Upload
shino
View
26
Download
0
Embed Size (px)
DESCRIPTION
Randomized PRF Tree Walking Algorithm for Secure RFID. Leonid Bolotnyy and Gabriel Robins Department of Computer Science University of Virginia [email protected], [email protected]. Talk Outline. Identification Problem Secure Binary-Tree Walking Algorithm - PowerPoint PPT Presentation
Citation preview
Leonid Bolotnyy and Gabriel Robins
Department of Computer Science
University of Virginia [email protected], [email protected]
Randomized PRF Tree Walking Algorithm for
Secure RFID
Talk Outline
• Identification Problem– Secure Binary-Tree Walking Algorithm
• Reader-tag Authentication Problem• Multi-tag RFID Systems
Identification Problem
Tag IDTag ID
TagsReader
Local Server
Secure Identification Problem
Tag IDTag ID
TagsReader
Local Server
Passive vs. Active Adversary
Reader Tag Eavesdropper
Backward Range
Forward Range
Secure Binary-Tree Walkingi. Each tag generates a random numberii. Reader tree-walks these random numbersiii. Selected tag transmits its real-ID
Traverse(i, count) := Read random bit if collision on detected: Suspend all tags with == 1 Each suspended tag stores Traverse(i+
i
i
i
b ib
bi
1, 0) Wake up tags suspended on bit Traverse(i+1, 0) else if no collision on detected: if(count > threshold) Tree-Walk rem
i
i
b
aining tags else Traverse(i+1, count+1)
R. Rivest, S. Weis, EPCglobal, Inc.
0 1
11
111
10
110101100
01
011010
00
001000
Algorithm AnalysisMajor questions about the algorithm:
1. How to deal with collisions on real-IDs?2. How to choose optimal random number length?3. How to choose the threshold?
Number of tags per random number will have a Poisson distribution
( , ) * *cos bith n m t m t
(Expected number of random IDs with k tags)
(Expected total number of colliding tags)
(Cost function)
where t is the smallest exponent for which
2mn
( , , ) * *2!
kmf n m k e
k
2
2
( , ) ( , , )m
k
g n m f n m k k
1( ( , ), ) 1t tg m n mg g 2( , ) ( ( , ), )m n g g m n mg
n: number of tags, m: random number length
Optimal random number lengthUse average n over many traverse runs
309 ,200010 ,52 mnk
Determining threshold
For n = 2000, after about 11 bits, we expect zero, one, or two bits per branchStill have a “long” way to finish traversing the treeCostly over all branches if we traverse every branch to the end
Start the threshold at 2Increase threshold by 1 if collision occursDecrease threshold by 1 if over the entire traverse no collisions occurred
2i i
nt bits)(Expected number of tags on a branch after it
Pr[ tags match in threshold number of bits] = it ( 1)1
2 ithreshold t
Randomized PRF Tree Walking Algorithm
Goal: Efficiently solve reader-tag authentication problem in the presence of many tags
Steps of the algorithm:
1. Each tag generates a random number, and the reader performs a tree-walk on these numbers
2. Once a tag is selected, the reader and the tag engage in a tree-waking private authentication protocol
3. The reader moves the tag to a different position in a tree.
Binary Tree of Secrets
1, 0s
3, 4s3, 1s 3, 3s
1, 1s
3, 2s
2, 3s2, 1s
3, 0s
2, 0s
3, 7s3, 6s3, 5s
2, 2s
D. Molnar and D. WagnerPrivacy and Security in Library RFIDIssues, Practices, and Architecture
Step 1
Traverse(i, count) := Read random bit if collision on detected: Suspend all tags with == 1 Each suspended tag stores Traverse(i+
i
i
i
b ib
bi
1, 0) Wake up tags suspended on bit Traverse(i+1, 0) else if no collision on detected: if(count > threshold) Proceed to st
i
i
b
1ep 2 with ,..., Tree-Walk remaining tags else Traverse(i+1, count+1)
ir b b
Each tag generates a random number, and the readerperforms a tree-walk on these numbers
Step 2
1 2 n
1, 2, ,, , ..., {0,1}kb b k bs s s
n1 {0,1}i
Rr 1ir
,,2 1 2, (0, , )i bii i i
i s ir b f r r
,*
1 2(1, , )i bii i
s if r r
n2 {0,1}i
Rr
Hello, rt
for 1 to i k
, 1 2(0, , )i bii i
s if r r check that
,*
1 2(1, , )i bii i
s if r r check that
Reader Tag
Once a tag is selected, the reader and the tag engage in a tree-waking private authentication protocol
Step 3
1r
0 1
1 1 2 1
1
(0,0, )(0,1, ) ', (0,2, ) ',(0, , ) 2, 3 secrets 2
k
k k
k
s
s s
i s i
ID f rf r t f r bf i r s i
1 1
2 1
1
(0,1, )(0,2, )(0, , )
k
k
k
s
s
i i s
t f rb f rs f i r
compute
Reader Tag
0 1(0,0, )ksf r ID check that
The reader moves the tag to a different position in a tree
Properties of the Algorithm• Allows on-line addition and removal of tags• Provides security against active eavesdroppers• Offers security against foreign readers• Enables dynamic tradeoff between security,
privacy and singulation time• Effective against active attacks
– stealing a tag– tracking and hotlisting
• Requires a tag to be equipped with– pseudo-random function, XOR unit– random number generator– writable memory
Space and Time Complexity Evolution
is the total number of tags in the systemn
( )O n (1)O(log )O n ( )treeo depth( )treeO depth
D. Molnar and D. Wagner
Our algorithm
Our algorithm assuming secrets are hard to steal
Our algorithm assuming tags are read often and/orsecrets are very hard to steal
Random Number Generator
V
Random Bits
NoConnect
The voltage signal is amplified, disturbed, stretched, and sampled,resulting in random bits.
Will Warehttp://willware.net/hw-rng.html
New Idea: Multi-Tags
• Redundant Tags• Dual-Tags
– Own Memory Only– Shared Memory Only– Own and Shared Memory
• Triple-Tags• n-Tags
1 3 42
Attach more than one tag to an object
Benefits of Multi-Tag Systems
• Increased expected voltage on a tag• Increased expected communication range
– Increased availability• Increased memory• Increased reliability• Increased durability• Enhanced security
New applications
Our Current and Future Work
Let’s Collaborate!
Authentication algorithms with human protocolsA. Juels, S. Weis
D. Molnar, D. Wagner
A. Juels
New and emerging problems
Tag identification with delegation, ownership transfer
Efficient cloning-resistant identification algorithms
Find New and Improve Existing Algorithms