A New Ultralightweight RFID Authentication Protocol with Permutation


Source: IEEE Communications Letters, Vol. 16, No. 5, pp. 702-705, May 2012
Authors: Yun Tian, Gongliang Chen and Jianhua Li
Speaker: Wei-Yuan Hsueh
Date: 2012/09/20

Outline

- Introduction
- Proposed scheme
- Comparisons
- Conclusions

Introduction (1/5)

Architecture of the RFID system

[Figure: Tag, Antenna, Reader, Backend Database]

Introduction (2/5)

- Chien (2007) [1]: SASI (Strong Authentication and Strong Integrity), a new ultralightweight RFID authentication protocol
- Phan (2009) [2]: tag tracking (unbalanced operations)
- Sun et al. (2011) [3]: de-synchronization, replay attack

[1] H.-Y. Chien, "SASI: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 4, pp. 337-340, Oct.-Dec. 2007.
[2] R. C.-W. Phan, "Cryptanalysis of a new ultralightweight RFID authentication protocol SASI," IEEE Transactions on Dependable and Secure Computing, vol. 6, no. 4, pp. 316-320, Oct.-Dec. 2009.
[3] H.-M. Sun, W.-C. Ting, and K.-H. Wang, "On the security of Chien's ultralightweight RFID authentication protocol," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 2, pp. 315-317, Mar.-Apr. 2011.

Introduction (3/5) - desynchronization, replay attack

[Figure: tag, reader and database, each with a Name/key table (entries A0/x, A1/y, A2/z; labels "new" and "old"). Messages shown: Hello, A0, A1, 11100, 10010, update. Steps (1) and (2); step (1): attacker eavesdrops, interrupts.]

Introduction (4/5) - desynchronization, replay attack

[Figure: attacker, tag and database (reader), with Name/key tables (entries A0/x, A1/y, A2/z). Messages shown: Hello, A2, A0, 10010. Step (3): attacker imitates a valid reader; he cannot find (pretends); replays the recorded message; interrupts. Result: desynchronized.]

Introduction (5/5) - improve

- Not to use unbalanced operations
- Resist de-synchronization attack
  - the last messages in the protocol run are sent by the reader
  - both the old value and the new value of the shared keys should be stored in the database

Proposed scheme (1/8)

- ID: Tag's unique identity
- IDS: Tag's preshared pseudonym with the backend database
- K1, K2, K3: Tag's preshared secret keys with the backend database
- ⊕: bitwise XOR
- Rot(x, y): left rotate x by wt(y) bits
- Per(x, y): the permutation of x according to y

Proposed scheme (2/8) - Per(x,y)

[Figure: the computation of the example, with bit rows for x, y and Per(x,y), and for y' and Per(x,y')]

1. wt(Per(x,y)) = wt(x)
2. Per(x,y) = Per(x,y')

Proposed scheme (3/8)

- wt(Per(x,y)) = wt(x)
  Solution: the permutation takes random numbers as input and its result is always XORed with other values
- Per(x,y) = Per(x,y')
  Solution: add a rotation operation to shift the LSB in the second input of the permutation


Proposed scheme (4/8)

The scheme is divided into three phases:

- Tag identification
- Mutual authentication
- IDS and Secrets Updating


Proposed scheme (5/8)

Reader stores: $\{IDS^{old}, IDS^{new}, K_1^{old}, K_1^{new}, K_2^{old}, K_2^{new}, K_3^{old}, K_3^{new}\}$
Tag stores: $\{IDS, K_1, K_2, K_3\}$

(I) Tag identification

Reader -> Tag: Hello
Tag -> Reader: IDS
Reader: look up the tag in the database

Proposed scheme (6/8)

(II) Mutual authentication

Reader: chooses a random number $n_1$; computes A, B
  $A = Per(K_2, K_1) \oplus n_1$
  $B = Per(K_1 \oplus K_2, Rot(n_1, n_1)) \oplus Per(n_1, K_1)$
Tag: extracts $n_1$; verifies $Per(K_1 \oplus K_2, Rot(n_1, n_1)) \oplus Per(n_1, K_1) \stackrel{?}{=} B$; computes C
  $C = Per(n_1 \oplus K_1, n_1 \oplus K_3) \oplus ID$
Reader: verifies C

Proposed scheme (7/8)

(II) Mutual authentication

Reader: chooses a random number $n_2$; computes D, E
  $D = Per(K_3, K_2) \oplus n_2$
  $E = Per(K_3, Rot(n_2, n_2)) \oplus Per(n_1, K_3 \oplus K_2)$
Tag: extracts $n_2$; verifies $Per(K_3, Rot(n_2, n_2)) \oplus Per(n_1, K_3 \oplus K_2) \stackrel{?}{=} E$

Proposed scheme (8/8)

(III) IDS and Secrets Updating

Reader

(1) If $IDS^{old}$ is received:
  $IDS^{new} = Per(IDS^{old}, n_1 \oplus n_2) \oplus K_1^{old} \oplus K_2^{old} \oplus K_3^{old}$
  $K_1^{new} = Per(K_1^{old}, n_1) \oplus K_2^{old}$
  $K_2^{new} = Per(K_2^{old}, n_2) \oplus K_1^{old}$
  $K_3^{new} = Per(K_3^{old}, n_1 \oplus n_2) \oplus IDS^{old}$

(2) If $IDS^{new}$ is received:
  $IDS^{old} = IDS^{new}$, $K_1^{old} = K_1^{new}$
  $K_2^{old} = K_2^{new}$, $K_3^{old} = K_3^{new}$
  $IDS^{new} = Per(IDS^{old}, n_1 \oplus n_2) \oplus K_1^{old} \oplus K_2^{old} \oplus K_3^{old}$
  $K_1^{new} = Per(K_1^{old}, n_1) \oplus K_2^{old}$
  $K_2^{new} = Per(K_2^{old}, n_2) \oplus K_1^{old}$
  $K_3^{new} = Per(K_3^{old}, n_1 \oplus n_2) \oplus IDS^{old}$

Tag

  $IDS^{*} = Per(IDS, n_1 \oplus n_2) \oplus K_1 \oplus K_2 \oplus K_3$
  $K_1^{*} = Per(K_1, n_1) \oplus K_2$
  $K_2^{*} = Per(K_2, n_2) \oplus K_1$
  $K_3^{*} = Per(K_3, n_1 \oplus n_2) \oplus IDS$
  $IDS = IDS^{*}$
  $K_1 = K_1^{*}$
  $K_2 = K_2^{*}$
  $K_3 = K_3^{*}$
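
An added example (not code from the paper or from these slides) that runs the three phases on both sides and can block the final D, E message, which shows why the reader keeps both the old and the new values. The Per definition is taken from the cited paper as an assumption, since the slide gives it only as a figure; the names run_session, update, db, tag and drop_last are hypothetical.

```python
import secrets

L = 96  # bits per value, as on the comparison slide

def wt(v):
    return bin(v).count("1")  # Hamming weight

def rot(x, y):  # Rot(x, y): left-rotate x by wt(y) bits
    s = wt(y) % L
    return ((x << s) | (x >> (L - s))) & ((1 << L) - 1)

def per(x, y, n=L):
    # Assumed (cited paper): x bits where y=1 in order, then where y=0 reversed.
    pairs = list(zip(f"{x:0{n}b}", f"{y:0{n}b}"))
    ones = [b for b, k in pairs if k == "1"]
    zeros = [b for b, k in pairs if k == "0"]
    return int("".join(ones + zeros[::-1]), 2)

def update(ids, k1, k2, k3, n1, n2):  # phase (III) equations
    return (per(ids, n1 ^ n2) ^ k1 ^ k2 ^ k3, per(k1, n1) ^ k2,
            per(k2, n2) ^ k1, per(k3, n1 ^ n2) ^ ids)

def run_session(db, tag, tag_id, drop_last=False):
    # db: {"old": (IDS, K1, K2, K3), "new": (...)}; tag: {"state": (...)}
    ids, k1, k2, k3 = tag["state"]
    slot = next((s for s in ("new", "old") if db[s][0] == ids), None)
    if slot is None:
        return False  # (I) reader cannot identify the tag
    _, r1, r2, r3 = db[slot]
    n1 = secrets.randbits(L)  # (II) reader sends A, B
    a = per(r2, r1) ^ n1
    b = per(r1 ^ r2, rot(n1, n1)) ^ per(n1, r1)
    t1 = a ^ per(k2, k1)  # tag extracts n1 and checks B
    if per(k1 ^ k2, rot(t1, t1)) ^ per(t1, k1) != b:
        return False
    c = per(t1 ^ k1, t1 ^ k3) ^ tag_id  # tag answers with C
    if c != per(n1 ^ r1, n1 ^ r3) ^ tag_id:
        return False
    n2 = secrets.randbits(L)  # reader sends D, E and updates
    d = per(r3, r2) ^ n2
    e = per(r3, rot(n2, n2)) ^ per(n1, r3 ^ r2)
    db["old"], db["new"] = db[slot], update(*db[slot], n1, n2)
    if drop_last:
        return True  # D, E blocked in transit: tag keeps its old state
    t2 = d ^ per(k3, k2)  # tag extracts n2, checks E, updates
    if per(k3, rot(t2, t2)) ^ per(t1, k3 ^ k2) != e:
        return False
    tag["state"] = update(ids, k1, k2, k3, t1, t2)
    return True
```

After a run with drop_last=True the tag's state equals db["old"], so the next run still identifies and authenticates it through the old entry and brings both sides back in step.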

Comparisons

| | SASI [1] | Gossamer [4] | Ours (RAPP) |
|---|---|---|---|
| Communication operations | +, ⊕, OR, Rot | +, ⊕, Rot, MixBits | ⊕, Rot, Per |
| Storage requirement | 7L | 7L | 5L |
| Communication messages | 2L | 2L | 2L |
| Resistance to de-synchronization attacks | No | No | Yes |
| Resistance to replay attack | No | No | Yes |
| Resistance to tag tracking | No | Yes | Yes |

L: 96 bits

[1] H.-Y. Chien, "SASI: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 4, pp. 337-340, Oct.-Dec. 2007.
[4] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, and A. Ribagorda, "Advances in ultralightweight cryptography for low-cost RFID tags: Gossamer protocol," in Proc. 2008 International Workshop on Information Security Applications, pp. 56-68.

Conclusions

- This proposed scheme provides good performance and resistance to various attacks.

18

Appendix

$B = Per(K_1 \oplus K_2, Rot(n_1, n_1)) \oplus Per(n_1, K_1)$
$E = Per(K_2 \oplus K_1, Rot(n_2, n_2)) \oplus Per(n_2, K_2)$
1 2 1 1 1 1
( (,(,))) ( (,))
wt Per K K Rot n n wt Per n K
   
1 2 1 2 1 2
( ) ( ) ( ) ( )
wt K K wt n wt K K wt n
     
1 2
( ) ( )
wt n wt n
 
2 1 2 2 2 2
( (,(,))) ( (,))
wt Per K K Rot n n wt Per n K
 
2 1 1 2
( ) ( ) ( ) ( ) ( ) ( )
wt A wt D wt K wt n wt K wt n
    
1 2 2 1 1 2
( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( )
wt B wt E wt A wt D wt n wt n wt K wt n wt K wt n
        
2 1
( ) ( )
wt K wt K
 
( ) ( ) ( )
wt B E wt B wt E
  
$wt(Per(x, y)) = wt(x)$
$D = Per(K_1, K_2) \oplus n_2$
$A = Per(K_2, K_1) \oplus n_1$