What differentiates the existing protocols is the way in which the information sent by the tag, i. As shown in Fig. If the adversary is active and not constrained in the number of successive requests that she can send to the tag, then she will eventually be able to trace the tag or to ensure that the system itself can no longer identify it. Thus, from a traceability point of view, these protocols, for example [18, 23, 26, 28, 43], are only secure when considering a weak adversary model.
Section 2 introduces some protocols based on this approach. Such protocols are given in Sect. This simple idea, however, requires a large amount of memory to store the pseudonyms, otherwise, the tag becomes traceable as soon as the pseudonyms have been used once.
For each protocol, we exhibit weaknesses or attacks that endanger the privacy of the tags. In some cases, the threat appears because the authors focused on an adversary model that is too restricted to be realistic. In other cases the threat is due to weaknesses in the protocol design.
Other attacks rely on the fact that the tag sends values that are distinguishable from random values, e. Another important problem, which we explain below, is desynchronization between the tag and the system: some protocols assume a kind of synchronization between the system and the tags it manages. We illustrate these recurrent weaknesses in the examples given below. Data in the database and in the tags are initially synchronized. The reader sends a request to the tag. The database checks the validity of these values against its recorded data.
Thus two entries per tag are used in turn. Avoine 2. Note, however, that it is easier to inject a message into a wireless channel than to modify one.
We therefore propose a practical variant of this attack: When a reader queries a tag, the adversary queries this tag as well before the reader carries out the third step. Receiving the request from the adversary, the tag increases k. Consequently, the hash value sent by the reader seems to be incorrect since k has now changed. Combined with a relay attack [5,19,20,33], this attack is even easier to put into practice.
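As an added illustration (not code from the chapter or from any of the cited protocols), the following Python models a reader-aided ID-refreshment protocol with a session number k in the shape described above, and runs the desynchronization attack: the adversary's extra request moves the tag's k forward, the reader's third message then fails the tag's check, and the database, which has already refreshed its entry, can no longer identify the tag. The message formats, the refresh rule and the tag names are assumptions made for the example.

```python
from __future__ import annotations
import hashlib

def H(*parts: bytes) -> bytes:
    """Hash function shared by tag and system (SHA-256 over the parts)."""
    return hashlib.sha256(b"|".join(parts)).digest()

def enc(k: int) -> bytes:
    return k.to_bytes(4, "big")

class Tag:
    def __init__(self, ident: bytes, k: int = 0):
        self.ident, self.k = ident, k

    def answer(self) -> tuple[bytes, int]:
        """Step 2: any request, legitimate or not, increments the session number."""
        self.k += 1
        return H(self.ident, enc(self.k)), self.k

    def update(self, proof: bytes, new_ident: bytes) -> bool:
        """Step 3 (tag side): refresh the identifier only if the proof was computed
        with the tag's *current* session number."""
        if proof != H(b"update", self.ident, enc(self.k)):
            return False
        self.ident = new_ident
        return True

class System:
    """Reader and back-end database modelled as one entity (assumed layout)."""
    def __init__(self, tags: dict[bytes, int]):
        self.db = dict(tags)                     # identifier -> last accepted k

    def identify(self, a: bytes, k: int) -> bytes | None:
        for ident, k_db in self.db.items():
            if k > k_db and a == H(ident, enc(k)):
                return ident
        return None

    def step3(self, a: bytes, k: int) -> tuple[bytes, bytes] | None:
        ident = self.identify(a, k)
        if ident is None:
            return None
        proof = H(b"update", ident, enc(k))
        new_ident = H(b"refresh", ident)
        del self.db[ident]                       # database refreshes its copy now ...
        self.db[new_ident] = k                   # ... and assumes the tag will too
        return proof, new_ident

def run(system: System, tag: Tag, adversary_interferes: bool) -> tuple[bool, bool]:
    """One protocol run. Returns (tag accepted the update, system still identifies the tag)."""
    a, k = tag.answer()                          # steps 1-2: request and answer
    if adversary_interferes:
        tag.answer()                             # adversary's extra request: the tag's k moves on
    reply = system.step3(a, k)                   # step 3: proof and new identifier
    updated = reply is not None and tag.update(*reply)
    still_known = system.identify(*tag.answer()) is not None
    return updated, still_known
```

In the honest run both sides refresh and the tag is still identified afterwards; with the adversary's interleaved request the tag rejects the reader's proof, keeps its old identifier, and the database, which has already replaced that identifier, cannot find it any more.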
Hence, the tag cannot detect the attack. First of all, the adversary eavesdrops on an interaction between her targeted tag and a legitimate reader. We recall that the Elgamal encryption [13] of a message m under the public key y with a random number r is (m y^r, g^r), where g is a generator of G.
Below, we expand Golle et al. Let q be the order of G, and g a generator. As depicted in Fig. The authors say that this attack does not allow the tag to be traced; it only harms the normal functioning of the system. However, Golle et al. Thus, she is able afterward to decrypt the content of the tag and trace it. Recently, Ateniese, Camenisch, and de Medeiros [3] suggested an approach to thwart this attack. Their solution is based on a new cryptographic primitive called insubvertible encryption.
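As an added example (not from the chapter), the following Python implements Elgamal-based universal re-encryption in a toy group and the rewriting attack sketched above: a ciphertext written to the tag under the adversary's public key survives every re-encryption performed by legitimate readers, so she can keep decrypting it while the system cannot. The group parameters and the identifier values are chosen here for illustration and are far too small for real use.

```python
import secrets

# Toy safe-prime group for illustration only (not a secure size):
# P = 2Q + 1, and G is the subgroup of order Q generated by g.
P, Q, g = 1019, 509, 4

def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, Q-1]

def keygen() -> tuple[int, int]:
    x = rand_exp()
    return x, pow(g, x, P)                       # private x, public y = g^x

def ur_encrypt(m: int, y: int):
    """Universal re-encryption (Golle et al.): an Elgamal encryption of m paired
    with an Elgamal encryption of 1 under the same public key."""
    k0, k1 = rand_exp(), rand_exp()
    return ((m * pow(y, k0, P)) % P, pow(g, k0, P)), (pow(y, k1, P), pow(g, k1, P))

def ur_reencrypt(c):
    """Re-randomise a ciphertext without knowing the public key: this is what
    every reader does to the tag's content."""
    (a0, b0), (a1, b1) = c
    k0, k1 = rand_exp(), rand_exp()
    return ((a0 * pow(a1, k0, P)) % P, (b0 * pow(b1, k0, P)) % P), \
           (pow(a1, k1, P), pow(b1, k1, P))

def ur_decrypt(c, x: int):
    """Return the plaintext, or None if c is not encrypted under x's public key
    (the second component must decrypt to 1)."""
    (a0, b0), (a1, b1) = c
    if (a1 * pow(b1, -x, P)) % P != 1:
        return None
    return (a0 * pow(b0, -x, P)) % P

def attack_scenario():
    """Honest use of the tag, then the rewriting attack described above."""
    x_sys, y_sys = keygen()
    x_adv, y_adv = keygen()
    while x_adv == x_sys:                        # distinct keys for a meaningful demo
        x_adv, y_adv = keygen()
    ident = pow(3, 2, P)                         # tag identifier, an element of G
    tag = ur_encrypt(ident, y_sys)
    for _ in range(3):                           # three legitimate reads re-encrypt it
        tag = ur_reencrypt(tag)
    honest_ok = ur_decrypt(tag, x_sys) == ident
    # Attack: the adversary writes a ciphertext under HER key into the tag.
    marker = pow(5, 2, P)
    tag = ur_encrypt(marker, y_adv)
    for _ in range(3):                           # the system keeps re-encrypting it ...
        tag = ur_reencrypt(tag)
    # ... but can no longer read it, while the adversary can, and so traces the tag.
    return honest_ok, ur_decrypt(tag, x_sys), ur_decrypt(tag, x_adv) == marker
```

Because re-encryption only needs the ciphertext, nothing in the protocol binds the tag's content to the system's key; the decryptor can detect the substitution (the second component no longer decrypts to 1), which is the harm to normal functioning the authors mention, but detection does not stop the adversary from recognising her own ciphertext.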
Indeed, since the tag sends in the second message what it received in the third message of the previous execution, an adversary is able to trace the tag by eavesdropping on the communication. We describe the attack below. In this case, the queried tag is her target with high probability. While the tag could detect such an attack by testing whether ID^i_next satisfies P_i, there are other invariant properties, i.e. They subsequently suggested two RFID protocols based on [18].
If not, the tag does not renew its content. The primary difference compared to [18] is G. Since the tag is not able to carry out the exponentiations itself, precalculations are carried out by the database and sent to the tag from time to time. Below, we expand the protocol.
The tag also contains a variable k that is the session number, as well as a secret S. All these data are shared with the database. The procedure unfolds in the following way see Fig.
If not, the tag does nothing. In other words, the oracle responds whether or not we are dealing with the traced tag. Let us, however, note that this response from the oracle is internal to the tag. So the adversary proceeds as follows. She queries the tag once again. Since the adversary has to be present during the update (which is only carried out from time to time), she can force the update using a man-in-the-middle attack.
No authentication is used in the protocol. The session number prevents a replay attack, not a man-in-the-middle attack. Here, if an adversary causes the database to send the update message while the tag cannot receive it, then the session number stored by the database will be higher than that stored by the tag.
Consequently, all the subsequent updates will fail, as the calculation of the key X, which authorizes the update, takes into account the current session number. Below, we explain our attack. The authors of [25, 46] distinguish the reader from the back-end database, whereas up until now we have considered them as a single entity.
In Fig. At the beginning, the tag and the system share three random values k1 , k2 , and C. Three exchanges are required in this protocol: 1. The system queries the tag with a value S. The precise content of S is not relevant in the attack. More details are available in [25, 46]. As an illustration, the protocols proposed by Peris-Lopez et al. Such an approach avoids the attacks presented in Sect. Proof of security can even be supplied under certain assumptions.
Thus, protocols based on self-refreshment seem to be precisely what we need, both in theory and in practice. However, we will show in Sect. Such a function is still rather heavy to implement in very low-cost tags [1, 12, 14] and is only feasible for tags that are a bit more expensive.
Sometimes, the Interaction and Search phases are interleaved. In this protocol see Fig. Below we give the three phases of the protocol. Weis et al. Consequently, they suggest another construction that relies on pseudorandom functions.
The exchanges are depicted in Fig. Note that [14] does not specify whether or not the same secret s is used for all tags; the paper is a bit ambiguous on this point. The difference is that the hash is deterministic rather than randomized. Thus, an adversary tampering with the tag is not able to trace it in the past. Two hash functions G and H are chosen.
One hash function is enough if a one-bit parameter is added to its input. The exchanges between the system and the tag can be represented as follows. The main advantage of this protocol compared to the previous challenge-response protocols is that it also ensures forward secrecy.
However, it does not prevent replay attacks. They are based on classical challenge-response protocols (denoted CR in what follows), and so are secure in terms of untraceability, assuming that the hash functions and ciphers behave like pseudorandom functions. However, CR-based protocols are quite expensive in terms of computation: in a system of n tags, existing protocols require O(n) cryptographic operations to identify one tag and O(n^2) to identify the whole system.
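As an added illustration (not the chapter's own code), the following Python models the OSK exchange described above: the tag answers G(s) and replaces s by H(s); the system identifies a tag by brute force over its n initial secrets and up to m positions of each hash chain, which is the O(nm) cost discussed in this chapter. It also exhibits the two properties just stated: an adversary who tampers with the tag and learns its current secret can predict future answers but, H being one-way, cannot recompute earlier ones (forward secrecy), and an old answer replayed to the system is still accepted (no replay protection). The seeds, n = 50 and m = 20 are constructed for the example.

```python
from __future__ import annotations
import hashlib

def G(s: bytes) -> bytes:
    """Answer hash. One function with a one-bit domain separator would also do."""
    return hashlib.sha256(b"\x00" + s).digest()

def H(s: bytes) -> bytes:
    """State-update hash: the tag's new secret is H(s)."""
    return hashlib.sha256(b"\x01" + s).digest()

class OSKTag:
    def __init__(self, s1: bytes):
        self.s = s1                              # current secret s^k, initially s^1

    def answer(self) -> bytes:
        """Self-refreshment: send G(s) and move on to H(s); no reader help needed."""
        a = G(self.s)
        self.s = H(self.s)
        return a

class OSKSystem:
    def __init__(self, initial: dict[int, bytes], m: int):
        self.s1, self.m = dict(initial), m       # s^1_i for each tag, and the depth bound m
        self.hashes = 0                          # G and H evaluations performed so far

    def identify(self, a: bytes) -> int | None:
        """Brute force over n tags and m chain positions: O(nm) hashes per query."""
        for tag_id, s in self.s1.items():
            for _ in range(self.m):
                self.hashes += 2
                if G(s) == a:
                    return tag_id
                s = H(s)
        return None

def demo() -> tuple[int | None, int | None, int, bool]:
    n, m = 50, 20                                # constructed parameters for the example
    initial = {i: hashlib.sha256(b"seed-%d" % i).digest() for i in range(n)}
    tags = {i: OSKTag(initial[i]) for i in range(n)}
    system = OSKSystem(initial, m)
    for _ in range(5):                           # five reads by foreign readers the system never sees
        tags[37].answer()
    a = tags[37].answer()                        # sixth read, by the system
    who = system.identify(a)
    replayed = system.identify(a)                # no freshness: the same answer is accepted again
    # Tampering now yields s^7; it predicts the next answer G(s^7) but, H being
    # one-way, not the earlier answers G(s^1)..G(s^6): the forward secrecy of OSK.
    leaked = tags[37].s
    predicts_future = G(leaked) == tags[37].answer()
    return who, replayed, system.hashes, predicts_future
```

Identifying tag 37 costs the system 37 full chains of 20 steps plus 6 steps on its own chain, i.e. 1492 hash evaluations, and the replayed answer costs the same again; the counter returned by demo makes this cost visible.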
Molnar and Wagner [35] have suggested a method to reduce the complexity to O(log n). We then show that it degrades privacy if the adversary is able to tamper with at least one tag [8, 11, 36].
Leuven, Belgium. These tags also make the check-out and check-in of books much easier. Nor should the adversary be able to track him a posteriori, when the book has been brought back to the library. Indeed, the adversary could borrow the book and tamper with its tag to track the past events of the tag. In other words, the protocol should ensure forward privacy. In a library scenario, it is realistic to assume that the tags can contain a secret-key cipher or a hash function, because they are not disposable.
Thus, a slightly higher cost is conceivable. This value is rather arbitrary since it depends on the cryptographic building block itself, either an encryption function or a hash function. However, our goal is to choose a rather realistic value just to compare the protocols in a fair way, disregarding the underlying building blocks. We assume that inputs and outputs of the cryptographic functions are bit long.
The library manages tags. Current implementations allow a single reader to read several hundred tags per second, meaning that the system should spend at most a few milliseconds to identify one tag. In the following sections, tP denotes the average time to identify one tag using a protocol P. Because certain applications in libraries, in amusement parks, etc.
Thus, the system should be capable of identifying the whole set of tags it manages in only a few seconds e. It prevents an adversary from impersonating, tracing, or identifying tags. They also share a secret key s. To initiate the authentication, the reader sends a nonce a to the tag.
The tags are the leaves of this tree and each edge is associated with a value. Each tag has to store the values along the path from the root of the tree to itself. This sequence makes up its secret, and each value is called a block of secret. On the other side, the reader knows all the secrets. We describe the protocol below.
Each edge in the tree is labelled with a randomly chosen secret r_{i,j}, where i is the level in the tree and j is the branch index. The secret of a given tag is the list of the values r_{i,j} from the root to the leaf. For example, the secret of T5 in Fig. If the reader has been successfully authenticated at each level, the protocol succeeds.
Given that [s1 ,. However, we will see below that a small branching factor enables tracing the tags. The attack consists of three phases: 1. The adversary has one tag T0 e. For the sake of simplicity of calculation, we assume that T0 is put back into circulation. She then chooses a target tag T. She can query it as much as she wants, but she cannot tamper with it.
Avoine et al. They consequently assume that the adversary cannot carry out an exhaustive search over the secret space. Hence, the only way for an adversary to guess a block of secret of a given tag is to query it with the blocks of secret she obtained by tampering with some other tags. When she tampers with only one tag, she obtains only one block of secret per level in the tree. Thus, she queries T, and then T1 and T2, with this block.
If either T1 or T2 (but not both) has the same block as T0, she is able to determine which of them is T. If neither T1 nor T2 has the same block as T0, she cannot answer. We formalize the analysis below. We denote the secrets of T, T0, T1, and T2 by [s1 ,. We consider a given level i where s^1_i and s^2_i are in the same subtree. The same assumption also applies to C^2_i, C^3_i, and C^4_i. Tampering with several tags: Avoine et al. The protocol is depicted in Fig.
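As an added example (not the chapter's code), the following Python implements a tree-based protocol of the kind described above with branching factor b and depth d, a reader that tries only b candidate blocks per level, and the three-phase attack: the adversary holds the blocks of secret of a tampered tag T0, tests whether a queried tag shares T0's block at each level by checking the tag's per-level answers against the blocks she knows, and decides which of T1, T2 is the target T when exactly one of them has the same sharing pattern. The per-level answer (an HMAC of the reader's nonce under the block) and the deterministic edge secrets are assumptions made for the example; tracing_rate estimates the success probability by simulation.

```python
from __future__ import annotations
import hashlib, hmac, random, secrets

def block_mac(block: bytes, nonce: bytes) -> bytes:
    """Per-level answer: a MAC of the reader's nonce under one block of secret (assumed)."""
    return hmac.new(block, nonce, hashlib.sha256).digest()

class Tree:
    """Tree of secrets with branching factor b and depth d; the leaves are the tags."""
    def __init__(self, b: int, d: int):
        self.b, self.d = b, d
        # Edge secret r_{i,j}: level i (0 = edges leaving the root), branch index j.
        # Derived from fixed labels so the example is reproducible; a real system draws them at random.
        self.r = {(i, j): hashlib.sha256(b"r_%d_%d" % (i, j)).digest()
                  for i in range(d) for j in range(b ** (i + 1))}

    def path(self, leaf: int) -> list[tuple[int, int]]:
        return [(i, leaf // self.b ** (self.d - 1 - i)) for i in range(self.d)]

    def secret(self, leaf: int) -> list[bytes]:
        return [self.r[e] for e in self.path(leaf)]

class Tag:
    def __init__(self, blocks: list[bytes]):
        self.blocks = blocks
    def respond(self, nonce: bytes) -> list[bytes]:
        return [block_mac(r, nonce) for r in self.blocks]

class Reader:
    def __init__(self, tree: Tree):
        self.tree = tree
    def identify(self, tag: Tag) -> int | None:
        """Descend the tree: only b candidates are tried per level, O(b log_b n) in total."""
        nonce = secrets.token_bytes(16)
        resp, j = tag.respond(nonce), 0
        for i in range(self.tree.d):
            for cand in range(j * self.tree.b, (j + 1) * self.tree.b):
                if hmac.compare_digest(resp[i], block_mac(self.tree.r[(i, cand)], nonce)):
                    j = cand
                    break
            else:
                return None
        return j

class Adversary:
    """Phase 1: holds the blocks of one tampered tag T0; afterwards she can only query tags."""
    def __init__(self, tree: Tree, tampered_leaf: int):
        self.known = tree.secret(tampered_leaf)

    def shares_with_t0(self, tag: Tag) -> tuple[bool, ...]:
        """Query the tag and check, level by level, whether its block equals T0's."""
        nonce = secrets.token_bytes(16)
        resp = tag.respond(nonce)
        return tuple(hmac.compare_digest(resp[i], block_mac(self.known[i], nonce))
                     for i in range(len(self.known)))

    def which_is_target(self, target: Tag, t1: Tag, t2: Tag) -> int | None:
        """Phases 2-3: is the target t1 (1) or t2 (2)? None when their patterns coincide."""
        p, p1, p2 = (self.shares_with_t0(t) for t in (target, t1, t2))
        if p1 == p2:
            return None
        return 1 if p == p1 else 2

def tracing_rate(b: int, d: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo estimate of the fraction of (T0, T1, T2) triples the adversary can decide."""
    rng, tree, n, ok = random.Random(seed), Tree(b, d), b ** d, 0
    for _ in range(trials):
        t0, t1, t2 = rng.sample(range(n), 3)
        adv = Adversary(tree, t0)
        ok += adv.which_is_target(Tag(tree.secret(t1)), Tag(tree.secret(t1)), Tag(tree.secret(t2))) == 1
    return ok / trials
```

With b = 2 and d = 3, T0 = leaf 0 shares two levels with leaf 1 and one level with leaves 2 and 3, so the adversary distinguishes leaf 1 from leaf 7 but cannot tell leaves 6 and 7 apart; increasing the branching factor makes shared blocks rarer, which is the trade-off between complexity and privacy discussed in this chapter.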
Each tag stores a key kg that is shared with all the other members of the group, and a personal key kt that is used to uniquely authenticate the tag within the group.
When it succeeds, this means that it authenticated the group the queried tag belongs to. The dual property to complexity is privacy. Outside the library, tags can be queried by foreign readers.
This avoids maintaining synchronization between the tag and the system. Note that if we had considered that readers of the library may read foreign tags (held by people in the library), then the complexity would tend toward 2mn, because the system would have to explore the whole database to determine whether or not a tag is owned by the system.
Note that even if tags and readers were able to stay synchronized, for example when the RFID system is deployed in a closed environment, the complexity of OSK cannot be better than that of CR if no additional memory is used. Instead, they use a counter c and apply H only when the counter reaches its upper bound.
Unfortunately, this technique degrades forward privacy, because an adversary who is able to tamper with the tag can trace its last c events in the worst case.
Worse still, the value of the counter is sent to the reader each time the tag is queried, so the tag may be traced using this value, which is not random.
This type of trade-off reduces the amount of work T needed to invert any given value in a set of N outputs of a one-way function E, with the help of M units of memory. The basic idea of time-memory trade-off techniques consists in chaining almost all the possible outputs of E using a reduction function R that generates an arbitrary input of E from one of its outputs. By alternating E and R on a chosen initial value, a chain of inputs and outputs of E can be built. If enough chains of a given length are generated, most outputs of E will appear at least once in some chain.
Given one output r of E that should be inverted, a chain starting at r is generated. If r was part of any stored chain, the end point of that chain will eventually be reached. To ensure a high success rate, several tables have to be generated with different reduction functions.
The exact way of doing this is what differentiates existing trade-off schemes. Scalability Issues in Privacy-Compliant RFID Protocols In what follows, perfect rainbow tables are used because they have been shown to perform better than other types of tables [37]. The characteristic of rainbow tables is that each column of a table has a different reduction function. So, when two chains collide, they do not merge unless they collide at the same position in the chain.
When the residual merged chains are removed during the precomputation step, the tables are said to be perfect. Otherwise, the system would have no advantage over the adversary. Consequently, it is important to choose E such that its input space is as small as possible.
First, the brute-force method of OSK needs n·s units of memory to store the n values s^1_i, while usual brute-force methods do not require any memory.
Thus, it makes sense to measure the amount of memory needed by the trade-off in multiples of n·s. We call c the ratio between the memory used by the trade-off and the memory used by the brute force.
The memory used to store the tables is a multiple of the size of a chain, while it is a multiple of s in the case of the brute force. A stored chain is represented by its start and end point, which can be either the output of E or its input.
In the present case the input is smaller. Second, when used in the trade-off, E is more complex than when used in the brute force. Indeed, in the brute force, the hash chains are calculated sequentially, thus needing just one H and one G calculation at each step. In the trade-off, i and k are arbitrary results of R and have no incremental relation with previous calculations. We can now rewrite the trade-off relation as: From (1), we can compute the time required to identify one tag.
The former value enables the reader to identify the tag, and the latter allows it to detect replay attacks. Since the chains contain arbitrary hashes, we need to generate slightly more than nm hashes to ensure that each hash appears at least once in the tables with high probability. This complexity is reduced by storing intermediate elements of the chains in some part of the memory.
If the set of tags in the system stays the same, the tables only need to be calculated once. If new tags must be added, the tables must be recalculated. Extra tags can be included in the tables, so that they need not be recalculated for every single new tag. Every time the tables are recalculated we can also remove tags that are no longer in use. Typically the tables could be recalculated off-line every night, week, or month.
Keeping m low increases the advantage of the trade-off over the brute-force method. The following procedure can be applied to keep m small. In the database that contains the s^1_i, we can keep track of how many times each tag has been read. We know that the next time we read the tag, the result will be further down the hash chain. If tag i has been read k times, we can thus replace s^1_i by s^k_i in the database when the tables are next recalculated.
Thus m is no longer the number of times a tag is read in its lifetime, but the maximum number of times it is read between two recalculations of the tables, or the maximum number of times it is read by a foreign reader. Note that the adjustment of s^1_i makes both the trade-off and the brute-force method faster, but increases the speed-up factor between the two. Time-memory trade-offs are probabilistic, so there is an arbitrarily small chance that a tag may not be found in the tables because a particular s^k_i is not part of any chain that was generated.
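As an added example (not from the chapter), the following Python implements the trade-off just described for OSK in its simplest form: E maps a pair (i, k) to G(H^k(s^1_i)) and therefore costs k+1 hashes per evaluation, the reduction functions R_j are column-dependent so that colliding chains merge only at equal positions (the rainbow-table property), and a stored chain is only its start and end point. The table is not made perfect, so several starts may share an end point and all of them are checked, which also rules out false alarms. The identification routine falls back to brute force when the table misses a value, and advance_bases implements the replacement of the base secret s^1_i by the secret reached after the k reads recorded for tag i before a recalculation. The parameters (8 tags, m = 8, chain length 6, 24 chains), the reduction function and the tag seeds are choices made here for illustration.

```python
from __future__ import annotations
import hashlib

def G(s: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + s).digest()

def H(s: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + s).digest()

class OSKRainbow:
    """Rainbow-table trade-off that inverts E(i, k) = G(H^k(s^1_i)) back to (i, k)."""

    def __init__(self, s1: dict[int, bytes], m: int, t: int, chains: int):
        self.s1, self.n, self.m, self.t = dict(s1), len(s1), m, t
        self.table: dict[tuple[int, int], list[tuple[int, int]]] = {}  # end point -> start points
        self.covered: set[tuple[int, int]] = set()                      # inputs seen during precomputation
        for c in range(chains):
            start = self.R(hashlib.sha256(b"start-%d" % c).digest(), 0)
            self.table.setdefault(self._walk(start), []).append(start)

    def E(self, p: tuple[int, int]) -> bytes:
        """k+1 hashes: nothing is shared with the previous point of the chain."""
        i, k = p
        s = self.s1[i]
        for _ in range(k):
            s = H(s)
        return G(s)

    def R(self, y: bytes, j: int) -> tuple[int, int]:
        """Column-dependent reduction of a hash onto the input space {0..n-1} x {0..m-1}."""
        x = int.from_bytes(y[:8], "big") + j
        return x % self.n, (x // self.n) % self.m

    def _walk(self, p: tuple[int, int]) -> tuple[int, int]:
        for j in range(self.t):
            self.covered.add(p)
            p = self.R(self.E(p), j)
        return p

    def invert(self, y: bytes) -> tuple[int, int] | None:
        for j in range(self.t - 1, -1, -1):          # guess the column in which y sits
            p = self.R(y, j)
            for jj in range(j + 1, self.t):
                p = self.R(self.E(p), jj)
            for start in self.table.get(p, []):      # rebuild candidate chains; rejects false alarms
                q = start
                for jj in range(self.t):
                    if self.E(q) == y:
                        return q
                    q = self.R(self.E(q), jj)
        return None

def identify(system: OSKRainbow, a: bytes) -> int | None:
    hit = system.invert(a)
    if hit is not None:
        return hit[0]
    for i, s in system.s1.items():                   # fallback for the rare miss: brute force
        for _ in range(system.m):
            if G(s) == a:
                return i
            s = H(s)
    return None

def advance_bases(s1: dict[int, bytes], reads: dict[int, int]) -> dict[int, bytes]:
    """Before recalculating the tables, move each base secret forward by the tag's read count."""
    out = {}
    for i, s in s1.items():
        for _ in range(reads.get(i, 0)):
            s = H(s)
        out[i] = s
    return out
```

Every input recorded in covered during precomputation is guaranteed to be found by invert, since regenerating from the right column reaches the stored end point and the chain is rebuilt from its start; inputs not covered by any chain are the misses the text refers to, and the fallback keeps identification correct at brute-force cost.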
A pragmatic approach to this problem is simply to G. A more deterministic approach would be to keep track of the hash values generated when the tables are calculated and to eliminate the s^1_i for which not all hash values have appeared. We presented several examples of exotic protocols where this complexity problem does not occur.
Unfortunately, all the reader-aided ID-refreshment protocols are weak in terms of untraceability. We then introduce the protocols based on self-refreshment. We show that they are secure in terms of untraceability, but they all suffer from a high computational complexity that prevents their use in large-scale applications. We summarize below their main advantages and drawbacks. First, we consider the storage aspect.
Next, we address the complexity question. Considering the example of the library, one can show that the time required to authenticate one tag is about 62 s with the classical CR and 16, s with OSK. These values show that neither of these two protocols can be used in large-scale applications. The same problem occurs with ABHV, even though it is mitigated in that case. The probability of tracing tags is far from negligible.
However, RFID manufacturers do not seem affected by this problem. The only deployed application we know of that addresses the malicious traceability problem is the e-passport. In this application, the complexity issue is overcome by printing the material needed to generate the key on the passport itself. I am very grateful to both of them. Aigner and M. Secure symmetric authentication for RFID tags. Anderson and M. Low cost attacks on tamper resistant devices. Christianson, B.
Crispo, M. Lomas, and M. Ateniese, J. Camenisch, and B. Untraceable RFID tags via insubvertible encryption. Available Online, 7. A scalable and provably secure hash based RFID protocol. Reducing time complexity in RFID systems. Preneel and S. Avoine 9. Avoine, P. Junod, and P. Time-memory trade-offs: False alarm detection using checkpoints. Avoine, L. Holczer, and I. Group-based private authentication. Optimal key-trees for tree-based private authentication.
Dominikus, E. Oswald, and M. Symmetric authentication for RFID systems in practice. A public key cryptosystem and a signature scheme based on discrete logarithms. Feldhofer, S. Dominikus, and J. Joye and J. Adopting fair information practices to low cost RFID systems.
An RFID bill of rights. Technology Review, October Girault and D. Public key authentication with one online single addition. Universal re-encryption for mixnets. A practical relay attack on ISO proximity cards. Manuscript, February Hancke and M. An RFID distance bounding protocol. A cryptanalytic time-memory trade off. Sandhu and R. Ferscha and F. Minimalist cryptography for low-cost RFID tags. Blundo and S. Juels and J. Soft blocking: Flexible blocker tags on the cheap. De Capitani di Vimercati and P.
Juels and R. Juels and S. Authenticating pervasive devices with human protocols. Juels, R. Rivest, and M. Karjoth and P. Picking virtual pockets using relay attacks on contactless smartcard systems.
Li and R. Nohl and D. Quantifying information leakage in tree-based hash protocols. Making a faster cryptanalytic time-memory trade-off. Peris-Lopez, J. Hernandez-Castro, J. Estevez-Tapiador, and A. November , Springer, Berlin Enhancing privacy of universal re-encryption scheme for RFID tags. Jang, M.
Guo, G. Gao, and N. Physical security devices for computer subsystems: A survey of attacks and defenses. Hutter, G. Stephan, and M. Yang, J. Lee, K. Ren, and K. Mutual authentication protocol for low-cost RFID.

We propose a policy-based dynamic privacy protection framework leveraging globally mobile RFIDs. In this paper, we describe privacy infringements in the mobile RFID service environment and the requirements for personal privacy protection, and develop a privacy protection service based on a user privacy policy.
The proposed framework provides a means for securing the stability of mobile RFID services by suggesting personal-privacy-policy-based access control for personalized tags. This constitutes a technical solution to privacy protection for the mobile RFID service system. The severe resource limitations of current RFID tags and readers make it impossible to apply existing codes and protocols.
Technology for information and privacy protection should be developed, in terms of the general interconnection among the elements of RFID and their characteristics, into technology that meets the RFID circumstances [33-35, 37]. Park, D. Therefore, in this paper we describe a privacy-preserving, enhanced trust-building mechanism that extends the extent to which trust-building service mechanisms for mobile RFID networks can benefit from privacy control and dynamic capabilities.
Figure 1 shows the structure of how a mobile phone communicates with an RFID tag. Figure 2 represents the entities of the mobile RFID service network architecture.
This refers to an information system that reads a tag and records its history, to trace when the tag-attached product was rolled out, how it was distributed, and what processes it went through. Its main purpose is to track objects in supply chain management (SCM). The Object Information Service (OIS) server retains details about a given object, which could be any information. The Web server also offers a variety of content through the HTTP protocol and does not rely on a particular information scheme.
However, the mechanism for accessing the OIS differs from that of other servers. Whereas an existing Web server directly accesses the requested content using a Uniform Resource Locator (URL), an OIS server provides detailed information on a particular product only after receiving its serial number, even if the server holds the same content.
That is, the Web server and the OIS server differ in how they access even the same content. The WAP and Web servers are content servers that provide wireless Internet content such as news, games, music, videos, stock trading, lotteries, images, and so forth. Here, the mobile RFID device driver is the device driver software provided by the reader chip manufacturer [19, 20, 23-25, 29]. A cellular phone requires a common control interface between the various RFID readers and the application or the middleware; to that end, EPCglobal, Inc.
(Figure message steps: 1. Code Query; 3. Content Request.) The code resolution protocol is identical to the DNS protocol. The ODS server in Fig. Finally, the mobile RFID phone requests content or a service from the designated server whose location has been acquired from the ODS server.
The code resolution process follows the DNS model of operation: it starts with the root ODS and then proceeds to the other servers iteratively.
From the point of view of information protection, a serious problem for the RFID service is the threat to privacy [6, 32, 38]. Here, the privacy damage is the exposure of the information stored in tags; the leaked information includes all data about the person possessing the tag, the tagged products, and location.
The privacy protection of an RFID system can be considered from two points of view. One is privacy protection between the tag and the reader, which relies on ID encryption, prevention of location tracking, and countermeasures against tag forgery.
The other is the exposure of what the information server holds about tagged items [26, 40]. First of all, we examine the exposure of information between tag and reader, and then discuss the solution proposed in this paper.
Typical exposures include threats to individual privacy due to unlimited access being granted to an RFID tag owned by a person. Access to the information must be limited to those who need it for an application. An individual RFID tag may also become a means to track and locate its owner. Privacy infringement in the Internet world results from the collection, storage, and use of customer data by companies, but it is more serious in the mobile RFID world in that anyone with an RFID reader can read any information on anyone who carries a tag-attached object.
It is also possible to hack tags, prevent the normal use of tags, or obtain incorrect information from them by altering tag information or using a tag-kill function. The system is also vulnerable to jamming, replay attacks, and covert reading.
In particular, as the mobile RFID service is an end-user service, privacy protection inevitably becomes a serious issue to consider, and as content accessibility increases due to the off-line hypertext property of RFID, authentication for adult services is also likely to become another important issue. The service uses RFID tags, which make the privacy protection issue all the more important.
With an RFID tag, a party with proper equipment can learn where the owner is located, which device the owner is using, and which information the owner is reading, by interpreting the tag codes. However, the passive tags used in mobile RFID services do not support access control on the tag code. In other words, when an open tag is read, the reader can immediately transmit information about the mobile RFID terminal to the application service or content provider through the network of a mobile telecommunication company.
Not only the location data of the person who has a mobile RFID terminal, but also how often and in which way the person collects that information, and which information the person tends to access, can be collected by the application service or content provider.
Therefore, privacy protection must be ensured for the owners of tag-attached objects who need to keep using RFID services. For example, privacy protection may be provided through the RPS system. Through an interface with the RPS service, the mobile RFID service can allow individual users to select and modify their privacy protection levels. When privacy protection is enabled by the RPS system, the user data contained in the RFID tag shall include the default privacy level that was assigned at the time of the privacy impact evaluation.
The mobile RFID reader shall provide a default privacy level when negotiating the content to allow access by the application server. Approach of privacy level: this technology is intended to prevent the infringement of privacy, or the random acquisition of personal information, by those with RFID readers from those carrying RFID-attached objects in the mobile RFID environment, except where this takes place in companies or retail shops that try to collect personal information.
There are many ways to interfere with RFID systems, and these are not only established theoretically but also feasible in practice. Such an environment requires proper security technologies. There are seven standards in the ISO series, as follows: ISO and ISO are international standards that regulate the RFID of animals, which is usually accomplished by implanting, introducing, or attaching a transponder containing a microchip to an animal.
ISO specifies the structure of the identification code, including the transponder data transmission method and the reader specification, working on ISO specifies how a transponder is activated and how the stored information is transferred to a transceiver. RFID tags from different manufacturers can be read using a common reader according to this standard. Moreover, the transponder size is not specified in the standard, so it can be designed in a variety of shapes to suit different animals, such as glass tubes, ear tags, or collars.
They are close-range reading protocols. The main difference between Type A and Type B lies in their modulation, coding schemes, and anti-collision methods.
Type A: strong anti-interference ability but poor power stability; mainly used in transportation, urban access cards, bus cards, and small stored-value payment cards, with a high market share. Type B: good stability and high security, but relatively vulnerable to external environmental interference. Because its encryption coefficient is relatively high, it is more suitable for CPU cards and is generally used for ID cards, passports, bank cards, etc.
This book includes coverage of fundamentals, security protocols and techniques, and hardware implementations of cryptographic algorithms dedicated to RFID. The book is written for those interested in wireless networks and mobile communications, especially researchers and engineers interested in communications as they relate to RFID security.
Editors: Paris Kitsos, Yan Zhang. The first book to comprehensively cover RFID security issues and solutions. Provides a reference for engineers to develop efficient security algorithms in practical RFID systems. Provides a comprehensive reference on state-of-the-art technologies for RFID security. Details the hardware implementation of the algorithms and protocols in RFID security. Allows easy cross-referencing via the broad coverage of a variety of security issues and solutions.