Privacy Models for RFID Authentication Protocols

Transcription

1 Prvacy Models for RFID Authentcaton Protocols Jan Shen 1,2, Jn Wang 1,2, Yuan Me 1,2, Ilyong Chung 3 1 Jangsu Engneerng Center of Network Montorng, Nanjng Unversty of Informaton Scence &echnology, Nanjng,210044,Chna 2 School of Computer & Software, Nanjng Unversty of Informaton Scence &echnology, Nanjng, , Chna 3 Department of Computer Engneerng, Chosun Unversty, Gwangju, , South Korea E-mal: s_shenjan@126.com Abstract. Prvacy s a major concern n RFID systems, especally wth wdespread deployment of wreless enabled nterconnected personal devces. In ths paper, we consder prvacy ssues n RFID systems where the authorzed readers must be able to dentfy tags wthout an adversary beng able to trace them, and provde a formal securty model for prvacy n RFID system. Under ths model, we analyze the recently proposed RFID authentcaton protocol named anonymous RFID authentcaton protocol and show attacks on them that compromse the prvacy. Keywords: Prvacy, RFID, authentcaton, untraceablty, de-synchronzaton. 1 Introducton A passve rado-frequency dentfcaton (RFID) tag s a mcrochp that s capable of transmttng a statc dentfer or seral number for a short dstance. It s typcally actvated by a query from a nearby reader, whch also transmts power for the operaton of the tag. Nowadays, RFID s used n a wde varety of applcatons, from the small plaques mounted on car wndshelds for the purpose of automated toll payment to the theft-detecton tags attached n shops to consumer goods, and the proxmty cards used to control physcal access to buldngs. Prvacy s a sgnfcant concern that needs to be addressed n terms of tag anonymty and tag untraceablty when RFIDs are to be as wdely deployed as conceved by proponents. ag anonymty requres that the tag ID should be kept anonymous n order to solve the problem of leakng nformaton pertanng to the user belongngs. ag untraceablty requres that the output of the tag should not be constant n order to avod adversary trackng. If the output of the tag s fxed, the adversary can easly track the tag. In addton, n the worst case,.e., secret nformaton n the tag can be obtaned by an adversary due to the tag beng not the he correspondng author ICS 2013, ASL Vol. 25, pp , 2013 SERSC

2 Proceedngs, he 2nd Internatonal Conference on Informaton echnology and Computer Scence tamper-resstant hard-ware, forward securty s requred for preventng an adversary from trackng the past events. In ths paper, we focus on provdng a securty model for solvng the above prvacy ssues and analyzng the recently proposed RFID authentcaton protocol named anonymous RFID authentcaton protocol [1] by Shen et.al. n order to show ts vulnerablty. Untl now, a rgorous treatment of prvacy for RFID models s stll beng developed. It s worth notng that some famous models have already been proposed by Avone [2], Juels and Wes [3], Le Burmester and de Mederos [4], and Vaudenay [5]. Recently, Cosel et.al. revst the prvacy models for RFID, and present the advantages and dsadvantages of the RFID prvacy models. It s worth notng note these models dffer manly n ther treatment of the adversary s ablty to corrupt tags. In ths paper, our model s based on Juels-Wes model and allows the adversary to corrupt tags to obtan the secret nformaton. he rest of ths paper s organzed as follows: In the followng secton, some related works are brefly ntroduced. A securty model for prvacy s descrbed n detal n Secton 3. Securty analyss of the anonymous RFID authentcaton protocol s presented n Secton 4. Fnally, the conclusons of ths paper are covered n Secton 5. 2 Related Works he success of RFID tag mplementatons depends on addressng prvacy and securty ssues surroundng the use of RFID tags. People always hope that ther prvacy and securty are able to be protected. However, a majorty of exstng RFID tag mplementatons are not secure, even though the RFID technology ncreases the safety of food and drugs through proper montorng and counterfet preventon. hese tags can broadcast nformaton about ther presence so that an adversary can slently track and montor the presence of an RFID tag from a dstance wthout the knowledge of the person holdng the tagged object [6]. Lots of researches focus on desgnng authentcaton protocols n RFID-tagged systems to protect the prvacy and securty of the use of RFID tags. Interested readers can refer to recent survey papers [7] for more detals. Many smple challenge-response protocols have been proposed. he Ohkubo- Suzuk-Knoshta protocol (OSK) [8] made forward prvacy possble. A few attempts have been made to really formalze prvacy n RFID protocols. One of the frst attempts was made by Avone [2]. Followng ther model, prvacy s formalzed by the ablty to dstngush two known tags. Juels and Wes [3] extended ths model usng sde-channel nformaton and makng the two target tags chosen by the adversary. Another model was proposed by Burmester and de Mederos [4]. Our securty model s defned based on Juels and Wes model. Recently, Shen et.al proposed an anonymous RFID authentcaton protocol [1]. However, under the well defned securty model below, t s vulnerable to actve attacks and volates the prvacy requrements. 392

3 Prvacy Models for RFID Authentcaton Protocols 3 Securty Model and Defntons 3.1 Model Communcaton between readers and tags s provded va a wreless network, upon whch thrd partes can easly eavesdrop and whch s easly cut or dsturbed. A protocol party s a ags or R Readers nteractng n protocol sessons as per the protocol specfcatons untl the end of the sesson upon whch each party outputs Accept f t feels the protocol has been normally executed wth the correct partes. Adversary A controls the communcatons between all protocol partes (tag and reader) by nteractng wth them as defned by the protocol, formally captured by A s ablty to ssue queres of the followng form: Execute(R,, ) query. hs models passve attacks, where adversary A gets access to an honest executon of the protocol sesson between R and by eavesdroppng. Send(U 1, U 2,, m) query. hs query models actve attacks by allowng the adversary A to mpersonate some reader U 1 n some protocol sesson and send a message m of ts choce to an nstance of some tag U 2. It s worth notng that U 1 can also be tag and U 2 can be reader. Corrupt(, K) query. hs query allows the adversary A to learn the stored secret K of the tag, and whch further sets the stored secret to K. It captures the noton of forward securty or forward prvacy and the extent of the damage caused by the compromse of the tag s stored secret. est(u, ) query. hs query s the only query that does not correspond to any of A s abltes or any real-world event. hs query allows to defne the ndstngushabltybased noton of untraceable prvacy (UPrv). If the party has accepted and s beng asked a est query, then dependng on a randomly chosen bt b {0, 1}, A s gven b from the set { 0, 1 }. Informally, A succeeds f t can guess the bt b. In order for the noton to be meanngful, a est sesson must be fresh, whch means the party has not been sent a Corrupt query. 3.2 Prvacy Defnton It s worth notng that anonymty can be easly acheved, so we defne the untraceablty n detal here. Defnton 1 (RFID Untraceable Prvacy) Untraceable prvacy (UPrv) s defned usng the game G played between a malcous adversary A and a collecton of reader and tag nstances. A runs the game G whose settng s as follows. 393

4 Proceedngs, he 2nd Internatonal Conference on Informaton echnology and Computer Scence Phase 1 (Learnng): A s able to send any Execute, Send, and Corrupt queres at wll. Phase 2 (Challenge): 1. At some pont durng G, A wll choose a fresh sesson on whch to be tested and send a est query correspondng to the test sesson. Note that the test sesson chosen must be fresh, whch means the party has not been sent a Corrupt query. Dependng on a randomly chosen bt b {0, 1}, A s gven b from the set { 0, 1 }. 2. A contnues makng any Execute, Send, and Corrupt queres at wll, subjected to the restrctons that the partes have not been sent Corrupt queres. Phase 3 (Guess): Eventually, A termnates the game smulaton and outputs a bt b, whch s ts guess of the value of b. he success of A n wnnng G and thus breakng the noton of UPrv s quantfed n terms of A s advantage n dstngushng whether A receved 0 or 1. It means that A correctly guesses the value of b. hs s denoted by Adv UPrv A ( k ) where k s the securty parameter. We conclude that an RFID authentcaton protocol wth securty parameter k s untraceable prvate f: UPrv 1 1 AdvA ( k) = Pr[ A wn] = Pr[ b' = b] 1/ poly( k), 2 2 where 1/poly(k) denotes a neglgble functon, whch can also be expressed as ε(k). 4 Securty Analyss of the Anonymous RFID Authentcaton Protocol 4.1 Revew of the Anonymous RFID Authentcaton Protocol he anonymous RFID authentcaton protocol proposed by Shen et.al [1] s depcted n Fg. 1. All the used notatons are showed n able 1. Even though the paper [1] provdes strong prvacy and securty wth low computaton and communcaton cost, there are stll two vulnerabltes under the above securty model. 394

5 Prvacy Models for RFID Authentcaton Protocols able 1. Notatons Symbol R r R r ID P S x BS h( ) Descrpton RFID reader Random number generated by RFID reader R RFID tag Random number generated by RFID tag Statc dentty of RFID tag Pseudonym of RFID tag Safeguard of P Secret for RFID tag Back-end server One-way hash functon: {0,1}* {0,1} l Exclusve-OR (XOR) Fg. 1. he anonymous RFID authentcaton protocol. 4.2 Securty Analyss 1) Volaton of untraceablty Let be the protocol sesson. Let us assume that the adversary breaks nto the tag s memory at tme. he adversary sends Corrupt query thus gets the protocol and wats for the tag memory to get updated to x { 1}. It then follows x +. Note that, the 395

6 Proceedngs, he 2nd Internatonal Conference on Informaton echnology and Computer Scence adversary dd nothng after gettng x and allowed the tag to contnue and complete the protocol wth the server for the sesson. After the tag memory has been updated to +1, the adversary accesses the memory and gets x + at sesson +1. Moreover, the adversary has got the protocol transcrpts of sesson ( r, r, P, M, N ' ) va the publc channel. Now, the adversary can compute the R ID { + 1} = x x M. hus, the ID of the tag s revealed. Next, the followng: adversary has got the protocol transcrpts of sesson -1 ( r, r { 1}, P { 1}, M, N ' ) va the publc channel. From ths, the R { 1} { 1} x = x M ID. hus, the forward securty s adversary can compute: broken. Once the ID s revealed, the tag s no more anonymous and no more resstant to trackng. hus, the protocol volates the tag untraceablty. 2) Volaton of de-synchronzaton he proposed protocol s not fully resstant to de-synchronzaton attacks as well. Let us assume that at some pont the adversary has blocked the two consecutve N ' values ( N ' of two consecutve sessons). he server has thus already updated tself, but the tag has not. he tag and the server wll reman de-synchronzed from then. Let us elaborate the above scenaro: At sesson, the tag has x. he server has x, x. ag has been authentcated successfully. he server updates ts memory to x, x +. he adversary has blocked N '. So, the tag cannot update ts memory. he tag stll has x n ts memory. At sesson +1, the tag has x. he server has x, x +. ag has been authentcated successfully usng. he server updates ts memory to { 1} x + { 2}, x +. he adversary has blocked N ' +. So, the tag cannot update ts memory. he tag stll has x n ts memory. At sesson +2, the tag has x. he server has x + { 2}, x +. Hence, tag cannot be authentcated successfully snce the x n ts memory anymore. he tag and server get de- server does not have synchronzed. x 5 Conclusons In ths paper, we consder prvacy ssues n RFID system where the authorzed readers must be able to dentfy tags wthout an adversary beng able to trace them, and provde a formal securty model for prvacy n RFID system. Under ths model, we analyze the recently proposed RFID authentcaton protocol named anonymous RFID authentcaton protocol and show attacks on them that compromse the prvacy. 396

7 Prvacy Models for RFID Authentcaton Protocols In partcular, the attacks lke de-synchronzaton are very dffcult to prevent. We can assume that the attacker can only block the transmsson only one tme to acheve ths requrement. In addton, forward prvacy s very mportant to protect the hstory output. In the future, we want to defne a more general model to analyze the RFID authentcaton protocols wth formal securty proofs. Acknowledgement. hs work was supported by the research fund from Nanjng Unversty of Informaton Scence and echnology under Grant No. S , Natonal Scence Foundaton of Chna under Grant No , and Natural scence fund for colleges and unverstes n Jangsu Provnce under Grant No. 12KJB References 1. Shen, J., Cho, D., Moh, S., Chung, I.: A Novel Anonymous RFID Authentcaton Protocol Provdng Strong Prvacy and Securty. In: 2nd Int. Conf. on Multmeda Informaton Networkng & Securty (MINES 2010), pp , IEEE Press (2010) 2. Avone, G.: Adversaral Model for Rado Frequency Identfcaton. Cryptology eprnt Archve, report 2005/049 (2005) 3. Juels, A., Wes, S.A.: Defnng Strong Prvacy for RFID. In: IEEE PerCom 07, pp (2007) 4. Le,.V., Burmester, M., Mederos, B.: Unversally Composable and Forward-Secure RFID Authentcaton and Authentcated Key Exchange. In: ASIACCS 07, pp (2007) 5. Vaudenay, S.: On Prvacy Models for RFID. In: Advances n Cryptology Asacrypt 07, LNCS 4833, pp (2007) 6. Reback, M. R., Crspo, B., anenbaum, A. S.: he Evoluton of RFID Securty. IEEE Pervasve Comp., vol. 5, no. 1, pp (2006) 7. Juels, A.: RFID Securty and Prvacy: A Research Survey. IEEE Journal on Selected Areas n Communcatons, vol. 24, no. 2, pp (2006) 8. Cosel, I., Martn,.: Untanglng RFID Prvacy Models. Journal of Computer Networks and Communcatons, vol (2013) 397