Designing Low-Cost Untraceable Authentication Protocols for RFID

Dave Singelée

IFIP WG 11.2 Seminar Istanbul

June 07, 2010

Outline of the talkn Introductionn RFID authentication protocols

n Security requirementsn Privacy requirementsn Implementation requirements

n ECC-based RFID authentication protocols

n Design challengesn Conclusion

RFID technologyn Radio Frequency Identification

n RFID setupn Back-end servern Readern Tag

Online vs offline scenarion Online

n Offline

RFID tags

n Various types of tags

1. Passive tag2. Battery assisted (BAP)3. Active tag with onboard power source

RFID authentication protocols

n Tag proves its identityn Challenge-response protocol

Reader Tag

Challenge

Response

Requirements

n Securityn Entity authentication

n Privacyn Untraceability

n Implementation issuesn Scalabilityn Low-cost

RFID security problems (I)

n Impersonation attacksn Genuine readersn Malicious tags

=> Tag-to-server authentication

RFID security problems (II)

n Eavesdroppingn Replay attacksn Man-in-the-middle attacksn Cloningn Side-channel attacksn …

RFID privacy problems (I)

n RFID Privacy problemn Malicious readersn Genuine tags

=> Untraceability

RFID privacy problems (II)

n Anonymityn The (fixed) identity of a tag must be

impossible to determine

n Untraceabilityn Inequality of two tags: the (in)equality of

two tags must be impossible to determine

n Untraceability > anonymity

RFID privacy problems (III)n Theoretical frameworkn Vaudenay [ASIACRYPT ‘07]:

n 8 privacy classes

Narrow

Wide

Weak StrongForward Destructive

X X X X

X X XX

n Public-key cryptography needed to achieve certain privacy properties!!!

Implementation issues

n Scalabilityn Low-cost implementation

n Memoryn Gate area

n Lightweightn Efficient

=> Depends on cryptographic building blocks used in the protocol

Implementation costn Symmetric encryption

n AES: 3-4 kgates

n Cryptographic hash functionn SHA-3: 10 – 30 kgates)

[ECRYPT II: SHA-3 Zoo]

n Public-key encryptionn Elliptic Curve Cryptography (ECC): 11-15 kgates

=>Public key cryptography is suitable for RFID

ECC-based RFID authentication protocols

n Rely exclusively on ECC !!!n Security requirementsn Privacy requirementsn Implementation requirements

n Schnorr protocoln Randomized Schnorrn ID-transfer schemen …

ID-transfer scheme [WISEC 2010]

Tag: x1, Y=yP

T1

T2

1sr

r , T r Pt1 1 t1∈ ←¢

( )12 1 1T r r x Yst

← +g

1 1( )( )12 1 1y T T r x Ps

− −− =g

1rs

∈¢

Server: y, X = x1P

Design challenges (I)

n Readers share same private key yn Online scenario: OKn Offline scenario:

n NOT OKn 1 compromised reader => no privacy

n How to solve the problemn Give unique private key to each reader?n Key updates / revocation / ... ??

Design challenges (II)

n ECC-based RFID protocols in literaturen Narrow-strong: OKn Wide-weak: NOT OK

n Man-in-the-middle attacksn Insider attacks

⇒ Increase privacy protection⇒ Low cost solutions

Design challenges (III)

n Secure and privacy-preserving extensions of basic RFID authentication protocolsn Search protocoln Grouping proofsn ...

n Physical layer securityn Distance boundingn Physical layer fingerprintsn ...

Design challenges (IV)

n Improve efficiencyn Lower # EC point multiplicationsn Decrease communication costn ...

n Further improve ECC hardware architecturen Arean Speedn Power consumption

Conclusion

n Security & privacy in RFID networksn Need for public-key based RFID

authentication protocolsn ECC is feasible on RFIDn Designing protocol is challenging task

n Various open research problems

Questions??

Dave.Singelee@esat.kuleuven.be

mailto:Dave.Singelee@esat.kuleuven.be

EXTRA SLIDES

ECC hardware architecture

Performance results

Circuit Area (Gate Eq.) 14,566

Cycles for EC point multiplication 59,790

Frequency 700 KHz

Power 13.8 µW

Energy for EC point multiplication 1.18 µJ

Schnorr protocol [CRYPTO ‘89]

Server: X = -xP Tag: x

R1

v

2r

r , R r P1 1 1∈ ←¢

2 1v xr r← +

2 1vP r X R+ =

2r ∈¢

Schnorr protocol (II)

n Security: OKn Privacy: vulnerable to tracking attacks

1 ( )2 1

X r R vP−= ⋅ −

Randomized Schnorr [CANS ‘08]

Server: y, X = xP Tag: x, Y = yP

T1 , T2

v

s 1r

, 2r rt1 t ∈¢

1 2 1v r r xr

t t s← + +

1 1( )1 1 2

r vP T y T Xs− −⋅ − − =

1rs

∈¢T r P , T r Y1 t1 2 t2← ←

Randomized Schnorr (II)

n Security: OKn Privacy

n Narrow-strongn Not wide-weak: vulnerable to man-in-the-

middle attackn Combine data from old protocol run with current

protocol instancen Server accepts => same tag=> Traceability

Randomized Schnorr (III)

ID-transfer scheme (protocol 1)