This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
The F_f-Family of Protocols for RFID-Privacy and Authentication
May/June 2011 (vol. 8 no. 3)
pp. 466-480
Erik-Oliver Blass, EURECOM, Sophia Antipolis
Anil Kurmus, IBM, Zurich
Refik Molva, EURECOM, Sophia Antipolis
Guevara Noubir, Northeastern University , Boston
Abdullatif Shikfa, EURECOM, Sophia Antipolis
In this paper, we present the design of the lightweight F_f family of privacy-preserving authentication protocols for RFID-systems. F_f results from a systematic design based on a new algebraic framework focusing on the security and privacy of RFID authentication protocols. F_f offers user-adjustable, strong authentication, and privacy against known algebraic attacks and recently popular SAT-solving attacks. In contrast to related work, F_f achieves these security properties without requiring an expensive cryptographic hash function. F_f is designed for a challenge-response protocol, where the tag sends random nonces and the results of HMAC-like computations of one of the nonces together with its secret key back to the reader. In this paper, the authentication and privacy of F_f is evaluated using analytical and experimental methods.

[1] N. Courtois, K. Nohl, and S. O'Neil, "Algebraic Attacks on the Crypto-1 Stream Cipher in Mifare Classic and Oyster Cards," http://eprint.iacr.org/2008166.pdf, 2008.
[2] R. Di Pietro and R. Molva, "Information Confinement, Privacy, and Security in RFID Systems," Lecture Notes in Computer Science, pp. 187-202, Springer, 2007.
[3] Y. Choi, M. Kim, T. Kim, and H. Kim, "Low Power Implementation of SHA-1 Algorithm for RFID System," Proc. 10th Int'l Symp. Consumer Electronics, pp. 1-5, 2006.
[4] M. Feldhofer and C. Rechberger, "A Case Against Currently Used Hash Functions in RFID Protocols," Proc. OTM Conf., pp. 372-381, 2006.
[5] M. Feldhofer and J. Wolkerstorfer, "Strong Crypto for Rfid Tags—A Comparison of Low-Power Hardware Implementations," Proc. Int'l Symp. Circuits and Systems, pp. 1839-1842, 2007.
[6] A. Juels and S. Weis, "Authenticating Pervasive Devices with Human Protocols," Proc. 25th Ann. Int'l Cryptology Conf., pp. 293-308, 2005.
[7] A. Juels and S. Weis, "Defining Strong Privacy for RFID," Proc. IEEE Pervasive Computing Comm. Workshops, pp. 342-347, 2007.
[8] M. Soos, "Analysing the Molva and Di Pietro Private Rfid Authentication Scheme," RFIDSec, http://events.iaik.tugraz.atRFIDSec08/, 2008.
[9] T. van Deursen, S. Mauw, and S. Radomirovic, "Untraceability of Rfid Protocols," Proc. Second Workshop Information Security Theory and Practices. Smart Devices, Convergence and Next Generation Networks, pp. 1-15, 2008.
[10] E. Levieil, P.-A. Fouque, "An Improved LPN Algorithm," Proc. Conf. Security and Cryptography Networks, pp. 348-359, 2006.
[11] G. Bard, N. Courtois, and C. Jefferson, "Efficient Methods for Conversion and Solution of Sparse Systems of Low-Degree Multivariate Polynomials Over gf(2) via Sat-Solvers," Proc. European Network Excellence Cryptology Workshop, http://eprint. iacr.org/2007024/, 2007.
[12] G. Tsudik, "Ya-Trap: Yet Another Trivial RFID Authentication Protocol," Proc. Int'l Conf. Pervasive Computing and Comm. Workshops, 2006.
[13] S. Weis, S. Sarma, R. Rivest, D. Engels, "Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems" Proc. Security in Pervasive Computing Conf., pp. 201-212, 2003.
[14] D. Molnar, D. Wagner, "Privacy and Security in Library RFID: Issues, Practices, and Architectures" Proc. Conf. Computer and Comm. Security, pp. 210-219, 2004.
[15] G. Avoine, E. Dysli, P. Oechslin, "Reducing Time Complexity in RFID Systems" Proc. Workshop Selected Areas in Cryptography, pp. 291-306, 2005.
[16] M. Ohkubo, K. Suzuki, and S. Kinoshita, "Cryptographic Approach to Privacy-Friendly Tagsss," Proc. Radio-Frequency Identification Privacy Workshop, http://www.rfidprivacy.us/2003agenda.php , 2003.
[17] EPCglobal, "Epcglobal Standards and Technology," http://www.epcglobalinc.orgstandards/, 2008.
[18] S. Vaudenay, "On Privacy Models for RFID," Proc. Int'l Conf. Theory and Application of Cryptology and Information Security, pp. 68-87, 2007.
[19] T. van Deursen and S. Radomirovic, "Attacks on RFID Protocols," http://eprint.iacr.org/2008310, 2008.
[20] I. Damgård, M. Østergaard, "Rfid Security: Tradeoffs Between Security and Efficiency," Proc. RSA Conf., http://eprint.iacr.org/2006234.pdf, pp. 318-332, 2006.
[21] L. Batina, J. Lano, N. Mentens, B. Preneel, I. Verbauwhede, S. Oers, "Energy, Performance, Area Versus Security Trade-Offs for Stream Ciphers," Proc. European Network of Excellence in Cryptogoy (ECRYPT) Workshop, The State of the Art of Stream Ciphers (SASC), pp. 302-310, 2004.
[22] D. Dobkin, The RF in Rfid: Passive UHF Rfid in Practice. Elsevier, 2007.
[23] N. Courtois and G. Bard, "Algebraic Cryptanalysis of the Data Encryption Standard," Lecture Notes in Computer Science, Cryptography and Coding, pp. 152-169, Springer, 2007.
[24] C. Cooper, "On the Rank of Random Matrices," Random Structures and Algorithms, vol. 16, no. 2, pp. 209-232, 2000.
[25] H. Gilbert, M. Robshaw, and H. Sibert, "Active Attack Against Hb+: A Provably Secure Lightweight Authentication Protocol," IEEE Electronic Letters, vol. 41, no. 21, pp. 1169-1170, Oct. 2005.
[26] S. Weis, "Hb+ Protocol Information Page," http://saweis.nethbplus.shtml, 2008.
[27] E.-O. Blass, A. Kurmus, R. Molva, G. Noubir, and A. Shikfa, "The $f_f$ -Family of Protocols for Rfid-Privacy and Authentication," http://eprint.iacr.org/2008476.pdf, 2008.
[28] C. McDonald, C. Charnes, and J. Pieprzyk, "Attacking Bivium with Minisat," http://www.ecrypt.eu.org/stream/papersdir/ 2007040.pdf, 2007.
[29] C. McDonald, C. Charnes, and J. Pieprzyk, "An Algebraic Analysis of Trivium Ciphers Based on the Boolean Satisfiability Problem," http://eprint.iacr.org/2007129, 2007.
[30] I. Mironov, L. Zhang, "Applications of Sat Solvers to Cryptanalysis of Hash Functions," Proc. Int'l Conf. Theory and Applications of Satisfiability Testing (SAT '06), pp. 102-115, 2006.
[31] T. Eibach, E. Pilz, and S. Steck, "Comparing and Optomising Two Generic Attacks on Bivium," Proc. State of the Art of Stream Ciphers Workshop (SASC '08), http://www.ecrypt.eu.org/stvlsasc2008, 2008.
[32] T. Eibach, E. Pilz, and G. Voelkel, "Attacking Bivium Using Sat Solvers." Proc. Int'l Conf. Theory and Applications of Satisfiability Testing (SAT '08), pp. 63-76, 2008.
[33] N. Eèn, N. Sörensson, "An eXtensible Sat-Solver," Theory and Applications of Satisfiability Testing, pp. 502-518, Santa Margherita Ligure, 2004.

Index Terms:
Lightweight RFID security, authentication, privacy, algebraic attacks, SAT-solving, LPN.
Citation:
Erik-Oliver Blass, Anil Kurmus, Refik Molva, Guevara Noubir, Abdullatif Shikfa, "The F_f-Family of Protocols for RFID-Privacy and Authentication," IEEE Transactions on Dependable and Secure Computing, vol. 8, no. 3, pp. 466-480, May-June 2011, doi:10.1109/TDSC.2010.37
Usage of this product signifies your acceptance of the Terms of Use.