CN107994992B - RFID bidirectional authentication protocol method and device - Google Patents

RFID bidirectional authentication protocol method and device Download PDF

Info

Publication number
CN107994992B
CN107994992B CN201711105510.5A CN201711105510A CN107994992B CN 107994992 B CN107994992 B CN 107994992B CN 201711105510 A CN201711105510 A CN 201711105510A CN 107994992 B CN107994992 B CN 107994992B
Authority
CN
China
Prior art keywords
vector
message
message vector
reader
authentication
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711105510.5A
Other languages
Chinese (zh)
Other versions
CN107994992A (en
Inventor
姜晓
林国营
党三磊
林佳
赵闻
胡皓鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Electric Power Research Institute of Guangdong Power Grid Co Ltd
Original Assignee
Electric Power Research Institute of Guangdong Power Grid Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Electric Power Research Institute of Guangdong Power Grid Co Ltd filed Critical Electric Power Research Institute of Guangdong Power Grid Co Ltd
Priority to CN201711105510.5A priority Critical patent/CN107994992B/en
Publication of CN107994992A publication Critical patent/CN107994992A/en
Application granted granted Critical
Publication of CN107994992B publication Critical patent/CN107994992B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3271Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
    • H04L9/3273Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • H04L2209/805Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor

Abstract

The invention provides a method and a device for an RFID (radio frequency identification) mutual authentication protocol, which are used for transmitting five message vectors through two-round communication, realizing the authentication of a tag on a reader by adopting a strong universal hash function f and a pointer value, hiding a third message vector b by utilizing a strong universal hash function g, realizing the safe transmission of the third message vector b, resisting man-in-the-middle attack, and solving the technical problems that the current Auth protocol cannot resist the man-in-the-middle attack and the LPNAP protocol does not realize the mutual authentication.

Description

RFID bidirectional authentication protocol method and device
Technical Field
The invention relates to the field of power system stability control, in particular to a Radio Frequency Identification Device (RFID) mutual authentication protocol method and device.
Background
In the internet of things, the RFID technology carries a large amount of secret information of national materials, enterprise customer relationship information and user personal information, and for the consideration of national security, enterprise interests and user privacy, the RFID technology for identifying objects must be authenticated and protected, otherwise, the reliability of the internet of things will be affected. Therefore, achieving authentication in low cost RFID systems is a must-go route to the development of RFID technology today. Many cryptologists research and obtain great results on the authentication of the RFID protocol, but most of the protocols currently only attach importance to the secure authentication of the tag and ignore the secure identification of the reader, so that unauthorized readers can still pass the secure authentication, and tag information is leaked.
The purpose of RFID mutual authentication is to prevent unauthorized readers from browsing some or all of the information stored in the tags and to grant legitimate readers the ability to distinguish legitimate tags from illegitimate tags. The low cost and security requirements of RFID become a difficult point in the design of authentication protocols. On one hand, the computation and programming capabilities of the tags in the RFID system are limited by the cost of the tags, so that the tags only have very limited computation capabilities and can only perform simple logic operation; on the other hand, the wireless communication environment of the RFID system makes the RFID protocol vulnerable.
The RFID authentication protocol designed based on the LPN has the advantages that: one is lower computational complexity, and the other is quantum attack resistance, because no effective quantum algorithm is found at present, the problem that the LPN can be successfully cracked within polynomial time is difficult. Hopper and Blum propose a two-round RFID authentication protocol capable of being proved to be safe based on LPN for the first time: the HB protocol, but the HB protocol can only resist passive attacks; juels and Weis propose HB + protocols with active security, but Gilbert, Robshaw and Sibert successfully implement GRS attacks on HB + protocols; gilbert et al proposed a Random-HB # protocol, but Ouafi et al implemented a man-in-the-middle attack on the Random-HB # protocol; tang and Jidong Yao propose an HB # protocol, and give the security proof of the HB # protocol against man-in-the-middle attack under the random predictive model, but Jiangxing et al discovered the security hole of the HB # protocol and successfully implemented the man-in-the-middle attack; kiltz et al first proposed a two-round Auth protocol that is resistant to active attacks and ingeniously provided a security proof, but the Auth protocol was not resistant to man-in-the-middle attacks. The two rounds of the LPNAP protocol can resist man-in-the-middle attacks, but the LPNAP protocol does not achieve bidirectional authentication.
Therefore, it is necessary to provide a method and an apparatus for RFID mutual authentication protocol to solve the technical problems that the current Auth protocol cannot resist man-in-the-middle attack and the LPNAP protocol does not implement mutual authentication.
Disclosure of Invention
The invention provides a method and a device for a Radio Frequency Identification (RFID) mutual authentication protocol, which solve the technical problems that the current Auth protocol cannot resist man-in-the-middle attack and the LPNAP protocol does not realize mutual authentication.
The invention provides a Radio Frequency Identification Device (RFID) mutual authentication protocol method, which comprises the following steps:
S1、the tag receives a first message vector a and a second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a satisfies wt (a) l/2 and m f (T)SC) and m ═ f (T)SC-1), generating a third message vector b, a first random vector r and a fourth message vector e obeying Bernoulli distribution, wherein f is a strong universal hash function and a secret key TsAssociating a Toeplitz matrix T with a vector s of (2l + n-1) bits with a uniform probability, l being a preset parameter, n being a polynomial on l, c being a preset constant;
s2, calculating by the label according to the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution to obtain a second random vector
Figure GDA0001606680100000021
Then, a hidden vector is obtained by calculation according to the second random vector z
Figure GDA0001606680100000022
Finally synthesizing (r, z, y) and sending the (r, z, y) to the reader;
s3, after the reader receives (r, z, y) sent by the label, it is determined whether the first random vector r is equal to 0, if so, the execution of the protocol is terminated, and if not, the fifth message vector is calculated according to the second random vector z and the hidden vector y to obtain the second random vector r, and if not, the protocol is terminated
Figure GDA0001606680100000023
Wherein g is a strong universal hash function;
s4, the tag obtains the reader according to the first message vector a and the secret key TsAnd the first random vector r and the fifth message vector b' are used for obtaining an authentication result, wherein the authentication result is authentication error or authentication correct.
Preferably, step S1 is preceded by:
s0, the reader generates a first message vector a which satisfies
Figure GDA0001606680100000024
First of allHamming overlap wt (a) l/2 of message vector a, and calculating a second message vector m f (T)SC), the first message vector a and the second message vector m ═ f (T)SC) sending to the label, wherein f is a strong universal hash function, and the secret key TsFor the Toeplitz matrix T to be associated with a vector s of (2l + n-1) bits with a uniform probability, c is a preset constant.
Preferably, the RFID mutual authentication protocol method provided by the present invention further includes:
the tag receives a first message vector a and a second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a does not satisfy wt (a) ═ l/2 and/or m ═ f (T)SC) and m ═ f (T)SAnd c-1) is not equal, the execution of the protocol is terminated.
Preferably, step S4 specifically includes:
the label acquires the reader according to the first message vector a and the secret key TsA first random vector r and a fifth message vector b', and judging by a reader
Figure GDA0001606680100000031
And obtaining an authentication result after the verification is true, wherein the authentication result is authentication error or authentication correctness, wherein tau is 1/4+ eta/2, and eta is a parameter of the Bernoulli distribution.
Preferably, the third message vector
Figure GDA0001606680100000032
The Hamming overlap of the third message vector b satisfies wt (b) l/2, the first random vector
Figure GDA0001606680100000033
The invention also provides a RFID bidirectional authentication protocol device, which comprises:
a first receiving unit, configured to receive, by a tag, a first message vector a and a second message vector m ═ f (T) sent by a readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a satisfies wt (a) l/2 and m f (T)SC) and m ═ f (T)SC-1), generating a third message vector b, a first random vector r and a fourth message vector e obeying Bernoulli distribution, wherein f is a strong universal hash function and a secret key TsAssociating a Toeplitz matrix T with a vector s of (2l + n-1) bits with a uniform probability, l being a preset parameter, n being a polynomial on l, c being a preset constant;
a first calculating unit, configured to calculate, by the tag, a second random vector according to the third message vector b, the first random vector r, and a fourth message vector e that obeys bernoulli distribution
Figure GDA0001606680100000034
Then, a hidden vector is obtained by calculation according to the second random vector z
Figure GDA0001606680100000035
Finally synthesizing (r, z, y) and sending the (r, z, y) to the reader;
a second calculating unit, configured to determine whether the first random vector r is equal to 0 after the reader receives (r, z, y) sent by the tag, terminate execution of the protocol if the first random vector r is equal to 0, and calculate to obtain a fifth message vector according to the second random vector z and the hidden vector y if the first random vector r is not equal to 0
Figure GDA0001606680100000036
Wherein g is a strong universal hash function;
an authentication unit for the tag obtaining the reader according to the first message vector a and the secret key TsAnd the first random vector r and the fifth message vector b' are used for obtaining an authentication result, wherein the authentication result is authentication error or authentication correct.
Preferably, the RFID mutual authentication protocol device provided by the present invention further includes:
a generating unit for the reader to generate a first message vector a satisfying
Figure GDA0001606680100000041
Hamming overlap wt (a) l/2 of first message vector a, and second message vector m f (T) is calculatedSC), the first message vector a and the second message vector m ═ f (T)SC) sending to the label, wherein f is a strong universal hash function, and the secret key TsFor the Toeplitz matrix T to be associated with a vector s of (2l + n-1) bits with a uniform probability, c is a preset constant.
Preferably, the RFID mutual authentication protocol device provided by the present invention further includes:
a second receiving unit, configured to receive, by the tag, a first message vector a and a second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a does not satisfy wt (a) ═ l/2 and/or m ═ f (T)SC) and m ═ f (T)SAnd c-1) is not equal, the execution of the protocol is terminated.
Preferably, the authentication unit is further configured to acquire, by the tag, the first message vector a and the key T from the readersA first random vector r and a fifth message vector b', and judging by a reader
Figure GDA0001606680100000042
And obtaining an authentication result after the verification is true, wherein the authentication result is authentication error or authentication correctness, wherein tau is 1/4+ eta/2, and eta is a parameter of the Bernoulli distribution.
Preferably, the third message vector
Figure GDA0001606680100000043
The Hamming overlap of the third message vector b satisfies wt (b) l/2, the first random vector
Figure GDA0001606680100000044
From the technical scheme, the invention has the following advantages:
the invention provides a Radio Frequency Identification Device (RFID) mutual authentication protocol method, which comprises the following steps:
s1, the tag receives a first message vector a and a second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a satisfies wt (a) l/2 and m f (T)SC) and m ═ f (T)SC-1), generating a third message vector b, a first random vector r and a fourth message vector e obeying Bernoulli distribution, wherein f is a strong universal hash function and a secret key TsAssociating a Toeplitz matrix T with a vector s of (2l + n-1) bits with a uniform probability, l being a preset parameter, n being a polynomial on l, c being a preset constant; s2, calculating by the label according to the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution to obtain a second random vector
Figure GDA0001606680100000045
Then, a hidden vector is obtained by calculation according to the second random vector z
Figure GDA0001606680100000046
Finally synthesizing (r, z, y) and sending the (r, z, y) to the reader; s3, after the reader receives (r, z, y) sent by the label, it is determined whether the first random vector r is equal to 0, if so, the execution of the protocol is terminated, and if not, the fifth message vector is calculated according to the second random vector z and the hidden vector y to obtain the second random vector r, and if not, the protocol is terminated
Figure GDA0001606680100000047
Wherein g is a strong universal hash function; s4, the tag obtains the reader according to the first message vector a and the secret key TsAnd the first random vector r and the fifth message vector b' are used for obtaining an authentication result, wherein the authentication result is authentication error or authentication correct.
In the invention, five message vectors are transmitted through two-round communication, the authentication of the tag to the reader is realized by adopting a strong universal hash function f and a pointer value, the third message vector b is hidden by utilizing a strong universal hash function g, the safe transmission of the third message vector b is realized, the man-in-the-middle attack is resisted, and the technical problems that the current Auth protocol cannot resist the man-in-the-middle attack and the LPNAP protocol does not realize bidirectional authentication are solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an embodiment of an RFID mutual authentication protocol apparatus provided in an embodiment of the present invention;
Detailed Description
The embodiment of the invention provides a method and a device for a Radio Frequency Identification (RFID) mutual authentication protocol, which solve the technical problems that the current Auth protocol cannot resist man-in-the-middle attack and the LPNAP protocol does not realize mutual authentication.
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of an RFID mutual authentication protocol method provided in an embodiment of the present invention includes:
100. the reader generates a first message vector a which satisfies
Figure GDA0001606680100000051
Hamming overlap wt (a) l/2 of first message vector a, and second message vector m f (T) is calculatedSC), the first message vector a and the second message vector m ═ f (T)SC) sending to the label, wherein f is a strong universal hash function, and the secret key TsFor the Toeplitz matrix T to be associated with a vector s of (2l + n-1) bits with a uniform probability, c is a preset constant.
The reader generates a first message vector a which satisfies
Figure GDA0001606680100000052
Hamming overlap wt (a) l/2 of first message vector a, and second message vector m f (T) is calculatedSC), the first message vector a and the second message vector m ═ f (T)SC) sending the message to the tag, wherein the hamming overlap wt (a) l/2 of the first message vector a is set for judging whether a problem occurs in the transmission process of the reader.
101. The tag receives a first message vector a and a second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a satisfies wt (a) l/2 and m f (T)SC) and m ═ f (T)SC-1), generating a third message vector b, a first random vector r and a fourth message vector e obeying Bernoulli distribution, wherein f is a strong universal hash function and a secret key TsAssociating a Toeplitz matrix T with a vector s of (2l + n-1) bits with a uniform probability, l being a preset parameter, n being a polynomial on l, c being a preset constant;
it should be noted that the tag receives the first message vector a and the second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a does not satisfy wt (a) ═ l/2 and/or m ═ f (T)SC) and m ═ f (T)SAnd c-1) is not equal, the execution of the protocol is terminated.
The reader authentication of the tag is realized by using a strong universal hash function f, and in the process of resisting passive attack, the transmitted second message vector m is f (T)SC) every time the key is different, an attacker cannot eavesdrop correct information related to the key;
in the process of resisting active attacks, it is computationally infeasible to find x satisfying h (x) m for any given value m, according to the one-way nature of the hash function. So that the attacker is not aware of the secret key TsAnd the pointer value c, a value equal to m ═ f (T) is chosenSC) is not feasible, and the attacker cannot pass the authentication of the tag, and cannot obtain any response message of the tag.
102. The label is according to the third information vector b, the firstCalculating a random vector r and a fourth message vector e obeying the Bernoulli distribution to obtain a second random vector
Figure GDA0001606680100000061
Then, a hidden vector is obtained by calculation according to the second random vector z
Figure GDA0001606680100000062
Finally synthesizing (r, z, y) and sending the (r, z, y) to the reader;
it should be noted that the tag calculates a second random vector according to the third message vector b, the first random vector r, and the fourth message vector e that obeys bernoulli distribution
Figure GDA0001606680100000063
The first message vector a and the third message vector b jointly participate in the transmission of the message, the randomization of the communication key is realized, and then the hidden vector is obtained by calculation according to the second random vector z
Figure GDA0001606680100000064
And hiding the third message vector b, finally synthesizing (r, z, y) and sending the (r, z, y) to the reader.
In the process of resisting man-in-the-middle attack, an attacker attacks the protocol in a mode of intercepting messages, modifying messages and sending messages. Firstly, an attacker intercepts a first message vector a and a second message vector m ═ f (T) sent by a reader to a labelSC), the attacker may then set f (T) for the first and second message vectors a and m (T)SAnd c) making a modification to pass authentication of the tag. Based on the analysis of the active attack portion, there is no way for an attacker to modify the second message vector m ═ f (T)SAnd c) is adopted. In this case, an attacker may only modify the message (a, r, z, y), but any one of the attacker's modifications (a, r, z, y) will not be authenticated by the reader because: the first message vector a and the third message vector b jointly select the subkey (T) used by the communicationS)↓(a||b)According to the operation a b, only the first message vector a or the third message vector b is modifiedInformation vector b, then the traffic key must change. Further, the second random vector z may not be modified, as is known from the nature of the strong universal hash function. Thus, the attacker has no way to obtain the desired information by modifying the message and the man-in-the-middle attack fails.
103. After the reader receives (r, z, y) sent by the tag, whether the first random vector r is equal to 0 or not is judged, if yes, the execution of the protocol is terminated, and if not, a fifth message vector is obtained through calculation according to the second random vector z and the hidden vector y
Figure GDA0001606680100000071
Wherein g is a strong universal hash function;
it should be noted that, after the reader receives (r, z, y) sent by the tag, it is determined whether the first random vector r is equal to 0, if equal to 0, it represents that the tag does not pass the authentication of the reader, and terminates the execution of the protocol, and if not equal to 0, a fifth message vector is calculated according to the second random vector z and the hidden vector y
Figure GDA0001606680100000072
Wherein g is a strong universal hash function.
104. The label acquires the reader according to the first message vector a and the secret key TsAnd the first random vector r and the fifth message vector b' are used for obtaining an authentication result, wherein the authentication result is authentication error or authentication correct.
It should be noted that the tag obtains the first message vector a and the secret key T from the readersA first random vector r and a fifth message vector b', and judging by a reader
Figure GDA0001606680100000073
And obtaining an authentication result after the verification is true, wherein the authentication result is authentication error or authentication correctness, wherein tau is 1/4+ eta/2, and eta is a parameter of the Bernoulli distribution.
The symbolic illustration in the embodiment of the invention comprises:
z and R respectively represent an integer set and a real number set, a, b belongs to R, and [ a, b ] - { x belongs to R: a < x < b };
Z2representing a finite field, over which operations are modulo-2 addition and multiplication,
Figure GDA0001606680100000074
represents Z2A k-dimensional linear space above;
Figure GDA0001606680100000075
represents from
Figure GDA0001606680100000076
Wherein a binary vector r, wt (r) sampled according to the uniform distribution represents the Hamming weight of the vector r;
rTrepresents the transpose of the vector r;
suppose that
Figure GDA0001606680100000077
T↓vA sub-matrix representing the matrix T, which operates as: if v [ i ]]If 0, deleting the ith row in the matrix T;
ber (η) represents the Bernoulli distribution with parameter η (η ∈ [0,1/2 ]]) Namely Pr [ x ← beer (η): x is 1]=η;
Figure GDA0001606680100000081
Representing a vector of n-dimensional bits sampled from a bernoulli distribution;
if a, b represent a vector, then a | | | b represents a bit-wise concatenation of the 2 vectors (e.g., a | | | | b ═ 0,1,0,1, b | (1,1,0,0), then a | | | | b | (0,1,0,1,1,1,0, 0)).
The bidirectional authentication protocol process of the embodiment of the invention is as follows:
Figure GDA0001606680100000082
τ is 1/4+ η/2, η is a parameter of the bernoulli distribution.
In the embodiment of the invention, five message vectors are transmitted through two-round communication, the authentication of the tag to the reader is realized by adopting the strong universal hash function f and the pointer value, the third message vector b is hidden by utilizing the strong universal hash function g, the safe transmission of the third message vector b is realized, the man-in-the-middle attack is resisted, and the technical problems that the current Auth protocol cannot resist the man-in-the-middle attack and the LPNAP protocol does not realize bidirectional authentication are solved.
The above is a description of an embodiment of an RFID mutual authentication protocol method provided by an embodiment of the present invention, and an embodiment of an RFID mutual authentication protocol device provided by an embodiment of the present invention is described below.
Referring to fig. 1, the present invention provides an embodiment of an RFID mutual authentication protocol apparatus, including:
a first receiving unit 201, configured to receive a first message vector a and a second message vector m ═ f (T) sent by a reader by a tagSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a satisfies wt (a) l/2 and m f (T)SC) and m ═ f (T)SC-1), generating a third message vector b, a first random vector r and a fourth message vector e obeying Bernoulli distribution, wherein f is a strong universal hash function and a secret key TsAssociating a Toeplitz matrix T with a vector s of (2l + n-1) bits with a uniform probability, l being a preset parameter, n being a polynomial on l, c being a preset constant;
a first calculating unit 202, configured to calculate, by the tag, a second random vector according to the third message vector b, the first random vector r, and a fourth message vector e that obeys bernoulli distribution
Figure GDA0001606680100000091
Then, a hidden vector is obtained by calculation according to the second random vector z
Figure GDA0001606680100000092
Finally synthesizing (r, z, y) and sending the (r, z, y) to the reader;
a second calculating unit 203, configured to determine whether the first random vector r is equal to 0 after the reader receives (r, z, y) sent by the tag, and if so, terminate the protocolExecuting, if not equal to 0, calculating to obtain a fifth message vector according to the second random vector z and the hidden vector y
Figure GDA0001606680100000093
Wherein g is a strong universal hash function;
an authentication unit 204, configured to acquire, by the tag, the first message vector a and the secret key T from the readersAnd the first random vector r and the fifth message vector b' obtain an authentication result, wherein the authentication result is authentication error or authentication correct.
In this embodiment, an RFID mutual authentication protocol apparatus provided in an embodiment of the present invention further includes:
a generating unit 200 for the reader to generate a first message vector a satisfying
Figure GDA0001606680100000094
Hamming overlap wt (a) l/2 of first message vector a, and second message vector m f (T) is calculatedSC), the first message vector a and the second message vector m ═ f (T)SC) sending to the label, wherein f is a strong universal hash function, and the secret key TsAssociating a vector s of (2l + n-1) bits with a uniform probability for the Toeplitz matrix T, wherein c is a preset constant;
a second receiving unit 205, configured to receive, by the tag, a first message vector a and a second message vector m ═ f (T ═ f) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a does not satisfy wt (a) ═ l/2 and/or m ═ f (T)SC) and m ═ f (T)SAnd c-1) is not equal, the execution of the protocol is terminated.
The authentication unit is also used for the tag to acquire the reader according to the first message vector a and the secret key TsThe first random vector r and the fifth message vector b' are judged by the reader
Figure GDA0001606680100000095
And obtaining an authentication result after the verification is true, wherein the authentication result is authentication error or authentication correctness, wherein tau is 1/4+ eta/2, and eta is a parameter of the Bernoulli distribution.
In the embodiment of the invention, the third message vector
Figure GDA0001606680100000096
The Hamming overlap of the third message vector b satisfies wt (b) l/2, the first random vector
Figure GDA0001606680100000097
The embodiment of the invention has the following advantages:
(1) the embodiment of the invention is designed based on Toeplitz-LPN, and the Toeplitz matrix is selected as the key matrix, so that the low-cost storage of the label is realized;
(2) the protocol in the embodiment of the invention adopts two-round communication, only 5 vectors are transmitted in the whole communication process, and the communication complexity is linear;
(3) the embodiment of the invention adopts the strong universal hash function f and the pointer value c to realize the rapid authentication of the tag to the reader and the reliable transmission of the message.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (4)

1. An RFID mutual authentication protocol method, comprising:
s1, the tag receives a first message vector a and a second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a satisfies wt (a) l/2 and m f (T)SC) and m ═ f (T)SC-1), generating a third message vector b, a first random vector r and a fourth message vector e obeying Bernoulli distribution, wherein f is a strong universal hash function and a secret key TsAssociating a Toeplitz matrix T with a vector s of (2l + n-1) bits with a uniform probability, l being a preset parameter, n being a polynomial on l, c being a preset constant;
s2, calculating by the label according to the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution to obtain a second random vector
Figure FDA0002675585760000011
Then, a hidden vector is obtained by calculation according to the second random vector z
Figure FDA0002675585760000012
Finally synthesizing (r, z, y) and sending the (r, z, y) to the reader;
s3, after the reader receives (r, z, y) sent by the label, it is determined whether the first random vector r is equal to 0, if so, the execution of the protocol is terminated, and if not, the fifth message vector is calculated according to the second random vector z and the hidden vector y to obtain the second random vector r, and if not, the protocol is terminated
Figure FDA0002675585760000013
Wherein g is a strong universal hash function;
s4, the tag obtains the reader according to the first message vector a and the secret key TsThe first random vector r and the fifth message vector b' are used for obtaining an authentication result, wherein the authentication result is authentication error or authentication correct;
step S1 is preceded by:
s0, the reader generates a first message vector a which satisfies
Figure FDA0002675585760000014
Hamming overlap wt (a) l/2 of first message vector a, and second message vector m f (T) is calculatedSC), the first message vector a and the second message vector m ═ f (T)SC) sending to the label, wherein f is a strong universal hash function, and the secret key TsAssociating a vector s of (2l + n-1) bits with a uniform probability for the Toeplitz matrix T, wherein c is a preset constant;
further comprising:
the tag receives a first message vector a and a second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a does not satisfy wt (a) ═ l/2 and/or m ═ f (T)SC) and m ═ f (T)SAnd c-1) terminating the execution of the protocol if the two are not equal;
wherein:
z and R respectively represent an integer set and a real number set;
Z2representing a finite field, over which operations are modulo-2 addition and multiplication,
Figure FDA0002675585760000015
represents Z2A k-dimensional linear space above;
Figure FDA0002675585760000021
represents from
Figure FDA0002675585760000022
A binary vector a sampled according to the uniform distribution, wt (a), representing the hamming weight of vector a;
rTrepresents the transpose of the vector r;
T↓va sub-matrix representing the matrix T, which operates as: if v [ i ]]If 0, deleting the ith row in the matrix T;
a | | b represents the bit-wise concatenation of the 2 vectors;
step S4 specifically includes:
the label acquires the reader according to the first message vector a and the secret key TsA first random vector r and a fifth message vector b', and judging by a reader
Figure FDA0002675585760000023
And obtaining an authentication result after the verification is true, wherein the authentication result is authentication error or authentication correctness, wherein tau is 1/4+ eta/2, and eta is a parameter of the Bernoulli distribution.
2. The RFID mutual authentication protocol method of claim 1, wherein the third message vector
Figure FDA0002675585760000024
The Hamming overlap of the third message vector b satisfies wt (b) l/2, the first random vector
Figure FDA0002675585760000025
3. An RFID mutual authentication protocol device, comprising:
a first receiving unit, configured to receive, by a tag, a first message vector a and a second message vector m ═ f (T) sent by a readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a satisfies wt (a) l/2 and m f (T)SC) and m ═ f (T)SC-1), generating a third message vector b, a first random vector r and a fourth message vector e obeying Bernoulli distribution, wherein f is a strong universal hash function and a secret key TsAssociating a Toeplitz matrix T with a vector s of (2l + n-1) bits with a uniform probability, l being a preset parameter, n being a polynomial on l, c being a preset constant;
a first calculating unit, configured to calculate, by the tag, a second random vector according to the third message vector b, the first random vector r, and a fourth message vector e that obeys bernoulli distribution
Figure FDA0002675585760000026
Then, a hidden vector is obtained by calculation according to the second random vector z
Figure FDA0002675585760000027
Finally synthesizing (r, z, y) and sending the (r, z, y) to the reader;
a second calculating unit, configured to determine whether the first random vector r is equal to 0 after the reader receives (r, z, y) sent by the tag, terminate execution of the protocol if the first random vector r is equal to 0, and calculate to obtain a fifth message vector according to the second random vector z and the hidden vector y if the first random vector r is not equal to 0
Figure FDA0002675585760000028
Wherein g is a strong universal hash function;
an authentication unit for the tag obtaining the reader according to the first message vector a and the secret key TsThe first random vector r and the fifth message vector b' are used for obtaining an authentication result, wherein the authentication result is authentication error or authentication correct;
a generating unit for the reader to generate a first message vector a satisfying
Figure FDA0002675585760000031
Hamming overlap wt (a) l/2 of first message vector a, and second message vector m f (T) is calculatedSC), the first message vector a and the second message vector m ═ f (T)SC) sending to the label, wherein f is a strong universal hash function, and the secret key TsAssociating a vector s of (2l + n-1) bits with a uniform probability for the Toeplitz matrix T, wherein c is a preset constant;
further comprising:
a second receiving unit, configured to receive, by the tag, a first message vector a and a second message vector m ═ f (T) sent by the readerSC), m' ═ f (T) is obtained by calculationSC-1) and determining that the first message vector a does not satisfy wt (a) ═ l/2 and/or m ═ f (T)SC) and m ═ f (T)SAnd c-1) terminating the execution of the protocol if the two are not equal;
wherein:
z and R respectively represent an integer set and a real number set;
Z2representing a finite field, over which operations are modulo-2 addition and multiplication,
Figure FDA0002675585760000032
represents Z2A k-dimensional linear space above;
Figure FDA0002675585760000033
represents from
Figure FDA0002675585760000034
A binary vector a sampled according to the uniform distribution, wt (a), representing the hamming weight of vector a;
rTrepresents the transpose of the vector r;
T↓va sub-matrix representing the matrix T, which operates as: if v [ i ]]If 0, deleting the ith row in the matrix T;
a | | b represents the bit-wise concatenation of the 2 vectors;
the authentication unit is also used for the tag to acquire the reader according to the first message vector a and the secret key TsA first random vector r and a fifth message vector b', and judging by a reader
Figure FDA0002675585760000035
And obtaining an authentication result after the verification is true, wherein the authentication result is authentication error or authentication correctness, wherein tau is 1/4+ eta/2, and eta is a parameter of the Bernoulli distribution.
4. The RFID mutual authentication protocol device according to claim 3, wherein the third message vector
Figure FDA0002675585760000036
The Hamming overlap of the third message vector b satisfies wt (b) l/2, the first random vector
Figure FDA0002675585760000037
CN201711105510.5A 2017-11-10 2017-11-10 RFID bidirectional authentication protocol method and device Active CN107994992B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711105510.5A CN107994992B (en) 2017-11-10 2017-11-10 RFID bidirectional authentication protocol method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711105510.5A CN107994992B (en) 2017-11-10 2017-11-10 RFID bidirectional authentication protocol method and device

Publications (2)

Publication Number Publication Date
CN107994992A CN107994992A (en) 2018-05-04
CN107994992B true CN107994992B (en) 2020-11-10

Family

ID=62030710

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711105510.5A Active CN107994992B (en) 2017-11-10 2017-11-10 RFID bidirectional authentication protocol method and device

Country Status (1)

Country Link
CN (1) CN107994992B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110011804B (en) * 2019-03-12 2022-03-04 南京邮电大学 Ultra-lightweight RFID communication authentication method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488179A (en) * 2008-01-18 2009-07-22 华为技术有限公司 Authentication method and apparatus for wireless radio frequency recognition system
CN102739402A (en) * 2012-06-06 2012-10-17 天津大学 Strong safety certification method based on HB+ in RFID (Radio Frequency Identification Devices) system
CN103560881A (en) * 2013-10-16 2014-02-05 南京邮电大学 Radio frequency identification system safety certification and key agreement method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8359480B2 (en) * 2008-12-19 2013-01-22 University Of Washington Scalable RFID systems: a privacy preserving protocol with constant-time identification

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101488179A (en) * 2008-01-18 2009-07-22 华为技术有限公司 Authentication method and apparatus for wireless radio frequency recognition system
CN102739402A (en) * 2012-06-06 2012-10-17 天津大学 Strong safety certification method based on HB+ in RFID (Radio Frequency Identification Devices) system
CN103560881A (en) * 2013-10-16 2014-02-05 南京邮电大学 Radio frequency identification system safety certification and key agreement method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于LPN抗中间人攻击的两轮认证协议;姜晓,马昌社;《华南师范大学学报(自然科学版)》;20160525;第48卷(第3期);第1-4节 *

Also Published As

Publication number Publication date
CN107994992A (en) 2018-05-04

Similar Documents

Publication Publication Date Title
Ahmadian et al. Desynchronization attack on RAPP ultralightweight authentication protocol
KR101874119B1 (en) Authentication method between client and server, machine-readable storage medium, client and server
Hancke Distance-bounding for RFID: Effectiveness of ‘terrorist fraud’in the presence of bit errors
Gao et al. An ultralightweight RFID authentication protocol with CRC and permutation
CN108304902B (en) Ultra-lightweight mobile RFID system bidirectional authentication method
Doss et al. A minimum disclosure approach to authentication and privacy in RFID systems
Han et al. Vulnerability of an RFID authentication protocol conforming to EPC Class 1 Generation 2 Standards
Niu et al. EPC Gen2v2 RFID standard authentication and ownership management protocol
Sundaresan et al. A secure search protocol for low cost passive RFID tags
CN101488179A (en) Authentication method and apparatus for wireless radio frequency recognition system
Yang et al. Privacy-preserving group authentication for rfid tags using bit-collision patterns
Akgün et al. Attacks and improvements to chaotic map‐based RFID authentication protocol
Bhagat et al. Lightweight cryptographic algorithms based on different model architectures: A systematic review and futuristic applications
CN107994992B (en) RFID bidirectional authentication protocol method and device
Khorasgani et al. Novel lightweight RFID authentication protocols for inexpensive tags
Chien De-synchronization attack on quadratic residues-based RFID ownership transfer
Baha’A et al. Using dummy data for RFID tag and reader authentication
Huang et al. An ultralightweight mutual authentication protocol for EPC C1G2 RFID tags
Habibi et al. Attacks on recent RFID authentication protocols
Adeli et al. Mdsbsp: a search protocol based on mds codes for rfid-based internet of vehicle
Wang et al. Scalable and resynchronisable radio frequency identification ownership transfer protocol based on a sliding window mechanism
Mujahid et al. A review of ultralightweight mutual authentication protocols
CN106992861B (en) RFID (radio frequency identification) key wireless generation method and system with EPC (electronic product code) tag
ÖZCANHAN et al. Mersenne twister-based RFID authentication protocol
Niu et al. An ultralightweight and privacy-preserving authentication protocol for mobile RFID systems

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant