1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key...
-
date post
19-Dec-2015 -
Category
Documents
-
view
214 -
download
1
Transcript of 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key...
![Page 1: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/1.jpg)
1
Dynamic Key-Updating: Privacy-Preserving Authentication for
RFID Systems Li Lu, Lei Hu
State Key Laboratory of Information Security, Graduate School of Chinese
Academy of Sciences Jinsong Han, Yunhao Liu, and Lionel M. Ni
Dept. of Computer Science and Engineering, Hong Kong University of
Science and Technology
![Page 2: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/2.jpg)
2
Why Privacy in RFID?
RFID (Radio Frequency Identification) has been very popular
TagReaderMost important usage
Identifying valid users or entities
A tag is attached
Bob’s car
![Page 3: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/3.jpg)
3
Basic Identification Procedure
iTReader Tag(1) Request
(2) IDiT
![Page 4: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/4.jpg)
4
A tag is attached
Bob’s car
However…
Automatic response Silent scanning
Adversary
I found Bob.
![Page 5: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/5.jpg)
5
Motivation
Concerns regarding RFID privacyAn attacker can’t determine which tag he is accessing and can’t get any information about the tag’s owner.
In ShortPrivate authentication
Keeping private information (ID, Name,…)Authenticating valid users
![Page 6: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/6.jpg)
6
Introducing Encryption into RFID
iTReader Tag(1) {Request,
P}
(2) {ID , P}KiT
K
Key-Searching
![Page 7: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/7.jpg)
7
Linear Key-Searching
iT
)(Pfik -- keyed one-way function
P -- a random number -- key shared by reader and tag
Reader Tag
ik
(1) Request, P
(2) )(, PfEPik
(3) searches the key space of all tags for a key
jjkK }{EPf
jk )(
Key-searching is linear search, O (n). Thus it is not practical in large scale systems.
k1 k2 kn..
![Page 8: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/8.jpg)
8
1,1k 2,1k
1,2k2,2k 3,2k 4,2k
1,3k 2,3k 3,3k 4,3k 5,3k6,3k
7,3k 8,3k
1T 2T 3T 4T 5T 6T 7T 8T
A binary key tree with eight tags
,),,( 4,32,21,1 kkk 4T
Tree-based Key-searching
![Page 9: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/9.jpg)
9
Authentication of Tree-based Protocols
1 Request, r
1 Nonce, r 2 Nonce, r
Reader Tag iT
),,(),,,(),,,(, 2132122112 rrkhrrkhrrkhr iii
Identification:
1T 2T 3T 4T 5T 6T 7T 8T
4T1,1k 2,1k
1,2k 2,2k
3,3k 4,3k
Compute ),,( and ),,( 212,1211,1 rrkhrrkh
),,( with comparethen 211 rrkh i
Compute ),,( and ),,( 212,2211,2 rrkhrrkh
),,( with comparethen 212 rrkh i
Compute ),,( and ),,( 214,3213,3 rrkhrrkh
),,( with comparethen 213 rrkh i
O(logn)
![Page 10: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/10.jpg)
10
Drawbacks:No forward security.Vulnerable to compromising attack.
Requires Key Updating
1,1k 2,1k
1,2k2,2k 3,2k 4,2k
1,3k 2,3k 3,3k 4,3k 5,3k6,3k
7,3k 8,3k
1T 2T 3T 4T 5T 6T 7T 8T
![Page 11: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/11.jpg)
11
Requirement of Key-Updating
Challenging issues:No interruption during authenticationAutomatically updating keys
We use two techniques to keep the consistency of key-updating: temporary key and state bit.
![Page 12: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/12.jpg)
12
Our Protocol: SPATemporary keys are used to store old
keys. State bits are used to record the key-updating status of nodes in the sub-trees.
0k
1,1k2,1k
1,2k 2,2k 3,2k 4,2k
1T 2T 3T 4T
0tk
1,1tk2,1tk
ls0rs0
ls 1,1rs 1,1
ls 2,1rs 2,1
For example: Temporary KeyState bit
![Page 13: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/13.jpg)
13
An Example of Key-Updating
4,2k
0 0 0 0
0 0
1 1
1
00
0k
1,1k 2,1k
1,2k2,2k 3,2k
1T 2T 3T 4T
0tk
1,1tk 2,1tkUsing , and to identify
0k 1,1k 1,2k1T
Using , and to identify
0k 1,1k 2,2k2T
)( 1,21,2 khk
Using , and to identify
0k 1,1tk 1,2k1T
The ’s second identification
1T
1
The ’s identification1TThe ’s identification
2T
)( 1,11,1
1,11,1
khk
ktk
)( 2,22,2 khk
Authentication:Basic tree-based identificationKey updating
Authentication sequence: T1, T2, T1
![Page 14: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/14.jpg)
14
New Tag Joining
20s
10s
ls 1,1rs 1,1 ls 2,1
rs 2,1ls 3,1
rs 4,1
30s New subtree00 ,tkk
1,11,1 ,tkk2,12,1 ,tkk
3,13,1 ,tkk
1,2k 2,2k 3,2k 4,2k
1T 2T 3T 4T5,2k
5T6,2k
![Page 15: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/15.jpg)
15
Tag Leaving
T1 T2 T4
20s
10s
ls 1,1rs 1,1 12,1 ls rs 2,1
k2,1 k2,2 k2,3 k2,4
k0, tk0
k1,1, tk1,1 k1,2, tk1,2
T5
ls 3,1
rs 4,1
k2,5 k2,6
30s
k1,3, tk1,3
![Page 16: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/16.jpg)
16
Which key is used?
Which keys is used?
1,1k
2,2k
3,3k 4,3k
1T 2T 3T 4T 5T 6T 7T 8T
1,1k1,1tk
2,2k 2,2tk
3,3k 4,3k
0k 0tk
Compromising Attack Resistance
![Page 17: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/17.jpg)
17
Security Analysis
Property\ProtocolStatic tree-
based approaches
Our design
Privacy Yes Yes
Untraceability Yes Yes
Cloning resistance Yes Yes
Forward security No Yes
![Page 18: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/18.jpg)
18
0 20 40 60 80 1000
0.2
0.4
0.6
0.8
1
Branching Factor
Co
rre
late
d-e
xpo
sin
g p
rob
ab
ility t=20,Static tree
t=20,SPAt=200,Static treet=200,SPA
Exposing Probability Comparison(Under Compromising Attack)
Each non-leaf node has 2 keys (1 working key and 1 temporary keys).
![Page 19: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/19.jpg)
19
0 2 4 6 8 100
500
1000
1500
2000
Tag accessing Frequency
Ke
y-U
pd
atin
g L
ate
ncy
( s
)
Upper boundSPALower bound
Key-Updating Latency
Each key updating needs less than 2 ms when the tag accessing frequency does not exceed 10 times per
second.
![Page 20: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/20.jpg)
20
Conclusion
By using dynamic key-updating scheme, SPA enhances the security of existing RFID private-authentication protocols.SPA is lightweight. The authentication efficiency is logarithmic and the key-updating latency is acceptable.SPA can effectively defend against both passive and active attacks including compromising attack.
![Page 21: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/21.jpg)
21
![Page 22: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/22.jpg)
22
Authentication
To protect reader from forged tags.Only authorized reader can read valid tags.
Is the tag which I am reading valid?Is the reader which scans tags authorized?
![Page 23: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/23.jpg)
23
However…
Authorized reader may be cheated by forged tags.A cloning tag may insert into a system while not be notified.A malicious reader can read the content in a tag easily.The goal of authentication: only authorized readers can get the content in valid tags, while private information would not be leaked if there exist dishonest entities.
![Page 24: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/24.jpg)
24
Private Authentication
Tradeoff between privacy and authentication:
Privacy is to hide the identity of RFID tag.Authentication needs to know the identity of tag before tag being authenticated.
Private authentication is to hide the identity of a tag in authentication procedure:
Reader identifies a tag at the end of authentication.
![Page 25: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/25.jpg)
25
System Initialization
The reader assigns the N tags to N leaf nodes in a balanced binary tree S. Each non-leaf node j in S is assigned with two keys, a working key and a temporary key .Initially, each key is generated randomly and independently by the reader, and for all non-leaf nodes. When a tag is introduced in the system, the reader distributes the keys from the root to a leaf node to this tag. for a non-leaf node j at the path, if , tag is assigned .
jkjtk
jj ktk
jj ktk jk
![Page 26: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/26.jpg)
26
Mutual Authentication Procedure
1 Nonce, r 2 Nonce, r
Reader iTTag
1 Request, r
),,(),...,,,(),,,(, 212122102 rrkhrrkhrrkhr id
ii
ationSynchroniz ,
Updating keys
Identifying iT
Computing),,( 21 rrkh i
d
Checking Updating keys
![Page 27: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/27.jpg)
27
Tag Identification
The tag identification procedure is similar to the previous tree-based approaches.The differences:
For each non-leaf node included in the identification, the reader uses not only the working key k, but also the temporary key tk. If some of the keys stored in a tag are temporary keys, the reader will record the level information of these keys in the synchronization message to inform the tag updating these keys.
![Page 28: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/28.jpg)
28
Key-updating Rules
Use hash function h to generating a new key.Let be the old key for node jA new key
To remain consistent, the non-leaf node j uses temporary key to store j’s old key. Use state bits to note the key state of non-leaf node j’s children nodes. 1 for having been updated, otherwise 0.If keys in all j’s children have been updated, j updates itself.
jk)('
jj khk
jtk
![Page 29: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/29.jpg)
29
Three Key Parameters
the correlated-exposing probability is mainly determined by three key parameters:
t, the number of compromised tags; , the branching factor of the key tree;a, the number of keys belonging to each non-leaf node
![Page 30: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/30.jpg)
30
A new tag joining
20s
10s
ls 1,1rs 1,1 ls 2,1
rs 2,1ls 3,1
rs 4,1
30s New subtree00 ,tkk
1,11,1 ,tkk2,12,1 ,tkk
3,13,1 ,tkk
1,2k 2,2k 3,2k 4,2k
1T 2T 3T 4T5,2k
5T6,2k
![Page 31: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/31.jpg)
31
Tag leaving
T1 T2 T4
20s
10s
ls 1,1rs 1,1 12,1 ls rs 2,1
k2,1 k2,2 k2,3 k2,4
k0, tk0
k1,1, tk1,1 k1,2, tk1,2
T5
ls 3,1
rs 4,1
k2,5 k2,6
30s
k1,3, tk1,3
![Page 32: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/32.jpg)
32
Linear Key-Searching
iT
)(Pfik -- keyed one-way function
P -- a nonce -- key shared by reader and tag
Reader Tag
ik
(1)
(1) Request, P
(2)
(2) )(, PfEPik(3) searches the key sp
ace of all tags for a key s.t.
jjkK }{EPf
jk )(
Key-searching is linear search, O (n). Thus it doesn’t fit large scale systems.
k1 k2 kn..
![Page 33: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/33.jpg)
33
Prototype Implementation
We have implemented the our design on 40 Mantis™-series 303 MHz asset tags and a Mantis™ II reader manufactured by RF Code. The back-end database is implemented on a desktop PC with the following configurations: Pentium M 3.2G dual core CPU, 1GBytes memory, and 40G hard disk. We use the SHA-1 algorithm as the secure hash function the system is able to maintain up to tags
202N
![Page 34: 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.](https://reader030.fdocuments.us/reader030/viewer/2022032800/56649d395503460f94a13937/html5/thumbnails/34.jpg)
34
0 20 40 60 80 1000
0.2
0.4
0.6
0.8
1
Branching Factor
Co
rre
late
d-e
xpo
sin
g p
rob
ab
ility t=20,Static tree
t=20,SPAt=200,Static treet=200,SPA
Comparison of Static Protocols (under compromising attack)
Each none-leaf node has 2 keys (1 working key
and 1 temporary keys).
0 20 40 60 80 1000
0.2
0.4
0.6
0.8
1
Branching Factor C
orre
late
d-ex
posi
ng p
roba
bilit
y t=20,Static treet=20,SPAt=200,Static treet=200,SPA
Each none-leaf node has 5 keys (1 working key and 4
temporary keys).