Ⅰ. Introduction
The radio frequency identification (RFID) system identifies a tagged item through a wireless channel. It is currently used for various purposes and provides advantages in many applications, including supply chain management, access control systems, library systems, inventory control, and the identification and tracking of livestock and pets [1]-[3]. Thus, RFID technology is expected to play an important role in a ubiquitous environment, and tagged items will become widely used in the near future.
However, like other telecommunication systems, the RFID system has security problems. For example, it is open to impersonation and denial of service (DoS) [4]-[6]. Moreover, several RFID systems are not privacy-friendly because some tags emit their naive, unique identifier, which may reveal the nature of the item, even though the bearer of the tag may not be aware of the lack of privacy. Thus, an adversary who eavesdrops on communications between tags and readers can learn what the tag holder owns and where he has stayed, which is an invasion of privacy [5]-[7].
In order for the system to guarantee security and privacy against adversarial threats, numerous schemes have been proposed. They are based on the public key cryptosystem, the symmetric key cryptosystem, the hash operation, or the bit operation [8]. In this paper, we focus on authentication schemes based on the hash operation rather than on the other operations. Though Weis et al. introduced a hash function into RFID authentication, their scheme cannot ensure both security and privacy. However, their proposal has inspired many researchers to study methods that guarantee security and privacy using a hash function.
Among the various hash-based schemes, the hash chain protocol [7] has inspired studies of RFID server scalability because of its poor scalability: the server identifies a tag after executing the hash operation ni times, where n and i are the number of tags and the number of renewed IDs, respectively (the next section provides more details). As a result, a protocol that seemed efficient as well as secure and private was proposed in 2006 [6]. In that protocol, a server can usually identify a tag by hashing three times. However, the server must compute the hash function n+3 times on average to identify a tag if the last session was incomplete. Thus, we study the threats to an RFID system and the requirements for an RFID protocol in detail. In Section II we review the hash-based RFID authentication protocols with respect to security, privacy, and efficiency, and then analyze the existing protocols. In Section III we propose our new efficient protocol, which is secure and private. Finally, we present our conclusions after analyzing the security, privacy, and performance of our protocol.
Ⅱ. Requirements for an RFID system
To identify a tag successfully, an RFID system must meet some requirements. These requirements protect the RFID system from adversaries so that the server can identify a tag smoothly. Here, an adversary is characterized by his attack goals and his attack tools [3]: he attacks in order to achieve his goal using his tools. In this section, we study the requirements an RFID system must meet to fend off an adversary. Then, we investigate the existing hash-based authentication protocols to determine whether or not they meet the requirements.
2.1 Requirements of an RFID protocol
The requirements for an RFID system have been presented before, and the general consensus is that an RFID protocol must achieve security, privacy, and efficiency [3], [6], [7], [9]. The details of each requirement are presented below.
2.1.1 Security
An RFID system is secure if it completely frustrates the goals of an adversary, such as impersonating a tag and DoS. An adversary whose goal is tag impersonation may carry out attacks including eavesdropping, message hijacking, and replay. Since the tag communicates with the reader over a wireless channel, these attacks are relatively easy. A tag responds automatically when a reader sends a query to identify it. If the tag responds with its naive identifier, an adversary can obtain information about the tag through eavesdropping. This causes an invasion of privacy and enables further attacks on security, including replay: an adversary who sends an eavesdropped message to a reader (respectively, a tag) can impersonate a tag (respectively, a reader). These attacks threaten the security of the RFID system; hence we design a secure RFID protocol with an emphasis on preventing them. However, we do not treat interleaving attacks as an adversarial tool for impersonating a tag. An adversary who uses interleaving attacks to impersonate a legal entity takes part in the current session and uses the combined messages obtained by communicating with the legal tag and reader simultaneously [4]. Furthermore, in this paper we exclude attacks that send excessive queries to a tag or server in order to cause DoS.
2.1.2 Privacy
Because tags are attached to personal items that represent the individuality of the tag holder, learning information about a tag amounts to learning private information about the tag holder, which may be a severe invasion of privacy. An RFID system guarantees privacy if it completely thwarts the adversarial goal of obtaining personal information about a tag holder. Here, personal information is defined as information about the belongings of the tag holder and about where the tag holder has stayed. When the former is revealed, item privacy is infringed (or, simply, information leakage occurs). Location privacy is invaded if the latter is revealed. There are two types of location privacy, anonymity and forward privacy, distinguished by the adversary's ability to corrupt the tag. If an attacker who does not corrupt the tag cannot trace the previous locations of the tag holder, the system ensures anonymity. If he cannot trace the previous locations even though the tag is compromised, the system ensures forward privacy.
2.1.3 Efficiency
If the server's identification process for a certain protocol has a high time complexity, the protocol is unlikely to be acceptable for a real system, even if it ensures strong security and privacy. Thus, an RFID protocol must also be efficient. In particular, hash-based RFID protocols in which tags emit a fresh message every session have trouble identifying a tag when the previous session between that tag and the server ended abnormally, i.e., when a communication message was lost. To increase efficiency, some methods have been proposed that utilize distributed servers or adopt a group ID [4], [10]-[14]. The former, delegation, can cause serious privacy infringement when any one distributed server is compromised; Molnar et al. described delegation as too coarse-grained to defeat such a problem [15]. The latter decreases the server workload, but it is not a fundamental solution; rather, it is an auxiliary solution that can be applied to any protocol.
2.2 Review of existing protocols
As noted in Subsection 2.1, it is undesirable for a tag to emit its naive ID in response to a reader query because it allows anyone who has an RFID reader to easily obtain private information regarding the tag bearer, i.e., the tag holder's list of possessions and location information. Additionally, forwarding a naive ID can allow impersonation of a legal tag.
To solve these problems, Weis et al. proposed the hash-locking and randomized hash-locking schemes [1]. In the former, the tag responds to a query with h(ID), where h is a hash function, while in the latter, the tag responds to a query with h(ID||r). However, this does not completely solve the problem because the tag sends its ID through an insecure channel in the last flow.
The identification protocol called the hash chain protocol (OSK) was proposed by Ohkubo, Suzuki, and Kinoshita [7]. In this scheme, a tag updates its ID every session using the hash function h, while the server does not. The tag transmits g(ID), where g is a different hash function. As a result, this protocol can ensure forward privacy, as well as item privacy and indistinguishability. However, it has trouble with security and scalability. Because the server does not renew each tag ID and the reader does not generate a random number, an adversary can easily impersonate a tag by resending a g(ID) that was used once before. Moreover, the server can identify a tag only after performing the hash function ni times on average, where n is the number of tags and i is the number of tag ID renewals. This causes server overload: the server for this protocol cannot identify a tag in a reasonable amount of time in a real RFID system.
The mutual authentication protocol proposed by Henrici and Müller [16] is more scalable than OSK. Unlike OSK, in this protocol (HM) the server also updates the tag's ID, so that it only requires three hashes to authenticate a tag. However, an adversary can still impersonate a tag. This impersonation results from the fact that the reader does not generate a random number. An attack may proceed as follows: the adversary blocks the server's authentication message and collects the tag's responses; then, he forwards the collected message whenever the reader sends a query; thus, he impersonates a genuine tag. Moreover, this protocol cannot guarantee anonymity and cannot defend the system against DoS. An adversary can hijack the server's legal message {r, h(r ⊕ TID ⊕ ID)} and alter it into {0, h(0 ⊕ TID ⊕ ID)}. Because h(0 ⊕ TID ⊕ ID) is exactly the same as h(TID ⊕ ID), which the tag itself transmits, he can alter the message. Then the tag updates its ID and LST (last successful transaction number) while the server does not. Because the tag has updated its LST, the server will never authenticate the tag again, so the tag will never renew its ID. As a result, the adversary can cause DoS and identify that tag because it always emits the same h(ID) [3].
Lee et al. proposed an authentication protocol (LHLL) that reduced the length of the transmitted messages and the number of calculations of both tag and server [17]. By using an extraction function, the lengths of the authentication messages of both tag and server can be halved. In detail, both the tag and the server generate authentication messages. The tag sends the left half of its message using the extraction function. After receiving the tag's message, the server verifies it. If the message is correct, the server sends the right half of the already computed message without additional computation. Thus, they reduce not only the message length but also the number of calculations. However, they still cannot solve the location tracking problem because the tag always emits the same hashed identifier if it was not updated.
[Figure 1] HHMB [6]
[Figure 2] The proposed protocol
Ha et al. proposed an authentication protocol (HHMB) in which the tag generates a message according to the state of the previous session [6]. The tag generates its message by just hashing ID if it updated its ID normally in the last session, as shown in [Figure 1]. Otherwise, the tag generates the message using not only ID but also a random number t. Although the tag generates its message according to the state of the previous session, their protocol cannot assure anonymity when an adversary blocked the previous message [9]. After the adversary has intercepted the previous message of either tag or server, he obtains the random number r from the reader by impersonating a tag. Then he sends that r to the tag and receives the response, h(ID||t) and the left half of h(ID||t||r). He forwards the message to a legal reader after exchanging h(ID||t) for h(ID). Provided that he is authenticated, he can link the tag. Furthermore, this protocol has trouble with scalability: the server is able to find the tag only after hashing n+3 times on average when the previous session finished abnormally. Here, we present a novel mutual authentication protocol. We focus on reducing the search time as well as enhancing security and privacy.
Ⅲ. Proposed protocol
Before describing our protocol in detail, we provide some assumptions and notation. Generally, an RFID system is composed of three entities: the server, the readers, and the tags. The communication channel between the server and reader is wired, so this channel is often considered secure. Thus, we consider these two entities as one unit, the system.
In our protocol, every tag keeps two secret keys: an l-bit session key k1 and a long-term key k2. Moreover, each tag has a one-bit counter value c, that is, c is either 0 or 1. Each tag can generate an l/2-bit random number, denoted t. It can also carry out the hash function h: {0,1}* → {0,1}^l and the extraction function L (resp. R): {0,1}^m → {0,1}^{m/2}, which extracts the left (resp. right) half of its input. Each reader can generate an l-bit random number, denoted r.
We assume that n tags are enrolled in a server. For each tag, the server keeps a quadruplet (H, k1, k1', k2) together with the tag's information. H is the hash value of k1, and k2 is exactly the same as the tag's k2. However, the server's k1 is not always the same as the tag's k1. The server's k1 equals the tag's k1 when the last session finished normally, so that both tag and server updated k1, or when the tag's message was lost in the last session and neither the server nor the tag renewed its k1. However, the k1 values differ when the server's message was lost in the last session; in this case, the tag's session key k1 equals the server's k1'. This discordance results from the fact that the server renews the session key k1 before the tag does.
Now, we introduce our mutual authentication protocol.
1. The reader broadcasts a Query with its l-bit random number r to the tag.
2. After receiving the Query, the tag generates an l/2-bit random number t and a message m according to the counter c.
a. If c = 0, then the tag computes m as m1||m2, where m1 is h(k1) and m2 is the left half of h(r||k1||k2), that is, m2 = L(h(r||k1||k2)).
b. Else, the tag generates m as ma||mb||t, where ma and mb are, respectively, L(h(k2||t||r)) and L(h(k1||t||r)).
After sending m, the tag sets its counter value c to 1.
3. The reader forwards the message transmitted from the tag together with r.
4. After receiving a message from the reader, the server has to find an appropriate quadruplet (H, k1, k1', k2) in the list. It first looks for a quadruplet such that H equals the leftmost two-thirds of m.
a. If there is such a quadruplet, it generates a verification message v = h(r||k1||k2) and confirms whether or not L(v) equals the rightmost one-third of m, i.e., m2 = L(h(r||k1||k2)). Provided that the two values are the same, the server renews k1' as k1.
b. Else, the server computes L(h(k2||t||r)) for each k2 and compares it with the first one-third of the received message, ma, until it matches. If there exists a quadruplet containing such a k2, the server must determine which of k1 and k1' equals the tag's k1. The details are described below.
i. Let v be h(k1||t||r). If the middle one-third of m, known as mb, is the same as the left half of v, L(v), then the second message m was intercepted in the last session; thus, the server and tag did not update their k1. As a result, the k1 of both the tag and server are the same. In this case, the server renews k1' as k1.
ii. Otherwise, the server switches v to h(k1'||t||r). If the middle one-third of m equals L(v), then it implies that the final message R(v) of the previous session was lost; thus, the tag did not update its k1 while the server did. In this case, the tag's secret k1 is the same as the server's previous secret k1'; therefore, the server does not update k1', unlike in the above case.
iii. Provided that neither k1 nor k1' matches the tag's k1, the server keeps searching for the appropriate row.
- The server finishes the session if it cannot find a quadruplet in the list that meets the criteria. Otherwise, it sends R(v) to the reader and updates k1 as h(k1'||r) and H as h(k1).
5. The reader forwards R(v).
6. After receiving R(v), the tag confirms its correctness. If R(v) is correct, the tag also renews k1 and sets the counter value c to 0.
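To make the steps above concrete, the following is an added example written for this page (not the authors' code) that implements the tag and server of Section III in Python, with SHA-256 standing in for h (so l = 256 bits), and runs sessions in which the tag's m or the server's R(v) is lost to show how the server's k1' recovers synchronization. Assumptions not fixed by the text: the tag's own key update is k1 ← h(k1||r), mirroring the server's rule, and || is byte concatenation.

```python
import hashlib
import os

LBYTES = 32   # l = 256 bits: h() outputs l bits, r is l bits, t is l/2 bits

def h(*parts: bytes) -> bytes:
    """h: {0,1}* -> {0,1}^l, modelled with SHA-256 over the concatenation a||b||..."""
    return hashlib.sha256(b"".join(parts)).digest()

def L(x: bytes) -> bytes: return x[: len(x) // 2]   # left half of x
def R(x: bytes) -> bytes: return x[len(x) // 2 :]   # right half of x

class Tag:
    def __init__(self, k1: bytes, k2: bytes):
        self.k1, self.k2, self.c = k1, k2, 0   # session key, long-term key, one-bit counter
    def respond(self, r: bytes) -> bytes:
        """Step 2: the form of m depends on whether the last session completed (c = 0)."""
        t = os.urandom(LBYTES // 2)
        if self.c == 0:
            v = h(r, self.k1, self.k2)
            m = h(self.k1) + L(v)                 # m1 || m2
        else:
            v = h(self.k1, t, r)
            m = L(h(self.k2, t, r)) + L(v) + t    # ma || mb || t
        self.c, self._r, self._expect = 1, r, R(v)   # the R(v) the server must answer with
        return m
    def finish(self, rv: bytes) -> bool:
        """Step 6: check R(v); on success renew k1 and reset the counter."""
        if rv != self._expect: return False
        self.k1 = h(self.k1, self._r)   # assumed update rule, mirroring the server's k1 <- h(k1'||r)
        self.c = 0
        return True

class Server:
    def __init__(self):
        self.db = {}   # name -> [H, k1, k1', k2]
    def enrol(self, name: str, k1: bytes, k2: bytes):
        self.db[name] = [h(k1), k1, k1, k2]
    def identify(self, m: bytes, r: bytes):
        """Step 4: return (name, R(v)) and renew the matching row, or None if nothing matches."""
        m1, m2 = m[:LBYTES], m[LBYTES:]
        for name, row in self.db.items():         # case a: H equals the first two-thirds of m
            H, k1, k1p, k2 = row
            if H == m1 and L(v := h(r, k1, k2)) == m2:
                row[2] = k1                       # k1' <- k1
                return self._renew(name, row, v, r)
        ma, mb, t = m[:LBYTES // 2], m[LBYTES // 2:LBYTES], m[LBYTES:]
        for name, row in self.db.items():         # case b: search by the static key k2
            H, k1, k1p, k2 = row
            if L(h(k2, t, r)) != ma:
                continue
            if L(v := h(k1, t, r)) == mb:         # b.i: m was lost last time, neither side renewed
                row[2] = k1
                return self._renew(name, row, v, r)
            if L(v := h(k1p, t, r)) == mb:        # b.ii: R(v) was lost last time, only the server renewed
                return self._renew(name, row, v, r)
        return None
    def _renew(self, name, row, v, r):
        row[1] = h(row[2], r)   # k1 <- h(k1' || r); k1' now holds the tag's current k1
        row[0] = h(row[1])      # H <- h(k1)
        return name, R(v)

def session(tag: Tag, srv: Server, drop: str = None) -> bool:
    """Steps 1-6 over a lossy channel: drop='tag' loses m, drop='server' loses R(v)."""
    r = os.urandom(LBYTES)
    m = tag.respond(r)
    if drop == "tag":
        return False
    res = srv.identify(m, r)
    if res is None or drop == "server":
        return False
    return tag.finish(res[1])

def demo():
    """Constructed run: normal, lost m, recover, lost R(v), recover. Returns (outcomes, in_sync)."""
    k1, k2 = os.urandom(LBYTES), os.urandom(LBYTES)
    tag, srv = Tag(k1, k2), Server()
    srv.enrol("tag-A", k1, k2)
    srv.enrol("tag-B", os.urandom(LBYTES), os.urandom(LBYTES))   # another enrolled tag
    outcomes = [session(tag, srv, d) for d in (None, "tag", None, "server", None)]
    return outcomes, tag.k1 == srv.db["tag-A"][1] and tag.c == 0
```

Both forms of m are 3l/2 bits long, so the server cannot tell them apart by length; it tries the H lookup of case a first and falls back to the k2 search of case b, exactly as in step 4.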
Ⅳ. Analysis
Following Subsection 2.1, we analyze security and privacy informally. The notation used in this section is the same as in Section III. Without loss of generality, we assume that the reader and the tag generate the same random number twice in a row only with negligible probability, and that 2^{-l/2} is negligible.
4.1 Security analysis
4.1.1 Denial of service
As stated in Subsection 2.1, we do not treat DoS caused by excessive queries. Because our protocol uses a changeable key k1, the server's key may not match that of the tag. In this section, we treat DoS resulting from this discordance between the server and tag keys. Such discordance results from the interception of a transmitted message or from impersonating a legal reader. We show that our protocol protects the system from DoS caused by differences in k1.
4.1.1.1 By message interception
One way to accomplish DoS is for the opponent to intercept the messages transmitted through the wireless channel. For protocols that employ a static state, this attack is futile. However, in a protocol that uses changeable tag states, message interception may be fatal because it desynchronizes the state between the server and tag. Our protocol resists message interception even though it uses a variable secret key, k1.
Suppose the tag's message m is intercepted. Then the secret keys k1 of the server and tag are still the same. Moreover, in the next session the tag will send a message using the static secret key k2 and a k1 that equals that of the server. Thus, the server will be able to identify the tag normally. Suppose instead that the server's message v is intercepted. Then the server updates k1 while the tag does not. As a result, the k1 of the server and the k1 of the tag are not equal. However, the server will still be able to authenticate the tag in the next session because it keeps the tag's k1 as k1'.
4.1.1.2 By reader impersonation
In our protocol, impersonating a reader is not a goal in itself but a tool for causing a secret key mismatch that results in DoS. Spoofing a legal reader would enable the adversary to renew the tag's secret arbitrarily, so that the tag would never be authenticated again. In order to imitate a legal reader, he must create a valid message v, either R(h(r||k1||k2)) or R(h(k1||t||r)), without knowing k1. The probability of generating a correct v without any information about k1 is at most 2^{-l/2}, which is negligible.
4.1.2 Tag impersonation
If someone pretends to hold a legal tag, he must generate a valid m. Namely, he must compute a correct h(k1)||L(h(r||k1||k2)) or L(h(k2||t||r))||L(h(k1||t||r)) knowing r and t but without any information about k1 and k2. Assume that the adversary has collected a tag message. He can then be identified as a legitimate tag if a reader sends him a random number r that is the same as the one used in the last session. We have already assumed that the reader creates the same random number in succession only with negligible probability, so he succeeds only with negligible probability. If he does not wait for the reader to repeat a random number, he must create m randomly. In this case, the probability that he passes as some legal tag is at most n·2^{-l}, and the probability of impersonating a specific tag is at most 2^{-l}. Because both probabilities are insignificant, we assert that our protocol is secure against tag impersonation.
4.2 Privacy analysis
4.2.1 Information leakage
Suppose an adversary wants to know what a tag holder possesses and eavesdrops on the communication between the tag and reader. In our protocol, tags emit hashed values of a mixture of random bits and their own secret keys. Thus, it is difficult for the adversary to learn who holds what just by collecting tag responses. Furthermore, tags do not store their identifier; they keep two secrets that are independent of the identifier. Moreover, the tag information is only communicated through the secure channel between the server and reader.
4.2.2 Location privacy
4.2.2.1 Anonymity
Because each tag generates its message by hashing its secrets and random numbers every session, the adversary cannot tell whether or not two messages were generated by the same tag. Even if two messages are generated by the same tag, they are generated in completely different ways according to the counter value c and the random numbers r and t. Thus, the attack that invades the anonymity of the previously proposed protocol [6] cannot invade the anonymity of our protocol.
4.2.2.2 Forward privacy
Our protocol provides restricted forward privacy. Generally, protocols in which the tags employ a static identifier cannot provide location privacy if the attacker compromises the tag. Because our protocol also uses a static secret, it cannot provide forward privacy perfectly. That is, an attacker who has compromised a certain tag and holds the entire transcript of its previous communications can learn the previous location of the tag whenever the tag generated its message using the static key k2. However, the tags in our protocol employ not only the static key k2 but also the variable key k1, so the attacker cannot trace the tag seamlessly.
4.3 Performance analysis
In our protocol, the tag authentication phase is composed of three steps: the identification step, the verification step, and the key renewal step. If the previous session ended completely, the server can identify a tag with no hash operation, verifies the tag's identity with just one hash operation, and performs the hash operation twice to renew k1 and H. Thus the server usually has to perform the hash operation three times during the tag authentication phase. This is not too impressive because previous research [6], [16] has obtained the same result. However, our protocol is superior when the previous session finished abnormally, that is, when the communication between the entities was blocked. In this case, the server executes the hash function n/2+4 times on average, where n is the number of tags enrolled in the server. As shown in [Table 1], this is half the cost of HHMB.
[Table 1] A comparison of the five protocols
* l is the length of the ID, n is the number of tags, and i is the number of tag ID renewals.
Ⅴ. Conclusion
It is expected that RFID systems will be widely used in the near future. Thus, it is important to ensure that the system preserves security, privacy, and scalability. Here, we used two secret keys, k1 and k2, for each tag: only k1 is renewed each session, whereas k2 is static. The server also keeps k1, k2, and the tag's previous key k1' in order to recover from a desynchronization caused by message loss if necessary. Thus, our protocol is secure against attacks that try to cause an irrecoverable mismatch between tag and server keys.
Both the tag and the reader generate messages using the secret keys and a freshly picked random number; thus, the message changes unpredictably every session, even when the tag does not update its secret key. Therefore, an adversary can impersonate neither the tag nor the reader. In addition, he cannot violate tag anonymity. Unfortunately, our protocol provides limited forward privacy because of the static key k2.
Moreover, we reduced the server workload by 50% when the previous communication finished abnormally, because we employed both a variable and a static secret rather than one variable secret. As a result, our protocol ensures security against impersonation, a reduction of DoS, and tag holder privacy. Furthermore, the server can identify the tag in a reasonable amount of time, even if the messages of the previous session were lost.
References
- [1] S. Weis, S. Sarma, R. Rivest, and D. Engels, "Security and privacy aspects of low-cost radio frequency identification systems," International Conference on Security in Pervasive Computing, pp. 454-469, March 2003.
- [2] A. Juels and S. Weis, "Defining strong privacy for RFID," International Conference on Pervasive Computing and Communications, pp. 342-347, March 2007.
- [3] G. Avoine, "Adversary model for radio frequency identification," Swiss Federal Institute of Technology (EPFL), Security and Cryptography Laboratory (LASEC), Lausanne, Switzerland, Technical Report LASEC-REPORT-2005-001, September 2005.
- [4] M. Burmester, B. de Medeiros, and R. Motta, "Provably secure grouping-proofs for RFID tags," Proceedings of the 8th Smart Card Research and Advanced Applications, pp. 176-190, September 2008.
- [5] K. Osaka, T. Takagi, K. Yamazaki, and O. Takahashi, "An efficient and secure RFID security method with ownership transfer," International Conference on Computational Intelligence and Security 2006, vol. 2, pp. 1090-1095, November 2006.
- [6] J. Ha, J. Ha, S. Moon, and C. Boyd, "LRMAP: Lightweight and resynchronous mutual authentication protocol for RFID system," ICUCT, pp. 80-89, December 2006.
- [7] M. Ohkubo, K. Suzuki, and S. Kinoshita, "Cryptographic approach to privacy-friendly tags," RFID Privacy Workshop, http://simson.net/ref/2004/rfidprivacy.us/2003/agenda.php, November 2003.
- [8] H.Y. Chien, "SASI: A new ultralightweight RFID authentication protocol providing strong authentication and strong integrity," IEEE Transactions on Dependable and Secure Computing, vol. 4, no. 4, pp. 337-340, Oct.-Dec. 2007. https://doi.org/10.1109/TDSC.2007.70226
- [9] S. Vaudenay, "On privacy models for RFID," Advances in Cryptology - Asiacrypt 2007, pp. 68-87, December 2007.
- [10] E.Y. Choi, S.M. Lee, and D.H. Lee, "Efficient RFID authentication protocol for ubiquitous computing environment," Proc. of SECUBIQ05, pp. 945-954, December 2005.
- [11] J. Ha, S.J. Moon, J.M.G. Nieto, and C. Boyd, "Security analysis and enhancement of one-way hash based low-cost authentication protocol (OHLCAP)," PAKDD Workshops, pp. 574-583, May 2007.
- [12] J. Ha, H. Kim, J. Park, S.J. Moon, J.M.G. Nieto, and C. Boyd, "HGLAP - hierarchical group-index based lightweight authentication protocol for distributed RFID system," EUC Workshops, pp. 557-567, December 2007.
- [13] Y.K. Lee, L. Batina, and I. Verbauwhede, "EC-RAC: provably secure RFID authentication protocol," IEEE International Conference on RFID 2008, pp. 97-104, April 2008.
- [14] 권혜진, 이재욱, 전동호, 김순자, "An RFID mutual authentication protocol that is secure and allows easy tag search in the database," 정보보호학회논문지 (Journal of the Korea Institute of Information Security and Cryptology), 18(5), pp. 125-134, October 2008.
- [15] D. Molnar, A. Soppera, and D. Wagner, "A scalable, delegatable pseudonym protocol enabling ownership transfer of RFID tags," Selected Areas in Cryptography, pp. 276-290, August 2005.
- [16] D. Henrici and P. Müller, "Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers," Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops, pp. 149-153, March 2004.
- [17] S.M. Lee, Y.J. Hwang, D.H. Lee, and J.I. Lim, "Efficient authentication for low-cost RFID systems," International Conference on Computational Science and its Applications, pp. 619-627, May 2005.