This paper proposes a Storage-Aware Private Authentication protocol (SAPA). This scheme employs the sparse tree structure, and treats the path of each tag in the tree as an independent secret. Without privacy protection, any RFID reader can identify a consumer's ID via the emitted serial number from the tag.
Storage-Awareness: RFID Private Authentication based on Sparse Tree ∗
Weijia Wang, Yong Li, Lei Hu and Li Lu
State Key Laboratory of Information Security, Graduate University of Chinese Academy of Sciences {wwj, yli, hu, luli}@is.ac.cn
∗ Supported by NSFC(60573053).

Abstract

With the growing use of Radio Frequency Identification (RFID) technology to enhance ubiquitous computing environments, the privacy protection problem becomes a crucial issue. The objective of private authentication for RFID systems is to allow valid readers to explicitly authenticate their dominated tags without leaking the tags' private information. To achieve strong privacy, Lu et al. recently proposed a Strong and lightweight RFID Private Authentication protocol (SPA), which enables a dynamic key-updating mechanism for balanced-tree-based authentication approaches. However, due to its balanced tree structure, SPA is still susceptible to compromising attacks. In this paper, we propose a Storage-Aware Private Authentication protocol (SAPA). This scheme employs the sparse tree structure, and treats the path of each tag in the tree as an independent secret. As a result, SAPA enjoys perfect privacy and largely reduces the space for storing the key sequence on the side of the tag, while keeping the key search complexity on the side of the reader logarithmic.

1 Introduction

Radio Frequency Identification (RFID) is a technology for automated identification of objects in a contactless manner. RFID systems are made up of small and inexpensive transponders (tags) inserted into the objects, of readers which communicate with tags using radio frequencies, and usually of a back-end database which contains information on the tag. Tags, which have the ability to store data and derive their power from the signal of an interrogating reader, are small microchips designed for wireless data transmission in response to interrogation by an RFID reader. Readers are often regarded as a simple conduit to the back-end database, and it is generally assumed that the connection between reader and back-end database is a secure link. Thus, in this context, our focus is put on the communication link between tags and reader.

The advantages of using RFID technology are growing tremendously and gaining much attention, as seen in its increasing deployment in applications such as object tracking and monitoring, supply-chain management, and personalized information services. However, these low-cost tags provide no access control or tamper resistance for sensitive information and hence pose new risks to security and privacy. For example, without privacy protection, any RFID reader can identify a consumer's ID via the emitted serial number from the tag. As a result, a buyer can be tracked and profiled by unauthorized marketers. Therefore, a secure RFID system must meet two requirements, which are also the objective of private authentication. On one hand, a valid reader must successfully identify the valid tags; on the other hand, misbehaving readers should not be able to retrieve private information from these tags.

Related work. To address the above privacy protection issue in RFID systems, many efforts have been made to achieve efficient private authentication. One method is to employ encryption in RFID authentication. Each tag shares a unique key with the RFID reader and sends an encrypted authentication message to the reader. Instead of identifying the tag directly, the reader searches all keys that it holds to recover the authentication message and identify the tag.

Weis et al. [12] first advanced the general approach of key search for RFID-tag identification. They proposed a hash function based authentication scheme, HashLock, to avoid tags being tracked. In this approach, each tag shares a secret key $k$ with the reader. The reader sends a random number $r$ as the authentication request. To respond to the reader, the tag generates a hash value on the inputs of $r$ and $k$. The reader then computes $h(k, r)$ with all stored keys until it finds a key to recover $r$, thereby identifying the tag. The search complexity of HashLock is linear in $n$, where $n$ is the number of tags in the system. In practice, if the set of tags $\{T_i\}_{i=1}^{n}$ is large, then key search can be prohibitively costly. Most subsequent approaches in the literature are aimed at reducing the cost of key search. In [7], these approaches are classified into three types.

Tree based approaches: ([10, 9, 4, 8]) Molnar et al. [10]
Figure 1. The balanced tree of SPA (leaf labels $k_{2,1}, k_{2,2}, k_{2,3}, k_{2,4}$; tags $T_1, T_2, T_3, T_4$).

Figure 2. The sparse tree of SAPA (leaf labels $k_r^1, k_r^2, k_r^3$; tags $T_1, T_2, T_3$).
the root is recursive, so here we no longer make a further description. Refer to [8] for more details.

In fact, both ideas of the two schemes above make use of the balanced tree structure to improve the search speed at the cost of the storage of secrets held by each tag. For example, let us consider the case that there are $n = 2^{20}$ tags and each key is 64 bits; as a result each tag must store $20 \times 64 = 1280$ bits of keys, which is a hard job for tags that lack memory resources.

On the other hand, although the key-updating mechanism in Lu et al.'s scheme, to a certain extent, reduces the key relationship as a whole, local key relationships, especially between the tags whose last keys are brother leaf nodes (we refer to them as brother tags, for simplicity), are still kept relatively static. Therefore the compromise of a tag still seriously imperils the privacy of its brother tag even if the aforementioned updating tactic is employed.

To address the two problems above, we propose our solution SAPA.

2.2 Basic Idea of SAPA

In SAPA, we make use of a sparse tree structure, instead of a balanced tree, to organize all tags' keys. In the tree, none of the non-leaf nodes (except the root) stores keys, and each path from the root to the leaf, as an independent secret, is held by the corresponding tag and is updated by using a cryptographic hash function in the key-updating stage. As a result, with logarithmic search complexity, our scheme enjoys both low key-storage cost and perfect privacy on the side of tags. In the following, we present the description of our scheme, which consists of four components: initialization, identification, key-updating and maintenance.

2.3 Initialization

It is assumed that there are $n$ tags $T_i$, $1 \le i \le n$, and a reader $R$ in the RFID system. The reader $R$ stores and organizes the keys of all tags by using a sparse tree, called key tree $S$. Let $\alpha$ denote the branching factor of the key tree and $d$ denote the depth of the tree. To present our scheme more clearly, we only describe the scheme in terms of a binary tree, but nothing restricts the sparse-tree-based scheme to binary trees. Hence $\alpha = 2$ in the following. The secret held by each tag is a key triple $(k_h, k_m, k_r)$, where $k_h$ and $k_r$ correspond to the root and the leaf node in the key tree $S$, respectively; $k_m$ represents the path from the root to the leaf, each bit of which denotes which subtree the path passes through (i.e., 0 refers to the left subtree and 1 to the right one) at each level of the tree $S$. Each non-leaf node is assigned two state bits $s_l$ and $s_r$, which are used to denote whether its left or right subtree exists.

In the initialization, the tree $S$ is empty. When the $n$ tags $\{T_1, T_2, \ldots, T_n\}$ are enrolled into the system, the reader $R$ first builds a root for the tree $S$ and assigns to it a number $K_H$ chosen at random. Next, $R$ generates $n$ pairs $\{(K_m^1, K_r^1), \ldots, (K_m^n, K_r^n)\}$ randomly. For each pair $(K_m^i, K_r^i)$, $R$ inserts a branch (or path) in the tree from the root, level by level, in turn according to each bit of $K_m^i$, assigns $K_r^i$ to the leaf node of the branch, and then distributes $(K_H, K_m^i, K_r^i)$ to tag $T_i$ as its key triple $(k_h^i, k_m^i, k_r^i)$. In the end, the reader $R$ finishes assigning the $n$ tags to $n$ branches in a sparse binary tree $S$. For simplicity of exposition, we consider a simple and trivial case, where there are only three tags $T_1$, $T_2$ and $T_3$ and a sparse binary tree of three levels is used to manage them, as illustrated in Fig.2.

Figure 3. The identification of SAPA.
  $R \rightarrow T_i$: Request, $r_1$
  $T_i \rightarrow R$: $r_2$, $W$ (after $T_i$ computes $W$)
  $R$: identification, computing $\Delta$ and key-updating
  $R \rightarrow T_i$: $\Delta$
  $T_i$: checking $\Delta$, then updating keys
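An added example, not code from the paper: it builds the sparse key tree $S$ for three tags as in the initialization above, then runs the tag's hash-chain response and the level-by-level lookup that the reader performs on $S$ in the identification step. SHA-256 over length-prefixed inputs stands in for $h$, and the function and class names, the paths of $T_2$ and $T_3$, and all key and nonce values are assumptions made for the illustration.

```python
import hashlib, hmac, os

def h(*parts):  # stand-in for the paper's h: SHA-256 over length-prefixed inputs (assumption)
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()

class Node:
    def __init__(self):
        self.child = [None, None]  # child[0] / child[1] present <=> state bit s_l / s_r is 1
        self.leaf = None           # (tag name, k_r), stored only at a leaf

def enroll(root, name, k_m, k_r):
    # Initialization: insert the branch selected by the bits of k_m, store k_r at its leaf.
    node = root
    for bit in k_m:
        node.child[bit] = node.child[bit] or Node()
        node = node.child[bit]
    node.leaf = (name, k_r)

def tag_response(k_h, k_m, k_r, r1, r2):
    # Tag side: W = {M, h(M, k_m[1]), ..., h(h(...), k_r)} with M = h(k_h, r1, r2).
    W = [h(k_h, r1, r2)]
    for bit in k_m:
        W.append(h(W[-1], bytes([bit])))
    return W + [h(W[-1], k_r)]

def identify(root, K_H, r1, r2, W):
    # Reader side: verify M, then follow W level by level through existing subtrees only.
    cur, node = h(K_H, r1, r2), root
    if len(W) < 2 or not hmac.compare_digest(cur, W[0]):
        return None
    for item in W[1:-1]:
        step = None
        for bit in (0, 1):
            if node.child[bit] is not None:
                cand = h(cur, bytes([bit]))
                if hmac.compare_digest(cand, item):
                    step = (node.child[bit], cand)
        if step is None:  # both state bits zero, or both comparisons failed
            return None
        node, cur = step
    ok = node.leaf is not None and hmac.compare_digest(h(cur, node.leaf[1]), W[-1])
    return node.leaf[0] if ok else None

# Constructed sample: T1's path 001 is from the text; T2/T3 paths and all keys are made up.
K_H, root, r1, r2 = os.urandom(8), Node(), os.urandom(8), os.urandom(8)
PATHS = {"T1": (0, 0, 1), "T2": (0, 1, 0), "T3": (1, 1, 0)}
KEYS = {name: os.urandom(8) for name in PATHS}
for name, k_m in PATHS.items():
    enroll(root, name, k_m, KEYS[name])
print(identify(root, K_H, r1, r2, tag_response(K_H, PATHS["T1"], KEYS["T1"], r1, r2)))
```

At each level the reader hashes only for subtrees whose state bit is set, so a response is resolved with at most two hashes per level, and a response under a stale nonce or along a path that is not in $S$ is rejected at the first level where no comparison succeeds.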
tag $T_i$ comprises three rounds, as illustrated in Fig.3. In the first round, $R$ starts the protocol by sending a "Request" and a nonce $r_1$ to tag $T_i$. In the second round, upon request, $T_i$ generates a nonce $r_2$ and computes a sequence of hash chains

$W = \{h(k_h^i, r_1, r_2),\ h(h(k_h^i, r_1, r_2), k_m^i[1]),\ \ldots,\ h(h(h(\ldots h(k_h^i, r_1, r_2)), k_m^i[l]), k_r^i)\}$,

where $k_m^i[j]$ denotes the $j$-th bit in the binary string $k_m^i$ and $l$ is the size of $k_m^i$. Upon receipt of the authentication information from $T_i$, $R$ begins to identify $T_i$ with the help of the key tree $S$. By using $K_H$ stored in the root, the reader $R$ first verifies the first item $h(k_h^i, r_1, r_2)$ in the authentication sequence. If it is valid, $R$ invokes a recursive algorithm to identify the following hash chains level by level in terms of the subtree state bits of non-leaf nodes until the leaf node.

For the example in Fig.2, the reader $R$ authenticates tag $T_1$. Let $M = h(k_h^1, r_1, r_2)$; the authenticator sequence from $T_1$ can be shown as follows:

$\{M,\ h(M, 0),\ h(h(M, 0), 0),\ h(h(h(M, 0), 0), 1),\ h(h(h(h(M, 0), 0), 1), k_r^1)\}$.

After successfully verifying $M$ with $h(K_H, r_1, r_2)$, $R$ computes $h(h(K_H, r_1, r_2), 0)$ (if $s_l^{0} = 1$) and $h(h(K_H, r_1, r_2), 1)$ (if $s_r^{0} = 1$), and then compares them with the received $h(M, 0)$. It is clear that the former is equal to $h(M, 0)$, which means that the tag belongs to the left subtree of the root, so $R$ continues to verify the next hash chain by checking $s_l^{1,1}$ and $s_r^{1,1}$. The rest of the identification procedure may be deduced by analogy until $R$ extends the path (001) of $T_1$ from the root to the leaf. Finally, $R$ finishes authenticating the whole hash chain sequence by verifying the last hash chain with the leaf node $k_r^1$. Note that if both subtree state bits are zero, or both comparisons between the hash chain from the target tag and the reader's own computation result fail at the corresponding level in the tree, the identification procedure of the tag fails and stops.

2.5 Key-Updating

In the following, we introduce the key-updating algorithm, which is invoked by the reader after the aforementioned identification step, as shown in Fig.3. It is assumed that the target tag is $T_i$, and the reader $R$ has obtained its corresponding branch from the root to the leaf in the

$h(k_m^i, k_r^i, r_1, r_2, 1)$, $k_r^i = h(k_r^i, k_m^i, r_1, r_2, 2)$. Next, the reader invokes the branch-deletion algorithm to erase the branch corresponding to $k_m^i$ from the tree $S$ and inserts a new one corresponding to $k_m^i$ in $S$ by applying the branch-insert algorithm. Finally it stores $k_r^i$ in the leaf node of the new branch. Upon finishing the key-updating, $R$ sends a synchronization message $\Delta = h(k_m^i, k_r^i, r_2, r_1, 3)$ to $T_i$, as shown in Fig.3. Having received this message, $T_i$ first verifies whether or not $\Delta = h(k_m^i, k_r^i, r_2, r_1, 3)$. If yes, $T_i$ updates its keys according to the synchronization message, that is, it computes new keys just as the reader does above. In the end, both the tag $T_i$ and the reader $R$ will share a new secret triple $\{k_h^i, k_m^i, k_r^i\}$.

As for the updating of $K_H$ shared by all tags, we can implement it easily by employing a method similar to that in [8].

2.6 Maintenance

Compared with the scheme provided by Lu et al. [8], it is much easier for the system to withdraw or add tags in our scheme. For withdrawing a tag, the system calls the branch-deletion algorithm to delete the corresponding branch from the key tree. For adding a new one, the system chooses a new secret triple randomly, assigns it to the new tag and then invokes the branch-insert algorithm to add a corresponding new branch from the root.

3 Security Analysis

In this section, we focus on the formal analysis of the privacy of SAPA under compromising attack. The informal analyses of our scheme on the security requirements mentioned in [4] are similar to those of SPA in [8].

3.1 Model and Definition

A compromising attack is a serious active attack in which, by compromising some tags' keys, attackers attempt to trace the uncompromised ones. In the following, we make use of an attack model to formalize the ability of the adversary.

The model in this paper is mainly based on Avoine's attack model [2], in which the attackers and the RFID system are abstracted into two participants: the Adversary $A$ and the Challenger $C$. Attacking-defending between the attackers and the RFID system is like a game between $A$ and $C$. Any attack on a given $R$ or $T$ can be represented as $A$'s calling on one of its oracles as follows: