Issue No.03 - May/June (2011 vol.8)

pp: 466-480

Erik-Oliver Blass, EURECOM, Sophia Antipolis

Anil Kurmus, IBM, Zurich

Refik Molva, EURECOM, Sophia Antipolis

Guevara Noubir, Northeastern University, Boston

Abdullatif Shikfa, EURECOM, Sophia Antipolis

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2010.37

ABSTRACT

In this paper, we present the design of the lightweight F_f family of privacy-preserving authentication protocols for RFID systems. F_f results from a systematic design based on a new algebraic framework focusing on the security and privacy of RFID authentication protocols. F_f offers user-adjustable, strong authentication, and privacy against known algebraic attacks and recently popular SAT-solving attacks. In contrast to related work, F_f achieves these security properties without requiring an expensive cryptographic hash function. F_f is designed for a challenge-response protocol, where the tag sends random nonces and the results of HMAC-like computations of one of the nonces together with its secret key back to the reader. In this paper, the authentication and privacy of F_f are evaluated using analytical and experimental methods.

INDEX TERMS

Lightweight RFID security, authentication, privacy, algebraic attacks, SAT-solving, LPN.

CITATION

Erik-Oliver Blass, Anil Kurmus, Refik Molva, Guevara Noubir, Abdullatif Shikfa, "The F_f-Family of Protocols for RFID-Privacy and Authentication", *IEEE Transactions on Dependable and Secure Computing*, vol. 8, no. 3, pp. 466-480, May/June 2011, doi:10.1109/TDSC.2010.37
