Leonid Bolotnyy and Gabriel Robins

Department of Computer Science

University of Virginia lb9xk@cs.virginia.edu, robins@cs.virginia.edu

Randomized PRF Tree Walking Algorithm for

Secure RFID

Talk Outline

• Identification Problem– Secure Binary-Tree Walking Algorithm

• Reader-tag Authentication Problem• Multi-tag RFID Systems

Identification Problem

Tag IDTag ID

TagsReader

Local Server

Secure Identification Problem

Tag IDTag ID

TagsReader

Local Server

Passive vs. Active Adversary

Reader Tag Eavesdropper

Backward Range

Forward Range

Secure Binary-Tree Walkingi. Each tag generates a random numberii. Reader tree-walks these random numbersiii. Selected tag transmits its real-ID

Traverse(i, count) := Read random bit if collision on detected: Suspend all tags with == 1 Each suspended tag stores Traverse(i+

i

i

i

b ib

bi

1, 0) Wake up tags suspended on bit Traverse(i+1, 0) else if no collision on detected: if(count > threshold) Tree-Walk rem

i

i

b

aining tags else Traverse(i+1, count+1)

R. Rivest, S. Weis, EPCglobal, Inc.

0 1

11

111

10

110101100

01

011010

00

001000

Algorithm AnalysisMajor questions about the algorithm:

1. How to deal with collisions on real-IDs?2. How to choose optimal random number length?3. How to choose the threshold?

Number of tags per random number will have a Poisson distribution

( , ) * *cos bith n m t m t

(Expected number of random IDs with k tags)

(Expected total number of colliding tags)

(Cost function)

where t is the smallest exponent for which

2mn

( , , ) * *2!

kmf n m k e

k

2

2

( , ) ( , , )m

k

g n m f n m k k

1( ( , ), ) 1t tg m n mg g 2( , ) ( ( , ), )m n g g m n mg

n: number of tags, m: random number length

Optimal random number lengthUse average n over many traverse runs

309 ,200010 ,52 mnk

Determining threshold

For n = 2000, after about 11 bits, we expect zero, one, or two bits per branchStill have a “long” way to finish traversing the treeCostly over all branches if we traverse every branch to the end

Start the threshold at 2Increase threshold by 1 if collision occursDecrease threshold by 1 if over the entire traverse no collisions occurred

2i i

nt bits)(Expected number of tags on a branch after it

Pr[ tags match in threshold number of bits] = it ( 1)1

2 ithreshold t

Randomized PRF Tree Walking Algorithm

Goal: Efficiently solve reader-tag authentication problem in the presence of many tags

Steps of the algorithm:

1. Each tag generates a random number, and the reader performs a tree-walk on these numbers

2. Once a tag is selected, the reader and the tag engage in a tree-waking private authentication protocol

3. The reader moves the tag to a different position in a tree.

Binary Tree of Secrets

1, 0s

3, 4s3, 1s 3, 3s

1, 1s

3, 2s

2, 3s2, 1s

3, 0s

2, 0s

3, 7s3, 6s3, 5s

2, 2s

D. Molnar and D. WagnerPrivacy and Security in Library RFIDIssues, Practices, and Architecture

Step 1

Traverse(i, count) := Read random bit if collision on detected: Suspend all tags with == 1 Each suspended tag stores Traverse(i+

i

i

i

b ib

bi

1, 0) Wake up tags suspended on bit Traverse(i+1, 0) else if no collision on detected: if(count > threshold) Proceed to st

i

i

b

1ep 2 with ,..., Tree-Walk remaining tags else Traverse(i+1, count+1)

ir b b

Each tag generates a random number, and the readerperforms a tree-walk on these numbers

Step 2

1 2 n

1, 2, ,, , ..., {0,1}kb b k bs s s

n1 {0,1}i

Rr 1ir

,,2 1 2, (0, , )i bii i i

i s ir b f r r

,*

1 2(1, , )i bii i

s if r r

n2 {0,1}i

Rr

Hello, rt

for 1 to i k

, 1 2(0, , )i bii i

s if r r check that

,*

1 2(1, , )i bii i

s if r r check that

Reader Tag

Once a tag is selected, the reader and the tag engage in a tree-waking private authentication protocol

Step 3

1r

0 1

1 1 2 1

1

(0,0, )(0,1, ) ', (0,2, ) ',(0, , ) 2, 3 secrets 2

k

k k

k

s

s s

i s i

ID f rf r t f r bf i r s i

1 1

2 1

1

(0,1, )(0,2, )(0, , )

k

k

k

s

s

i i s

t f rb f rs f i r

compute

Reader Tag

0 1(0,0, )ksf r ID check that

The reader moves the tag to a different position in a tree

Properties of the Algorithm• Allows on-line addition and removal of tags• Provides security against active eavesdroppers• Offers security against foreign readers• Enables dynamic tradeoff between security,

privacy and singulation time• Effective against active attacks

– stealing a tag– tracking and hotlisting

• Requires a tag to be equipped with– pseudo-random function, XOR unit– random number generator– writable memory

Space and Time Complexity Evolution

is the total number of tags in the systemn

( )O n (1)O(log )O n ( )treeo depth( )treeO depth

D. Molnar and D. Wagner

Our algorithm

Our algorithm assuming secrets are hard to steal

Our algorithm assuming tags are read often and/orsecrets are very hard to steal

Random Number Generator

V

Random Bits

NoConnect

The voltage signal is amplified, disturbed, stretched, and sampled,resulting in random bits.

Will Warehttp://willware.net/hw-rng.html

New Idea: Multi-Tags

• Redundant Tags• Dual-Tags

– Own Memory Only– Shared Memory Only– Own and Shared Memory

• Triple-Tags• n-Tags

1 3 42

Attach more than one tag to an object

Benefits of Multi-Tag Systems

• Increased expected voltage on a tag• Increased expected communication range

– Increased availability• Increased memory• Increased reliability• Increased durability• Enhanced security

New applications

Our Current and Future Work

Let’s Collaborate!

Authentication algorithms with human protocolsA. Juels, S. Weis

D. Molnar, D. Wagner

A. Juels

New and emerging problems

Tag identification with delegation, ownership transfer

Efficient cloning-resistant identification algorithms

Find New and Improve Existing Algorithms