A Scalable and Provably Secure Hash-Based RFID Protocol

Similar documents
Rainbow Tables ENEE 457/CMSC 498E

Loop-abort faults on supersingular isogeny cryptosystems

Authentication. Chapter Message Authentication

Identifying multiple RFID tags in high interference environments

Time-memory Trade-offs for Near-collisions

All-Or-Nothing Transforms Using Quasigroups

Lecture 4: DES and block ciphers

Cryptography and Security Final Exam

Lecture 1: Introduction to Public key cryptography

Polynomial Selection. Thorsten Kleinjung École Polytechnique Fédérale de Lausanne

A block cipher enciphers each block with the same key.

Fraud within Asymmetric Multi-Hop Cellular Networks

Square Always Exponentiation

Cracking Passwords with Time-memory Trade-offs. Gildas Avoine INSA Rennes (France), UCL (Belgium)

A Forgery Attack on the Candidate LTE Integrity Algorithm 128-EIA3 (updated version)

Physically Unclonable Functions

Anonymous Proxy Signature with Restricted Traceability

Cryptography and Security Final Exam

8.5. Applications of Electric and Magnetic Fields. RFID Chips

Cryptanalysis of the Algebraic Eraser

Asymmetric Encryption

Cryptographic Hash Functions

Vulnerability Analysis of a Mutual Authentication Scheme under the EPC Class-1 Generation-2 Standard

Quantum Algorithms. Andreas Klappenecker Texas A&M University. Lecture notes of a course given in Spring Preliminary draft.

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

A Security Proof of KCDSA using an extended Random Oracle Model

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Proactive Threshold Cryptosystem for EPC Tags

New Attacks on the Concatenation and XOR Hash Combiners

Breaking Plain ElGamal and Plain RSA Encryption

Introduction to Cybersecurity Cryptography (Part 4)

Contents. ID Quantique SA Tel: Chemin de la Marbrerie 3 Fax : Carouge

Foundations of Network and Computer Security

8 Elliptic Curve Cryptography

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

Introduction to Cybersecurity Cryptography (Part 4)

Cryptographic Hashing

New Preimage Attack on MDC-4

ENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions

CPSC 467: Cryptography and Computer Security

Proactive Threshold Cryptosystem for EPC Tags

Practical Attacks on HB and HB+ Protocols

CORRECTNESS OF A GOSSIP BASED MEMBERSHIP PROTOCOL BY (ANDRÉ ALLAVENA, ALAN DEMERS, JOHN E. HOPCROFT ) PRATIK TIMALSENA UNIVERSITY OF OSLO

MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer

Activity Mining in Sensor Networks

Pruning and Extending the HB + Family Tree

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

ECM at Work. Joppe W. Bos 1 and Thorsten Kleinjung 2. 1 Microsoft Research, Redmond, USA

AN EFFICIENT GOLAY CODEC FOR MIL-STD A AND FED-STD-1045 ERIC E. JOHNSON NMSU-ECE FEBRUARY 1991

Solution of Exercise Sheet 7

IGBT V CES T j =25 C 1200 V I C T c =25 C 1110 A T j = 175 C T c =80 C 853 A I Cnom 600 A I CRM I CRM = 3xI Cnom 1800 A V GES

Time/Memory Tradeoffs

SIMATIC Ident Industrial Identification Systems

Provable Security in Symmetric Key Cryptography

Foundations of Network and Computer Security

Activity Identification from GPS Trajectories Using Spatial Temporal POIs Attractiveness

ECM at Work. Joppe W. Bos and Thorsten Kleinjung. Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland 1 / 14

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

We are going to discuss what it means for a sequence to converge in three stages: First, we define what it means for a sequence to converge to zero

Cryptography in a quantum world

Lecture 11: Key Agreement

Multiparty Computation

Public Key Cryptography

An Overview of Homomorphic Encryption

Lecture 38: Secure Multi-party Computation MPC

Lecture 14: State Tables, Diagrams, Latches, and Flip Flop

STRIBOB : Authenticated Encryption

Introduction to Cryptography. Lecture 8

Alternative Approaches: Bounded Storage Model

New attacks on Keccak-224 and Keccak-256

s 1 if xπy and f(x) = f(y)

Cryptanalysis of the SIMON Family of Block Ciphers

Today s Topics. Methods of proof Relationships to logical equivalences. Important definitions Relationships to sets, relations Special functions

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

RSA-OAEP and Cramer-Shoup

These are special traffic patterns that create more stress on a switch

Noisy channel communication

Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings

IMPERIAL COLLEGE OF SCIENCE, TECHNOLOGY AND MEDICINE UNIVERSITY OF LONDON DEPARTMENT OF ELECTRICAL AND ELECTRONIC ENGINEERING EXAMINATIONS 2005

A Note on Linear Approximations of BLUE MIDNIGHT WISH Cryptographic Hash Function

Detecting Wormhole Attacks in Wireless Networks Using Local Neighborhood Information

arxiv: v1 [cs.cr] 22 May 2014

CPSC 467: Cryptography and Computer Security

Observations on Linear Key Predistribution Schemes and Their Applications to Group Deployment of Nodes

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Mersenne factorization factory

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Divisible E-cash Made Practical

School of Computer Science and Electrical Engineering 28/05/01. Digital Circuits. Lecture 14. ENG1030 Electrical Physics and Electronics

Quantum Communication

ARMADILLO: a Multi-Purpose Cryptographic Primitive Dedicated to Hardware

Supporting Information

Stream ciphers. Pawel Wocjan. Department of Electrical Engineering & Computer Science University of Central Florida

Weaknesses in New Ultralightweight RFID Authentication Protocol with Permutation RAPP

Models and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5

Transcription:

PerSec 05 A Scalable and Provably Secure Hash-Based RFID Protocol EPFL, Lausanne, Switzerland ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE

Outline A Brief Introduction to the RFID Technology

A Brief Introduction to the RFID Technology

RFID Systems Radio Frequency Identification: Identification of objects remotely by embedding in these objects tiny devices (tags) capable of transmitting data tag database reader tag reader tag tag

Capabilities of the Tags communication distance current trend storage computation nothing xor symmetric asymmetric The boom which RFID technology is enjoying today relies essentially on the willingness to develop small and cheap RFID tags

Examples of Applications Management of stocks Pets identification Localization of people Libraries Speed up the checkouts in the shops Recycling Anti-counterfeiting Sensor networks

Traceability Issue The main security issue of the RFID technology is the traceability of people according to the tags they carry Easier to trace people using the RFID technology than other technologies because tags cannot be switched-off and can be almost invisible Moreover, it is easy to automatically analyze the logs of the readers and the trend is to increase the communication distance

Traceability Definitions Traceability: Given a set of readings between tags and readers, an adversary must not be able to find any relation between any readings of a same tag or set of tags Forward traceability: Given a set of readings between tags and readers and given the fact that all information stored in the involved tags has been revealed at time t, the adversary must not be able to find any relation between any readings of a same tag or set of tags that occurred at a time t t An RFID protocol should be such that an authorized party is able to identify a tag while an adversary should not able to trace it

Protocol Sketch System Adversary request information Tag From this information, the system is able to identify the tag Adversary should neither be able to identify the tag nor to track it Information needs to be randomized

Setup Each tag needs 2 hash functions G and H (in theory) Each tag needs an EEPROM capable of storing an identifier The personalisation of a tag T i consists in storing in its memory a random identifier si 1, which is also recorded by the database of the system Thus, the database initially contains the set {s 1 i 1 i n}

Interrogation of the Tag Reader Tag r k i r k+1 i r k+2 i G G G si k H si k+1 H s k+2 Identification k Identification k + 1 Identification k + 2 i

Identification by the System From each n initial identifiers si 1, the system computes the hash chains until it finds ri k or until it reaches a given maximum limit m on the chain length s 1 1 r 1 1 r 2 1 r m 1 1 r m 1 s 1 2 r 1 2 r 2 2 r m 1 2 r m 2 si 1 ri k = G(H k 1 (si 1)) r i m s 1 n r 1 n r 2 n r m 1 n r m n

Complexity Analysis The average complexity in terms of hash operation is mn (if the tag is owned by the system) because two hash operations are carried out mn/2 times Example: in a library, we consider 2 20 tagged books The length of the hash chains is 2 10 We assume that the system can carry out 2 24 hash operations per second The storage complexity is 16 megabytes and the average computation complexity is 2 30 ie 1 minute

General Concept The general idea of time-memory trade-offs is to reduce the time complexity by adding memory (or the inverse) Example: exhaustive search on a one-way function F : X X in order to find preimages N := X Extreme cases: Storage: 0 Pre-computation: 0 On-line computation: N Storage: N Pre-computation: N On-line computation: 0

Hellman s Trade-Off x 1 F x2 F F xm F x m+1 F F x2m F x 2m+1 F F x3m F Only the first and the last element of each chain is stored Given one output x i of F that we need to invert, we generate a F F F chain starting at x i : x i xi+1 xi+2 Each time we compute a new element, we check whether or not it is the end of a chain in the table We can then regenerate the complete chain and find x i 1

Reduction Function In practice, inputs and outputs of F are not in the same set X but F : X Y We need a reduction function R: Y X that generates an arbitrary input of F from one of its outputs x 1 F y1 R x2 F F ym R x m+1 F R F F y2m R x 2m+1 F R F F y3m R The computation time is T to = N 2 γ/m 2 where γ is a small factor depending on the probability of success and the particular type of trade-off being used [Oech03]

Function F suited to OSK In our case the function F is F : (i, k) r k i = G(H k 1 (s 1 i )) where 1 i n and 1 k m F is more complex than usual trade-offs because it is not a simple hash function: i and k are arbitrary results from R and we need m/2 + 1 hash operations to compute F (i, k) We need to store the n values s 1 i in order to compute F We can optimize by storing intermediate elements of the chain, sacrificing so memory but reducing the average complexity of F

Function R suited to OSK We need an arbitrary reduction function R, R : r k i (i, k ) where 1 i n, 1 k m For example, we take r R(r) = (1 + (r mod n), 1 + ( mod m)) n

Memory Since the brute force method needs n units of memory to store the n initial identifiers si 1, the amount of memory used by the trade-off is measured as a multiple c of this required memory 2( n + m ) bits are required to store one chain while s bits per chain of identifiers are needed in the brute force approach The conversion factor is µ = s /(2 n + 2 m ) We have : T to ( ) 3m 3 γ 2c µ 2 and T bf T to ( ) 2c 3 µ 2 n 3 m 2 γ

Example: Library Number of tags: n = 2 20 Hash-chain length: m = 2 10 Output length of F : s = 128 Storing 2 chains required less memory than storing one s: µ 2 Single back-end with 1 GB of memory: c = 64 We choose a success rate of 999%: γ = 8 T to ( 3m 2c ) 3 γ µ 2 ie 00016 seconds T precalc nm2 2 ie 10 hours

Conclusion 70 60 50 40 brute-force trade-off T 30 20 10 0 2 3 4 5 6 7 8 c

Website More information on Security and Privacy in RFID Systems

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback