CN107994992B - RFID bidirectional authentication protocol method and device - Google Patents
- Publication number
- CN107994992B CN201711105510.5A
- Authority
- CN
- China
- Prior art keywords
- vector
- message
- message vector
- reader
- authentication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
- H04L9/3273—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response for mutual authentication
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
- H04L9/3242—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
- H04L2209/805—Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
Abstract
The invention provides a method and a device for an RFID (radio frequency identification) mutual authentication protocol, which are used for transmitting five message vectors through two-round communication, realizing the authentication of a tag on a reader by adopting a strong universal hash function f and a pointer value, hiding a third message vector b by utilizing a strong universal hash function g, realizing the safe transmission of the third message vector b, resisting man-in-the-middle attack, and solving the technical problems that the current Auth protocol cannot resist the man-in-the-middle attack and the LPNAP protocol does not realize the mutual authentication.
Description
Technical Field
The invention relates to the field of power system stability control, in particular to a Radio Frequency Identification Device (RFID) mutual authentication protocol method and device.
Background
In the Internet of Things, RFID technology carries a large amount of secret information about national materials, enterprise customer relationships and users' personal data. For reasons of national security, enterprise interests and user privacy, the RFID technology used to identify objects must be authenticated and protected; otherwise the reliability of the Internet of Things will be affected. Achieving authentication in low-cost RFID systems is therefore a necessary step in the development of RFID technology today. Many cryptographers have studied RFID authentication protocols and obtained significant results, but most current protocols attend only to the secure authentication of the tag and ignore the secure identification of the reader, so that unauthorized readers can still pass the secure authentication and tag information is leaked.
The purpose of RFID mutual authentication is to prevent unauthorized readers from browsing some or all of the information stored in the tags and to grant legitimate readers the ability to distinguish legitimate tags from illegitimate tags. The low cost and security requirements of RFID become a difficult point in the design of authentication protocols. On one hand, the computation and programming capabilities of the tags in the RFID system are limited by the cost of the tags, so that the tags only have very limited computation capabilities and can only perform simple logic operation; on the other hand, the wireless communication environment of the RFID system makes the RFID protocol vulnerable.
An RFID authentication protocol designed on the basis of LPN has two advantages: lower computational complexity, and resistance to quantum attack, because no effective quantum algorithm has been found so far that can solve the LPN problem within polynomial time. Hopper and Blum were the first to propose a provably secure two-round RFID authentication protocol based on LPN, the HB protocol, but the HB protocol can only resist passive attacks. Juels and Weis proposed the HB+ protocol with active security, but Gilbert, Robshaw and Sibert successfully implemented the GRS attack on the HB+ protocol. Gilbert et al. proposed the Random-HB# protocol, but Ouafi et al. implemented a man-in-the-middle attack on the Random-HB# protocol. Tang and Jidong Yao proposed an HB# protocol and gave a security proof of it against man-in-the-middle attack in the random oracle model, but Jiangxing et al. discovered a security hole in that HB# protocol and successfully implemented a man-in-the-middle attack. Kiltz et al. first proposed a two-round Auth protocol that is resistant to active attacks and provided a security proof, but the Auth protocol is not resistant to man-in-the-middle attacks. The two-round LPNAP protocol can resist man-in-the-middle attacks, but it does not achieve bidirectional authentication.
Therefore, it is necessary to provide a method and an apparatus for RFID mutual authentication protocol to solve the technical problems that the current Auth protocol cannot resist man-in-the-middle attack and the LPNAP protocol does not implement mutual authentication.
Disclosure of Invention
The invention provides a method and a device for a Radio Frequency Identification (RFID) mutual authentication protocol, which solve the technical problems that the current Auth protocol cannot resist man-in-the-middle attack and the LPNAP protocol does not realize mutual authentication.
The invention provides a Radio Frequency Identification Device (RFID) mutual authentication protocol method, which comprises the following steps:
S1, the tag receives a first message vector a and a second message vector m = f(T_s, c) sent by the reader, obtains m' = f(T_s, c-1) by calculation, and, after determining that the first message vector a satisfies wt(a) = l/2 and m = f(T_s, c) and m' = f(T_s, c-1), generates a third message vector b, a first random vector r and a fourth message vector e obeying the Bernoulli distribution, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, l is a preset parameter, n is a polynomial in l, and c is a preset constant;
S2, the tag calculates a second random vector z from the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution, then calculates a hidden vector y according to the second random vector z, and finally synthesizes (r, z, y) and sends it to the reader;
S3, after the reader receives (r, z, y) sent by the tag, it determines whether the first random vector r is equal to 0; if so, execution of the protocol is terminated, and if not, a fifth message vector b' is calculated according to the second random vector z and the hidden vector y, wherein g is a strong universal hash function;
S4, the tag obtains the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', wherein the authentication result is either authentication error or authentication correct.
Preferably, step S1 is preceded by:
S0, the reader generates a first message vector a, the Hamming weight of the first message vector a satisfying wt(a) = l/2, calculates a second message vector m = f(T_s, c), and sends the first message vector a and the second message vector m = f(T_s, c) to the tag, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, and c is a preset constant.
Preferably, the RFID mutual authentication protocol method provided by the present invention further includes:
the tag receives a first message vector a and a second message vector m = f(T_s, c) sent by the reader, obtains m' = f(T_s, c-1) by calculation, and, upon determining that the first message vector a does not satisfy wt(a) = l/2 and/or that m = f(T_s, c) and m' = f(T_s, c-1) are not equal, terminates execution of the protocol.
Preferably, step S4 specifically includes:
the tag obtains the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', the reader obtaining the authentication result after judging whether the verification condition holds, wherein the authentication result is either authentication error or authentication correct, τ = 1/4 + η/2, and η is the parameter of the Bernoulli distribution.
Preferably, the third message vector b has Hamming weight satisfying wt(b) = l/2, the first random vector
The invention also provides a RFID bidirectional authentication protocol device, which comprises:
a first receiving unit, configured for the tag to receive a first message vector a and a second message vector m = f(T_s, c) sent by the reader, obtain m' = f(T_s, c-1) by calculation, and, after determining that the first message vector a satisfies wt(a) = l/2 and m = f(T_s, c) and m' = f(T_s, c-1), generate a third message vector b, a first random vector r and a fourth message vector e obeying the Bernoulli distribution, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, l is a preset parameter, n is a polynomial in l, and c is a preset constant;
a first calculating unit, configured for the tag to calculate a second random vector z from the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution, then calculate a hidden vector y according to the second random vector z, and finally synthesize (r, z, y) and send it to the reader;
a second calculating unit, configured to determine, after the reader receives (r, z, y) sent by the tag, whether the first random vector r is equal to 0, to terminate execution of the protocol if it is equal to 0, and, if it is not equal to 0, to calculate a fifth message vector b' according to the second random vector z and the hidden vector y, wherein g is a strong universal hash function;
an authentication unit, configured for the tag to obtain the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', wherein the authentication result is either authentication error or authentication correct.
Preferably, the RFID mutual authentication protocol device provided by the present invention further includes:
a generating unit, configured for the reader to generate a first message vector a, the Hamming weight of the first message vector a satisfying wt(a) = l/2, to calculate a second message vector m = f(T_s, c), and to send the first message vector a and the second message vector m = f(T_s, c) to the tag, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, and c is a preset constant.
Preferably, the RFID mutual authentication protocol device provided by the present invention further includes:
a second receiving unit, configured for the tag to receive a first message vector a and a second message vector m = f(T_s, c) sent by the reader, obtain m' = f(T_s, c-1) by calculation, and, upon determining that the first message vector a does not satisfy wt(a) = l/2 and/or that m = f(T_s, c) and m' = f(T_s, c-1) are not equal, terminate execution of the protocol.
Preferably, the authentication unit is further configured for the tag to obtain the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', the reader obtaining the authentication result after judging whether the verification condition holds, wherein the authentication result is either authentication error or authentication correct, τ = 1/4 + η/2, and η is the parameter of the Bernoulli distribution.
Preferably, the third message vector b has Hamming weight satisfying wt(b) = l/2, the first random vector
From the technical scheme, the invention has the following advantages:
The invention provides a Radio Frequency Identification Device (RFID) mutual authentication protocol method, which comprises the following steps:
S1, the tag receives a first message vector a and a second message vector m = f(T_s, c) sent by the reader, obtains m' = f(T_s, c-1) by calculation, and, after determining that the first message vector a satisfies wt(a) = l/2 and m = f(T_s, c) and m' = f(T_s, c-1), generates a third message vector b, a first random vector r and a fourth message vector e obeying the Bernoulli distribution, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, l is a preset parameter, n is a polynomial in l, and c is a preset constant;
S2, the tag calculates a second random vector z from the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution, then calculates a hidden vector y according to the second random vector z, and finally synthesizes (r, z, y) and sends it to the reader;
S3, after the reader receives (r, z, y) sent by the tag, it determines whether the first random vector r is equal to 0; if so, execution of the protocol is terminated, and if not, a fifth message vector b' is calculated according to the second random vector z and the hidden vector y, wherein g is a strong universal hash function;
S4, the tag obtains the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', wherein the authentication result is either authentication error or authentication correct.
In the invention, five message vectors are transmitted through two-round communication, the authentication of the tag to the reader is realized by adopting a strong universal hash function f and a pointer value, the third message vector b is hidden by utilizing a strong universal hash function g, the safe transmission of the third message vector b is realized, the man-in-the-middle attack is resisted, and the technical problems that the current Auth protocol cannot resist the man-in-the-middle attack and the LPNAP protocol does not realize bidirectional authentication are solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic structural diagram of an embodiment of an RFID mutual authentication protocol apparatus provided in an embodiment of the present invention;
Detailed Description
The embodiment of the invention provides a method and a device for a Radio Frequency Identification (RFID) mutual authentication protocol, which solve the technical problems that the current Auth protocol cannot resist man-in-the-middle attack and the LPNAP protocol does not realize mutual authentication.
In order to make the objects, features and advantages of the present invention more obvious and understandable, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the embodiments described below are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of an RFID mutual authentication protocol method provided in an embodiment of the present invention includes:
100. The reader generates a first message vector a, the Hamming weight of the first message vector a satisfying wt(a) = l/2, calculates a second message vector m = f(T_s, c), and sends the first message vector a and the second message vector m = f(T_s, c) to the tag, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, and c is a preset constant.
It should be noted that the reader generates the first message vector a with Hamming weight wt(a) = l/2, calculates the second message vector m = f(T_s, c), and sends both to the tag; the Hamming weight wt(a) = l/2 of the first message vector a is set so that it can be judged whether a problem has occurred in the reader's transmission.
101. The tag receives a first message vector a and a second message vector m = f(T_s, c) sent by the reader, obtains m' = f(T_s, c-1) by calculation, and, after determining that the first message vector a satisfies wt(a) = l/2 and m = f(T_s, c) and m' = f(T_s, c-1), generates a third message vector b, a first random vector r and a fourth message vector e obeying the Bernoulli distribution, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, l is a preset parameter, n is a polynomial in l, and c is a preset constant;
It should be noted that if the tag receives the first message vector a and the second message vector m = f(T_s, c) sent by the reader, obtains m' = f(T_s, c-1) by calculation, and determines that the first message vector a does not satisfy wt(a) = l/2 and/or that m = f(T_s, c) and m' = f(T_s, c-1) are not equal, execution of the protocol is terminated.
The tag's authentication of the reader is realized using the strong universal hash function f. In resisting passive attack, the transmitted second message vector m = f(T_s, c) is different every time, so an attacker cannot eavesdrop correct information related to the key;
in resisting active attacks, by the one-way property of the hash function, it is computationally infeasible to find x satisfying h(x) = m for any given value m. Therefore, for an attacker who does not know the secret key T_s and the pointer value c, choosing a value equal to m = f(T_s, c) is infeasible; the attacker cannot pass the authentication of the tag and cannot obtain any response message from the tag.
102. The tag calculates a second random vector z from the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution, then calculates a hidden vector y according to the second random vector z, and finally synthesizes (r, z, y) and sends it to the reader;
It should be noted that the tag calculates the second random vector z from the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution; the first message vector a and the third message vector b jointly participate in the transmission of the message, which randomizes the communication key; the hidden vector y is then calculated according to the second random vector z, hiding the third message vector b; finally (r, z, y) is synthesized and sent to the reader.
In a man-in-the-middle attack, the attacker attacks the protocol by intercepting, modifying and sending messages. First, the attacker intercepts the first message vector a and the second message vector m = f(T_s, c) sent by the reader to the tag; the attacker may then modify the first message vector a and the second message vector m = f(T_s, c) in order to pass the authentication of the tag. By the analysis of the active attack above, the attacker has no way to modify the second message vector m = f(T_s, c). In this case the attacker can only modify the message (a, r, z, y), but a modification of any one of (a, r, z, y) will not be authenticated by the reader, because the first message vector a and the third message vector b jointly select the subkey (T_s)↓(a||b) used by the communication: according to the operation a||b, if only the first message vector a or the third message vector b is modified, the communication key must change. Further, the second random vector z cannot be modified, as follows from the properties of the strong universal hash function. Thus the attacker has no way to obtain the desired information by modifying the message, and the man-in-the-middle attack fails.
103. After the reader receives (r, z, y) sent by the tag, it determines whether the first random vector r is equal to 0; if so, execution of the protocol is terminated, and if not, a fifth message vector b' is calculated according to the second random vector z and the hidden vector y, wherein g is a strong universal hash function;
It should be noted that, after the reader receives (r, z, y) sent by the tag, it determines whether the first random vector r is equal to 0; if it is equal to 0, the tag has not passed the authentication of the reader and execution of the protocol is terminated; if it is not equal to 0, a fifth message vector b' is calculated according to the second random vector z and the hidden vector y, wherein g is a strong universal hash function.
104. The tag obtains the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', wherein the authentication result is either authentication error or authentication correct.
It should be noted that the tag obtains the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', the reader obtaining the authentication result after judging whether the verification condition holds, wherein the authentication result is either authentication error or authentication correct, τ = 1/4 + η/2, and η is the parameter of the Bernoulli distribution.
The symbolic illustration in the embodiment of the invention comprises:
Z and R respectively represent the set of integers and the set of real numbers; for a, b ∈ R, [a, b] = {x ∈ R : a < x < b};
Z_2 represents a finite field over which the operations are addition and multiplication modulo 2, represents a k-dimensional linear space over Z_2;
represents a binary vector r sampled from according to the uniform distribution; wt(r) represents the Hamming weight of the vector r;
r^T represents the transpose of the vector r;
suppose that T↓v represents a sub-matrix of the matrix T, which operates as follows: if v[i] = 0, the i-th row of the matrix T is deleted;
Ber(η) represents the Bernoulli distribution with parameter η (η ∈ [0, 1/2]), namely Pr[x ← Ber(η) : x = 1] = η; represents a vector of n-dimensional bits sampled from the Bernoulli distribution;
if a and b are vectors, then a || b represents the bit-wise concatenation of the two vectors (e.g., if a = (0,1,0,1) and b = (1,1,0,0), then a || b = (0,1,0,1,1,1,0,0)).
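Added example (not part of the patent text): a Python sketch of the Toeplitz key storage and the T↓v row selection defined above, showing how a || b selects the subkey (T_s)↓(a||b) and why altering a changes it. It assumes T has 2l rows and n columns and that a and b each have l bits, which is consistent with the (2l + n-1)-bit vector s but is not stated on the page; all sample values are constructed.

```python
# Illustrative sketch only. Assumptions (not stated on the page): T is a
# 2l x n matrix over Z_2, and a, b are l-bit vectors, so a || b has 2l bits.

def wt(v):
    """Hamming weight of a bit vector."""
    return sum(v)


def toeplitz(s, rows, cols):
    """Expand the stored vector s into a rows x cols Toeplitz matrix.

    Entry (i, j) depends only on i - j, so the whole matrix is determined
    by rows + cols - 1 bits; this is what keeps tag storage low.
    """
    if len(s) != rows + cols - 1:
        raise ValueError("s must have rows + cols - 1 bits")
    return [[s[i - j + cols - 1] for j in range(cols)] for i in range(rows)]


def select_rows(T, v):
    """T|v as defined in the symbol list: delete row i wherever v[i] == 0."""
    if len(v) != len(T):
        raise ValueError("v must have one bit per row of T")
    return [row for row, bit in zip(T, v) if bit == 1]


def subkey(s, a, b, l, n):
    """Subkey (T_s)|(a||b) after the weight checks wt(a) = wt(b) = l/2."""
    for name, v in (("a", a), ("b", b)):
        if len(v) != l or wt(v) != l // 2:
            raise ValueError(f"{name} must have {l} bits and weight {l // 2}")
    return select_rows(toeplitz(s, 2 * l, n), a + b)  # a + b is a || b


# Constructed sample values (l = 4, n = 3, so s has 2*4 + 3 - 1 = 10 bits).
L, N = 4, 3
S = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
A = [1, 0, 1, 0]            # wt(a) = 2 = l/2
B = [0, 1, 1, 0]            # wt(b) = 2 = l/2
A_MODIFIED = [0, 1, 1, 0]   # a altered in transit; still weight l/2
A_BAD_WEIGHT = [1, 1, 1, 0] # a altered so that wt(a) != l/2


def storage_bits(l, n):
    """(bits stored as vector s, bits of the expanded 2l x n matrix)."""
    return 2 * l + n - 1, 2 * l * n


if __name__ == "__main__":
    print("stored/expanded bits:", storage_bits(L, N))
    print("subkey for (a, b):      ", subkey(S, A, B, L, N))
    print("subkey for (a', b):     ", subkey(S, A_MODIFIED, B, L, N))
    try:
        subkey(S, A_BAD_WEIGHT, B, L, N)
    except ValueError as exc:
        print("weight check rejected a:", exc)
```

A modified a that keeps weight l/2 passes the weight check but selects a different set of rows, so both sides no longer work with the same subkey; a modified a with the wrong weight is rejected outright.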
The bidirectional authentication protocol process of the embodiment of the invention is as follows:
τ = 1/4 + η/2, where η is the parameter of the Bernoulli distribution.
In the embodiment of the invention, five message vectors are transmitted through two-round communication, the authentication of the tag to the reader is realized by adopting the strong universal hash function f and the pointer value, the third message vector b is hidden by utilizing the strong universal hash function g, the safe transmission of the third message vector b is realized, the man-in-the-middle attack is resisted, and the technical problems that the current Auth protocol cannot resist the man-in-the-middle attack and the LPNAP protocol does not realize bidirectional authentication are solved.
The above is a description of an embodiment of an RFID mutual authentication protocol method provided by an embodiment of the present invention, and an embodiment of an RFID mutual authentication protocol device provided by an embodiment of the present invention is described below.
Referring to fig. 1, the present invention provides an embodiment of an RFID mutual authentication protocol apparatus, including:
a first receiving unit 201, configured for the tag to receive a first message vector a and a second message vector m = f(T_s, c) sent by the reader, obtain m' = f(T_s, c-1) by calculation, and, after determining that the first message vector a satisfies wt(a) = l/2 and m = f(T_s, c) and m' = f(T_s, c-1), generate a third message vector b, a first random vector r and a fourth message vector e obeying the Bernoulli distribution, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, l is a preset parameter, n is a polynomial in l, and c is a preset constant;
a first calculating unit 202, configured for the tag to calculate a second random vector z from the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution, then calculate a hidden vector y according to the second random vector z, and finally synthesize (r, z, y) and send it to the reader;
a second calculating unit 203, configured to determine, after the reader receives (r, z, y) sent by the tag, whether the first random vector r is equal to 0, to terminate execution of the protocol if it is equal to 0, and, if it is not equal to 0, to calculate a fifth message vector b' according to the second random vector z and the hidden vector y, wherein g is a strong universal hash function;
an authentication unit 204, configured for the tag to obtain the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', wherein the authentication result is either authentication error or authentication correct.
In this embodiment, an RFID mutual authentication protocol apparatus provided in an embodiment of the present invention further includes:
a generating unit 200, configured for the reader to generate a first message vector a, the Hamming weight of the first message vector a satisfying wt(a) = l/2, to calculate a second message vector m = f(T_s, c), and to send the first message vector a and the second message vector m = f(T_s, c) to the tag, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated, with uniform probability, with a vector s of (2l + n-1) bits, and c is a preset constant;
a second receiving unit 205, configured for the tag to receive a first message vector a and a second message vector m = f(T_s, c) sent by the reader, obtain m' = f(T_s, c-1) by calculation, and, upon determining that the first message vector a does not satisfy wt(a) = l/2 and/or that m = f(T_s, c) and m' = f(T_s, c-1) are not equal, terminate execution of the protocol.
The authentication unit is further configured for the tag to obtain the authentication result that the reader derives from the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', the reader obtaining the authentication result after judging whether the verification condition holds, wherein the authentication result is either authentication error or authentication correct, τ = 1/4 + η/2, and η is the parameter of the Bernoulli distribution.
In the embodiment of the invention, the third message vector b has Hamming weight satisfying wt(b) = l/2, the first random vector
The embodiment of the invention has the following advantages:
(1) the embodiment of the invention is designed based on Toeplitz-LPN, and the Toeplitz matrix is selected as the key matrix, so that low-cost storage on the tag is realized;
(2) the protocol in the embodiment of the invention uses two rounds of communication, only 5 vectors are transmitted in the whole communication process, and the communication complexity is linear;
(3) the embodiment of the invention uses the strong universal hash function f and the pointer value c to realize rapid authentication of the reader by the tag and reliable transmission of the message.
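The building blocks this patent names (a Toeplitz key matrix expanded from the stored (2l + n - 1)-bit vector s, the row selection T↓v, the wt(a) = l/2 and r = 0 checks, and the threshold τ = 1/4 + η/2) can be exercised in a short Python sketch, added here as an illustration and not taken from the patent. Because the patent's formulas for z, y and the reader's verification are not preserved on this page, the response z = r^T · T↓(a||b) ⊕ e and the test wt(z ⊕ r^T · T↓(a||b)) ≤ τ·n are assumptions in the style of LPN-based authentication, as are the vector lengths (a, b, r of l bits; T of size 2l × n), the function names and the demo parameters; the hiding of b in y and the hash functions f and g are left out.

```python
import random

def toeplitz(s, rows, cols):
    """Expand the (rows + cols - 1)-bit vector s into a rows x cols Toeplitz
    matrix over Z_2; entry (i, j) depends only on i - j."""
    if len(s) != rows + cols - 1:
        raise ValueError("s must have rows + cols - 1 bits")
    return [[s[i - j + cols - 1] for j in range(cols)] for i in range(rows)]

def wt(v):
    """Hamming weight of a binary vector."""
    return sum(v)

def restrict(T, v):
    """T↓v: delete row i of T wherever v[i] == 0."""
    return [row for row, bit in zip(T, v) if bit]

def vec_mat(r, M):
    """r^T · M over Z_2: XOR together the rows of M selected by r."""
    out = [0] * len(M[0])
    for bit, row in zip(r, M):
        if bit:
            out = [x ^ y for x, y in zip(out, row)]
    return out

def fixed_weight(rng, length, weight):
    """Uniformly sampled binary vector with the given Hamming weight."""
    ones = set(rng.sample(range(length), weight))
    return [int(i in ones) for i in range(length)]

def respond(s, l, n, a, b, r, e):
    """Tag side. ASSUMED response z = r^T · T↓(a||b) XOR e (not from the page)."""
    if wt(a) != l // 2:              # page: terminate unless wt(a) = l/2
        return None
    T = toeplitz(s, 2 * l, n)        # rebuilt from s; only s is stored
    return [x ^ y for x, y in zip(vec_mat(r, restrict(T, a + b)), e)]

def accept(s, l, n, a, b, r, z, eta):
    """Reader side. ASSUMED test wt(z XOR r^T · T↓(a||b)) <= tau * n."""
    if wt(r) == 0 or wt(b) != l // 2:  # page: terminate when r = 0; wt(b) = l/2
        return False
    tau = 0.25 + eta / 2             # page: tau = 1/4 + eta/2
    clean = vec_mat(r, restrict(toeplitz(s, 2 * l, n), a + b))
    return wt([x ^ y for x, y in zip(z, clean)]) <= tau * n

if __name__ == "__main__":
    rng = random.Random(2017)        # constructed demo parameters, not the patent's
    l, n, eta = 16, 64, 0.125
    s = [rng.randrange(2) for _ in range(2 * l + n - 1)]
    a, b = fixed_weight(rng, l, l // 2), fixed_weight(rng, l, l // 2)
    r = fixed_weight(rng, l, 3)
    e = [int(rng.random() < eta) for _ in range(n)]   # Bernoulli(eta) noise
    z = respond(s, l, n, a, b, r, e)
    print("key bits stored:", len(s), "vs full matrix:", 2 * l * n)
    print("honest tag accepted:", accept(s, l, n, a, b, r, z, eta))
```

With these demo parameters the tag stores 95 key bits where the full 32 × 64 matrix would take 2048.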
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative: the division into units is only one logical division, and other divisions are possible in practice; a plurality of units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (4)
1. An RFID mutual authentication protocol method, comprising:
S1, the tag receives a first message vector a and a second message vector m = f(T_s, c) sent by the reader, calculates m' = f(T_s, c-1), and, upon determining that the first message vector a satisfies wt(a) = l/2 and that m = f(T_s, c) and m' = f(T_s, c-1) are equal, generates a third message vector b, a first random vector r and a fourth message vector e obeying the Bernoulli distribution, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated with a vector s of (2l + n - 1) bits sampled with uniform probability, l is a preset parameter, n is a polynomial in l, and c is a preset constant;
S2, the tag calculates a second random vector z according to the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution, then calculates a hidden vector y according to the second random vector z, and finally combines them into (r, z, y) and sends (r, z, y) to the reader;
S3, after receiving (r, z, y) sent by the tag, the reader determines whether the first random vector r is equal to 0; if so, execution of the protocol is terminated; if not, the fifth message vector b' is calculated according to the second random vector z and the hidden vector y, wherein g is a strong universal hash function;
S4, the tag obtains the reader's authentication result according to the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', wherein the authentication result is authentication error or authentication correct;
step S1 is preceded by:
S0, the reader generates a first message vector a, the Hamming weight of the first message vector a satisfying wt(a) = l/2, calculates a second message vector m = f(T_s, c), and sends the first message vector a and the second message vector m = f(T_s, c) to the tag, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated with a vector s of (2l + n - 1) bits sampled with uniform probability, and c is a preset constant;
further comprising:
the tag receives the first message vector a and the second message vector m = f(T_s, c) sent by the reader, calculates m' = f(T_s, c-1), and terminates execution of the protocol upon determining that the first message vector a does not satisfy wt(a) = l/2 and/or that m = f(T_s, c) and m' = f(T_s, c-1) are not equal;
wherein:
Z and R respectively represent the set of integers and the set of real numbers;
Z_2 represents a finite field, the operations over which are modulo-2 addition and multiplication, represents a k-dimensional linear space over Z_2;
represents a binary vector a sampled from according to the uniform distribution; wt(a) represents the Hamming weight of the vector a;
r^T represents the transpose of the vector r;
T↓v represents a sub-matrix of the matrix T, obtained as follows: if v[i] = 0, the i-th row of the matrix T is deleted;
a || b represents the bit-wise concatenation of the 2 vectors;
step S4 specifically includes:
the tag obtains the reader's authentication result according to the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', the authentication result being obtained after the reader judges that the verification condition holds, wherein the authentication result is authentication error or authentication correct, τ = 1/4 + η/2, and η is the parameter of the Bernoulli distribution.
3. An RFID mutual authentication protocol device, comprising:
a first receiving unit, configured for the tag to receive a first message vector a and a second message vector m = f(T_s, c) sent by a reader, to calculate m' = f(T_s, c-1), and, upon determining that the first message vector a satisfies wt(a) = l/2 and that m = f(T_s, c) and m' = f(T_s, c-1) are equal, to generate a third message vector b, a first random vector r and a fourth message vector e obeying the Bernoulli distribution, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated with a vector s of (2l + n - 1) bits sampled with uniform probability, l is a preset parameter, n is a polynomial in l, and c is a preset constant;
a first calculating unit, configured for the tag to calculate a second random vector z according to the third message vector b, the first random vector r and the fourth message vector e obeying the Bernoulli distribution, then to calculate a hidden vector y according to the second random vector z, and finally to combine them into (r, z, y) and send (r, z, y) to the reader;
a second calculating unit, configured for the reader, after receiving (r, z, y) sent by the tag, to determine whether the first random vector r is equal to 0, to terminate execution of the protocol if the first random vector r is equal to 0, and, if the first random vector r is not equal to 0, to calculate a fifth message vector b' according to the second random vector z and the hidden vector y, wherein g is a strong universal hash function;
an authentication unit, configured for the tag to obtain the reader's authentication result according to the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', wherein the authentication result is authentication error or authentication correct;
a generating unit, configured for the reader to generate a first message vector a, the Hamming weight of the first message vector a satisfying wt(a) = l/2, to calculate a second message vector m = f(T_s, c), and to send the first message vector a and the second message vector m = f(T_s, c) to the tag, wherein f is a strong universal hash function, the secret key T_s is the Toeplitz matrix T associated with a vector s of (2l + n - 1) bits sampled with uniform probability, and c is a preset constant;
further comprising:
a second receiving unit, configured for the tag to receive the first message vector a and the second message vector m = f(T_s, c) sent by the reader, to calculate m' = f(T_s, c-1), and to terminate execution of the protocol upon determining that the first message vector a does not satisfy wt(a) = l/2 and/or that m = f(T_s, c) and m' = f(T_s, c-1) are not equal;
wherein:
Z and R respectively represent the set of integers and the set of real numbers;
Z_2 represents a finite field, the operations over which are modulo-2 addition and multiplication, represents a k-dimensional linear space over Z_2;
represents a binary vector a sampled from according to the uniform distribution; wt(a) represents the Hamming weight of the vector a;
r^T represents the transpose of the vector r;
T↓v represents a sub-matrix of the matrix T, obtained as follows: if v[i] = 0, the i-th row of the matrix T is deleted;
a || b represents the bit-wise concatenation of the 2 vectors;
the authentication unit is further configured for the tag to obtain the reader's authentication result according to the first message vector a, the secret key T_s, the first random vector r and the fifth message vector b', the authentication result being obtained after the reader judges that the verification condition holds, wherein the authentication result is authentication error or authentication correct, τ = 1/4 + η/2, and η is the parameter of the Bernoulli distribution.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711105510.5A CN107994992B (en) | 2017-11-10 | 2017-11-10 | RFID bidirectional authentication protocol method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107994992A (en) | 2018-05-04 |
CN107994992B (en) | 2020-11-10 |
Family
ID=62030710
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711105510.5A Active CN107994992B (en) | 2017-11-10 | 2017-11-10 | RFID bidirectional authentication protocol method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107994992B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110011804B (en) * | 2019-03-12 | 2022-03-04 | 南京邮电大学 | Ultra-lightweight RFID communication authentication method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101488179A (en) * | 2008-01-18 | 2009-07-22 | 华为技术有限公司 | Authentication method and apparatus for wireless radio frequency recognition system |
CN102739402A (en) * | 2012-06-06 | 2012-10-17 | 天津大学 | Strong safety certification method based on HB+ in RFID (Radio Frequency Identification Devices) system |
CN103560881A (en) * | 2013-10-16 | 2014-02-05 | 南京邮电大学 | Radio frequency identification system safety certification and key agreement method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8359480B2 (en) * | 2008-12-19 | 2013-01-22 | University Of Washington | Scalable RFID systems: a privacy preserving protocol with constant-time identification |
Non-Patent Citations (1)
Title |
---|
Two-round authentication protocol based on LPN resistant to man-in-the-middle attacks; 姜晓, 马昌社; 《华南师范大学学报(自然科学版)》; 20160525; Vol. 48, No. 3; Sections 1-4 * |
Also Published As
Publication number | Publication date |
---|---|
CN107994992A (en) | 2018-05-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||