Emulated RFID Security without Extensive Cryptography

Nov 27, 2013 (3 years and 11 months ago)

B. Venkatalakshmi¹, V. Akilandeswari² and R. Karthick Narayanan

TIFAC-CORE, RFID & Sensors Lab
Velammal Engineering College

E-mail: ¹venkatalakshmib@velammal.org, ²akilandeswariv@velammal.org

ABSTRACT: Radio Frequency Identification (RFID) has recently received a lot of focus as an augmentation technology in the Ubiquitous Computing domain. An RFID system uses tags, which are small wireless devices that help in identifying objects and people. When read range permits, clandestine scanning of tags is a plausible threat. In consequence, a person carrying an RFID tag effectively broadcasts a fixed serial number to nearby readers, providing a ready vehicle for clandestine physical tracking. Conventional cryptographic algorithms aiming to attack this problem are limited by size and cost considerations. We propose an algorithm that is computationally simple, since it requires simple matrix multiplication. The proposed algorithm is tested in an emulated HF RFID environment and the results confirm the improved performance.

Keywords: Radio Frequency Identification, Ubiquitous Computing Domain, Matrix Multiplication, RFID Environment.

INTRODUCTION

RADIO FREQUENCY IDENTIFICATION (RFID) is a technology for automated identification of objects and people. An RFID device, frequently just called an RFID tag, is a small microchip designed for wireless data transmission. It is generally attached to an antenna in a package that resembles an ordinary adhesive sticker. The microchip itself can be as small as a grain of sand, some 0.4 mm [1].

An RFID system contains two principals: a tag and a
reader. An RFID tag transmits data over the air in response
to interrogation by an RFID reader.

Many types of RFID exist; RFID devices are divided into two classes: active and passive. Active tags require a power source: they're either connected to a powered infrastructure or use energy stored in an integrated battery. In the latter case, a tag's lifetime is limited by the stored energy, balanced against the number of read operations the device must undergo. However, batteries make the cost, size, and lifetime of active tags impractical for retail trade.

Passive RFID tags are of interest because the tags don't require batteries or maintenance. The tags also have an indefinite operational life and are small enough to fit into a practical adhesive label. A passive tag consists of three parts: an antenna, a semiconductor chip attached to the antenna, and some form of encapsulation.

RFID functions as a medium for numerous tasks including managing supply chains, tracking livestock, preventing counterfeiting, controlling building access, supporting automated checkout, arrangement of books at some libraries, developing smart home appliances, locating children, and even foiling grave robbers.

RFID tags, like other pervasive technologies such as sensor motes, represent a culmination of evolution toward wireless infrastructure and low-cost embedded computers. RFID tags are now available at the size of a grain of rice and have built-in logic, a coupling element and memory.

SECURITY AND PRIVACY PROBLEMS

Most current RFID applications use pallet/crate tagging. Individual item tagging enhances the utility of RFID systems. For example, libraries can use RFID tags to track books [2]; toll booths can automatically collect tolls by inspecting a tag attached to the windshield of a car. RFID tags are being used in e-passports, including for security [3]. However, privacy concerns hamper the widespread adoption of the technology.

The security problems in RFID systems arise from the following: data transmission between Tag and Reader is unencrypted; Tags are not tamper resistant because Tags are inexpensive micromini devices. Hence Tag and Reader communicate insecurely. Recent papers have reported that RFID systems have to achieve the following requirements: (i) the security that the attacker cannot distinguish the output of a Tag (Indistinguishability [4]), (ii) the security that past data are secure even if present data on the Tag leaked out to the attacker (Forward Security [4]), (iii) the security against the attack in which the attacker spoofs a legitimate Tag (Replay Attack [5]), (iv) the security against the DoS attack that broadcasts a large amount of Queries to a Tag, which then stops working (Tag Killing [6]), (v) ownership is transferable without invasion of the owner's privacy (Ownership Transfer [7]). The previous methods have been proposed to achieve only some of the above-mentioned requirements individually [8, 9, 4, 7, etc.].

RFID tags respond to reader interrogation without alerting their owners or bearers. Thus, where read range permits, clandestine scanning of tags is a plausible threat. As discussed above, most RFID tags emit unique identifiers, even tags that protect data with cryptographic algorithms [11]. In consequence, a person carrying an RFID tag effectively broadcasts a fixed serial number to nearby readers, providing a ready vehicle for clandestine physical tracking. Such tracking is possible even if a fixed tag serial number is random and carries no intrinsic data. The threat to privacy grows when a tag serial number is combined with personal information. For example, when a consumer makes a purchase with a credit card, a shop can establish a link between her identity and the serial numbers of the tags on her person. Marketers can then identify and profile the consumer using networks of RFID readers, both inside shops and without. The problem of clandestine tracking is not unique to RFID, of course. It affects many other wireless devices, such as Bluetooth-enabled ones [10].

Scarce computational and storage capabilities of the tag make designing security systems for RFID challenging. For example, the use of extensive cryptography-based authentication or high-quality random numbers on the tag side may not be possible. Extensive cryptographic operations can be shifted to the reader side. However, this requires the tag to either store large keys or frequently communicate with the reader over a secure out-of-band channel to obtain authorization information. The former option is impractical due to limited tag-side storage; the latter one decreases the utility of an RFID system as a time and cost saving identification technology. Scalability is an additional concern that an RFID security system designer has to address: the reader should be able to identify multiple tags that share the same radio channel.

PROPOSED SECURITY ALGORITHM

The RFID security system consists of three components (Database, Reader and Tag). The Database holds the unique ID of each Tag and administrates the information related to the ID. We describe the protocol of the RFID security system that is treated in this paper.

In any application, the tag attached to a certain item is resource constrained. Tags can store a limited amount of data and perform elementary operations such as byte-size integer addition and multiplication. The tag is capable of running a timer. The reader has sizable computational facilities and access to a database for fast lookup and update of the information related to the tag and the tagged item. The intruder is an entity that attempts to directly identify the tag. The intruder may attempt to track, backlist or profile the tagged item.

The tag and the reader communicate over an insecure channel (radio). All the information exchanged over this channel is available to the intruder. The intruder, however, gains access to neither the database records nor the internal memories of the tag or the reader.

ALGORITHM DESCRIPTION

Every tag stores two square $p \times p$ matrices: $M_1$ and $M_2^{-1}$. The reader maintains another two matrices: $M_2$ and $M_1^{-1}$ of the same size. The matrices $M_1^{-1}$ and $M_2^{-1}$ are the inverses of $M_1$ and $M_2$ respectively. The tag and the reader also share a key which is a vector of size $q$, where $q = rp$. Factor $r$ is an integer. The matrices and the key are randomly chosen for each tag.

As a slight abuse of notation we denote by $A = MB$, where $M$ is a $p \times p$ matrix and $B$ is a vector of size $q$, a component-wise multiplication of $M$ and $B$, i.e. each $p$-element component $A_i$ of vector $A$, where $1 \le i \le r$, is obtained by multiplying $M$ and the following elements of $B$: $b_{p(i-1)+1}, \dots, b_{pi}$. We also assume that in our calculations the vector is always properly transposed so as to be compatible with the matrix.

The key is selected such that the product $X = M_1 K$ is unique for each tag in the system. The tag information stored in the reader's database is indexed by $X$. A fresh key is used for every identification session.

Fig. 1: Secure identification algorithm

    Reader holds:   $M_1^{-1}$, $M_2$
    Tag holds:      $K$, $M_1$, $M_2^{-1}$

    Tag:            compute $X \leftarrow K M_1$; start timer
    Tag -> Reader:  $X$
    Reader:         identify tag by matching $X$; pick $K_{new}$, compute $Y \leftarrow (K_1 \oplus K_2 \oplus \dots \oplus K_r) M_2$ and $Z \leftarrow K_{new} M_2$
    Reader -> Tag:  $Y$, $Z$
    Tag:            stop timer; verify $Y M_2^{-1} = (K_1 \oplus K_2 \oplus \dots \oplus K_r)$; get fresh key $K \leftarrow Z M_2^{-1}$

Tag identification

The identification session has two parts:

• Tag identification.
• Reader identification.

The tag identification session is initiated by the reader contacting the tag. The tag replies with $X = K M_1$ (key) and starts a timer. The reader confirms whether $X$ uniquely identifies the tag and obtains the rest of the information about the tag and the tagged item from its database. Only if $X$ is found in the database does the reader accept the tag; otherwise it blocks that particular tag.

TAG SECURITY ALGORITHM

Begin
    Assign the variable to the signal
        Signal = tagid
    Send signal to the tag.
    Assign the variable to the count;
        Count = total no. of keys


Mobile and Pervasive Computing (CoMPC 2008)

    For i to count do
        Search key with tag key
        If key found in the table then
            Assign the key to the temp variable
            Update tag table with unblock variable
        Else key not found in the table then
            Assign the tag key in the variable.
            Update tag table with block variable.
        End if

READER AUTHENTICATION

In reader authentication, the reader authenticates itself to the tag and supplies it with a new key. For authentication, the reader proves to the tag that it is in possession of the key. To save tag resources, the reader applies bitwise exclusive-or to the $p$-size components of $K$ and multiplies the result by $M_2$. To calculate a fresh key, the reader selects a unique $X_{new}$ and obtains the key as $K_{new} = X_{new} M_1^{-1}$. The reader sends both vectors to the tag. The tag verifies the reader's credentials and accepts the new key. In case the reader authentication fails or the reader fails to respond before the timeout expires, the tag stops further communication until reset. The tag is allowed to participate in only one authentication session at a time.

READER SECURITY ALGORITHM

Begin
    Assign the signal variable
        Signal = reader signal
    If key found in the database then
        Tag accepts the reader
        Reader assigns the new key to the tag
        Key modified in the key table
    Else key not found in the table
        Tag blocks the reader
        Block command updated in the table
    End if

VALIDATION IN FEATURES

The security of our algorithm is based on the difficulty of recovering the multiplicand or multiplier from the product of matrix multiplication [12]. Hence, the intruder cannot discover the key or the matrix used by the tag and the reader. This prevents the intruder from identifying the tag. Observe that the algorithm is only secure against known-ciphertext attacks. However, we assume that such a guarantee is sufficient for RFID systems. Let us consider the security of our algorithm against the RFID-specific threats. Since the intruder cannot identify the tag, the intruder cannot mount either a hot listing or profiling attack. The tracking threat is more sophisticated, as the intruder does not have to identify the tag to succeed. Notice, however, that as the intruder cannot deduce either the key or the matrices, he cannot authenticate himself to the tag. Thus, any identification session with the intruder is aborted.

The tag does not participate in multiple authentication sessions, neither does it respond to identification requests after an unsuccessful session. Thus, there may be at most one aborted session per tag. Observe that during each session, including the single aborted session, the tag and the reader send data based on a fresh key. Since the intruder cannot decode the transmission, he cannot match the tag across multiple sessions. Hence, the intruder may not be able to track the tag.

EXPERIMENTAL SETUP

Technical Specifications

    Operating Frequency     13.56 MHz
    Supporting Standards    ISO 15693
    Supporting Protocol     RS232/USB/Ethernet
    Read Range              Up to 45 cm for 300 × 300 mm
    Baud Rate               57600 b/s (fixed)
    Flash RAM               64 kB

EXPERIMENTAL RESULT

In the above experimental setup, the tags were tested with the simulated algorithm. The specifications are ISO 15693 compliance, 13.56 MHz operating frequency, read/write capability with data locking option, up to 2000 bits of user memory, and simultaneous identification. We tested around 50 tags with our algorithm successfully.

IMPLEMENTATION CONSIDERATIONS AND FUTURE WORK

Let us estimate the resource requirements placed on the tag by our algorithm. A key size of 8 bytes provides sufficient key space for most RFID applications. Matrices of 4 × 4 bytes provide adequate security [12]. Byte-size integer counters are necessary to implement multiple tag sequencing. In an identification session, the reader and the tag exchange a message, as well as two messages of 8 and 9 bytes respectively. Thus, the storage requirements of our algorithm are rather modest and most of the chip space is to be occupied by the byte-multiplier unit. To provide extra security assurance, this mechanism can also be used to periodically refresh the matrices installed on each tag.

Potentially the intruder may launch a denial of service attack. The intruder can block the tags from further identification by starting spurious authentication sessions with them. Blocked tags have to be reinitialized. Protection against this kind of attack would be an interesting extension of our algorithm.

The intruder is not capable of matching multiple authentication sessions of the same tag through non-radio means. If this is a possibility, the intruder may be able to deduce the product of $M_1 M_2^{-1}$ by observing subsequent authentication sessions of the same tag. To prevent this kind of attack, the reader and the tag have to share another key, whose length exceeds the capacity of the intruder to follow the authentication sessions of the same tag [13].

Refreshing tag-side information over the out-of-band channel may be time consuming, especially if the inventory is large or is not easily accessible. An algorithm that minimizes or eliminates secure channel communication would be desirable for these kinds of applications. Notice that the combined key and matrix size in our algorithm is 24 bytes.

const
    q: integer [key size]
    k[1::q]: integer [key]
var
    collide: boolean [trial outcome]
    cfront, pfront: integer, initially 0
        [current and previous number of growth points in front]
    cback, pback: integer, initially 0
        [current and previous number of growth points behind]

for i ← 1 to q do
    for j ← 1 to pfront do
        collide ← trial()
        cfront ← cfront + 1
        if collide = true then
            cfront ← cfront + 1
    collide ← trial()
    if collide = true then
        if k[i] = 0 then
            cback ← cback + 1
        else
            cfront ← cfront + 1
    for j ← 1 to pback do
        collide ← trial()
        cback ← cback + 1
        if collide = true then
            cback ← cback + 1
    pback ← cback
    cback ← 0
    pfront ← cfront
    cfront ← 0


REFERENCES

[1] Takaragi, K., Usami, M., Imura, R., Itsuki, R. and Satoh, T., "An ultra small individual recognition security chip," IEEE Micro, vol. 21, no. 6, pp. 42-49, 2001.

[2] David Molnar and David Wagner. Privacy and security in library RFID: issues, practices, and architectures. In CCS '04: Proceedings of the 11th ACM conference on Computer and communications security, pages 210-219, New York, NY, USA, 2004. ACM Press.

[3] Ari Juels, David Molnar and David Wagner, Security and privacy issues in E-Passport system, http://eprint.iacr.org/2005/095.pdf

[4] Ohkubo, M., Suzuki, K. and Kinoshita, S., Cryptographic approach to "privacy-friendly" tags. In RFID Privacy Workshop, 2003.

[5] Rhee, K., Kwak, J., Kim, S. and Won, D., Challenge-response based RFID authentication protocol for distributed database environment. In SPC 2005, volume 3450 of LNCS, 2005.

[6] Han, D.G., Takagi, T., Kim, H.W. and Chung, K.I., New security problem in RFID systems tag killing. In ACIS 2006, volume 3982 of LNCS, pages 375-384. Springer-Verlag, 2006.

[7] Saito, J. and Sakurai, K., Owner transferable privacy protection scheme for RFID tags. In CSS 2005, volume 2005 of IPSJ Symposium Series, pages 283-288, 2005.

[8] Avoine, G., Dysli, E. and Oechslin, P., Reducing time complexity in RFID systems. In SAC 2005, volume 3897, LNCS, pages 291-306. Springer-Verlag, 2005.

[9] Kinoshita, S., Hoshino, F., Komuro, T., Fujimura, A. and Ohkubo, M., Low-cost RFID privacy protection scheme. IPSJ, 45(8):2007-2021, 2004.

[10] Jakobsson, M. and Wetzel, S., "Security weaknesses in Bluetooth," in The Cryptographer's Track at RSA, D. Naccache, Ed. New York: Springer-Verlag, 2001, vol. 2020, Lecture Notes in Computer Science, pp. 176-191.

[11] Ari Juels, RFID security and privacy: A research survey, in IEEE Journal on Selected Areas in Communications, Vol. 24, No. 2, February 2006.

[12] William Stallings. Cryptography and network security: principles and practice. Prentice-Hall, Englewood Cliffs, NJ 07632, USA, second edition, 1999.

[13] Sindhu Karthikeyan and Mikhail Nesterenko, RFID Security without Extensive Cryptography, Computer Science Department, Kent State University, Kent, OH, USA.