-
A Novel RFID Authentication Protocol with Ownership Transfer.doc下载
资源介绍
A Novel RFID Authentication Protocol with Ownership Transfer
Han Jia1, Jun Wen2
School of Computer Science and Technology, University of Electronic Science and Technology of China,Chengdu, China
1depart@126.com, 2wenjun@uestc.edu.cn
Abstract. RFID technology has a wide application in many fields. However, there are many security and privacy issues. The paper presents a RFID security proposal to enhance security levels. It is established as following steps. It first builds a security communication channel, then implements tags and corresponding reader authentication, finally solves the ownership transfer issue. This protocol involves minimal interaction between tags and corresponding reader, which can efficiently lower the computational burden on the tag. Its security is verified by BAN logic.
Keywords: Radio Frequency Identification; authentication; BAN; security and privacy
1 Introduction
RFID is one of the rapidly developing techniques in recent years. It is widely used in many fields, such as retail trade, libraries, car tracking, product identification and passport. It would play an important role in the future. RFID system consist of tags, readers and a database server. In the life of tag, it may transfer ownership on many occasions, for example, it occurs when a manufacture delivers it to a retailer. Therefore, the seamless ownership transfer of tag is required in RFID system. It may suffer from attacks when both of previous owner and new owner accessed the information of the tag during the processing of ownership transfer. After the operation, the previous owner cannot access the information of tag. Typically, the tag have 5~10K logic gates, can store only hundreds bits. With the limit logic gates, about between 300 and 3000 gates can be devoted to security function. There is no such security transfer mechanism in RFID system due to limited computation capabilities and storage on tags. RFID system may suffer from some security threats. They are listed as follows:
Replay attack: An attacker transmits the information he got and spoofs legitimate tag. This attack may leak out the information of tag.
Impersonation: An attacker forges a tag or a reader as an authenticated one to steal the information in the database server.
Eavesdropping: It is easy for eavesdroppers to get the signal from the open wireless circumstance, which lead to leak the business information.
Dos attack: An attacker transmits some messages to interrupt the communication among tags, readers and database servers.
De-synchronization attack: The difference between the key in tags and the one in database results in the authenticated tag cannot be recognized.
Windowing problem: During the process of ownership transfer, both the old and new owners possess the information to authenticate the tag.
This paper proposes a RFID protocol that can resist the above attacks. It adopts random numbers to make sure every round of access is fresh. The message transmitted in the channel is cipher text to preventing leakage of the tag’s information. If the bad occasion of de-synchronization happens, this protocol provides the corresponding mechanism to recover it.
The major contribution of this paper is to present a novel security and privacy RFID method with group ownership transfer. This protocol involves minimal interaction between reader and tags. The proposed method provides not only security but also efficiency.
This paper is organized as follows. Section 2 describes related work of RFID. Section 3 presents a new mutual authentication method. Section 4 verifies this protocol’s security by BAN Logic. Section 5 draws a conclusion.
2 Related work
Previous papers have done some research in RFID security. [1] pointed out there are several practical scenarios of group transfer. In addition, group transfer can substantially expand the application of RFID system. [2] is one of the earlier ownership transfer protocol. Unfortunately, there is a flaw in their solution that allows killing of the tag. [3] improved the protocol [2], [3]added some message to the last message form the database to the reader. However, this would lead to de-synchronization, and it cannot resist Dos attacks. [4] proposed a protocol to achieve group ownership transfer with the help of database server, which played a role of trusted third party. However, it may leak out the owner’s privacy. [5] adopted a dynamic ID to avoid a replay attack, but it may suffer form a Dos attack. [6] adopted one-time secret to prevent attacks in his protocol, the secrets shared between tags and servers are changed once ownership transfer occurs. It may lead to de-synchronization even if a trusted third party is used. [7] achieved ownership transfer without TTP. This protocol vulnerable to suffer from eavesdropping attacks by the previous owner, and it cannot resist Dos attacks.
The above solutions can be divided into two kinds according to the involvement of a Trusted Third Party (TTP). One not involving a TTP requires many rounds to complete authentication. The other involving a TTP relies on the security and robustness of server, which required the TTP to be online anytime.
3 Paper Preparation A novel RFID security protocol
An RFID security method that achieves all requirements based on xor and public key Infrastructure is proposed. The notations using throughout this paper are listed in table1.
Table1
Ek() Encryption function (under key k); It maybe xor , symmetrical encryption or asymmetric encryption , which depends the capability of computation about entity.
D ( ) Decryption function ;
K&K1; The key for encryption ; Different group owner have different key , so it can identify the owner of tag. In this paper, K1 represent a new owner.
ID The unique identifier of tag ;
Rt The random number generate by tag ;
Rr The random number generate by reader;
Rs The random number generate by database server;
⊕ XOR operation;
Info(ID) The specific information of tag which has this ID .
Assume public key infrastructure has been constructed between a reader and a server. The process of protocol is depicted as follows:
A section to establish a secure communication channel is as follows:
1. A reader generates a random number Rr, and transmits a ClientHello(contains Rr) which is encrypted using the public key of the server to the database server.
2. A server generates a random number Rs after receiving the random number Rr from the reader. ServerHello(contains Rr and Rs) is encrypted using the reader’s public key, then sends ServerHello to the reader.
3. The Reader checks whether the random number received from server equal to Rr. If true, stores the random number Rs and sends ClientHelloDone to the server. Else it disposes this message and goes to step 1.
4. The server sends ServerHelloDone to the reader when the server receives ClientHelloDone from the reader. In this case, a secure communications channel has been established.
A section of mutual authentication is as follows:
5. The Reader sends a request (contains Rr) to a tag.
6. The tag stores Rr and generates a random number Rt. The tag sends Ek(Rt), Ek(ID) to the reader.
7. The reader encrypts Ek(ID)⊕Rs, Ek(Rt), Rs using public key of server and sends them to the server.
8. The server checks whether the random number received from reader equals to Rs. If false, the protocol is terminated, else the server gets Ek(ID) by computing Ek(ID)⊕Rs⊕Rs. The real ID is gotten by decryption function Dk(Ek(ID)). The server searches ID in the database. If it is found, authentication process is successful. The server sends Info(ID) encrypted using the public key of the reader to the reader. If it fails, decrypt Ek(ID) using the last successful authenticated key. If ID is found, the authentication process is successful. The server sends info(ID) encrypted using public key of the reader to the reader and goes to step 9. Else the protocol is terminated.
Figure 1 . Authentication Process
A section of ownership transfer is as follows:
9. The server gets the public key K1 of new group owner. The server sends Ek(ID⊕Rt), Rt⊕K1, Ek(Rt)and Rr encrypted using the public key of the reader to the reader. Then updates the public key of owner to K1 and stores K as the last successful authentication key.
10. The reader checks whether the Rr is equal to the random number the reader stored. If them equal, goes to the next step, else terminate the protocol.
11. The Reader sends Ek(ID⊕Rt), Ek(Rt)⊕Rr and Rt⊕K1 to the tag.
12. The tag gets Rr by computing Ek(Rt)⊕Rr⊕Ek(Rt) and checks whether Rr equals to the random number the tag stored. If not equal, terminates the protocol. Else the reader is authenticated.
13. The tag checks whether Ek(ID⊕Rt) equals to what it stored. If true, goes to the next step, else terminates the protocol.
14. The tag gets the public key K1 of new group owner by computing Rt⊕K1⊕Rt, and then replaces K with K1. The process of group owner transfer is finished.
Figure 2 . Ownership Transfer Process
Figure 1 shows the process of mutual authentication. Figure 2 shows the process of group ownership transfer. This protocol can help resist the attack mentioned above. This protocol can adapt the capability of tag computation. If tag has strong computing capability, it can adopt hash or PKI Infrastructure. If tag has weak computing capability, it can adopt xor instead of Ek(), but the premise is public key large enough.
4 Analyzing Protocol with BAN Logic
Whether this protocol can achieve the security goal to expect can be proved by formal methods. BAN logic is a well-known authentication logic. Protocol security can be verified by BAN logic to decide whether a protocol can reach expected target and some flaws can thus be found. Syntax and Semantics of BAN logic is shown as follows [8]:
P|≡X : P trusts the message X is true , P believes X .
PX : P received a message contains X , P sees X .
P|~X : P has transmitted a message contains X . P said X .
P|⇒X : P controls X
#(X) : X is fresh . X has not been transmitted in any message before.
PQ : P and Q communicate to each other with the shared key K . No one discovered K except P , Q or a third party trusted by P or Q .
{X}K: It means that X is encrypted under K.
Rules of BAN Logic
message-meaning rule
Rule 1 : P|≡PQ , P{X}K ┣ P|≡Q|~X
nonce-verification rule
Rule 2 : P|≡#{X} , P|≡Q|~X ┣ P|≡Q|≡X
jurisdiction rule
Rule 3 : P|≡Q|X , P|≡Q|≡X ┣ P|≡X
seeing rules
Rule 4 : p(X,Y) ┣ PX
Rule 5 : PK ┣PX
Rule 6 : P|≡PQ , P{X}K ┣ PX
freshness rule
Rule 7 : P|≡#{X} ┣ P|≡#{X,Y}
belief rules
Rule 8 : P|≡X ,P|≡Y ┣ P|≡(X,Y)
Rule 9 : P|≡(X,Y) ┣ P|≡X
Rule 10 : P|≡Q|≡(X,Y) ┣ P|≡Q|≡X
Rule 11 : P|≡Q|~(X,Y) ┣ P|≡Q|~X
Assume A represents a tag, B represents a reader, and S represents a database server. KBS represents the shared key between B and S. The initial assumptions are as follows:
B|≡B S (1)
S|≡B S (2)
A|≡AS (3)
S|≡AS (4)
A|≡S|⇒AS (5)
A|≡#(Rt) (6)
B|≡#(Info(ID)) (7)
B|≡S|⇒Info(ID) (8)
A|≡S|⇒K1 (9)
The idealization of the RFID protocol is listed as follows:
B→S :
S→B :
B→A : Rr
A→B:
B→S :
S→B :
S→B :
B→A : , Rr
According to BAN Logic, the interpretation of the RFID protocol is as follows:
S (10)
B (11)
A (12)
B (13)
S (14)
B (15)
B (16)
A, Rr (17)
The goals expected to achieve:
B|≡Info(ID), A|≡SA
Under the Rule 1, formula(15) and the assumption(1) is to obtain the following:
B|≡S|~Info(ID) (18)
Under the Rule 2, formula(18) and the assumption(7) is to obtain the following:
B|≡S|≡Info(ID) (19)
Under the Rule 3, formula(19) and the assumption(8) is to obtain the following:
B|≡Info(ID)
So the goal of B|≡Info(ID) has been proved.
Under the message-meaning rule, formula(17) and the assumption (3) is to obtain the following:
A|≡S|~ (20)
Under the Rule 5 and assumption(6) is to obtain the following :
A|≡# (21)
Under the Rule 2, formula(20) and (21) is to obtain the following:
A|≡S|≡ (22)
Under the Rule 9 and formula(22) is to obtain the following :
A|≡S|≡ (23)
Under the jurisdiction rule, formula(23) and assumption(9) is to obtain the following:
A|≡SA
From the initial assumption, the goals are deduced by applying logic rules. By analyzing the RFID protocol with BAN Logic, it can verify that the RFID protocol is secure and flawless.
The protocol security of above issues is analyzed as follows:
This paper adopts random numbers to make sure that every round of communication is fresh. The random numbers are produced every round to prevent the replay attack. The message transmitted in the channel is cipher text so that attacker cannot figure out the original message. If an attacker forge a tag to involve the process of exchanged information, the database server can detect the identification does not exists in database, which will deny its next operations. When de-synchronization happens, the database server can identify the tag by using old owner’s secret key. Then the database server sends the new secret key once again to recover it. This protocol transfers ownership by one-step operation. If this operation success, the old owner cannot access the tag because it does not know the new secret key; otherwise, the tag cannot identify the new owner, it will deny its access. By the way, it can resist windowing problems.
5 Conclusions
This paper proposes a RFID protocol, which can be implemented in either high-cost tags or low-cost tags. This protocol’s security has been proved by BAN Logic. In this protocol, three random numbers are involved. How to reduce the random numbers in the protocol and simplify operations is what will be done in the future.
References
1. A. Juels.: Yoking-proofs for RFID Tags. Second IEEE Annual Conference on Pervasive Computing and Communications Workshops, Washington DC, USA, 2004, PP. 138-142.
2. K. Osaka, T. Takagi, K. Yamazaki and O. Takahash.: An Efficient and Secure RFID Method with Ownership Transfer. Computational Intelligence and Security, vol. 2, 2006, pp. 1090-1095.
3. Jappinen, P. Hamalainen, H.: Enhanced RFID Security Method with Ownership Transfer. Proceedings of the International Conference on Computational Intelligence and Security. (2008) PP 382-385
4. H. Lei and T. Cao.: RFID Protocol enabling Ownership Transfer to protect against Tractability and Dos attacks. The First International Symposium on Data, Privacy and E-Commerce, 2007(ISDPE 2007). 1-3 Nov. 2007, pp. 508-510.
5. S.Tripathy and S. Nandi.: Robust Mutual Authentication for Low cost RFID Systems. 2006 IEEE International Conference on Industrial Informatics, Aug, 2006, pp, 949-954
6. L. Kulseng.: Lightweight mutual authentication, owner transfer, and secure search protocols for RFID systems. Master of Science thesis, Electrical & Computer Engineering Department, Iowa State University, 2009.
7. T. Dimitrious.: RFIDDOT:RFID delegation and ownership transfer made simple. in Proc.International Conference onComputational Intelligence and Security,2008,PP. 382-385.
8. Kernal Bicakci , Nazife Baykal.: One-Time Passwords:Security Analysis Using BAN Logic and Integrating with Smartcard Authentication[J]. Lecture Notes in Computer Science, 2003:794-801.