Low-Cost Untraceable Authentication Protocols for

RFID

Yong Ki Lee, Lejla Batina,Dave Singelée, Ingrid

Verbauwhede

BCRYPT workshop on RFID SecurityFebruary 5, 2010, Leuven

Outline of the talk Challenges in RFID networks

Security problems Privacy problems

Cryptographic building blocks ECC-based authentication protocols Search protocol Hardware architecture Conclusion

RFID technology

Radio Frequency Identification as we explain it to Dave’s tech-savvy grandmother:

1. Passive tag2. Battery assisted (BAP)3. Active tag with onboard power source

RFID applications Asset tracking Barcode replacement RFID passports Mobile credit card payment systems Transportation payment systems Sporting events (timing / tracing) Animal identification …

RFID security problems (I)

Impersonation attacks Genuine readers Malicious tags

=> Tag-to-server authentication

RFID security problems (II)

Eavesdropping Replay attacks Man-in-the-middle attacks Cloning Side-channel attacks …

RFID privacy problems (I)

[A. Juels. RSA Laboratories]

Mr. Jones in 2020

RFID privacy problems (II)

[A. Juels. RSA Laboratories]

Mr. Jones in 2020

Wigmodel #4456 (cheap polyester)

Das Kapital and Communist-

party handbook

1500 Eurosin wallet

Serial numbers:597387,389473

…30 items of lingerie

Replacement hipmedical part #459382

RFID privacy problems (III) RFID Privacy problem

Malicious readers Genuine tags

=> Untraceability

RFID privacy problems (IV)

Untraceability Inequality of two tags: the (in)equality

of two tags must be impossible to determine

Theoretical framework of Vaudenay [ASIACRYPT ‘07]: Narrow vs wide privacy Weak vs strong privacy

Cryptographic authentication protocol

Tag proves its identity Security (entity authentication) Privacy

Challenge-response protocol

Reader Tag

Challenge

Response

Technological requirements Scalability Implementation issues

Cheap implementation Memory Gate area

Lightweight Efficient

=> Influence on cryptographic building blocks

Implementation cost Symmetric encryption

AES: 3-4 kgates

Cryptographic hash function SHA-3: 10 – 30 kgates)

[ECRYPT II: SHA-3 Zoo]

Public-key encryption Elliptic Curve Cryptography (ECC): 11-15 kgates

=>Public key cryptography is suitable for RFID

ECC-based authentication protocols

Rely exclusively on ECC !!! Wide-strong privacy Two sub-modules

ID-transfer scheme Pwd-transfer scheme

Combination => 3 protocols Computational requirements Security requirements

System parameters

16

Example: Secure ID Transfer

Server: y

Tag: x1, Y=yP

T1

T2

rt1 € Z T1← rt1 P

rs1 € Z

T2←( rt1 + x1)P

(y-1T2 – T1) ( ) -1= x1P

1sr

1s

r

1s

r

ID-transfer scheme (protocol 1)

ID + Pwd-transfer scheme (protocol 3)

Search protocol (I) Linear search: scalability issues Search for one particular tag Design requirements:

One-round authentication Dedicated authentication Security against replay attacks Wide-weak privacy

Combine with ECC-based authentication protocol

Search protocol (II)

Hardware architecture

Performance comparison

Circuit Area (Gate Eq.) 14,566

Cycles for EC point multiplication

59,790

Frequency 700 KHz

Power 13.8 µW

Energy for EC point multiplication

1.18 µJ

Conclusion

Security & privacy in RFID networks Challenging research problem Public-key cryptography is suitable

for RFID tags ECC hardware implementation Wide-strong authentication protocols Search protocol

Questions??

EXTRA SLIDES

Pwd-transfer scheme

ID + Pwd-transfer scheme (protocol 2)