Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Designing Low-Cost Untraceable Authentication Protocols for RFID
Dave Singelée
IFIP WG 11.2 Seminar Istanbul
June 07, 2010
Outline of the talkn Introductionn RFID authentication protocols
n Security requirementsn Privacy requirementsn Implementation requirements
n ECC-based RFID authentication protocols
n Design challengesn Conclusion
RFID technologyn Radio Frequency Identification
n RFID setupn Back-end servern Readern Tag
Online vs offline scenarion Online
n Offline
RFID tags
n Various types of tags
1. Passive tag2. Battery assisted (BAP)3. Active tag with onboard power source
RFID authentication protocols
n Tag proves its identityn Challenge-response protocol
Reader Tag
Challenge
Response
Requirements
n Securityn Entity authentication
n Privacyn Untraceability
n Implementation issuesn Scalabilityn Low-cost
RFID security problems (I)
n Impersonation attacksn Genuine readersn Malicious tags
=> Tag-to-server authentication
RFID security problems (II)
n Eavesdroppingn Replay attacksn Man-in-the-middle attacksn Cloningn Side-channel attacksn …
RFID privacy problems (I)
n RFID Privacy problemn Malicious readersn Genuine tags
=> Untraceability
RFID privacy problems (II)
n Anonymityn The (fixed) identity of a tag must be
impossible to determine
n Untraceabilityn Inequality of two tags: the (in)equality of
two tags must be impossible to determine
n Untraceability > anonymity
RFID privacy problems (III)n Theoretical frameworkn Vaudenay [ASIACRYPT ‘07]:
n 8 privacy classes
Narrow
Wide
Weak StrongForward Destructive
X X X X
X X XX
n Public-key cryptography needed to achieve certain privacy properties!!!
Implementation issues
n Scalabilityn Low-cost implementation
n Memoryn Gate area
n Lightweightn Efficient
=> Depends on cryptographic building blocks used in the protocol
Implementation costn Symmetric encryption
n AES: 3-4 kgates
n Cryptographic hash functionn SHA-3: 10 – 30 kgates)
[ECRYPT II: SHA-3 Zoo]
n Public-key encryptionn Elliptic Curve Cryptography (ECC): 11-15 kgates
=>Public key cryptography is suitable for RFID
ECC-based RFID authentication protocols
n Rely exclusively on ECC !!!n Security requirementsn Privacy requirementsn Implementation requirements
n Schnorr protocoln Randomized Schnorrn ID-transfer schemen …
ID-transfer scheme [WISEC 2010]
Tag: x1, Y=yP
T1
T2
1sr
r , T r Pt1 1 t1∈ ←¢
( )12 1 1T r r x Yst
← +g
1 1( )( )12 1 1y T T r x Ps
− −− =g
1rs
∈¢
Server: y, X = x1P
Design challenges (I)
n Readers share same private key yn Online scenario: OKn Offline scenario:
n NOT OKn 1 compromised reader => no privacy
n How to solve the problemn Give unique private key to each reader?n Key updates / revocation / ... ??
Design challenges (II)
n ECC-based RFID protocols in literaturen Narrow-strong: OKn Wide-weak: NOT OK
n Man-in-the-middle attacksn Insider attacks
⇒ Increase privacy protection⇒ Low cost solutions
Design challenges (III)
n Secure and privacy-preserving extensions of basic RFID authentication protocolsn Search protocoln Grouping proofsn ...
n Physical layer securityn Distance boundingn Physical layer fingerprintsn ...
Design challenges (IV)
n Improve efficiencyn Lower # EC point multiplicationsn Decrease communication costn ...
n Further improve ECC hardware architecturen Arean Speedn Power consumption
Conclusion
n Security & privacy in RFID networksn Need for public-key based RFID
authentication protocolsn ECC is feasible on RFIDn Designing protocol is challenging task
n Various open research problems
Questions??
mailto:[email protected]
EXTRA SLIDES
ECC hardware architecture
Performance results
Circuit Area (Gate Eq.) 14,566
Cycles for EC point multiplication 59,790
Frequency 700 KHz
Power 13.8 µW
Energy for EC point multiplication 1.18 µJ
Schnorr protocol [CRYPTO ‘89]
Server: X = -xP Tag: x
R1
v
2r
r , R r P1 1 1∈ ←¢
2 1v xr r← +
2 1vP r X R+ =
2r ∈¢
Schnorr protocol (II)
n Security: OKn Privacy: vulnerable to tracking attacks
1 ( )2 1
X r R vP−= ⋅ −
Randomized Schnorr [CANS ‘08]
Server: y, X = xP Tag: x, Y = yP
T1 , T2
v
s 1r
, 2r rt1 t ∈¢
1 2 1v r r xr
t t s← + +
1 1( )1 1 2
r vP T y T Xs− −⋅ − − =
1rs
∈¢T r P , T r Y1 t1 2 t2← ←
Randomized Schnorr (II)
n Security: OKn Privacy
n Narrow-strongn Not wide-weak: vulnerable to man-in-the-
middle attackn Combine data from old protocol run with current
protocol instancen Server accepts => same tag=> Traceability
Randomized Schnorr (III)
ID-transfer scheme (protocol 1)