Low-Cost Untraceable Authentication Protocols for
RFID
Yong Ki Lee, Lejla Batina,Dave Singelée, Ingrid
Verbauwhede
BCRYPT workshop on RFID SecurityFebruary 5, 2010, Leuven
Outline of the talk Challenges in RFID networks
Security problems Privacy problems
Cryptographic building blocks ECC-based authentication protocols Search protocol Hardware architecture Conclusion
RFID technology
Radio Frequency Identification as we explain it to Dave’s tech-savvy grandmother:
1. Passive tag2. Battery assisted (BAP)3. Active tag with onboard power source
RFID applications Asset tracking Barcode replacement RFID passports Mobile credit card payment systems Transportation payment systems Sporting events (timing / tracing) Animal identification …
RFID security problems (I)
Impersonation attacks Genuine readers Malicious tags
=> Tag-to-server authentication
RFID security problems (II)
Eavesdropping Replay attacks Man-in-the-middle attacks Cloning Side-channel attacks …
RFID privacy problems (I)
[A. Juels. RSA Laboratories]
Mr. Jones in 2020
RFID privacy problems (II)
[A. Juels. RSA Laboratories]
Mr. Jones in 2020
Wigmodel #4456 (cheap polyester)
Das Kapital and Communist-
party handbook
1500 Eurosin wallet
Serial numbers:597387,389473
…30 items of lingerie
Replacement hipmedical part #459382
RFID privacy problems (III) RFID Privacy problem
Malicious readers Genuine tags
=> Untraceability
RFID privacy problems (IV)
Untraceability Inequality of two tags: the (in)equality
of two tags must be impossible to determine
Theoretical framework of Vaudenay [ASIACRYPT ‘07]: Narrow vs wide privacy Weak vs strong privacy
Cryptographic authentication protocol
Tag proves its identity Security (entity authentication) Privacy
Challenge-response protocol
Reader Tag
Challenge
Response
Technological requirements Scalability Implementation issues
Cheap implementation Memory Gate area
Lightweight Efficient
=> Influence on cryptographic building blocks
Implementation cost Symmetric encryption
AES: 3-4 kgates
Cryptographic hash function SHA-3: 10 – 30 kgates)
[ECRYPT II: SHA-3 Zoo]
Public-key encryption Elliptic Curve Cryptography (ECC): 11-15 kgates
=>Public key cryptography is suitable for RFID
ECC-based authentication protocols
Rely exclusively on ECC !!! Wide-strong privacy Two sub-modules
ID-transfer scheme Pwd-transfer scheme
Combination => 3 protocols Computational requirements Security requirements
System parameters
16
Example: Secure ID Transfer
Server: y
Tag: x1, Y=yP
T1
T2
rt1 € Z T1← rt1 P
rs1 € Z
T2←( rt1 + x1)P
(y-1T2 – T1) ( ) -1= x1P
1sr
1s
r
1s
r
ID-transfer scheme (protocol 1)
ID + Pwd-transfer scheme (protocol 3)
Search protocol (I) Linear search: scalability issues Search for one particular tag Design requirements:
One-round authentication Dedicated authentication Security against replay attacks Wide-weak privacy
Combine with ECC-based authentication protocol
Search protocol (II)
Hardware architecture
Performance comparison
Circuit Area (Gate Eq.) 14,566
Cycles for EC point multiplication
59,790
Frequency 700 KHz
Power 13.8 µW
Energy for EC point multiplication
1.18 µJ
Conclusion
Security & privacy in RFID networks Challenging research problem Public-key cryptography is suitable
for RFID tags ECC hardware implementation Wide-strong authentication protocols Search protocol
Questions??
EXTRA SLIDES
Pwd-transfer scheme
ID + Pwd-transfer scheme (protocol 2)