Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings [1 ed.] 9781614993285, 9781614993278

Our reliance on ever more sophisticated computer systems for the management of data and information means that the field

Copyright © 2013. IOS Press, Incorporated. All rights reserved.

RADIO FREQUENCY IDENTIFICATION SYSTEM SECURITY

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,

Cryptology and Information Security Series

The Cryptology & Information Security Series (CISS) presents the latest research results in the theory and practice, analysis and design, implementation, application and experience of cryptology and information security techniques. It covers all aspects of cryptology and information security for an audience of information security researchers with specialized technical backgrounds.

Coordinating Series Editors: Raphael C.-W. Phan and Jianying Zhou

Series editors:
Feng Bao, Institute for Infocomm Research, Singapore
Kefei Chen, Shanghai Jiaotong University, China
Robert Deng, SMU, Singapore
Yevgeniy Dodis, New York University, USA
Dieter Gollmann, TU Hamburg-Harburg, Germany
Markus Jakobsson, Indiana University, USA
Marc Joye, Thomson R&D, France
Javier Lopez, University of Malaga, Spain
Nasir Memon, Polytech University, USA
Chris Mitchell, RHUL, United Kingdom
David Naccache, École Normale Supérieure, France
Gregory Neven, IBM Research, Switzerland
Phong Nguyen, CNRS / École Normale Supérieure, France
Andrew Odlyzko, University of Minnesota, USA
Adam Young, MITRE Corporation, USA
Moti Yung, Columbia University, USA

Volume 11

Recently published in this series:
Vol. 10. M.M. Prabhakaran and A. Sahai (Eds.), Secure Multi-Party Computation
Vol. 9. S.G. Weber, Multilaterally Secure Pervasive Cooperation – Privacy Protection, Accountability and Secure Communication for the Age of Pervasive Computing
Vol. 8. N.-W. Lo and Y. Li (Eds.), Radio Frequency Identification System Security – RFIDsec’12 Asia Workshop Proceedings
Vol. 7. P. Junod and A. Canteaut (Eds.), Advanced Linear Cryptanalysis of Block and Stream Ciphers
Vol. 6. T. Li, C.-H. Chu, P. Wang and G. Wang (Eds.), Radio Frequency Identification System Security – RFIDsec’11 Asia Workshop Proceedings
Vol. 5. V. Cortier and S. Kremer (Eds.), Formal Models and Techniques for Analyzing Security Protocols
Vol. 4. Y. Li and J. Zhou (Eds.), Radio Frequency Identification System Security – RFIDsec’10 Asia Workshop Proceedings
Vol. 3. C. Czosseck and K. Geers (Eds.), The Virtual Battlefield: Perspectives on Cyber Warfare
Vol. 2. M. Joye and G. Neven (Eds.), Identity-Based Cryptography
Vol. 1. J. Lopez and J. Zhou (Eds.), Wireless Sensor Network Security

ISSN 1871-6431 (print) ISSN 1879-8101 (online)


Radio Frequency Identification System Security
RFIDsec’13 Asia Workshop Proceedings

Edited by

Changshe Ma
South China Normal University, China

and

Jian Weng
Jinan University, China

Amsterdam • Berlin • Tokyo • Washington, DC


© 2013 The authors and IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher.

ISBN 978-1-61499-327-8 (print)
ISBN 978-1-61499-328-5 (online)
Library of Congress Control Number: 2013952824

Publisher
IOS Press BV, Nieuwe Hemweg 6B, 1013 BG Amsterdam, The Netherlands
fax: +31 20 687 0019, e-mail: [email protected]

Distributor in the USA and Canada
IOS Press, Inc., 4502 Rachael Manor Drive, Fairfax, VA 22032, USA
fax: +1 703 323 3668, e-mail: [email protected]

LEGAL NOTICE
The publisher is not responsible for the use which might be made of the following information.

PRINTED IN THE NETHERLANDS


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved.


Preface

This volume contains the papers presented at the 2013 Workshop on Radio Frequency Identification/Internet of Things Security (RFIDsec’13 Asia) held in Guangzhou, China on November 27, 2013. The workshop was co-hosted by South China Normal University and Jinan University. The General Chairs were Yingjiu Li, from Singapore Management University, and Yong Tang from South China Normal University.

RFIDsec’13 Asia is aligned with the RFID security workshop (RFIDsec), which addresses security and privacy issues in Radio Frequency Identification (RFID). Since its inception in 2005, RFIDsec has been organized as a series of workshops held in Graz (2005/06), Malaga (2007), Budapest (2008), Leuven (2009), Istanbul (2010), Amherst (2011), Nijmegen (2012) and Graz (2013). RFIDsec’13 Asia is the fifth edition of this series of workshops to be held in Asia, following RFIDsec’09 Asia in Taipei (2009), RFIDsec’10 Asia in Singapore (2010), RFIDsec’11 Asia in Wuxi (2011) and RFIDsec’12 Asia in Taipei (2012).

RFIDsec’13 Asia provides an international forum to address the fundamental issues in theory and practice related to RFID/IoT technologies and applications. This year’s excellent program consists of 10 high-quality papers, selected after a rigorous review process by both members of the Program Committee and external reviewers. Many interesting topics are covered, including RFID authentication, mutual authentication and ownership transfer, security of RFID applications, NFC and the Internet of Things, and side channel attacks. All RFIDsec’13 Asia papers are published by IOS Press in the Cryptology and Information Security Series.

RFIDsec’13 Asia was made possible thanks to the contributions of many individuals and organizations. First, we would like to thank all the authors who submitted their scientific papers. We would also like to thank the Program Committee members and external reviewers for reviewing and commenting on the submitted papers. Furthermore, we thank the Organization Committee for organizing this workshop. Last but not least, we are grateful to South China Normal University and Jinan University for hosting the workshop.

Changshe Ma and Jian Weng
November 2013


Organization of the 2013 Workshop on RFID and IoT Security (RFIDsec’13 Asia)
27 Nov, 2013, Guangzhou, China
Hosted by South China Normal University, China
Co-hosted by Jinan University, China
Supported by RFIDsec

General Chairs
Yingjiu Li (SMU, Singapore)
Yong Tang (SCNU, China)

Program Chairs
Jianying Zhou (I2R, Singapore)
Changshe Ma (SCNU, China)
Jian Weng (JNU, China)

Program Committee
Zhong Chen (PKU, China)
Hung-Yu Chien (NCNU, Taiwan)
Chao-Hsien Chu (PSU, US; SMU, Singapore)
Xinxin Fan (University of Waterloo, Canada)
Gerhard Hancke (Royal Holloway, UK)
Miroslaw Kutylowski (Wroclaw UT, Poland)
Tieyan Li (Huawei, Singapore)
Nai-Wei Lo (NTUST, Taiwan)
Di Ma (UM-Dearborn, US)
Rodrigo Roman (I2R, Singapore)
Jörn-Marc Schmidt (TU-Graz, Austria)
Kouichi Sakurai (Kyushu University, Japan)
Huiping Sun (PKU, China)
Shaohua Tang (SCUT, China)
Yanjiang Yang (I2R, Singapore)
Chan Yeob Yeun (KUSTAR, UAE)
Yunlei Zhao (Fudan University, China)

Publication and Publicity Chairs
Anyi Liu (IPFW, US)
Jie Shi (SMU, Singapore)

Local Organization Committee
Dehua Zhou (JNU, China)


Contents

Preface (Changshe Ma and Jian Weng), page v
Organization of the 2013 Workshop on RFID and IoT Security (RFIDsec’13 Asia), 27 Nov, 2013, Guangzhou, China, page vii

Regular Papers
On RFID Authentication Protocols with Wide-Strong Privacy (Nan Li, Yi Mu, Willy Susilo, Fuchun Guo and Vijay Varadharajan), page 3
Chameleon RFID and Tracking Prevention (Marek Klonowski, Mirosław Kutyłowski and Piotr Syga), page 17
A Secure Elliptic Curve Based RFID Ownership Transfer Scheme with Controlled Delegation (Shu Cheng, Vijay Varadharajan, Yi Mu and Willy Susilo), page 31
IBIHOP: Proper Privacy Preserving Mutual RFID Authentication (Roel Peeters, Jens Hermans and Junfeng Fan), page 45
A Framework to Securing RFID Transmissions by Varying Transmitted Reader’s Power (Fei Huo, Chouchang Yang, Guang Gong and Radha Poovendran), page 57
SSL Usage in Commercial Internet of Things Platforms (Roy Fisher and Gerhard Hancke), page 69
A Comparative Study of Stream Ciphers and Hash Functions for RFID Authentications (Shugo Mikami, Dai Watanabe and Kazuo Sakiyama), page 83

Short Papers
Securing NFC with Elliptic Curve Cryptography – Challenges and Solutions (Xinxin Fan and Guang Gong), page 97
Remote Attestation Mechanism for Embedded Devices Based on Physical Unclonable Functions (Raja Naeem Akram, Konstantinos Markantonakis and Keith Mayes), page 107
A Survey of Side Channel Attacks on MPKCs Potential for RFID (Weijian Li, Shaohua Tang and Daojing He), page 123

Subject Index, page 133
Author Index, page 135


Regular Papers


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-328-5-3


On RFID Authentication Protocols with Wide-Strong Privacy¹

Nan Li^a, Yi Mu^a, Willy Susilo^{a,2}, Fuchun Guo^a and Vijay Varadharajan^b
a Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Wollongong, Australia; e-mail: {nl864,ymu,wsusilo,fuchun}@uow.edu.au
b Information and Networked Systems Security Research, Department of Computing, Faculty of Science, Macquarie University, Sydney, Australia; e-mail: [email protected]

Abstract. Radio frequency identification (RFID) tag privacy is an important issue in RFID security. To date, there have been several attempts to achieve wide-strong privacy by using zero-knowledge protocols. In this paper, we launch an attack on the recent zero-knowledge based identification protocol for RFID, which was claimed to capture wide-strong privacy, and show that this protocol is flawed. Subsequently, we propose two zero-knowledge based tag authentication protocols and prove that they offer wide-strong privacy.

1. Introduction

Radio frequency identification (RFID) tags have very limited computation and storage resources and are usually not tamper-resistant. For example, an attacker could physically access an RFID tag and collect its internal state. The RFID tag communicates with the RFID reader over a wireless interface, and hence there is a security concern: the attacker could be able to identify a tag by using the information collected from tag-reader communication. Therefore, the privacy of RFID tags has become an issue in RFID applications. Vaudenay [22] introduced the strong privacy model, which captures a number of RFID privacy cases corresponding to eight classes with respect to eight different privacy levels from weak to strong. The strongest level is wide-strong privacy. Later, Ng, Susilo, Mu and Safavi-Naini [16] refined Vaudenay’s model and claimed that wide-strong privacy is possible. Based on the Bohli-Pashalidis model [2,3] and Vaudenay’s model, Hermans, Pashalidis, Vercauteren and Preneel [10] proposed a new practical RFID privacy model which relies on the indistinguishability of tags.

¹ This work is supported by the Australian Research Council Discovery Project DP110101951.
² This work is supported by ARC Future Fellowship FT0991397.


N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

Wide-strong privacy is achievable by using public key cryptography (PKC) [22,16]. An RFID authentication protocol based on an IND-CCA2 secure public key encryption scheme is strong private for wide adversaries [10]. Deursen and Radomirović [7] proposed a wide-strong private authentication protocol by employing the Cramer-Shoup encryption scheme. The digital signature is an alternative cryptographic primitive in PKC. However, a traditional digital signature hardly preserves the tag’s privacy, as the signature is publicly verifiable. Fortunately, we found that digital signatures, such as strong designated verifier signatures [11], can be obtained by applying IND-CCA2 encryption schemes. Thus, it is possible to construct a wide-strong private identification protocol based on strong designated verifier signature schemes.

Elliptic curve cryptography (ECC) based RFID authentication protocols are acceptable for low-cost RFID tags [9,15]. Many ECC based RFID authentication protocols [21,12,13,14,14,1] were proposed. Most of them are variants of the Schnorr signature scheme. However, these schemes were unfortunately broken later in [8,12,5,6,4]. Recently, a new and interesting protocol was proposed by Peeters and Hermans [18]. They claimed that the protocol achieves wide-strong privacy.


Our Contributions

The contribution of this paper is twofold. First, in contrast to the claim made in [18], we demonstrate that Peeters and Hermans’ [18] protocol is vulnerable to our attack, which makes the tag traceable. Second, we propose two wide-strong private protocols based on zero-knowledge. The proposed protocols offer provable wide-strong privacy in the model described in [10]. As features of our protocols, the reader can convince a third party, such as a client in the supply chain, of the presence of the tag by means of a signature extracted from a successful authentication, and our (second) optimized protocol eliminates the modular operations in the prime field.

Paper Organization

The rest of this paper is organized as follows. In Section 2, we describe some mathematical preliminaries and review the underlying privacy model. Section 3 demonstrates an attack launched by the wide-strong adversary against Peeters and Hermans’ protocol. We propose a basic protocol and prove its privacy in Section 4 and Section 5, respectively. An optimized protocol is presented in Section 6. Section 7 concludes the paper.

2. Preliminaries

In this section, we give the definitions of some mathematical preliminaries and present the privacy model adopted in this paper.

2.1. Bilinear Maps

Let $G_1$, $G_2$ and $G_T$ be three additive cyclic groups of the same prime order $q$. $P$ and $V$ are generators of $G_1$ and $G_2$, respectively. The map $e : G_1 \times G_2 \to G_T$ is a bilinear mapping (pairing) and $(P, V, q, e, G_1, G_2, G_T)$ is a bilinear group. Let $\psi$ be a computable isomorphism from $G_2$ to $G_1$ such that $\psi(V) = P$. We say it is a symmetric bilinear group if $G_1 = G_2 = G$. A bilinear pairing satisfies the following properties:
• Bilinearity: for all $P \in G_1$, $V \in G_2$ and $a, b \in \mathbb{Z}_q^*$, we have $e(P^a, V^b) = e(P, V)^{ab}$.
• Non-Degeneracy: for all generators $P \in G_1$ and $V \in G_2$, we have $e(P, V) \neq 1$, i.e., $e(P, V)$ is a generator of $G_T$.
• Efficiency: there is an efficient algorithm to compute $e(P, V)$ for all $P \in G_1$, $V \in G_2$.

2.2. Complexity Assumptions

Definition 1 (Computational Diffie-Hellman (CDH) assumption). Given a tuple $\langle P, aP, bP \rangle$, where $a, b \in_R \mathbb{Z}_q^*$ and $P$ is a generator of the group $G$, no PPT adversary can find $abP$ with advantage at least $\epsilon$.

2.3. Privacy Model


In this paper, we use the privacy model defined in [10]. The oracles defined in the model are as follows.
• CreateTag(ID) → $T_i$: taking as input a tag’s identifier ID, the oracle sets up and registers a new tag with the server. Then it outputs the reference $T_i$ of the tag.
• Launch() → $\pi, m$: launches a new session $\pi$ and returns the first message $m$ sent by the reader.
• DrawTag($T_i, T_j$) → vtag: taking as input a pair of tag references $(T_i, T_j)$, it outputs vtag, a virtual tag reference linked to either $T_i$ or $T_j$ according to the value of $g \in \{0, 1\}$. The oracle outputs $\bot$ if $T_i$ or $T_j$ is already drawn.
• Free(vtag): taking as input a virtual tag vtag, it retrieves the tuple $(vtag, T_i, T_j)$, moves $(T_i, T_j)$ to the set of free tags and resets $T_i$’s (if $g = 0$) or $T_j$’s (if $g = 1$) volatile memory.
• SendTag(vtag, $m$) → $m'$: taking as input a virtual tag vtag and a message $m$, the oracle retrieves $(vtag, T_i, T_j)$ and sends $m$ to the tag $T_i$ (if $g = 0$) or $T_j$ (if $g = 1$). It outputs the tag’s response $m'$.
• SendReader($\pi$, $m$) → $m'$: taking as input an instance $\pi$ and a message $m$, the oracle sends $m$ to the reader in session $\pi$ and outputs the reader’s response $m'$. If the session $\pi$ is not activated, the oracle outputs $\bot$.
• Result($\pi$) → $c$: taking as input an instance $\pi$, the oracle outputs the result $c$ of the authentication if $\pi$ exists, and $\bot$ otherwise.
• Corrupt($T_i$) → $s$: taking as input a reference $T_i$ of the tag, the oracle outputs the state $s$ of the tag if $T_i$ is not drawn, and $\bot$ otherwise.

The model defines eight different classes of privacy and adversary. In each class, the adversary is restricted in the oracles it may access. The strongest adversary in the model is the wide-strong adversary, who can access all of the above oracles as many times as he needs in polynomial time. The privacy experiment $\mathrm{Exp}^{ws\text{-}private}_{A,S}$ for the wide-strong adversary is as follows:
1. Setup: The system $S$ sets up the system depending on the security parameter $k$ and chooses a random bit $g \in \{0, 1\}$.
2. Learning: The adversary $A$ can interact with $S$ in polynomial time and query all of the above oracles.
3. Guess: The adversary outputs a bit $g'$. If $g' = g$, the experiment outputs 1, and 0 otherwise.
We say that the adversary $A$ wins the wide-strong privacy game if and only if the experiment outputs 1.

Definition 2. An RFID authentication protocol is privacy-preserving if there is no adversary $A$ who wins the wide-strong privacy game in polynomial time $t$ with advantage $\mathrm{Adv}_A$ at least $\epsilon$, where
$$\mathrm{Adv}_A = \left| \Pr\left[\mathrm{Exp}^{ws\text{-}privacy}_{A,S} = 1\right] - \frac{1}{2} \right| \ge \epsilon.$$


3. A Simple Attack

In RFID privacy models [22,10], the adversary is classified as “narrow” or “wide” according to whether it is allowed to query the Result oracle during the simulation. A wide adversary can query the Result oracle to check whether a session is valid. Our attack exploits the capability of wide-strong adversaries to forge new sessions by using the tag’s private key and to verify the validity of the forgery. In the attack, the adversary can query all oracles defined in Section 2.3. He chooses two tags $T_0$ and $T_1$ and queries the Corrupt oracle on both of them. Upon receiving the internal states of $T_0$ and $T_1$, the adversary issues a SendTag query to a virtual tag $T_g$ which is linked to either $T_0$ or $T_1$. From the tag’s response $I^*$ and the tags’ states, the adversary generates a new response $I^{*\prime}$. Then, the adversary submits $I^{*\prime}$ to the Result oracle. Based on the output of the Result oracle, the adversary can output the correct link between the virtual tag and the target tag. The attack is depicted in Fig. 1.

Figure 1. Our attack (message flow between the virtual tag, the adversary and the challenger):
1. Adversary → Challenger: Corrupt($T_0$), Corrupt($T_1$)
2. Challenger → Adversary: state($T_0$), state($T_1$)
3. Adversary → Virtual tag ($T_g \in_R \{T_0, T_1\}$): SendTag
4. Virtual tag → Adversary: $I^*$
5. Adversary: generate $I^{*\prime}$
6. Adversary → Challenger: Result($I^{*\prime}$)
7. Challenger → Adversary: Accept or Reject
8. Adversary: guess $T_g = T_0$ or $T_1$

3.1. Peeters and Hermans’ Protocol

Recently, Peeters and Hermans [18] proposed an interesting RFID identification protocol based on zero-knowledge. They presented two protocols, the second of which is an efficient optimized version. Here, we review their improved protocol. In the protocol, the tag and the reader have the public/private key pairs $(x, X = xP)$ and $(y, Y = yP)$, respectively. The public keys $X$ and $Y$ are mutually known to the reader and the tag. The protocol is initiated by the tag generating a random number $r \in \mathbb{Z}_q^*$. The tag sends $R = rP$ to the reader and receives the reader’s response $e \in \mathbb{Z}_q^*$. The tag computes $d = \mathrm{xcoord}(rY)$ and $s = x + er + d$, where xcoord is a function returning the x-coordinate of the input point, and sends $s$ to the reader. Upon receiving the response, the reader computes $d' = \mathrm{xcoord}(yR)$ and $X' = (s - d')P - eR$, and accepts the tag if $X'$ appears in the database. The protocol is depicted in Fig. 2. The authors claimed that their protocol is wide-strong private, while we show that the protocol is vulnerable to our attack.

Figure 2. Peeters and Hermans’ protocol (message flow between Reader($y$, DB$\{X_i\}$) and Tag($x$, $Y$)):
Tag: $r \in_R \mathbb{Z}_q^*$, $R = rP$; Tag → Reader: $R$
Reader: $e \in_R \mathbb{Z}_q^*$; Reader → Tag: $e$
Tag: $d = \mathrm{xcoord}(rY)$, $s = x + er + d$; Tag → Reader: $s$
Reader: $d' = \mathrm{xcoord}(yR)$, $X' = (s - d')P - eR \in$ DB?

Theorem 1. In Peeters and Hermans’ protocol (Figure 2), a wide-strong adversary is able to break the tag’s privacy with advantage $\Pr[\bar{E}] = 1 - \frac{n}{q}$.

Proof 1. Suppose that the public system parameters $(P, Y)$, where $P$ is a generator of a group $G$ and $Y$ is the reader’s public key, are known to the adversary. Given an instance of the protocol execution of the tag $T_0$ or the tag $T_1$, the wide-strong adversary $A$ aims to decide which tag is involved in the session. The adversary $A$ issues two oracle calls, Corrupt($T_0$) and Corrupt($T_1$), to the challenger. The challenger respectively returns $T_0$’s and $T_1$’s private keys $x_0$ and $x_1$ to the adversary. In the challenge phase, the challenger gives an instance $I^* = (R^*, e^*, s^*)$ of the protocol execution. The instance is generated by using the tag $T^*$’s private key $x^*$, where $x^* = x_0$ or $x^* = x_1$. Hence, we have $s^* = x^* + e^* r^* + d^*$, where $d^* = \mathrm{xcoord}(r^* Y)$. Then, $A$ generates a new instance $I^{*\prime} = (R^{*\prime}, e^{*\prime}, s^{*\prime})$ as follows:
$$R^{*\prime} = R^*, \quad e^{*\prime} = e^*, \quad s^{*\prime} = s^* - x_0 + x_1.$$
Since $A$ is a wide adversary, it queries the Result oracle on input the session $I^{*\prime}$. The challenger then returns whether it accepts the session. If the challenger’s output is 1, it means that $I^{*\prime}$ is valid and $A$ has
$$s^{*\prime} = s^* - x_0 + x_1 = (x^* - x_0 + x_1) + e^* r^* + d^*.$$
Then, we have three cases:
• Case 1 ($x^* - x_0 + x_1 = x_0$): with the new session w.r.t. tag $T_0$, $A$ has the solution $x^* = 2x_0 - x_1$.
• Case 2 ($x^* - x_0 + x_1 = x_1$): with the new session w.r.t. tag $T_1$, $A$ has the solution $x^* = x_0$.
• Case 3 ($x^* - x_0 + x_1 = x_2$): with the new session w.r.t. another tag $T_2$, where $x_2$ is the private key of $T_2$, $A$ has the solution $x^* = x_2 + x_0 - x_1$.
Given that $x^*$ is either $x_0$ or $x_1$, and assuming tags have individual keys, Case 1 is impossible as it implies $x_0 = x_1$. $A$ can deduce from Case 2 and Case 3 that $x^* = x_0$ or $x^* = x_2 + x_0 - x_1 = x_1$. Then, $A$ can guess that the session $I^*$ is related to the tag $T_0$ with high probability. If the challenger rejects the session $I^{*\prime}$, $A$ can decide that $I^*$ is related to the tag $T_1$. Therefore, the protocol is vulnerable to our attack. Let $E$ be the event that there exists a tag $T_2$ with private key $x_2 = 2x_1 - x_0$. Since a tag’s private key is randomly chosen from $\mathbb{Z}_q^*$, $2x_1 - x_0$ can be regarded as a random value. Event $E$ occurs with negligible probability $\frac{n}{q}$, where $n$ is the number of tags other than $T_0$ and $T_1$. Hence, the adversary outputs a correct guess with probability
$$\Pr[\bar{E}] = 1 - \frac{n}{q}.$$


4. Proposed Protocol

Many ECC-based RFID identification protocols employ Diffie-Hellman keys to preserve the privacy of the tag. Usually, there are two approaches to generating the Diffie-Hellman key: 1) the tag uses its private key and the nonce(s) to compute it with the reader’s public key (e.g., [1,12,13]); 2) the tag chooses a random number to compute it with the reader’s public key (e.g., [18]). However, a strong adversary can compromise the tag and obtain the tag’s private key. Hence, the two ways provide an equal level of privacy protection under the strong attack. In this paper, we adopt the second approach.

To withstand the attack described in Section 3, the tag’s response should not be transferable to another valid response even if the tag’s private key is known to the adversary. In our protocol, we protect the tag’s private key by using two random values. Given a valid tag’s response, anyone who has neither the tag’s temporary key nor the reader’s private key cannot output a new valid tag’s response.

Our protocol is a variant of the Schnorr identification protocol [19]. The identification process consists of two passes, where the reader initiates the session. Prior to identifying the tag, both the reader and the tag are required to store particular states. Let $G$ be an additive group of prime order $q$ and $P$ a generator of the group. The public/private key pairs of the tag and the reader are $(x, X = xP)$ and $(y, Y = yP)$, respectively, where $x, y \in_R \mathbb{Z}_q^*$. Initially, the backend server inserts the tag’s public key $X$ into the database DB as the tag’s identifier. The server sets the tuple $(x, Y, P)$ as the tag’s state and stores it in the tag. The reader receives its pair of public/private keys and is allowed to access the database.

To identify a tag, the reader randomly chooses $C \in G$ and sends $C$ as a challenge to the tag. Upon receiving the challenge, the tag first picks a random number $r \in_R \mathbb{Z}_q^*$ and computes $R = rP$. Let $h : G \times G \times G \to \mathbb{Z}_q^*$ be a cryptographic hash function. The tag generates a signing message
$$v = h(R, rY, C),$$
where $rY$ is a temporary Diffie-Hellman key. The signing message is computable if and only if either the tag’s choice $r$ or the reader’s private key $y$ is known; this is essential for preserving the tag’s privacy. Then the tag computes
$$s = xv + r \pmod q,$$
and sends $(R, s)$ to the reader. On receiving the tag’s response, the reader extracts the tag’s identity as
$$v' = h(R, yR, C), \quad X' = (sP - R)\,v'^{-1}.$$
If $X'$ exists in the database, the tag is identified; otherwise it is rejected. The proposed basic RFID identification protocol is depicted in Fig. 3.

Figure 3. Basic protocol (message flow between Reader($y$, $X$) and Tag($x$, $Y$)):
Reader: choose $c \in_R \mathbb{Z}_q^*$, $C = cP$; Reader → Tag: $C$
Tag: $r \in_R \mathbb{Z}_q^*$, $R = rP$, $v = h(R, rY, C)$, $s = xv + r \pmod q$; Tag → Reader: $(R, s)$
Reader: compute $v' = h(R, yR, C)$, $X' = (sP - R)\,v'^{-1}$; check if $X'$ is in the database.

The reader can extract the tag’s signature after a successful tag authentication. Given $yR$ and $C$, anyone who has the tag’s public key $X$ can verify the validity of the signature $(R, s)$. This is an important difference between the encryption based protocols and the zero-knowledge based protocols.
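Added worked example (not code from the paper or its authors): the basic protocol above beside the Peeters and Hermans protocol reviewed in Section 3, in Python over secp256k1 with SHA-256 as h (both are assumptions, since the paper fixes neither a curve nor a hash). It runs one honest identification per protocol and then applies the Section 3 transformation s' = s − x0 + x1 to the captured response of tag T0: the basic protocol rejects it, because the multiplier v = h(R, rY, C) cannot be recomputed from the tag's private key alone, whereas the earlier protocol accepts it as tag T1.

```python
import hashlib
import secrets

# secp256k1 domain parameters. Assumption: the paper fixes no curve, so this
# standard curve stands in for the prime-order group G with generator P.
FIELD = 2**256 - 2**32 - 977
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GEN = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
       0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def add(A, B):
    """Affine point addition; also covers doubling and A + (-A)."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)


def mul(k, A):
    """Scalar multiplication kA (k taken mod q) by double-and-add."""
    result, k = INF, k % Q
    while k:
        if k & 1:
            result = add(result, A)
        A, k = add(A, A), k >> 1
    return result


def neg(A):
    return INF if A is INF else (A[0], (-A[1]) % FIELD)


def rand_scalar():
    return secrets.randbelow(Q - 1) + 1  # uniform in Z_q^*


def keygen():
    x = rand_scalar()
    return x, mul(x, GEN)


def h(R, K, C):
    """h : G x G x G -> Z_q^*, instantiated here with SHA-256 (an assumption)."""
    data = b"".join(c.to_bytes(32, "big") for pt in (R, K, C) for c in pt)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)


# --- Li et al. basic protocol (Section 4, Figure 3) --------------------------
def tag_respond(x, Y, C):
    r = rand_scalar()
    R = mul(r, GEN)
    v = h(R, mul(r, Y), C)  # rY: recomputable only with r (tag) or y (reader)
    return R, (x * v + r) % Q


def reader_identify(y, db, C, R, s):
    """Recover X' = (sP - R) v'^{-1} and look it up in db; None means reject."""
    v = h(R, mul(y, R), C)
    X = mul(pow(v, -1, Q), add(mul(s, GEN), neg(R)))
    return db.get(X)


# --- Peeters and Hermans' protocol (Section 3.1, Figure 2) -------------------
def ph_tag_respond(x, Y, r, e):
    d = mul(r, Y)[0]  # xcoord(rY)
    return (x + e * r + d) % Q


def ph_reader_identify(y, db, e, R, s):
    d = mul(y, R)[0]  # xcoord(yR)
    X = add(mul(s - d, GEN), neg(mul(e, R)))  # X' = (s - d')P - eR
    return db.get(X)


def run_demo():
    """One honest run of each protocol, then the Section 3 transformation
    s' = s - x0 + x1 applied to the captured response of tag T0."""
    x0, X0 = keygen()
    x1, X1 = keygen()
    y, Y = keygen()
    db = {X0: "T0", X1: "T1"}  # reader database keyed by tag public key
    # Basic protocol: reader challenge C = cP, tag T0 answers (R, s).
    C = mul(rand_scalar(), GEN)
    R, s = tag_respond(x0, Y, C)
    basic_honest = reader_identify(y, db, C, R, s)
    basic_transferred = reader_identify(y, db, C, R, (s - x0 + x1) % Q)
    # Peeters-Hermans: tag T0 sends R = rP, reader sends e, tag answers s.
    r, e = rand_scalar(), rand_scalar()
    R_ph = mul(r, GEN)
    s_ph = ph_tag_respond(x0, Y, r, e)
    ph_honest = ph_reader_identify(y, db, e, R_ph, s_ph)
    ph_transferred = ph_reader_identify(y, db, e, R_ph, (s_ph - x0 + x1) % Q)
    # Returns ("T0", None, "T0", "T1"): the hash-bound v blocks the transfer
    # in the basic protocol, while the older protocol accepts s' as tag T1.
    return basic_honest, basic_transferred, ph_honest, ph_transferred
```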

5. Privacy Analysis We analyse the privacy of the proposed basic protocol and show that it is widestrong private under the model [10]. Theorem 2 The proposed basic RFID authentication protocol is private against the wide-strong attack if the CDH problem is hard. Proof 2 Suppose that there is an adversary A who can (, qh , t)-distinguish the ‘left’ and ‘right’ world in the wide-strong privacy experiment. Let A has an advantage  to solve the CDH problem. We can construct an algorithm B run by

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,

N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

11

the challenger to solve the CDH problem using the adversary $\mathcal{A}$. Given the CDH instance $(P, aP, bP)$, algorithm $\mathcal{B}$ aims to output $abP$. On behalf of the system $\mathcal{S}$, $\mathcal{B}$ interacts with the adversary $\mathcal{A}$ as follows.

• Setup: $\m ovement{B}$ sets $P$ as the generator of the additive cyclic group $\mathbb{G}$. Let the public key of the reader be $Y = aP$ and the private key of the reader be $y = a$, which is unknown to $\mathcal{B}$. $\mathcal{B}$ maintains the lists $L_h = \{\langle R, rY, C, v\rangle\}$, $L_{Ref} = \{\langle vtag, T_i, T_j\rangle\}$, $L_S = \{\langle T, \pi, z\rangle\}$ and a database of tags $\mathcal{T} = \{\langle ID, T, X, x\rangle\}$, which are initially empty. $\mathcal{B}$ tosses a coin and sets $g = 0$ or $g = 1$, where $\Pr[g = 0] = \Pr[g = 1] = 1/2$. The virtual tag reference $vtag$ is an incremental counter starting from 0.
• h Query: $\mathcal{A}$ issues an $h$ query on input $(R_i, r_iY, C_i)$ at most $q_h$ times. $\mathcal{B}$ outputs $v_i$ if $(R_i, r_iY, C_i)$ is in the list $L_h$. Otherwise, $\mathcal{B}$ randomly selects $v_i \in \mathbb{Z}_q^*$ and sets $h(R_i, r_iY, C_i) = v_i$. Then, $\mathcal{B}$ outputs $v_i$ and adds $\langle R_i, r_iY, C_i, v_i\rangle$ to the list $L_h$.
• CreateTag Query: $\mathcal{A}$ issues the oracle query on input a tag identity $ID_i$. If $ID_i$ is not in $\mathcal{T}$, $\mathcal{B}$ sets up a new tag $T_i$ and generates the tag's public/private key pair $(x_i, X_i)$, where $x_i \in \mathbb{Z}_q^*$, $X_i = x_iP$. $\mathcal{B}$ outputs the reference $T_i$ and adds $\langle ID_i, T_i, X_i, x_i\rangle$ to the database $\mathcal{T}$. If $ID_i$ exists, $\mathcal{B}$ ignores the query.
• DrawTag Query: $\mathcal{A}$ issues the oracle query on input a pair of tag references $(T_i, T_j)$. If either of the issued tags is not free (i.e. it is currently referenced), the oracle outputs $\bot$. If $g = 0$, $\mathcal{B}$ references $vtag$ to $T_i$, otherwise to $T_j$. $\mathcal{B}$ outputs $vtag$ and adds $\langle vtag, T_i, T_j\rangle$ to the list $L_{Ref}$.
• Free Query: $\mathcal{A}$ issues the oracle query on input a reference $vtag$. If $vtag$ is in the list $L_{Ref}$, $\mathcal{B}$ deletes the entry $\langle vtag, T_i, T_j\rangle$ and erases the volatile memory of the referenced tag, which is $T_i$ or $T_j$.
• Corrupt Query: $\mathcal{A}$ issues the oracle query on input a tag reference $T_i$. If $T_i$ is not in $\mathcal{T}$, $\mathcal{B}$ first creates a new tag by using the CreateTag Query. $\mathcal{B}$ then outputs the tag's secret key $x_i$.
• SendTag Query: $\mathcal{A}$ issues the oracle query on input $vtag$ and a message $C_i$. If the entry $\langle vtag, T_i, T_j\rangle$ is not in the list $L_{Ref}$, $\mathcal{B}$ outputs $\bot$. Otherwise, $\mathcal{B}$ retrieves the referenced tag $T_g$'s secret key $x_g$ and computes as follows.
  ∗ Randomly selects $z_i \in \mathbb{Z}_q^*$ and lets $r_i = b + z_i$. Then, $\mathcal{B}$ computes $R_i = bP + z_iP$.
  ∗ Randomly picks $w_i \in \mathbb{Z}_q^*$ and lets $v_i = w_i - b/x_g$.
  ∗ Computes $s_i = x_gw_i + z_i$ and sets $m_i = (R_i, s_i)$, $\pi_i = (C_i, m_i)$.
  $\mathcal{B}$ outputs $m_i$ and adds $\langle T_i, \pi_i, z_i\rangle$ to the list $L_S$. We show that the simulation is perfect, as
  $$s_i = x_gw_i + z_i = x_g\left(w_i - \frac{b}{x_g}\right) + (b + z_i) = x_gv_i + r_i .$$
N. Li et al. / On RFID Authentication Protocols with Wide-Strong Privacy

• SendReader Query: Since there is no reply message from the reader, $\mathcal{B}$ ignores queries to this oracle.
• Result Query: $\mathcal{A}$ issues the oracle query on input a session $\pi_i$. $\mathcal{B}$ responds as follows.
  ∗ If $\pi_i$ is in the list $L_S$, $\mathcal{B}$ accepts the session and outputs 1.
  ∗ If $\pi_i$ is not in the list $L_S$, $\mathcal{B}$ looks up the list $L_h$. If $\langle R_i, \cdot, C_i, v_i\rangle$ is not in $L_h$, $\mathcal{B}$ outputs 0 and rejects the session.
  ∗ Otherwise, $\mathcal{B}$ computes $X_i' = (s_iP - R_i)\,v_i^{-1}$ and verifies it by checking whether $X_i'$ is in the database $\mathcal{T}$. $\mathcal{B}$ outputs 1 if it exists, 0 otherwise.

Eventually, the adversary has to output a bit $g' \in \{0, 1\}$ in the guess phase, that is, to determine which world ('left' or 'right') the simulation has encountered. If the adversary successfully outputs $g' = g$, he wins the experiment and $\mathcal{B}$ can use it to solve the CDH problem. Since $\mathcal{A}$ has to query the hash oracle to determine which tag is referenced during the experiment, at least one query input $(R_i, r_iY, C_i)$ to the hash oracle is correct. $\mathcal{B}$ retrieves $r_iY$ from the list $L_h$ and computes $abP = r_iY - z_iY$, where $z_i \in L_S$ (indeed $r_iY = (b + z_i)aP = abP + z_iY$), as a solution of the given CDH problem.
The simulation fails when $\mathcal{B}$ rejects a valid session. This occurs when $\mathcal{A}$ issues a valid session $\pi$ to Result while $\langle R_i, \cdot, C_i, v_i\rangle$ is not in the list $L_h$. A valid session which was not generated by $\mathcal{B}$ implies that the adversary could find the Diffie-Hellman key $r_iY$ or guess the correct $s_i$. Let the event $E$ be that the simulation fails. We have the negligible probability $\Pr[E] \le \epsilon + n/q$, where $n$ is the number of tags in $\mathcal{T}$. □
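The basic protocol is not restated on this page, but the SendTag and Result oracles above fix its equations: the tag answers a challenge $C$ with $R = rP$ and $s = xv + r$, where $v = h(R, rY, C)$, and the reader recomputes $v$ from $yR = rY$ and recovers $X' = (sP - R)\,v^{-1}$, which it looks up in its database. The following is an added example written for this page, not code from the paper: it instantiates that exchange over secp256k1 (standing in for the paper's prime-order group $\mathbb{G}$) with SHA-256 reduced into $\mathbb{Z}_q^*$ standing in for $h$; both choices and all function names are assumptions. It also shows the two rejections a reader must produce: a response with a tampered $s$, and a reader that does not hold $y$ and therefore cannot form the Diffie-Hellman value.

```python
import hashlib
import secrets

# Standard secp256k1 parameters, used here as the prime-order additive group G with generator P.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 (textbook, not constant-time)."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # A = -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = INF
    k %= q
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def ec_neg(A):
    return INF if A is INF else (A[0], (-A[1]) % p)


def rand_scalar():
    return secrets.randbelow(q - 1) + 1              # uniform in Z_q^*


def h(R, DH, C):
    """v = h(R, rY, C): SHA-256 over the three encoded points, reduced into Z_q^* (assumption)."""
    enc = b"".join(x.to_bytes(32, "big") for pt in (R, DH, C) for x in pt)
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % (q - 1) + 1


def keygen():
    sk = rand_scalar()
    return sk, ec_mul(sk, P)                         # (x, X = xP) for a tag, (y, Y = yP) for the reader


def reader_challenge():
    return ec_mul(rand_scalar(), P)                  # C in G


def tag_respond(x, Y, C):
    r = rand_scalar()
    R = ec_mul(r, P)
    v = h(R, ec_mul(r, Y), C)                        # rY: only the tag (r) or the reader (y) can form it
    s = (x * v + r) % q
    return R, s


def reader_identify(y, database, C, R, s):
    v = h(R, ec_mul(y, R), C)                        # yR = rY, so the reader recomputes the same v
    Xp = ec_mul(pow(v, -1, q), ec_add(ec_mul(s, P), ec_neg(R)))   # X' = (sP - R) v^{-1}
    return database.get(Xp)                          # identified tag, or None


def demo(tamper=False, wrong_reader=False):
    """One session: returns the identified tag name, or None when the reader rejects."""
    db = {}
    x, X = keygen()
    db[X] = "tag-1"                                  # backend database: public key -> identity
    y, Y = keygen()
    C = reader_challenge()
    R, s = tag_respond(x, Y, C)
    if tamper:
        s = (s + 1) % q                              # response altered on the air interface
    if wrong_reader:
        y = rand_scalar()                            # a reader without the genuine private key y
    return reader_identify(y, db, C, R, s)
```

The recovery step is the whole identification: $sP - R = (xv + r)P - rP = v\,X$, so multiplying by $v^{-1}$ returns the tag's public key, and nothing but a database lookup on that point is needed. The wrong-reader case is what the privacy argument hinges on: without $y$ the reader cannot compute $rY$, so its $v$ is unrelated to the tag's and $X'$ is a random point.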

6. Optimisation
RFID tags are resource-constrained devices with a limited number of gates available to implement protocols, and increasing the tag's gate count costs more in production. In terms of the hardware implementation of our basic protocol, the tag is required to do modular arithmetic in both the prime field and the binary field. Although modular arithmetic is an efficient operation, it consumes a large number of gates in a hardware implementation [17,20]. Unfortunately, most RFID identification protocols based on public key cryptography need modular calculations in both the prime field and the binary field. In this section, we propose an optimized protocol and show that the number of required gates is reduced. As a feature, no modular operation in the prime field is required of the tag; instead, only modular arithmetic in the binary field is needed.

6.1. Protocol 2
The optimized protocol also consists of two passes, where the reader initiates the session. Let $\mathbb{G}$ be an additive group of prime order $q$ and $e$ be a bilinear pairing $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. $P_1$ and $P_2$ are two generators of the group $\mathbb{G}$. The public/private key pairs of the tag and the reader are $(xP_2, X = e(P_1, xP_2))$ and $(y, Y = yP_2)$, respectively, where $x, y \in_R \mathbb{Z}_q^*$. The backend server inserts the entry of the tag into the database and stores the tuple $(xP_2, Y, P_1, P_2)$ in the tag. The reader receives its pair of public/private keys and is allowed to access the database.
To identify a tag, the reader randomly selects $C \in \mathbb{G}$ and sends $C$ as a challenge to the tag. Upon receiving the challenge, the tag chooses a random number $r \in \mathbb{Z}_q^*$ and computes $R = rP_1$. Then, the tag generates the signing value $v$ as in the basic protocol, $v = h(R, rY, C)$. The tag computes $S = vxP_2 + rP_2$ and sends $(R, S)$ to the reader. On receiving the tag's response, the reader extracts the tag's identity as
$$v = h(R, yR, C), \qquad X' = \left(\frac{e(P_1, S)}{e(R, P_2)}\right)^{v^{-1}} .$$
If $X'$ exists in the database, the tag is identified, otherwise it is rejected. (Since $e(P_1, S) = e(P_1, xP_2)^{v}\,e(P_1, P_2)^{r}$ and $e(R, P_2) = e(P_1, P_2)^{r}$, the quotient equals $X^{v}$ and $X' = X$ for an honest tag. Note, however, that with $R = rP_1$ and $Y = yP_2$ the hash inputs $rY = ryP_2$ on the tag and $yR = ryP_1$ on the reader coincide only if $P_1 = P_2$; for the reader to recompute $v$, both sides must derive the Diffie-Hellman value from the same base point.) The optimized RFID identification protocol is depicted in Fig. 4.

  Reader $(X = e(P_1, xP_2),\ y,\ Y = yP_2)$                              Tag $(xP_2, Y)$
  choose $c \in_R \mathbb{Z}_q^*$, $C = cP_2$
                                    ---- $C$ ---->
                                                                 $r \in_R \mathbb{Z}_q^*$, $R = rP_1$
                                                                 $v = h(R, rY, C)$
                                                                 $S = vxP_2 + rP_2$
                                    <--- $(R, S)$ ----
  compute $v = h(R, yR, C)$, $X' = \left(e(P_1, S)/e(R, P_2)\right)^{v^{-1}}$
  check if $X'$ is in the database

Figure 4. Optimized protocol.

6.2. Privacy Analysis
Theorem 3. The proposed optimized RFID identification protocol is private against the wide-strong adversary if the CDH problem is hard.
Proof 3. Suppose that there is an adversary $\mathcal{A}$ who can $(\epsilon, q_h, t)$-distinguish the 'left' and 'right' worlds in the wide-strong privacy experiment. Let $\mathcal{A}$ have an advantage $\epsilon$ to solve the CDH problem. Given an instance $(P, aP, bP)$, we construct an algorithm $\mathcal{B}$ that finds the solution $abP$ of the CDH problem using the adversary $\mathcal{A}$. $\mathcal{B}$ interacts with the adversary $\mathcal{A}$ as follows.

• Setup: $\mathcal{B}$ selects $k \in \mathbb{Z}_q^*$ and sets $P_1 = kP$, $P_2 = P$ as the two generators of the additive cyclic group $\mathbb{G}$. Let the public key of the reader be $Y = aP$ and the private key of the reader be $y = a$, which is unknown to $\mathcal{B}$. $\mathcal{B}$ maintains the lists $L_h = \{\langle R, rY, C, v\rangle\}$, $L_{Ref} = \{\langle vtag, T_i, T_j\rangle\}$, $L_S = \{\langle T, \pi, z\rangle\}$ and a database of tags $\mathcal{T} = \{\langle ID, T, X, xP\rangle\}$, which are initially empty. $\mathcal{B}$ tosses a coin and sets $g = 0$ or $g = 1$, where $\Pr[g = 0] = \Pr[g = 1] = 1/2$. The virtual tag reference $vtag$ is an incremental counter starting from 0.
• h Query: $\mathcal{A}$ issues an $h$ query on input $(R_i, r_iY, C_i)$ at most $q_h$ times. $\mathcal{B}$ outputs $v_i$ if $(R_i, r_iY, C_i)$ is in the list $L_h$. Otherwise, $\mathcal{B}$ picks $v_i \in \mathbb{Z}_q^*$ and sets $h(R_i, r_iY, C_i) = v_i$. Then, $\mathcal{B}$ outputs $v_i$ and adds $\langle R_i, r_iY, C_i, v_i\rangle$ to the list $L_h$.
• CreateTag Query: $\mathcal{A}$ issues the oracle query on input a tag's identity $ID_i$. $\mathcal{B}$ ignores the query if $ID_i$ exists. Otherwise, $\mathcal{B}$ randomly chooses $x_i \in \mathbb{Z}_q^*$ and computes $X_i = e(kP, x_iP)$. Then, $\mathcal{B}$ creates a new tag and sets $(X_i, x_iP)$ as its public and private key pair. $\mathcal{B}$ outputs the reference $T_i$ and adds $\langle ID_i, T_i, X_i, x_iP\rangle$ to the database $\mathcal{T}$.
• DrawTag Query: $\mathcal{A}$ issues the oracle query on input a pair of tag references $(T_i, T_j)$. If either of the issued tags is not free, the oracle outputs $\bot$. Depending on the value of $g$, $\mathcal{B}$ references $vtag$ to $T_i$ (if $g = 0$) or $T_j$ (if $g = 1$). $\mathcal{B}$ outputs $vtag$ and adds $\langle vtag, T_i, T_j\rangle$ to the list $L_{Ref}$.
• Free Query: $\mathcal{A}$ issues the oracle query on input a reference $vtag$. If $vtag$ is in the list $L_{Ref}$, $\mathcal{B}$ removes the entry $\langle vtag, T_i, T_j\rangle$ and erases the volatile memory of the referenced tag.
• Corrupt Query: $\mathcal{A}$ issues the oracle query on input a tag reference $T_i$. If $T_i$ is not in $\mathcal{T}$, $\mathcal{B}$ creates a new tag by running the CreateTag Query. $\mathcal{B}$ then outputs the tag's secret key $x_iP$.
• SendTag Query: $\mathcal{A}$ issues the oracle query on input $vtag$ and a message $C_i$. $\mathcal{B}$ outputs $\bot$ if $\langle vtag, T_i, T_j\rangle$ is not in the list $L_{Ref}$. Otherwise, $\mathcal{B}$ retrieves the referenced tag $T_g$'s secret key $x_gP$ and randomly selects $z_i, w_i \in \mathbb{Z}_q^*$. Then, $\mathcal{B}$ computes $R_i = kbP + z_ikP$, $S_i = w_ix_gP + z_iP$, and sets $m_i = (R_i, S_i)$, $\pi_i = (C_i, m_i)$. $\mathcal{B}$ outputs $m_i$ and adds $\langle T_i, \pi_i, z_i\rangle$ to the list $L_S$. (As in the previous proof, this is the honest response for $r_i = b + z_i$ and the implicitly defined hash value $v_i = w_i - b/x_g$, since $v_ix_gP + r_iP = (w_ix_g - b)P + (b + z_i)P = S_i$.)
• SendReader Query: Since there is no reply message from the reader, $\mathcal{B}$ ignores queries to this oracle.
• Result Query: $\mathcal{A}$ issues the oracle query on input a session $\pi_i$. $\mathcal{B}$ outputs 1 if $\pi_i$ is in the list $L_S$; otherwise $\mathcal{B}$ outputs 0 if $\langle R_i, \cdot, C_i, v_i\rangle$ is not in the list $L_h$. If $\langle R_i, \cdot, C_i, v_i\rangle$ exists, $\mathcal{B}$ computes $X_i' = \left(\frac{e(P_1, S_i)}{e(R_i, P_2)}\right)^{v_i^{-1}}$ and outputs 1 if $X_i'$ appears in $\mathcal{T}$, 0 otherwise.

Eventually, if the adversary outputs a guess $g'$ with $g' = g$, $\mathcal{B}$ has at least one correct value of $r_iY$ in the list $L_h$. $\mathcal{B}$ can find the solution of the CDH problem as $abP = r_iY - z_iY$, where $z_i \in L_S$. The simulation fails when $\mathcal{B}$ outputs a false rejection, which happens with negligible probability at most $\epsilon + n/q$, where $n$ is the number of tags in $\mathcal{T}$. □

7. Conclusion
In this paper, we demonstrated an attack launched by a wide-strong adversary on Peeters and Hermans' identification protocol. Given a valid session, the adversary can make a new session and distinguish the tag based on the output of the Result oracle. We proposed two zero-knowledge based RFID authentication protocols which are wide-strong private, and formally proved them to be so. Moreover, the reader obtains the tag's signature after a successful tag authentication. The optimized protocol eliminates the modular computations in the prime field on the tag.

Acknowledgments
We thank the anonymous reviewers for their fruitful comments on improving this work.

References
[1] Batina, L., Seys, S., Singelée, D., Verbauwhede, I.: Hierarchical ECC-based RFID authentication protocol. In: Juels, A., Paar, C. (eds.) RFIDSec. LNCS, vol. 7055, pp. 183–201. Springer (2011)
[2] Bohli, J.M., Pashalidis, A.: Relations among privacy notions. In: Dingledine, R., Golle, P. (eds.) Financial Cryptography. LNCS, vol. 5628, pp. 362–380. Springer (2009)
[3] Bohli, J.M., Pashalidis, A.: Relations among privacy notions. ACM Trans. Inf. Syst. Secur. 14(1), 4 (2011)
[4] Bringer, J., Chabanne, H., Icart, T.: Cryptanalysis of EC-RAC, a RFID identification protocol. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS. LNCS, vol. 5339, pp. 149–161. Springer (2008)
[5] van Deursen, T., Radomirović, S.: Untraceable RFID protocols are not trivially composable: Attacks on the revision of EC-RAC. IACR Cryptology ePrint Archive 2009, 332 (2009)
[6] van Deursen, T., Radomirović, S.: EC-RAC: Enriching a capacious RFID attack collection. In: Yalcin, S.B.O. (ed.) RFIDSec. LNCS, vol. 6370, pp. 75–90. Springer (2010)
[7] van Deursen, T., Radomirović, S.: Insider attacks and privacy of RFID protocols. In: Petkova-Nikova, S., Pashalidis, A., Pernul, G. (eds.) EuroPKI. LNCS, vol. 7163, pp. 91–105. Springer (2011)
[8] Fan, J., Hermans, J., Vercauteren, F.: On the claimed privacy of EC-RAC III. In: Yalcin, S.B.O. (ed.) RFIDSec. LNCS, vol. 6370, pp. 66–74. Springer (2010)
[9] Hein, D.M., Wolkerstorfer, J., Felber, N.: ECC is ready for RFID - a proof in silicon. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) Selected Areas in Cryptography. LNCS, vol. 5381, pp. 401–413. Springer (2008)
[10] Hermans, J., Pashalidis, A., Vercauteren, F., Preneel, B.: A new RFID privacy model. In: Atluri, V., Díaz, C. (eds.) ESORICS. LNCS, vol. 6879, pp. 568–587. Springer (2011)
[11] Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U.M. (ed.) EUROCRYPT. LNCS, vol. 1070, pp. 143–154. Springer (1996)
[12] Lee, Y.K., Batina, L., Verbauwhede, I.: EC-RAC (ECDLP based randomized access control): Provably secure RFID authentication protocol. In: RFID, 2008 IEEE International Conference on. pp. 97–104 (2008)
[13] Lee, Y.K., Batina, L., Verbauwhede, I.: Untraceable RFID authentication protocols: Revision of EC-RAC. In: RFID, 2009 IEEE International Conference on. pp. 178–185 (2009)
[14] Lee, Y.K., Batina, L., Singelée, D., Verbauwhede, I.: Wide-weak privacy-preserving RFID authentication protocols. In: Chatzimisios, P., Verikoukis, C.V., Santamaría, I., Laddomada, M., Hoffmann, O. (eds.) MOBILIGHT. Lecture Notes of the ICST, Social Informatics and Telecommunications Engineering, vol. 45, pp. 254–267. Springer (2010)
[15] Lee, Y.K., Sakiyama, K., Batina, L., Verbauwhede, I.: Elliptic-curve-based security processor for RFID. IEEE Trans. Computers 57(11), 1514–1527 (2008)
[16] Ng, C.Y., Susilo, W., Mu, Y., Safavi-Naini, R.: RFID privacy models revisited. In: ESORICS. LNCS, vol. 5283, pp. 251–266. Springer (2008)
[17] Oren, Y., Feldhofer, M.: A low-resource public-key identification scheme for RFID tags and sensor nodes. In: Basin, D.A., Capkun, S., Lee, W. (eds.) WiSec. pp. 59–68. ACM (2009)
[18] Peeters, R., Hermans, J.: Wide strong private RFID identification based on zero-knowledge. IACR Cryptology ePrint Archive 2012, 389 (2012)
[19] Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO. LNCS, vol. 435, pp. 239–252. Springer (1989)
[20] Shamir, A.: SQUASH - a new MAC with provable security properties for highly constrained devices such as RFID tags. In: Nyberg, K. (ed.) FSE. LNCS, vol. 5086, pp. 144–157. Springer (2008)
[21] Tuyls, P., Batina, L.: RFID-tags for anti-counterfeiting. In: Pointcheval, D. (ed.) CT-RSA. LNCS, vol. 3860, pp. 115–131. Springer (2006)
[22] Vaudenay, S.: On privacy models for RFID. In: ASIACRYPT. LNCS, vol. 4833, pp. 68–87. Springer (2007)

Radio Frequency Identification System Security, C. Ma and J. Weng (Eds.), IOS Press, 2013. © 2013 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-328-5-17

Chameleon RFID and Tracking Prevention
Marek Klonowski, Mirosław Kutyłowski¹, Piotr Syga²
Wrocław University of Technology, Faculty of Fundamental Problems of Technology, Poland
¹ Corresponding Author: Wrocław University of Technology, Wybrzeże Wyspiańskiego 27, 50-370 Wrocław, Poland; E-mail: [email protected].
² Author was supported by NCN project, decision number DEC-2012/07/N/ST6/02203.

Abstract. We propose a method for the prevention of tracking RFID tags. We consider the model in which the adversary may eavesdrop on a large fraction of interactions, but not all of them. We propose a scheme that we call Chameleon RFID. It is based on dynamic changes of identity during each interaction, flipping half of the bits at random positions. The scheme is not based on any secrets shared by the system and the tags but on their continuous interaction. We prove privacy properties of the scheme by means of rapid mixing of Markov chains and provide concrete estimations and an experimental evaluation of the rate of convergence to the uniform distribution. We also present some specific applications of the proposed method. The most important one is leaving traces of unauthorized tag activation.
Keywords. RFID identity management, traceability, privacy, limited view adversary, Markov chain, rapid mixing, coupling

1. Introduction
Today one of the most important concerns about the usage of RFID tags is potential privacy violations via tracing people holding the tags. Equally alarming are the possibilities of tracing the traffic of items, e.g. in the case of business espionage. For this reason, RFID tags are quite frequently not deployed despite potential economic gains. In this paper we propose a new approach to the management of RFID tags that may help to overcome the above mentioned problems. Our protocol, called Chameleon RFID, can also be used effectively in some non-standard application scenarios not discussed so far.

1.1. Main Assumptions
Our target is to provide an efficient framework for privacy protection and untraceability for RFID based systems. Unlike most authors, we do not assume that an adversary is able to eavesdrop globally on all interactions with an RFID tag. Instead, we assume that a certain number of interactions is not observed by the adversary. This is motivated by the fact

M. Klonowski et al. / Chameleon RFID and Tracking Prevention

that while it is possible to spy at many locations, it is rather infeasible to spy everywhere for a long time. We feel that this is more realistic, just as in the case of anonymous communication protocols where this model has been introduced [1]. The point is that this realistic approach makes the design of schemes substantially easier.
The second assumption is that the RFID tags are not tamper resistant. This is motivated by the fact that tamper resistance increases the fabrication costs substantially, while the most important advantage of RFID tags should be their low cost. On the other hand, the majority of solutions from the literature is based on secrets stored by tags. Consequently, the tags may be exposed to attacks by adversaries with appropriate technical equipment. This motivates us to propose RFID tags that do not hold any secret keys.

Draft of the Scheme
Below we describe the main idea of the scheme; details of the construction are given in Sect. 2. The basic element of our approach is to change the identifiers of the tags rapidly. Such an approach has already been exploited by many authors, but usually the changes are determined by a common secret shared by the system database and the tag (see e.g. [2]). However, we propose that the identifier's change is random and determined by the tag itself, not by a secret shared with the system's database. Unlike [3] we assume that the changes occur at many positions. Namely, after sending the current identifier:

• the tag chooses at random n out of the 2n bit positions of the tag's identifier,
• each bit on a chosen position is flipped.
Despite the fact that the number of flipped bits is large, there is a strong link between the old identifier and the new one stored by the tag, as a Hamming distance of exactly n between two unrelated strings is rather unlikely. For recognizing a tag, the system stores the last identifier seen from the tag together with its permanent ID, which is stored only in the database. If the current identifier ID′ is sent by the tag, the system searches the database for an identifier ID such that the Hamming distance between ID and ID′ is exactly n. When found, ID′ overwrites ID in the database. A single round of the scheme is depicted in Fig. 1.
On the other hand, we shall see that if we perform two transitions of this kind, then we may reach an arbitrary identifier with positive probability. This means that if just a single interaction is not observed by an adversary, then the identifier of the tag may become any sequence of bits. Indeed, one transition occurs during the last interaction with the adversary (the result is not observed by the adversary), the second one during the interaction not observed by the adversary.
We may consider a graph G over all strings of length 2n and say that there is an edge between nodes a and b if the Hamming distance between a and b is exactly n. Note that the number of neighbors of each node of G is $\binom{2n}{n}$, which is $(n+1)C_n$, where $C_n$ is the n-th Catalan number. As $C_n \sim \frac{4^n}{n^{3/2}\sqrt{\pi}}$, the neighbors of a node make up a fraction of about $\frac{1}{\sqrt{n\pi}}$ of all 2n-bit strings. For concrete small values of n the fraction of neighbors of a given node in G is:

  2n                                 10      20      30      40      50      60
  fraction of all 2n-bit strings     0.246   0.176   0.144   0.125   0.112   0.103

Note that the probability of assigning a random tag as the transformed tag of a given tag is quite large if the length of the identifiers is small. Such a case may lead to ambiguities. The way to avoid this problem is to split the binary string into smaller substrings and in each of them execute the procedure separately and independently. Thereby, if we split a sequence of 60 bits into 6 parts of 10 bits each, the chance of a coincidental neighborhood becomes $0.246^6 \approx 2^{-12}$. For sequences of length 160 partitioned into subsequences of length 10 we get probability $\approx 2^{-32}$. Such a collision can be treated manually (inspection of the serial number printed on the item).

2. Chameleon Scheme
In this section we give a more precise algorithmic description of the Chameleon protocol outlined in the previous section.

Setup of the System
The system consists of two basic components:
RFID-tags: each RFID tag has its permanentID. However, it is not stored in the tag. Instead, the tag stores two identifiers: previousID and currentID. At the beginning both identifiers are random bit strings of length 2n with an even number of ones. Identifiers of RFID-tags are chosen independently.
DB-System: this part of the system contains a central database and RFID readers capable of remote communication with RFID-tags. For each RFID tag registered in the system there are two identifiers in a single record stored in the database, namely presentedID and permanentID.
The identifier permanentID of an RFID tag is never changed. The identifiers previousID, currentID and presentedID are dynamic and change at each successful interaction with the reader. In the regular situation previousID = presentedID, that is, the temporary identifier stored by the system is one step behind the tag. However, in some fault circumstances it may happen that currentID = presentedID: namely, the system may make an update while the RFID tag receives no authentication message from the reader.

Description of a Round
After each scanning the DB-system tries to recognize the tag (i.e. to match the value received from the scanned RFID tag to the proper ID kept in the database). On the side of the RFID-tag the identifiers are changed. In Fig. 1 we describe a single interaction of a reader with an RFID tag. In the procedure UPDATE a random subset of n bits is chosen out of the 2n bits and flipped, i.e. the bits on the chosen positions are negated. An example of several rounds of the update procedure is shown in Fig. 2.
To demonstrate that after just several iterations of the update procedure the distribution of achievable IDs (i.e. IDs with an even number of 1's) is close to uniform, we performed an experiment. Starting from an ID with all bits equal to 1 we performed 8 iterations of the update function. We repeated this procedure

  RFID                                                  DB-System
  SETUP: (currentID, previousID)                        (presentedID, permanentID), where presentedID = previousID
  ROUND
  1. z := currentID
  2.                      ---- z ---->
  3.                                                    find a record (presentedID, permanentID) such that the
                                                        Hamming distance between z and presentedID is exactly n
  4.                                                    choose at random k positions where z and presentedID
                                                        differ; let L be the list of these positions
  5.                      <---- L ----
  6. check that on the positions from L the strings     update: presentedID := z
     currentID and previousID disagree
  7. if the result is negative then abort
  8. previousID := currentID
  9. currentID := UPDATE(currentID)

Figure 1. Ideal case when the system and the RFID are synchronized.

20000 times. Fig. 3 depicts the results of the experiment for n = 6. One can read off the probability distribution of obtaining a given ID starting from $ID_0$ after t rounds of the update procedure. Namely, let us identify the IDs with the binary representations of numbers in the range $[0, 2^{2n} - 1]$. Let $v_0$ be a vector of length $2^{2n}$ consisting of $2^{2n} - 1$ zeros and a 1 at the position corresponding to $ID_0$. The vector $v_0$ represents the probability distribution of the starting ID. The update is represented by a transition matrix $U = [u_{i,j}]$ of size $2^{2n} \times 2^{2n}$, where $u_{i,j}$ is the probability of a transition from $ID_x = i$ to $ID_{x+1} = j$. Clearly
$$u_{i,j} = \begin{cases} \binom{2n}{n}^{-1} & \text{if } HD(i, j) = n, \\ 0 & \text{otherwise,} \end{cases}$$
where $HD(x, y)$ denotes the Hamming distance between x and y. The probability distribution of IDs after t updates is calculated as $v_t = v_0 U^t$.
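The round of Fig. 1 together with the substring split suggested at the end of Sect. 1, as an added example (not code from the paper): identifiers are 16 blocks of 10 bits (the 160-bit variant), UPDATE flips 5 bits in each block independently, the DB-system matches a scanned z to the record whose presentedID is at Hamming distance exactly 5 in every block, sends the position challenge L, and the tag performs the check of step 6 before updating. Two fault cases from the text are exercised: the DB-system updating presentedID while the tag never receives L, and a reader that cannot name positions where currentID and previousID differ. The choice k = 4, the seeded generator, and deriving the initial currentID as UPDATE(previousID) (so that the first distance lookup succeeds) are assumptions of this example.

```python
import random

BLOCK = 10           # substring length suggested in Sect. 1
BLOCKS = 16          # 16 x 10 = 160-bit identifiers (assumption)
LEN = BLOCK * BLOCKS


def random_even_id(rng):
    """Random 2n-bit string with an even number of ones (the last bit acts as a parity bit)."""
    bits = [rng.randrange(2) for _ in range(LEN)]
    bits[-1] ^= sum(bits) & 1
    return tuple(bits)


def update(ident, rng):
    """UPDATE: in every block of 2m bits flip m bits at random positions, independently per block."""
    bits = list(ident)
    for start in range(0, LEN, BLOCK):
        for i in rng.sample(range(start, start + BLOCK), BLOCK // 2):
            bits[i] ^= 1
    return tuple(bits)


def neighbours(a, b):
    """True iff a and b differ in exactly BLOCK/2 positions inside every block."""
    return all(sum(a[i] != b[i] for i in range(s, s + BLOCK)) == BLOCK // 2
               for s in range(0, LEN, BLOCK))


class Tag:
    """RFID side: holds (currentID, previousID) only; permanentID lives in the database."""
    def __init__(self, rng):
        self.previousID = random_even_id(rng)
        self.currentID = update(self.previousID, rng)      # so the first distance lookup succeeds

    def send(self):
        return self.currentID                               # steps 1-2: z := currentID, send z

    def receive(self, L, rng):
        # step 6: every position in L must be one where currentID and previousID disagree
        if L is None or any(self.currentID[i] == self.previousID[i] for i in L):
            return False                                    # step 7: abort
        self.previousID = self.currentID                    # step 8
        self.currentID = update(self.currentID, rng)        # step 9
        return True


class DBSystem:
    def __init__(self, k):
        self.k = k
        self.records = {}                                   # permanentID -> presentedID

    def register(self, permanentID, tag):
        self.records[permanentID] = tag.previousID          # SETUP: presentedID = previousID

    def scan(self, z, rng):
        hits = [pid for pid, pres in self.records.items() if neighbours(z, pres)]
        if len(hits) != 1:
            return None, None                               # unknown tag, or a collision to resolve manually
        pid = hits[0]
        differ = [i for i in range(LEN) if z[i] != self.records[pid][i]]
        L = rng.sample(differ, self.k)                      # steps 3-5: challenge positions
        self.records[pid] = z                               # step 6: presentedID := z
        return pid, L


def run_demo(tags=3, rounds=5, seed=1):
    """Several synchronized rounds; True iff every scan identified the right tag and the tag accepted L."""
    rng = random.Random(seed)            # deterministic for the demo; use random.SystemRandom() on real hardware
    db = DBSystem(k=4)
    fleet = {pid: Tag(rng) for pid in range(tags)}
    for pid, tag in fleet.items():
        db.register(pid, tag)
    for _ in range(rounds):
        for pid, tag in fleet.items():
            found, L = db.scan(tag.send(), rng)
            if found != pid or not tag.receive(L, rng):
                return False
    return True


def desync_demo(seed=2):
    """DB updates presentedID := z but the tag never receives L: the next scan finds no record."""
    rng = random.Random(seed)
    db, tag = DBSystem(k=4), Tag(rng)
    db.register("t", tag)
    first, _ = db.scan(tag.send(), rng)                     # DB moved on, tag did not
    if first != "t":
        return "unexpected"
    return db.scan(tag.send(), rng)[0]                      # presentedID == currentID now: distance 0


def forged_L_demo(seed=3):
    """A reader that does not know presentedID cannot name positions where the tag's two IDs differ."""
    rng = random.Random(seed)
    tag = Tag(rng)
    agree = [i for i in range(LEN) if tag.currentID[i] == tag.previousID[i]]
    return tag.receive(agree[:4], rng)
```

The desynchronization case is the one the text warns about: once presentedID equals currentID the distance lookup fails, so a deployment needs an out-of-band recovery path (the manual serial-number inspection mentioned in Sect. 1) rather than silently re-registering the tag.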

Figure 2. Example of the update procedure for 2n = 8 in 3 rounds (grey boxes mark bits to be flipped). The rows recoverable from the figure are the identifier 0 0 0 1 0 1 0 0 and the identifiers after flipping 1 0 1 0 0 1 1 0, 1 1 0 1 0 0 0 1 and 0 1 0 0 1 1 1 0; each of the latter differs from 0 0 0 1 0 1 0 0 in exactly 4 positions (the grey markings are not recoverable from the text).

Figure 3. Histogram of the frequencies of different IDs after 8 iterations of the update procedure within 20000 trials, starting from $ID_0 = 111111111111$ (vertical axis: frequency, from 0.0002 to 0.0012).

3. Protocol Modeling and Security Analysis
We identify each RFID tag T with a bit string of length 2n denoted ID(T). We also assume that n is even. According to the definition the Hamming weight of each ID is even. Apart from simplifying the analysis, this enables us to say that the last bit of the ID is a parity bit added for error detection.
First note that in two steps we can reach any ID of even Hamming weight. Indeed, let ID be a starting ID and ID′ be an arbitrary ID of even Hamming weight. Let L denote the set of positions on which ID and ID′ differ. Obviously, L contains an even number of elements, otherwise ID′ would contain an odd number of 1's. Let $L_1$ and $L_2$ be a partition of L into two sets of equal cardinality. Then we choose two sets of positions $A_1$ and $A_2$ such that $L_1 = A_1 \setminus A_2$, $L_2 = A_2 \setminus A_1$, and $A_1 \cap A_2$ is an arbitrary set of $n - |L|/2$ positions disjoint from L (note that there are $2n - |L|$ such positions and that $n - |L|/2 \le 2n - |L|$). Both $A_1$ and $A_2$ then have cardinality $|L|/2 + (n - |L|/2) = n$, and it is easy to see that applying the transitions with the sets $A_1$ and $A_2$ leads from ID to ID′.
The possibility to reach any ID in just two updates does not mean that we can reach them all with the same probability; in fact the probabilities are quite different. However, intuitively, after a sufficient number of updates the probabilities of all possible IDs become almost the same, and an adversary that is not able to observe the tag during these updates is unable to find any link between the IDs. For this reason the adversary cannot trace the tag. The main question, however, is to determine the number of transitions which are necessary until the probability distribution of the resulting IDs (of even weight) becomes almost uniform. Below we present a formal proof that this process of equalizing the probabilities of different IDs is very fast. Consequently, the adversary loses the linking possibility when it skips a few updates for a given RFID-tag.

Copyright © 2013. IOS Press, Incorporated. All rights reserved.

3.1. Notation
Let $\mathcal{E}$ be the set of all bit strings of length 2n with an even number of ones. Let $ID_t \in \mathcal{E}$ be the bit string on the RFID tag after performing t transitions. Note that $ID_t$ is a random variable. Let $[n] = \{1, 2, \ldots, n\}$. For a bit string s let s(i) be the i-th bit of s. By $\bar{b}$ we denote the bit b flipped, i.e. $\bar{b} = 1 - b$. Clearly, $\{ID_t\}_{t \ge 0}$ is a homogeneous Markov chain. Indeed, one can observe that the state $ID_{t+1}$ depends only on $ID_t$. For a bit string s and a subset $A \subseteq [2n]$ we define T(s, A) as the bit string obtained from s by flipping the bits on the positions from A. That is, if T(s, A) = s′, then $s'(i) = \overline{s(i)}$ if and only if $i \in A$. Let H(s, s′) denote the Hamming distance between s and s′. From now on we use the notation $X_t$ instead of $\{X_t\}_{t \ge 0}$ if it is clear from the context that we are talking about a Markov chain. The transition probabilities of the Markov chain $ID_t$ are as follows:
$$\Pr[ID_{t+1} = s' \mid ID_t = s] = \begin{cases} \binom{2n}{n}^{-1} & \text{if } H(s, s') = n, \\ 0 & \text{otherwise.} \end{cases}$$
Note that if $ID_0 \in \mathcal{E}$, then $ID_t \in \mathcal{E}$ for each t > 0 as well. Indeed, flipping a pair of bits changes the Hamming weight by −2, 0 or +2, and since n is even the n flipped bits can be grouped into pairs, so a transition changes the Hamming weight by an even number. Thereby we see that the chain $ID_t$ over $\mathcal{E}$ is properly defined.
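The parity and two-step reachability claims above, and the distribution $v_t = v_0 U^t$ of the experiment in Sect. 2, can be checked exactly without forming the $2^{2n} \times 2^{2n}$ matrix: by the symmetry of the hypercube, $\Pr[ID_t = s]$ depends only on the Hamming distance d between s and $ID_0$, and d itself performs a Markov chain whose step is hypergeometric (of the n flipped positions, i fall among the d positions where $ID_t$ and $ID_0$ differ, moving the distance to $d + n - 2i$). The following added example is not code from the paper, and the distance-class reduction is an editorial device rather than the paper's computation; it evaluates that law with exact rationals and the total variation distance to the uniform law on $\mathcal{E}$ for n = 6, the parameters of Fig. 3.

```python
from fractions import Fraction
from math import comb


def distance_kernel(n):
    """Transition law of d = H(ID_t, ID_0): with i of the n flipped positions among the d differing ones,
    the distance becomes d + n - 2i, and i is hypergeometric with probability C(d,i)C(2n-d,n-i)/C(2n,n)."""
    total = comb(2 * n, n)
    kernel = {}
    for d in range(2 * n + 1):
        kernel[d] = {}
        for i in range(max(0, d - n), min(d, n) + 1):
            kernel[d][d + n - 2 * i] = Fraction(comb(d, i) * comb(2 * n - d, n - i), total)
    return kernel


def distance_law(n, t):
    """Exact Pr[H(ID_t, ID_0) = d] for all d after t updates (v_t = v_0 U^t folded over distance classes)."""
    kernel = distance_kernel(n)
    law = {0: Fraction(1)}
    for _ in range(t):
        nxt = {}
        for d, p in law.items():
            for d2, q in kernel[d].items():
                nxt[d2] = nxt.get(d2, Fraction(0)) + p * q
        law = nxt
    return law


def tvd_from_uniform(n, t):
    """TVD(ID_t, uniform on E). By symmetry all C(2n, d) strings at distance d from ID_0 are equally
    likely, so Pr[ID_t = s] = p_d / C(2n, d) for each such s. Requires n even, so that parity is kept."""
    if n % 2:
        raise ValueError("n must be even, otherwise the walk leaves E")
    law = distance_law(n, t)
    u = Fraction(1, 2 ** (2 * n - 1))                      # |E| = 2^(2n-1)
    total = Fraction(0)
    for d in range(0, 2 * n + 1, 2):                        # odd distances carry no mass when n is even
        total += comb(2 * n, d) * abs(law.get(d, Fraction(0)) / comb(2 * n, d) - u)
    return total / 2


def reachable_in_two_steps(n):
    """All even distances 0, 2, ..., 2n have positive probability after two updates (Sect. 3 argument)."""
    law = distance_law(n, 2)
    return all(law.get(d, Fraction(0)) > 0 for d in range(0, 2 * n + 1, 2))


def mixing_table(n=6, rounds=(1, 2, 3, 4, 8)):
    """TVD to uniform after each number of rounds, as floats for reading off."""
    return {t: float(tvd_from_uniform(n, t)) for t in rounds}
```

After one update every string at distance exactly n is equally likely and nothing else is reachable, so the distance is $1 - \binom{2n}{n}/2^{2n-1}$ exactly; after two updates the whole of $\mathcal{E}$ is reachable and the distance is already small, and by eight rounds it is far below the sampling noise of a 20000-trial histogram, which is why Fig. 3 looks flat.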

Fact 1. $\{ID_t\}_{t \ge 0}$ is an ergodic Markov chain that converges to the uniform distribution over $\mathcal{E}$.
Proof. The transition probabilities are symmetric (the probability of a transition from state a to state b is the same as from b to a), and any ID in $\mathcal{E}$ can be reached from any other in two transitions (see above), so the chain $ID_t$ is irreducible. One can also easily construct a cycle of 2n + 1 states such that the transitions between consecutive states have positive probability. The existence of odd-length cycles implies aperiodicity³. Each aperiodic and irreducible chain converges to its unique stationary distribution. Since $\Pr[ID_{t+1} = s \mid ID_t = s'] = \Pr[ID_{t+1} = s' \mid ID_t = s]$, the uniform distribution is the only stationary distribution of this chain. □
The remaining (and most difficult) problem is to show that $ID_t$ converges to the uniform distribution fast. Let us recall some standard definitions regarding the convergence of Markov chains to the stationary distribution.
Definition 2. For two discrete random variables X, Y we define the total variation distance as
$$TVD(X, Y) = \frac{1}{2} \sum_x \left| \Pr[X = x] - \Pr[Y = x] \right| .$$
Definition 3. Let $\{X_t\}_{t \ge 0}$ be an ergodic Markov chain converging to the stationary probability distribution U. Let S be the space of possible states. We define the mixing time $\tau(\varepsilon)$ as follows:
$$\tau(\varepsilon) = \max_{s \in S} \min\{t \in \mathbb{N} : TVD(X_t, U) \le \varepsilon \wedge X_0 = s\} .$$
In other words, the mixing time is the number of steps t such that after t steps the probability distribution is ε-close to its limit distribution independently of the initial state. One of the most efficient methods for proving mixing time bounds is the so-called coupling technique recalled below.
Definition 4. A coupling for a Markov chain $M_t$ is a joint process $(X_t, X_t^*)$ such that each of its marginal processes, i.e. $X_t$ and $X_t^*$, is a faithful copy of $M_t$ (which means that the transition probabilities are the same as for $M_t$).
Clearly the processes $X_t$ and $X_t^*$ from a coupling can be dependent (and in all proofs of convergence of Markov chains they are dependent). The fundamental coupling lemma recalled below shows that by constructing a coupling for a Markov chain we can get an upper bound on its mixing time.
Lemma 5 (Coupling lemma). Let $M_t$ be an ergodic Markov chain converging to U. Let $(X_t, X_t^*)$ be any coupling for $M_t$ with $X_0^*$ distributed according to U (so that $X_t^*$ is distributed according to U for every t). Then
$$TVD(X_t, X_t^*) \le \Pr[X_t \ne X_t^*] .$$
³ To be completely correct we need to assume that the process is lazy, i.e. with some fixed (possibly small) probability the state does not change in some rounds. Such an assumption does not substantially change the protocol.


M. Klonowski et al. / Chameleon RFID and Tracking Prevention

Corollary 6. If (X_t, X_t^*) is a coupling for M_t such that $\Pr[X_T \ne X_T^*] \le \varepsilon$ for any initial states X_0 = s and X_0^* = s', then τ(ε) ≤ T.

3.2. Coupling construction

We follow the coupling approach to prove that our process ID_t is very close to the uniform distribution after a few rounds. Let us construct a coupling for ID_t, denoted (ID_t, ID_t^*). We call ID_t the free process and ID_t^* the dependent process. For the sake of clarity let us assume that, being in a given state ID_t, the free process chooses the next state first. Then the dependent process tries to approach ID_t without violating the rule that the transition probabilities must be the same as for the basic process.

Let $Z_t = \{\, i \in [2n] : ID_{t-1}(i) = ID^*_{t-1}(i) \,\}$ and $\bar{Z}_t = [2n] \setminus Z_t$. Let $k_t = |\bar{Z}_t| = 2n - |Z_t|$ denote the number of bits that differ between the two processes. In round t the process ID_t chooses a subset A_t of cardinality n according to the probability distribution defining the marginal process ID_t. Let $l_t = |A_t \cap \bar{Z}_t|$ denote the number of bits that differ between the two processes after step t − 1 and have been selected for flipping in round t by the free process. For the dependent process ID_t^*, we define the subset of bits to be changed as $A_t^* = (A_t \cap Z_t) \cup B_t$, where
$$B_t = \begin{cases} \text{a random subset of cardinality } l_t \text{ of } \bar{Z}_t \setminus A_t & \text{if } l_t \le \tfrac{k_t}{2}, \\[4pt] \text{the whole set } \bar{Z}_t \setminus A_t \text{ together with a random subset of cardinality } 2l_t - k_t \text{ of } A_t \cap \bar{Z}_t & \text{if } l_t > \tfrac{k_t}{2}. \end{cases}$$

One can easily check that each subset of [2n] of cardinality n is chosen with the same probability as A_t^*, so the marginal of the dependent process is unchanged. Thus (ID_t, ID_t^*) is a well-defined coupling process. Some example steps of the coupling are depicted in Fig. 4.


3.3. Rapid mixing

We need to investigate what T is necessary to have both processes coupled with probability at least 1 − 1/(2n), i.e. for what T we have ID_T = ID_T^* with probability at least 1 − 1/(2n). Note that by the definition of the coupling process, if ID_T = ID_T^*, then ID_t = ID_t^* for each t ≥ T.

Definition 7. A random variable X has a hypergeometric distribution H(N, n, m) if
$$\Pr[X = x] = \frac{\binom{m}{x}\binom{N-m}{n-x}}{\binom{N}{n}} .$$

The hypergeometric distribution describes the number of black balls obtained when we draw n balls out of N − m white and m black balls without replacement. One can see that $k_{t+1} \overset{D}{\sim} 2\,\bigl|H(2n, n, k_t) - \tfrac{k_t}{2}\bigr|$. Indeed, the positions in $\bar{Z}_t$ chosen for flipping play the role of the chosen "black balls". If their number h is lower than k_t/2, then k_{t+1} = 2(k_t/2 − h), as we are able to couple the processes on 2h positions. In the opposite case, each position is flipped by at least one process; however 2h − k_t = 2(h − k_t/2) positions are flipped by both processes, and thereby the processes still differ there.


[Figure 4: three rounds of the coupling for 2n = 8, showing for the free process (left) and the dependent process (right) the choice of bits for flipping and the state after rounds 1, 2 and 3.]

Figure 4. Coupling example for 2n = 8, the free process on the left and the dependent process on the right (grey boxes mark bits to be flipped in the current round, black boxes mark matching bits).

Fact 8. Let $X \overset{D}{\sim} H(2n, n, k)$ and let k be an even integer. Then
$$\Pr\Bigl[\,\bigl|X - \tfrac{k}{2}\bigr| \ge \tfrac{k}{4}\,\Bigr] \le 2 \exp\Bigl(-\tfrac{k}{8}\Bigr) .$$

Proof. From Sect. 2.1 in [5] we know that $\Pr[X \le EX - t] \le \exp\bigl(-\tfrac{t^2}{2\sigma^2}\bigr)$ for t ≥ 0, where EX denotes the expected value of X and σ² denotes its variance. We need to notice that $EX = \tfrac{k}{2}$ and $\sigma^2 = \tfrac{k(2n-k)}{4(2n-1)} \le \tfrac{k}{4}$. Moreover, $\Pr[X = \tfrac{k}{2} + f] = \Pr[X = \tfrac{k}{2} - f]$ for any f.

Fact 9. For every 2n ≥ k_t ≥ 2 the following inequality holds:
$$\Pr\Bigl[k_{t+1} \le \tfrac{k_t}{2}\Bigr] > \tfrac{1}{2} .$$

Proof. From Fact 8 let us note that $2\exp(-\tfrac{k}{8}) < \tfrac12$ if k ≥ 11. Thus for every k_t > 11 we have Pr[k_{t+1} ≤ k_t/2] > 1/2. The case k_t < 11 can be checked easily by direct calculation of the probabilities. Recall that the set of possible initial IDs and the method of updating IDs ensure that in every round we have 2 | k_t.

We say that round t is successful if k_{t+1} ≤ k_t/2. Since k_0 ≤ 2n we need at most log n + 1 successful steps to have all bits matched. Each round of the protocol is successful with probability at least 1/2, independently of the others. By Fact 9, the number of successful rounds in m consecutive rounds stochastically dominates the binomial distribution Bin(m, 1/2). Using a standard version of the Chernoff bound from [5] (Formula 2.14) we can find the number of steps necessary for having at least log n + 1 successful steps and consequently the protocol coupled.

[Figure 5: plot of the number of rounds (2 to 14) needed to finish the coupling process against n (200 to 800), with two curves: the mean and the 1 − 1/n quantile.]

Figure 5. Number of rounds needed to finish the coupling process for a tag with |ID| = 2n on average (blue) and in most cases (violet) in 14000 trials.


Fact 10. After T > 3.6 log n + 1.6 steps of the coupling process, ID_T^* = ID_T with probability at least 1 − 1/(2n).

As a direct consequence of Fact 10 and the Coupling Lemma (Lemma 5) we get the following theorem:

Theorem 11. Let us consider a tag with an ID of length 2n starting from an arbitrary state with an even number of ones. After 3.6 log n + 2 rounds its distribution differs from the uniform distribution over 2n-bit strings with an even number of ones by no more than 1/(2n).

Fig. 5 depicts the result of a numeric experiment on the described coupling process.

While Theorem 11 is based on a general estimation method, for concrete n we can proceed in a different way. For example, let us consider n = 4. We say that the coupling process is in state S_i if there are differences on i positions between the free process and the dependent process. Note that due to the protocol properties only even values of i are possible. So for n = 4 the possible states are S_0, S_2, S_4, S_6, S_8. We may build a directed weighted graph with vertices S_0, S_2, S_4, S_6, S_8, where an edge from S_i to S_j with weight p means that in state S_i executing one round leads to state S_j with probability p. Let Z̄ denote the set of positions where the free process and the dependent process have different values. For the case n = 4 one can see that:


• from state S_8 the coupling always gets into state S_0;
• from state S_6 there are the following cases concerning the number z of positions from Z̄ which are flipped by the free process:
  z = 2: the next state is S_2, this case occurs with probability 15/70;
  z = 3: the next state is S_0, this case occurs with probability 40/70;
  z = 4: the next state is S_2, this case occurs with probability 15/70;
• from state S_4 there are the following cases concerning the number z of positions from Z̄ which are flipped by the free process:
  z = 0: the next state is S_4, this case occurs with probability 1/70;
  z = 1: the next state is S_2, this case occurs with probability 16/70;
  z = 2: the next state is S_0, this case occurs with probability 36/70;
  z = 3: the next state is S_2, this case occurs with probability 16/70;
  z = 4: the next state is S_4, this case occurs with probability 1/70;
• from state S_2 there are the following cases concerning the number z of positions from Z̄ which are flipped by the free process:
  z = 0: the next state is S_2, this case occurs with probability 15/70;
  z = 1: the next state is S_0, this case occurs with probability 40/70;
  z = 2: the next state is S_2, this case occurs with probability 15/70.


Following the above we get the worst-case mixing time bound (for n = 4) τ = 32/17, which occurs if we begin in S_4. Based on the above derivations we get the transition matrix T for this graph. Then we may derive T^t for any t and use the fact that T^t defines the probabilities of reaching nodes in a walk consisting of t steps. Note that S_0 is an absorbing state, and we are looking for the probability of successful coupling after t steps, that is the probability of reaching S_0 in t steps.

4. Applications

Apart from the basic application of the protocol mentioned before, i.e. identifying objects in a way that is immune against a passive adversary that may monitor only a fraction of the traffic, this protocol can be used particularly efficiently in some other scenarios that we describe below.

Presence in Restricted Area. Assume that the system consists of a number of mobile units u_1, ..., u_k that move within some restricted area S. Apart from the location control within S run by the system, it must guarantee that any unit leaving S loses its status as a unit entitled to move within S. So we are dealing with a friend-or-foe system, where leaving S immediately means that the unit is contaminated and should be considered a foe. With the Chameleon scheme, once a unit gets out of S and authentication is performed there, the scheme inside S will no longer recognize it as a "friend". For this purpose the identifiers are administered by two separate databases of the system: the first database is kept inside


S, while the second one is a global one. The security policy is that there is a unidirectional flow of updates: from the local to the global database but not vice versa. It is easy to see that one can build a hierarchical system described by a tree, where each node is labeled by an area. We assume that if a node with label S has a child node with label S′, then S′ is a subset of S. In this scenario, if an update occurs within an area S, then information about the update is delivered to the parent node of S and an update is performed recursively at the parent node. It guarantees that if the tag's location corresponds to a node A with label S, then the tag will be recognized in all areas that are labels of the nodes on the path P from A to the root of the tree, but not in the areas that are labels of siblings of the nodes of P or of the children of A.

Unauthorized Access Detection. One of the basic threats for some high-security systems is inspection of the items by unauthorized readers run by malicious parties. The mere fact that an item has been inspected by such a party should be enough to exclude it from further processing; a good example is the delivery of access codes, passwords, PIN numbers etc. One solution to the problem is electronic artifacts that are authenticated with strong protocols based on asymmetric cryptography and including prior authentication of the verifiers (an example of this approach is [4]). However, this requires a complicated PKI infrastructure, attribute handling and special cryptographic hardware. The Chameleon scheme is a lightweight solution to this problem: once an unauthorized party inspects the RFID tag, it becomes "corrupted". As the change of the identifier is automatic and irreversible, it cannot be prevented by the intruder. In the scenario concerned the RFID tags should contain two fields: the first one with a permanent ID, the second one modified via the Chameleon scheme. Also, the protocol should be slightly changed: the transition of the ID of the tag should be performed after tag initialization and before presenting the current ID.


RFID Ownership Transfer. The Chameleon scheme can be used as an efficient and simple RFID ownership transfer method. Once a tag is transferred to a new owner, a few interactions make it purely random for the previous owner. This is true even if the previous owner has access to all secrets from the tag (in fact, for the Chameleon scheme there are no such secrets).

5. Conclusion

In our paper we presented a new privacy-preserving protocol for RFID tags that is immune against an eavesdropping adversary who misses several communication rounds between the tag and the reader. Such an adversary model is justified, as the communication between tags and the system takes place at multiple locations, so it is infeasible to eavesdrop on the whole communication. The protocol is suitable even for very cheap tags, as it requires only the ability to choose a random subset of bits and bit negation; it does not require any secret that could be intercepted by the adversary, which would lead to corrupting the whole system. We provided a formal security analysis using total variation distance as a security measure. We also provided some numeric experiments illustrating the proven result.


References

[1] Ron Berman, Amos Fiat, and Amnon Ta-Shma. Provable unlinkability against traffic analysis. In Ari Juels, editor, Financial Cryptography, volume 3110 of Lecture Notes in Computer Science, pages 266–280. Springer, 2004.
[2] Mike Burmester and Jorge Munilla. Lightweight RFID authentication with forward and backward security. ACM Trans. Inf. Syst. Secur., 14(1):11, 2011.
[3] Jacek Cichoń, Marek Klonowski, and Mirosław Kutyłowski. Privacy protection in dynamic systems based on RFID tags. In PerCom Workshops, pages 235–240. IEEE Computer Society, 2007.
[4] Lucjan Hanzlik, Kamil Kluczniak, Łukasz Krzywiecki, and Mirosław Kutyłowski. Mutual restricted identification. In EuroPKI (to appear), 2013.
[5] S. Janson, T. Łuczak, and A. Ruciński. Random Graphs. Wiley Series in Discrete Mathematics and Optimization. Wiley, 2011.


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-328-5-31


A Secure Elliptic Curve based RFID Ownership Transfer Scheme with Controlled Delegation

Shu CHENG a, Vijay VARADHARAJAN a, Yi MU b and Willy SUSILO b
a Information and Networked Systems Security Research, Department of Computing, Faculty of Science, Macquarie University, Sydney, Australia; e-mail: {shu.cheng, vijay.varadharajan}@mq.edu.au
b Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Wollongong, Australia; e-mail: {ymu,wsusilo}@uow.edu.au


Abstract. In practical applications, the owner of an RFID-tagged item can change. In this paper, we propose a new RFID ownership transfer protocol using elliptic-curve cryptography. The paper first considers security and privacy requirements in the ownership transfer process. Then the paper provides a detailed description of our ownership transfer scheme, outlining the various protocol phases. Key features of the proposed scheme are that it allows controlled delegation and authorisation recovery, and that the ownership transfer is achieved without a trusted third party. We describe a security analysis of the proposed scheme and demonstrate that it meets the desired security and privacy requirements. We also illustrate the performance results and show that our scheme is feasible for lightweight RFID tags.

Keywords. RFID, Ownership Transfer, Security, Privacy, Controlled Delegation

1. Introduction

Radio Frequency Identification (RFID) has long been considered a substitute for barcodes and offers several highly attractive features. RFID technology is widely used in many applications in our daily life, such as supply chains, access control, automatic payment, animal tracking and electronic passports [6]. RFID tags usually have limited memory and weak computational capabilities because of their low cost and easy deployment. Therefore, RFID systems are vulnerable to various critical security threats. Over recent years, several security and privacy concerns have been raised in many research works [6]. Communications between RFID tags and readers are vulnerable to various attacks. A tag could be eavesdropped on and manipulated illegally, since the communication between reader and tag is often over an insecure wireless channel. In addition, each RFID tag contains a unique piece of information which can be used to identify it. An adversary can trace or distinguish a tag from other tags if this unique information is captured during communication between the tag and the reader. On the other hand, passive tags usually have limited memory and low processing capacity, and hence strong security approaches are infeasible in practice. Therefore, they are not usually tamper-resistant and are vulnerable to compromise.

Ownership means that only the owner has access to the tag and is able to interact with it in a secure manner; hence the owner and the tag should be able to authenticate each other. However, in many applications, during the lifetime of a tagged item, the owner of an RFID tag may change several times. When the ownership is transferred, the previous owner needs to pass the secret information to the new owner. As a result, both the previous and the new owner are able to authenticate and identify the tag, and moreover, communicate with it. This may cause a problem, since the privacy of either the tag or the owners can easily be infringed. A number of papers have been published to provide proper solutions for tag ownership transfer [12,16,14,11,4,17,8,2,3,7,13]. Most of the schemes are based on symmetric-key cryptographic algorithms such as hash functions and pseudo-random number generators because of their simplicity compared to asymmetric-key cryptography. However, it has been shown that such schemes often result in scalability as well as security and/or privacy problems. Recent works show that it is feasible to employ elliptic curve cryptography on lightweight RFID tags [1,5,10]. In such schemes, it is assumed that the RFID tags are able to perform modular additions, modular multiplications and elliptic curve scalar multiplications. We will be using this assumption and proposing an elliptic curve based RFID ownership transfer scheme.


1.1. Contribution and Paper Organisation

In this paper, we propose an RFID ownership transfer scheme. To the best of our knowledge, this is the first elliptic-curve based ownership transfer protocol. We show that the proposed scheme is secure and private. Furthermore, it achieves features such as controlled delegation and authorisation recovery. The rest of this paper is organised as follows. The ownership transfer protocols are reviewed in Section 2. In Section 3, we describe the preliminaries for our scheme and outline the security and privacy requirements. Our elliptic-curve based RFID ownership transfer protocol is proposed in Section 4. In Section 5, we provide the security analysis of our scheme. In Section 6, we show the performance results of our scheme. Section 7 concludes this paper.

2. Related Work Molnar, Soppera and Wagner [12] introduced the concept of ownership transfer in 2005. They proposed an RFID pseudonym protocol based on pseudo-random function and shared secrets. Their scheme employed a trusted centre in a tree structure to manage the shared secret with the tag. All the readers need the assistance from the trusted centre to authenticate the tag because only the trusted centre is able to identify the tag. The trusted centre controls the access privilege according to the ownership policy of the tag. After the ownership is transferred, the previous owner is not allowed to access the tag. Since the tag uses a unique pseudonym to each query, it is impossible for the previous owner to identify the tag without the help of the trusted centre. The trusted centre can also delegate


a reader limited access to the tag by giving it a derived key. For each query made by the readers, the tag generates a pseudonym using a pseudo-random function and the derived key to protect its real ID. The tag also maintains a counter to determine the number of queries. After the counter reaches the maximum value designated by the trusted centre, the delegation automatically expires. There are several similar schemes [16,14,4,8] that also employ a trusted third party to control the ownership transfer. However, all of them are based on symmetric cryptographic primitives. The shared secret between the tag and the reader will be revealed to the adversary if the tag is compromised. Moreover, the privacy of the tag and the owner cannot be guaranteed.

Besides the protocols based on a trusted third party, there also exist several ownership transfer schemes involving only tags and owners. Saito, Imamoto and Sakurai [16] presented an ownership transfer scheme without the trusted third party. Upon receiving the ownership from the previous owner, the new owner updates the secret shared with the tag. However, their scheme is built under a fairly strong assumption that it is difficult for the adversary to exploit the communication channel from the tag to the reader because the range of the channel is short. Song [17] proposed an ownership transfer protocol as well as a security property called authorisation recovery. The previous owner is able to recover the ownership and temporarily interact with the tag. This property is quite useful in an after-sales scenario, where the seller may need to verify the product before providing a repair service. However, the protocol does not provide information and location privacy, and an adversary can perform a denial-of-service attack by simply blocking and forging the second message in the protocol flow [15]. Also, Ng, Susilo, Mu and Safavi-Naini [13] argued that Song's protocol changes the shared secret to the previous owner's key for authorisation recovery, which actually means sharing ownership, causing the ownership of the tag to become unclear. In RFIDSec'11, Fernández-Mir, Trujillo-Rasua, Castellà-Roca and Domingo-Ferrer [3] introduced a novel ownership transfer protocol that provides controlled delegation without the need for a stored counter in the tag. The server maintains a table storing a hash chain of size MAX to identify a tag. However, this protocol is vulnerable to a denial-of-service attack because an adversary can always block the update message MAX + 1 times. The time consumption and storage cost could become huge even though the system may set the value MAX to a relatively high value to prevent the attack.

3. Preliminaries

In this section, we first outline the system model and assumptions, and then describe the security and privacy requirements for our scheme.

3.1. System Model and Assumptions

Each owner has his/her own personal reader, which is securely connected to his/her own database. Therefore, we consider the reader and the database as one entity and refer to it as the reader. This model removes the need for a trusted centre that is required in a centralised model to maintain the current and/or previous ownership of each tag. As there can be different settings in the same system model, we make the following assumptions for our model.


• The manufacturer is trusted. The manufacturer creates items and attaches a tag to every single item. It also writes the initial state in every tag.
• A tag has a rewritable memory, and is able to perform lightweight cryptographic operations.
• A tag is vulnerable to compromise attacks. That is to say, an adversary can obtain the internal secrets of a tag.
• An owner is an entity who engages in the ownership transfer. Each owner has a reader to communicate with the target tag.
• An owner communicates with the target tag via an insecure radio-frequency interface. However, the communication between two owners is assumed to be secure.
• The current owner has full control over its tag.

3.2. Security and Privacy Requirements


We now define our RFID security model. Firstly, the adversary is assumed to have complete control over the communication channel between tag and reader. Namely, it can observe, modify and block all exchanged messages, and generate new messages. The potential threats against the RFID system are listed as follows.

• Replay Attack: An adversary maliciously repeats previous communications between a reader and a tag to perform a successful authentication.
• Man-in-the-Middle Attack: An adversary inserts, modifies or deletes messages sent between a reader and a tag without being detected.
• Denial-of-Service Attack (De-Synchronization Attack): An adversary blocks or tampers with messages passed between a reader and a tag, which causes the reader and the tag to lose synchronisation so that they cannot authenticate each other in future communications.
• Backward Traceability: An active adversary is able to identify a target tag from the past interactions between the tag and a reader, using the knowledge of the tag's present internal state obtained by corrupting the tag.
• Forward Traceability: An active adversary is able to identify a target tag from the future interactions between the tag and a reader, using the knowledge of the tag's present internal state obtained by corrupting the tag.

In addition to the potential threats against general RFID systems, we also identify the security requirements from the previous ownership transfer schemes.

• Previous Owner Privacy: When the ownership transfer protocol is completed, the new owner cannot trace past communications between the previous owner and the tag.
• New Owner Privacy: When the ownership transfer protocol is completed, the old owner cannot trace future communications between the new owner and the tag.
• Controlled Delegation: The present owner of the tag temporarily delegates the access right of the tag to another entity without giving out the ownership. The owner is able to cancel the delegation at any time. Moreover, the delegation will automatically expire at some time.
• Authorisation Recovery: The previous owner is able to access the tag with permission granted by the current owner. The current owner can cancel the temporary


authorisation at anytime. This security property can be considered as a special case of controlled delegation. The scheme that we are proposing in the paper aims to address the above security and privacy requirements.

4. Our Ownership Transfer Scheme

4.1. Setup

Let E be an elliptic curve defined over a field Z*_p, where p is a k-bit prime number. Assume the point P is a generator of G, which is the group of points on the elliptic curve E. Let (SK_oi, PK_oi) = (y_oi, y_oi P) be the public-private key pair of the i-th owner. Note that these key pairs are used in tag-owner communications. The manufacturer is the special owner o_0. The manufacturer randomly chooses a public-private key pair SK_t = x, PK_t = xP for the target tag when creating the product that the tag is attached to, and sets the internal state of the tag to (SK_t, PK_o0).

4.2. Protocol Phases

In this section we describe the different phases of our scheme. Our scheme is composed of the key change protocol, the transfer protocol, the key update protocol and the controlled delegation protocol. The notation used in our scheme is listed in Table 1.


Table 1. Notations of the proposed scheme

Notation      Interpretation
SK_t          the private key of the tag
PK_t          the public key of the tag, also used as the tag's identity ID_t
PK_o          the public key of the current owner stored in the tag
SK_i          the private key of the i-th owner
PK_i          the public key of the i-th owner
PK_b          the backup public key stored in the tag
c             the counter stored in the tag
c_m           the maximum value of the counter for delegation
Auth(PK_o)    the tag authenticates the reader using the owner's public key

Key Change Protocol. In this protocol, the current owner (denoted by Owneri ) updates its public key stored in the tag (denoted by Tag) with a temporary one so that the new owner (denoted by Owneri+1 ) will not be able to identify or trace the past interactions between the tag and the current owner after having the ownership of the tag. Prior to executing this protocol, we assume that the tag and the current owner both have each other’s public key. We also assume that the owner has determined which tagged item that s/he wishes to transfer the ownership of. The protocol is depicted in Figure 1 and detailed as follows.


1. First, Owner_i chooses two random numbers r1, r2 and sends A1 = r1 P, A2 = r2 PK_t to Tag.
2. Tag generates a nonce rt and answers with the following information: M1 = rt PK_o, M2 = SK_t^{-1} rt A2 + SK_t A1.
3. Upon receiving M1 and M2, Owner_i computes r1^{-1}(M2 − r2 SK_i^{-1} M1) and checks whether the value equals ID_t. If not, Owner_i rejects the Tag and terminates the protocol execution; otherwise it randomly picks a temporary private key y′_o, computes B1 = (r1 + r2)P + SK_i^{-1} y′_o M1 and B2 = y′_o PK_t + SK_i^{-1} M1, and sends them to Tag. y′_o will be stored by Owner_i and passed to the new owner as the ownership in the future.
4. Tag computes A1 + SK_t^{-1} A2 + rt SK_t^{-1}(B2 − rt P) and checks whether the result equals B1. If so, it updates PK_o with the value SK_t^{-1}(B2 − rt P); otherwise Tag terminates the protocol execution.

[Figure 1, reconstructed from the extracted protocol diagram]
Tag holds SK_t = x, PK_o = y_i P.  Owner_i holds SK_o = y_i, ID_t = PK_t = xP.
1. Owner_i → Tag: r1, r2 ∈_R Z*_p; A1 = r1 P, A2 = r2 xP.
2. Tag → Owner_i: rt ∈_R Z*_p; M1 = rt y_i P, M2 = x^{-1} rt A2 + x A1.
3. Owner_i: checks ID_t =? r1^{-1}(M2 − r2 y_i^{-1} M1); picks y′_o ∈_R Z*_p; B1 = (r1 + r2)P + y_i^{-1} y′_o M1, B2 = y′_o xP + y_i^{-1} M1; sends B1, B2 to Tag.
4. Tag: PK = x^{-1}(B2 − rt P); checks B1 =? A1 + x^{-1} A2 + rt PK; updates PK_o = PK.

Figure 1. Key change protocol for current owner

Transfer Protocol. Since the interactions between owners are secure under our assumption, we take the transfer protocol to be a generic public-key encryption protocol. The new owner encrypts the ownership transfer request together with the ID of the tag and sends the message to the current owner. After decrypting the message and authenticating the new owner, the current owner encrypts the temporary private key y_o used for interacting with the target tag and sends the response back to the new owner. The new owner decrypts the message and obtains y_o, and thereby the ownership of the tag.

Key Update Protocol. This protocol is executed once the new owner Owner_{i+1} has obtained the ownership of the target tag. Owner_{i+1} replaces the owner's public key stored in the tag with its own public key. This protocol protects the tag and the new owner from a malicious previous owner, who after giving up ownership can no longer identify or trace the interactions between the tag and the new owner. The protocol is a small modification of the key change protocol for the current owner. It is depicted in Figure 2 and detailed as follows.

1. Owner_{i+1} randomly chooses r_1, r_2 and sends A_1 = r_1 P, A_2 = r_2 ID_t to Tag.

2. Tag randomly picks a nonce r_t and responds with M_1 = r_t PK_o, M_2 = SK_t^{-1} r_t A_2 + SK_t A_1.

3. Upon receiving M_1 and M_2, Owner_{i+1} computes r_1^{-1}(M_2 − r_2 y_o^{-1} M_1) and checks whether the value equals ID_t. If not, Owner_{i+1} rejects Tag and terminates the protocol execution; otherwise it computes B_1 = (r_1 + r_2)P + y_o^{-1} SK_{i+1} M_1 and B_2 = (SK_{i+1} + r_1)PK_t + y_o^{-1} M_1, and sends them to Tag. Owner_{i+1} keeps y_o until it succeeds in communicating with Tag in a future interaction.

4. Tag calculates A_1 + SK_t^{-1} A_2 + r_t (SK_t^{-1}(B_2 − r_t P) − A_1) and checks whether the result equals B_1. If so, it updates PK_o with the value SK_t^{-1}(B_2 − r_t P) − A_1; otherwise Tag terminates the protocol execution.

The combination of the key change protocol, transfer protocol and key update protocol is illustrated in Figure 3.

Figure 2. Key update protocol for new owner

  Tag: SK_t = x, PK_o = y_o P                        Owner_{i+1}: y_o, SK_{i+1} = y_{i+1}, ID_t = PK_t = xP

  Owner_{i+1}: r_1, r_2 ∈_R Z_p^*; A_1 = r_1 P, A_2 = r_2 xP
  Owner_{i+1} → Tag: A_1, A_2
  Tag: r_t ∈_R Z_p^*; M_1 = r_t y_o P; M_2 = x^{-1} r_t A_2 + x A_1
  Tag → Owner_{i+1}: M_1, M_2
  Owner_{i+1}: check ID_t =? r_1^{-1}(M_2 − r_2 y_o^{-1} M_1); B_1 = (r_1 + r_2)P + y_o^{-1} y_{i+1} M_1; B_2 = (y_{i+1} + r_1)xP + y_o^{-1} M_1
  Owner_{i+1} → Tag: B_1, B_2
  Tag: PK = x^{-1}(B_2 − r_t P) − A_1; check B_1 =? A_1 + x^{-1} A_2 + r_t PK; update PK_o = PK

Figure 3. Protocol flows for ownership transfer

  Tag ←→ Owner_i: Key change protocol
  Owner_i ←→ Owner_{i+1}: Transfer protocol
  Tag ←→ Owner_{i+1}: Key Change protocol


Controlled Delegation Protocol. Our delegation protocol uses a counter stored in the tag, like [4,13], to control the delegation phase. The current owner (Owner) sends the maximum number of queries that can be made to Tag. After each query sent by the delegate (denoted by Delegate), Tag increases its internal counter by 1. Once the counter reaches the maximum value set by Owner, or Tag receives the cancellation command from Owner, the delegation is terminated. The details of the controlled delegation protocol are as follows.

1. First, Owner randomly chooses r_1, r_2 and sends A_1 = r_1 P, A_2 = r_2 ID_t to Tag.

2. Then, Tag generates a nonce r_t and sends M_1 = r_t PK_o, M_2 = SK_t^{-1} r_t A_2 + SK_t A_1 to Owner.

3. Upon receiving M_1 and M_2, Owner verifies whether ID_t equals the value r_1^{-1}(M_2 − r_2 SK_i^{-1} M_1). If not, Owner rejects Tag and terminates the protocol execution; otherwise it generates a private key y_d for the temporary delegation, and computes B_1 = (r_1 + r_2)P + SK_i^{-1} y_d M_1 and B_2 = y_d PK_t + SK_i^{-1} M_1. Owner also picks c_m, the maximum number of queries that can be made to Tag, and calculates S = c_m r_2 P + r_1 xP. Owner sends B_1, B_2, c_m and S to Tag. It also sends y_d to Delegate over a secure channel to authorise the delegation.

4. Tag computes A_1 + SK_t^{-1} A_2 + r_t SK_t^{-1}(B_2 − r_t P) and checks whether the value equals B_1. It also compares S with c_m x^{-1} A_2 + x A_1. If both checks pass, Tag stores c_m and the current owner's public key PK_o, and computes the temporary delegation key SK_t^{-1}(B_2 − r_t P); otherwise Tag terminates the protocol execution. Steps 1 to 4 are presented in Figure 4.

5. Delegate interacts with Tag using the delegation key SK_d given by Owner. Each time it is queried by Delegate, Tag increases the counter c by 1. Once c reaches the maximum value c_m, Tag replaces the delegation public key with Owner's public key so that no further queries can be made by Delegate. This procedure is described in Figure 5.

Figure 4. Controlled delegation protocol - 1

  Tag: SK_t = x, PK_o = yP                           Owner: SK_o = y, ID_t = PK_t = xP

  Owner: r_1, r_2 ∈_R Z_p^*; A_1 = r_1 P, A_2 = r_2 xP
  Owner → Tag: A_1, A_2
  Tag: r_t ∈_R Z_p^*; M_1 = r_t yP; M_2 = x^{-1} r_t A_2 + x A_1
  Tag → Owner: M_1, M_2
  Owner: check ID_t =? r_1^{-1}(M_2 − r_2 y^{-1} M_1); y_d ∈_R Z_p^*; B_1 = (r_1 + r_2)P + y^{-1} y_d M_1; B_2 = y_d xP + y^{-1} M_1; pick c_m; S = c_m r_2 P + r_1 xP
  Owner → Tag: B_1, B_2, c_m, S
  Tag: PK = x^{-1}(B_2 − r_t P); check B_1 =? A_1 + x^{-1} A_2 + r_t PK; check S =? c_m x^{-1} A_2 + x A_1; update PK_b = PK_o, PK_o = PK; c = 0 and store c_m

6. Owner is also able to cancel the delegation at any time. It chooses a random r and sends the tuple (r, (r y_d + y)xP) as a cancellation request to Tag. After verifying the validity of the request, Tag replaces the delegation public key with the stored Owner's public key and cancels the delegation. This procedure is shown in Figure 6.
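The key change, key update, controlled delegation and cancellation phases above share one three-message skeleton (A_1, A_2; M_1, M_2; B_1, B_2), differing only in how B_2 is formed and how the tag extracts the new owner key from it. The following is an added example, not the authors' code, that reconstructs all four phases in plain Python over secp256k1 (the paper does not name a curve; the choice, the function names and the modelling of a Delegate query as the steps 1-3 authentication are our assumptions). It is an unoptimised reference for checking the algebra, not a tag implementation.

```python
import secrets

# secp256k1 parameters (well-known constants): field prime FP, order N, base point G (the paper's P)
FP = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(Q1, Q2):  # affine point addition on y^2 = x^3 + 7 over GF(FP); None is the point at infinity
    if Q1 is None or Q2 is None:
        return Q2 if Q1 is None else Q1
    (x1, y1), (x2, y2) = Q1, Q2
    if x1 == x2 and (y1 + y2) % FP == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, FP) if Q1 == Q2
           else (y2 - y1) * pow((x2 - x1) % FP, -1, FP)) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def mul(k, Q):  # scalar multiplication k*Q by double-and-add; scalars live in Z_N
    R, k = None, k % N
    while k:
        if k & 1: R = add(R, Q)
        Q, k = add(Q, Q), k >> 1
    return R

def sub(Q1, Q2): return add(Q1, None if Q2 is None else (Q2[0], -Q2[1] % FP))
def inv(k): return pow(k, -1, N)                  # scalar inverse mod N
def rand(): return secrets.randbelow(N - 1) + 1   # r ∈_R Z_N^*

class Tag:  # state: private key x, owner key PK_o, backup key PK_b, counter c, limit c_m
    def __init__(self, x, PKo):
        self.x, self.PKo, self.PKb, self.c, self.cm = x, PKo, None, 0, None
    def step2(self, A1, A2):  # M_1 = r_t PK_o, M_2 = x^{-1} r_t A_2 + x A_1 (same in every phase)
        self.rt = rand()
        return mul(self.rt, self.PKo), add(mul(inv(self.x) * self.rt, A2), mul(self.x, A1))
    def step4(self, A1, A2, B1, B2, minus_A1=False):
        """Recover PK from B_2, verify B_1 against it, then install PK as the owner key."""
        PK = mul(inv(self.x), sub(B2, mul(self.rt, G)))
        if minus_A1: PK = sub(PK, A1)  # key update variant: PK = x^{-1}(B_2 - r_t P) - A_1
        if add(add(A1, mul(inv(self.x), A2)), mul(self.rt, PK)) != B1: return False
        self.PKo = PK
        return True

def authenticate(tag, sk, IDt):
    """Steps 1-3 of every phase: the holder of owner key sk checks the tag is ID_t; None = reject."""
    r1, r2 = rand(), rand()
    A1, A2 = mul(r1, G), mul(r2, IDt)
    M1, M2 = tag.step2(A1, A2)
    if mul(inv(r1), sub(M2, mul(r2 * inv(sk), M1))) != IDt: return None
    return r1, r2, A1, A2, M1

def key_change(tag, yi, IDt):
    """Owner_i installs a fresh temporary key y_o in the tag; returns y_o for Owner_{i+1}."""
    auth = authenticate(tag, yi, IDt)
    if auth is None: return None
    r1, r2, A1, A2, M1 = auth
    yo = rand()
    B1 = add(mul(r1 + r2, G), mul(inv(yi) * yo, M1))
    B2 = add(mul(yo, IDt), mul(inv(yi), M1))
    return yo if tag.step4(A1, A2, B1, B2) else None

def key_update(tag, yo, y_new, IDt):
    """Owner_{i+1} replaces the temporary key y_o by its own private key y_new."""
    auth = authenticate(tag, yo, IDt)
    if auth is None: return False
    r1, r2, A1, A2, M1 = auth
    B1 = add(mul(r1 + r2, G), mul(inv(yo) * y_new, M1))
    B2 = add(mul(y_new + r1, IDt), mul(inv(yo), M1))
    return tag.step4(A1, A2, B1, B2, minus_A1=True)

def delegate(tag, y, IDt, cm):
    """Owner installs delegation key y_d and query limit c_m (Figure 4); returns y_d."""
    auth = authenticate(tag, y, IDt)
    if auth is None: return None
    r1, r2, A1, A2, M1 = auth
    yd = rand()
    B1 = add(mul(r1 + r2, G), mul(inv(y) * yd, M1))
    B2 = add(mul(yd, IDt), mul(inv(y), M1))
    S = add(mul(cm * r2, G), mul(r1, IDt))
    if S != add(mul(cm * inv(tag.x), A2), mul(tag.x, A1)): return None  # tag: S = c_m x^{-1} A_2 + x A_1
    PKb = tag.PKo                          # tag backs up PK_o before step 4 overwrites it
    if not tag.step4(A1, A2, B1, B2): return None
    tag.PKb, tag.c, tag.cm = PKb, 0, cm
    return yd

def delegate_query(tag, yd, IDt):  # Figure 5; a query is modelled as the steps 1-3 authentication (assumption)
    ok = authenticate(tag, yd, IDt) is not None
    tag.c += 1
    if tag.c == tag.cm: tag.PKo = tag.PKb   # limit reached: revert to the owner's key
    return ok

def cancel(tag, y, yd, IDt):  # Figure 6: owner sends (r, (r y_d + y) xP), tag checks x(r PK_o + PK_b)
    r = rand()
    A = mul(r * yd + y, IDt)
    if A != mul(tag.x, add(mul(r, tag.PKo), tag.PKb)): return False
    tag.PKo = tag.PKb
    return True
```

Running a full lifecycle (key change by y_i, key update to y_{i+1}, delegation with c_m = 2, cancellation) lets one confirm the claims of the security analysis directly: after each phase the previous key no longer passes the steps 1-3 check, the delegation key stops working as soon as c reaches c_m, and because the tag only overwrites PK_o after B_1 verifies, dropping the third message leaves it usable by the current owner.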

Figure 5. Controlled delegation protocol - 2

  Tag: SK_t = x, PK_o = y_d P, PK_b = yP, c, c_m        Delegate: SK_d = y_d, ID_t = PK_t = xP

  Delegate → Tag: Query
  Tag: Auth(PK_o)
  Tag → Delegate: Response
  Tag: c = c + 1; if c = c_m, update PK_o = PK_b

Figure 6. Controlled delegation protocol - 3

  Tag: SK_t = x, PK_o = y_d P, PK_b = yP                Owner: y_d, SK_o = y, ID_t = PK_t = xP

  Owner: r ∈_R Z_p^*; A = (r y_d + y)xP
  Owner → Tag: r, A
  Tag: check A =? x(r PK_o + PK_b); update PK_o = PK_b

5. Security Analysis

5.1. Resistance to Attacks

Our scheme is secure against the attacks mentioned in 3.2.

1. Fresh nonces are used in our scheme to prevent replay attacks. An adversary is unable to gain privileges by reusing an expired message.

2. Man-in-the-middle attacks are avoided because the tag and the owner authenticate each other using their public-private key pairs, which guarantees the correctness of the messages, so an adversary cannot counterfeit any valid message.

3. A denial-of-service attack occurs while the tag and the reader are updating keys: an adversary can block the message sent by the owner from reaching the tag in any protocol phase in order to desynchronise the tag and the owner. Our scheme resists denial-of-service in all protocol phases. In the key change and controlled delegation phases, if an adversary blocks the messages and the tag fails to update to the temporary public key, the current owner is still able to communicate with the tag and generate a new ownership transfer or controlled delegation key pair for the new owner or delegate. In the key update phase, the new owner keeps the temporary private key until it succeeds in communicating with the tag using its own public-private key pair in a future query. In addition, the tag always verifies the messages before updating the owner's public key. Hence, an adversary is unable to manipulate the messages and cause the tag and the reader to lose synchronisation.


4. Backward traceability and forward traceability are resisted by our scheme. An adversary will not be able to decipher past or future messages between the tag and any owner even if it knows the tag's private key. This is because all messages involving the tag's ID (i.e. the tag's public key) are either encrypted under the owner's private key or protected by a randomly generated session nonce, which is never transmitted in the clear and is known only to the sender. Since computing the discrete logarithm of an elliptic curve point is infeasible, the adversary is unlikely to identify the tag from past or future transactions.

5.2. Privacy Preservation for Owners

Previous owner privacy and new owner privacy are guaranteed by the key change protocol and the key update protocol. The previous owner randomly chooses a temporary public-private key pair and changes its public key stored in the tag before transferring the ownership to the new owner. After the ownership is transferred, the new owner is not able to reveal the past transactions between the tag and the old owner because there is no link between the temporary key and the key of the previous owner. Hence previous owner privacy is assured. Later, in the key update protocol, after authenticating the tag, the new owner sends a change request to replace the temporary public key in the tag. Since the new owner's public key is protected by the tag's private key and a fresh nonce, it is unlikely that the previous owner can extract or change the new owner's private key. Hence the future communications between the tag and the new owner are protected from the previous owner, and new owner privacy is also assured.


5.3. Controlled Delegation and Authorisation Recovery

In our scheme, the present owner gives the delegation key to a third party for the delegation procedure. Since the key is generated temporarily, there is no linkage between the delegation key and the owner's key. Note also that the tag keeps the owner's public key. Therefore, when the queries made by the delegate reach the allowed number, or the owner sends the command cancelling the delegation, the owner can always regain full control over the tag. The delegate must ask the owner for further access to the tag once the allowed queries have been made.

Authorisation recovery is a special case of controlled delegation. The current owner stores the temporary key pair when it obtains the ownership from the previous owner. In step 3 of the controlled delegation protocol, the current owner simply transfers the temporary public key to the tag instead of a randomly chosen delegation key. It also does not need to send the private key to the previous owner, since the previous owner is the one who generated the temporary key. As a result, the previous owner and the tag can communicate with each other using the temporary key pair. Just like the controlled delegation process, the authorisation recovery expires when the counter in the tag reaches the maximum number set by the current owner, or when the tag receives the cancellation request from the current owner.


6. Performance Aspects

The proposed tag ownership transfer scheme depends on elliptic curve cryptography. The protocol phases use modular additions, modular multiplications, and point multiplication on an elliptic curve. Among these three, point multiplication is the most expensive operation for passive tags. Our scheme can be easily implemented on the lightweight RFID processor architecture presented by Lee, Batina, Singelée and Verbauwhede in 2010 [9]. The RFID processor consists of a micro controller, a bus manager and an elliptic curve processor. At an operating frequency of 700 kHz, the power consumption of the processor is 13.8 μW and one elliptic curve point multiplication takes 59,790 cycles. The performance results of RFID tags in our scheme are given in Table 2. Hence our scheme is feasible for passive tags, and any phase of our proposed scheme can be completed in less than 800 ms.

Table 2. Performance results of our protocols

  Protocol phase                                   Point multiplications   Cycles    Time (ms)
  Key change protocol                              7                       418,530   598
  Key update protocol                              7                       418,530   598
  Controlled delegation protocol - delegation      9                       538,110   769
  Controlled delegation protocol - cancellation    2                       119,580   171


7. Conclusion

We have proposed a new RFID ownership transfer protocol in this paper. We describe the different phases of the protocol: the key change protocol, transfer protocol, key update protocol and controlled delegation protocol. We have analysed the proposed protocol and shown that it meets the required security and privacy features. The ownership transfer process is performed without a trusted third party. It also allows controlled delegation and authorisation recovery. Our scheme is feasible for lightweight RFID tags in terms of power consumption and processing time. To the best of our knowledge, our scheme is the first elliptic-curve based secure ownership transfer protocol.

References

[1] L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, and I. Verbauwhede, Public-key cryptography for RFID-tags, in PerCom Workshops, 2007, pp. 217–222.
[2] K. Elkhiyaoui, E.-O. Blass, and R. Molva, ROTIV: RFID ownership transfer with issuer verification, in RFIDSec, 2011, pp. 163–182.
[3] A. Fernàndez-Mir, R. Trujillo-Rasua, J. Castellà-Roca, and J. Domingo-Ferrer, A scalable RFID authentication protocol supporting ownership transfer and controlled delegation, in RFIDSec, 2011, pp. 147–162.
[4] S. Fouladgar and H. Afifi, A simple privacy protecting scheme enabling delegation and ownership transfer for RFID tags, Journal of Communications, 2 (2007), pp. 6–13.
[5] D. M. Hein, J. Wolkerstorfer, and N. Felber, ECC is ready for RFID - a proof in silicon, in Selected Areas in Cryptography, 2008, pp. 401–413.
[6] A. Juels, RFID security and privacy: a research survey, IEEE Journal on Selected Areas in Communications, 24 (2006), pp. 381–394.
[7] G. Kapoor, W. Zhou, and S. Piramuthu, Multi-tag and multi-owner RFID ownership transfer in supply chains, Decision Support Systems, 52 (2011), pp. 258–270.
[8] L. Kulseng, Z. Yu, Y. Wei, and Y. Guan, Lightweight mutual authentication and ownership transfer for RFID systems, in INFOCOM, 2010, pp. 251–255.
[9] Y. K. Lee, L. Batina, D. Singelée, and I. Verbauwhede, Low-cost untraceable authentication protocols for RFID, in WISEC, 2010, pp. 55–64.
[10] Y. K. Lee, K. Sakiyama, L. Batina, and I. Verbauwhede, Elliptic-curve-based security processor for RFID, IEEE Transactions on Computers, 57 (2008), pp. 1514–1527.
[11] C. H. Lim and T. Kwon, Strong and robust RFID authentication enabling perfect ownership transfer, in ICICS, 2006, pp. 1–20.
[12] D. Molnar, A. Soppera, and D. Wagner, A scalable, delegatable pseudonym protocol enabling ownership transfer of RFID tags, in Selected Areas in Cryptography, 2005, pp. 276–290.
[13] C. Y. Ng, W. Susilo, Y. Mu, and R. Safavi-Naini, Practical RFID ownership transfer scheme, Journal of Computer Security, 19 (2011), pp. 319–341.
[14] K. Osaka, T. Takagi, K. Yamazaki, and O. Takahashi, An efficient and secure RFID security method with ownership transfer, in CIS, 2006, pp. 778–787.
[15] P. Peris-Lopez, J. C. Hernandez-Castro, J. E. Tapiador, T. Li, and Y. Li, Vulnerability analysis of RFID protocols for tag ownership transfer, Computer Networks, 54 (2010), pp. 1502–1508.
[16] J. Saito, K. Imamoto, and K. Sakurai, Reassignment scheme of an RFID tag's key for owner transfer, in EUC Workshops, 2005, pp. 1303–1312.
[17] B. Song, RFID tag ownership transfer, in RFIDSec, 2008.


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-328-5-45


IBIHOP: Proper Privacy Preserving Mutual RFID Authentication

Roel PEETERS a, Jens HERMANS a and Junfeng FAN b
a KU Leuven, ESAT/COSIC & iMinds, Leuven, Belgium. fi[email protected]
b Nationz technologies, Shenzhen, China.


Abstract. One of the concerns that comes with the use of RFID tags is that these respond to any query. This can be overcome by having mutual authentication between reader and tag. However, the ordering between the two authentication steps is crucial. In this paper, we formalise mutual RFID authentication: capturing the necessary coupling between tag authentication and reader authentication as well as the ordering between these authentication steps. We show that the reader needs to authenticate first to the yet unknown tag to 1) preserve the tag’s privacy, 2) make it more resistant to side-channel analysis and 3) ensure that the end-user can observe the protocol’s output. We propose a generic construction to transform existing private RFID authentication protocols into proper private RFID mutual authentication protocols. Finally, we design a very efficient wide-strong private RFID mutual authentication protocol that requires the tag to compute only three scalar-elliptic curve point multiplications. We also show how this new protocol can be implemented efficiently in hardware.

1. Introduction

Radio Frequency Identification (RFID) tags are already deployed in various consumer applications such as physical access tokens, car keys, contactless payment systems and electronic passports. Crucial for these applications is that the underlying protocols provide secure identification of the tag, and hence of the supposed user. The (location) privacy (see Weis et al. [19]) of the end user also needs protection, meaning that unauthorised parties should not be able to identify, trace or link tag appearances. Yet all communication with RFID tags can easily be eavesdropped or modified, and it has been shown that side-channel attacks may enable an adversary to extract secrets from the tag [9,10,16,13]. Additionally, an adversary can typically learn the outcome of the identification protocol: successful identifications result in an unlocked door, an unlocked car or a processed payment, while failure has no visible outcome. One of the limitations of RFID tags is that they come with no or only a very limited user interface. This limitation is overcome by having a tag respond to any query made to it. Although this solution is ideal in terms of usability, as no user interaction is required, it also makes tags even more vulnerable to attacks.


By requiring mutual authentication in which the reader authenticates first (called 'reader-first' further on), the potential for RFID attacks is greatly reduced: tags will only respond to authorised queries that originate from a known reader. First, attackers cannot send any specially structured query to the RFID tag under attack. Second, it is harder to mount side-channel attacks, since the only computations that could leak information about the secret happen after successful reader authentication. In other words, an adversary will have to interact with both a reader and a tag simultaneously to achieve reader authentication on the tag side. This means that the adversary's possibilities to interfere with the protocol become more limited. By disrupting the protocol, reader authentication could fail and the tag could abort the protocol before releasing any identifying information. Third, while most RFID tags (even smart cards) have no or a very limited user interface, the reader usually has some output user interface. As such, by observing the reader's output, the end-user can assess whether or not the protocol between his tag and the genuine reader terminated correctly.

Our goal is to provide an efficient protocol in which the tag will only respond with identifiable information to authorised queries from known readers. This implies that the reader first needs to authenticate its query to the yet-unknown tag. Because the tag's identity is unknown, the reader cannot authenticate efficiently to the tag using a shared secret between the tag and the reader. This means that public key based cryptographic techniques are necessary to reach our goal. Lee et al. [11] and Hein et al. [6] showed that public key cryptography, in particular Elliptic Curve Cryptography (ECC), can be realized on RFID tags. In terms of efficiency, the effort required from the tag should be minimized and the available circuit area on the tag should be used optimally. Ideally, no additional cryptographic building blocks, e.g., hash functions or block ciphers, are needed.

The paper is structured as follows: in Sect. 2 we give an overview of related work and show the importance of 'reader-first' as opposed to 'tag-first' mutual authentication. Section 3 explicitly defines mutual authentication as the reader first authenticating to the yet-unknown tag, the tag authenticating to the reader, and the coupling between them. In Sect. 4, we show how to transform existing private RFID authentication protocols into private RFID mutual authentication protocols using our generic construction. Furthermore, we propose a new protocol, named IBIHOP, in Sect. 5. This protocol is very efficient since it only requires three scalar-EC point multiplications. Finally, in Sect. 6 we show how to implement this protocol efficiently in hardware.

2. Related Work

2.1. Model

Paise and Vaudenay [15] proposed the only existing private RFID mutual authentication model, which is an extension of Vaudenay's private RFID authentication model [18]. The motivation for this work is to overcome the users' concerns about RFID tags responding to any query, by requiring that "a tag must be confident of the reader's identity before sending any information or its ID". Even though this paper claims to provide a formalisation of mutual authentication in the RFID setting, it does not. Our critique is twofold: first, the security definition (see Def. 1) does not cover mutual authentication, and second, the issue of RFID tags responding to unauthorised queries is not covered by it.

Definition 1 (Security (from Paise-Vaudenay [15])). A scheme provides security if it provides secure tag authentication and secure reader authentication.

This definition does not capture that these two unilateral authentication steps need to be bound together, which is a necessary condition for mutual authentication. Additionally, this definition does not impose an ordering on tag authentication and reader authentication. To address mutual authentication, the definition of an RFID system from [18] is adapted such that the tag (and no longer the reader) outputs whether or not the protocol was successful. This indicates that tag authentication precedes reader authentication in this model. Towards completeness, an additional oracle to also learn the result from the reader should be defined, since in several use cases the adversary also learns whether or not the reader accepted the tag (e.g., unlocked door, processed payment). Armknecht et al. [2] (and consecutive work by Armknecht et al. [1]) also pointed out some issues of this model with regard to the blinder. To some extent these issues also apply to the underlying Vaudenay privacy model [18].


2.2. Protocols

Most proposed RFID mutual authentication protocols in the literature are of the tag-first class. When discussing protocols, it is important to also look at their intended use. For instance, when the goal of mutual authentication is merely to establish a secure connection to exchange data privately, the order of authentication is not important. We will now discuss some classes of reader-first and tag-first RFID mutual authentication protocols.

2.2.1. Reader-first

When the reader authenticates first to the tag, tag privacy might be enhanced. A good example is the class of private search protocols [20], sometimes also referred to as private interrogation protocols [4]. In these protocols, the reader wants to know if a certain RFID tag is in the neighbourhood in a privacy-preserving way. These protocols are designed such that only the target RFID tag responds. Having the server first authenticate to the tag prevents adversaries from tracing tags. However, these protocols only provide mutual authentication for one specific tag and do not consider the more general setting, where the reader needs to prove its identity to a non-designated verifier. Another application of reader-first mutual authentication is the construction of RFID tags that are only to be used for a limited number of authentication instances, by only storing this number of coupons. Without reader-first mutual authentication, an adversary can mount a very simple denial of service attack by depleting the available coupons.


2.2.2. Tag-first

Tag-first can provide stronger security guarantees for private RFID authentication protocols that rely on the tag and server keeping a synchronised state, which is updated after every instance of the authentication protocol. The tag updates its state and sends some information allowing the server to compute the same state. To avoid desynchronisation attacks, the server first confirms the new state to the tag (and as a consequence implicitly authenticates to the tag) before the tag updates its state. Paise and Vaudenay [15] also proposed a couple of enriched existing private RFID authentication protocols to achieve mutual authentication, i.e. with an extra message at the end authenticating the reader. However, this does not resolve the issue of a tag giving out identifying information before it is confident of the reader's identity. Regarding privacy, adversaries possibly learn additional information from the final message from the reader to the tag (also adversaries that do not learn whether or not the tag was accepted by the reader) and from the tag's result. We can conclude that the proposed private RFID mutual authentication protocols require additional effort from the RFID tag and do not result in stronger security or privacy guarantees when the goal is merely authentication.

3. Definitions


3.1. Privacy

Vaudenay [18] proposed the first general RFID privacy model. However, several issues with the blinder (discussed in Sect. 2), together with the fact that the strongest privacy guarantee is unreachable in this model, led us to switch to the RFID privacy model of Hermans et al. [7]. This model is a robust general RFID privacy model based on indistinguishability, which makes it easier to apply. The intuition behind the RFID privacy model of Hermans et al. is that privacy is guaranteed if an adversary cannot distinguish with which one of two RFID tags (of its choosing) he is interacting through a set of oracles. Privacy is defined as a distinguishability game (or experiment) between a challenger and the adversary. This game is defined as follows. First, the challenger picks a random challenge bit and then sets up the system. Next, the adversary A can use a subset (depending on the privacy notion) of the system oracles to interact with the system. Finally, A outputs its guess for the challenge bit. We refer the reader to [7] for the formal definition of these oracles.

For the purpose of this paper we redefine the Corrupt oracle to only return the non-volatile state of the tag. This restriction allows us to exclude trivial privacy attacks on mutual authentication protocols (more generally, on all multi-pass protocols). These protocols require that some information is stored in the tag's volatile memory during the protocol run.

Protocols can be classified according to the privacy notion they achieve. The privacy notions used here were originally introduced by Vaudenay [18]. Strong attackers are allowed to use all available oracles. Forward attackers can only do other corruptions after the first corruption; protocol interactions are no longer allowed. Weak attackers cannot corrupt tags. Independently of these classes, there is the notion of wide and narrow attackers. A wide attacker is allowed to get the result from the reader, i.e. whether the identification was successful or not, while a narrow attacker does not. The privacy notions are related as follows:

  Wide-Strong   ⇒  Wide-Forward   ⇒  Wide-Weak
       ⇓                ⇓                ⇓
  Narrow-Strong ⇒  Narrow-Forward ⇒  Narrow-Weak

3.2. Security

First we define tag-authentication, for which the RFID tag authenticates to the RFID reader. We use Definition 4 from [18], which is built upon the concept of matching conversations.

Definition 2 (Tag-authentication). We consider any adversary in the class Strong. We say the adversary wins if at least one protocol instance π on the reader identified an uncorrupted legitimate tag ID but π and ID did not have any matching conversation, i.e. they exchanged well interleaved and faithfully (but maybe with some time delay) transmitted messages until π completed. We call ID a target tag and π a target instance. We say that the RFID scheme is secure if the success probability of any such adversary is negligible.

Similarly, reader-authentication is defined as a matching conversation between a tag and the reader resulting in the tag only accepting valid readers. In the case of reader-authentication the adversary wins the game if the tag accepts a reader in at least one protocol instance π for which there was no matching conversation.


Definition 3 (Mutual Authentication). Tag-authentication, as defined in Def. 2, extended with the requirement that reader-authentication was achieved in the same session before tag-authentication finishes.

3.3. Notation

Our proposed protocol is based on Elliptic Curve Cryptography, hence we use additive notation. Points on the curve are represented by capital letters and scalars by lowercase letters. In our protocol we only make use of the x-coordinates of the points on the curve, denoted by [·]_x. Assuming an elliptic curve E of prime order ℓ over F_p, then for a point Q = (q_x, q_y) with q_x, q_y ∈ [0 … p−1], [Q]_x maps Q to q_x mod ℓ.

4. Generic Construction

We only consider tag-privacy and not the reader's. As such, any authentication protocol (whether or not it is privacy-preserving) can be used for reader authentication. However, we also need to provide the necessary binding between reader authentication and the tag authentication that follows it. How to link these two uni-directional authentication instances is the most crucial design decision for mutual authentication protocols. Our generic construction makes use of a signature scheme, binding the reader's request to some fresh randomness generated by the tag. The Schnorr signature scheme [17] is one of the most efficient for this purpose: verifying a signature only requires two scalar-EC point multiplications and one hash function evaluation.

Our generic construction starts from a private RFID authentication protocol in which the reader challenges the tag to establish its identity. To authenticate this query, the reader signs its challenge together with some fresh randomness from the tag (to guarantee freshness) and sends the signature back to the tag together with the challenge. The tag can then verify the signature, establishing that the challenge came from the known reader. The additional effort required from the tag, compared with the original private RFID authentication protocol, is verifying one signature. To illustrate our generic construction, we transform Vaudenay's public key protocol [18] and Randomized Schnorr, proposed by Bringer et al. [5].

4.1. Vaudenay's Public Key Protocol


The reader has a public/private key pair (PK, pk). To verify that a tag with identity ID is registered, the reader checks the additional value K = F_KM(ID), obtained by applying its secret key KM to the tag's identity. At registration, the tag receives the value K from the reader. For an IND-CCA2 cryptosystem this protocol is wide-strong private. Our generic construction prepends Vaudenay's protocol with a message from the tag to the reader containing a random number generated by the tag, to guarantee freshness. The reader signs its challenge concatenated with this randomness and sends the challenge along with the signature to the tag. Upon successful verification of the signature, the tag completes the protocol as in the original; if the verification fails, the tag aborts. As such, the RFID tag does not respond to unauthorised queries with identifiable information.

Figure 1. Generic constructions to achieve mutual authentication applied to Vaudenay's Public Key Protocol [18] (message listings reconstructed from the diagram; the dotted variables of the figure, i.e. the values recovered by decryption, are written with a prime).

(a) Our generic construction. Tag T holds (ID, K, PK); Reader R holds (pk, KM).
  1. T: r ∈R Z.                                          T → R: r
  2. R: a ∈R Z, σ = sign_pk(r||a).                       R → T: a, σ
  3. T: verify_PK(σ, r||a), abort on failure; c = Enc_PK(ID||K||a).   T → R: c
  4. R: ID'||K'||a' = Dec_pk(c); check a' = a and K' = F_KM(ID').

(b) Paise-Vaudenay [15]. Tag T holds (ID, K, PK); Reader R holds (pk, KM, DB: {ID_i}).
  1. R: a ∈R Z.                                          R → T: a
  2. T: b ∈R Z, c = Enc_PK(ID||K||a||b).                 T → R: c
  3. R: ID'||K'||a'||b' = Dec_pk(c); if a' = a and K' = F_KM(ID') then b̄ = b', else b̄ ∈R Z.   R → T: b̄
  4. T: check b̄ = b.


Figure 1 depicts our enriched Vaudenay public key protocol as well as the enriched version by Paise and Vaudenay [15], which we use to illustrate the differences between reader-first and tag-first mutual authentication. The upside of the Paise-Vaudenay construction is efficiency: it does not require the generation and verification of a signature, because the reader already knows the identity of the tag it has to authenticate to and hence can authenticate very efficiently using information shared between tag and reader. The main downside of this approach is that attackers can still send arbitrary queries to the tag, and the tag answers them while performing operations with its secret that potentially leak information through side channels. With the generic construction, an adversary attacking the security and/or privacy of the tag is restricted to using fresh, genuine queries from a genuine reader.

Another downside of the Paise-Vaudenay construction is that the tag is expected to output whether or not the protocol was successful. For most RFID tags this assumption is unrealistic, as they have a very limited or even no output interface; a user therefore cannot tell whether mutual authentication was successful. Furthermore, in several use cases the reader will provide output indicating whether or not tag authentication was successful before the tag outputs its result. This could be an additional point of attack for an adversary targeting the tag's privacy.

4.2. Randomized Schnorr

The reader has a public/private key pair (Y = yP, y) and the tag has a public/private key pair (X = xP, x). The public key X of the tag serves as its identity and has been registered with the reader. This protocol is narrow-strong private and secure against impersonation attacks (a security definition weaker than the one used in this paper, which requires matching conversations).


Figure 2. Our generic construction applied to Randomized Schnorr [5] (message listing reconstructed from the diagram). Tag T holds (x, Y = yP); Reader R holds (y, DB: {X_i = x_i P}).
  1. T: r1, r2 ∈R Z; R1 = r1 P, R2 = r2 Y.                 T → R: R1, R2
  2. R: e ∈R Z; σ = sign_y(R1, R2, e).                       R → T: e, σ
  3. T: verify_Y(σ, R1, R2, e), abort on failure; s = ex + r1 + r2.   T → R: s
  4. R: X' = e^{-1}(sP − R1 − y^{-1} R2); check X' ∈ DB.

Figure 2 depicts our enriched Randomized Schnorr protocol. The original Randomized Schnorr protocol is already a three-pass protocol in which, in the first pass, the tag commits to fresh randomness. Using our generic construction, we transform the protocol by having the reader sign its exam concatenated with the commitments from the tag. The resulting protocol also achieves security under matching conversations and, as such, wide-forward privacy (see footnote 1). This example clearly shows that reader-first mutual authentication reduces the privacy attacker's capabilities.

5. Our Protocol: IBIHOP

Instead of applying our generic construction to existing private RFID authentication protocols, one can also design a specific private RFID mutual authentication protocol that is more efficient. Towards our goal of minimising the required circuit area, the use of a hash function should be avoided if possible. In practice this also rules out signature schemes, as the message to be signed is hashed. We propose a new wide-strong private mutual authentication protocol, IBIHOP, shown in Fig. 3. IBIHOP is constructed by interleaving two interactive authentication protocols, resulting in a four-pass protocol.

Figure 3. The IBIHOP protocol (message listing reconstructed from the diagram). Tag T holds (x, Y = yP); Reader R holds (y, DB: {X_i = x_i P}).
  1. R: e ∈R Z*.                                            R → T: [E]_x = [e^{-1} P]_x
  2. T: r ∈R Z*.                                            T → R: [R]_x = [rP]_x
  3. R: f = [[yR]_x P]_x + e.                                R → T: f
  4. T: e = f − [[rY]_x P]_x; check eE = P, abort otherwise; s = ex + r.   T → R: s
  5. R: X' = e^{-1}(sP − R); check X' ∈ DB.
(The outer [(·)P]_x in f, set in boldface in the original figure, is the operation dropped in the optimised variant of Sect. 5.2.)

For reader authentication, the reader first commits to the exam. Second, the tag challenges the reader with R. To simplify our analysis we assume the reader rejects simultaneous sessions on the reader side with an identical R. The reader replies with f = [[yR]_x P]_x + e. As such the reader shows knowledge of its private key y, corresponding to its public key Y = yP, given the CDH assumption. Only the tag, using its knowledge of r, can extract the exam e = f − [[rY]_x P]_x and verify it against the commitment E. As such reader-authentication is achieved at the same time as providing the crucial coupling between the two authentication instances. Note that e is selected in Z* and cannot be zero, which is a necessary condition for computing its inverse e^{-1}.

Footnote 1: This follows from Vaudenay's lemma [18, Lemma 8], which states that any secure (matching conversations) narrow-forward private protocol is wide-forward private.


For tag authentication we use the standard Schnorr identification protocol (in which the tag proves knowledge of its private key x corresponding to its public key X = xP, which also serves as identifier and has been registered with the reader), with the exception that the exam e is not sent in the clear but is only known to the tag and the reader. The original Schnorr protocol has been proven secure under the One More Discrete Logarithm (OMDL) assumption by Bellare and Palacio [3]. Note that the tag selects r in Z*. Having r = 0 would completely destroy the security and privacy of the tag.

5.1. Security and Privacy Evaluation


We briefly sketch the general strategy to show the security and privacy properties of the protocol:
• First, reader authentication is shown. The crucial property here is that an adversary is unable to compute [[yR]_x P]_x, which contains a CDH value, and hence cannot output a correct value for f either.
• Next, we show (under the Oracle CDH and DL assumptions) that when a tag authenticates a reader there was a matching conversation for the first three messages (E, R, f), i.e. that these were passed unmodified between tag and reader. The OCDH assumption is essential to show that an adversary cannot authenticate to the tag without calling the reader with the same R as the tag sent out. This ensures that the value of R cannot be manipulated and thus guarantees that the reader and tag sessions are linked through this message. Due to the ordering of messages this simplifies the analysis.
• Tag authentication can be shown by analogy to the Schnorr protocol. Since e is used in the tag authentication and was passed unmodified from reader to tag, mutual authentication is achieved.
• Finally, wide-strong privacy is shown under the Inverse DDH (IDDH) assumption. Given an IDDH pair, it is plugged into the value E = e^{-1}P, and its (potential) inverse eP is used for computing R = sP − (ex)P so that tag authentication still succeeds. When a real IDDH instance is given, the privacy adversary functions as required; when a random instance is given, the privacy adversary works on random data and has negligible advantage.

5.2. Optimising IBIHOP

The IBIHOP protocol requires roughly 4 scalar-EC point multiplications (ECPMs). The optimised IBIHOP protocol is obtained by modifying f, i.e. replacing [[yR]_x P]_x (the outer [(·)P]_x, set in boldface in Fig. 3) with [yR]_x. The optimised protocol requires only 3 ECPMs on the tag, which we believe is the minimum for a mutual authentication protocol that achieves such a high security and privacy level.

The extra [(·)P]_x in the original protocol ensures that yR is protected by a one-way function. This extra operation can be dropped, however, since yR remains adequately protected by the addition of e: an adversary only obtains E = e^{-1}P and f = e + [yR]_x. In this sense yR is still protected by a one-way function, namely the addition of the (unknown) discrete logarithm of E.
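The four passes of Fig. 3, both the original f = [[yR]_x P]_x + e and the optimised f = [yR]_x + e of Sect. 5.2, run end to end in the following added example. It is not the authors' implementation: it assumes secp256k1 as the prime-order curve (the paper's hardware targets a binary curve over F_{2^163}), sends the points E and R in full instead of x-coordinates only, uses plain affine double-and-add rather than an x-only ladder, and the names Reader, Tag, rand_scalar and run_session are the example's own. Besides a successful run it shows the property Sects. 4 and 6 rely on: a reader that does not hold y fails the eE = P check and the tag aborts before its secret x is ever used.

```python
"""IBIHOP (Fig. 3) and its optimised variant (Sect. 5.2), run end to end.
Added example, not the authors' code. Assumed: secp256k1 stands in for the
prime-order curve E (ORDER is the group order ℓ); points travel in full and
scalar multiplication is affine double-and-add instead of an x-only ladder."""
import secrets

P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime p
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order ℓ
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # base point P

def ec_add(A, B):
    """Affine group law on y^2 = x^3 + 7; None is the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, A):
    """Scalar-EC point multiplication kA (double-and-add, not constant time)."""
    k %= ORDER
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, A)
        A = ec_add(A, A)
        k >>= 1
    return acc

def ec_neg(A):
    return None if A is None else (A[0], (-A[1]) % P_MOD)

def xc(Q):
    """[Q]_x of Sect. 3.3: the x-coordinate reduced modulo the group order."""
    return Q[0] % ORDER

def rand_scalar():
    """Uniform element of Z*, never zero (required for e and r, see Sect. 5)."""
    return 1 + secrets.randbelow(ORDER - 1)

class Reader:
    def __init__(self, y, tag_public_keys, optimised=False):
        self.y, self.db, self.optimised = y, set(tag_public_keys), optimised

    def msg1(self):
        """Pass 1: commit to the exam e by sending E = e^{-1} P."""
        self.e = rand_scalar()
        self.E = ec_mul(pow(self.e, -1, ORDER), P)
        return self.E

    def msg3(self, R):
        """Pass 3: f = [[yR]_x P]_x + e, or [yR]_x + e in the optimised variant."""
        self.R = R
        mask = xc(ec_mul(self.y, R))
        if not self.optimised:
            mask = xc(ec_mul(mask, P))
        return (mask + self.e) % ORDER

    def verify(self, s):
        """Tag authentication: X = e^{-1}(sP - R) must be a registered key."""
        X = ec_mul(pow(self.e, -1, ORDER), ec_add(ec_mul(s, P), ec_neg(self.R)))
        return X in self.db

class Tag:
    def __init__(self, x, Y, optimised=False):
        self.x, self.Y, self.optimised = x, Y, optimised

    def msg2(self, E):
        """Pass 2: challenge the reader with R = rP."""
        self.E, self.r = E, rand_scalar()
        return ec_mul(self.r, P)

    def msg4(self, f):
        """Pass 4: recover e, check eE = P, then answer s = ex + r.
        Returns None (abort) when reader authentication fails; x is untouched then."""
        mask = xc(ec_mul(self.r, self.Y))          # [rY]_x equals the reader's [yR]_x
        if not self.optimised:
            mask = xc(ec_mul(mask, P))
        e = (f - mask) % ORDER
        if ec_mul(e, self.E) != P:
            return None
        return (e * self.x + self.r) % ORDER

def run_session(tag, reader):
    """Four passes; returns (reader accepted by tag, tag accepted by reader)."""
    R = tag.msg2(reader.msg1())
    s = tag.msg4(reader.msg3(R))
    return (False, False) if s is None else (True, reader.verify(s))

if __name__ == "__main__":
    y, x = rand_scalar(), rand_scalar()
    print(run_session(Tag(x, ec_mul(y, P)), Reader(y, [ec_mul(x, P)])))  # (True, True)
```

A session with a reader holding a wrong y, or with the two sides disagreeing on the variant of f, returns (False, False): the tag never reaches the line that multiplies by x, which is the reason the side-channel argument of Sect. 6 holds. An unregistered tag still authenticates the reader but is rejected in verify, giving (True, False).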


6. Hardware Implementation

Passive RFID tags are extremely resource-constrained devices. The tags draw energy from the magnetic field established by the reader. The reading distance is thus determined by two factors: the field strength, which is standardised, and the power consumption of the tag. Therefore tags have a strict power budget, so that a reasonable reading distance is guaranteed. In addition, the area of the implementation should be minimised to reduce its tape-out cost.

The IBIHOP protocol is optimised for lightweight implementations by design. The optimised IBIHOP protocol requires three ECPMs on the tag side. Note that all the ECPMs can be performed without using the y-coordinate. Explicit formulae that use only the x-coordinate exist for point multiplication on both binary curves [12] and prime curves [8]. Using only the x-coordinate speeds up the point multiplication and at the same time reduces storage (e.g. memory or registers). Communication between tag and reader is also reduced, since only the x-coordinates of E and R are transmitted. Less data transmission leads to lower power consumption and shorter execution time.

Lee et al. [11] reported a compact ECC processor for passive RFID tags. It supports a binary elliptic curve defined over F_{2^163}, which achieves about 80-bit security. The processor uses an x-coordinate-only point multiplication algorithm and also supports integer additions and multiplications. The ECC processor has an area of 15.4 kGates. Using the UMC 130 nm process, the average power consumption is only 12.08 μW at a frequency of 323 kHz (see footnote 2). We use this processor as a platform to evaluate the execution time and energy consumption of the optimised IBIHOP protocol.


Table 1. Execution time and storage for the optimised IBIHOP protocol (using the ECC processor from Lee et al.)

  Step              Operation      Delay [# cycles]   External storage
  R = rP            1 ECPM         78,544             r, [E]_x
  [rY]_x            1 ECPM         78,544             r, [E]_x, [rY]_x
  e = f − [rY]_x    Sub.           574                e, r, [E]_x
  T = eE            1 ECPM         78,544             e, r, [E]_x
  s = ex + r        Mul. + Add.    26,059             s
  Total                            262,265            3 × 163 bits

Table 1 summarises the computation on the tag. The ECC processor uses the Montgomery powering ladder, and each iteration uses 7 multiplications, 4 squarings and 3 additions in F_{2^163}. An ECPM takes exactly 78,544 cycles. A modular integer addition and multiplication take 574 and 25,486 cycles, respectively. Note that the IBIHOP protocol needs to keep some temporary variables; this is summarised in Table 1 as well. When running at 323 kHz, the optimised IBIHOP protocol finishes in less than 0.82 s. The total energy consumption will be less than 10 μJ. The chip can also be clocked at a higher frequency: for example, when running at 969 kHz, the optimised IBIHOP protocol requires 0.27 s. The power consumption of the chip will be higher at this speed, but it is still below 50 μW.

Footnote 2: These are simulation results. See [11] for more details.

Unlike signature-based protocols, IBIHOP does not use hash functions, which saves silicon area in a hardware implementation. The smallest SHA-1 implementation [14] uses 5527 gates. When packing the SHA-1 module together with the ECC processor, the area cost of SHA-1 is smaller because memory and some logic units are shared. Even so, the area cost of the hash function is not negligible, since the total area of an ECC implementation is already very small.

Note that cryptographic implementations also face side-channel attacks and fault attacks. The ECC processor by Lee et al. deploys the Montgomery powering ladder, which resists simple power analysis, and random projective coordinates, which resist differential power analysis. In fact, the IBIHOP protocol is less vulnerable to physical attacks, since the secret x is only used after a successful reader authentication. In other words, the attacker must possess a legitimate reader in order to take useful side-channel measurements.


7. Conclusions

With mutual authentication protocols, the main issue of RFID tags responding to any query can be solved. However, one needs to bear in mind that this only holds for mutual authentication protocols in which the reader authenticates first to the tag. As a result the attacker's power to interact with the tag is reduced, both for attackers against tag security and for attackers against tag privacy. We put forward a proper definition of mutual authentication for RFID tags and show how to enhance existing private RFID authentication protocols with mutual authentication, according to this definition, in the form of a generic construction. Furthermore, we proposed a new provably wide-strong private RFID mutual authentication protocol, IBIHOP, which is very efficient as it only requires 3 scalar-EC point multiplications on the tag. Towards implementation, the protocol does not require additional cryptographic building blocks to be implemented in hardware (saving circuit area) and can be further optimised by only using the x-coordinates of the elliptic curve points (saving computation and communication). As an added benefit, the resulting implementation provides higher resistance against side-channel analysis.

Acknowledgements

The authors would like to thank Frederik Vercauteren for the fruitful discussions. The work leading to these results has received funding from the European Community's Framework Programme (FP7/2007-2013) under grant agreement no. 284862, and from the Research Council KU Leuven: GOA TENSE (GOA/11/007). The paper was also partly supported by the Shenzhen Development & Reform Commission (SDRC, Project [2013]993).


References
[1] F. Armknecht, A.-R. Sadeghi, A. Scafuro, I. Visconti, and C. Wachsmann. Impossibility Results for RFID Privacy Notions. In Transactions on Computational Science XI, volume 6480 of LNCS, pages 39–63. Springer, 2010.
[2] F. Armknecht, A.-R. Sadeghi, I. Visconti, and C. Wachsmann. On RFID Privacy with Mutual Authentication and Tag Corruption. In ACNS '10, volume 6123 of LNCS, pages 493–510. Springer, 2010.
[3] M. Bellare and A. Palacio. GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks. In CRYPTO '02, volume 2442 of LNCS, pages 162–177. Springer, 2002.
[4] J. Bringer, H. Chabanne, G. D. Cohen, and B. Kindarji. Private Interrogation of Devices via Identification Codes. In INDOCRYPT '09, volume 5922 of LNCS, pages 272–289. Springer, 2009.
[5] J. Bringer, H. Chabanne, and T. Icart. Cryptanalysis of EC-RAC, a RFID Identification Protocol. In International Conference on Cryptology and Network Security – CANS 2008, volume 5339 of LNCS, pages 149–161. Springer, 2008.
[6] D. Hein, J. Wolkerstorfer, and N. Felber. ECC Is Ready for RFID — A Proof in Silicon. In R. Avanzi, L. Keliher, and F. Sica, editors, Selected Areas in Cryptography – SAC '08, volume 5381 of LNCS, pages 401–413. Springer, 2008.
[7] J. Hermans, A. Pashalidis, F. Vercauteren, and B. Preneel. A New RFID Privacy Model. In ESORICS 2011, volume 6879 of LNCS, pages 568–587. Springer, 2011.
[8] M. Hutter, M. Joye, and Y. Sierra. Memory-Constrained Implementations of Elliptic Curve Cryptography in Co-Z Coordinate Representation. In AFRICACRYPT '11, volume 6737 of LNCS, pages 170–187. Springer, 2011.
[9] M. Hutter, J.-M. Schmidt, and T. Plos. RFID and Its Vulnerability to Faults. In CHES '08, volume 5154 of LNCS, pages 363–379. Springer, 2008.
[10] T. Kasper, D. Oswald, and C. Paar. New Methods for Cost-Effective Side-Channel Attacks on Cryptographic RFIDs. In RFIDSec '09, 15 pages. 2009.
[11] Y. K. Lee, L. Batina, K. Sakiyama, and I. Verbauwhede. Elliptic Curve Based Security Processor for RFID. IEEE Transactions on Computers, 57(11):1514–1527, 2008.
[12] J. López and R. Dahab. Fast Multiplication on Elliptic Curves over GF(2^m) without Precomputation. In CHES '99, volume 1717 of LNCS, pages 316–327. Springer, 1999.
[13] S. Mangard, E. Oswald, and T. Popp. Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer, 2007.
[14] M. O'Neill. Low-Cost SHA-1 Hash Function Architecture for RFID Tags. In RFIDSec '08, pages 41–51, 2008.
[15] R.-I. Paise and S. Vaudenay. Mutual Authentication in RFID: Security and Privacy. In ASIACCS '08, pages 292–299. ACM Press, 2008.
[16] T. Plos. Evaluation of the Detached Power Supply as Side-Channel Analysis Countermeasure for Passive UHF RFID Tags. In M. Fischlin, editor, CT-RSA '09, volume 5473 of LNCS, pages 444–458. Springer, 2009.
[17] C.-P. Schnorr. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 4(3):161–174, 1991.
[18] S. Vaudenay. On Privacy Models for RFID. In ASIACRYPT '07, volume 4833 of LNCS, pages 68–87. Springer, 2007.
[19] S. A. Weis, S. E. Sarma, R. L. Rivest, and D. W. Engels. Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems. In Security in Pervasive Computing '03, volume 2802 of LNCS, pages 201–212. Springer, 2003.
[20] Y. Zuo. Secure and Private Search Protocols for RFID Systems. Information Systems Frontiers, 12(5):507–519, 2010.


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-328-5-57


A Framework to Securing RFID Transmissions by Varying Transmitted Reader's Power

Fei Huo (a), Chouchang Yang (b), Guang Gong (a) and Radha Poovendran (b)
(a) Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, N2L 3G1, Canada
(b) Network Security Lab, Department of Electrical Engineering, University of Washington, Seattle, WA, 98195, USA

Abstract. RFID technology has gained tremendous popularity in recent years. The tiny, inexpensive RFID tags can easily be attached to objects for seamless identification. However, one glaring weakness of RFID tags, especially passive RFID tags, is their lack of capability for implementing strong cryptographic primitives. When no or only a weak cryptographic primitive is implemented, an adversary can easily eavesdrop on the communication session between the reader and the tag and potentially learn all the secrets of the tag. In doing so, the secrecy of the messages and the privacy of the tag are violated. In this paper, we introduce a new framework that protects the messages transmitted from the tag to the reader. This framework makes use of the physical properties of RFID systems: the reader sends the tag a random, time-varying waveform for power harvesting rather than a fixed-amplitude waveform. We show theoretically that this framework is secure against a single eavesdropper by showing that the eavesdropper's decoding error probability is very close to 50%. Furthermore, we have implemented our framework, and the experimental results confirm our theoretical results. Finally, we discuss two stronger forms of attack.

Keywords. RFID, RFID Security, RFID Physical Layer

1. Introduction

Radio frequency identification (RFID) has gained tremendous popularity and research attention in recent years. There are two distinct advantages of RFID systems [6]. First, RFID provides unique identification of each object: each RFID tag contains a unique identification (UID) number that distinguishes it from all other tags. Second, the reading range can potentially reach tens of meters, and no line of sight is required. Since its invention, RFID technology has found a wide range of applications, including passports, driver's licenses, building access control and supply chain management, to name a few.

Based on the power source that drives communication between the reader and the tag, RFID tags can be classified into three classes: active, semi-active and passive [4]. Active and semi-active tags have on-board batteries, which provide them with reasonable computational capability. Passive RFID tags, on the other hand, can only harvest power from the reader. The first two classes of tags are powerful enough that implementations of secure cryptographic primitives on them are possible. Many RFID applications such as inventory control require the tag to be inexpensive; in these scenarios only passive RFID tags are applicable. However, passive tags are computationally constrained and their memory is generally also very limited. Therefore, one glaring weakness of passive RFID systems is the security and privacy concerns that arise from these constraints.

Different RFID standards employ different protocols for communication between the reader and the tag. In general, however, this process can be roughly depicted as shown in Figure 1. When a reader tries to communicate with a tag, it first sends a query to the tag. Upon receiving the query, the tag replies with its response, which may include the tag's secret information. The connection between them is thereby established, and the reader then sends instructions to the tag to perform various tasks. It is imperative that sensitive information such as a tag's UID be protected. Therefore, our motivation is to find a good method to safeguard the messages transmitted from the tag to the reader in a passive RFID system without disclosing any information to the adversary.

Figure 1. Reader-Tag Communication (reconstructed from the diagram): (1) Query, reader → tag; (2) Response, tag → reader (may contain the tag's secrets); (3) Reader-to-tag instructions.

There have been numerous attempts at securing the transmissions between the reader and the tag. The most straightforward method is the use of encryption. The computational complexity of public key cryptography is too high; at present it is not feasible for passive tags. Generally, symmetric key cryptography is implemented. Due to the memory constraint, the key length is usually shorter than 80 bits, which is the currently accepted minimum for a symmetric key cipher to be considered secure, so such schemes cannot be considered secure. For example, the key length in the popular EPCglobal Class 1 Gen 2 standard is only 32 bits [3]. This can easily be broken by exhaustive search, and hence offers no protection against a computationally powerful adversary. Consequently, other alternatives have been sought. In [1] and [7], the authors proposed adding a separate source that randomly generates 8-bit noise levels on top of the reader's continuous wave to prevent the adversary from eavesdropping. Although the authors claim that the random noise amplitude is able to thwart an eavesdropper, no theoretical analysis supporting the claim was provided. Furthermore, the noise source and the reader require perfect synchronization with each other in order to correctly decode the messages.

In this paper, we present a new physical-layer approach to securing the transmission of messages from the tag to the reader and to ensuring the privacy of the tag. This scheme is very simple to implement, requires no extra complexity, and needs no pre-sharing of any secrets between the reader and the tag. We think this framework can be added to existing RFID networks to provide an additional layer of security against various attacks.

The rest of the paper is organized as follows. In Section 2, we introduce the system and adversary models considered in this paper. In Section 3, we first present our framework and then show theoretically that it is secure against one eavesdropper. In Section 4, we implement our framework on a passive RFID system and show the received and decoded messages for the legitimate reader and the adversary, respectively. In Section 5, we explore two stronger forms of attack, namely multiple passive adversaries colluding together and active eavesdropping. Section 6 presents our conclusions and future research.

2. System and Adversarial Model

In this section, we introduce the system and adversarial model used throughout this work.

2.1. System Model

In this work, we consider a passive RFID system in which the tags are powered by the transmitted power of the reader. A simple passive RFID network consists of a reader and multiple passive tags. Each communication channel between a tag and the reader is secured independently; this can be achieved, for example, by ensuring that the tags use different keys at each run of the communication protocol. Therefore our system model is of the simplest form: it consists of one reader and one tag. Furthermore, our scheme involves the reader generating a random, uniformly distributed time-varying waveform which is sent to the tag for the purpose of power harvesting.


2.2. Adversarial Model

We assume that the adversary is a passive eavesdropper that can listen to local (not global) communication. We further assume that the adversary can be mobile: he can freely move around or stay in one place as he wishes. He also has complete knowledge of all the protocols and frequencies used between the reader and the tag. Furthermore, we assume that while the adversary knows about the time-varying nature of the waveform at any given instant, he does not know the specific values chosen for the "random" amplitude of the waveform.

3. Framework and Analysis In this section, we first present our proposed framework. Then we present theoretical analysis showing that our proposed scheme is resilient against the passive eavesdropper. 3.1. Framework The idea makes use of the physical nature of passive RFID systems. After a reader has sent an instruction to the tag, it needs to continuously send a waveform to the tag which is used to keep the passive tag active. The tag then performs backscattering modulations

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,

60

F. Huo et al. / A Framework to Securing RFID Transmissions

by setting the impedance to either low or high to return a 0 or 1 respectively. The returned signal seen at the reader would be a superposition of its transmitted continuous waveform and the backscattering modulated signal. In this new approach, whenever after a reader has issued a command to the tag, instead of providing the constant amplitude continuous waveform to the tag, the reader sends a time-varying waveform whose amplitude changes after elapsed time. The time-varying waveform pattern is random only known to the reader. Assuming the minimum and maximum transmitted amplitudes are xlow and xhigh respectively, then the distribution of the time-varying waveform is randomly uniformly distributed with a step size α x, ¯ where α is a constant which is a function of tag’s impedance and x¯ is the average amplitude given by:

$$\bar{x} = \frac{x_{low} + x_{high}}{2}.$$

Intuitively, with this approach the tag can still harvest energy from the random waveform, and the reader can cancel the effect of the time-varying waveform before decoding. An adversary who does not know the amplitude pattern of the transmitted waveform, however, cannot cancel this "noise", so his intercepted signal reveals no information about the transmitted messages. Thus, secrecy of the messages transmitted from the tag to the reader is achieved. One should notice that the power level of the reader's varying continuous waveform is much larger than the power level of the tag's backscatter signal, since a tag can only backscatter part of the energy of the reader's continuous waveform. Hence, an adversary always experiences non-negligible interference from the varying continuous waveform, which is larger than the tag's signal, such that the adversary cannot decode the tag's data signal alone at any location. The exception would be if the frequency of the reader's time-varying waveform were much slower than the frequency of the tag's signal: in that case each amplitude level spans multiple tag data symbols, the adversary could treat the amplitude as a constant DC level and remove it, and he would potentially be able to decode the tag's signal. In our scheme, however, the frequency of the time-varying waveform is always the same as or faster than the tag's rate. Consequently, the adversary cannot separate the time-varying waveform and decode the tag's signal.

3.2. Analysis of the Proposed Scheme

In the previous subsection, we reasoned intuitively why our framework is secure against the eavesdropper. In this subsection, we provide a detailed theoretical analysis to prove the security of our framework. Let the waveform transmitted by the reader be $x_i$ at time $i$. In an ideal situation, the received signal $y_i$ at the same reader when the tag's backscattered bit is 0 or 1 can be modeled respectively by:

$$y_i = \begin{cases} \beta x_i, & \text{Tag returns 0} \\ \beta (x_i + \alpha x_i), & \text{Tag returns 1,} \end{cases} \qquad (1)$$

where $\beta$ is the channel gain and $\alpha$ is a constant due to the impedance of the tag. This implies that when 0 is returned, no added amplitude is returned. When 1 is returned, some proportional amplitude is superimposed on top of the existing waveform.


Ideally, $x_i$ in (1) should depend on the time-varying amplitude at time $i$. However, if the difference between the minimum amplitude $x_{low}$ and the maximum amplitude $x_{high}$ is small relative to $\bar{x}$, then (1) can be reasonably approximated as follows:

$$y_i = \begin{cases} \beta x_i, & \text{Tag returns 0} \\ \beta (x_i + \alpha \bar{x}), & \text{Tag returns 1.} \end{cases} \qquad (2)$$

In our framework, we have chosen the step increment size to be $\alpha \bar{x}$. This matches the difference between the returned values for 0 and 1. There is then a total of $m$ steps, given by:

$$m = \frac{x_{high} - x_{low}}{\alpha \bar{x}} + 1,$$


and we further assume the system is designed such that $m$ is an integer. Consequently, for all $m-2$ intermediate transmitted amplitude levels other than $x_{low}$ and $x_{high}$, if the tag returns a 0, then a tag whose input waveform is one step below and which returns a 1 would produce the same received amplitude. Likewise, if the tag returns a 1, then a tag whose input waveform is one step above and which returns a 0 would produce the same amplitude. Assuming the tag returns 0 and 1 with equal probability (50% each), in the absence of noise the eavesdropper's maximum likelihood detector is unable to make a decision, i.e., its decoding error probability is $P_e = 50\%$. When the transmitted amplitude is $x_{low}$, the decoding error probability is:

$$P_e = \begin{cases} 0, & \text{Tag returns 0} \\ \frac{1}{2}, & \text{Tag returns 1,} \end{cases} \qquad (3)$$

The first line holds because the returned signal is uniquely decoded as 0, so no error is introduced. The second line is due to the ambiguity described above. Similarly, for the transmitted amplitude $x_{high}$, the decoding error probability is just the reverse of (3) due to symmetry:

$$P_e = \begin{cases} \frac{1}{2}, & \text{Tag returns 0} \\ 0, & \text{Tag returns 1.} \end{cases}$$

The overall error probability $P_t$ of our framework, where the transmitted time-varying amplitude is uniformly randomly distributed over $m$ steps, is:

$$P_t = \frac{m-2}{m}\cdot\frac{1}{2} + \frac{2}{2m}\cdot\frac{1}{2} = \frac{1}{2}\cdot\frac{m-1}{m}. \qquad (4)$$

Equation (4) is a lower bound on the error probability for adversaries; taking noise into account, we expect the attackers' decoding performance to be further degraded. Namely, at any location, the bit error probability for adversaries is at least as high as given in equation (4). With a reasonable value of $m$, i.e., $m > 20$, (4) results in a decoding error probability close to $\frac{1}{2}$, which guarantees that the eavesdropper cannot distinguish the tag's response regardless of the attacker's location, channel quality and noise level.
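The analysis above can be checked numerically. The following is an added example, not code from the paper or its authors: a Python simulation of the approximate model (2) in which the legitimate reader cancels its own known waveform, while the eavesdropper, modeled as the noise-free maximum likelihood detector of Section 3.2 and given the level set, the step and the channel gain (more than the paper's adversary has), must guess whenever two (level, bit) pairs produce the same amplitude. The function names, the choice of solving for $x_{high}$ from a chosen $m$, the values $x_{low}=1$, $\alpha=0.05$, $\beta=0.5$ and the `symbols_per_level` parameter for the slow-rate case are assumptions of this example. The observed eavesdropper bit error rate follows the bound (4), $P_t = (m-1)/(2m)$, and the slow-rate run shows why the waveform must change at least as fast as the tag's symbol rate.

```python
"""Added example, not from the paper: a bit-level simulation of the
time-varying-amplitude framework of Section 3, built on the approximate
model (2), to check the eavesdropper error bound of equation (4)."""
import random
from fractions import Fraction


def error_probability_bound(m):
    """Equation (4): P_t = (m - 1) / (2m) for m uniformly random amplitude levels."""
    return Fraction(m - 1, 2 * m)


def design_levels(m, x_low, alpha):
    """Return the m transmit amplitudes and the step alpha * x_bar.

    The paper fixes x_low and x_high and requires m = (x_high - x_low)/(alpha*x_bar) + 1
    to be an integer, with x_bar = (x_low + x_high)/2. Here m is chosen first and
    x_high is solved from that relation (an assumption of this example)."""
    c = (m - 1) * alpha / 2
    if c >= 1:
        raise ValueError("alpha too large for this many levels")
    x_high = x_low * (1 + c) / (1 - c)
    step = alpha * (x_low + x_high) / 2
    return [x_low + k * step for k in range(m)], step


def reader_receive(bits, levels, step, beta, rng, symbols_per_level=1):
    """Reader draws a uniformly random level, held for symbols_per_level tag
    symbols (1 = the level changes at the tag's rate, as the framework requires).
    Tag backscatter follows model (2): y = beta*x for bit 0, beta*(x + step) for bit 1."""
    xs, ys = [], []
    x = levels[0]
    for i, b in enumerate(bits):
        if i % symbols_per_level == 0:
            x = rng.choice(levels)
        xs.append(x)
        ys.append(beta * (x + (step if b else 0.0)))
    return xs, ys


def reader_decode(xs, ys, step, beta):
    """The legitimate reader knows each x_i, cancels it and thresholds at half a step."""
    return [1 if y / beta - x > step / 2 else 0 for x, y in zip(xs, ys)]


def eavesdropper_decode(ys, levels, step, beta, rng, symbols_per_level=1):
    """Noise-free maximum likelihood eavesdropper who knows the level set, the
    step and the channel gain (assumption: more than the paper's adversary) but
    not which level was drawn. Amplitude x_low + k*step with 0 < k < m arises
    equally often from (level k, bit 0) and (level k-1, bit 1), so he can only
    guess; only k = 0 and k = m are unambiguous. In the slow-rate case the paper
    warns about (several symbols per level) the smallest amplitude in each span
    is taken as the level and subtracted, which removes the ambiguity."""
    m = len(levels)
    out = []
    for start in range(0, len(ys), symbols_per_level):
        span = ys[start:start + symbols_per_level]
        if symbols_per_level > 1:
            base = min(span)
            out.extend(1 if y - base > beta * step / 2 else 0 for y in span)
            continue
        k = round((span[0] / beta - levels[0]) / step)
        out.append(0 if k == 0 else 1 if k == m else rng.randint(0, 1))
    return out


def simulate(m, n_bits=20000, seed=7, symbols_per_level=1,
             x_low=1.0, alpha=0.05, beta=0.5):
    """Return (reader BER, eavesdropper BER) for m levels and equiprobable tag bits."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n_bits)]  # paper assumes P(0) = P(1) = 1/2
    levels, step = design_levels(m, x_low, alpha)
    xs, ys = reader_receive(bits, levels, step, beta, rng, symbols_per_level)
    reader_hat = reader_decode(xs, ys, step, beta)
    eve_hat = eavesdropper_decode(ys, levels, step, beta, rng, symbols_per_level)

    def ber(estimate):
        return sum(a != b for a, b in zip(bits, estimate)) / n_bits

    return ber(reader_hat), ber(eve_hat)


if __name__ == "__main__":
    for m in (2, 5, 21):
        r, e = simulate(m)
        print(f"m={m:2d}: reader BER={r:.3f}  eavesdropper BER={e:.3f}  "
              f"bound (4)={float(error_probability_bound(m)):.3f}")
    print("slow-rate case, 10 symbols per level:", simulate(21, symbols_per_level=10))
```

Running the block prints, for $m$ = 2, 5 and 21, a reader bit error rate of 0 and an eavesdropper bit error rate close to 1/4, 2/5 and 10/21 respectively; with ten symbols per level the eavesdropper's error rate collapses to a fraction of a percent, which is the slow-rate failure mode described in Section 3.1.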


Figure 2. Reader's transmitted continuous wave at slow rate

Figure 3. Reader's transmitted continuous wave at fast rate


4. Experiment

In this section, we verify our scheme through experiments. We have implemented our own RFID system on two USRP N210s with 900 MHz daughterboards and Intel WISP tags. We have configured one USRP to be the legitimate reader and the other to be the adversary. The antennas we used for both USRPs are near-field antennas specially designed for RFID signal measurements [5]. By setting up the experiment this way, we ensure that the legitimate reader and the adversary have equal capabilities. The Intel WISP tag is configured to be a purely passive tag. In these experiments, a baseband signal in the form of a regularly increasing step function is used as the varying-amplitude waveform, with a cosine carrier at 915 MHz. We chose a regularly increasing step function for ease of demonstration. In reality, random step functions should be used instead. This random time-varying waveform is known only to the reader; the adversary has no knowledge of the waveform pattern. We chose two different periods for the step function. For the first experiment, the period of each step matches the tag's data rate. This implies that each returned step waveform contains no more than one bit of backscattered information. For the second experiment, the period of each step waveform is 1/10 of the tag's data period. This implies that 1 bit of the tag's backscattered signal is spread over 10 step waveforms. The two transmitted waveforms are shown in Figures 2 and 3, respectively. Furthermore, we fix the tag's backscatter-modulated response to be the 16-bit response 0101, 0011, 0001, 0010. Once the response reaches this length, the tag stops sending for 5 symbol periods and then repeats from the first bit. This guarantees the comparability of our results under different settings. We examine the received baseband signals for both the reader and the adversary. We show that in the case of the reader, after removing his own transmitted continuous wave, he can successfully decode the message. In the case of the adversary, however, without knowing the continuous wave pattern, the received signal looks like noise to him, so he cannot successfully decode it into messages.

4.1. Reader's Recovered Signal

The received results for each rate are shown in Figures 4 and 5, respectively. Since the legitimate reader knows the varying-amplitude waveform and its rate,

F. Huo et al. / A Framework to Securing RFID Transmissions

63

Copyright © 2013. IOS Press, Incorporated. All rights reserved.

Figure 4. Received signals with slow rate disturbance

Figure 5. Received signals with fast rate disturbance

the reader is able to remove the disturbance. Hence, the reader can recover the tag's data as shown in Figure 6. Figures 4 and 5 illustrate the signals received by the reader with the slow and fast disturbance rates, respectively. Figures 6 and 7 show the recovered results after removing the time-varying waveform. This is done by a signal processing script written in Matlab which automatically removes the effect of the transmitted time-varying waveform. From Figures 4 and 5, one can easily distinguish 0 and 1 (1 has a higher amplitude and 0 a lower amplitude). Using standard decoding algorithms, the waveforms starting from sample 660 in Figure 4 and sample 700 in Figure 5 would be decoded into 0101, 0011, 0001, 0010, which matches our expected return response. There are large fluctuations in the amplitude of the reader's recovered signal, as shown in Figures 6 and 7; they are more noticeable in Figure 7. This is due to the steep instantaneous change in the amplitude of the transmitted signal from one period to the next. It takes some time for the tag to react to this change. This suggests that random waveforms containing steep amplitude changes should be avoided, as this may cause decoding errors.

Figure 6. Recovered tag signal from slow disturbance (received data at reader after removing amplitude disturbance; amplitude vs. samples)

Figure 7. Recovered tag signal from fast disturbance (received data after removing amplitude disturbance; amplitude vs. samples)

Comparing Figure 4 with Figure 6, one can observe that the magnitude of the reader's transmitted signal is much greater than that of the tag's backscattered signal. Therefore, the actual data-bearing signal is buried in the time-varying amplitude. Consequently, no decoding can be performed without removing the time-varying continuous wave.

4.2. Eavesdropper's Intercepted Signal

An adversary who lacks knowledge of the time-varying waveform cannot subtract the transmitted waveform to obtain the tag's signal, since our amplitude variation is at the same rate as or faster than the tag's data rate. As shown in Figures 8 and 9, the tag's signal collides with the reader's varying-amplitude signal. Note that recovering these collided signal waveforms can be viewed as a collision problem. Since attackers may only know the step

function's period for each step, the uncertainty in removing the disturbance in this scenario is related to the number of levels the step function can take. Here, we use a 12-level increasing step function for illustration purposes. In reality, random-amplitude step functions that comply with our framework should be used. As discussed earlier, the more amplitude levels the reader's continuous waveform can take, the closer the adversary's decoding error rate comes to 50%. However, there is a tradeoff between the number of amplitude levels and the system performance of the legitimate parties. For example, amplitudes below a certain threshold would leave the tag unable to harvest energy, because they are below the detection range of the tag. This tradeoff will be studied in our future work.

Figure 8. Received signals with slow rate disturbance (received signal at attacker side; amplitude vs. samples)

Figure 9. Received signals with fast rate disturbance


Figure 10. Attacker 1's received signal (received data at attacker 1; amplitude vs. samples)

Figure 11. Attacker 2's received signal (received data at attacker 2; amplitude vs. samples)

5. Discussions on Stronger Attacks

In this section, we explore two stronger forms of attacker: multiple passive colluding eavesdroppers, and the active eavesdropping attack.


5.1. Multiple Passive Colluding Eavesdroppers

Up to this point, we have assumed that there exists only one adversary in the system, and we have shown that our proposed scheme is resilient against this attack model. Now we consider the attack model in which there exist multiple passive colluding eavesdroppers. First, we consider the presence of two passive colluding eavesdroppers in the system; the other assumptions remain unchanged. We re-conducted the experiment by adding another reader as the second eavesdropper, with exactly the same setup as the legitimate reader and eavesdropper 1. We used the same step function for the reader's transmitted time-varying signal as shown in Figure 2. The expected return response from the tag is still 0101, 0011, 0001, 0010. Furthermore, we placed eavesdropper 1's receiving antenna close to the reader's transmitting antenna and attacker 2's receiving antenna close to the tag. We hypothesize that this setup gives the two eavesdroppers the best chance. The reason is that when the receiving antenna is placed close to the reader, the intercepted signal is highly correlated with the time-varying signal, while the signal strength of the backscatter modulation from the tag is considerably weaker; from this, adversary 1 has complete knowledge of the transmitted time-varying waveform. When the receiving antenna is placed close to the tag, the tag's backscattered data signal should be very strong; from this, the adversary has complete knowledge of the superimposed signals. Decoding is possible when the two adversaries collude. Figures 10 and 11 are the signals intercepted by adversaries 1 and 2, respectively. By observing Figures 10 and 11, we see that our hypothesis is true. When the two adversaries are able to collude, and assuming their clocks are fully synchronized, they can attempt to remove the time-varying signal from the intercepted signals, as shown in Figure 12. The two eavesdroppers would decode the waveform in Figure 12 into binary data which exactly matches the tag's returned data. Therefore, it is possible to decode the messages. When even more eavesdroppers are present in the system and they can all freely collude with each other, we expect their decoding ability to be even greater. Thus, this scheme is vulnerable to multiple colluding eavesdroppers. However, if we add detection functionality to the reader that can detect the adversaries present, using the method in [8], then this attack can be prevented.

Figure 12. Recovered data by two colluding attackers (amplitude, ×10⁻³, vs. samples)


5.2. Active Eavesdropping

We now consider a scenario where the attacker no longer just passively eavesdrops on the communication session, but actively sends out signals in the hope of obtaining useful information. This attack was first introduced in [2]. The attack targets a vulnerability in RFID system design. The two most important criteria for an RFID system are: 1) it needs to be very convenient (the tag can be easily read and accessed by the reader); 2) the tags need to be inexpensive. By design, RFID tags respond to whoever makes the query through a simple backscattering modulation. The adversary could exploit this property: after the reader has issued a command to the tag, the adversary sends out his own continuous waveform at a frequency different from the legitimate reader's frequency. This frequency, however, has to be within the range allowed by the tag. The tag's received waveform would be the superposition of the two signals. However, the tag does not check for the existence of the signal from the adversary. It simply performs the backscattering modulation and returns the data signal. Once the eavesdropper receives the backscattered signal, he first uses a bandpass filter to remove the legitimate reader's signal, leaving only his own frequency component of the signal. The adversary can then successfully recover the response of the tag. Thus, this scheme is also theoretically vulnerable to this attack.

6. Conclusions and Future Work

In this paper, we have presented a framework which exploits the physical nature of RFID systems. This framework allows messages to be securely transmitted from the tag to the reader in the presence of one passive eavesdropper. Thus, the secrecy of the messages and the privacy of the tag are ensured. This framework is easy to implement and requires no pre-sharing of any secrets between the reader and the tag. We have conducted a theoretical analysis and demonstrated that the theoretical decoding error probability of an adversary who does not know the time-varying waveform is close to 50% for a reasonable number of steps $m$. Two experiments were also performed, and their results agree with our theoretical results. We think this framework can be implemented in existing RFID networks to provide an additional layer of security against eavesdropping attacks. This framework is still vulnerable to multiple colluding adversaries and to active eavesdropping attacks, which are two stronger forms of attack. These two attacks can be prevented by secure encryption primitives. However, we have reasoned that this is either infeasible, in the case of public key encryption, or insecure, in the case of symmetric key encryption. The related works we presented earlier, which add a separate noise source, are all vulnerable to these two attacks as well. As future work, we intend to consider a stronger attack model with multiple colluding adversaries who are capable of conducting active eavesdropping attacks. In addition to detecting passive eavesdroppers, another potential method to thwart multiple colluding adversaries is to adopt a beamforming approach. Due to constructive and destructive interference of the signals, an adversary would only see a corrupted version of the signals, and collusion between the different adversaries could prove to be much more difficult. Furthermore, adversaries do not know the amplitude variations of each of the legitimate reader's transmitted signals, which would greatly increase the attacker's decoding error probability. This is future work we will consider. Secondly, we can use this framework to design a protocol for sharing keys between the reader and the tag. When the reader needs to communicate securely with the tag, the proposed scheme can be changed into a key transport scheme, where the key obtained by the tag is transported to the reader by hiding it in the time-varying waveform.

References

[1] F. Achard, O. Savry, A cross layer approach to preserve privacy in RFID ISO/IEC 15693 systems, RFID-Technologies and Applications (RFID-TA), 2012 IEEE International Conference on, vol. 85, no. 90, pp. 5-7, Nov. 2012.
[2] Q. Chai, G. Gong and D. Engels, How To Develop Clairaudience – Active Eavesdropping in Passive RFID Systems (invited), 3rd IEEE International Workshop on Data Security and Privacy in Wireless Networks, D-SPAN'12, San Francisco, CA, USA, 2012.
[3] EPCGlobal, UHF class 1 gen 2 standard v. 1.2.0, 2008.
[4] A. Grover and H. Berghel, A survey of RFID deployment and security issues, Journal of Information Processing Systems, vol. 7, no. 4, pp. 561–580, Dec. 2011.
[5] Impinj, RFID reader evaluation kit, Available: http://www.impinj.com/Speedway Reader Evaluation Kits.aspx.
[6] A. Juels, RFID security and privacy: A research survey, Journal of Selected Areas in Communication (J-SAC), vol. 24, no. 2, pp. 381–395, 2006.
[7] O. Savry, F. Pebay-Peyroula, F. Dehmas, G. Robert, The RFID Noisy Reader: How to prevent from the eavesdropping on the communication?, In P. Paillier and I. Verbauwhede, editors, CHES 07, vol. 4727 of LNCS, Springer, 2007.
[8] B. Wild and K. Ramchandran, Detecting primary receivers for cognitive radio applications, In Proc. IEEE Int. Symp. DySPAN, pp. 124-130, Nov. 2005.


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-328-5-69


SSL Usage in Commercial Internet of Things Platforms

Roy FISHER a,1 and Dr. Gerhard HANCKE b
a University of Pretoria
b City University of Hong Kong and University of Pretoria

Abstract. The uses for the Internet of Things are growing and cloud platforms have become available to manage deployed devices. The security of the Internet of Things is an important consideration and a challenge. There are potentially a large number of devices of limited capability that need to be managed and are required to perform tasks that depend on data flow to the back-end platform. Most platforms use the current industry standard for secure online communication – SSL (HTTPS). However, SSL allows for many different configurations, some of which are not secure. This paper offers an initial study of SSL communications security between devices and platforms by investigating the SSL implementations offered for prominent Internet of Things platforms. It is found that amongst these platforms the strength of the SSL configuration supported varies greatly.


Keywords. Internet of Things, IoT communication, IoT Embedded Devices

1. Introduction

The idea of an internet of things has been around since the early 1990s and it is rapidly becoming a reality [1]. However, the term Internet of Things (IoT) was first used during an IBM presentation by Kevin Ashton [2] to describe a world in which all objects were connected to each other through the Internet. This connection of objects would create a pervasive presence which could be used by individuals or companies to interact with their world [3]. The change of the Internet to include both objects and devices will change the type of communication on the Internet from human-human to human-machine and machine-machine communication [4]. This could allow a controller device situated in China to give a command to decrease production to a car manufacturing machine situated in South Africa through the Internet, in the blink of an eye, without any human interaction. This will allow industry to improve productivity by allowing the monitoring and control of their systems through these connected devices [5].

1 Corresponding Author: Roy Fisher, University of Pretoria, Pretoria, South Africa; E-mail: [email protected]


Many important concepts need to be considered when implementing the IoT. Some of these concepts include system security, network capability and device capability. The most important of these is system security, especially when considering an industrial application. With the increase in cyber-crime and digital espionage, the ability of the system to protect itself against external influences is of profound importance.

A well-defined generic architecture for the Internet of Things is presented by Khan et al. [3]. The higher layers of the architecture, the Business and Application layers, are responsible for presenting the data to the final consumers (system management, visualisation, business logic). The Middleware layer stores and processes the data (ubiquitous computing, database, service management, etc.). Typically this is where the platforms to be discussed later reside. The Network layer involves the devices and protocols that are responsible for the communication of the data between the devices and the central storage mechanisms (security, communication methods and protocols). The Perception layer is where the embedded devices, actuators and sensors used to create the pervasive presence are represented. These are the "things" that are spoken about within the Internet of Things; this layer is where the pervasive presence of the Internet of Things is created.

This paper deals with two technologies enabling the Internet of Things: low-power embedded devices and the cloud, especially cloud-based Internet of Things platforms [6,7]. These two technologies, along with many others, will play a huge role in creating the Internet of Things. We focus on the network layer security between these devices and the cloud. This link is often secured using SSL, which is widely used in network communication. SSL allows for many different configurations, some of which are considered more secure than others. Some of these configurations have been found to contain security weaknesses, and this paper investigates the security of SSL implementations configured with low-resource IoT devices in mind. Section 2 introduces the basic concepts of IoT platforms and SSL and evaluates a number of IoT platforms against an accepted SSL security test. In Section 3 we provide an overview of SSL implementations for a number of different IoT embedded devices.

2. Platforms

A large number of options exist when industries or individuals try to implement an Internet of Things. One option is deploying a centralized in-house server and connecting the devices and things to the server through the Internet. The other option is to use the power of the cloud and implement the Internet of Things using an already created platform. A large number of both commercial and open-source platforms exist [8]. Many of the large companies have deployed instances of these platforms; all of these services have been deployed as a platform as a service (PaaS) [7]. By using the platform as a service, the user can instead focus on developing the applications that will use the data. The embedded device sends the data to the servers using a REST (representational state transfer) based message format. This allows for a large number


of different devices to connect to the platforms and send information [9]. REST-based formats typically use HTTP as the underlying communication protocol. This again allows for easy expansion to many devices. There are a number of platforms that claim to be industry-capable; however, very little testing has been completed to validate these claims.

2.1. Platform Security

The data that traverses the Internet of Things could have a very high value, especially in an industrial implementation [10]. This requires that the security capabilities of both the Internet of Things platforms and the Internet of Things embedded devices be adequate. The current industry standard for secure communication is to use HTTPS (SSL) [11], and it is therefore not surprising that it is used extensively in IoT platforms. The SSL tunnel encrypts all data passed between the device and the platform. SSL uses cryptographic suites to ensure that the data that traverses the tunnel is secure. To determine the keys to be used in the suites, the protocol initially completes an SSL handshake. The SSL handshake involves many steps but can essentially be summarised as follows [12]:


1. The client sends the SSL versions and cipher suites it supports to the server
2. The server sends a certificate as well as its capabilities to the client
3. Using public key cryptography (and the key from the server's certificate) the client sends a master secret to the server
4. The server and client both calculate private keys using the master secret
5. Each one sends an encrypted message indicating that the handshake procedure is over
6. All information is encrypted using the calculated keys

To determine the overall security level of the platforms, a standard test was used on each of the IoT platform servers. The security test used was created by Qualys SSL Labs and tests the SSL capabilities of each of the servers². The server address that receives the data from the device is the one that was tested. This is generally not the same address that handles user login. The results received from the Qualys SSL Labs tool are ranked with an overall symbol for the server and then the relative strength of the server in four key areas, namely: certificate, protocol support, key exchange and cipher strength. The overall score is a mark given as a symbol ranging from A to F. The other values are provided as marks out of 100. This test was chosen because of the completeness of the results that are received. Not only does it highlight the areas of concern, it also explains why these areas are problematic.

2.2. Explanation of results

A full discussion of how the results are calculated for each section can be found in the SSL guide [13]. The results attained from the Qualys SSL Labs test are divided into four sections, namely: certificate, protocol support, key exchange and cipher strength.

² Found at https://www.ssllabs.com/ssltest/index.html

2.2.1. Certificate

The certificate is rated as either valid or invalid. An invalid certificate results in a zero score being awarded and an automatic fail for the server. Any of the reasons below will force a certificate to be considered invalid:

• Domain name mismatch
• Certificate not yet valid
• Certificate expired
• Use of a self-signed certificate
• Use of an untrusted certificate authority (CA)
• Use of a revoked certificate

Any of these errors results in a website achieving a zero result for the test and being assigned an F final mark.

2.2.2. Protocol Support

In calculating the score of the protocol support section, each protocol is assigned a score out of 100 based on known weaknesses and strengths. The scores for the worst supported and the best supported protocols are added together and the average is calculated. Table 1 below gives the scoring guide:


Table 1. Protocol Support Rating, Key Exchange Rating Guide and Cipher Strength Rating by SSL Labs [13]

Protocol support
  Protocol    Score
  SSL 2.0      20%
  SSL 3.0      80%
  TLS 1.0      90%
  TLS 1.1      95%
  TLS 1.2     100%

Key exchange
  Key Exchange Aspect        Score
  Weak Key (OpenSSL flaw)      0%
  Anonymous key exchange       0%
  Key Length < 512 bits       20%
  Key Length < 1024 bits      40%
  Exportable Key Exchange     40%
  Key Length < 2048 bits      80%
  Key Length < 4096 bits      90%
  Key Length > 4096 bits     100%

Cipher strength
  Cipher Strength           Score
  0 bits (no encryption)      0%
  < 182 bits                 20%
  < 256 bits                 80%
  >= 256 bits               100%

As can be seen from Table 1, the SSL protocols are generally considered to be the weakest and the TLS protocols the strongest. These rankings are generally aligned with the number of security flaws that each protocol is plagued by. The percentages are based on the current best practices for a secure SSL implementation on the Internet, which in turn are based on current trends and weaknesses shown in security research on SSL communication.

2.2.3. Key Exchange

The key exchange scoring guide is shown in Table 1. Servers which fall prey to known exploits are given a zero ranking; otherwise the length of the server's private key determines the strength of the cryptography. The key exchange strength is scored against the length of the key. In SSL communication, during the handshake phase, the longer the key the harder it is for an outside party to decode the initial phases of communication between a client and a server. Initially this key is used in SSL as the encryption key used to communicate the session encryption key between client and server.

2.2.4. Cipher Suite Strength

The cipher strength is calculated in the same way as the protocol support score. The strongest supported score is added to the weakest supported score and divided by 2. The scores for the cipher suites are based on the cipher length and can be seen in Table 1. These percentage scores are again based on best practices in industry implementations.

2.3. Additional Security Concerns

These are prominent security concerns related to SSL which have been published but are not covered by the scores detailed above.


2.3.1. RC4

The results obtained from the security scans that have been completed also highlight valid concerns with RC4 based encryption schemes. RC4 has for many years been considered to be less secure than other related encryption; this is mainly due to its use in WPA/TKIP encryption for Wi-Fi connections. The initial concerns involving the RC4 algorithm were concerned with the manner in which RC4 was employed within the overall encryption structure. Newer attacks instead target the RC4 algorithm itself and affect a much larger percentage of data communication [14]. The recent attacks are capable of decrypting any RC4 based encrypted data. The attack can only be prevented by completely disallowing the use of RC4 based encryption schemes. There are a number of countermeasures that can be employed to assist in mitigating the damage the attack is capable of inflicting.

2.3.2. BEAST, Lucky Thirteen and CRIME Attacks

The CRIME attack exploits TLS compression to inject predictable data and gain access to the information by using that data [15]. Disabling support for compression is a method to ensure that the CRIME attack is successfully prevented. The BEAST attack exploits a weakness in the client side SSL setup. The attack is capable of decrypting encoded information stored within secure cookies and allowing a third party to view the information [16]. The Lucky Thirteen attack is an exploit released in 2013 by the Information Security Group at Royal Holloway University. The attack is a new variant of the padding oracle attack, which was previously believed to have been fixed. New versions of open source security toolkits, such as OpenSSL, have been updated and now successfully mitigate this attack.


2.4. Platform Test Results

2.4.1. Arkessa

Arkessa is a commercial Internet of Things platform. They provide services to many large companies and therefore the security of their platform should be well maintained. The results of the Arkessa SSL test can be found in Table 2.

Table 2. Arkessa, Axeda and Bugswarm SSL Results

                    Arkessa   Axeda   Bugswarm
  Overall Result    C         B       F
  Certificate       100       100     0
  Protocol Support  85        85      85
  Key Exchange      40        80      90
  Cipher Suite      60        90      90

The overall rating for Arkessa was capped to a C because of the low marks scored in both key exchange and cipher strength. The low marks for the cipher suite are scored because of the support for very weak cipher algorithms. The server offers support for a range of cipher algorithms; however, within this list is support for four algorithms with relatively short key lengths (56 bits and below), and these are considered to be weak cipher types. The server's preferred cipher algorithms are 128 bit and above. This server successfully mitigates both the BEAST and CRIME attacks. The server supports RC4 based encryption algorithms. Steps need to be taken to ensure that recent confirmed attacks on RC4 based encryption do not adversely affect the secure communication.


2.4.2. Axeda

Axeda is another commercial Internet of Things platform. Again they provide an Internet of Things service to many large companies. On their website they claim to currently support over a million connected devices [17]. Unfortunately, since the platform does not have the option of a free account, the only server that could be tested was the developer server. As can be seen from Table 2, the overall result for Axeda is relatively good. Although it has a relatively high set of scores, the grade is capped to a B because the server does not mitigate two possible attacks: the CRIME attack and the BEAST attack, both described above. The server supports RC4 based encryption algorithms. Steps need to be taken to ensure that recent confirmed attacks on RC4 based encryption do not adversely affect the secure communication. The preferred method of prevention is to disable support for RC4 based communication.

2.4.3. Bugswarm

Bugswarm offers options for both paid and free users. The free users have a number of restrictions, like a limit on the number of devices that can be connected. Table 2 shows that the server for Bugswarm has completely failed the test. The server fails the test because the certificate that it supplies does not match the web address of the server. The server reported that the certificate was for "buglabs". This certificate was also expired, and this needs to be rectified by the company for their clients. The certificate chain of trust is not complete and therefore the certificate is not trusted. This untrusted certificate makes the communication vulnerable to man-in-the-middle (MITM) attacks [13]. The rest of the SSL requirements are met, and this resulted in the cipher suites, protocol support and key exchange all scoring good marks. This server also does not mitigate the BEAST attack; however, it successfully mitigates the CRIME attack by not supporting compression based communication. The server supports RC4 based encryption algorithms. Steps need to be taken to ensure that recent confirmed attacks on RC4 based encryption do not adversely affect the secure communication.

2.4.4. Carriots

Carriots is similar to Bugswarm in that they offer an initial free startup option allowing ten devices to be connected. Once the ten devices have been used, a pay-as-you-use principle applies.

Table 3. Carriots, Xively and Evrythng SSL Results

                    Carriots   Xively   Evrythng
  Overall Result    B          A        B
  Certificate       100        100      100
  Protocol Support  90         90       85
  Key Exchange      80         80       90
  Cipher Suite      90         90       60

Although the server achieved high scores in all the sections, the final grade is capped to a B because of the server's inability to mitigate the BEAST attack. This server successfully mitigates the CRIME attack as compression is not supported. The server is vulnerable to RC4 based exploits as it supports RC4 based encryption algorithms. Steps need to be taken to ensure that recent confirmed attacks on RC4 based encryption do not adversely affect the secure communication.

2.4.5. COSM/Pachube/Xively

COSM³ (previously known as Pachube) is one of the original open source Internet of Things platforms. COSM is one of the most well known and widely used Internet of Things platforms among open source developers. As can be seen from Table 3, the security implementation of the server scores very high and the server achieves a grade A rating. Although the platform scores the same marks as the Carriots platform, by prioritizing TLS 1.2 and RC4 encryption for other protocol versions the platform effectively mitigates the BEAST attack. By disabling support for compression the server also successfully mitigates the CRIME attack. The server supports RC4 based encryption algorithms. As explained above, encryption based on the RC4 algorithm is widely considered to be insecure.

³ During the writing of this report COSM changed its name again to Xively.


2.4.6. Evrythng

Evrythng is another commercially available option with current industry customers. Just like Carriots, Evrythng offers free developer accounts. This allows possible consumers to test the product before they decide to implement it. A number of security issues are prevalent in this platform. The main issue is the support for a weak cryptographic algorithm, namely DES, which has a key length of 56 bits. Another issue that the platform presents is allowing support for client-initiated renegotiation. Although not compromising the security of the information being sent, this opens the platform up to a Denial-of-Service (DoS) attack. This platform does not mitigate the BEAST attack but does successfully mitigate the CRIME attack by disabling support for TLS data compression. The server supports RC4 based encryption methods and is therefore also vulnerable to the recently discovered RC4 exploits.

2.4.7. Exosite

Exosite offers similar solutions to Carriots, having a pay-as-you-use principle as well as a small developer account which is free for small implementations.

Table 4. Exosite, Grovestreams and iDigiTab SSL Results

                    Exosite   Grovestreams   iDigiTab
  Overall Result    F         B              A
  Certificate       100       100            100
  Protocol Support  85        85             85
  Key Exchange      80        80             90
  Cipher Suite      60        90             90

The platform receives a grade of F because it allows insecure client renegotiation, which allows for man-in-the-middle attacks. Other security issues with the platform are the support for two weak cipher suites, both of which have a strength of 56 bits. The platform also supports many other cipher suites with a higher strength. This platform does not mitigate the BEAST attack. The server supports RC4 based encryption methods and is therefore also vulnerable to the recently discovered RC4 exploits. The server successfully mitigates the CRIME attack by disabling support for compression.

2.4.8. Grovestreams

Grovestreams is a platform that is still under development. The current release is only scheduled as a beta version. They are allowing completely free accounts to any individual that registers on their site. The accounts are free for as long as the platform is a beta version. The platform scored well in all sections and supports two protocol types. The platform supports both SSL 3.0 and TLS 1.0; neither of these standards is known to be one hundred percent secure. The platform favours the stronger cipher suites (anything over 128 bit strength). The platform does not mitigate the BEAST attack but does successfully mitigate the CRIME attack by disabling support for compression. The platform is also vulnerable to RC4 based exploits as RC4 based encryption is still supported.


2.4.9. iDigi/Device Cloud by Etherios

Etherios offers a free account allowing the connection of five devices. This is similar to other commercial Internet of Things platforms. This platform scores well (as seen in Table 4) in all of the categories and is therefore awarded a high grade symbol. The platform does not support a large number of cipher suites; however, all of the supported suites have high strength, enhancing the security. The platform successfully mitigates both the CRIME and BEAST attacks; however, it is vulnerable to RC4 exploits as RC4 based encryption is still supported.

2.4.10. SensorCloud

This platform, like many others, offers both free and paid accounts. The free accounts have a few restrictions placed on them.

Table 5. Sensorcloud, Thingspeak and Yaler SSL Results

                    Sensorcloud   Thingspeak   Yaler
  Overall Result    B             B            C
  Certificate       100           100          100
  Protocol Support  85            85           85
  Key Exchange      90            80           40
  Cipher Suite      90            90           60


The platform, although scoring very high marks which should have placed it within an A grade, has instead been graded as a B because of a number of key security flaws. The platform supports client initiated renegotiation, which places it in danger of a Denial of Service (DoS) attack. The platform also does not mitigate the BEAST attack but does mitigate the CRIME attack. The server supports RC4 based encryption methods and is therefore also vulnerable to the recently discovered RC4 exploits.

2.4.11. Thingspeak

Thingspeak is an open-source platform that is free to use. The platform is designed to allow any user to connect as many devices as they want. The platform supports a good collection of both cipher suites and protocol versions. The platform, however, allows compression and is therefore vulnerable to the CRIME attack. The server does not mitigate the BEAST attack. The platform does not support RC4 based encryption methods and is therefore not vulnerable to the recently discovered RC4 exploits.

2.4.12. Yaler

Yaler is slightly different to other Internet of Things platforms. Not only does it allow a user to send data from an embedded device to the platform, but it also allows the platform to act as a relay, allowing external users to access the embedded device through the platform, even if the device is behind a firewall or similar security feature.


The platform has a number of security issues. The main security concern is the strength of the public key used during the handshake phase of SSL communication. The second concern is the large number of weak security ciphers that are supported; even ciphers that have weaknesses within their algorithms are supported. The platform supports client initiated renegotiation, opening up the possibility of a DoS attack on the platform. The platform does not mitigate the BEAST attack but does successfully mitigate the CRIME attack. The server supports RC4 based encryption methods and is therefore also vulnerable to the recently discovered RC4 exploits.

2.5. Device Management

Not only is it important to protect the information that the platform is receiving, it is also important to ensure that the data being received by the platform originates from a legitimate device or source [18]. Many of the platforms use a single API master key that gets sent from the device during any HTTP/S based request. Typically this master key is a long string of characters. Although allowing for a degree of security, this does not specify device level access and allows any device or individual that obtains the key to send updates to the server. Another, more recent approach, adopted by many of the platforms, is to first register each device with the platform and grant each device a specific key. The devices are also associated with a single stream and do not have the capability to update another information stream. As an example, an RFID tag reader will only be able to update information concerning the tags that it has read and not information about the lighting conditions within the factory. This type of cross information stream updating was possible with the older single key approach. Although the new method requires a bit more user administration, the security and control benefits gained far outweigh the extra administration requirements. Rogue devices can be singled out and the information received from them can be terminated remotely.
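The per-device key scheme described above, as an added Python example that is not the code of any platform in the paper: each device gets its own key (only its hash is stored platform-side), the key is bound to one stream, and a rogue device can be revoked. The registry, device names and streams are constructed, and the master-key function is included only to contrast the older single-key approach.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Platform-side table: device id -> (hashed key, the one stream it may update, active flag).
    Hypothetical registry, constructed for this example."""

    def __init__(self):
        self._devices = {}

    def register(self, device_id, stream):
        """Issue a fresh per-device key; only its SHA-256 hash is kept on the platform."""
        key = secrets.token_hex(32)
        self._devices[device_id] = {
            "key_hash": hashlib.sha256(key.encode()).digest(),
            "stream": stream,
            "active": True,
        }
        return key  # handed to the device once, at provisioning time

    def revoke(self, device_id):
        """A rogue device is singled out and its updates are cut off remotely."""
        if device_id in self._devices:
            self._devices[device_id]["active"] = False

    def authorize(self, device_id, presented_key, stream):
        """Accept an update only from a registered, active device presenting the
        right key, and only for the stream that device was registered to."""
        entry = self._devices.get(device_id)
        if entry is None or not entry["active"]:
            return False
        presented_hash = hashlib.sha256(presented_key.encode()).digest()
        if not hmac.compare_digest(presented_hash, entry["key_hash"]):
            return False
        return entry["stream"] == stream


# The older single-master-key scheme, for contrast: one shared secret, no device
# identity, no stream binding. MASTER_KEY is a constructed stand-in.
MASTER_KEY = secrets.token_hex(32)


def master_key_authorize(presented_key, stream):
    del stream  # any holder of the key may update any stream
    return hmac.compare_digest(presented_key, MASTER_KEY)


def demo():
    """Walk through the factory example: a tag reader may not touch the lighting stream."""
    registry = DeviceRegistry()
    reader_key = registry.register("rfid-reader-01", "tag_reads")
    light_key = registry.register("light-sensor-01", "factory_lighting")
    results = {
        "own_stream": registry.authorize("rfid-reader-01", reader_key, "tag_reads"),
        "cross_stream": registry.authorize("rfid-reader-01", reader_key, "factory_lighting"),
        "wrong_key": registry.authorize("rfid-reader-01", light_key, "tag_reads"),
        "unknown_device": registry.authorize("rfid-reader-99", reader_key, "tag_reads"),
    }
    registry.revoke("rfid-reader-01")
    results["after_revoke"] = registry.authorize("rfid-reader-01", reader_key, "tag_reads")
    return results


if __name__ == "__main__":
    print(demo())  # own_stream True, every other case False
```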

3. Secure Communication Capabilities and Options

3.1. cURL and hURL

cURL is a command line based tool for transferring information using URL syntax. cURL supports many protocols ranging from HTTP/S to FTP [19]. This is an excellent tool for rapid development of Internet of Things applications and devices. The tool, however, requires that a fairly advanced Linux distribution is installed before it can be used. Devices capable of using cURL are the Raspberry Pi, Beaglebone and more advanced devices. cURL abstracts all the protocol specific communication requirements, thus allowing for rapid development of embedded device technologies. The developer can focus on the information that needs to be gathered and abstract all communication with the platform simply by using the relevant cURL command. hURL is a similar tool to cURL; the major difference is that instead of being command line based, hURL is browser based. This tool is not as powerful for embedded devices as they seldom have access to a browser.


3.2. Security Libraries

Another option available to a developer is to use open source communication toolkits such as OpenSSL [20]. These options allow the developer to use library functionality of programming languages to create programs that can communicate with the required platforms. These toolkits are often not optimised for use with embedded devices and could slow down the system by too great a margin. A number of toolkits are available; some of them are listed below:

1. OpenSSL
2. Mozilla NSS
3. yaSSL
4. GnuTLS

There are also a number of proprietary toolkits available. One of the most popular toolkits is OpenSSL, as it is a feature rich and powerful set of tools made available to the developer [21].

3.3. Devices

Recent advances in both low power device architecture and device capabilities have presented a wide array of devices capable of being embedded and enabling the Internet of Things. The operating systems traditionally used on these devices are customised versions of Linux.


3.3.1. Raspberry Pi

One of the options, launched as recently as a year ago, is the Raspberry Pi. The Raspberry Pi is a credit card sized Linux computer. The Raspberry Pi runs on the ARM architecture and runs a Debian based Linux distribution known as Raspbian [22]. This is not a stripped down version of Debian, but is instead a full version with a KDE desktop and full package manager. The Raspberry Pi can be considered a fully fledged computer and has built in support for HDMI (1080p) output, LAN based communication as well as two USB ports. One of the main advantages of a Raspberry Pi is its capability to support a complete Linux package management system. This allows for a more fully featured set of capabilities available for the developer to use. One example of this is the fully featured support of the latest version (version 1.0.1e) of OpenSSL available for the Raspberry Pi. This allows the device to be completely up to date, thereby allowing the OpenSSL security fixes to be applied as soon as they are available.

3.3.2. Other Options

The Beaglebone is another ARM architecture based device. The device is similar to the Raspberry Pi; however, it lacks a few of the features of the Raspberry Pi. The Beaglebone runs the Angstrom operating system. The Angstrom operating system is a Linux distribution specifically tailored to minimal-resource embedded devices [23]. The package manager of the Angstrom distribution is known for supporting fewer features than the more popular apt package manager.


At the time of writing this article the Angstrom Linux distribution only supported OpenSSL version 1.0.0, which was originally released in March 2010. This device does not receive regular updates, which could compromise overall security. Other embedded devices are available, such as the Arduino. The Arduino device does not have a fully featured Linux distribution. The "operating system" is instead a set of code created by the developer that follows a set plan of execution [6]. This means that any SSL development involving these devices will be unable to make use of the libraries and toolkits above and will instead need to be created from scratch.

3.3.3. SSL in a Constrained Environment

The devices available to the Internet of Things are typically low power and resource constrained devices [24]. This potentially places a large amount of strain on the communication of the system as a whole, particularly when implementing SSL capabilities on the system. Computationally intensive calculations, such as those completed when performing encryption and decryption, could slow the operation of these devices down and burden the entire communication network [25]. The effects of this need to be considered when implementing the system on a constrained device.

4. Conclusion

As a summary of the results given in Section 2.4, Table 6 is included. These results vary greatly and highlight both the number of options available for IoT development and the range in their security.


Table 6. Summary of evaluated scores and resistance to specific weaknesses

  Platform              SSL Result   RC4   BEAST   CRIME
  Arkessa               C            N     Y       Y
  Axeda                 B            N     N       N
  Bugswarm              F            N     N       Y
  Carriots              B            N     N       Y
  COSM/Pachube/Xively   A            N     Y       Y
  Evrythng              B            N     N       Y
  Exosite               F            N     N       Y
  Grovestreams          B            N     N       Y
  iDigi/Device Cloud    A            N     Y       Y
  Sensorcloud           B            N     N       Y
  Thingspeak            B            N     N       N
  Yaler                 C            N     N       Y

This paper has provided an initial study on the security of the communication between embedded devices and cloud platforms enabling the Internet-of-Things. Currently, a completely secure implementation does not exist but a number of platforms offer a good level of security. In some cases this might be sufficient.


When sending data across a public medium such as the Internet, there will always be a security challenge. The goal of implementing security services is to ensure that the main risks are mitigated. Mitigating all threats is not feasible, and in certain cases some threats could be seen as minimal. A good example of this would be the BEAST attack discussed earlier. To execute this attack a malicious party must first get the victim to access a link to a BEAST program. If an embedded device is autonomous then it is unlikely that it will access other websites, and the attacker would need to compromise the device in some way first. On the other hand, if the devices are controlled by a user it could be that these devices are directed to a link by the user. Each application environment must be considered on its own merits. That said, some platforms do offer little in terms of security, and in many proprietary platforms the status of the security mechanisms is unknown. Further work needs to be conducted on platform security from both a communication security and a device pairing perspective.

References

[1] L. Atzori, A. Iera, and G. Morabito, "The Internet of Things: A Survey," Computer Networks, vol. 54, no. 15, pp. 2787–2805, Oct. 2010.
[2] M. Wu, T.-l. Lu, F.-y. Ling, and H.-y. Du, "Research on the architecture of Internet of Things," in 2010 3rd International Conference on Advanced Computer Theory and Engineering (ICACTE). IEEE, Aug. 2010, pp. V5–484–V5–487.
[3] R. Khan, S. U. Khan, R. Zaheer, and S. Khan, "Future Internet: The Internet of Things Architecture, Possible Applications and Key Challenges," in 2012 10th International Conference on Frontiers of Information Technology. IEEE, Dec. 2012, pp. 257–260.
[4] M. Zorzi, A. Gluhak, S. Lange, and A. Bassi, "From Today's INTRAnet of Things to a Future INTERnet of Things: A Wireless- and Mobility-Related View," IEEE Wireless Communications, vol. 17, no. 6, pp. 44–51, 2010.
[5] M. Friedewald and O. Raabe, "Ubiquitous computing: An overview of technology impacts," Telematics and Informatics, vol. 28, no. 2, pp. 55–65, May 2011.
[6] S. Hodges, S. Taylor, N. Villar, J. Scott, D. Bial, and P. T. Fischer, "Prototyping Connected Devices for the Internet of Things," Computer, vol. 46, no. 2, pp. 26–34, 2013.
[7] M. Castro, A. J. Jara, and A. F. Skarmeta, "An Analysis of M2M Platforms: Challenges and Opportunities for the Internet of Things," 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, pp. 757–762, Jul. 2012.
[8] Unknown, "Tracking the Internet of Things," p. 1, 2012. [Online]. Available: http://postscapes.com/internet-of-things-platforms
[9] D. Pfisterer, K. Römer, D. Bimschas, O. Kleine, R. Mietz, and C. Truong, "SPITFIRE: Toward a Semantic Web of Things," IEEE Communications Magazine, pp. 40–48, Nov. 2011.
[10] R. H. Weber, "Internet of Things - New security and privacy challenges," Computer Law & Security Review, vol. 26, no. 1, pp. 23–30, Jan. 2010.
[11] Administration, "Q10241 - FAQ: What is SSL?" p. 1, 2005. [Online]. Available: http://info.ssl.com/article.aspx?id=10241
[12] W. Stallings, Network Security Essentials: Applications and Standards, 4th ed. Prentice Hall, 2010.
[13] SSL Labs, "SSL Server Rating Guide," 2013.
[14] K. Paterson, "On the Security of RC4 in TLS and WPA," p. 1, 2013. [Online]. Available: http://www.isg.rhul.ac.uk/tls/
[15] Ivanr, "CRIME: Information Leakage Attack against SSL/TLS," p. 1, 2013. [Online]. Available: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls
[16] Unknown, "Mitigating the BEAST attack on TLS," p. 1, 2013. [Online]. Available: https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
[17] Anonymous, "Axeda," p. 1, 2013. [Online]. Available: http://www.axeda.com/
[18] G. A. N. Gang and L. U. Zeyong, "Internet of Things Security Analysis," in Internet Technology and Application (iTAP), 2011 International, 2011, pp. 1–4.
[19] C. Jordan, "9 uses for cURL worth knowing," p. 1, 2012. [Online]. Available: https://httpkit.com/resources/HTTP-from-the-Command-Line/
[20] R. Bonetto, N. Bui, V. Lakkundi, A. Olivereau, A. Serbanati, and M. Rossi, "Secure Communication for Smart IoT Objects: Protocol Stacks, Use Cases and Practical Examples," in World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2012, pp. 1–7.
[21] Anonymous, "OpenSSL About," p. 1, 2013. [Online]. Available: http://www.openssl.org/about/
[22] C. Edwards, "Not So Humble Raspberry Pi Gets Big Ideas," Engineering and Technology, vol. 8, no. 3, pp. 30–33, 2013.
[23] Anonymous, "Angstrom," p. 1, 2013. [Online]. Available: http://www.linuxtogo.org/gowiki/Angstrom
[24] R. Roman, P. Najera, and J. Lopez, "Securing the Internet of Things," Computer, vol. 44, no. 9, pp. 51–58, 2011. [Online]. Available: http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6017172
[25] T. Bingmann, "Speedtest and Comparsion of Open-Source Cryptography Libraries and Compiler Flags," p. 1, 2008. [Online]. Available: http://panthema.net/2008/0714-cryptography-speedtest-comparison/


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-328-5-83


A Comparative Study of Stream Ciphers and Hash Functions for RFID Authentications


Shugo MIKAMI a,1, Dai WATANABE a and Kazuo SAKIYAMA b
a Hitachi, Ltd., Yokohama Research Laboratory, Japan
b Department of Informatics, The University of Electro-Communications, Japan

Abstract. RFID tags are extensively used in many applications, even though RFID systems suffer from security and privacy risks, such as data forgery and tracking. RFID authentication protocols and lightweight cryptographic algorithms have been developed to overcome these risks. Saarinen et al. have studied some design requirements for the lightweight cryptographic algorithms from the viewpoint of implementation [33]. They have proposed lightweight stream ciphers to generate Tag-IDs. However, the Tag-ID length they evaluated is too short to realize secure RFID authentications, and compact implementations of the lightweight hash functions are inappropriate for generating the Tag-IDs because they take a large number of clock cycles. In this paper, we evaluate the hardware performance of certain lightweight stream ciphers for generating long Tag-IDs defined in RFID standards, such as the EPC Data Standard and ISO/IEC 15963. We evaluate the hardware performance of certain lightweight hash functions with parallel implementation to meet a low area requirement and to achieve high speed performance. We show that as the Tag-IDs become longer, the hash functions take a large number of clock cycles while the stream ciphers take a smaller number of clock cycles. Our results reveal that the lightweight stream ciphers are suitable for generating the Tag-IDs for RFID applications which require quick responses.

Keywords. RFID, Tag-ID, hardware implementation, lightweight stream cipher, lightweight hash function

Introduction

An RFID (Radio Frequency Identification) system consists of an RFID tag, a reader and a back-end system. The RFID tag is a small and inexpensive device. It communicates with the readers wirelessly, sending data to the readers or performing some operations. The reader communicates with the RFID tags. The back-end system is connected with the readers and stores the necessary information. Applications using RFID tags are numerous, such as supply chain, transportation, prevention of counterfeiting, pet tracking, luggage tracking, and library management. The data communicated between the RFID tags and the readers includes identification or location information, depending on the application.

1 Hitachi, Ltd., Yokohama Research Laboratory, 292, Yoshida-cho, Totsuka-ku, Yokohama, Kanagawa, 2440817, Japan; E-mail: [email protected].

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,


S. Mikami et al. / A Comparative Study of Stream Ciphers and Hash Functions

To protect the wireless communication from security and privacy risks, such as data forgery and tracking, RFID authentication protocols and lightweight cryptographic algorithms have been studied. In a basic RFID authentication protocol, a reader sends a random challenge C to the RFID tag. The RFID tag then uses a shared secret key K, which is stored in the memory of the RFID tag, and a cryptographic algorithm f to generate a response R = f(K, C). Then the RFID tag sends R to the reader. The reader verifies the RFID tag by checking whether R is equal to the value which the reader calculated. There are many variations of this scheme with block ciphers or hash functions as the cryptographic algorithms [9,14,24,25,26,32]. Lightweight block ciphers such as DESL [27], PRESENT [5], KATAN/KTANTAN [6], LED [18], Piccolo [34], and lightweight hash functions such as SPONGENT [4], QUARK [1], PHOTON [17], MAME [37], and Lesamnta-LW² [22] have been developed.

Saarinen et al. have studied some design requirements for the cryptographic algorithms from the viewpoint of implementation [33]. They have pointed out that work on lightweight cryptographic algorithms had almost exclusively concentrated on minimizing area requirements, while generally ignoring timing constraints. They have picked a widely known RFID standard, namely the EPCglobal Class-1 Generation-2 [12], and examined how well the lightweight hash functions meet the timing constraint originating from the standard. They have described that the lightweight hash functions they considered were inappropriate for the above RFID authentication because they take a very large number of clock cycles. They have mentioned that lightweight stream ciphers might be used for the RFID authentication instead. However, two issues still remain open, in the following sense.

First, they have not taken care of the security strength. They have evaluated the clock cycles the lightweight cryptographic algorithms need to generate 16-bit outputs, and intended to authenticate the RFID tags with them. However, we deduce that the resulting security strength of the RFID tags is too small to be applied in practice. For example, it is not suitable for an RFID system having 2^8 tags to authenticate the RFID tags with the above basic RFID authentication using 16-bit outputs, because the response R collides with another response R' with probability 1/2^8. This results in RFID tag authentication failure. Thus, we deduce that long Tag-IDs are important to realize secure RFID authentication. Several long Tag-IDs, ranging from 64 bits to 202 bits, are defined in the EPC Data Standard and ISO/IEC 15963.

Second, the compact implementations, i.e. low area implementations, of the lightweight hash functions are not suitable for the RFID tags because they take a large number of clock cycles. Since hardware resources on the RFID tags are limited, the required area should be low. What has to be noticed is that high speed performance may also be required, because there exists a timing constraint within which the response must be generated. Hence, the encryption process must be completed within it. We deduce that the parallel hardware architecture of the lightweight cryptographic algorithms is suitable for the RFID tags, since it takes slightly more area but a smaller number of clock cycles compared with the serialized hardware architecture.

A comparison of hardware evaluation results of some cryptographic algorithms which achieve different security strengths has been studied [15]. However, it is very important to evaluate cryptographic algorithms in terms of hardware performance under

2 Lesamnta is a registered trademark of Hitachi, Ltd. in Japan.


the condition that the evaluated cryptographic algorithms achieve the same security strength. This is because there is typically a trade-off between security strength and hardware performance, such as area requirements and clock cycles. In our previous work, we have evaluated the hardware performance of certain lightweight cryptographic algorithms that can be used in the OSK protocol [31] under the following conditions [28]: we selected algorithms which achieve 80-bit security, and fixed the output length of the algorithms, namely 144 bits.

In this paper, we show hardware evaluation results of certain cryptographic algorithms that can be used in RFID authentication to generate the Tag-IDs. Two possible Tag-ID generation procedures, named Case 1 and Case 2, are examined in this paper. In Case 1, the RFID tag starts the Tag-ID generation after the RFID tag receives a random challenge C. In Case 2, before the RFID tag receives C, the RFID tag starts key-dependent preprocessing, such as key loading or generating intermediate values with the key. After the RFID tag receives C, the RFID tag generates the Tag-ID with the intermediate values and C. We select Grain-80 [23], adopted in the eSTREAM [11] Portfolio, Trivium [7], adopted as an ISO/IEC 29192-3 standard, and Enocoro-80³ [19], adopted as an ISO/IEC 29192-3 standard. We select SPONGENT-160 [4] and D-QUARK [1] under the condition that these hash functions achieve the same security strength as the stream ciphers. We use the same interface to evaluate the cryptographic algorithms fairly. We select the parallel hardware architecture of the cryptographic algorithms mentioned above to take a low area requirement and to achieve high speed performance. Then we evaluate these cryptographic algorithms in terms of area requirements and clock cycles. Table 1 shows our evaluation results of the cryptographic algorithms in Case 1. The serialized hardware architecture of these algorithms and their hardware performance have been studied [1,4,16,30]. We also estimate the number of clock cycles of the algorithms from those studied results, and show them in the lower 4 rows of Table 1 for comparison with our results. From our evaluation results, the following two results are obtained. First, the initialization process of the stream ciphers takes the dominant part of the number of clock cycles. Second, the hardware performance of the cryptographic algorithms, especially the hash functions, differs extremely according to the hardware architecture. The hardware evaluation results of the cryptographic algorithms in Case 2 are shown in Table 3.

The rest of this paper is organized as follows. Section 1 summarizes the protocol and the Tag-IDs of the RFID standards. This section also describes how the cryptographic algorithms can be used in the standards. Section 2 reviews certain lightweight cryptographic algorithms. Section 3 describes the hardware architectures of the cryptographic algorithms and shows our evaluation results. Section 4 concludes this paper.

1. RFID Standards

The EPCglobal⁴ Generation-2 is an important standard defined by EPCglobal [12]. Four classes of RFID tags are distinguished within the standard. Class-1 refers to write-once and read-many passive tags. The passive tag receives all operating power from the reader's radio frequency. We focus on this class because it seems to be widely known. A tag-access protocol using the Tag-ID is described in the EPCglobal Class-1 Generation-2, and the Tag-ID lengths are described in the EPC Tag Data Standard and ISO/IEC 15963.

3 Enocoro is a registered trademark of Hitachi, Ltd.
4 EPCglobal is a registered trademark of EPCglobal, Inc.

Table 1. Hardware performance of the lightweight stream ciphers and the lightweight hash functions in Case 1. The first 5 rows show hardware evaluation results of our implementations. The lower 4 rows show the hardware performance of the algorithms with the serialized architectures. In [1,4] the number of clock cycles needed to hash only one message block has been reported, while we estimate the number of clock cycles needed to hash several message blocks in this table. This is why our results are larger than those reported previously. Clock cycles of SHA-1 needed to generate more than 160-bit Tag-IDs are written as "-". Since SPONGENT-160 and D-QUARK are sponge construction based hash functions, these hash functions can generate more than 160-bit outputs, while the security strength is still 80 bits. On the other hand, since SHA-1 is built from a block cipher, SHA-1 does not generate more than 160-bit outputs.

                                     Clock cycles for Tag-ID length (bits)
Algorithm          Area (GE)      64     96    113    170    195    198    202
Grain-80              2750        47     51     54     61     64     64     65
Trivium               3520       173    177    180    187    190    190    191
Enocoro-80            2850        67     71     74     81     84     84     85
SPONGENT-160          3210      1173   1353   1533   1803   1983   1983   1983
D-QUARK               3310      1121   1293   1465   1723   1895   1895   1895
Grain-80 [16]         1294       233    265    282    339    364    367    371
Trivium [16]          2580      1226   1258   1275   1332   1357   1360   1364
SPONGENT-160 [4]      1329     59404  67324  71532  85639  91827  92569  93559
D-QUARK [1]           1702     19024  20432  21180  23688  24788  24920  25096
SHA-1 [30]            5527       332    336    339      -      -      -      -


1.1. Protocol in EPCglobal Class-1 Generation-2

The EPCglobal Class-1 Generation-2 defines the physical and logical requirements for RFID systems operating in the 860-960 MHz frequency range. A tag access protocol between a tag and a reader is described in the EPCglobal Class-1 Generation-2, which is performed in the following manner.

1. A reader issues a query to an RFID tag.
2. The RFID tag responds with a 16-bit random number (RN16).
3. The reader acknowledges the RFID tag by issuing a code called ACK with the same RN16.
4. The RFID tag responds with the EPC (Electronic Product Code).
5. The reader issues a request containing the same RN16.
6. The RFID tag responds with a 16-bit Tag-ID.
7. The reader accesses the RFID tag.

The Tag-ID is used to authenticate the RFID tag in this protocol. In the EPCglobal Class-1 Generation-2, it is described that an RFID tag shall implement a random or pseudorandom number generator which shall generate 16-bit random or pseudorandom numbers and the Tag-ID.


We deduce that the stream ciphers and the hash functions can be used to generate the Tag-IDs. A stream cipher is an encryption mechanism which uses pseudorandom bit strings. It consists of two processes. Firstly, a pseudorandom number generator generates keystreams of arbitrary length, taking as input a secret key and an initial vector (IV) of a fixed length. Secondly, it combines the keystream and a plaintext to generate a ciphertext. When the stream ciphers are used as f, it seems natural to take K and C as inputs to the secret key and the IV of the stream ciphers, respectively. On the other hand, a hash function takes variable-length messages as input. When the hash functions are used as f, it seems natural to take the concatenation of K and C as input to the hash functions. Thus the stream ciphers and the hash functions can be used to generate pseudorandom numbers, while several pseudorandom number generators are standardized [29].

1.2. Tag-ID lengths

Several long Tag-IDs are defined by RFID standards. Table 2 summarizes the Tag-ID lengths defined in the EPC Tag Data Standard Version 1.6 [13] and ISO/IEC 15963.

Table 2. Tag-ID lengths

Standard                        Tag-ID length (bits)
EPC Tag Data Standard [13]      96, 113, 170, 195, 198, 202
ISO/IEC 15963                   64
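As an added example that is not part of the paper, the following Python instantiates the response R = f(K, C) of Section 1.1 with Trivium as f, taking K as the 80-bit key and the challenge C as the IV, and runs the basic challenge-response exchange between a tag and a reader. Two conventions are assumptions made here: the 64-bit C is zero-padded to Trivium's 80-bit IV, and bits are loaded and packed MSB-first; the Tag, Reader and tag_id names are hypothetical.

```python
# Added example (not the paper's code): Trivium as the RFID response function f,
# R = f(K, C), with K as the key and C as the IV, as described in Sect. 1.1.
import hmac
import os


def _bits(data: bytes, nbits: int) -> list:
    """Bit list of `data`, MSB of the first byte first (an assumed convention),
    zero-padded or truncated to nbits."""
    out = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    return (out + [0] * nbits)[:nbits]


def trivium_keystream(key: bytes, iv: bytes, nbits: int) -> list:
    """Bit-serial Trivium (De Canniere and Preneel): 288-bit state, 1152
    initialization rounds with no output, then one keystream bit per round."""
    assert len(key) == 10 and len(iv) == 10, "Trivium takes an 80-bit key and 80-bit IV"
    s = _bits(key, 80) + [0] * 13            # s1..s93   (indices 0..92)
    s += _bits(iv, 80) + [0] * 4             # s94..s177 (indices 93..176)
    s += [0] * 108 + [1, 1, 1]               # s178..s288 (indices 177..287)

    def round_():
        # spec positions are 1-based; the list index is position - 1
        t1 = s[65] ^ s[92]
        t2 = s[161] ^ s[176]
        t3 = s[242] ^ s[287]
        z = t1 ^ t2 ^ t3
        t1 ^= (s[90] & s[91]) ^ s[170]
        t2 ^= (s[174] & s[175]) ^ s[263]
        t3 ^= (s[285] & s[286]) ^ s[68]
        s[1:93] = s[0:92]; s[0] = t3          # shift register A
        s[94:177] = s[93:176]; s[93] = t1     # shift register B
        s[178:288] = s[177:287]; s[177] = t2  # shift register C
        return z

    for _ in range(4 * 288):                 # initialization: output discarded
        round_()
    return [round_() for _ in range(nbits)]


def tag_id(key: bytes, challenge: bytes, id_bits: int) -> bytes:
    """R = f(K, C): the first id_bits keystream bits, packed MSB-first (padded to
    whole bytes). The 64-bit challenge is zero-padded to the 80-bit IV (assumption)."""
    assert len(key) == 10 and len(challenge) == 8
    bits = trivium_keystream(key, challenge + bytes(2), id_bits)
    bits += [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


class Tag:
    """RFID tag holding the shared secret K in its memory."""
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes, id_bits: int = 64) -> bytes:
        return tag_id(self._key, challenge, id_bits)


class Reader:
    """Reader with back-end access to each tag's K; verifies R against its own f(K, C)."""
    def __init__(self, key_db: dict):
        self._key_db = key_db

    def authenticate(self, serial: str, tag: Tag, id_bits: int = 64) -> bool:
        challenge = os.urandom(8)                       # fresh 64-bit random C
        response = tag.respond(challenge, id_bits)
        expected = tag_id(self._key_db[serial], challenge, id_bits)
        return hmac.compare_digest(response, expected)  # constant-time comparison


if __name__ == "__main__":
    k = bytes(range(10))                                # constructed sample key
    reader = Reader({"tag-1": k})
    print("genuine tag accepted:", reader.authenticate("tag-1", Tag(k)))
    print("tag with wrong key accepted:", reader.authenticate("tag-1", Tag(bytes(10))))
    print("202-bit Tag-ID:", tag_id(k, bytes(8), 202).hex())
```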

2. Lightweight Cryptographic Algorithms


In this section, we set the security strength of certain lightweight stream ciphers and certain hash functions. Then we briefly review these cryptographic algorithms.

2.1. Security Strength

Some lightweight hash functions are sponge construction based hash functions. A sponge function instantiates the sponge construction, which is a simple iterated construction building a variable-length input, variable-length output function based on a fixed-length permutation. The security parameter of a sponge-based hash function is half the size of the so-called capacity c [2,3]. On the other hand, the security parameter of the stream ciphers is the key length. In this paper, we set 80 bits as the security strength. So far as the lightweight cryptographic algorithms are concerned, the security strength is generally 64 bits, 80 bits, 112 bits, or 128 bits. It is recommended that the smallest security strength is 80 bits for general purpose use [10]. It is also mentioned that 64 bits offer only very poor protection.

2.2. Lightweight Stream Ciphers

Grain-80, Trivium and Enocoro-80 are lightweight stream ciphers supporting an 80-bit key.


2.2.1. Grain-80

Grain-80 [23] is a bit-oriented stream cipher designed by M. Hell et al. It accepts an 80-bit key and a 64-bit IV. Grain-80 has a 160-bit internal state and does not release keystream output during the initialization process, which updates the internal state 160 times. The update functions consist of nonlinear Boolean functions. After the initialization process, Grain-80 outputs 1 bit/clock. Grain-80 has the property that it is possible to increase the speed of the cipher at the expense of more hardware, without extending the critical path, by implementing the update functions of the internal state several times. This allows the speed to be easily multiplied by a factor t, which is up to 16. By increasing t, Grain-80 outputs t bits/clock and takes 160/t clock cycles in the initialization process.

2.2.2. Trivium

Trivium [7] is a bit-oriented stream cipher designed by C. De Cannière et al. It accepts an 80-bit key and an 80-bit IV. Trivium has a 288-bit internal state and does not release keystream output during the initialization process, which updates the internal state 1152 times. The update functions consist of nonlinear Boolean functions. After the initialization process, Trivium outputs 1 bit/clock. Similarly to Grain-80, the speed is easily multiplied by a factor t, which is up to 64. By increasing t, Trivium outputs t bits/clock and takes 1152/t clock cycles in the initialization process.

2.2.3. Enocoro-80


Enocoro-80 [19] is a byte-oriented stream cipher designed by Hitachi, Ltd. It accepts an 80-bit key and a 64-bit IV. Enocoro-80 has a 176-bit internal state and does not release keystream output during the initialization process, which updates the internal state 40 times. The update function consists of 8-bit S-boxes and a linear function. After the initialization process, Enocoro-80 outputs 8 bits/clock.

2.3. Lightweight Hash Functions

SPONGENT-160 and D-QUARK are lightweight hash functions supporting a 160-bit capacity.

2.3.1. SPONGENT-160

SPONGENT [4] is a lightweight hash function family designed by A. Bogdanov et al. SPONGENT-160 is a variant of SPONGENT which has a 176-bit internal state. The internal state consists of a 160-bit capacity and a 16-bit rate. The 16-bit message blocks are XORed with the rate in the absorbing process. Then the internal state is processed with the permutation πb, 90 times. πb consists of 4-bit S-boxes and a bit permutation. The rate is output interleaved with applications of πb.

2.3.2. D-QUARK

QUARK [1] is a lightweight hash function family designed by J.P. Aumasson et al. D-QUARK is a variant of QUARK which has a 176-bit internal state. The internal state consists of a 160-bit capacity and a 16-bit rate. The 16-bit message blocks are XORed with the rate in the absorbing process. Then the internal state is processed with the permutation P, 704 times. P consists of nonlinear Boolean functions. The rate is output interleaved with applications of P. Similarly to Grain-80 and Trivium, the speed is multiplied by a factor t, which is up to 8. By increasing t, D-QUARK takes 704/t clock cycles for P.

Figure 1. Serialized architecture and parallel architecture (block diagram not reproduced; labels: input, MUX, FF, F, output)

3. Hardware Performances


In this section, we first describe practical hardware architectures of Grain-80, Trivium, Enocoro-80, SPONGENT-160 and D-QUARK. Then we show our evaluation results for them.

3.1. Hardware Architecture

We implement the cryptographic algorithms using the parallel architecture. Two major hardware architectures exist: the serialized architecture and the parallel architecture, as depicted in Figure 1. In Figure 1, FF, F and MUX denote a register, a function and a multiplexer, respectively. The serialized architecture is characterized by the property that data bits are stored in a register chain and transformed with the function in a bit- or byte-wise fashion. On the other hand, the parallel architecture is characterized by the property that all bits of data stored in the registers are transformed with the functions at the same time. Thus, to take a low area requirement and to achieve high speed performance, we select the parallel architecture for the cryptographic algorithms. We design the interface of the cryptographic algorithms based on an SRAM (static random-access memory) of 16-bit word width. An SRAM is a kind of volatile memory. Recently, RFID tags equipped with an SRAM have been studied [8,20,21]. Thus, RFID tags equipped with an SRAM and cryptographic modules, which are connected with a bus, are conceivable.


Figure 2. Hardware architecture of the stream ciphers (block diagram not reproduced; labels: input_0 ... input_i (16 bits), MUX, FF, Update function, Output function, output buffer (16 bits))

We adjust the input length of the hash functions to that of the stream ciphers, namely 144 bits. This is because the number of clock cycles is affected by the input message length. This length is in accordance with the input length of the stream ciphers, which consists of an 80-bit key and a 64-bit IV. We set the output lengths of the cryptographic algorithms to the Tag-ID lengths. We design the hardware architectures of Grain-80, Trivium and D-QUARK with the concurrency parameter t = 8. As described in Sects. 2.2.1, 2.2.2 and 2.3.2, these cryptographic algorithms can be implemented with various values of the concurrency parameter t. As regards Grain-80, it has been studied that Grain-80 takes about 1 kGE more area while it takes 140 fewer clock cycles by increasing t from 1 to 8 [16]. It has also been studied that Grain-80 takes about 1 kGE more area while it takes only 10 fewer clock cycles by increasing t from 8 to 16 [16]. Thus, from the viewpoint of the trade-off between the area requirements and the number of clock cycles, we set t = 8. Figure 2 shows our hardware architecture of Grain-80, Trivium and Enocoro-80. In Figure 2, a 16-bit buffer is implemented to keep the output of the ciphers up to 16 bits. One round of the update function of Enocoro-80 is processed within one clock cycle. As described above, one-round update functions of Grain-80 and Trivium are implemented eight times in parallel, and they are processed within one clock cycle. Figure 3 shows our hardware architecture of SPONGENT-160 and D-QUARK. One round of the permutation πb of SPONGENT-160 is processed within one clock cycle. As described above, one round of the permutation P of D-QUARK is implemented eight times in parallel, and they are processed within one clock cycle.

Figure 3. Hardware architecture of the hash functions (block diagram not reproduced; labels: input_i (16 bits), MUX, FF (160 bits), permutation, output (16 bits))

3.2. Evaluation results

In this section we show our evaluation results of Grain-80, Trivium, Enocoro-80, SPONGENT-160 and D-QUARK on ASIC (Application Specific Integrated Circuit). In order to evaluate the silicon area and the number of clock cycles, the circuits have been synthesized using Synopsys⁵ Design Compiler⁶ (Version C-2009.06-SP5) and the TSMC 90 nm high performance library. The area results are based on synthesis and are given in gate equivalents (GE). The number of clock cycles also includes I/O (input/output) for hashing (SPONGENT-160, D-QUARK) and pseudorandom number generation (Grain-80, Trivium, Enocoro-80).

5 Synopsys is a registered trademark of Synopsys, Inc.
6 Design Compiler is a product name of Synopsys, Inc.

Table 1 summarizes our results in Case 1. The following two results are obtained. First, as the Tag-IDs become longer, the hash functions take a larger number of clock cycles, while the stream ciphers take a smaller number of clock cycles. Since the hash functions take short message blocks and generate short hash blocks, namely of 16-bit length, the number of blocks is large. Then, the round function is applied the designated number of times interleaved with each block. Hence, the hash functions take a large number of clock cycles as the Tag-IDs become long. On the other hand, the stream ciphers spend their clock cycles in the initialization process. After the initialization process, the stream ciphers output pseudorandom numbers every clock. Hence, the initialization process of the stream ciphers takes the dominant part of the number of clock cycles. Second, the hardware performance of the cryptographic algorithms, especially the hash functions, differs extremely according to the hardware architectures of the algorithms. Since the serialized architectures of the cryptographic algorithms use only a few components of the algorithms, they take a low area requirement. However, as they process a few bits per clock, they take a large number of clock cycles.

Table 3 summarizes our results in Case 2. Before the stream cipher circuits receive C, the circuits can load K from the memory of the RFID tags. However, the circuits cannot proceed further because both K and C are required in the initialization process. Thus, the stream ciphers take clock cycles for K and C loading and for the initialization process.
On the other hand, before the hash function circuits receive C, the circuits can load K from the memory of the RFID tags and operate the key absorbing process, which depends only on K. Since the circuits absorb only the C blocks after the circuits receive C, the number of clock cycles becomes small. The specifications of some off-the-shelf RFID products are open to the public. For example, the operating frequency is 134.2 kHz and the response time between the RFID tags and the readers is 6 ms or 17 ms [35,36]. The numbers of clock cycles available for computation are evaluated with these values, and they are 806 and 2281 with respect to the response time. The stream ciphers can meet these restrictions, while the hash functions cannot meet these restrictions in some cases. As far as we know, the specifications of the RFID products operating in the 860-960 MHz frequency range are not open.

We reuse the source files of the cryptographic algorithms that we used to evaluate their hardware performance in our previous work, since the interface of the cryptographic algorithms that can be used in the OSK protocol [31] is the same as the one that can be used in the RFID authentication. Hence, the area requirements shown in Tables 1 and 3 are the same as our previous results in [28]. We deduce that the area requirements of these cryptographic algorithms with the additional control circuits needed to realize the RFID authentication may be different from those needed to realize the OSK protocol. The OSK protocol and improved variants of the OSK protocol, such as [24], have been proposed in addition to challenge-response based authentication protocols. Since in [24] the cryptographic algorithms take as input data whose length exceeds 144 bits, it is important to study how efficiently the stream ciphers can be used. We deduce that calling the stream ciphers repeatedly is one option.

Table 3. Hardware performance of the lightweight stream ciphers and the lightweight hash functions in Case 2. This table is described in the same manner as Table 1.

                                     Clock cycles for Tag-ID length (bits)
Algorithm          Area (GE)      64     96    113    170    195    198    202
Grain-80              2750        42     46     49     56     59     59     60
Trivium               3520       168    172    175    182    185    185    186
Enocoro-80            2850        62     66     69     76     79     79     80
SPONGENT-160          3210       723    903   1083   1353   1533   1533   1533
D-QUARK               3310       671    843   1015   1273   1445   1445   1445
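The two results above can be checked with a small clock-cycle model, added here as an example and not taken from the paper: a sponge hash pays one permutation per absorbed or squeezed 16-bit block, so its cost grows by a full permutation for every extra block of Tag-ID, while a stream cipher pays a one-off initialization and then one clock per 8 output bits. The I/O constants (io) are assumptions fitted so that the model reproduces the Case 1 and Case 2 rows of Tables 1 and 3 for SPONGENT-160, Grain-80, Trivium and Enocoro-80; they are not design data from the authors.

```python
# Added example (not the paper's code): a clock-cycle model that reproduces the
# Case 1 / Case 2 rows of Tables 1 and 3 for SPONGENT-160 and the three stream ciphers.
# The I/O constants (io) are assumptions fitted to the tables, not design data.
from math import ceil

TAG_ID_LENGTHS = (64, 96, 113, 170, 195, 198, 202)    # Table 2
KEY_BITS, CHALLENGE_BITS, WORD = 80, 64, 16             # 144-bit K||C, 16-bit SRAM words
CYCLE_BUDGETS = {"6 ms": 806, "17 ms": 2281}            # 134.2 kHz products, Sect. 3.2

# Parallel architectures of Sect. 3.1: SPONGENT-160 runs one pi_b round per clock;
# Grain-80 and Trivium run t = 8 rounds and emit 8 bits per clock; Enocoro-80 runs one
# round and emits 8 bits per clock. io values are fitted assumptions.
SPONGES = {"SPONGENT-160": dict(rounds=90, t=1, io=3)}
STREAMS = {
    "Grain-80":   dict(init=160,  rounds_per_clock=8, bits_per_clock=8, io=19),
    "Trivium":    dict(init=1152, rounds_per_clock=8, bits_per_clock=8, io=21),
    "Enocoro-80": dict(init=40,   rounds_per_clock=1, bits_per_clock=8, io=19),
}


def padded_blocks(nbits: int, rate: int = WORD) -> int:
    """Blocks absorbed for an nbits message under 10* padding; a message ending on a
    block boundary still needs one extra padding block."""
    return nbits // rate + 1


def hash_cycles(id_bits, rounds, t=1, io=3, case=1, rate=WORD):
    """Sponge hash: one permutation per absorbed or squeezed block, except that the
    last absorb and the first squeeze share one permutation."""
    absorbed = padded_blocks(KEY_BITS + CHALLENGE_BITS, rate)
    if case == 2:                     # K's full blocks were absorbed before C arrived
        absorbed -= KEY_BITS // rate
    squeezed = ceil(id_bits / rate)
    permutations = absorbed + squeezed - 1
    return permutations * ceil(rounds / t) + io


def stream_cycles(id_bits, init, rounds_per_clock, bits_per_clock, io, case=1):
    """Stream cipher: initialization once, then bits_per_clock keystream bits per clock."""
    if case == 2:                     # K's 16-bit words were loaded before C arrived
        io -= KEY_BITS // WORD
    return ceil(init / rounds_per_clock) + ceil(id_bits / bits_per_clock) + io


def cycle_table(case=1):
    """{algorithm: {Tag-ID length: clock cycles}} for every length in Table 2."""
    table = {}
    for name, p in SPONGES.items():
        table[name] = {n: hash_cycles(n, case=case, **p) for n in TAG_ID_LENGTHS}
    for name, p in STREAMS.items():
        table[name] = {n: stream_cycles(n, case=case, **p) for n in TAG_ID_LENGTHS}
    return table


def within_budget(case=1):
    """Algorithms whose worst-case (202-bit) cycle count fits each response-time budget."""
    table = cycle_table(case)
    return {label: sorted(name for name, row in table.items() if max(row.values()) <= budget)
            for label, budget in CYCLE_BUDGETS.items()}


if __name__ == "__main__":
    for case in (1, 2):
        print(f"Case {case}:            " + " ".join(f"{n:6d}" for n in TAG_ID_LENGTHS))
        for name, row in cycle_table(case).items():
            print(f"  {name:16s}" + " ".join(f"{row[n]:6d}" for n in TAG_ID_LENGTHS))
        print("  fits budget:", within_budget(case))
```

The D-QUARK rows are not modelled: with t = 8 the model would charge 88 cycles per permutation, whereas the table's row-to-row differences correspond to 86.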

4. Conclusion

In this paper, we deduce that the lightweight stream ciphers and the lightweight hash functions can be used to generate the Tag-IDs which are used in RFID authentications. The long Tag-IDs, i.e. ranging from 64 bits to 202 bits, are defined in standards such as the EPC Data Standard and ISO/IEC 15963. They are necessary to realize secure RFID authentication. We select Grain-80, Trivium, Enocoro-80, SPONGENT-160 and D-QUARK under the condition that these cryptographic algorithms achieve the same security strength. We implement the cryptographic algorithms to take a low area requirement and to achieve high speed performance. Then we evaluate the hardware performance of the cryptographic algorithms in terms of area requirements and clock cycles. From our evaluation results, we deduce that the lightweight stream ciphers we considered are appropriate for the RFID applications which require quick responses.


Acknowledgments

These research results have been achieved by the Commissioned Research of the National Institute of Information and Communications Technology (NICT), Japan.

References

[1] J.P. Aumasson, L. Henzen, W. Meier, and M. Naya-Plasencia, QUARK: A Lightweight Hash, In Workshop on Cryptographic Hardware and Embedded Systems – CHES 2010, Vol. 6225 of Lecture Notes in Computer Science, Springer-Verlag, 1–15, 2010.
[2] G. Bertoni, J. Daemen, M. Peeters, and G.V. Assche, On the Indifferentiability of the Sponge Construction, In International Conference on the Theory and Applications of Cryptographic Techniques – EUROCRYPT 2008, Vol. 4965 of Lecture Notes in Computer Science, Springer-Verlag, 181–197, 2008.
[3] G. Bertoni, J. Daemen, M. Peeters, and G.V. Assche, Cryptographic sponge functions, 2011. Available at http://sponge.noekeon.org/CSF-0.1.pdf
[4] A. Bogdanov, M. Knežević, G. Leander, D. Toz, K. Varıcı, and I. Verbauwhede, SPONGENT: A Lightweight Hash Function, In Workshop on Cryptographic Hardware and Embedded Systems – CHES 2011, Vol. 6917 of Lecture Notes in Computer Science, Springer-Verlag, 312–325, 2011.
[5] A. Bogdanov, L.R. Knudsen, G. Leander, C. Paar, A. Poschmann, M.J.B. Robshaw, Y. Seurin, and C. Vikkelsoe, PRESENT: An Ultra-Lightweight Block Cipher, In Workshop on Cryptographic Hardware and Embedded Systems – CHES 2007, Vol. 4727 of Lecture Notes in Computer Science, Springer-Verlag, 450–466, 2007.
[6] C. De Cannière, O. Dunkelman, and M. Knežević, KATAN and KTANTAN - A Family of Small and Efficient Hardware-Oriented Block Ciphers, In Workshop on Cryptographic Hardware and Embedded Systems – CHES 2009, Vol. 5747 of Lecture Notes in Computer Science, Springer-Verlag, 272–288, 2009.
[7] C. De Cannière and B. Preneel, TRIVIUM, In New Stream Cipher Designs, Vol. 4986 of Lecture Notes in Computer Science, Springer-Verlag, 244–266, 2008.
[8] H.-J. Chae, D.J. Yeager, J.R. Smith, and K. Fu, Maximalist Cryptography and Computation on the WISP UHF RFID Tag. Available at http://web.media.mit.edu/~jrs/WISP-RFIDSec07.pdf
[9] T. Dimitriou, A Lightweight RFID Protocol to Protect against Traceability and Cloning Attacks, In SECURECOMM '05: Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, 59–66, 2005.
[10] ECRYPT II Yearly Report on Algorithms and Key Lengths (2012). Available at http://www.ecrypt.eu.org/documents/D.SPA.20.pdf
[11] The eSTREAM Project. Available at http://www.ecrypt.eu.org/stream/
[12] EPCglobal Inc., EPC Radio-Frequency Identity Protocols Class-1 Generation-2 UHF RFID Protocol for Communications at 860 MHz - 960 MHz Version 1.2.0, 2008. Available at http://www.gs1.org/gsmp/kc/epcglobal/uhfc1g2/uhfc1g2_1_2_0-standard-20080511.pdf
[13] GS1 AISBL, GS1 EPC Tag Data Standard 1.6, 2011. Available at http://www.gs1.org/gsmp/kc/epcglobal/tds/tds_1_6-RatifiedStd-20110922.pdf
[14] M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, Strong Authentication for RFID Systems Using the AES Algorithm, In Workshop on Cryptographic Hardware and Embedded Systems – CHES 2004, Vol. 3156 of Lecture Notes in Computer Science, Springer-Verlag, 357–370, 2004.
[15] M. Feldhofer and J. Wolkerstorfer, Strong Crypto for RFID Tags - A Comparison of Low-Power Hardware Implementations, In ISCAS 2007, IEEE, 1839–1842, 2007.
[16] T. Good and M. Benaissa, ASIC Hardware Performance, In New Stream Cipher Designs, Vol. 4986 of Lecture Notes in Computer Science, Springer-Verlag, 267–293, 2008.
[17] J. Guo, T. Peyrin, and A. Poschmann, The PHOTON Family of Lightweight Hash Functions, In Advances in Cryptology – CRYPTO 2011, Vol. 6841 of Lecture Notes in Computer Science, Springer-Verlag, 222–239, 2011.
[18] J. Guo, T. Peyrin, A. Poschmann, and M. Robshaw, The LED Block Cipher, In Workshop on Cryptographic Hardware and Embedded Systems – CHES 2011, Vol. 6917 of Lecture Notes in Computer Science, Springer-Verlag, 326–341, 2011.

Radio Frequency Identification System Security : RFIDsec'13 Asia Workshop Proceedings, edited by C. Ma, and J. Weng, IOS Press,

Copyright © 2013. IOS Press, Incorporated. All rights reserved.

94

S. Mikami et al. / A Comparative Study of Stream Ciphers and Hash Functions



Short Papers


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-61499-328-5-97


Securing NFC with Elliptic Curve Cryptography – Challenges and Solutions

Xinxin Fan and Guang Gong
Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Ontario, N2L 3G1, CANADA
Email: {x5fan, ggong}@uwaterloo.ca

Abstract. Near Field Communication (NFC) is an emerging short-range wireless communication technology that is at the heart of an expanding spectrum of easy-to-use, intuitive, and contactless applications. Unfortunately, the multiple operating modes and numerous application scenarios make securing NFC based systems particularly challenging. In this paper, we review the potential security threats for NFC and summarize in detail the efforts of standardization bodies and industry to protect NFC based systems using elliptic curve cryptography (ECC). We also improve a key agreement and confirmation protocol in the ECMA-386 standard to an authenticated version and propose an entity authentication protocol based on the elliptic curve Diffie-Hellman (ECDH) primitive and the elliptic curve Qu-Vanstone (ECQV) implicit certificate scheme. Efficient and secure implementations of the ECDH scheme on NFC-enabled devices are discussed and reported.

Keywords. Near field communication, security, standardization, elliptic curve cryptography, key agreement, authentication, implementation.


1. Introduction

The Internet of Things (IoT) is a novel and promising paradigm, envisioned as a network of billions of smart devices (e.g., smart cards, RFID tags, sensors, actuators, etc.) communicating with each other [2]. This simple concept enables ubiquitous computing among global networked machines and physical objects and has the potential to dramatically alter how we interact with the world around us. One of the essential enablers for the IoT vision is the short-range, standards-based wireless connectivity technology termed Near Field Communication (NFC), which allows communication to take place between devices that either touch or are momentarily held close together [23], thereby making it possible to link virtual information to physical objects through proximity. While NFC technology promises new levels of convenience for users of mobile devices and offers tremendous potential, frequent media reports about security issues of NFC-enabled products [17,18] suggest that NFC is a potentially unsafe technology. To resolve potential security issues in NFC based systems, standardization bodies have released a few security standards: the ECMA-385 [4] and ECMA-386 [5] standards specify the general security framework as well as the Elliptic Curve Diffie-Hellman (ECDH) and AES based primitives for NFC security in peer-to-peer operating mode, and the NFC Forum Signature Record Type Definition [23] defines the format of signature records for authenticating the data stored on NFC Forum tags. Those standards all employ elliptic curve cryptography (ECC) to provide the required security services, thanks to its higher security strength per bit as well as its compact key and certificate sizes. However, due to the multiple operating modes and numerous application scenarios, the current security standards and industry practices do not cover all aspects of the security issues in NFC based systems, and more research needs to be conducted in this field.

In this work we investigate the challenges and solutions for NFC security using ECC, aiming to shed some light on and stimulate further research in this area. To this end, we first classify the potential security threats and attacks for NFC based systems, followed by a review of the NFC security standards using ECC. In addition, we discuss the message and entity authentication mechanisms currently used in industry-leading NFC products. Based on the analysis of the NFC security standards and industry practices, we describe an improvement to the key agreement and confirmation protocol specified in the ECMA-386 standard [5] by providing an authenticated version. Furthermore, we also propose another entity authentication protocol for NFC tags, which is more efficient than the ECDSA based scheme used in industry with respect to computational and communication overhead. Both protocols are based on the ECDH primitive and benefit from the use of compact Elliptic Curve Qu-Vanstone (ECQV) implicit certificates. To implement ECDH based security schemes efficiently and securely on NFC-enabled devices, we also discuss various optimization techniques and report some experimental results.

The remainder of this paper is organized as follows. Section 2 gives a brief description of the NFC technology, followed by the classification of potential security threats and attacks for NFC in Section 3. In Section 4, we analyze the usage of ECC in the NFC security standards and industry products, and propose two ECC based protocols that complement or improve the existing solutions. In Section 5, we discuss efficient and secure implementations of the basic ECDH scheme on NFC-enabled devices. Finally, we conclude this paper in Section 6.


2. Near Field Communication Technology

NFC is a short-range (typically around 4 cm) radio technology that enables communication between devices that either touch or are momentarily held close together. NFC operates in the unlicensed 13.56 MHz radio frequency band with amplitude-shift keying (ASK) modulation, allowing data transfer rates of up to 424 kbit/s.

2.1. Operating Modes

NFC-enabled devices can operate in three modes, as defined by the NFC Forum [23]:

• Reader/Writer Mode: The NFC-enabled device initiates the communication and operates as an active reader/writer to read/modify the data stored in the four types of NFC Forum mandated tags. The RF interface in this mode is compliant with the ISO/IEC 14443 [12] and Felica [14] standards.

• Peer-to-Peer Mode: Two NFC-enabled devices establish a bidirectional half-duplex connection to exchange information. The RF interface in this mode is standardized by ISO/IEC 18092 as NFCIP-1 [13]. Moreover, the NFC Forum standardized a new data link layer protocol named LLCP (Logical Link Control Protocol) [23] to support reliable and error-free peer-to-peer communications.

• Card Emulation Mode: The NFC-enabled device acts as a contactless smart card for existing readers and is fully compatible with the smart card standards based on ISO/IEC 14443 [12] and Felica [14]. This mode is important since it enables payment and ticketing as well as access control applications. A secure element (SE) is usually involved in this mode due to the requirement of high security.

2.2. NFC Forum Type Tags and Data Exchange Format

The NFC Forum defines four tag types [23] to ensure interoperability between different NFC tag providers and NFC device manufacturers. Each type of NFC tag has a different format and capacity and is suitable for a specific task. While Type 1 and Type 2 tags have small memory and target a single application, Type 3 and Type 4 tags feature larger memory and are therefore more suitable for complex applications. To facilitate the data transfer between an NFC-enabled device and another NFC-enabled device or a passive NFC tag, the NFC Forum has defined a universal set of rules for the data exchange format (i.e., the NFC Data Exchange Format (NDEF) [23]) between NFC communication entities. NDEF is a lightweight binary message format that encapsulates one or more application-defined payloads of arbitrary type and size into a single message.

3. Security Threats and Attacks for NFC


Since NFC based systems facilitate the contactless transfer of information, they are subject to certain attacks [8,19,22,32], classified below. However, the practical effect of those attacks must be evaluated in the context that NFC-enabled devices may operate in one of three operating modes and the communication range is extremely limited.

• Eavesdropping and Skimming Attacks: NFC utilizes various wireless communication interfaces and is therefore susceptible to eavesdropping and skimming attacks. Although two NFC-enabled devices can only communicate within a short distance, an attacker can build dedicated sniffer devices [7,8,16] that can retrieve valuable information up to a distance of 1 and 10 meters when a legitimate device operates in passive and active modes, respectively.

• Data Manipulation Attacks: These attacks can be mounted on the communication process in NFC based systems by corrupting, modifying, or inserting transmitted data [8], and on the NDEF records stored on NFC Forum tags [22,26,27,32]. Due to the lack of appropriate protection for NDEF records, it is possible for an adversary to alter the data and launch spoofing, phishing and denial of service attacks [22,32] by deploying numerous malicious NFC tags.

• Man-in-the-Middle (MITM) Attacks: Thanks to the short communication distance, it is particularly difficult to launch a MITM attack on an NFC communication link [8]. However, using proximity as the only authenticator may not be sufficient to protect NFC based systems from MITM attacks, as pointed out in [1] for the current implementations of NFC based mobile payment systems.

• Relay Attacks: These attacks are a special type of MITM attack which virtually extends the range of the radio frequency field between two NFC-enabled devices and violates the proximity assumption in NFC based systems. Practical relay attacks have been demonstrated between one NFC mobile phone and one USB NFC device [33], between two NFC mobile phones [6], and more recently between a Google Wallet device and an external card emulator [28]. These attacks circumvent the underlying security mechanisms and cannot be prevented by cryptographic countermeasures.

4. NFC Security with Elliptic Curve Cryptography

In this section, we review the ECC based security schemes specified in NFC security standards and adopted by NFC tag manufacturers. We also discuss possible improvements and extensions to the existing solutions.

4.1. NFC Security Standards Using ECC

In this section, we describe the usage of ECC in two NFC security standards, namely ECMA-386 [5] and the NFC Forum Signature Record Type Definition [23].

4.1.1. ECC in ECMA-386 Standard

Security protocols for protecting the NFC peer-to-peer operating mode (i.e., NFCIP-1 [13]) are standardized in ECMA-385 as NFC-SEC [4] and in ECMA-386 as NFC-SEC-01 [5]. ECMA-385 specifies a protocol stack that enables application-independent encryption functions on the data link layer. In particular, ECMA-385 defines two security services to thwart eavesdropping and data manipulation attacks in peer-to-peer operating mode:


• Shared Secret Service (SSE): The SSE establishes a shared secret between two NFC-enabled devices in peer-to-peer operating mode; the resulting shared key can be used for proprietary encryption mechanisms.

• Secure Channel Service (SCH): The SCH utilizes the shared secret established beforehand to derive a link key, which is used to protect all subsequent communications according to the mechanisms specified by the cryptography standard.

The general security framework described in ECMA-385 is complemented by ECMA-386, which defines cryptographic mechanisms to implement the aforementioned two security services. More specifically, ECMA-386 specifies ECDH for key agreement and the AES algorithm for data encryption and integrity. A standardized 192-bit NIST elliptic curve (i.e., P-192) [24], defined over the prime field F_p with p = 2^192 − 2^64 − 1, has been selected to perform the ECDH key agreement protocol between two NFC-enabled devices. Considering the practical difficulty of mounting MITM attacks on NFC in peer-to-peer operating mode as well as the lack of a universal public key infrastructure (PKI) for NFC based systems, the security mechanisms specified in ECMA-386 do not protect against MITM attacks and no entity authentication is provided.

4.1.2. ECC in NFC Forum Signature Record Type Definition

The NFC Forum Signature Record Type Definition [23] specifies the format used when signing single or multiple NDEF records. It aims to increase security for NDEF applications by providing authenticity and integrity for the NDEF data within an NFC Forum tag or device, thereby preventing potential data manipulation attacks. The latest candidate technical specification [23] provides a list of signature algorithms and certificate types that can be used to create the signature, where four standardized NIST elliptic curves (i.e., P-192, P-224, K-233, and B-233 [24]) are specified for generating the signature using the Elliptic Curve Digital Signature Algorithm (ECDSA). In particular, the ECQV implicit certificate [31] has been introduced into the latest candidate technical specification. In an ECQV implicit certificate scheme, a signer's public key and the signature of a certificate authority (CA) are encapsulated into a single value called the reconstruction point. Upon receiving the signer's ECQV certificate, a verifier can reconstruct the signer's public key from the received ECQV certificate and the CA's public key, thereby authenticating the signer implicitly. When compared to traditional X.509 certificates, ECQV implicit certificates are quite compact. For a certificate issued on the elliptic curve P-192, the size of the resulting ECQV and X.509 certificates is 56 and 388 bytes, respectively [29]. As a result, using ECQV implicit certificates enables NFC tag manufacturers to store signed NDEF records on low-cost Type 1 and Type 2 tags, which cannot be achieved using traditional X.509 certificates due to the limited memory size of those cost-effective NFC Forum tags.


4.2. Industry Practices for NFC Security Using ECC

To the best of our knowledge, ECC is currently used in two types of NFC tags in industry for various applications, namely the Type 2 NFC Forum tag NTAG210/212 [25] from NXP and the Type 4 NFC Forum tag VaultIC150D/160D [10] from INSIDE Secure. Since the size of the user-programmable read/write memory on the NTAG210/212 is only 48/128 bytes, these tags employ a 128-bit elliptic curve (i.e., secp128r1) [30] and ECDSA to sign the manufacturer-programmed 7-byte UID with an NXP private key. The resulting 32-byte signature is stored in a hidden part of the NTAG210/212 memory during tag production [25]. The signature can be retrieved and verified by NFC-enabled devices using the corresponding ECC public key provided by NXP. Depending on whether the root certificate of the NXP public key is stored on the NFC-enabled device, the signature verification process can be conducted either online or offline. The entire message authentication procedure using a Type 2 NFC Forum tag is illustrated in Figure 1. Note that a Type 2 NFC Forum tag only contains a fixed and static signature record, and therefore provides very limited protection against tag cloning and product counterfeiting.

Figure 1. The Message Authentication for the NDEF Records on Type 2 NFC Forum Tags

The Type 4 NFC Forum tag VaultIC150D/160D [10] is more powerful in terms of computational and storage capabilities when compared to the Type 2 NFC Forum tag NTAG210/212 [25]. The VaultIC150D/160D offers a 1.5-Kbyte/16-Kbyte file system, of which 1 Kbyte is used for the certificate. Four standardized NIST elliptic curves (i.e., B-233, K-233, B-283, and K-283 [24]) together with various cryptographic services (i.e., public key pair generation, digital signature, message digest, and deterministic random number generation) are supported on the VaultIC150D/160D. In addition to standard NFC Forum Type 4 Tag operations, the VaultIC150D/160D tags can also authenticate the NDEF records stored in the tag, which can be digitally signed using on-chip ECC. The message authentication process for the NDEF records using the VaultIC150D/160D is almost the same as that depicted in Figure 1, except that the signature is generated dynamically when the tag is powered up by an NFC-enabled device and the tag's certificate is also retrieved from the tag. Besides authenticating the NDEF records, the VaultIC150D/160D is able to provide entity authentication using an ECDSA based challenge-response protocol, which is valuable for combating product counterfeiting [11]. The entity authentication process using a Type 4 NFC Forum tag is shown in Figure 2. Again, depending on whether the CA's root certificate is available on the NFC-enabled device, the entity authentication can be performed either online or offline.

Figure 2. The Entity Authentication for Product Anti-Counterfeiting using Type 4 NFC Forum Tags

4.3. Possible Improvements and Extensions to the Existing NFC Security Standards

The existing NFC security standards (i.e., ECMA-385 & ECMA-386, and the NFC Forum Signature Record Type Definition) only partially address the security issues in the peer-to-peer and reader/writer operating modes^1. In this section, we discuss possible improvements and extensions based on the ECDH and AES primitives that have been specified in the ECMA-386 standard [5]. Note that the existing Type 1 and Type 2 NFC Forum tags are basically low-cost storage devices that do not have the capability of performing ECC based protocols. In addition, Type 3 NFC Forum tags employ a symmetric-key based authentication mechanism and do not support ECC either. Hence, our discussion below focuses on Type 4 NFC Forum tags as well as other NFC-enabled devices (e.g., smartphones). Moreover, we also assume there exists a universal PKI that is able to issue ECQV implicit certificates [31] to NFC-enabled devices.

^1 The secure communications in the card emulation operating mode are handled by secure elements that feature the same high security standards as regular smart cards.


4.3.1. Authenticated Key Agreement in Peer-to-Peer Operating Mode

As mentioned in Section 4.1.1, the practical risk of MITM attacks in peer-to-peer operating mode is relatively low. Thus the key agreement scheme in ECMA-386 does not provide entity authentication. However, for sensitive NFC applications using the peer-to-peer operating mode (e.g., peer-to-peer money transfer), entity authentication is highly desirable to minimize potential risks. Therefore, we extend the key agreement and confirmation scheme in ECMA-386 to an authenticated version by employing ECQV implicit certificates. A high-level overview of the resulting authenticated key agreement and confirmation protocol is shown in Figure 3. In lieu of directly exchanging the long-term public keys QA and QB as specified in ECMA-386, the sender A and the recipient B send their own ECQV certificates CertA and CertB to the other party. After receiving the ECQV certificates, both A and B execute a certificate public key extraction process (i.e., Cert PK Extraction) as defined in [31] to extract the other party's long-term public key (QB at A and QA at B). Upon retrieving the public keys, both parties perform the ECDH and AES-based key confirmation protocols as specified in ECMA-386 [5]. Due to the usage of the ECQV certificates, both A and B implicitly authenticate the other party after the key confirmation process, without explicitly verifying the certificates CertA and CertB. Under the setting of the 192-bit NIST elliptic curve P-192 [24], the size of an ECQV certificate and of a public key in compressed form is 56 and 25 bytes, respectively. Therefore, each party needs to transmit 31 bytes more in the authenticated key agreement and confirmation protocol, when compared to the unauthenticated version in ECMA-386 [5]. With respect to the computational overhead, one extra elliptic curve scalar multiplication needs to be computed for extracting the other party's public key in the authenticated version.

Sender A: generate random nonce NA
A → B: CertA, NA
Recipient B: extract QA from CertA, generate random nonce NB, compute shared secret z
B → A: CertB, NB
Sender A: extract QB from CertB, compute shared secret z
A and B: key confirmation as specified in ECMA-386

Figure 3. The Authenticated Key Agreement and Confirmation Protocol Overview

4.3.2. Entity Authentication in Reader/Writer Operating Mode

While the NFC Forum Signature Record Type Definition [23] addresses message authentication in the reader/writer operating mode, we are not aware of any entity authentication scheme that has been standardized. Recall that the Type 4 NFC Forum tag VaultIC150D/160D [10] implements an ECDSA based challenge-response protocol for entity authentication (see Section 4.2). Here we propose another efficient entity authentication scheme for NFC in reader/writer operating mode, based on a challenge-response protocol using ephemeral-static ECDH as shown in Figure 4. In this protocol, the reader first generates a random number 0 < r < n, where n is the order of the base point G on an elliptic curve. The reader then computes an elliptic curve scalar multiplication R = rG and sends the point R to the tag as a random challenge. Upon receiving the challenge, the tag calculates another scalar multiplication S = dT R and sends the point S together with its ECQV certificate CertT to the reader as the response, where dT is the private key of the tag. The reader executes the certificate public key extraction process [31] to obtain the tag's public key QT and verifies whether the equation rQT = S holds. If the verification succeeds, the tag (and thus the associated product) is authenticated. For a legitimate tag, the above equation holds because rQT = r(dT G) = (r · dT)G = dT (rG) = dT R = S. It is easy to see that the security of this protocol rests on the ECDH problem. Both reader and tag need to transmit a point^2, and the tag also needs to send its ECQV certificate to the reader. In terms of computational overhead, the reader and the tag need to compute three and one elliptic curve scalar multiplications, respectively. When compared to the ECDSA based approach, the proposed entity authentication scheme saves one inversion and two multiplications over a finite field on both the reader and tag sides. Moreover, the proposed protocol can be extended in a straightforward way to support mutual entity authentication in reader/writer operating mode.

Reader: choose r ∈R Zn, compute R = rG
Reader → Tag: R
Tag: compute S = dT R
Tag → Reader: S, CertT
Reader: extract QT from CertT, check rQT = S

Figure 4. The One-Way Entity Authentication Protocol for Type 4 NFC Forum Tags
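The reader/tag exchange of Figure 4, together with the ECQV certificate issuance and the Cert PK Extraction step that both this protocol and the authenticated key agreement of Section 4.3.1 rely on, as an added worked example in Python. This is not code from the paper or from any standard (the authors' own implementation is the Java library of Section 5). The P-192 domain parameters are NIST's; the CA, the tag identity and the two-field certificate layout are constructed for the demonstration; SHA-256 as the ECQV hash is a simplifying assumption rather than the SEC 4 encoding; and `ec_mul` is a plain double-and-add with no side-channel protection, which is precisely what Section 5 addresses.

```python
import hashlib
import secrets

# NIST P-192 domain parameters (FIPS 186), the curve ECMA-386 selects.
P = 2**192 - 2**64 - 1
A = P - 3
B = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)


def ec_add(p1, p2):
    """Affine addition on y^2 = x^3 + Ax + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                     # p1 = -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P     # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Plain double-and-add; a reference routine, not hardened against power analysis."""
    acc = None
    for bit in bin(k % N)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, pt)
    return acc


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


def compress(pt):
    """SEC 1 compressed point: prefix 0x02/0x03 by parity of y, then 24-byte x (25 bytes)."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(24, "big")


def decompress(enc):
    x = int.from_bytes(enc[1:25], "big")
    y = pow((x**3 + A * x + B) % P, (P + 1) // 4, P)        # P = 3 mod 4: sqrt is one exponentiation
    return (x, y if (y & 1) == (enc[0] & 1) else P - y)


def ecqv_hash(cert):
    """e = H(Cert) mod n. SHA-256 is an assumption here; the hash is a scheme parameter in [31]."""
    return int.from_bytes(hashlib.sha256(cert).digest(), "big") % N


def ecqv_issue(ca_priv, req_point, identity):
    """CA side: the requester sent req_point = k_T*G; returns (Cert, r)."""
    k = rand_scalar()
    pu = ec_add(req_point, ec_mul(k, G))                    # reconstruction point P_U
    cert = compress(pu) + identity                          # Cert = P_U || identity (constructed layout)
    return cert, (ecqv_hash(cert) * k + ca_priv) % N


def ecqv_private_key(k_t, cert, r):
    """Requester side: d_T = e*k_T + r mod n."""
    return (ecqv_hash(cert) * k_t + r) % N


def ecqv_extract(cert, ca_pub):
    """Cert PK Extraction [31]: Q_T = e*P_U + Q_CA, costing one scalar multiplication."""
    return ec_add(ec_mul(ecqv_hash(cert), decompress(cert)), ca_pub)


# --- the challenge-response protocol of Figure 4 ------------------------------

def reader_challenge():
    r = rand_scalar()
    return r, ec_mul(r, G)                                  # keep r, send R = rG


def tag_response(d_t, cert_t, challenge):
    return ec_mul(d_t, challenge), cert_t                   # S = d_T*R, plus Cert_T


def reader_verify(r, response, ca_pub):
    s, cert_t = response
    return ec_mul(r, ecqv_extract(cert_t, ca_pub)) == s     # r*Q_T == S ?


def setup_tag(identity=b"constructed-tag-0001"):
    """Constructed demo PKI: one CA certifies one tag. Returns (Q_CA, Cert_T, d_T)."""
    ca_priv = rand_scalar()
    k_t = rand_scalar()
    cert, r = ecqv_issue(ca_priv, ec_mul(k_t, G), identity)
    return ec_mul(ca_priv, G), cert, ecqv_private_key(k_t, cert, r)


def run_protocol(ca_pub, cert_t, d_t):
    """One full run of Figure 4: True iff the reader accepts the tag."""
    r, challenge = reader_challenge()
    return reader_verify(r, tag_response(d_t, cert_t, challenge), ca_pub)
```

In a run, the reader performs exactly the three scalar multiplications the text counts (rG, e·P_U inside the extraction, and rQ_T) and the tag performs one (d_T R). A clone that holds a genuine certificate but not the matching private key, or a certificate whose identity field has been altered, is rejected because the extracted Q_T no longer corresponds to the key used for S; nothing is sent from the tag that would let the reader verify the certificate on its own, which is the implicit-authentication property the text relies on.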

5. Implementation Issues

It is well known that unprotected implementations of ECC based protocols are vulnerable to power analysis attacks [20]. Hence, it is important to protect NFC-enabled devices from potential power analysis attacks. In this section, we discuss efficient and secure implementations of the ECDH protocol, which is the basic building block for the key agreement and authentication protocols proposed in this paper.

Power analysis attacks exploit the dependence between the instantaneous power consumption of a cryptographic device and the data it processes and/or the instructions it performs. They can be classified into two categories, namely Simple Power Analysis (SPA) and Differential Power Analysis (DPA) [20]. While SPA attacks make use of distinctive key-dependent patterns visible in the power traces, DPA attacks use statistical tests to examine a large number of power consumption signals in order to recover a secret key [15].

To protect ECDH implementations from SPA attacks, we employ the memory-efficient Montgomery powering ladder method [21] to implement elliptic curve scalar multiplication. Moreover, the optimized x-coordinate-only formulae [9] are used to implement the differential addition-and-doubling operations. Note that for the ECDH key agreement protocol, only the x-coordinates need to be transmitted between the two parties. Thus, using the x-coordinate-only formulae for computing the scalar multiplication is sufficient for our purpose. To protect ECDH implementations from DPA attacks, we utilize the randomized projective coordinates proposed in [3], which rescale the homogeneous projective coordinates by a random number after each differential addition-and-doubling operation in the Montgomery powering ladder method.

^2 In fact, it is enough for each party to transmit only the x-coordinate of a point (see Section 5 for details).

We implement an SPA and DPA protected ECDH protocol using three standardized NIST elliptic curves (i.e., P-192, P-224, and P-256) [24] defined over prime fields. The ECC software library is written in Java and tested on a Galaxy Nexus Android smartphone, which features a 1.2 GHz ARM Cortex-A9 dual-core processor, 1 GB RAM, and 16 GB internal flash memory. Our experimental results for the ECDH primitive using the above three elliptic curves are summarized in Table 1.

Table 1. Performance of ECDH on a Galaxy Nexus Smartphone

NIST standardized elliptic curve    P-192       P-224       P-256
ECDH                                21.95 ms    30.51 ms    41.38 ms

From Table 1, we note that the performance of a secure ECDH implementation (i.e., containing countermeasures to both SPA and DPA attacks) on NFC-enabled smartphones is highly acceptable and the execution of ECDH based security schemes does not have significant impact on user experience. Therefore, ECC provides an effective and efficient security solution for protecting NFC based systems.
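The implementation strategy described in this section, as an added example that is not the authors' Java library: a Montgomery ladder over NIST P-256 using x-coordinate-only differential addition and doubling in homogeneous (X:Z) coordinates (the Brier-Joye formulae for short Weierstrass curves), with Coron's randomized projective coordinates applied to both ladder registers after every step. The curve constants are transcribed from FIPS 186-3; the affine double-and-add reference used for checking and the `ecdh_x_only` demonstration are this example's own additions, and Python big-integer arithmetic is not constant-time, so the code shows the structure of the two countermeasures rather than a leak-free implementation.

```python
import secrets

# NIST P-256 domain parameters, transcribed from FIPS 186-3 / SEC 2.
P256 = {
    "p":  0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "a":  0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    "b":  0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "gx": 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    "gy": 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    "n":  0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
}


def xdbl(P, a, b, p):
    """x-only doubling in homogeneous (X:Z) coordinates on y^2 = x^3 + a*x + b."""
    X, Z = P
    t = (X * X - a * Z * Z) % p
    X2 = (t * t - 8 * b * X * Z * Z * Z) % p
    Z2 = (4 * Z * (X * X * X + a * X * Z * Z + b * Z * Z * Z)) % p
    return X2, Z2


def xadd(P, Q, xd, a, b, p):
    """x-only differential addition: x(P+Q) from x(P), x(Q) and the affine xd = x(P-Q)."""
    X1, Z1 = P
    X2, Z2 = Q
    s = (X1 * Z2 + X2 * Z1) % p
    t = (X1 * X2 + a * Z1 * Z2) % p
    d = (X1 * Z2 - X2 * Z1) % p
    dd = d * d % p
    X3 = (2 * s * t + 4 * b * Z1 * Z1 * Z2 * Z2 - xd * dd) % p
    return X3, dd


def rerandomize(P, p):
    """Coron's countermeasure [3]: (X:Z) and (lambda*X:lambda*Z) denote the same point,
    so the intermediate values of the next step no longer depend only on the scalar."""
    lam = secrets.randbelow(p - 1) + 1
    return P[0] * lam % p, P[1] * lam % p


def ladder_x(k, xp, curve, randomize=True):
    """Montgomery ladder [21]: affine x-coordinate of k*P from x(P) = xp, for 1 <= k < n.
    Every scalar bit costs exactly one differential addition and one doubling (SPA)."""
    p, a, b = curve["p"], curve["a"], curve["b"]
    R0, R1 = (xp, 1), xdbl((xp, 1), a, b, p)       # R0 = P, R1 = 2P; invariant R1 - R0 = P
    for bit in bin(k)[3:]:                           # scalar bits below the leading one
        if bit == "0":
            R1 = xadd(R0, R1, xp, a, b, p)
            R0 = xdbl(R0, a, b, p)
        else:
            R0 = xadd(R0, R1, xp, a, b, p)
            R1 = xdbl(R1, a, b, p)
        if randomize:                                # fresh representation after every step
            R0, R1 = rerandomize(R0, p), rerandomize(R1, p)
    X, Z = R0
    return X * pow(Z, -1, p) % p


def affine_mul(k, P, curve):
    """Unprotected affine double-and-add; used here only as a reference to check the ladder."""
    p, a = curve["p"], curve["a"]

    def add(A, B):
        if A is None or B is None:
            return A if B is None else B
        (x1, y1), (x2, y2) = A, B
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                              # point at infinity
        if A == B:
            lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return x3, (lam * (x1 - x3) - y1) % p

    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def ecdh_x_only(curve=P256):
    """Each party publishes only x(d*G), which the section notes is sufficient for ECDH;
    returns the shared x-coordinate computed by each side."""
    n, gx = curve["n"], curve["gx"]
    da, db = secrets.randbelow(n - 1) + 1, secrets.randbelow(n - 1) + 1
    xa, xb = ladder_x(da, gx, curve), ladder_x(db, gx, curve)
    return ladder_x(da, xb, curve), ladder_x(db, xa, curve)
```

Two runs of `ladder_x` with the same scalar handle different (X:Z) pairs at every step yet return the same affine x, which is the point of the randomization; the timings in Table 1 refer to the authors' Java library, not to this code.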


6. Conclusions

Achieving the highest level of security without compromising usability is critical to wide market success of NFC. In this paper, we investigate the challenges and solutions for securing NFC based systems with ECC. We classify the security threats and attacks for NFC and summarize the current security solutions from standardization bodies and industry. Moreover, we propose an authenticated version for the key agreement and confirmation protocol specified in ECMA-386. An ECDH based entity authentication scheme is also proposed which is more efficient than the ECDSA based approach currently used in industry. We also discuss secure and efficient implementations of the ECDH primitive on NFC-enabled devices and demonstrate its performance on an Android smartphone.

References

[1] R. Anderson, “Position Statement in RFID S&P Panel: RFID and the Middleman”, The 11th International Conference on Financial Cryptography and Data Security - FC’07, LNCS 4886, S. Dietrich and R. Dhamija (eds.), Berlin, Germany: Springer-Verlag, pp. 46-49, 2007.
[2] K. Ashton, “That ’Internet of Things’ Thing, in the real world things matter more than ideas”, RFID Journal, Jun 22, 2009.
[3] J. Coron, “Resistance against Differential Power Analysis for Elliptic Curve Cryptosystems”, The First International Workshop on Cryptographic Hardware and Embedded Systems - CHES’99, LNCS 1717, Ç. K. Koç and C. Paar (eds.), Berlin, Germany: Springer-Verlag, pp. 292-302, 1999.
[4] ECMA International. Standard ECMA-385 – NFC-SEC: NFCIP-1 Security Services and Protocol, 3rd Edition, 2013.
[5] ECMA International. Standard ECMA-386 – NFC-SEC-01: NFC-SEC Cryptography Standard using ECDH and AES, 2nd Edition, 2010.
[6] L. Francis, G. Hancke, K. Mayes, and K. Markantonakis, “Practical Relay Attack on Contactless Transactions by Using NFC Mobile Phones”, The 2012 Workshop on RFID and IoT Security (RFIDsec’12 Asia), vol. 8, N.-W. Lo and Y. Li (Eds.), Amsterdam, Netherlands: IOS Press, pp. 21-32, 2012.
[7] G. P. Hancke, “Practical Eavesdropping and Skimming Attacks on High-Frequency RFID Tokens”, Journal of Computer Security, Vol. 19, Iss. 2, pp. 259-288, 2011.
[8] E. Haselsteiner and K. Breitfuß, “Security in Near Field Communication – Strengths and Weaknesses”, Workshop on RFID Security 2006 - RFIDSec’06, Graz, July 12-14, 2006.
[9] M. Hutter, M. Joye, and Y. Sierra, “Memory-Constrained Implementations of Elliptic Curve Cryptography in Co-Z Coordinate Representation”, Progress in Cryptology - AFRICACRYPT 2011, LNCS 6737, A. Nitaj and D. Pointcheval (Eds.), Berlin, Germany: Springer-Verlag, pp. 170-187, 2011.
[10] INSIDE Secure. VaultIC150D/160D: Dual-Interface NFC Forum Type 4 Tag, 2013.
[11] INSIDE Secure. Application Note TPR0503AX: How to combat Counterfeiting using VaultIC100, 2011.
[12] ISO/IEC 14443-2:2010, Identification cards – Contactless integrated circuit cards – Proximity cards – Part 2: Radio Frequency Power and Signal interface, 2010.
[13] ISO/IEC 18092:2013, Information technology – Telecommunications and information exchange between systems – Near Field Communication – Interface and Protocol (NFCIP-1), 2013.
[14] JIS X 6319-4:2010, Specification of implementation for integrated circuit(s) cards – Part 4: High speed proximity cards, Japanese Standards Association, 2010.
[15] P. C. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis”, Advances in Cryptology - CRYPTO 1999, ser. LNCS 1666, M. Wiener (ed.), Berlin, Germany: Springer-Verlag, pp. 388-397, 1999.
[16] H. S. Kortvedt and S. F. Mjølsnes, “Eavesdropping Near Field Communication”, The Norwegian Information Security Conference – NISK’09, pp. 57-68, 2009.
[17] E. Lee, “NFC Hacking: The Easy Way”, DEFCON 20 Hacking Conference, Las Vegas, USA, July 26-29, 2012.
[18] R. Lifchitz, “Hacking the NFC credit cards for fun and debit ;)”, Hackito Ergo Sum 2012, Paris, France, April 12-14, 2012.
[19] G. Madlmayr, J. Langer, C. Kantner, and J. Scharinger, “NFC Devices: Security and Privacy”, The 3rd International Conference on Availability, Reliability and Security - ARES’08, pp. 642-647, 2008.
[20] S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards, New York, USA: Springer Science + Business Media, LLC, 2007.
[21] P. L. Montgomery, “Speeding up the Pollard and Elliptic Curve Methods of Factorization”, Mathematics of Computation, 48(177):243-264, 1987.
[22] C. Mulliner, “Vulnerability Analysis and Attacks on NFC-Enabled Mobile Phones”, The 4th International Conference on Availability, Reliability and Security - ARES’09, pp. 695-700, 2009.
[23] NFC Forum. Available at http://www.nfc-forum.org/.
[24] National Institute of Standards and Technology (NIST). FIPS PUB 186-3: Digital Signature Standard (DSS), 2009.
[25] NXP Semiconductors. NTAG210/212: NFC Forum Type 2 Tag compliant IC with 48/128 bytes user memory, 2013.
[26] M. Roland and J. Langer, “Digital Signature Records for the NFC Data Exchange Format”, The 2nd International Workshop on Near Field Communication - NFC’10, IEEE, pp. 71-76, 2010.
[27] M. Roland, J. Langer, and J. Scharinger, “Security Vulnerabilities of the NDEF Signature Record Type”, The 3rd International Workshop on Near Field Communication - NFC’11, IEEE, pp. 65-70, 2011.
[28] M. Roland, J. Langer, and J. Scharinger, “Applying Relay Attacks to Google Wallet”, The 5th International Workshop on Near Field Communication - NFC’13, IEEE, pp. 1-6, 2013.
[29] T. Rosati and G. Zaverucha, “Elliptic Curve Certificates and Signatures for NFC Signature Records”, White Papers Contributed by NFC Forum Members, 2011.
[30] Standards for Efficient Cryptography Group. SEC 2: Recommended Elliptic Curve Domain Parameters version 2.0, available at http://www.secg.org/index.php?action=secg,docs_secg.
[31] Standards for Efficient Cryptography Group. SEC 4: Elliptic Curve Qu-Vanstone Implicit Certificate Scheme (ECQV), available at http://www.secg.org/index.php?action=secg,docs_secg.
[32] R. Verdult and F. Kooman, “Practical Attacks on NFC Enabled Cell Phones”, The 3rd International Workshop on Near Field Communication - NFC’11, IEEE, pp. 77-82, 2011.
[33] M. Weiß, “Performing Relay Attacks on ISO 14443 Contactless Smart Cards Using NFC Mobile Equipment”, Master’s thesis, Technische Universität München, May 2010.

Radio Frequency Identification System Security
C. Ma and J. Weng (Eds.)
IOS Press, 2013
© 2013 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-61499-328-5-107

Remote Attestation Mechanism for Embedded Devices based on Physical Unclonable Functions

Raja Naeem AKRAM a, Konstantinos MARKANTONAKIS b, Keith MAYES b

a Cyber Security Lab, Department of Computer Science, University of Waikato, Hamilton, New Zealand. Email: [email protected]
b ISG Smart Card Centre, Royal Holloway, University of London, Egham, United Kingdom. Email: k.markantonakis, [email protected]

Abstract. Remote attestation mechanisms are well studied in high-end computing environments; however, the same is not true for embedded devices, especially smart cards. With the ever-changing landscape of smart card technology and advances towards a true multi-application platform, verifying the current state of the smart card is significant to the overall security of such proposals. The initiatives proposed by the GlobalPlatform Consumer Centric Model (GP-CCM) and the User Centric Smart Card Ownership Model (UCOM) enable a user to download any application she desires, subject to the authorisation of the application provider. Before an application provider issues an application to a smart card, verifying the current state of the smart card is crucial to the security of the respective application. In this paper, we analyse the rationale behind a remote attestation mechanism for smart cards, and the fundamental features that such a mechanism should possess. We also study the applicability of Physical Unclonable Functions (PUFs) to the remote attestation mechanism and propose two algorithms to achieve the stated features of remote attestation. The proposed algorithms are implemented in a test environment to evaluate their performance.

1. Introduction

Fundamentally, both the GlobalPlatform Consumer Centric Model (GP-CCM) [1] and the User Centric Smart Card Ownership Model (UCOM) [2] are similar in the sense that they both advocate the user’s “freedom of choice”: the users can install or delete any application as they please on their smart cards. In this paper, we focus on the UCOM; however, the proposed solutions are also applicable to the GP-CCM. The UCOM requires that smart cards have adequate security and operational functionality to support a) enforcement of security policies stipulated by the card platform and by individual Service Providers (SPs) for their respective applications, and b) operational functionality that enables an SP to manage its application(s), and a cardholder to manage her ownership privileges. The smart card architecture has to reflect this change in ownership architecture. For this purpose, we require a trusted module as part of the smart card architecture. The module validates the current state of the platform to requesting entities in order to establish the trustworthiness of a smart card in the overall UCOM ecosystem. In the UCOM, the card manufacturers make sure that smart cards have adequate security and operational functionality (i.e. firewall, application sharing, tamper-evidence and secure execution environment etc.) to support user ownership. The cardholder manages her relationships with individual SPs. These relationships enable her to request installation of their applications. Before leasing an application, SPs will require an assurance of the smart card’s security and reliability [3]. This assurance is achieved through a third-party security evaluation of the smart cards before they are issued to individual users [4]. Furthermore, to provide dynamic security validation [4], the evaluated smart cards implement an attestation mechanism. The attestation mechanism should accommodate remote validation, as in the UCOM an SP will not always have physical access to the smart card. In addition, the attestation mechanism certifies that the current state of the smart card is as evaluated by the independent third party. Therefore, the trust architecture in the UCOM is based on the adequacy of the third-party evaluation, and on the security and reliability of the remote attestation mechanism.


1.1. Contributions

In this paper, we briefly describe the core architecture of the remote attestation mechanism, followed by a discussion of the fundamental design requirements for such a mechanism. Subsequently, we describe the proposed remote attestation mechanism and two algorithms based on PUFs. Finally, we discuss an attestation protocol for the proposed remote attestation mechanism and present the implementation details and performance measurements. Section 2 discusses the core architecture of the attestation mechanism that provides security and reliability assurance to (remote) requesting entities. Subsequently, we extend the discussion to the remote attestation framework and the proposed algorithms in section 3. In section 4 we propose an attestation protocol; in section 5 we detail the test implementation results of the attestation protocol and the proposed algorithms.

2. Attestation Mechanism Framework

In this section, we discuss the core architecture of the attestation mechanism, followed by a discussion of the design requirements and possible solutions.

2.1. The Core Architecture for the Attestation Mechanism

On a typical smart card, several mechanisms are in place to test and verify the state of the platform (both software and hardware). At the software level, the GlobalPlatform card specification has proposed the controlling authority (termed CA in the GlobalPlatform card specification) [5] and the Mandated Data Authentication Pattern (Mandated DAP) mechanism [5,6]. In the DAP mechanism, an off-card entity (the controlling authority) signs applications that are being loaded onto a smart card, and this approval of the applications is verified by an on-card entity referred to as the GlobalPlatform card manager [6]. At the hardware level, the Known Answer Test (KAT) for cryptographic modules mandated by FIPS [7] and similar mechanisms (i.e. RAM test, and checksum of non-volatile memory) are deployed by smart card manufacturers [8]. However, there is no proposal for remote attestation of the smart card and the applications installed on it. The UCOM proposes the Trusted Environment & Execution Manager (TEM) as a trusted module for embedded devices such as smart cards. The TEM is fundamentally different from the Trusted Platform Module (TPM) [9] and the Mobile Trusted Module (MTM) [10] in two respects. Firstly, the TEM implements a self-test mechanism that includes hardware parameters to provide remote attestation, and a dynamically configurable integrity measurement mechanism that is based on a challenge-response framework. Secondly, the TEM is not based on a static architecture; in fact, it enforces platform security policies during application execution rather than just generating a hash (once) at the start of application execution. The concept of the TEM is to group/provide similar and enhanced functionality that provides assurance and validation of the platform to requesting on-card or off-card entities. The TEM is independent of the platform configuration, which is mainly concerned with the smart card runtime environment and can be based on a technology such as Java Card or Multos. A detailed discussion of the TEM, its features and its comparison with other trusted modules (i.e. TPM and MTM) is beyond the scope of this paper.
The proposed remote attestation mechanism is based on the following two TEM features: the attestation handler and the self-test manager, which are the core components of the attestation mechanism and are discussed in the following sections.

2.2. The Attestation Handler

The attestation handler and the self-test manager are part of the core architecture; the difference between the two modules is that the attestation handler focuses on the software and the self-test manager on the hardware. However, in the proposed attestation mechanism (section 3) they complement each other to provide proof that a smart card is secure, reliable and trustworthy. During the attestation mechanism, the attestation handler verifies the current state of the platform runtime environment (e.g. security- and operationally-sensitive parts of the Smart Card Operating System) and affirms to the appropriate SP or requesting entity that the platform is as secure and reliable as it is claimed to be in the security evaluation certificate discussed in [4]. In addition, respective SPs can ask the TEM to generate a state validation of their applications (e.g. a signed hash of the application) after they have been installed, ensuring that the application was downloaded without any errors. This function of the attestation handler is similar to the Data Authentication Pattern (DAP) [5,6].


2.3. Self-test Manager

The self-test mechanism checks whether the smart card is tamper-resistant as certified by a security evaluation certificate [4]. The aim of the self-test mechanism is to provide remote hardware validation in a way that enables a requesting entity (e.g. an SP) to independently verify that the smart card’s tamper-resistance mechanism is still secure and reliable. As our focus is not on the hardware end of smart card technology, we do not propose any hardware-based mechanism in this paper; this is one of the possible directions for future research. A self-test mechanism in the UCOM should provide the properties listed below:


1. Robustness: On input of certain (random) data, it should always produce the associated (random) output in an efficient manner. If on input of ‘i’ it generates ‘z’, the next time ‘i’ is used as input the output should be the same ‘z’.
2. Independence: When the same data is input to a self-test mechanism implemented on two different devices, they should output different (random) values.
3. Pseudo-randomness: The generated output should be computationally difficult to distinguish from the output of a pseudo-random function.
4. Tamper-evidence: Any attack aiming to access the self-test function should cause irreversible changes which render the device unusable/inaccessible.
5. Unforgeable: It should be computationally difficult to simulate the self-test mechanism.
6. Assurance: The self-test mechanism should provide assurance (either implicitly or explicitly) to independent verifiers. It should not require an active connection with the device manufacturer to provide the assurance.

Table 1. Comparison of different proposals for self-test mechanism.

Features              Active-Shield   HMAC    PRNG    PUF
Robustness            Yes             Yes     Yes     Yes
Independence          No              No      Yes     Yes
Pseudo-randomness     No              Yes     Yes     Yes
Tamper-evidence       Yes                     Yes*    Yes
Unforgeable           No              Yes     Yes*    Yes
Assurance             Yes             No      Yes     Yes*

Note. “Yes” means that the mechanism supports the feature. “No” indicates that the mechanism does not support the required feature. The entry “Yes*” means that it can support this feature if adequately catered for during the design.

There are several possibilities for a self-test mechanism for smart cards, including using an active (intelligent) shield/mesh [11], the Known Answer Test (KAT) [7], and the Physical Unclonable Function (PUF) [12]. To provide protection against invasive attacks, smart card manufacturers implement an active shield/mesh around the chip. If a malicious user removes the active shield then the chip will be disabled. The self-test mechanism can be associated with this shield to provide a limited assurance that the protective measures of the chip are still in place and active. Furthermore, a Hash-based Message Authentication Code (HMAC) can be deployed with a hard-wired key that is used to generate a checksum of randomly selected memory addresses holding non-mutable code of the Smart Card Operating System (SCOS). This mechanism requires the involvement of the device manufacturer, as the correct HMAC key is a secret known only to the manufacturer (or associated partners). Another potential protection strategy is to utilise Physical Unclonable Functions (PUFs) [12] to provide hardware validation. It is difficult to find a single and consistent definition of a PUF in the literature [13]. Usual applications of PUFs described in the literature are anti-counterfeiting [14], Intellectual Property protection [15], tamper-evident hardware [16], hardware-based cryptography [17] and secure/trusted processors [18]. If a manufacturer maintains separate keys for individual smart cards that support the HMAC, then it can provide the independence feature. However, the HMAC key is hard-wired, which makes it difficult to vary across individual smart cards of the same batch. It also requires other features, such as an active shield, to provide tamper evidence. PUFs and adequately designed Pseudorandom Number Generators (PRNGs), on the other hand, can provide assurance that the platform state and the tamper-resistant protections of a smart card are still active. Based on the features listed above, table 1 shows the comparison between the different functions that can act as the self-test mechanism.

Although the debate regarding the viability, security, and reliability of PUFs is still open in both academic circles and industry [19], for completeness we use them as the self-test mechanism in our proposals because they meet most of the requirements listed in table 1.

3. Attestation Mechanisms

In this section, we discuss two attestation mechanisms based on non-simulatable PUFs, which combine the functionality of the attestation handler and the self-test manager discussed in the previous section.

3.1. Non-simulatable PUFs

A non-simulatable PUF is a PUF that is computationally difficult for any party to simulate, including the device manufacturer, the user (device owner) and malicious entities. This has made PUFs a suitable candidate for true/pseudo-random number and secret key generators [20,21]. Based on non-simulatable PUFs, we describe two algorithms (Algorithms 1 and 2) that correspond to the offline and online modes of the attestation mechanism. In the offline mode, the communication is only between the requesting entity (i.e., the application provider) and the respective smart card. In the online mode, the card manufacturer or management authority is included in the attestation mechanism.

Algorithm 1: Self-test algorithm for offline attestation based on a PUF

Input:    l; list (array) of selected memory addresses.
Output:   S; signature key of the smart card.
Data:     seed; temporary seed value for the PRNG, set to zero.
          n; number of memory addresses in the list l.
          i; counter, set to zero.
          a; memory address.
          k; secret key used to encrypt the signature key of the smart card.
          Se; encrypted signature key, produced by a symmetric algorithm with key k.
Notation: x ←− y+z: first the operation on the right of the arrow is performed and the result is stored in x. This notation is common for all algorithms in this paper.

 1  SelfTestOffline (l) begin
 2      while i < n do
 3          a ←− ReadAddressList (l, i)
 4          seed ←− Hash (ReadMemoryContents (a), seed)
 5          i ←− i+1
 6      if seed ≠ ∅ then
 7          k ←− nmPUF (seed)
 8      else
 9          return testfailed
10      S ←− DecryptionFunction (k, Se)
11      return S

The offline algorithm is based on the function SelfTestOffline, which takes a list of selected memory addresses (l) stored on the card by the card manufacturer. The list holds the memory addresses of critical components related to the security and reliability of the given smart card platform. The function SelfTestOffline iterates through ‘l’ and generates a hash of the contents of each memory location; the generated hash value is then stored as the seed. After traversing ‘l’, SelfTestOffline checks the value of the seed. If the seed value is zero, an attestation failure is raised; otherwise, the algorithm proceeds to the next step. The generated seed value is input to the PUF, which produces the sequence referred to as ‘k’ in algorithm 1. Using the generated ‘k’, SelfTestOffline decrypts the signature key of the given device and returns it to the attestation handler. The handler generates a signature and sends it to the requesting entity (e.g. the SP) along with the relevant cryptographic certificate. If the signature verifies correctly then the smart card state is in conformance with the evaluated state. The PUF-based secret key, the associated public key pair and the certificate are generated at the time of card manufacturing. The private key is certified by the evaluation authority, which also provides the security and reliability details of its evaluation as part of the certificate [4]. The certificate hierarchy and associated keys in a smart card are discussed in section 3.2.

Algorithm 2: Self-test algorithm for online attestation based on a PUF

Input:    c; challenge sent by the card manufacturer.
          n; random number sent by the card manufacturer.
Output:   r; hash value generated over selected memory addresses, set to zero.
          p; response part of the CRP for the implemented PUF.
Data:     seedfile; seed file that has a list of non-zero values.
          seed; temporary seed value for the PRNG, set to zero.
          ns; number of entries in the seedfile.
          s; unique reference to an entry in the seedfile.
          nc; number of bytes in n.
          i; counter, set to zero.
          l; upper limit of memory address defined by the card manufacturer.
          m; memory address.
          mK; shared secret between a smart card and the respective card manufacturer.
Notation: x % y: represents x modulo y. This notation is common for all algorithms in this paper.

 1  SelfTestOnline (c, n) begin
 2      mK ←− nmPUF (c)
 3      while i < nc do
 4          s ←− ReadSingleByte (n, i) % ns
 5          seed ←− ReadSeedFile (s)
 6          m ←− GenPRNG (seed) % l
 7          r ←− Hash (ReadMemoryContents (m), r, mK)
 8          if (nc − i) = 1 then
 9              p ←− nmPUF (r)
10          i ←− i+1
11      return r, p

For online attestation, the card manufacturers have to generate a (limited) set of Challenge-Response Pairs (CRPs), which are unique to the individual device. The rationale behind this lies in the design of a non-simulatable PUF, in which the designer tries to make the CRP space sufficiently large that it is difficult for an adversary to simulate the PUF [22,20]. This design decision makes it difficult even for the card manufacturer to simulate the PUF. A limited set of generated CRPs would allow only a limited number of device validations (before they start to repeat), which is not a scalable solution. Therefore, we use a rolling update mechanism in which, at the end of each successful device validation (section 4), a new CRP is generated for future use. A valid CRP response also helps the card manufacturer to ascertain that the device is not counterfeit, as only the issued devices’ CRPs are registered in its CRP database. The PUF-based online attestation mechanism represented in algorithm 2 implements a function SelfTestOnline that takes two parameters: a challenge ‘c’ and a random number ‘n’ from the respective card manufacturer. The challenge ‘c’ is input to the PUF at line two and a response is generated; this response to ‘c’ is treated as a shared secret (mK). The function SelfTestOnline then treats the random number ‘n’ as a collection of bytes, reading one byte at a time and taking the byte modulo the length of the seedfile. This yields an index into the seedfile, and in the next step a seed value is read from that index. The seed value is used to generate a new random number, whose value modulo the upper memory limit (l) defined by the manufacturer gives a memory location. In the next step (line seven), the memory contents at that location are read and hashed, and the result is stored in ‘r’. This process is repeated for the number of bytes in the random number ‘n’, represented by nc. At iteration nc − 1, the value “r_{nc−1}” (the value of r at iteration “nc − 1”) is used as input to the PUF again to generate a new CRP. The generated ‘r’ and ‘p’ are then securely communicated back to the smart card manufacturer, which verifies the generated ‘r’ and stores the CRP. The card manufacturer can verify ‘r’ by executing lines three to seven of algorithm 2. The function SelfTestOnline does not send the challenge (“r_{nc−1}”) that was used to generate the response ‘p’, because the card manufacturer can itself compute the value of ‘r’ at iteration “nc − 1”.
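Both self-test algorithms, together with the manufacturer-side verification and CRP rolling update just described, as an added example that is not the authors' test implementation. The PUF is replaced by a keyed HMAC stand-in (a simulation, since a software routine cannot be a real PUF); `WORD`, the XOR unwrapping that stands in for DecryptionFunction, the SHA-256 based GenPRNG, and all memory contents, seeds and challenges are constructed values; `manufacturer_check` is this example's rendering of the manufacturer replaying lines three to seven of Algorithm 2 and registering the returned (r, p) as the next challenge-response pair.

```python
import hashlib
import hmac

WORD = 16          # bytes returned by ReadMemoryContents(a); an assumption of this example
ZERO = bytes(32)   # the "set to zero" initial value of seed (Alg. 1) and r (Alg. 2)


class SimPUF:
    """Stand-in for a non-simulatable PUF (assumption of this example): an HMAC keyed with
    a per-device secret that never leaves the device. A real PUF derives its response from
    manufacturing variation instead of a stored key."""
    def __init__(self, device_secret):
        self._secret = device_secret

    def __call__(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


def read_mem(memory, addr):                 # ReadMemoryContents(a)
    return bytes(memory[addr:addr + WORD])


def gen_prng(seed):                         # GenPRNG(seed) stand-in: deterministic integer
    return int.from_bytes(hashlib.sha256(seed).digest(), "big")


def chain_hash(memory, addr_list):
    """Algorithm 1, lines 2-5: seed <- Hash(ReadMemoryContents(a), seed) over the whole list."""
    seed = ZERO
    for a in addr_list:
        seed = hashlib.sha256(read_mem(memory, a) + seed).digest()
    return seed


def self_test_offline(memory, addr_list, se, puf):
    """Algorithm 1 (card side): returns the unwrapped signature key S, or None on failure."""
    seed = chain_hash(memory, addr_list)
    if seed == ZERO:                        # lines 6/9: degenerate seed -> testfailed
        return None
    k = puf(seed)                           # line 7: PUF response is the unwrapping key
    return bytes(x ^ y for x, y in zip(se, k))   # line 10: DecryptionFunction stand-in (XOR)


def self_test_online(memory, seedfile, c, n, l, puf):
    """Algorithm 2 (card side): returns (r, p)."""
    mK = puf(c)                             # line 2: the response to c is the shared secret
    r, p = ZERO, None
    nc, ns = len(n), len(seedfile)
    for i in range(nc):                     # line 3
        s = n[i] % ns                       # line 4: a byte of n indexes the seedfile
        seed = seedfile[s]                  # line 5
        m = gen_prng(seed) % l              # line 6: PRNG output selects the address
        r = hashlib.sha256(read_mem(memory, m) + r + mK).digest()   # line 7
        if nc - i == 1:                     # lines 8-9: last iteration yields the next CRP
            p = puf(r)
    return r, p


def manufacturer_check(reference, seedfile, mK, n, l, r_card, p_card, crp_db):
    """Manufacturer side: replay lines 3-7 over the reference image with the stored response
    mK; on a match, register (r, p) as the next challenge-response pair (rolling update)."""
    r = ZERO
    for i in range(len(n)):
        m = gen_prng(seedfile[n[i] % len(seedfile)]) % l
        r = hashlib.sha256(read_mem(reference, m) + r + mK).digest()
    if not hmac.compare_digest(r, r_card):
        return False
    crp_db[r] = p_card
    return True


def demo():
    """Constructed scenario: one card, its manufacturer, one offline check, online rounds."""
    image = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2 KiB "SCOS"
    tampered = bytes(x ^ 0xFF for x in image)           # every word differs from the reference
    l = len(image) - WORD
    puf = SimPUF(b"constructed-device-secret")
    seedfile = [hashlib.sha256(b"seed-%d" % i).digest() for i in range(8)]

    # Personalisation for Algorithm 1: wrap the signature key under PUF(chain_hash(image)).
    addr_list = [0, 256, 1024]
    sig_key = bytes(range(32))
    se = bytes(x ^ y for x, y in zip(sig_key, puf(chain_hash(image, addr_list))))

    # Enrolment for Algorithm 2: the manufacturer records one CRP while it still holds the card.
    c0 = b"constructed-challenge-0"
    crp_db = {c0: puf(c0)}

    n1, n2 = bytes(range(10, 20)), bytes(range(200, 216))
    r1, p1 = self_test_online(image, seedfile, c0, n1, l, puf)
    ok1 = manufacturer_check(image, seedfile, crp_db[c0], n1, l, r1, p1, crp_db)
    r2, p2 = self_test_online(image, seedfile, r1, n2, l, puf)        # challenge rolled to r1
    ok2 = manufacturer_check(image, seedfile, crp_db[r1], n2, l, r2, p2, crp_db)
    rt, pt = self_test_online(tampered, seedfile, r2, n1, l, puf)     # modified card contents
    ok_t = manufacturer_check(image, seedfile, crp_db[r2], n1, l, rt, pt, crp_db)
    return {"signature_key": sig_key,
            "offline": self_test_offline(image, addr_list, se, puf),
            "offline_tampered": self_test_offline(tampered, addr_list, se, puf),
            "online_round1": ok1, "online_round2": ok2, "online_tampered": ok_t}
```

Note that the manufacturer never learns the PUF response used in the next round at enrolment time: it only stores p as returned by the card, so a device whose memory image has been altered produces a different r, fails the replay, and gets no new CRP registered.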


3.2. Key Generation

Individual smart cards have a unique set of cryptographic keys that the card uses for different protocols/mechanisms during its lifetime. Therefore, after the hardware fabrication and masking of the SCOS are completed [8], the card manufacturer initiates the key generation process.

Figure 1. Certificate hierarchy in the UCOM.

Each smart card generates a signature key pair (SC_Sign) that does not change for the lifetime of the smart card. The SC_Sign is certified by the card manufacturer, and it is used to provide offline attestation. Furthermore, in the certificate hierarchy shown in figure 1, the SC_Sign is linked with the Platform Assurance Certificate (PAC) [4] via the card manufacturer’s certificate. The PAC is a cryptographic certificate that certifies the card manufacturer’s key for the particular batch of smart cards that are evaluated by a third party, such as Common Criteria (CC), for their security and reliability. At present, such certificates are not issued; however, the framework proposed in [4] can be adopted for this purpose. As discussed in section 3.1, the evaluation authority issues a certificate (e.g. the PAC) which certifies that the signature key of the card manufacturer is valid only for the evaluated product. If an adversary gets hold of the manufacturer’s signature key pairs, then he can successfully masquerade as the smart card, either as a dumb device or by simulating the smart card on a powerful device such as a computer. Finally, the smart card and the card manufacturer share an encryption key for symmetric algorithms (e.g. TDES, AES) and a MAC key. These keys are used to encrypt, and to generate MACs over, the messages exchanged between the smart card and the card manufacturer.

4. Attestation Protocol

The Attestation Protocol (ATP) involves the card manufacturer in the online attestation mechanism. The aim of the protocol is to provide an assurance to a remote SP that the current state of the smart card is not only secure but also (dynamically) attested by the card manufacturer. The card manufacturer generates a security validation message that testifies to the requesting SP that its product is safe and still in compliance with the security evaluation indicated by the associated PAC.


4.1. Intruder's Capabilities

The aim of an adversary A could be to retrieve enough information to enable him to successfully masquerade as a card manufacturer or as a smart card. Therefore, we assume an adversary A is able to intercept all messages communicated between a smart card and its manufacturer. In addition, A can modify, change, replay, and delay the intercepted messages. If A is able to masquerade as a card manufacturer then A can issue fake attestation certificates to individual smart cards, which might compromise the security and privacy of the user and related SPs. On the other hand, if A is able to compromise the smart card then he can effectively simulate the smart card environment. This will enable him to reverse engineer the downloaded applications and retrieve sensitive data related to the user and application (e.g. intellectual property of the SP).

4.2. Protocol Notation and Terminology

Table 2 summarises the notation used in the proposed attestation protocol.

4.3. Protocol Description

In this section, we describe the attestation protocol. Each message is represented by ATP-n, where n represents the message number: the structure of this representation is the protocol acronym (i.e. ATP for attestation protocol) followed by the message number.

Table 2. Protocol notation and terminology

Notation        Description
SC              Denotes a smart card.
SP              Denotes a Service Provider.
CM              Denotes the respective card manufacturer of the SC.
CC              Denotes the respective Common Criteria evaluation laboratory that evaluates the SC.
X_i             Indicates the identity of an entity X.
N_X             Random number generated by entity X.
h(Z)            The result of applying a hash algorithm (e.g. SHA-256) to data Z.
K_X-Y           Long-term encryption key shared between entities X and Y.
mK_X-Y          Long-term MAC key shared between entities X and Y.
B_X             Private decryption key associated with an entity X.
V_X             Public encryption key associated with an entity X.
e_K(Z)          Result of encipherment of data Z with symmetric key K.
f_K(Z)          Result of applying a MAC algorithm to data Z with key K.
Sign_X(Z)       Represents the signature on data Z with the signature key belonging to an entity X, using a signature algorithm like DSA or one based on the RSA function.
CertS_X←Y       Represents the certificate for the signature key belonging to an entity X, issued by an entity Y.
CertE_X←Y       Certificate for the public encryption key belonging to an entity X, issued by an entity Y.
VM              The Validation Message (VM) issued by the respective CM to a SC, representing that the current state of the SC is as secure as at the time of third-party evaluation, which is evidenced by the PAC [4].
X → Y : C       Entity X sends a message to entity Y with contents C.
X||Y            Represents the concatenation of data items X and Y.
SID             Session identifier that is used as an authentication credential and to avoid Denial of Service (DoS) attacks. The SID generated during protocol run n is used in the subsequent protocol run (i.e. n+1).

Table 3. Messages in the Proposed Protocol

ATP-1.  SC       : mE = e_kSC-CM(SC_i || N'_SC || CM_i || ReqVal)
        SC → CM  : SC_i || mE || f_mkSC-CM(mE) || SID
ATP-2.  CM       : mE = e_kSC-CM(CM_i || N'_SC || N_CM || Challenge)
        CM → SC  : mE || f_mkSC-CM(mE) || SID
ATP-3.  SC       : mE = e_kSC-CM(N'_SC || N_CM || N_SP || N_SC || Response || Optional)
        SC → CM  : mE || f_mkSC-CM(mE) || SID
ATP-4.  CM       : VM = Sign_CM(CM_i || SC_i || N_SP || N_SC || PAC)
        CM       : mE = e_kSC-CM(N'_SC || VM || SC_i+ || SID+ || CertS_CM)
        CM → SC  : mE || f_mkSC-CM(mE) || SID

ATP-1 Before issuing the smart card to the user, the SC and CM establish two secret keys: an encryption key K_SC-CM and a MAC key mK_SC-CM. The SC and CM can use these long-term shared keys to generate the session encryption key k_SC-CM and the session MAC key mk_SC-CM. The method deployed to generate session keys is left to the sole discretion of the card manufacturer. Each SC has a unique identifier SC_i that is the identity of the smart card. To provide privacy to each smart card (and its user), the identity of the SC is not communicated in plaintext. Therefore, the pseudo-identifier SC_i is used in ATP-1; it is generated by the SC and the corresponding CM on the successful completion of the previous run of the attestation protocol. We will discuss the generation of SC_i and SID in subsequent messages, as the SC_i and SID generated during this run will be used in the next execution of the attestation protocol. A point to note is that for the very first execution of the attestation protocol, the smart card uses the pseudo-identifier (SC_i) that was generated by the card manufacturer and stored on the smart card before the card was issued to the user. The SID is used for two purposes: firstly to authenticate the SC and secondly to prevent a Denial of Service (DoS) attack on the attestation server. The ReqVal is the request for the attestation process. On receipt of the first message, the CM will check whether it has the correct values of SC_i and SID. If these values are correct, it will then proceed with verifying the MAC. If the MAC is valid, it will then decrypt the encrypted part of the message.


ATP-2 After the message is successfully decrypted, the CM generates a random number N_CM and a Challenge. In the case of the PRNG-based attestation mechanism, the Challenge is also a random number; in the case of the PUF-based attestation mechanism it is the pre-calculated challenge part of the CRP.

ATP-3 After generating the Response using the algorithms discussed in section 3, the SC proceeds with message three. It concatenates the random numbers generated by the SC, CM, and SP with the Response. The rationale for including the random number from the SP in message three is to request the CM to generate a validation message that can be independently checked by the SP to ensure it is fresh and valid. The function of the Optional element is to accommodate the CRP updates if the CM implements a PUF-based attestation process. While the SC is generating the Response to the Challenge, the CM also calculates the correct attestation response. When the CM receives message three, it checks the values, and if they match it issues the validation message. Otherwise the attestation process has failed and the CM does not issue any validation message (VM).

ATP-4 If the attestation response is successful then the CM takes the random numbers generated by the SP and the SC during the Secure and Trusted Channel Protocols (STCPs) discussed in paper [23] and includes the identities of the SC and CM. All of these items are then concatenated with the SC's evaluation certificate PAC and signed by the CM. The signed message is then communicated to the SC. In ATP-4, the CM also generates a SID and SC_i that will be used in the subsequent execution of the attestation protocol between the SC and CM. The SID and SC_i for the subsequent run of the attestation protocol are represented as SID+ and SC_i+. The SID+ is basically a (new) random number that is associated with the pseudo-identifier of the smart card, which it will use to authenticate in the subsequent attestation protocol runs. Furthermore, the SC_i+ is generated as SC_i+ = f_mK_CM(CM_i || N_SC || N_CM || SID), where mK_CM is the MAC key that the CM does not share
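The four messages of Table 3 together with the checks described for ATP-1 to ATP-4, as an added Python model that is not the paper's Java Card code. AES-CBC, CBC-MAC and the RSA signature are replaced by SHA-256-based stand-ins (a counter keystream, HMAC, and an HMAC "signature"), the section-3 Response computation is a placeholder hash, the session keys are assumed already derived, and the dict layout and field names are the example's own.

```python
import hashlib
import hmac
import secrets


def e(k, data):
    """Stand-in for e_K and its inverse: SHA-256 counter keystream XOR.
    The paper uses AES-128-CBC; this keeps the example stdlib-only."""
    ks = b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))


def f(k, data):
    """Stand-in for f_K: HMAC-SHA256 (paper: AES-CBC-MAC)."""
    return hmac.new(k, data, hashlib.sha256).digest()


def cat(*fields):
    """X||Y with 2-byte length prefixes so the receiver can split fields."""
    return b"".join(len(x).to_bytes(2, "big") + x for x in fields)


def split(blob):
    out, i = [], 0
    while i < len(blob):
        n = int.from_bytes(blob[i:i + 2], "big")
        out.append(blob[i + 2:i + 2 + n])
        i += 2 + n
    return out


def attest(challenge):
    """Placeholder for the section-3 Response (PRNG-based mode): hash of the
    challenge bound to a constructed platform-state digest."""
    return hashlib.sha256(b"platform-state-digest|" + challenge).digest()


def open_msg(k, mk, mE, tag):
    """Receiver side of mE||f(mE): verify the MAC first, only then decrypt."""
    if not hmac.compare_digest(f(mk, mE), tag):
        raise ValueError("MAC check failed")
    return split(e(k, mE))


def run_atp(sc, cm, n_sp, n_sc):
    """One run of ATP-1..ATP-4. sc/cm are dicts holding each side's keys and
    state; n_sp and n_sc are the SP and SC nonces from the earlier STCP run.
    Returns the validation message VM, or None if any check fails."""
    k, mk = sc["k"], sc["mk"]          # session keys (derivation left to the CM)
    # ATP-1  SC -> CM : SC_i || mE || f(mE) || SID
    n_sc1 = secrets.token_bytes(16)    # N'_SC, fresh for this run
    mE = e(k, cat(sc["pseudo"], n_sc1, cm["id"], b"ReqVal"))
    pseudo, tag, sid = sc["pseudo"], f(mk, mE), sc["sid"]
    # CM: look up SC_i and compare SID before any cryptography (DoS filter)
    card = cm["cards"].get(pseudo)
    if card is None or not hmac.compare_digest(card["sid"], sid):
        return None
    _, n_sc1_cm, _, req = open_msg(k, mk, mE, tag)
    if req != b"ReqVal":
        return None
    # ATP-2  CM -> SC : e(CM_i || N'_SC || N_CM || Challenge) || MAC || SID
    n_cm, challenge = secrets.token_bytes(16), secrets.token_bytes(16)
    expected = attest(challenge)       # CM computes the correct Response itself
    mE = e(k, cat(cm["id"], n_sc1_cm, n_cm, challenge))
    cm_id, n_back, n_cm_sc, chal_sc = open_msg(k, mk, mE, f(mk, mE))
    if n_back != n_sc1 or cm_id != cm["id"]:
        return None
    # ATP-3  SC -> CM : e(N'_SC || N_CM || N_SP || N_SC || Response || Optional)
    mE = e(k, cat(n_sc1, n_cm_sc, n_sp, n_sc, attest(chal_sc), b""))
    n1, n2, n_sp_cm, n_sc_cm, resp, _ = open_msg(k, mk, mE, f(mk, mE))
    if n1 != n_sc1_cm or n2 != n_cm or not hmac.compare_digest(resp, expected):
        return None                    # attestation failed: no VM is issued
    # ATP-4  CM signs VM and rolls SID / SC_i forward for the next run
    vm = hmac.new(cm["sign_key"],      # stand-in for Sign_CM (paper: RSA)
                  cat(cm["id"], card["id"], n_sp_cm, n_sc_cm, cm["pac"]),
                  hashlib.sha256).digest()
    sid_plus = secrets.token_bytes(16)
    pseudo_plus = f(cm["mk_cm"], cat(cm["id"], n_sc_cm, n_cm, sid))  # mK_CM stays at CM
    del cm["cards"][pseudo]
    cm["cards"][pseudo_plus] = {"id": card["id"], "sid": sid_plus}
    mE = e(k, cat(n_sc1_cm, vm, pseudo_plus, sid_plus, cm["cert"]))
    n_back, vm_sc, new_pseudo, new_sid, _ = open_msg(k, mk, mE, f(mk, mE))
    if n_back != n_sc1:
        return None
    sc["pseudo"], sc["sid"] = new_pseudo, new_sid   # SC adopts SC_i+ and SID+
    return vm_sc


def make_parties():
    """Constructed sample personalisation of one card by one manufacturer."""
    k, mk = secrets.token_bytes(32), secrets.token_bytes(32)
    pseudo0, sid0 = secrets.token_bytes(16), secrets.token_bytes(16)
    sc = {"k": k, "mk": mk, "pseudo": pseudo0, "sid": sid0}
    cm = {"id": b"CM-example", "mk_cm": secrets.token_bytes(32),
          "sign_key": secrets.token_bytes(32), "pac": b"PAC-placeholder",
          "cert": b"CertS_CM-placeholder",
          "cards": {pseudo0: {"id": b"SC-0001", "sid": sid0}}}
    return sc, cm
```

A second run with the rolled-over SC_i+ and SID+ succeeds, while a message built from the previous run's values is dropped at the SID check before any decryption.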

5. Protocol Analysis

In this section, we detail the test performance results.


5.1. Implementation Results & Performance Measurements

The test protocol implementation and performance measurement environment in this paper consists of a laptop with a 1.83 GHz processor and 2 GB of RAM running Windows XP. The off-card entities execute on the laptop, and for the on-card entities we have selected two distinct 16-bit Java Cards, referred to as C1 and C2. Each implemented protocol is executed for 1000 iterations to adequately take into account the standard deviation between different protocol runs, and the time taken to complete an iteration of the protocol was recorded. The test Java Cards (e.g. C1 and C2) were tested with different numbers of iterations to find a range which we could use as a common denominator for the performance measurements in this paper. As a result, the figure of 1000 iterations was used, because after 1000 iterations the standard deviation becomes approximately uniform. Regarding the choice of cryptographic algorithms, we have selected the Advanced Encryption Standard (AES) [27] with a 128-bit key and Cipher Block Chaining (CBC) [28] without padding for both encryption and MAC operations. The signature algorithm is based on Rivest-Shamir-Adleman (RSA) [28] with a 512-bit key. We used SHA-256 [29] for hash generation. For Diffie-Hellman key generation we used the 2058-bit group with a 256-bit prime-order subgroup specified in RFC 5114 [30]. The average performance measurements in this paper are rounded up to the nearest natural number. The attestation mechanism implemented in our test environment executes all the instructions on a pair of Java Cards, except for the PUF, whose execution time from [22] was added afterwards. The performance measurements taken from the two 16-bit Java Cards are listed in table 4. The offline attestation mechanism based on PUF takes in total 2292 bytes of memory space. Similarly, the online attestation mechanism and the associated attestation protocol based on PUF take in total 6392 bytes.

Table 4. Test performance measurement (milliseconds) for the attestation protocol.

Card Specification
Measures               Offline Attestation          Online Attestation
                       C1          C2               C1           C2
Average                532.75      584.26           1128.65      1284.85
Best time              506         495              992          1075
Worst time             749         838              1312         1638
Standard Deviation     53.22       83.31            103.62       112.72


6. Summary

In this paper, we discussed the overall architecture of the attestation mechanism that includes hardware validation with the traditional software attestation. We proposed two modes for the attestation process: offline and online attestation. In designing the attestation process, we based our proposal on PUFs. To have an online attestation, we proposed the attestation protocol that communicates with the card manufacturer to get a dynamic validation of assurance (i.e., a signed message from the card manufacturer) that the smart card is still secure and reliable. We implemented offline and online attestation mechanisms, along with an attestation protocol on 16-bit Java Cards and detailed the performance measurements.


References

[1] "GlobalPlatform A New Model: The Consumer-Centric Model and How It Applies to the Mobile Ecosystem," GlobalPlatform, Whitepaper, March 2013.
[2] R. N. Akram, K. Markantonakis, and K. Mayes, "A Paradigm Shift in Smart Card Ownership Model," in the 2010 Int. Conf. on Computational Science and Its Applications (ICCSA 2010), B. O. Apduhan and O. Gervasi, Eds. Fukuoka, Japan: IEEE CS, March 2010, pp. 191–200.
[3] R. N. Akram, K. Markantonakis, and K. Mayes, "Application Management Framework in User Centric Smart Card Ownership Model," in The 10th Int. Workshop on Information Security Applications (WISA09), H. Y. Youm and M. Yung, Eds. Busan, Korea: Springer, August 2009, pp. 20–35.
[4] R. N. Akram, K. Markantonakis, and K. Mayes, "A Dynamic and Ubiquitous Smart Card Security Assurance and Validation Mechanism," in 25th IFIP Int. Information Security Conf. (SEC 2010), K. Rannenberg and V. Varadharajan, Eds. Brisbane, Australia: Springer, September 2010, pp. 161–172.
[5] "The GlobalPlatform Proposition for NFC Mobile: Secure Element Management and Messaging," GlobalPlatform, White Paper, April 2009.
[6] GlobalPlatform: GlobalPlatform Card Specification, Version 2.2, GlobalPlatform Std., March 2006.
[7] FIPS 140-2: Security Requirements for Cryptographic Modules, Online, NIST Federal Information Processing Standards Publication, Rev. Supersedes FIPS PUB 140-1, May 2005.
[8] W. Rankl and W. Effing, Smart Card Handbook, 3rd ed. NY, USA: John Wiley & Sons, Inc., 2003.
[9] Trusted Module Specification 1.2: Part 1 - Design Principles, Part 2 - Structures of the TPM, Part 3 - Commands, Trusted Computing Group Std., Rev. 103, July 2007.
[10] "TCG Mobile Trusted Module Specification," Trusted Computing Group (TCG), V1.0, June 2008.
[11] K. Eagles, K. Markantonakis, and K. Mayes, "A Comparative Analysis of Common Threats, Vulnerabilities, Attacks and Countermeasures within Smart Card and Wireless Sensor Network Node Technologies," in the 1st Int. Conf. on Information Security Theory and Practices, ser. WISTP'07. Springer, 2007, pp. 161–174.
[12] B. Gassend, D. Clarke, M. van Dijk, and S. Devadas, "Silicon Physical Random Functions," in Proceedings of the 9th ACM Conf. on Computer and Communications Security, NY, USA: ACM, 2002, pp. 148–160.
[13] H. Busch, M. Sotáková, S. Katzenbeisser, and R. Sion, "The PUF Promise," in Proceedings of the 3rd Int. Conf. on Trust and Trustworthy Computing. Springer, June 2010, pp. 290–297.
[14] D. Kirovski, "Anti-Counterfeiting: Mixing the Physical and the Digital World," in Foundations for Forgery-Resilient Cryptographic Hardware, ser. Dagstuhl Seminar Proceedings, J. Guajardo, B. Preneel, A.-R. Sadeghi, and P. Tuyls, Eds., Germany, 2010.
[15] S. S. Kumar, J. Guajardo, R. Maes, G.-J. Schrijen, and P. Tuyls, "Extended Abstract: The Butterfly PUF Protecting IP on every FPGA," in Proceedings of the 2008 IEEE Int. Workshop on Hardware-Oriented Security and Trust. Washington, DC, USA: IEEE CS, 2008, pp. 67–70.
[16] P. Tuyls, G.-J. Schrijen, B. Škorić, J. van Geloven, N. Verhaegh, and R. Wolters, "Read-proof Hardware from Protective Coatings," in Cryptographic Hardware and Embedded Systems Workshop, ser. LNCS, vol. 4249. Springer, October 2006, pp. 369–383.
[17] R. S. Pappu, "Physical One-way Functions," Ph.D. dissertation, MIT, March 2001.
[18] G. E. Suh, C. W. O'Donnell, I. Sachdev, and S. Devadas, "Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Function," vol. 33, pp. 25–36, May 2005.
[19] D. Merli, D. Schuster, F. Stumpf, and G. Sigl, "Side-Channel Analysis of PUFs and Fuzzy Extractors," in Trust and Trustworthy Computing, ser. LNCS, J. McCune, Ed. Springer, 2011, vol. 6740, pp. 33–47.
[20] G. E. Suh and S. Devadas, "Physical Unclonable Functions for Device Authentication and Secret Key Generation," in the 44th Annual Design Automation Conf., NY, USA: ACM, 2007, pp. 9–14.
[21] A. Maiti, R. Nagesh, A. Reddy, and P. Schaumont, "Physical Unclonable Function and True Random Number Generator: a Compact and Scalable Implementation," in Proceedings of the 19th ACM Great Lakes Symposium on VLSI, ser. GLSVLSI '09. New York, NY, USA: ACM, 2009, pp. 425–428.
[22] S. Schulz, C. Wachsmann, and A.-R. Sadeghi, "Lightweight Remote Attestation using Physical Functions," Technische Universität Darmstadt, Darmstadt, Germany, TR-200106-11, July 2011.
[23] R. N. Akram, K. Markantonakis, and K. Mayes, "A Secure and Trusted Channel Protocol for the User Centric Smart Card Ownership Model," in 12th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom-13). Australia: IEEE CS, 2013.
[24] G. Lowe, "Casper: a compiler for the analysis of security protocols," J. Comput. Secur., vol. 6, Jan 1998.
[25] C. A. R. Hoare, Communicating Sequential Processes. NY, USA: ACM, 1978, vol. 21, no. 8.
[26] P. Ryan and S. Schneider, The Modelling and Analysis of Security Protocols: the CSP Approach. Addison-Wesley Professional, 2000.
[27] J. Daemen and V. Rijmen, The Design of Rijndael: AES - The Advanced Encryption Standard. Berlin: Springer, 2002.
[28] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography. CRC, October 1996.
[29] FIPS 180-2: Secure Hash Standard (SHS), NIST Spec., 2002.
[30] M. Lepinski and S. Kent, "RFC 5114 - Additional Diffie-Hellman Groups for Use with IETF Standards," Tech. Rep., January 2008.
[31] "Trusted Computing Group, TCG Specification Architecture Overview," The Trusted Computing Group (TCG), Beaverton, Oregon, USA, revision 1.4, August 2007.
[32] A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. Khosla, "SCUBA: Secure Code Update by Attestation in Sensor Networks," in the 5th ACM Workshop on Wireless Security, NY, USA: ACM, 2006, pp. 85–94.
[33] Y. Li, J. M. McCune, and A. Perrig, "SBAP: Software-based Attestation for Peripherals," in Proceedings of the 3rd Int. Conference on Trust and Trustworthy Computing, Berlin: Springer, 2010, pp. 16–29.
[34] A. Seshadri, A. Perrig, L. van Doorn, and P. Khosla, "SWATT: SoftWare-based ATTestation for Embedded Devices," Security and Privacy, IEEE Symposium on, vol. 0, p. 272, 2004.
[35] D. Schellekens, B. Wyseur, and B. Preneel, "Remote Attestation on Legacy Operating Systems with Trusted Platform Modules," Sci. Comput. Program., vol. 74, pp. 13–22, December 2008.
[36] H. Busch, S. Katzenbeisser, and P. Baecher, "PUF-Based Authentication Protocols - Revisited," in Information Security Applications, ser. LNCS, H. Youm and M. Yung, Eds. Springer, 2009, pp. 296–308.


Radio Frequency Identification System Security
C. Ma and J. Weng (Eds.)
IOS Press, 2013
© 2013 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-61499-328-5-123

A Survey of Side Channel Attacks on MPKCs Potential for RFID

Weijian LI a,b, Shaohua TANG a,1, Daojing HE a
a School of Computer Science and Engineering, South China University of Technology, Guangzhou, China
b School of Computer Science, Guangdong Polytechnic Normal University, Guangzhou, China

Abstract. MPKC is one of the most promising public-key cryptosystems against cryptanalysis on quantum computers. Its efficient implementation is also suitable for low-resource portable devices such as smart cards and RFID tags. In this paper, we investigate the existing side channel attacks against MPKCs and give a survey of power analysis attacks and fault attacks, including DPA against SFLASH and fault attacks against HFE.

Keywords. Multivariate Public Key Cryptosystems, Power Analysis Attacks, SFLASH, Fault Attacks, HFE


Introduction

The emergence of quantum computers greatly threatens the security of the traditional public key cryptosystems, which are built on the integer factorization and discrete logarithm problems. RSA and elliptic curve cryptosystems can be compromised by Shor's algorithm [1]. Therefore, researchers have been proposing new public-key cryptosystems to withstand such threats from quantum computers. The multivariate public key cryptosystem (MPKC) is one of the most promising public-key cryptosystems; its security is built on solving nonlinear multivariate equations over a finite field. This is an NP-hard problem, and quantum computers do not show a significant advantage in solving it. The multivariate public key cryptosystem was first proposed by Matsumoto and Imai [2] in 1988. Patarin broke the MI cryptosystem [3] and proposed enhanced versions such as SFLASH [4] to resist his cryptanalysis. Although some of these schemes have already been broken, others such as HFE [5] and Rainbow [6] have survived known attacks like Gröbner basis attacks, rank attacks and differential attacks. Furthermore, compared with traditional public-key cryptosystems, MPKC has a huge advantage on low-resource portable devices because of its low-power and high-speed computation. It is therefore very suitable for portable devices such as smart cards, wireless sensors and active RFID tags, which have limited computing power, storage space and power consumption. Research on highly efficient implementations of MPKCs has become a focus. Akkar et al. [7] proposed a fast implementation that generates a signature in only 60 ms on an Infineon SLE 66. Chen et al. [8] presented an SSE-based MPKC implementation on modern x86 CPUs. However, unprotected implementations of cryptosystems are vulnerable to side channel attacks. When implementing MPKCs in practice, it is necessary to protect them from side channel attacks such as power analysis attacks and fault attacks. Differential Power Analysis is one of the effective methods to retrieve secret keys; it includes mono-bit DPA [9], multi-bit DPA [9, 10] and Correlation Power Analysis (CPA) [11]. Fault attacks were first introduced by Boneh et al. [12]; they induce faults in the parameters of a target device. Although side channel attacks have been developed over the past 15 years, there are few such attacks against MPKCs. Steinwandt et al. [13] utilized XOR operations to reveal the secret parameters Δ, s and t of SFLASH in theory. Okeya et al. [14] proposed an attack against the addition operation modulo 2^32 to reveal Δ of SFLASH implemented on an IC chip. Hashimoto et al. [15] proposed a fault attack on MPKCs that changes coefficients of the central map. In this paper, we investigate the existing side channel attacks against MPKCs. The rest of this paper is organized as follows. Section 1 describes the details of MPKCs, especially SFLASH and HFE. In Section 2 we present an overview of the existing power analysis attacks. In Section 3, we briefly introduce the fault attacks against HFE. Section 4 concludes the paper.

1 Corresponding Author (E-mail: [email protected], [email protected])

1. Multivariate Public Key Cryptosystems


Figure 1 shows the general composition of maps of multivariate public key cryptosystems. The secret key includes s,t and F.

Figure 1. Composition of maps of Multivariate Public Key Cryptosystems.

Here $s$ and $t$ are invertible affine transforms over $k^n$ and $k^m$ respectively,

$$s(x) = s_1 x + s_2, \qquad t(x) = t_1 x + t_2, \tag{1}$$

where $s_1$ and $t_1$ are $n \times n$ and $m \times m$ matrices, and $s_2$ and $t_2$ are $n$- and $m$-dimensional column vectors, respectively. $F$ is the central map, which is a quadratic map with a computationally feasible inversion and is different for each MPKC scheme. $\bar{F}$ is the public key, given by

$$\bar{F} = t \circ F \circ s. \tag{2}$$


Given a message $y = (y_0, \cdots, y_{n-1})$, the signature is computed using the secret key as follows:

$$x = s^{-1} \circ F^{-1} \circ t^{-1}(y). \tag{3}$$

The validation of the signature $x$ is done with the public key by testing if

$$\bar{F}(x) = y. \tag{4}$$

1.1. SFLASH

The composition of maps in the construction of SFLASH is shown in Figure 2. SFLASH makes use of two finite fields $K := \mathbb{F}_2[x]/(x^7 + x + 1)$ and $L := K[X]/(X^{37} + X^{12} + X^{10} + X^2 + 1)$.

Figure 2. Composition of maps of SFLASH.

The value of $n$ in SFLASH is equal to 37. $s$ and $t$ are invertible affine transforms, each given by a $37 \times 37$ matrix and a 37-dimensional column vector. A 37-tuple $x = (x_0, \cdots, x_{36}) \in K^n$ can be mapped into $X \in L$ by $\varphi$,

$$X = \varphi(x) = \sum_{i=0}^{36} \beta_i x_i, \tag{5}$$

where $\beta = (\beta_0, \cdots, \beta_{36})$ is a basis of $L$. The central map is $\tilde{F} = \varphi^{-1} \circ F \circ \varphi$, where $F$ is defined as $F(X) = X^{q^\theta + 1}$ and $\theta$ satisfies $\gcd(q^\theta + 1, q^n - 1) = 1$. SFLASH uses $F(X) = X^{128^{11} + 1}$. Its inverse $F^{-1}$ can be computed by $F^{-1}(Y) = Y^h$, where $h = (q^\theta + 1)^{-1} \bmod (q^n - 1)$.

Signature Generation of SFLASH. Given a message $y = (y_0, \cdots, y_{n-1})$, the signature generation of SFLASH can be described as in the SFLASH Signature algorithm below:

$$x = s^{-1} \circ \varphi^{-1} \circ F^{-1} \circ \varphi \circ t^{-1}(y) = [\bar{F}]^{-1}(y). \tag{6}$$

According to [13, 14], given a message $M$ and secret key $(\Delta, s, t)$, where $\Delta \in \{0,1\}^{80}$ is a secret 80-bit string, the signature generation algorithm is described below. Note that $\pi$ maps $\{0,1\}^7 \to K$ and is defined as $\pi(b) = (b_6 x^6 + \cdots + b_1 x + b_0) \bmod (x^7 + x + 1)$. SFLASH Signature first computes the 182-bit hash value $V$ from the message $M$, and the 77-bit hash value $W$ from $V$ and the secret parameter $\Delta$. The resulting 259-bit string is then divided and mapped into a column vector $(Y || R) \in K^{37}$ by Steps 4 to 5. Steps 6, 7 and 8 solve equations to get the variables $X = (X_0, \cdots, X_{36})$, which form the signature of message $M$.
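The maps of Eqs. (1) to (6) carried out in Python with the SFLASH fields of this section, as an added example that is not code from the paper: $K = GF(2^7)$ modulo $x^7 + x + 1$, $L = K[X]/(X^{37} + X^{12} + X^{10} + X^2 + 1)$, the central map $X^{128^{11}+1}$ and its inverse via $h$. It assumes the polynomial basis $\beta_i = X^i$ for $\varphi$ (so $\varphi$ is the identity on coefficient vectors), picks $s$ and $t$ as random invertible affine maps, and leaves out the hashing steps ($\pi$, SHA-1) of the SFLASH Signature algorithm.

```python
"""SFLASH-style MPKC over the fields of Section 1.1: K = GF(2)[x]/(x^7+x+1)
as 7-bit ints, L = K[X]/(X^37+X^12+X^10+X^2+1) as lists of 37 K elements
(assumed polynomial basis beta_i = X^i, so phi is the identity on coefficients).
Central map F(X) = X^(128^11+1); F^-1(Y) = Y^h, h = (128^11+1)^-1 mod (128^37-1)."""
import random

Q, N, THETA = 128, 37, 11
EXP = Q ** THETA + 1                 # exponent of the central map
H = pow(EXP, -1, Q ** N - 1)         # needs gcd(q^theta + 1, q^n - 1) = 1
L_TAPS = (12, 10, 2, 0)              # X^37 = X^12 + X^10 + X^2 + 1 in L

def k_mul(a, b):
    """Multiply two K elements modulo x^7 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x80:
            a ^= 0x83                # x^7 = x + 1
    return r

def k_inv(a):
    """a^(q-2) = a^-1 in K for a != 0."""
    r, ex = 1, Q - 2
    while ex:
        if ex & 1:
            r = k_mul(r, a)
        a, ex = k_mul(a, a), ex >> 1
    return r

def l_mul(u, v):
    """Multiply two L elements, reducing X^d (d >= 37) from the top down."""
    prod = [0] * (2 * N - 1)
    for i, a in enumerate(u):
        if a:
            for j, b in enumerate(v):
                if b:
                    prod[i + j] ^= k_mul(a, b)
    for d in range(2 * N - 2, N - 1, -1):
        c = prod[d]
        if c:
            for tap in L_TAPS:
                prod[d - N + tap] ^= c
    return prod[:N]

def l_pow(u, ex):
    """Square-and-multiply exponentiation in L."""
    r = [1] + [0] * (N - 1)
    while ex:
        if ex & 1:
            r = l_mul(r, u)
        u, ex = l_mul(u, u), ex >> 1
    return r

def central_map(x):                  # F(X) = X^(q^theta + 1)
    return l_pow(x, EXP)

def central_map_inv(y):              # F^-1(Y) = Y^h
    return l_pow(y, H)

def mat_vec(m, v):
    """Matrix-vector product over K (the sum is XOR in characteristic 2)."""
    out = []
    for row in m:
        acc = 0
        for a, b in zip(row, v):
            acc ^= k_mul(a, b)
        out.append(acc)
    return out

def mat_inv(m):
    """Gauss-Jordan inverse over K; raises ValueError if m is singular."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next((r for r in range(c, n) if a[r][c]), None)
        if p is None:
            raise ValueError("singular matrix")
        a[c], a[p] = a[p], a[c]
        inv = k_inv(a[c][c])
        a[c] = [k_mul(inv, v) for v in a[c]]
        for r in range(n):
            if r != c and a[r][c]:
                fac = a[r][c]
                a[r] = [v ^ k_mul(fac, w) for v, w in zip(a[r], a[c])]
    return [row[n:] for row in a]

def random_affine(rng):
    """An invertible 37x37 matrix over K, its inverse, and a 37-vector shift."""
    while True:
        m = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
        try:
            return m, mat_inv(m), [rng.randrange(Q) for _ in range(N)]
        except ValueError:
            continue

def keygen(seed=1):
    """Secret key (s, t); the public key F_bar = t o F o s is implied by it."""
    rng = random.Random(seed)
    return {"s": random_affine(rng), "t": random_affine(rng)}

def sign(sk, y):
    """Eq. (3)/(6): x = s^-1 . F^-1 . t^-1 (y), with y a 37-tuple over K."""
    t1, t1_inv, t2 = sk["t"]
    s1, s1_inv, s2 = sk["s"]
    b = mat_vec(t1_inv, [yi ^ ti for yi, ti in zip(y, t2)])      # t^-1(y)
    a = central_map_inv(b)                                       # F^-1
    return mat_vec(s1_inv, [ai ^ si for ai, si in zip(a, s2)])   # s^-1(a)

def public_map(sk, x):
    """Eq. (2)/(4): F_bar(x) = t(F(s(x))). A deployed public key is the expanded
    quadratic system; evaluating the composition yields the same value."""
    s1, _, s2 = sk["s"]
    t1, _, t2 = sk["t"]
    u = [v ^ c for v, c in zip(mat_vec(s1, x), s2)]
    return [v ^ c for v, c in zip(mat_vec(t1, central_map(u)), t2)]

def demo(seed=1):
    """Sign a constructed 37-symbol digest y and verify it; returns (y, x, ok)."""
    sk = keygen(seed)
    rng = random.Random(seed + 100)
    y = [rng.randrange(Q) for _ in range(N)]
    x = sign(sk, y)
    return y, x, public_map(sk, x) == y
```

Signing costs one exponentiation with the 259-bit exponent $h$ in $L$, which is why the page's Step 7 dominates the running time; verification only needs the short exponent $128^{11}+1$.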


SFLASH Signature:
Input: Message M, secret key (Δ, s, t)
Output: Signature S
1. M1 = SHA-1(M), M2 = SHA-1(M1)
2. V = [M1]_{0→159} || [M2]_{0→21}
3. W = [SHA-1(V || Δ)]_{0→76}
4. Y = (π([V]_{0→6}), π([V]_{7→13}), ..., π([V]_{175→181}))
5. R = (π([W]_{0→6}), π([W]_{7→13}), ..., π([W]_{70→76}))
6. B = t^{-1}(Y || R)
7. A = φ^{-1}(F^{-1}(φ(B)))
8. X = (X0, ..., X36) = s^{-1}(A)
9. S = π^{-1}(X0) || ... || π^{-1}(X36)
10. return(S)

1.2. Hidden Field Equation (HFE)

Let $K$ be a finite field of cardinality $q$ and characteristic $p$, and $L_N$ an extension of degree $N$ of $K$. The design of HFE is very similar to that of SFLASH; the main difference is that the map $F$ is replaced with a new map $L_N \to L_N$:

$$F(X) = \sum_{0 \le i \le j \le d} \alpha_{ij} X^{q^i + q^j} + \sum_{0 \le i \le d} \beta_i X^{q^i} + \gamma, \tag{7}$$

where $d \ge 1$ is an integer, and the coefficients $\alpha_{ij}$, $\beta_i$ and $\gamma$ are randomly chosen elements of $L_N$. The inversion of $F$ is computed by the Berlekamp algorithm, whose complexity depends on the degree $d$ of $F$.

2. Power analysis attacks

2.1. General description of attacks on the secret parameter

The signature generation algorithm SFLASH Signature makes use of the hash function SHA-1 [16] to compute hash values of the message $M$ and the secret parameter $\Delta$. Following [14], we give a brief review of SHA-1 as used in Step 3 of SFLASH Signature in the table below. Note that the $K_t$ in Step 6.2 are constant values. The functions $f_t(x, y, z)$ in Step 6.1 are the following logical functions:

$$f_t(x, y, z) = (x \wedge y) \vee (\bar{x} \wedge z), \quad (t = 0, \cdots, 19)$$
$$f_t(x, y, z) = x \oplus y \oplus z, \quad (t = 20, \cdots, 39)$$
$$f_t(x, y, z) = (x \wedge y) \vee (x \wedge z) \vee (y \wedge z), \quad (t = 40, \cdots, 59)$$
$$f_t(x, y, z) = x \oplus y \oplus z. \quad (t = 60, \cdots, 79)$$

$W_0, \cdots, W_4, [W_5]_{0 \to 21}, [W_8]_{6 \to 31}, W_9, \cdots, W_{15}$ depend on $V$ only and are therefore known to the attacker. $[W_5]_{22 \to 31}, W_6, W_7, [W_8]_{0 \to 5}$ depend on $\Delta$.


SHA1 SFLASH Signature:
Input: Message (V || Δ) in Step 3 of SFLASH Signature
Output: Hashed value SHA-1(V || Δ)
1. padding: M0 = V || Δ || (1, 0, ..., 0, 1, 0, 0, 0, 0, 0, 1, 1, 0), where V || Δ is 262 bits long and the run of zeroes contains 240 zeroes
2. initialization: H0 = 0x67452301, H1 = 0xefcdab89, H2 = 0x98badcfe, H3 = 0x10325476, H4 = 0xc3d2e1f0
3. A = H0, B = H1, C = H2, D = H3, E = H4
4. The 512-bit word M0 is divided into sixteen 32-bit words W0, ..., W15: M0 = W0 || ... || W15. (Note that W0, ..., W4, [W5]_{0→21}, [W8]_{6→31}, W9, ..., W15 are known to the attacker.)
5. for t = 16 to 79, do the following:
   5.1 W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) <<< 1   (<<< denotes rotate-left)
6. for t = 0 to 79, do the following:
   6.1 TEMP1 = (A <<< 5) + f_t(B, C, D) + E mod 2^32
   6.2 TEMP2 = TEMP1 + W_t mod 2^32
   6.3 TEMP3 = TEMP2 + K_t mod 2^32
   6.4 E = D, D = C, C = B <<< 30, B = A, A = TEMP3
7. H0 = H0 + A mod 2^32, H1 = H1 + B mod 2^32, H2 = H2 + C mod 2^32, H3 = H3 + D mod 2^32, H4 = H4 + E mod 2^32
8. return(H0, H1, H2, H3, H4)

Remark: From the point of view of side channel attacks, several operations are susceptible to SCA, especially Steps 5.1, 6.2 and 6.4:
1) 5.1 W_t = (W_{t-3} ⊕ W_{t-8} ⊕ W_{t-14} ⊕ W_{t-16}) <<< 1
2) 6.2 TEMP2 = TEMP1 + W_t mod 2^32
3) 6.4 A = TEMP3
Steinwandt et al. [13] utilized the XOR operations at Step 5.1 to reveal the secret parameter Δ in theory. Okeya et al. [14] made use of the addition operation modulo 2^32 at Step 6.2 for revealing Δ and presented an experimental result of DPA on an IC chip. However, no attack has been published against the register-storing operation at Step 6.4; the Hamming distance of register A before and after the storing operation leaks significant information about the secret, which is effective for side channel attacks against implementations on FPGA devices. We discuss some existing side channel attacks below.

2.2. Attack against the addition operation modulo 2^32

Okeya et al. [14] proposed an attack against the addition operation modulo 2^32 at Step 6.2. Since W0, ..., W4, [W5]_{0→21}, [W8]_{6→31}, W9, ..., W15 depend on V only and are known to the attacker, he/she therefore aimed at revealing [W5]_{22→31}, W6, W7, [W8]_{0→5} through the operation at Step 6.2. Notice that some important W_t used at Step 6.2 are computed by Step 5.1:


⎧ (1) W16 = (W13 ⊕W8 ⊕W2 ⊕W0 ) 1 ⎪ ⎪ ⎨ (2) W19 = (W16 ⊕W11 ⊕W5 ⊕W3 ) 1 (with W16 as in (1)) (3) W20 = (W17 ⊕W12 ⊕W6 ⊕W4 ) 1 ⎪ ⎪ ⎩ (4) W23 = (W20 ⊕W15 ⊕W9 ⊕W7 ) 1 (with W20 as in (3)).

(8)

Note that in Equation (3), $W_{17} = (W_{14} \oplus W_{9} \oplus W_{3} \oplus W_{1}) \lll 1$ is known to the attacker. On the right-hand side of each equation, only one word is unknown. Now we demonstrate how to reveal four bits of $W_6$; the other bits can be revealed in the same way. The experiment assumed that the attacker had already detected the lower sixteen bits of $W_6$ and his/her target was the next four bits $[W_6]_{16\to19}$.

1. Execute the signing algorithm with n different messages $M_i$ and the same secret parameter Δ, recording the power consumptions $P_i$, $0 \le i \le n$. $P_i = ((P_i)_0, \cdots, (P_i)_{k-1})$ is a k-sample power consumption during the execution of the signing algorithm with input $M_i$.

2. Choose the selection function $D(M_i, [W_6]_{0\to19}) = \mathrm{HammingWeight}([TEMP2]_{0\to19})$. The attacker then uses Messerges' multi-bit DPA [10] to exploit multiple selection bits to classify power consumptions and compute differential traces, as shown in Steps 3 and 4 below.

3. For each key guess $[W_6]_{16\to19} = d$, $0 \le d \le 15$, classify the inputs: if $D(M_i, [W_6]_{0\to19}) \ge 13$, the input belongs to $G_{13,d}$; if $D(M_i, [W_6]_{0\to19}) \le 7$, the input belongs to $G_{7,d}$:

$$
\begin{aligned}
G_{13,d} &= \{P_i,\ i = 1, 2, \cdots, n \mid D(M_i, [W_6]_{0\to19}) \ge 13\}, \\
G_{7,d} &= \{P_i,\ i = 1, 2, \cdots, n \mid D(M_i, [W_6]_{0\to19}) \le 7\}.
\end{aligned}
\tag{9}
$$

4. Compute the average differences of the power consumptions of $G_{13,d}$ and $G_{7,d}$ for each key guess and sample point:

$$
\delta_{d,j} = \frac{\sum_{G_{13,d}} (P_i)_j}{|G_{13,d}|} - \frac{\sum_{G_{7,d}} (P_i)_j}{|G_{7,d}|}, \qquad 0 \le d \le 15;\ 0 \le j \le k-1.
\tag{10}
$$

Note that $|G_{13,d}|$ and $|G_{7,d}|$ denote the number of power consumptions in the groups $G_{13,d}$ and $G_{7,d}$ respectively. After computing, the attacker has 16 k-sample differential traces $\delta_d = (\delta_{d,0}, \cdots, \delta_{d,k-1})$.

5. Find the peak of the 16 k-sample differential traces; the corresponding value of d is the correct $[W_6]_{16\to19}$.

Okeya et al. [14] presented an experimental result and showed that about 1408 pairs of messages were enough to reveal the secret parameter Δ.
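Steps 1 to 5 above as an added simulation (not the paper's or Okeya et al.'s code) on constructed traces with a Hamming-weight leakage model, to show why the unprotected addition at Step 6.2 leaks $[W_6]_{16\to19}$ and therefore needs protection. The trace length k, the leaking sample index, the noise level and the secret word are assumptions, and TEMP1 is modelled as a known random word per message rather than computed through the SHA-1 rounds from the attacker-known words.

```python
import random

MASK32 = 0xFFFFFFFF

def hamming_weight(x):
    return bin(x).count("1")

def make_traces(w6, n, k=4, leak_index=2, noise_sd=0.5, seed=1):
    """Constructed k-sample traces P_i: only sample leak_index carries the
    Hamming weight of TEMP2 = TEMP1 + W_6 mod 2^32 (Step 6.2) plus noise.
    TEMP1 is a known random word per message (assumption: the real attacker
    derives it from the known words W_0..W_5 through the SHA-1 rounds)."""
    rng = random.Random(seed)
    temp1s, traces = [], []
    for _ in range(n):
        temp1 = rng.getrandbits(32)
        temp2 = (temp1 + w6) & MASK32
        trace = [rng.gauss(0.0, noise_sd) for _ in range(k)]
        trace[leak_index] += hamming_weight(temp2)
        temp1s.append(temp1)
        traces.append(trace)
    return temp1s, traces

def selection(temp1, w6_low20):
    """D(M_i, [W_6]_{0->19}) = HammingWeight([TEMP2]_{0->19}) (Step 2)."""
    return hamming_weight((temp1 + w6_low20) & 0xFFFFF)

def differential_traces(temp1s, traces, w6_low16):
    """delta_{d,j} of Eq. (10) for each guess d of [W_6]_{16->19}, using the
    groups G_{13,d} (D >= 13) and G_{7,d} (D <= 7) of Eq. (9)."""
    k = len(traces[0])
    deltas = []
    for d in range(16):
        guess = (d << 16) | w6_low16
        g13 = [p for t1, p in zip(temp1s, traces) if selection(t1, guess) >= 13]
        g7 = [p for t1, p in zip(temp1s, traces) if selection(t1, guess) <= 7]
        deltas.append([sum(p[j] for p in g13) / len(g13)
                       - sum(p[j] for p in g7) / len(g7) for j in range(k)])
    return deltas

def recover_nibble(temp1s, traces, w6_low16):
    """Step 5: the guess d whose differential trace shows the highest peak."""
    deltas = differential_traces(temp1s, traces, w6_low16)
    return max(range(16), key=lambda d: max(deltas[d]))

if __name__ == "__main__":
    secret_w6 = 0x9A3C5E71  # constructed secret word (holds Delta bits 10..41)
    t1, tr = make_traces(secret_w6, n=5000)
    print(hex(recover_nibble(t1, tr, secret_w6 & 0xFFFF)))  # 0xc
```

The wrong guesses that differ from the correct nibble in one bit still produce a visible but lower peak, because the lower sixteen bits of the predicted sum are correct for every guess; this is why the peak height, not merely its presence, selects d.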

2.3. Attack against XOR operations at Step 5.1

Steinwandt et al. [13] utilized the XOR operations at Step 5.1 to reveal the secret parameter Δ in theory. This attack also aims at revealing $[W_5]_{22\to31}, W_6, W_7, [W_8]_{0\to5}$. As discussed above, Equation (8) shows the words and operations that the attack targets. To reveal Δ bit by bit, they defined a selection function $e_\mu(M, b_\mu)$ for $0 \le \mu \le 79$, where M is the message to be signed and $b_\mu$ is the μ-th bit of Δ. The output of $e_\mu(M, b_\mu)$ is the value of the corresponding bit in one of the XORs on the right-hand side of Equation (8):


$$
e_\mu(M, b_\mu) =
\begin{cases}
b_\mu \oplus [W_{16} \oplus W_{11} \oplus W_{3}]_{\mu+22\to\mu+22}, & \text{for } 0 \le \mu \le 9, \\
b_\mu \oplus [W_{17} \oplus W_{12} \oplus W_{4}]_{\mu-10\to\mu-10}, & \text{for } 10 \le \mu \le 41, \\
b_\mu \oplus [W_{20} \oplus W_{15} \oplus W_{9}]_{\mu-42\to\mu-42}, & \text{for } 42 \le \mu \le 73, \\
b_\mu \oplus [W_{13} \oplus W_{2} \oplus W_{0}]_{\mu-74\to\mu-74}, & \text{for } 73 \le \mu \le 79.
\end{cases}
\tag{11}
$$

After choosing the selection function $e_\mu(M, b_\mu)$, the attacker applies classic mono-bit DPA [9] to compute the k-sample differential trace $\delta_\mu = (\delta_{\mu,0}, \cdots, \delta_{\mu,k-1})$ for the μ-th bit of Δ as:

$$
\delta_{\mu,j} = \frac{\sum_{i=0}^{n-1} e_\mu(M_i, b_\mu) \cdot (P_i)_j}{\sum_{i=0}^{n-1} e_\mu(M_i, b_\mu)} - \frac{\sum_{i=0}^{n-1} (1 - e_\mu(M_i, b_\mu)) \cdot (P_i)_j}{\sum_{i=0}^{n-1} (1 - e_\mu(M_i, b_\mu))}.
\tag{12}
$$

If the guess for bit $b_\mu$ is incorrect, $e_\mu(M, b_\mu)$ is essentially uncorrelated with what was actually computed by the device, and one can expect the values of $\delta_{\mu,j}$ to approach 0 for a sufficiently large number n of traces. On the other hand, if the guess for $b_\mu$ is correct, then $e_\mu(M, b_\mu)$ is correlated with the corresponding intermediate result in the execution of the signing algorithm. Since the power consumption of the device during the execution of the signing algorithm is correlated with the values of the bits involved in the computation, a significant peak in the plot of $\delta_{\mu,j}$ reveals a correct guess of $b_\mu$.


2.4. Forging signatures using Δ

After revealing Δ, the attacker computes Y and R by Steps 1 to 5 of the SFLASH Signature function. Therefore, the attacker is able to obtain the full input $(Y \| R) \in K^{37}$ and output $X = (X_0, \cdots, X_{36})$, and the security of SFLASH is reduced from $C^{*--}$ to $C^{*}$. He/she is able to efficiently construct a dummy signature generation function using Patarin's cryptanalysis [3]. Let $X = (X_{0,k}, \cdots, X_{36,k})$ be randomly chosen signatures; the attacker computes the images of these signatures under the public verification function $\bar{F}$, which are equal to the values of Y in Step 4 of the SFLASH Signature function. After mapping Y into V by the function $\pi^{-1}$, he/she can compute R by SHA-1(V || Δ). Denote these images by $y = (y_{0,k}, \cdots, y_{36,k})$. Therefore, the attacker can obtain pairs of whole input and output of $[\bar{F}]^{-1}$, and the $C^{*}$ problem is obtained. The attacker then makes use of Patarin's cryptanalysis to find a map $[\bar{F}^{*}]^{-1}: K^{37} \to K^{37}$ which satisfies $\bar{F}([\bar{F}^{*}]^{-1}(y)) = y$. With $[\bar{F}^{*}]^{-1}$, the attacker is able to forge dummy signatures.

3. Fault Attacks

Hashimoto et al. [15] proposed a fault attack on the central map F, in which a fault changes a coefficient of F. The steps of the fault attack against HFE are described as follows:

1. Change the coefficient $\alpha_{ij}$ in Equation (7) to $\alpha'_{ij}$ by the fault; denote the central map by F and $F'$ respectively.

2. Decrypt a randomly chosen message $y = (y_0, \cdots, y_{n-1})$ by the faulty map $F'$: $x = (x_0, \cdots, x_{n-1}) = s^{-1}(F'^{-1}(t^{-1}(y)))$, and therefore $y = \bar{F}'(x)$.

3. Encrypt $x = (x_0, \cdots, x_{n-1})$ by the correct public key $\bar{F}$: $z = (z_0, \cdots, z_{n-1}) = \bar{F}(x)$.

4. Put $\delta = (\delta_0, \cdots, \delta_{n-1}) = y - z$, so that $\delta = \bar{F}'(x) - \bar{F}(x) = t((F' - F)(s(x)))$.

5. Rewrite

$$
\delta_l = \sum_{0 \le i \le j \le n} a^{(l)}_{ij} x_i x_j + \sum_{0 \le i \le n} b^{(l)}_i x_i + c^{(l)}, \qquad 0 \le l \le m-1,
$$

where $a^{(l)}_{ij}, b^{(l)}_i, c^{(l)}$ are unknown coefficients.

6. Substitute the pairs $(x, \delta)$ to construct a system of linear equations in the unknown variables $a^{(l)}_{ij}, b^{(l)}_i, c^{(l)}$. The total number of unknown variables is $(n+1)(n+2)/2$ for a fixed l. The attacker solves the equations to find $a^{(l)}_{ij}, b^{(l)}_i, c^{(l)}$ with $(n+1)(n+2)/2$ pairs $(x^{(l)}, \delta^{(l)})$.

7. Find s and t. For $\Delta\bar{F}(X) = (\bar{F}' - \bar{F})(X) = (a'_{ij} - a_{ij}) X^{q^i + q^j}$, the rank of the coefficient matrix of $\Delta\bar{F}(X)$ is 2, so Kipnis-Shamir's attack [1, 17] for rank 2 will find (a part of) s and t.

4. Conclusion

MPKC is one of the most promising families of public-key cryptosystems against cryptanalysis on quantum computers. Its efficient implementation is also suitable for low-resource portable devices such as smart cards and RFID tags. However, unprotected implementations of cryptosystems are vulnerable to side channel attacks. When implementing MPKCs in practice, it is necessary to protect them from side channel attacks, such as power analysis attacks and fault attacks. In this paper, we investigated the existing side channel attacks against MPKCs and gave a survey of side channel attacks and fault attacks, including DPA against SFLASH and fault attacks against HFE.


Acknowledgement This work is supported by the National Natural Science Foundation of China under Grant No. U1135004 and 61170080, and Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme (2011), and Guangzhou Metropolitan Science and Technology Planning Project under grant No. 2011J4300028, and High-level Talents Project of Guangdong Institutions of Higher Education (2012), and Guangdong Provincial Natural Science Foundation of China under grant No. 9351064101000003.

References

[1] P.W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 1997, 26(5): pp.1484-1509.
[2] T. Matsumoto and H. Imai, Public quadratic polynomial-tuples for efficient signature-verification and message-encryption. Advances in Cryptology - EUROCRYPT'88, Springer Berlin Heidelberg, 1988, pp.419-453.
[3] J. Patarin, Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt'88. Advances in Cryptology - CRYPTO'95, Springer Berlin Heidelberg, 1995, LNCS 963, pp.248-261.
[4] SFLASH, a fast asymmetric signature scheme for low-cost smartcards. Primitive specification and supporting documentation. Presented at First Open NESSIE Workshop, November 2000. At the time of writing available electronically at the URL https://www.cosic.esat.kuleuven.ac.be/nessie/workshop/submissions/sflash.zip.
[5] J. Patarin, Hidden Fields Equations (HFE) and Isomorphisms of Polynomials (IP): Two New Families of Asymmetric Algorithms. Advances in Cryptology - EUROCRYPT'96, Springer Berlin Heidelberg, 1996, vol.1070, pp.33-48.
[6] J. Ding and D. Schmidt, Rainbow, a New Multivariable Polynomial Signature Scheme. Applied Cryptography and Network Security, Springer Berlin Heidelberg, 2005, vol.3531, pp.164-175.
[7] M.L. Akkar, N. Courtois, R. Duteuil, and L. Goubin, A Fast and Secure Implementation of Sflash. PKC 2003, Springer Berlin Heidelberg, 2002, LNCS 2567, pp.267-278.
[8] A.I.T. Chen, M.S. Chen, T.R. Chen, C.M. Cheng, J. Ding, E.L.H. Kuo, F.Y.S. Lee, and B.Y. Yang, SSE Implementation of Multivariate PKCs on Modern x86 CPUs. Cryptographic Hardware and Embedded Systems - CHES 2009, Springer Berlin Heidelberg, 2009, LNCS vol.5747, pp.33-48.
[9] P. Kocher, J. Jaffe, and B. Jun, Differential Power Analysis. Advances in Cryptology - CRYPTO'99, Springer Berlin Heidelberg, 1999, LNCS 1666, pp.388-397.
[10] T.S. Messerges, E.A. Dabbish, and R.H. Sloan, Investigations of Power Analysis Attacks on Smartcards. USENIX 1999, Jun. 1999. http://www.usenix.org/.
[11] E. Brier, C. Clavier, and F. Olivier, Correlation power analysis with a leakage model. Cryptographic Hardware and Embedded Systems - CHES 2004, pp.135-152.
[12] D. Boneh, R. DeMillo, and R. Lipton, On the Importance of Checking Cryptographic Protocols for Faults. Advances in Cryptology - EUROCRYPT'97, Springer Berlin Heidelberg, 1997, LNCS vol.1233, pp.37-51.
[13] R. Steinwandt, W. Geiselmann, and T. Beth, A theoretical DPA-based cryptanalysis of the NESSIE candidates FLASH and SFLASH. Information Security, Springer Berlin Heidelberg, 2001, pp.280-293.
[14] K. Okeya, T. Takagi, and C. Vuillaume, On the importance of protecting Δ in SFLASH against side channel attacks. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 88.1 (2005): pp.123-131.
[15] Y. Hashimoto, T. Takagi, and K. Sakurai, General fault attacks on multivariate public key cryptosystems. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences 96.1 (2013): pp.196-205.
[16] Secure Hash Standard, Federal Information Processing Standards Publication 180-1, 1995. http://csrc.nist.gov/.
[17] J.C. Faugère, F. Levy-Dit-Vehel, and L. Perret, Cryptanalysis of MinRank. Advances in Cryptology - CRYPTO'08, Springer Berlin Heidelberg, 2008, pp.280-296.


Radio Frequency Identification System Security C. Ma and J. Weng (Eds.) IOS Press, 2013 © 2013 The authors and IOS Press. All rights reserved.

Subject Index

authentication 97
controlled delegation 31
coupling 17
elliptic curve cryptography 97
fault attacks 123
hardware implementation 83
HFE 123
implementation 97
Internet of Things 69
IoT communication 69
IoT embedded devices 69
key agreement 97
lightweight hash function 83
lightweight stream cipher 83
limited view adversary 17
Markov chain 17
multivariate public key cryptosystems 123
near field communication 97
ownership transfer 31
power analysis attacks 123
privacy 17, 31
rapid mixing 17
RFID 31, 57, 83
RFID identity management 17
RFID physical layer 57
RFID security 57
security 31, 97
SFLASH 123
standardization 97
Tag-ID 83
traceability 17


Author Index

Akram, R.N. 107
Cheng, S. 31
Fan, J. 45
Fan, X. 97
Fisher, R. 69
Gong, G. 57, 97
Guo, F. 3
Hancke, G. 69
He, D. 123
Hermans, J. 45
Huo, F. 57
Klonowski, M. 17
Kutyłowski, M. 17
Li, N. 3
Li, W. 123
Ma, C. v
Markantonakis, K. 107
Mayes, K. 107
Mikami, S. 83
Mu, Y. 3, 31
Peeters, R. 45
Poovendran, R. 57
Sakiyama, K. 83
Susilo, W. 3, 31
Syga, P. 17
Tang, S. 123
Varadharajan, V. 3, 31
Watanabe, D. 83
Weng, J. v
Yang, C. 57
