
If C_l = 1, then C'_l = 0 ⇒ if n2_l = 0, then HW(n2 ⨁ n2') ≥ 2; if n2_l = 1, then n2' = n2 ⨁ I.
When n2' = n2 ⨁ I, it means that D' = (IDS + ID) ⨁ n1 ⨁ n2' = (IDS + ID) ⨁ n1 ⨁ n2 ⨁ I, so the attacker computes and sends D' ⨁ I to the reader. Because the value D' ⨁ I = ((IDS + ID) ⨁ n1 ⨁ n2 ⨁ I) ⨁ I = D, the reader authenticates the attacker as a legal tag successfully. Setting C' = C ⨁ I, the probability that n2' = n2 ⨁ I is 50%. Consequently, the success rate of the attacker is 50%.

3.2 SASI

M2AP, LMAP and EMAP were designed by López et al. in 2006. However, these communication protocols still have some security problems. SASI was designed by Chien in 2007 [2]. In this scheme, only simple logic operations such as bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +), a rotate function and a pseudo-random number generator are used for the computation of the protocol. Moreover, the tag of the communication protocol needs fewer than 1000 logic gates in the design, so this protocol is classified as an ultra-lightweight RFID communication protocol. In order to prevent de-synchronization attacks, SASI introduces a new idea: the tag stores two entries of private keys and IDS.

3.2.1 Basic Assumptions of SASI
In order to design the SASI ultra-lightweight RFID communication protocol, the following assumptions are made by Chien.

1. Assumptions of tags and channel
Each tag of SASI is a low-cost, passive tag. In the tag design, only 250-3000 logic gates can be used to support security mechanisms like authentication and key exchange every time the protocol is initiated by the reader. For the communication channel, they assume that the communication between the reader and the tag takes place over an open channel, so the information transmitted via the channel is easily eavesdropped and tampered with. On the other

hand, the communication channel between the reader and the backend database is secure.

2. Assumptions of keys
For security reasons, the backend database connected to the reader has to store each private key shared with the corresponding tag. These keys are used for mutual authentication in the communication. There are two pairs of private keys, (K1, K2) and (K1_old, K2_old), and the bit length of each key is assumed to be 96 bits.

3. Assumptions of pseudo-random number generator (PRNG)
In order to avoid the risk of information leakage in open communication channels, it is assumed that there is a pseudo-random number generator on the reader side which is used to ensure the confidentiality of authentication in the communication.

4. Assumptions of type of operations
Only the following operations are used in the SASI communication protocol: bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +) and the rotate function (Rot(x, y)).
Definition: Rot(x, y) means rotating the value of x left by y bits.

5. Assumptions of memory capacity of tags
In order to store two pairs of private keys (K1 and K2, K1_old and K2_old) and the pseudo IDs (IDS, IDS_old) in a tag, it is assumed that each tag has 576 bits of rewritable memory (EEPROM or FRAM). In addition, each tag also has 96 bits of ROM to store the static identification number (ID).

3.2.2 SASI Ultra-lightweight RFID Communication Protocol

The following notations are used in the SASI protocol.

[Table 3.4] The table of notations in the SASI protocol

The SASI protocol consists of three phases: the tag identification phase, the mutual authentication phase and the updating phase. In what follows, we assume that the tag with the identity ID is going to communicate with a reader.

1. Tag Identification:
The reader first sends a "Hello" message to the tag. After the tag receives this message, the tag sends back its new pseudo ID (i.e. IDS) to the reader for identification. The reader then looks up its backend database to check whether IDS can be found or not. The tag sends its old pseudo ID (i.e. IDS_old) if IDS is not found in the database, and the reader does the same look-up again. The communication is terminated if IDS_old is not found in the database either. On the other hand, if IDS or IDS_old exists in the database, the protocol continues and the following steps are performed.

2. Mutual Authentication of the Reader and the Tag:
(1) After the identification of the tag, the step of mutual authentication of the reader and the tag is performed. First, the reader chooses two random numbers n1, n2; then the reader uses n1, n2, IDS, K1 and K2 to compute A and B, which are two encrypted messages computed as follows:
A = IDS ⨁ K1 ⨁ n1
B = (IDS ∨ K2) + n2
The reader also computes K̄1 and K̄2, which are two values computed as follows:
K̄1 = Rot(K1 ⨁ n2, K1)

K̄2 = Rot(K2 ⨁ n1, K2)
Then the reader computes C, which is an encrypted message computed as follows:
C = (K1 ⨁ K̄2) + (K̄1 ⨁ K2)
Then the reader sends A||B||C to the tag.

(2) After the tag receives the message A||B||C, the tag uses its own IDS, K1 and A to do bitwise XOR (i.e. A = IDS ⨁ K1 ⨁ n1, so A ⨁ IDS ⨁ K1 = n1), and the tag uses its own IDS, K2 and B to compute n2 (i.e. B = (IDS ∨ K2) + n2, so B − (IDS ∨ K2) = n2); therefore the tag can get the random numbers n1, n2. The tag can use K1, K2, n1, n2 to compute K̄1 and K̄2. Then the tag uses K1, K2, K̄1 and K̄2 to compute C' = (K1 ⨁ K̄2) + (K̄1 ⨁ K2), and checks whether C' is equal to C. If C' matches C, then the tag authenticates the reader successfully. It means that the tag believes that this reader is a legal reader.

(3) Then the tag computes D, which is an encrypted message computed as follows:
D = (K̄2 + ID) ⨁ ((K1 ⨁ K2) ∨ K̄1)
Then the tag sends D to the reader for authentication and updates the values of the pseudo-ID and the private keys.

(4) After the reader receives the message D, it uses ID, K1, K2, K̄1 and K̄2 to compute the value D' = (K̄2 + ID) ⨁ ((K1 ⨁ K2) ∨ K̄1), and checks whether D' is equal to D. If D' matches D, then the reader authenticates the tag successfully. It means the reader believes that this tag is a legal tag.

3. Updating the Pseudo-ID and the Private Keys
If the same pseudo-ID is used in two different sessions, then it can be easily tracked by attackers. That is, attackers can know the two sessions are launched by the same tag with the same ID. On the other hand, attackers can easily launch replay attacks if private keys are not updated every time. For these reasons, the pseudo-IDs IDS, IDS_old and the two pairs of private keys (K1, K2), (K1_old, K2_old) must be updated each time at the end of the protocol. Each value is computed as follows (the old entries are saved first, then the current ones are replaced):
IDS_old = IDS
K1_old = K1
K2_old = K2
IDS = (IDS + ID) ⨁ (n2 ⨁ K̄1)
K1 = K̄1
K2 = K̄2

The backend database must also update IDS, K1 and K2. Each value is computed as follows:
IDS = (IDS + ID) ⨁ (n2 ⨁ K̄1)
K1 = K̄1
K2 = K̄2
Then the communication between the tag and the reader is completed.

[Figure 3.4] The complete protocol of SASI
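The SASI exchange of Section 3.2.2, with the old/new pairs that give it the resynchronisation the UMAP family lacks, as an added example that is not Chien's code or this thesis's. One assumption not fixed by the text: Rot(x, y) is read as a left rotation of the 96-bit x by (y mod 96) positions, the same reading Section 3.2.3 uses when it speaks of K2 mod n. The simulation runs an honest session, then a session in which the tag's final message D is lost (so the tag updates but the backend does not), and shows that the next session still succeeds through the IDS_old fallback of the identification phase. All secrets are constructed values.

```python
"""SASI (Section 3.2) simulation with the old/new key pairs that provide
resynchronisation. Added example, not Chien's code. Assumption: Rot(x, y) rotates
the 96-bit x left by (y mod 96) positions; all sample secrets are constructed values."""
import secrets

WIDTH = 96
MASK = (1 << WIDTH) - 1


def add(a, b):
    return (a + b) & MASK


def sub(a, b):
    return (a - b) & MASK


def rot(x, y):
    """Rot(x, y): left-rotate x by (y mod 96) bit positions (assumed reading of the page)."""
    s = y % WIDTH
    return ((x << s) | (x >> (WIDTH - s))) & MASK


def derive(k1, k2, n1, n2):
    """The bar values K1-bar, K2-bar that both sides compute from the nonces."""
    return rot(k1 ^ n2, k1), rot(k2 ^ n1, k2)


class Tag:
    """Holds (IDS, K1, K2) and the previous (IDS_old, K1_old, K2_old)."""

    def __init__(self, ident, ids, k1, k2):
        self.id = ident
        self.cur = (ids, k1, k2)
        self.old = (ids, k1, k2)
        self.using_old = False

    def pseudonyms(self):
        return self.cur[0], self.old[0]

    def select(self, use_old):
        """Identification phase outcome: which entry the backend recognised."""
        self.using_old = use_old

    def respond(self, a, b, c):
        """Recover n1, n2; authenticate the reader via C; answer D; then update."""
        ids, k1, k2 = self.old if self.using_old else self.cur
        n1 = a ^ ids ^ k1
        n2 = sub(b, ids | k2)
        kb1, kb2 = derive(k1, k2, n1, n2)
        if add(k1 ^ kb2, kb1 ^ k2) != c:
            return None
        d = add(kb2, self.id) ^ ((k1 ^ k2) | kb1)
        self.old = (ids, k1, k2)                            # keep the entry just used
        self.cur = (add(ids, self.id) ^ (n2 ^ kb1), kb1, kb2)
        return d


class Backend:
    """The database copy: a single (IDS, K1, K2) for this tag."""

    def __init__(self, ident, ids, k1, k2):
        self.id = ident
        self.ids, self.k1, self.k2 = ids, k1, k2
        self.pending = None

    def lookup(self, ids_new, ids_old):
        """Identification: try the tag's current IDS, then its old one.
        Returns False (use current), True (use old) or None (unknown tag)."""
        if ids_new == self.ids:
            return False
        if ids_old == self.ids:
            return True
        return None

    def challenge(self, n1, n2):
        a = self.ids ^ self.k1 ^ n1
        b = add(self.ids | self.k2, n2)
        kb1, kb2 = derive(self.k1, self.k2, n1, n2)
        c = add(self.k1 ^ kb2, kb1 ^ self.k2)
        self.pending = (n2, kb1, kb2)
        return a, b, c

    def verify(self, d):
        """Check D; only then commit the update on the database side."""
        n2, kb1, kb2 = self.pending
        if d != add(kb2, self.id) ^ ((self.k1 ^ self.k2) | kb1):
            return False
        self.ids = add(self.ids, self.id) ^ (n2 ^ kb1)
        self.k1, self.k2 = kb1, kb2
        return True


def run_session(tag, db, n1=None, n2=None, lose_d=False):
    """Hello -> IDS (fallback IDS_old) -> A||B||C -> D. lose_d=True drops the tag's
    final message, so the backend does not update although the tag already has."""
    n1 = secrets.randbits(WIDTH) if n1 is None else n1
    n2 = secrets.randbits(WIDTH) if n2 is None else n2
    use_old = db.lookup(*tag.pseudonyms())
    if use_old is None:
        return False
    tag.select(use_old)
    d = tag.respond(*db.challenge(n1, n2))
    if d is None or lose_d:
        return False
    return db.verify(d)


def provision(seed=0xC0FFEE):
    """Constructed shared secrets, written to both the tag and the backend."""
    ident, ids, k1, k2 = [(seed * (i + 3) * 0x9E3779B97F4A7C15) & MASK for i in range(4)]
    return Tag(ident, ids, k1, k2), Backend(ident, ids, k1, k2)


if __name__ == "__main__":
    tag, db = provision()
    print("honest        :", run_session(tag, db))                 # True
    print("D lost        :", run_session(tag, db, lose_d=True))    # False, sides now differ
    print("resync via old:", run_session(tag, db), tag.using_old)  # True True
    print("back in sync  :", run_session(tag, db), tag.using_old)  # True False
```

The fallback only helps against a lost or dropped final message. Section 3.2.3 shows that a single-bit change to A and C can make both sides accept while they update with different nonces, which this two-entry mechanism does not detect; that is the DoS case analysed there.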

3.2.3 Security Analysis of SASI
Chien claimed that SASI is able to resist all attacks. However, in 2008, Cao et al. [3] listed the security weaknesses of this protocol separately. They showed that SASI cannot resist the DoS attack and the tracing attack. In this section, we analyze the security of SASI.

3.2.3.1 DoS attack
An attacker can first eavesdrop on the on-going protocol. Then the message A||B||C is changed to A'||B||C' by the attacker, where A' = A ⨁ I, C' = C ⨁ I, and I = [0000…0001] (the 95 most significant bits of I are 0 and the least significant bit is 1). Similarly, the attacker changes the reply D from the tag to D' = D ⨁ I. This procedure is specified in table 3.4.3.

[Figure 3.5] The DOS attack flowchart

We analyze the success rate of such an attack:
(1) Once the tag receives A'||B||C', the probability that the tag accepts the message A'||B||C' is not less than 1/(2n). Suppose that K2 is a random number; there is a probability equal to 1/n that K2 mod n = 0 and a 1/2 probability that the least significant bit of K2 ⨁ K1 is 0. We note that for any X, Rot(K2 ⨁ X, K2) = K2 ⨁ X when K2 (mod n) = 0. In this case, we check the validity of the message A'||B||C'. Consider
C' = C ⨁ I = [(K1 ⨁ K̄2) + (K̄1 ⨁ K2)] ⨁ I = (K1 ⨁ K̄2 ⨁ I) + (K̄1 ⨁ K2)

n1' = A' ⨁ IDS ⨁ K1 = A ⨁ I ⨁ IDS ⨁ K1 = (IDS ⨁ K1 ⨁ n1) ⨁ I ⨁ IDS ⨁ K1 = n1 ⨁ I
The operation on A is actually toggling the least significant bit of n1. Consider
n2' = B − (IDS ∨ K2) = (IDS ∨ K2) + n2 − (IDS ∨ K2) = n2
K̄1' = Rot(K1 ⨁ n2, K1) = K̄1
K̄2' = Rot(K2 ⨁ n1', K2) = K̄2 ⨁ I
Therefore, C = (K1 ⨁ K̄2') + (K̄1' ⨁ K2) = (K1 ⨁ K̄2 ⨁ I) + (K̄1 ⨁ K2) = C'. In the case when K2 (mod n) = 0 and the least significant bit of K2 ⨁ K1 is 0, the tag will accept the message A'||B||C'.

(2) Once the reader receives D', the probability that the reader accepts the message D' is not less than 1/2. If the least significant bit of ID is 0, the reader will accept D'. There is a 1/2 probability that the least significant bit of ID is 0. Consider
D' = D ⨁ I = (K̄2' + ID) ⨁ ((K1 ⨁ K2) ∨ K̄1) ⨁ I
= ((K̄2 ⨁ I) + ID) ⨁ ((K1 ⨁ K2) ∨ K̄1) ⨁ I
= (((K̄2 ⨁ I) + ID) ⨁ I) ⨁ ((K1 ⨁ K2) ∨ K̄1)
= (K̄2 + ID) ⨁ ((K1 ⨁ K2) ∨ K̄1) = D

Once the reader accepts the value, the reader updates the secret information of the tag with the pair (n1, n2). However, the tag uses another pair (n1 ⨁ I, n2) to update its secrets. It is obvious that there is a mismatch between the secrets stored at the tag and those at the reader. So there is a non-negligible probability, namely (1/n)·(1/2)·(1/2) = 1/(4n), of succeeding in a DoS attack. In fact, this attack can be extended to toggle a single bit of A at any location i, so that it becomes a general attack with the same 1/(4n) success probability.

3.3 Physical Analytic Cloning Attack

SASI and the UMAP family cannot resist the physical analytic cloning attack. If an attacker obtains a tag, then this tag can be physically cloned many times. This means that different users can share the same tag through physical cloning technology. If this RFID system is used for access control, then many people can use the same identity to pass the access control. This causes the access control system to lose its effectiveness.
Therefore, Bassil et al. designed the PUMAP communication protocol to resist the physical analytic cloning attack. We will introduce this protocol in the next chapter.

Chapter 4 PUMAP Ultra-lightweight RFID Communication Protocol

In order to resist physical analytic cloning attacks, Bassil et al. introduced an ultra-lightweight RFID communication protocol based on a physical unclonable function (PUF). This protocol is called PUMAP. In this chapter we introduce a PUF design and the PUMAP communication protocol.

4.1 Physical Unclonable Function

A physically unclonable function is referred to as a PUF. A PUF is a one-way function that maps a set of challenges to a set of responses based on an intractably complex physical system. A PUF has two characteristics. First, its output is easy to compute for the device that embodies it but difficult to predict. Second, even when the most sophisticated manufacturing equipment is used, PUFs built from the same design give different responses to the same set of challenges; every PUF instance therefore has its own unique challenge-response mapping table. These two characteristics make PUFs well suited to the design of ultra-lightweight RFID communication protocols, and a PUF is effective in resisting physical cloning attacks. In this section we introduce the arbiter PUF design [4].

4.1.1 Arbiter PUF

This PUF is built from small differences in circuit delay, as Figure 4.1 shows; assume the input is 64 bits long and the output is 1 bit. The design compares two signal paths. At the left-most position the PUF receives a rising signal on both paths, which have equal nominal length, and the output, 0 or 1, is decided by which path's signal first reaches the arbiter at the right end. Different inputs steer the two paths to different results. Each of the 64 boxes that follow (dashed part) changes the signal routing according to its input bit. The 64 input bits X[0] ~ X[63] in the figure decide whether the two routes exchange paths: if X[i] = 1, the two signals swap paths while travelling through the i-th box; if X[i] = 0, they do not.

[Figure 4.1] Arbiter PUF [4]

For example (Figure 4.2), assume the signals start at the left of the figure and X[0] = 1. When the signal reaches the first box, because X[0] = 1 the signal that was on the top (dashed) path is moved to the bottom path and continues along that line after leaving the first box. The signal on the solid path is treated in the same way.

[Figure 4.2] Schematic diagram of transformation of the signal

If at the end the signal travelling on the top path arrives at point D first, the output is 1; otherwise the output is 0. The delay of every circuit element differs slightly, so even circuits built from the same design have different delay times. Therefore, even if an attacker knows the design of the PUF circuit and copies the manufacturing process perfectly, the two PUFs give different outputs for the same input signal. This is why the function is called physically unclonable.

In this example the input is 64 bits long but the output is only one bit. If an output of K bits is needed for a 64-bit input, a pseudo-random number generator (PRNG) can be used: running the PRNG K times yields K values of 64 bits each, and using these K values as the PUF inputs gives a K-bit output.

4.2 PUMAP

PUMAP (A PUF-Based Ultra-Lightweight Mutual-Authentication RFID Protocol) is an ultra-lightweight RFID protocol [1] designed by Bassil et al. Only simple operations are used in its computations: bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +), the rotate function, a PUF and a pseudo-random number generator. Bassil et al. claimed that traditional ultra-lightweight RFID communication protocols (such as the MAP family, SASI, etc.) are insecure because their tags can be physically cloned, so that different users could share the same tag through physical cloning. PUMAP therefore uses a PUF to resist physical analytic cloning attacks.

4.2.2 Basic Assumptions of PUMAP

The following assumptions, made by López et al., underlie the design of the PUMAP ultra-lightweight RFID communication protocol.

1. Assumptions on the tag and the channel. Each PUMAP tag is a low-cost passive tag.
In the tag design, only 250 to 3000 logic gates can be devoted to security mechanisms such as authentication and key exchange, which are executed every time the reader initiates the protocol.

For the communication channel, they assume that the communication between the reader and the tag runs over an open channel, so the information transmitted over it is easily eavesdropped and tampered with. The communication channel between the reader and the backend database, on the other hand, is assumed to be secure.

2. Assumptions on keys. For security reasons, the backend database connected to the reader stores, for each tag, the private key shared with that tag; it is used for the mutual authentication during the communication. The protocol requires one private key (SVR), and its bit length is assumed to be 96 bits.

3. Assumptions on the pseudo-random number generator (PRNG). To avoid information leakage over the open communication channel, a pseudo-random number generator is assumed to exist on the reader side; it supplies the fresh random numbers that keep the authentication messages confidential.

4. Assumptions on the type of operations. Only the following operations are used in the PUMAP communication protocol: bitwise XOR (⨁), bitwise OR (∨), bitwise AND (∧), modulo addition (mod +), the rotate function (Rot(X, Y)) and the PUF.

5. Assumptions on the memory capacity of tags. In order to store the private key (SVR) and the pseudo-ID (SVT), each tag is assumed to have 384 bits of rewritable memory (EEPROM or FRAM).

4.2.3 PUMAP Ultra-lightweight RFID Communication Protocol

The following notations are used in the PUMAP protocol.

[Table 4.1] The table of notations in the PUMAP protocol

The PUMAP protocol consists of three phases: the tag identification phase, the mutual authentication phase and the updating phase. In the following we assume that the tag with identity ID is going to communicate with a reader.

1. Tag identification. The reader first sends a "Hello" message to the tag. After receiving it, the tag sends back its pseudo-ID (SVT) to the reader for identification. The reader looks SVT up in its backend database. If SVT is not found, the communication is terminated; if it exists in the database, the protocol continues with the following steps.

2. Mutual authentication of the reader and the tag.
(1) After the tag has been identified, the reader chooses two random numbers n1 and n2 and uses n1, n2, SVT and SVR to compute three messages A, B and C:
A = SVT ⨁ SVR ⨁ n1
B = Rot(SVR + n2, SVT)
C = Rot(SVT ⨁ SVR ⨁ n1, n2)
The reader then sends A||B||C to the tag.
(2) After receiving A||B||C, the tag uses its own SVT and SVR together with A and B to recover n1 and n2:
n1 = A ⨁ SVT ⨁ SVR
n2 = Rot^{-1}(B, SVT) − SVR
where Rot^{-1} is the inverse of the rotate function. The tag then uses SVT, SVR, n1 and n2 to compute C' = Rot(SVT ⨁ SVR ⨁ n1, n2) and checks whether C' equals C. If it does, the tag has authenticated the reader, that is, the tag believes this reader is a legitimate reader.
(3) The tag computes the message D:
D = Rot(Rot((n1 + n2 ⨁ SVT) + SVR, n2), n1)
Because the tag now believes the reader is legitimate, it updates its pseudo-ID (SVT) and private key (SVR) by passing D through its PUF:
SVT_new = PUF(D)
SVR_new = PUF(SVT_new)
It then computes the messages E and F, which carry the new values:
E = Rot(SVT_new ⨁ n2, n1)
F = Rot(SVR_new ⨁ n1, n2)
The tag sends D||E||F to the reader for authentication and for the update of the pseudo-ID and the private key.
(4) After receiving D||E||F, the reader uses n1, n2, SVT and SVR to compute D' = Rot(Rot((n1 + n2 ⨁ SVT) + SVR, n2), n1) and checks whether D' equals D. If it does, the reader has authenticated the tag, that is, the reader believes this tag is a legitimate tag. The reader then recovers the new values from E and F:
SVT_new = Rot^{-1}(E, n1) ⨁ n2
SVR_new = Rot^{-1}(F, n2) ⨁ n1

3. Updating the pseudo-ID and the private key. If the same pseudo-ID were used in two different sessions, an attacker could easily link them, that is, learn that both sessions were launched by the same tag. Likewise, if the private key were not updated every time, an attacker could launch a replay attack. For these reasons the pseudo-ID SVT and the private key SVR must be updated at the end of every run of the protocol:
SVT = SVT_new
SVR = SVR_new
The communication between the tag and the reader is then complete.
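The following Python model is added here as an illustration of Sections 4.1.1 and 4.2.3; it is not code from the thesis or from Bassil et al. It simulates the arbiter PUF of Figure 4.1 with an additive delay model, derives a K-bit PUF output from a 64-bit-challenge PUF the way 4.1.1 describes, and then runs all three phases of PUMAP between a reader (with its backend database) and a tag. It assumes that Rot(X, Y) rotates X left by the Hamming weight of Y (the SASI convention; Table 4.1 did not survive extraction), that "+" is addition modulo 2^96, that (n1 + n2 ⨁ SVT) is bracketed as ((n1 + n2) ⨁ SVT), and that the PRNG used to expand the PUF output is seeded with the PUF input. The chip seeds, the initial SVT and SVR, and the reader's PRNG seed are constructed values.

```python
import random

WORD = 96                    # key / pseudo-ID length assumed in 4.2.2
MASK = (1 << WORD) - 1
STAGES = 64                  # arbiter stages = challenge bits (Figure 4.1)

class ArbiterPUF:
    """Additive-delay model of the arbiter PUF of Figure 4.1: same design on
    every chip, chip-specific delays (a seeded generator stands in for
    manufacturing variation; this is a modelling assumption)."""

    def __init__(self, chip_seed):
        rng = random.Random(chip_seed)
        # per stage: straight delay top/bottom, crossing delay onto top/bottom
        self.delays = [tuple(rng.uniform(0.9, 1.1) for _ in range(4))
                       for _ in range(STAGES)]

    def one_bit(self, challenge):
        """64-bit challenge -> 1 bit: 1 iff the top signal reaches D first."""
        t_top = t_bot = 0.0                      # arrival time on each wire
        for i, (s_top, s_bot, c_top, c_bot) in enumerate(self.delays):
            if (challenge >> i) & 1:             # X[i] = 1: the paths swap
                t_top, t_bot = t_bot + c_top, t_top + c_bot
            else:                                # X[i] = 0: straight through
                t_top, t_bot = t_top + s_top, t_bot + s_bot
        return 1 if t_top < t_bot else 0

    def response(self, value, nbits=WORD):
        """K-bit output as in 4.1.1: a PRNG seeded with the input supplies K
        64-bit challenges, each answered by one arbiter bit."""
        rng, out = random.Random(value), 0
        for _ in range(nbits):
            out = (out << 1) | self.one_bit(rng.getrandbits(STAGES))
        return out

def rot(x, y, inverse=False):
    """Rot(X, Y): rotate X left by the Hamming weight of Y, as in SASI
    (assumed; Table 4.1 did not survive). inverse=True computes Rot^-1."""
    k = bin(y & MASK).count("1") % WORD
    if inverse:
        k = (WORD - k) % WORD
    return ((x << k) | (x >> (WORD - k))) & MASK

def compute_d(svt, svr, n1, n2):
    # D = Rot(Rot((n1 + n2 xor SVT) + SVR, n2), n1), "+" mod 2^96; the
    # bracketing ((n1 + n2) xor SVT) is assumed and used by both sides.
    return rot(rot(((((n1 + n2) & MASK) ^ svt) + svr) & MASK, n2), n1)

def reader_challenge(svt, svr, n1, n2):
    """Step (1): A, B, C from the shared SVT, SVR and fresh n1, n2."""
    return svt ^ svr ^ n1, rot((svr + n2) & MASK, svt), rot(svt ^ svr ^ n1, n2)

def tag_respond(tag, a, b, c):
    """Steps (2)-(3): recover n1, n2, check C, derive and commit new values."""
    svt, svr = tag["svt"], tag["svr"]
    n1 = a ^ svt ^ svr
    n2 = (rot(b, svt, inverse=True) - svr) & MASK
    if rot(svt ^ svr ^ n1, n2) != c:
        return None                              # reader not authenticated
    d = compute_d(svt, svr, n1, n2)
    svt_new = tag["puf"].response(d)             # only this chip's PUF
    svr_new = tag["puf"].response(svt_new)       # produces these values
    tag["svt"], tag["svr"] = svt_new, svr_new    # tag updates before the reader
    return d, rot(svt_new ^ n2, n1), rot(svr_new ^ n1, n2)

def reader_finish(db, svt, n1, n2, d, e, f):
    """Step (4) and phase 3: check D, recover SVT_new, SVR_new, update the DB."""
    if compute_d(svt, db[svt], n1, n2) != d:
        return False                             # tag not authenticated
    db[rot(e, n1, inverse=True) ^ n2] = rot(f, n2, inverse=True) ^ n1
    del db[svt]
    return True

def make_tag(chip_seed, svt, svr):
    return {"puf": ArbiterPUF(chip_seed), "svt": svt & MASK, "svr": svr & MASK}

def run_session(db, tag, rng):
    """One full run: Hello/SVT identification, A||B||C, D||E||F, update."""
    svt = tag["svt"]                             # the tag's reply to "Hello"
    if svt not in db:
        return False                             # phase 1: unknown pseudo-ID
    n1, n2 = rng.getrandbits(WORD), rng.getrandbits(WORD)
    reply = tag_respond(tag, *reader_challenge(svt, db[svt], n1, n2))
    return reply is not None and reader_finish(db, svt, n1, n2, *reply)

def demo():
    """Two honest sessions, an unknown tag, a forged C, two chips compared."""
    db, rng = {}, random.Random(2013)            # reader-side PRNG, fixed seed
    tag = make_tag(7, 0x0123456789ABCDEF01234567, 0xFEDCBA9876543210FEDCBA98)
    db[tag["svt"]] = tag["svr"]                  # enrolment (constructed values)
    first, second = run_session(db, tag, rng), run_session(db, tag, rng)
    in_sync = len(db) == 1 and db.get(tag["svt"]) == tag["svr"]
    stranger = run_session(db, make_tag(8, 1, 2), rng)
    a, b, c = reader_challenge(tag["svt"], db[tag["svt"]], 5, 6)
    forged = tag_respond(tag, a, b, c ^ 1)       # one flipped bit in C
    same_chip = ArbiterPUF(1).response(0xD) == ArbiterPUF(1).response(0xD)
    other_chip = ArbiterPUF(1).response(0xD) != ArbiterPUF(2).response(0xD)
    return first, second, in_sync, stranger, forged, same_chip, other_chip
```

Calling demo() completes two consecutive sessions with the database still holding exactly the tag's current (SVT, SVR) pair, rejects an unknown pseudo-ID in the identification phase and a tampered C in step (2), and shows that two chips of the same design answer the same input with different 96-bit responses while one chip answers consistently. Note that, exactly as the description above states, the tag commits SVT_new and SVR_new in step (3) before the reader has checked D in step (4).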

[Figure 4.3] The complete protocol of PUMAP
