Prove You Owned Me: One Step beyond RFID
Tag/Mutual Authentication
Shaoying Cai, Yingjiu Li, Changshe Ma, Sherman S. M. Chow, Robert H. Deng Fellow, IEEE
Abstract—Radio Frequency Identification (RFID) is a key technology used in many applications. In the past decades, plenty of secure and privacy-preserving RFID tag/mutual authentication protocols, as well as formal frameworks for evaluating them, have been proposed. However, we notice that a property, namely proof of possession (PoP), has not been rigorously studied till now, even though it has significant value in many RFID applications. For example, in RFID-enabled supply chains, PoP helps prevent dishonest parties from publishing information about products/tags that they have actually never processed.

We propose the first formal framework for RFID tag/mutual authentication with PoP after correcting deficiencies of some existing RFID formal frameworks. Our framework is based on a new privacy notion, unp#-privacy, and a new security notion, PoP credential unforgeability. We provide a generic construction to transform an RFID tag/mutual authentication protocol into one that supports PoP using a cryptographic hash function, a pseudorandom function (PRF) and a signature scheme. We prove that the constructed protocol is secure and privacy-preserving under our framework if all the building blocks possess the desired security properties. Finally, we show an RFID mutual authentication protocol with PoP. Arming tag/mutual authentication protocols with PoP is an important step in strengthening RFID-enabled systems, as it bridges the security gap between the physical layer and the data layer and reduces the misuse of RFID-related data.
I. INTRODUCTION
Radio Frequency Identification (RFID) technology has greatly facilitated the collection and management of identification information in a wide range of applications, from supply chain and access management to stock tracing and payments. RFID systems consist of three main components: tags, readers, and backend servers. Tags are radio transponders attached to physical objects. Readers are radio transceivers that communicate with tags to identify or authenticate them based on information stored on backend servers. RFID technology enables automatic identification and information collection thanks to its wireless communication property. When combined with internet and networking technology, RFID-related information can be integrated, shared, and queried in real time.

The wireless communication property of RFID is a double-edged sword. Despite enhancing efficiency and reducing manpower costs, it also makes RFID-enabled systems vulnerable to a variety of attacks. An adversary may eavesdrop, replay, and manipulate RFID communications to obtain tag identifiers, track tag locations, impersonate RFID tags and RFID readers, and trigger denial of service without tag owners' awareness. Also, if an adversary compromises any RFID tags (e.g., via a side-channel attack [1]), they may access all secret information stored on the tags.

S. Cai is with the College of Computer Science and Electronic Engineering, Hunan University, China. Y. Li is with the Computer and Information Science Department, University of Oregon, USA. C. Ma is with the School of Computer, South China Normal University, China. S. Chow is with the Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong. R. H. Deng is with the School of Computing and Information Systems, Singapore Management University, Singapore.
Plenty of efforts have been devoted to securing communications between RFID readers and tags [2]. Secure and privacy-preserving tag/mutual authentication is the most fundamental functionality to protect RFID systems against various attacks. RFID tags should be identified with assurance in the presence of attacks, and meanwhile without disclosure of any valuable information. Hundreds of RFID tag/mutual authentication protocols (e.g., [3]–[16]) as well as dozens of formal frameworks (e.g., [17]–[22], [24]–[37]) for evaluating them have been proposed. However, an indispensable property, proof of possession (PoP), which was briefly discussed in [48], has not been rigorously studied till now.
PoP is highly valuable to RFID applications in which information about real-world events related to RFID tags is stored for future use and/or shared over networks. For example, access management systems require that the logs of visiting events related to authenticated access cards be kept for identifying suspicious visitors when anomalies happen. In supply chain management, visibility event data related to authenticated tags may be shared among supply chain parties through various platforms such as the EPCglobal Network [38], [39] and blockchain-based product management platforms [40], [41]. These application scenarios require RFID systems not only to authenticate tags, but also to prove to other parties that they indeed have authenticated the tags. Otherwise, the information about real-world events related to RFID tags may be manipulated even if the underlying tag/mutual authentication protocol works well. For example, a malicious access system administrator may manipulate the logs of visiting events related to authenticated access cards, and dishonest supply chain parties may make up visibility data about certain tags/products without actually processing them.
We propose to extend tag/mutual authentication protocols to support PoP. Our major contributions are summarized below.

• We study the existing formal frameworks for RFID tag/mutual authentication protocols. We refine Deng et al.'s RFID system model [30] to allow terminations during protocol executions. We correct Yang et al.'s claim [29] about the relationship between two major RFID privacy notions, unp*-privacy and ind-privacy, and discuss the deficiencies of their privacy notion, unpτ-privacy.

• We propose the first formal framework for RFID tag/mutual authentication with a new security notion, named PoP credential unforgeability, and a new privacy notion, named unp#-privacy. Unp#-privacy can be applied to analysing any RFID reader-tag communication protocol.

• We provide a generic construction to transform an RFID tag/mutual authentication protocol into one that additionally supports PoP using a cryptographic hash function, a pseudorandom function (PRF), and a signature scheme. We conduct a formal security analysis of our construction, and then discuss its practicability.

• We refine a secure and unp-privacy-preserving RFID mutual authentication protocol, and then extend it to support PoP according to our generic construction. We prove that the refined protocol with PoP is secure and privacy-preserving under our framework. We also discuss its implementation.

arXiv:2210.10244v1 [cs.CR] 19 Oct 2022
II. RELATED WORK
A. RFID authentication protocols
The existing RFID tag/mutual authentication protocols can be classified into two categories: symmetric key-based and PKC-based. With symmetric key-based protocols, a reader and a tag conduct unidirectional or bidirectional authentication based on some shared secrets. Current symmetric key-based protocols include cyclic redundancy code (CRC) checksum-based ones (e.g., [4], [5]), one-way hash function-based ones (e.g., [6]–[9]), and symmetric encryption algorithm-based ones (e.g., [3]), to name a few. However, symmetric key-based tag/mutual authentication protocols inherently cannot support PoP.

Elliptic curve cryptography (ECC) is the most lightweight PKC and has been shown to be applicable in resource-constrained RFID settings [42], [43]. Researchers have proposed many ECC-based RFID authentication protocols. However, most of them have been shown to be vulnerable [44], and only a few remain secure till now [10]–[14]. We discover that some ECC-based protocols (e.g., [12]–[14]) are actually symmetric key-based in terms of tag authentication, and thus cannot support PoP either. Only a couple of protocols [10], [11] can potentially be extended to support PoP, but they have not been further explored yet.
B. RFID formal frameworks
Formal RFID security and privacy frameworks are fundamental to the design and analysis of robust RFID protocols. In general, an RFID tag/mutual authentication protocol should satisfy (a) correctness, which means a valid tag/reader should always be accepted; (b) security, which means an invalid tag/reader should always be rejected; and (c) privacy, which means tags should not be identified or traced by unauthorized entities. Till now, many formal RFID frameworks have been proposed (e.g., [17]–[22], [24]–[37]).

Correctness and security definitions in existing RFID formal frameworks appear to be, to a large extent, equivalent. Among them, Deng et al.'s [30], [32] is considered more elaborate than others [19]. It is full of subtleties in developing rigorous and precise privacy notions. Dozens of other privacy notions have been proposed, and are systematically discussed in [33], [45]–[47]. Below we briefly introduce typical RFID privacy notions.
a) Indistinguishability-based privacy notion: Intuitively, it requires that no adversary can distinguish two uncorrupted tags [17], [18] or two groups of tags [19]. It is easy to apply for proving the privacy of protocols which are built with ind-secure primitives, such as an IND-CCA secure encryption scheme.

b) Unpredictability-based privacy notion: Intuitively, it requires that no adversary can distinguish protocol messages from random strings. The unpredictability-based privacy notions are easy to apply for proving the privacy of symmetric key-based protocols, which form the majority of existing RFID protocols. We will discuss unpredictability-based privacy notions [25]–[29] further in Section III.

c) Vaudenay's privacy notion [20]: Intuitively, it requires that for any adversary there exists a blinded adversary such that the advantage of the adversary in winning the privacy game over the blinded one's is negligible, where the blinded adversary does not 'use' the communication captured during the protocol run in order to determine its output. Vaudenay defined the most comprehensive adversary types. There are follow-up works [21]–[23] that consolidate adversary types, extend the definitions to address mutual authentication, etc.

d) Zero-knowledge-based privacy notion: Intuitively, it requires that whatever information an adversary can obtain from interacting with a target tag, there exists a simulator that can provide indistinguishable information without interacting with the tag. Zk-privacy was proposed by Deng et al. [30]. Moriyama et al. [33] showed that zk-privacy is equivalent to ind-privacy [18], which was proposed by Juels and Weis.

e) Universal composable (UC) model-based privacy notion: UC is a powerful notion proposed by Canetti [51] to describe cryptographic protocols that behave like an ideal functionality and can be composed in an arbitrary way. This is known as the strongest (computational) security model for cryptographic protocols. Several UC-based frameworks have been proposed for achieving RFID privacy [34]–[37].
III. DISCUSSIONS ON UNPREDICTABILITY-BASED PRIVACY NOTIONS
Each category of privacy notion has its own advantages. The unpredictability-based privacy notions can be easily applied for analysing symmetric key-based protocols. These protocols rely on relatively resource-friendly building blocks such as hash functions and block ciphers, and are suitable for low-cost RFID tags.

The first unpredictability-based privacy notion, called unp-privacy, was proposed by Ha et al. [25], and further strengthened to unp'-privacy [26], then unp*-privacy [28], and finally unpτ-privacy [29]. In [29], Yang et al. claimed that unp*-privacy does not imply ind-privacy, which is in contrast to the previous belief that unp*-privacy is stronger. We will show that their claim is not sound, and discuss the deficiency of unpτ-privacy.
A. Unp-privacy
We first briefly review the RFID system model and the adversary model of unp-privacy. An RFID system consists of a reader $\mathcal{R}$ and a set of tags $\mathcal{T}$. An RFID tag/mutual authentication protocol contains three rounds. A reader first sends a challenge $c$ to a tag, then the tag responds with a message $r$, and finally the reader sends the last message $f$. $P_c$, $P_r$, and $P_f$ are the message spaces of $c$, $r$, and $f$ respectively. An adversary is given access to the following oracles:

$O_1$: Upon being queried, the reader initializes a session and returns $(sid, c)$.
$O_2$: On inputs $(T_i, sid, c)$, it returns a message $r$.
$O_3$: On inputs $(sid, c, r)$, it returns a message $f$.
$O_4$: On an input $T_i$, it returns the tag $T_i$'s secret keys and internal state information.

Let $\mathcal{O}$ denote the set of the four oracles $\{O_1, O_2, O_3, O_4\}$ specified above. An adversary is a $(t, n_1, n_2, n_3, n_4)$-adversary if it makes at most $n_i$ queries to $O_i$ for each $1 \le i \le 4$, and its running time is at most $t$.

We use the following notations. If $\mathcal{A}(\cdot, \cdot, \cdots)$ is a randomized algorithm, then $y \leftarrow \mathcal{A}(x_1, x_2, \ldots; \rho)$ means that $y$ is assigned the unique output of algorithm $\mathcal{A}$ on inputs $x_1, x_2, \ldots$ and coins $\rho$, while $y \leftarrow \mathcal{A}(x_1, x_2, \ldots)$ is a shorthand for first picking $\rho$ at random and then setting $y \leftarrow \mathcal{A}(x_1, x_2, \ldots; \rho)$. $y \leftarrow \mathcal{A}^{O_1, \ldots, O_\upsilon}(x_1, x_2, \ldots)$ denotes that $y$ is assigned the output of algorithm $\mathcal{A}$, which takes $x_1, x_2, \ldots$ as inputs and has oracle access to $O_1, \ldots, O_\upsilon$. $\Pr[E]$ denotes the probability that an event $E$ occurs.
Now we introduce unp-privacy. Intuitively, achieving unp-privacy requires protocol transcripts to be unpredictable and protocol execution results to be unobservable. The experiment $\mathbf{Exp}^{unp}_{\mathcal{A}}[\kappa, l, n_1, n_2, n_3, n_4]$, denoted as $\mathbf{Exp}^{unp}_{\mathcal{A}}$ for short, is illustrated in Figure 1. Given the security parameter $\kappa$, an RFID system is set up with a reader $\mathcal{R}$ and a set of $l$ tags, where $l$ is polynomial in $\kappa$. An adversary $\mathcal{A}$ can launch oracle queries without exceeding $n_1$, $n_2$, $n_3$, and $n_4$ overall calls to $O_1$, $O_2$, $O_3$, and $O_4$ respectively throughout the experiment. $\mathcal{A}$ consists of two algorithms, $\mathcal{A}_1$ and $\mathcal{A}_2$, which run in two stages, the learning stage and the guess stage, respectively. In the learning stage, $\mathcal{A}_1$ queries the four oracles and outputs an uncorrupted challenge tag $T_c$ and state information $st$. Then the experiment chooses $b \leftarrow_R \{0,1\}$. In the guess stage, if $b = 1$, the experiment forwards $\mathcal{A}_2$'s queries to the oracles and returns the results, so that $\mathcal{A}_2$ really interacts with the reader and $T_c$; else, the experiment returns random values from the appropriate message spaces. Finally, $\mathcal{A}_2$ guesses the value of $b$ and outputs $b'$. The experiment outputs 1 if $b' = b$, and outputs 0 otherwise.
Definition 3.1: The advantage of adversary $\mathcal{A}$ in the experiment $\mathbf{Exp}^{unp}_{\mathcal{A}}$ is defined as:
$$\mathbf{Adv}^{unp}_{\mathcal{A}}(\kappa, l, n_1, n_2, n_3, n_4) = \left| \Pr\left[\mathbf{Exp}^{unp}_{\mathcal{A}}(\kappa, l, n_1, n_2, n_3, n_4) = 1\right] - \frac{1}{2} \right|,$$
where the probability is taken over the choice of the tag set $\mathcal{T}$ and the coin tosses of the adversary $\mathcal{A}$.
Experiment $\mathbf{Exp}^{unp}_{\mathcal{A}}[\kappa, l, n_1, n_2, n_3, n_4]$
1. Run $\mathrm{Setup}(\kappa)$ to set up $(\mathcal{R}, \mathcal{T})$.
// learning stage
2. $\{T_c, st\} \leftarrow \mathcal{A}_1^{\mathcal{O}}(\mathcal{R}, \mathcal{T})$.
3. Select $b \leftarrow_R \{0,1\}$.
// guess stage
4. $b' \leftarrow \mathcal{A}_2^{O_1, O_2, O_3}(\mathcal{R}, T_c, st)$;
   in this stage, when $\mathcal{A}_2$ queries $O_1$, $O_2$, and $O_3$: if $b = 1$, return the results from the oracles; else, return a random element from $P_c$, $P_r$, and $P_f$ respectively.
5. Output 1 if $b' = b$; else, output 0.
Fig. 1: Unp-Privacy Experiment
Definition 3.2: An adversary $\mathcal{A}$ $(\varepsilon, t, n_1, n_2, n_3, n_4)$-breaks the unp-privacy of the RFID system $(\mathcal{R}, \mathcal{T})$ if the advantage $\mathbf{Adv}^{unp}_{\mathcal{A}}(\kappa, l, n_1, n_2, n_3, n_4)$ of $\mathcal{A}$ in the experiment $\mathbf{Exp}^{unp}_{\mathcal{A}}$ is at least $\varepsilon$, and the running time of $\mathcal{A}$ is at most $t$.

Definition 3.3 (Unp-Privacy): An RFID system $(\mathcal{R}, \mathcal{T})$ is said to be $(\varepsilon, t, n_1, n_2, n_3, n_4)$-unp-private if, for all sufficiently large $\kappa$, there exists no adversary who can $(\varepsilon, t, n_1, n_2, n_3, n_4)$-break the unp-privacy of $(\mathcal{R}, \mathcal{T})$ for any $(\varepsilon, t)$, where $t$ is polynomial in $\kappa$ and $\varepsilon$ is non-negligible in $\kappa$.
B. Correction on the relation between ind-privacy and unp*-privacy

Li et al. proved that unp*-privacy implies ind-privacy [28]. However, Yang et al. claimed that unp*-privacy does not imply ind-privacy [29]. To support this claim, they provided a counterexample, formally proved that it satisfies unp*-privacy, and then showed that it does not satisfy ind-privacy through a traceability attack. However, we discover that the counterexample does not satisfy unp*-privacy in the first place.
We review the counterexample first. Let $F: \{0,1\}^{l_k} \times \{0,1\}^{l_d} \rightarrow \{0,1\}^{l_r}$ be a PRF family, $ctr \in \{0,1\}^{l_r}$ be a counter, and $pad \in \{0,1\}^{l_{pad}}$ be a padding, where $l_c + l_{pad} = l_d$ and $l_c$ is the length of the challenge. Each tag $T_i$ has a unique identity $ID_i$, and is assigned a secret key $k_i \leftarrow_R \{0,1\}^{l_k}$. $T_i$ stores $k_i$, a counter $ctr_i$ with initial value 1, and a one-bit tag state $st_i$ with initial value 0. The protocol works as follows.

1) The reader $\mathcal{R}$ chooses $c \leftarrow_R \{0,1\}^{l_c}$ and sends it to $T_i$.
2) Upon receiving $c$, the tag $T_i$ first chooses $r_2 \leftarrow_R \{0,1\}^{l_r}$. Then $T_i$ calculates $r_1 = F_{k_i}(c \| pad) \oplus ctr_i$ if $st_i = 0$; else $r_1 = F_{k_i}(c \| r_2) \oplus ctr_i$.¹ Finally, $T_i$ updates the counter as $ctr_i = ctr_i + 1$, sets $st_i = 1$, and sends $(r_1, r_2)$ to $\mathcal{R}$.
3) Upon receiving $(r_1, r_2)$ from $T_i$, the reader $\mathcal{R}$ searches for the matching tag in its database. If $\mathcal{R}$ discovers a tuple $(k, ctr, ID)$ such that $ctr = F_k(c \| pad) \oplus r_1$, then it accepts $T_i$ as the tag with $ID$, updates $ctr = ctr + 1$, and computes $f = F_k(c \| ctr \| r_2)$; else if there exists $(k, ctr, ID)$ such that $ctr = F_k(c \| r_2) \oplus r_1$, then $\mathcal{R}$ accepts $T_i$ as the tag with $ID$, updates $ctr = ctr + 1$, and computes $f = F_k(c \| ctr \| r_2)$; otherwise, $\mathcal{R}$ rejects $T_i$ and chooses $f \leftarrow_R \{0,1\}^{l_r}$. At last, $\mathcal{R}$ sends $f$ to $T_i$.

¹ In the counterexample, some inputs of $F$ do not have length $l_d$. We do not correct these mistakes.
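As an added example (not code from the paper or from [29]), the following Python models the three-round counterexample protocol just reviewed. HMAC-SHA256 stands in for the PRF family $F$, and the padding, challenge length and tag key are constructed values; the test runs two sessions, exercising both the $st_i = 0$ and $st_i = 1$ branches, and then checks that the reader, which compares against its already advanced stored counter, rejects a resubmission of an earlier response.

```python
import hashlib
import hmac
import os

L_R = 32                  # l_r = 256 bits: output length of F in bytes
PAD = b"\x00" * 16        # constructed fixed padding 'pad'

def F(key: bytes, data: bytes) -> bytes:
    """Stand-in for the PRF family: F_k(x) = HMAC-SHA256(k, x) (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def xor_ctr(block: bytes, ctr: int) -> bytes:
    """XOR an l_r-bit PRF output with the counter viewed as an l_r-bit integer."""
    return (int.from_bytes(block, "big") ^ ctr).to_bytes(L_R, "big")

class Tag:
    """Tag T_i: stores k_i, counter ctr_i (initially 1) and state bit st_i (initially 0)."""
    def __init__(self, key: bytes):
        self.k, self.ctr, self.st = key, 1, 0

    def respond(self, c: bytes):
        """Round 2: r1 = F_k(c||pad) ^ ctr if st == 0, else F_k(c||r2) ^ ctr."""
        r2 = os.urandom(L_R)
        r1 = xor_ctr(F(self.k, c + PAD if self.st == 0 else c + r2), self.ctr)
        self.ctr += 1
        self.st = 1
        return r1, r2

class Reader:
    """Reader R with a database of [key, ctr] records indexed by tag ID."""
    def __init__(self, db: dict):
        self.db = db

    def challenge(self) -> bytes:
        """Round 1: a fresh random challenge c (l_c = 128 bits, a constructed choice)."""
        return os.urandom(16)

    def finish(self, c: bytes, r1: bytes, r2: bytes):
        """Round 3: accept a tuple whose stored ctr equals F_k(input) ^ r1, trying the
        pad branch and then the r2 branch; on acceptance advance ctr and return
        (ID, f = F_k(c||ctr||r2)); otherwise return (None, random f)."""
        for tid, rec in self.db.items():
            k, ctr = rec
            for inp in (c + PAD, c + r2):
                if xor_ctr(F(k, inp), ctr) == r1:      # same test as ctr == F_k(inp) ^ r1
                    rec[1] = ctr + 1
                    return tid, F(k, c + rec[1].to_bytes(L_R, "big") + r2)
        return None, os.urandom(L_R)

def run_session(reader: Reader, tag: Tag):
    """One full three-round run; returns the transcript and the reader's decision."""
    c = reader.challenge()
    r1, r2 = tag.respond(c)
    return c, r1, r2, reader.finish(c, r1, r2)
```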