Hash-based Authentication Protocol for RFID Applicable to Desynchronization between the Server and Tag with efficient searching method

서버와 태그 비동기시에도 효율적으로 검색이 가능한 해시기반 RFID 인증 프로토콜

Abstract

The RFID system provides undeniable advantages so that it is used for various application. However recent RFID system is vulnerable to some attacks as eavesdropping, replay attack, message hijacking, and tag tampering, because the messages are transmitted through the wireless channel and the tags are cheap. Above attacks cause the tag and reader impersonation, denial of service by invalidating tag, and the location tracking concerning bearer of tags, A lot of RFID authentication protocol bas been proposed to solve the vulnerability. Since Weis, Sanna, Rivest, and Engel, proposed the bash-based RFID authentication protocol, many researchers have improved hash-based authentication protocol and recent bash-based authentication protocols provide security and desirable privacy. However, it remains open problem to reduce the tag identification time as long as privacy and security are still guaranteed. Here we propose a new protocol in which the tags generate the message depending on the state of previous communitions between tag and reader. In consequence, our protocol allows a server to identify a tag in a reasonable amount of time while ensuring security and privacy, To be specific, we reduced the time for the server to identify a tag when the last session finished abnormally by at least 50% compared with other bash-based schemes that ensure levels of security and privacy similar to ours.

RFID 시스템은 여러 장점을 가지며 다양한 곳에서 이용되고 있다. 그러나 현재의 RFID 시스템은 무선통신과 저가 태그의 사용으로 인해 도청, 재전송 공격, 메시지 탈취, 태그에 대한 물리적 공격에 취약하다. 이런 공격들은 태그와 리더 사칭, 태그 무능화를 통한 서비스 거부공격, 태그 소지자의 위치 추적등을 유발한다. 이런 취약점을 해결하기 위해 다수의 RFID 인증 프로토콜이 제안되었다. 특히 Weis, Sarma, Rivest, Engels이 해시 기반 RFID 인증 프로토콜을 제안한 이래로, 많은 해시 기반 RFID 인증 프로토콜이 제안되었고 최근의 해시 기반 프로토콜은 보안성과 만족할 만한 수준의 프라이버시를 제공한다. 그러나 보안성과 만족할 만한 수준의 프라이버시를 제공하는 동시에 서버에서의 태그 인식 시간을 줄이는 것은 여전히 풀리지 않는 문제다. 이에 우리는 태그가 이전 통신 상태에 따라 응답 메시지를 생성하는 프로토콜을 제안한다. 그 결과 보안성과 프라이버시를 보장하는 동시에 서버에서 합리적인 시간안에 태그를 인식할 수 있다. 구체적으로 제안하는 프로토콜은 세션키와 롱텀 고정키를 모두 사용해서 이전 세션이 비정상 종료 된 경우에 비슷한 수준의 안전성을 제공하는 기존의 연구결과에 비해 태그 인식시간이 50%로 절감한 효과를 제공한다.

Ⅰ. Introduction

The radio frequency identification (RFID) system identifies a tagged item through a wireless channel. Currently, it is used for various purposes and provides advantages in various applications, including supply chain management, access control systems, library systems, inventory control, and identification and tracking of livestock and pets〔1〕-〔3〕. Thus, RFID technology is ex­ pected to play an important role in a ubiq­ uitous environment. Therefore, tagged items will become widely used in the near future.

However, like other telecommunication systems, the RFID system has security problems. For example, it is open to im­ personation and denial of service (DoS) 〔4〕-〔6〕. Moreover, several RFID systems are not privacy-friendly because some tags emit their naive, unique identifier which might represent the character of the items, although the bearer of the tag may not be aware of the lack of privacy. Thus, an ad­ versary who eavesdrops on communications between tags and readers can learn what the tag holder owns and where he stayed which is- an invasion of privacy ⑸-〔7〕.

In order for the system to guarantee se­ curity and privacy against adversarial threats, numerous schemes have been proposed. The schemes are based on the public key cryptosystem, the symmetric key cryptosystem, the hash operation, or the bit operation [8], In this paper, we focus on authentication schemes based on the hash operation, rather than other operations. Though Weis et al. introduced a hash func­ tion in RFID authentication, their s사leme cannot ensure both security and privacy. However, their proposal has inspired many researchers to study methods that guaran­ tee security and privacy using a hash function.

Among the various hash-based schemes, hash chain protocol〔7〕has inspired studies of the RFID server scalability because of its poor scalabilty; the server identifies a tag after executing the hash operation ni times, where n and i are the number of tags and the number of renewed IDs, respectively (the next section provides more details). As a result, the protocol which seemed effi­ cient as well as secure and private was pro­ posed in 2006 ⑹.In that protocol, a server can usually identify a tag by hashing three times. However, a server must operate the hash function n+3 times on average to iden­ tify a tag if the last session is incomplete. Thus, we study the threats to an RFID system and the RFID protocol requirements in detail. We review the RFID hash-based authentication protocols to achieve se­ curity, privacy, and efficiency in section II. Next, analyses of existing protocols are presented. Then, we propose our new effi­ cient protocol, which is secure and private, in Section III. Finally, we present our con­ clusions after analyzing the security, pri­ vacy, and performance of our protocol.

Ⅱ. The requirements for RFID system

To identify a tag successfully, an RFID system must meet some requirements. These requirements protect the RFID sys­ tem from adversaries so that the server can identify a tag smoothly. Here, the adver­ sary is characterized by his goals of and his tools for attack〔3〕. An adversary attacks in order to achieve his attack goal using his tools for attack. In this section, we study the requirements for an RFID system to successfully fend off an adversary. Then, we investigate the existing hash-based au­ thentication protocols to determine whether or not they meet the requirements.

2.1 Requirements of RFID protocal

The requirements for an RFID system have been presented and the general con­ sensus is that the RFID protocol must ach­ ieve security, privacy, and efficiency〔3〕, 〔6〕, 〔7〕, 〔9〕. The details of each require­ ments are presented below.

2.1.1 Security

An RFID system is secure if it perfectly frustrates the goals of an adversary, such as impersonating a tag and DoS. An adver­ sary whose goal is tag impersonation may carry out attacks, including eavesdropping, message hijacking, replay attack. Since the tag communicates with the reader over the wireless channel, above attacks are rela­ tively easy. Tag responds automatically when reader asks a query to identify a tag. If tag responds with a its naive identifier, an adversary can obtain information about tag through eavesdropping. It causes an in­ vasion of privacy and other attacks includ­ ing replay attack against security. An ad­ versary sends eavesdropped message to a reader (respectively, a tag), then an adver­ sary can impersonate a tag(respecti'vely, a reader). Above attacks threaten the se­ curity of RFID system, Hence we design a secure RFID protocol, with an emphasis on preventing above attacks. However we do not treat the interleaving attacks as an ad- verserial tool for impersonating a tag. An adversary who use interleaving attacks in order to impersonate a legal entity takes part in the current session, and he uses the combined messages obtained from commu­ nicating with the legal tag and reader si­ multaneously 〔4〕. Furthermore, in this pa­ per we exclude attacks that send excessive queries to a tag and server in order to cause DoS.

2.1.2 Privacy

Because the tags are attached to personal items that represent the individuality of the tag holder, noting information about the tag is the same as recognizing the pri­ vate information of tag holder, which may be a severe invasion of privacy. An RFID system guarantees privacy if the system completely thwarts the adversarial goal of obtaining personal information about a tag holder. At this point, personal information is defined as the information about the be­ longings of the tag holder and where the tag holder has stayed. When the former is revealed, the item privacy is infringed (or simply information leakage is happened). Moreover, location privacy is invaded if the latter is revealed. There are two types of location privacy, anonymity and forward privacy, according to the adversary's ability to corrupt the tag. If an attacker cannot trace the previous location of a tag holder when he does not corrupt the tag, then the system ensures anonymity. If he cannot trace the previous location even though the tag is compromised, the system ensures for­ ward privacy.

2.1.3 Efficiency

If the server's process for identification of certain protocol has a high time complexity, the protocol is unlikely to be acceptable for a real system, even if the protocol ensures strong security and privacy. Thus, an RFID protocol must also be efficient. In partic­ ular, hashbased RFID protocols in which tags emit a fresh message every session have trouble identifying a tag when the previous session between that tag and the server ends abnormally, i.e., when the com­ munication message was lost. To increase efficiency, some methods have been pro­ posed- utilizing distributed servers or adopting a group ID [4], 〔10〕-〔14〕. The for­ mer, delegation, can cause serious privacy infringement when any one distributed server is compromised. Molnar et al. repre­ sented delegation as too coarse-grained to def원at such a problem〔15〕. The latter de­ creases th젼 server workload, but it is not a fundamental solution: rather, it is an assis­ tant solution that can be applied to any protocol.

2.2 Review of existing protocols

As cited Subsection 2.2., it is undesirable for a tag to emit its naive ID in response to a reader query because it allows someone who has an RFID reader to easily obtain private information regarding the tag bear­ er, i.e., th른 tag holders list of possessions and location information. Additionally, for­ warding a naive ID can allow impersonation of a legal tag.

To solve these problems, Weis et al. pro~ p쟝s@d hash-locking and randomized ha웜 kx±ing schemes [1J. In 난le former, the tag responds to a query with h(ID), where h is a hash function, while in the latter, the tag responds to a query with h(ID^r). However, this does not completely sol룔응 the problem because the tag sends its ID through an in- s양cure channel in the last flow.

The identification protocol called hash chain protocol(OSK) was proposed by Ohkubo, Suzuki, and Kinoshita〔7〕, In this scheme, a tag updates its ID every session using the hash function h, while the server does not. The tag transmits g(lD) where g is a different hash function. As a result, this protocol can ensure forward privacy, as well as item privacy and indistinguishability. However, it has trouble with security and scalability. Beca니s연 the server does not re­ new each tag ID and the reader do연$ not generate a random number, the adversary can easily impersonate a tag by r은sending a g(lD) that was used once before. Moreover the server can identify a tag after perform­ ing hash function ni times on average, who】'숀 n is the number of tags and i is the number of tag ID reii샨wals. This caus운s server overload. The server for this protocol cannot identify a tag in a reasonable amount of time in a real RFID system.

The mutual authentication protocol, which is more scalable than OSK, was pro­ posed by Henrici and Muller [16]. Unlike OSK, in this protocol (HM), the server also updates tags ID so that it only requii■쟌s three hashes to authenticate a t윥g. Howev­ er, an adversary can still impersonate a tag. This impersonation results from the fact that the reader does not generate ran­ dom number. An attack may proceed as fol­ lows: the adversary blocks the servers au­ thentication message and collects the tag responses; then, he forwards the collected message whenever the reader sends a query; thus, h야 impersonates a genuine, , tag. Moreover, this protocol cannot guaran^ tee anonymity and cannot defend the sys… tem against DoS. An adversary can hijack the servers legal message {r, and he alters it into {0, 加0㊉园㊉丑力}. Because is exactly the same as K(斓㊉Z끼, he cans alter the message. Then the tag updates the ID and ZST(last success­ ful transaction, number) while the server does not. Because the tag updates the 1ST, the server will never authenticate the tag. Therefore, the tag will never renew its ID. As a result, the adversary can cause DoS and identify that tag because it always emits same h(lD) (3).

Lee et al. proposed an authentication protocol(LHLL) that educed t, h얀 length of transmitted m좐stages and the number of calculation of both tag and server (17). By using the extraction function, lengths of authentication messages of both the tag and server can be reduced by half. In de­ tail, both the tag and server generate au­ thentication messages. The tag sends the left half of its message using the extraction function. After receiving the tags message, the server verifies it. If the message is cor­ rect, the server forwards sends the right half of the already computed message with­ out additional computation. Thus, they not only reduce the length of message but also the number of calculations. However, they still cannot solve the location tra시dng problem because the tag always emits the identifier hash value, even if the tag it was not updated.

[Figure 1) HHMB⑹

[Figure 2] The proposed protocol

Ha et al. proposed an authentication pro~ tocol(HHMB) in which the ta 홈 generates a message according to the state of the pre­ vious session 〔6〕. The tag generates mes- s규ge 'by just hashing ID, if tag updated its id normally in last session as shown in the (Figure 1], Otherwise, tag generates mes­ sage using not ID but also random number t. In spite of tag generates according to the state of previous session, their protocol can not assure anonymity wh 얀 n adversary blocked the previous message〔9〕. After ad­ versary intercepted the previous message of either tag 엲r server, the adversary receives th댱 random number r from reader by im­ personating a tag. Then he sends th양 r to tag and receives the respond, h(imt) and left half of h(ID\\t\\r). He forwards the mes­ sage to legal reader after exchanging &(丑게t) for h(lD). Provided that he is authenticated, he can link the tag. Furthermore, this pro­ tocol has trouble with scalability; the serv­ er is able to search the tag after hashing n+3 times on average, when the previous session finishes abnormally. Here, w얀 pres­ ent a novel mutual authentication protocol. W얀 focus on reducing the search time as well as enhancing security and privacy.

Ⅲ. Prpposed protocol

Before describing our protocol in detail, we will provide some assumptions and notations. Generally, an RFID system is composed of three entities: the server, the readers, and the t芯gs. The communication channel between th슨 server and reader is wired so that this channel is often consid­ ered to be secure. Thus, we consider these two entities as one unit, system.

In our protocol, every tag keeps two se­ cret keys: an Z-bit session key 4 and long-term key 知. M야r연ov®r, 얀ach tag has a one-bit counter value c, that is, c is 由나)er 0 or 1. Each tag can generate //2-bit random number, denoted as t. It also can carry out the hash function h: 2*7 ’ and the extraction function z(resp. 7?): 2m-^2m/2 such that ex­ tracts the left(resp. right) half of the input. Each reader can generate the /-bit random number, denoted as r.

We assume that the n tags are enrolled in a server. The server has a list of J繪 and the information for each tag. H repre­ sents the hash value of k1; and 电 is exactly the same for that tag. However, 虹 of server is not always the same as the tag's Th둔 server's equals to kx of tag when the last session finished normally so that both tag and server updated 咼 or when th연 tag mes­ sage was lost in the last session and nei­ ther the server nor the tag renewed their " However, the kY vahi슨s differ when the server message was lost in the last session. In this case, the tag's session key kr is same to k\ of server. This discordance re­ sults from the fact that the server renewed the session key 也 before the tag does.

Now, we introduce our mutual authenti­ cation protocol.

1. The reader broadcasts a Query with its I -bit random number r to th순 tag.

2. After receiving the Query, th슨 tag gen- er챥tes an l/2-bit random number t and a message m according to the counter c.

a. If c=^o, then the tag computes m as 律네 m?, where ml is WQ and m2 is that is, m2 is the left half of h(r\\ 小姻).

b. Else, the tag generates m as ma|| mb lit, where ma and mb are, respectively, £(睛시im)), 一乙統(幻iag)).

After sending m, 나! 쟌 tag sets its coun­ ter value c as 1.

3. The reader forwards the message trans­ mitted from the tag with r.

4. After receiving a message from the reader, the server has to find an ap­ propriate quadruplet (H kv krv fc2) in the list.

, It finds a quadruplet such that H equals to two-thirds of m.

a. If there is such a quadruplet, it generates a verification message v^h(r 11^ II fc2) and confirms whether or not L(v) equals the rightmost one-third of m, m2 —^(/z(r||fc1j|fc2)). Provided that the two values are same, server renews k\ as 幻.

b. Else, the server computes L(h(k2\\t\\r))) for each k2 and compares it with one-third of the received message, ma, until it matches. If there exists a quadruplet containing such k2, the server must determine which value between kx and k\ equals to 幻 of tag. The details are described below.

i . Let v be h(灯 II t II質). If 나le midmost one-third bits of m, known as mb, are the same as the left half of v, L(v), then the second message m was intercepted in the last ses­ sion: thus, the server and tag did not update their 北「As a result, 灯 of both the tag and server are the same. In this case, the server re­ news k\ as "

ii. Otherwise, the server switches v to II t II r). If the midmost one-third bits of m equals to L(v), then it implies that the final mes­ sage R(v) in the previous session was lost; thus, the tag did not up­ date its 幻 while server did. In this case, the tag's secret /可 is same to the previous secret k\ of server; therefore, the server does not up­ date k\, unlike in the above case.

iii. Provided that neither 幻 nor k\ matches the 灯 of tag, the server repeats searching the appropriate row.

- The server finishes the session if it cannot find a quadruplet in the list that meets the criteria. Otherwise, it sends reader and updates kr as /i(fc\ II r) and H as 从灯、).

5. The reader forwards R{v).

6. After receiving 腿), the tag confirms its correctness. If R(&) is correct, the tag also renews 禹 and sets the counter value c to 0.

Ⅳ. Analysis

Depending on Subsection 2.1, we will an­ alyze the security and privacy informally. The notations used in this section are the same as those used in Section HI. Without loss of generality, we assume that both the reader and tag generate the same random numbers in a row with negligible proba­ bility, and 2~l/, 2 is negligible.

4.1 Security analysis

4.1.1 Denial of services

As cited in Subsection 2.1, we do not treat DoS caused by excessive queries. Because our protocol uses changeable key the servers key may not match that of the tag. In this section, we treat DoS resulting from this discordance between the server and tag keys. This discordance results from the in­ terception of a transmitted message and im­ personating a legal reader. We show that our protocol prevents the system from giving a DoS caused by differences in 幻.

4.1.1.1 By message interception

One way to accomplish DoS is for the op­ ponent to intercept the messages trans­ mitted through the wireless channel. For protocols that employ a static state, this attack is futile. However, in a protocol that uses changeable tag states, message inter­ ception may be fatal because message inter­ ception causes desynchronization 샤f the state between the server and tag. However, our protocol can resist message inter­ ception, even though it uses a variable se­ cret key, fcj.

If we assume that the tag's message m is intercepted, the secret key kx of the server and tag are still same. Moreover, the tag will send a message in the next session us­ ing the static secret key k2, and 舄 that equals that of the server. Thus, server will be able to identify tag normally. Provided that the server message v is intercepted. Then, the server updates " while the tag d眼s not. As a r部냕It, the 咼 of server and 府 of tag are not equal. How션ver, the server will be still able to authenticate the tag at the next session because the server keeps the tags 如 as k\.

4.1.1.2 By reader interception

In our protocol, impersonating a reader is not a goal in itself but is just a tool for causing a s연wet key mismatch that result in DoS. Spoofing a legal reader enables the adversary to renew the only tags secret ar­ bitrarily so that the tag will be never auth션日ticated. In order to imitate a lag사 1 reader, he must create a valid message v, either R(h(r\\Jci ||A:2)) or 成龙(幻 II 세『)), without knowing k\. The probability of generating coit슨et v without the information concern­ ing 鮭 is at most 打”七 which is negligible.

4.1.2 Tag impersonation

If someone pretends to hold a legal tag, he must generate a valid m. Namely, he must compute correct 从”1)||£(丸*||(炳시)) or £(九(시出|厂))||以互(用|비广)) when he knows the r and t with no information on 也 and 歸 We assume that the adversary has collected the tag message. In this situation, he can be identified as a legitimate tag if a reader sends him a random number r which is the same to that used in last session. We al­ ready assume that the reader creates the sam으 random number in succession with negligible probability. Thus, he is only suc­ cessful with negligible probability. If he does not wait for the same random number of reader, he must cr쟌ate m randomly. In this case, th얀 probability that he pretends to have a legal tag is at most 戒「'L The probability of assuming a specific tag is at most Tl. Because both probabilities are in­ significant, we assert that our protocol is secure against tag impersonation.

4.2 Privacy analysis

4.2.1 Information leakage

If we assume that a갸 adversary wants to know what a tag holder possesses, he eavesdrops on the communication between the tag and reader. In our protocol, tags emit the hashed value of a mixture of ran­ dom bits and the secret key of itself. Thus, it is difficult for the adversary to know who holds what, if he just collects the tag response. Furthermore, tags do not save their identifier, i.e., they keep two secrets that are independent of its identifier. Moreover, the tag information is only com­ municated through a secure channel be­ tween the server and reader.

4.2.2 Location privacy

4.2.2.1 Anonymity

Because each tag generates a message by hashing its secrets and random numbers every session, the adversary cannot tell whether or n랺t the messages are generated by the same tag. Though two messages are generated by the same tag, they are gen- erat얀d in a completely different way accord­ ing to the counter value c and random numbers r, t. Thus, an attack that invades the anonymity the previously proposed pro­ tocol ⑹ cannot invade the anonymity of our model.

4.2.2.2 Forward privacy

Our protocol provides restrictive forward privacy. Generally, the protocols in which the tags employ a static identifier cannot provide location privacy if the attacker compromises the tag. Because our protocol uses a static identifier, our protocol cannot provide forward privacy perfectly. That is, the attacker who compromised a certain tag and holds the entire transcript of previous communication can grasp th얀 previous loca­ tion information about the tag whenever the tag g순眼rat% message using static key k2. However the tags in our protocol employ not only static key k2, but also variable key 也. So the attack픈!' cann쟝t trace the 이tag seamles 이 y,

4.3 Performance analysis

In o니r protocol tag authentication phase is composed of three steps; the identi­ fication step, the verification step, and the key renewal step. If the previous session ^nded completely, the server can identify a tag with no hash function. And the server verifies the tag identity with just one hash operation, and it performs hash operation twice for renewing the and H. Thus the server has to perform hash operation three times during the tag authentication phase usually. This is not too impressive because previous research [6], (16) has obtained the same result. However our protocol is supe­ rior when the previous session finished ab­ normally, that is, the communication be­ tween th양 entities was blocked. In this case, th얀 server executes the hash function n/2+4 times on average, where n is the number of tags contained in the server. As represented by (Table 1〕, this value is the half of HHMB.

(Table 1) A comparison of the five protocols

* I is the length of ID. n is the number of tags, i is the number of tag ID renewals

Ⅴ. Conclusion

It is 양xpected that RFID systems will be widely used in the near future. Thus, it is important to ensure that the system pre­ serves security, privacy, and scalability. Here, we used two secret keys, 灯 and 灼, for each tag: only k± is renewed each session, whereas k2 is static. The server also keeps 幻, 电, and fe/s previous key k\ in order to recover from a desynchronization caused by loss of message if 宣얀cessary. Thus, 。갽芸 pro­ tocol is secure against attacks to incite ir­ recoverable mismatch between tag and server keys.

Both the tag and reader generate mes­ sages using the secret keys and a newly picked random number: thus, the message changes irregularly every session, even though the tag does not update th얀 secret key. Therefore, an adversary cannot im- p잔rsonate both the tag and reader. In addi­ tion, he cannot violate tag anonymity. Unfortunately, our protocol provides limited forward privacy because of the static key 頌. 

Moreover, we reduced the server work­ load by 50% when the previous communica­ tion finishes abnormally because we em­ ployed both variable and static s샨crets rather than one variable secret. As a r웡suit, our protocol ensures security against im­ personation, a decrease in DoS, and tag holder privacy. Furthermore, the server can identify the tag in a reasonable amount of time, even if the messages from the pre­ vious session were lost.