Lightweight Authentication Protocol for RFID System and Anti-Counterfeiting Flagship Project in Auto-ID Labs
Kwangjo Kim
Cryptology and Information Security Lab., International Research center for Information Security (IRIS), Information and Communications Univ. (ICU)
KRnet 2006, Track: RFID/Wireless Sensor Network, Session: A1-2, Presentation date: June 27, 2006
Security Engineering in U-Network
Security requirements and their special requirements in U-network (grouped on the slide as Basic and Additional):
– Authentication: Mutual authentication, use of dynamic key, Wireless PKI, device authentication, Central authentication, QoS
– Confidentiality: Key management, light weight cryptography, secure DB, mobile cryptography
– Integrity: Integrity mechanism for U-network
– Availability: DoS attack, Priority management in access control, Differentiated service
– Access control: Control of delegate, Entity authentication and authorization
– Anonymity: Transfer of real ID information
– Safe roaming: Global roaming, DRM, Seamless secure roaming
Our Approach to Ubiquitous Security
Research Achievements (1)
Research on Provably Secure Cryptographic Primitives
– Secret Key Cryptography
  ▪ Primitives: S-box, P-box, resilient functions
  ▪ Analysis of standard algorithms: SEED, AES, NESSIE, etc.
– Public Key Cryptography
  ▪ Non-abelian group PKC
  ▪ Provably secure PKC
  ▪ Digital signatures
    ◦ proxy signature, blind signature, multi signature, group signature
  ▪ Braid group PKC
Cryptographic Theory and Primitives
• More secure than the original ElGamal scheme (IND-CCA2)
• Provably secure under the computational DH assumption
• Shorter ciphertext length compared to previous schemes
• ID-based Blind Signature for E-cash, E-voting, etc.
• ID-based Ring Signature for Group Signing
• ID-based Proxy Signature for Delegation of Signing
• ID-based Threshold Signature for Distributed Signing
Research Achievements (2)
Typical RFID system
Characteristics
– Air interface
– Asymmetric communication channel
– Tag cost
  ▪ 5-cent tag, IC cost < 2 cents
Secure authentication protocol for low-cost RFID system
– Using a rewritable memory like EEPROM, hash in tags
– Satisfy confidentiality, anonymity, and integrity
– Robust against attacks
Security and Privacy in RFID
Risks
– Eavesdropping between T & R
– DB desynchronization between B & R
– Active query
– Hardware attack
Lack of authentication:
– Malicious reading (skimming): captured information aids duplicating genuine tags.
– Denial-of-Service (DoS) due to deployment of cloned tags.
Privacy invasion:
– Information leakage of user's belongings
– Static ID is subject to tracking such as behaviour tracking
(Picture credited to Juels et al.)
Road Map in Secure RFID/USN
Jeongkyu Yang, Jaemin Park, Hyunrok Lee, Kui Ren and Kwangjo Kim, "Mutual Authentication Protocol for Low-cost RFID", Proc. of Workshop on RFID and Lightweight Crypto, Jul. 14~15, 2005, Graz, Austria.
Lightweight RFID Authentication Protocol
Design background
Secure authentication protocol for low-cost RFID system
– Using a rewritable memory like EEPROM, hash in tags
[Figure: Back-end Server, Reader (not a TTP) and RFID Tag linked by insecure channels; labels: Query, Anonymous ID, New Anonymous ID, Data, Anonymous ID Update]
– Meet low-cost RFID environment
– Guarantee privacy for tag bearers
– Satisfy confidentiality, anonymity, and integrity
– Robust against attacks
Attack Model
– Man-in-the-middle attack
  ▪ The attacker can impersonate a legitimate R and get the information from T. He can also impersonate the legitimate T when responding to R.
– Replay attack
  ▪ The attacker eavesdrops on the response message from T and can retransmit the message to the legitimate R.
– Forgery
  ▪ Simple copying of T's information obtained by eavesdropping.
– Data loss
  ▪ DoS, power interruption, hijacking, etc.
– Side-channel attacks are not considered
Security Requirement
– Data confidentiality
  ▪ To protect the data privacy of T from insecure data
– Tag anonymity
  ▪ To protect the location privacy of tag bearers
– Data integrity
  ▪ Data integrity between T and B against data loss
  ▪ Linkage between the authentication info. of T and T itself: simple forgery is prevented
– Detection of an illegitimate R
  ▪ Replay attack and man-in-the-middle attack are prevented.
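Our Protocol
Parties (the B–R link and the R–T link are both insecure channels):
– B (back-end server): $h()$, $h_k()$, $\oplus$; holds $k_1, k_2, C$
– R (reader): $RNG$, $h_k()$
– T (tag): $h()$, $\oplus$; holds $k_1, k_2, C$
Table fields shown on the slide: T1, T2, AE, CN, DATA, ID, k1, k2

1) Challenge: R generates $r$, computes $S = h_k(r)$ and queries T with $S$.
2) T-R response: T computes $ID = h(k_1 \oplus S \oplus C)$ and sends $ID$.
3) R-B response: R sends $ID, S, r$.
   B verifies $S \stackrel{?}{=} h_k(r)$ (abort if not), then retrieves $\langle k_1, k_2, C \rangle$ from $\langle T1, T2, CN \rangle \in D$.
   B verifies $ID \stackrel{?}{=} h(k_1 \oplus h_k(r) \oplus C)$ (abort if not), then sets $ID' = h(k_2)$ and updates $k_1 \leftarrow k_1 \oplus ID'$, $k_2 \leftarrow k_2 \oplus ID$.
4) R-B reply: B sends $ID', E_{h_k(S)}(DATA)$.
5) R-T reply: R computes $D_{h_k(S)}(DATA)$ and sends $ID'$ to T.
   T verifies $ID' \stackrel{?}{=} h(k_2)$ (abort if not), then updates $k_1 \leftarrow k_1 \oplus ID'$, $k_2 \leftarrow k_2 \oplus ID$.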
Security Comparison
Comparison (1/2)
* S. Weis, S. Sarma, R. Rivest, and D. Engels, "Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems", Proc. of the 1st Security in Pervasive Computing, LNCS, vol. 2802, pp. 201-212, 2004.
** D. Henrici and P. Müller, "Hash-based Enhancement of Location Privacy for Radio-Frequency Identification Devices using Varying Identifiers", PerSec'04 at IEEE PerCom, pp. 149-153, Mar. 2004.
Performance Comparison
• L bits is assumed for the size of every component in all protocols
• The output of the hash function is ½L bits
• Comparison for DATA is excluded since its size depends on the application.