KR100680272B1 - Rfid authentication system and its method - Google Patents

Abstract

An RFID(Radio Frequency IDentification) authentication system and a method thereof are provided to usefully apply to a low price type tag, detect or prevent retransmission and spoofing attack, and offer recovery when a message is missed. The tag(420) stores an ID, generates/transmits a hash function value of the ID to a reader(420) if a query is received, generates/transmits a right half to the reader if a left half of the hash function value connecting/operating the ID and a random number is received, and updates an XOR value of the ID and the random number if tag authentication is completed. The reader transmits the hash function value to a database(440) if the hash function value is received by sending the query to the tag, and transmits the left half and the random number to the tag if the hash value connecting/operating the ID and the random number is received from the database. The database is equipped with tag information, the ID, the hash value of the ID, and a random number generator.

Description

RFID authentication system and its method {RFID authentication system and its method}

1 illustrates an RFID authentication protocol model.

2 shows the authentication process of the HL.

3 shows an HIDV authentication process.

4 is a block diagram showing the configuration of the first embodiment of the RFID tag authentication system according to the present invention.

5 is a flowchart of an RFID authentication method according to a first embodiment of the present invention.

6 is a block diagram showing a configuration of a second embodiment of an RFID tag authentication system according to the present invention.

7 is a flowchart of an authentication method for a second embodiment of the present invention.

The present invention relates to RFID (Radio Frequency Identification) authentication, and more particularly, to a RFID tag authentication system and a method for a low-cost RFID tag.

RFID is a very small chip that can analyze an object at a long distance wirelessly using a constant frequency band and transmit and receive various data. It is a core technology of next generation information communication. It was developed and used for the first time in the United Kingdom during the Second World War. The tags used at that time were expensive and were not widely available to the public because they were not economical. Unlike other connected cards, RFID tags do not require the user to insert the card into the reader and have no mechanical contact, so there is no friction, no damage, and less pollution or environmental effects. In addition to these advantages, as the price of RFID tags is lowered, many fields that previously used optical barcodes are changing their systems to RFID systems, and thus their use is being expanded. The RFID system is composed of a tag having personal information, a reader receiving the tag's information and transmitting it in a database, and a database having information of all tags. In a ubiquitous environment, RFID systems will be useful for factory automation, logistics and distribution management, security, access control, person / animal tracking, toll collection, counterfeit bills, and home networks.

As RFID systems become more practical, the risk of privacy invasion increases. Low-cost RFID tags are small in size and store unique numbers within them. In this case, the RFID tag may be embedded in the user's product without the user's knowledge, and may communicate with the reader without the user's knowledge in a ubiquitous environment. This allows all attackers with readers to know the tag's information and track the user's location through the unique tag's identification number.

One of the methods for ensuring personal information privacy and location privacy in the RFID system is the RFID authentication protocol. 1 illustrates an RFID authentication protocol model, in which communication between a reader and a tag is wireless and insecure, and communication between a reader and a database is secure by wire. In the RFID authentication protocol, when a reader inquires through ①, the tag and reader exchange valid information ②, ⑤ that can be authenticated with each other in order to ensure the privacy of each other. Send information ⑥. The information that the tag sends to the reader for its validity to satisfy location privacy varies for each authentication session.

Looking at the proposed RFID authentication protocols, the protocol proposed by Weis is to ensure privacy privacy. The protocol proposed by Henrici and Muller ensures privacy and location privacy, prevents retransmission attacks, does not detect spoofing attacks, and has a large amount of tag memory and requires three hash operations.

This will be described in more detail as follows. First, the Hash-Lock Scheme (hereinafter HL) protocol will be described. Weis' proposed tag for HL is passive and has a few hundred bits of memory with read-only identification functionality. Table 1 shows the components and calculation tools of HL.

Here, ID represents actual data of a tag, key represents a random value, metaID represents a hash value of key (= h (key)), and h () represents a one-way hash function.

A tag with a hash function as an operation tool in HL stores, by its owner, a temporary metaID value for the authentication process, including its actual data ID. At this time, metaID is the hash value of the randomly selected key (metaID = h (key)). This process is called a lock process. After the locking process, the owner of the tag stores the key and metaID in the database. This is done securely by RF channel or physical contact for security.

2 shows the authentication process of the HL. HL's certification process is divided into locked and unlocked. First, while the tag is locked and locked, the tag responds by sending a metaID to all reader queries, and does nothing until the tag is open. However, the tag receives the key, which is the information sent by the reader, hashes it, and if it is the same as the metaID it has, it determines that the information is valid and sends the ID as the status changes to open. At this time, the open state is made in a very short moment to prevent the attacker from eavesdropping on the ID, and returns to the locked state. This locking ensures the privacy of the tags.

HL manages the keys of every tag, assuming that the tag only needs one hash operation, and the database is secure. The safety of HL is based on a one-way hash function. Because of the nature of the hash function, it is difficult for anyone who does not know the key to find the key from the metaID, so any attacker cannot pretend to be a legitimate reader. However, since the communication between the reader and the tag can be eavesdropped, an attacker who has eavesdropped on the communication between the specific tag and the legitimate reading period can change the tag to an open state and obtain an ID by sending a query and transmitting an eavesdropping key. Therefore, HL does not guarantee privacy. HL cannot prevent replay attacks and spoofing attacks on any tag, but it can detect them.

However, as mentioned earlier, after eavesdropping on the communication of a specific tag, an ID value can be obtained, which does not guarantee personal privacy. In addition, since metaID is used as a personal identifier, each time the tag responds to the reader's query, the same metaID is sent, allowing tracking to readers and eavesdroppers. In other words, eavesdroppers, including readers, can eavesdrop on the same metaID and key being sent, so the location privacy of the tag is not guaranteed.

Next, the Hash-based ID Variation (HIDV) protocol is as follows. HIDV ensures location privacy by varying ID values. Unlike HL, the ID is a random value for authentication. The actual information about the tag is stored in the database as DATA. When the ID needs to be sent to the reader, the database sends it directly. Since communication between the database and the reader is assumed to be secure, this ensures privacy of personal information. DATA may be stored in the tag, but in the present invention, authentication is considered first, so it is assumed that the tag does not have DATA. Table 2 shows the components and calculation tools of HIDV in a table.

는 XOR 연산(exclusive-or function)이다.Here, the ID is a random value for authentication and changes every time authentication is successful, the HID is a hash value of ID (= h (ID)), and the TID is initialized to an ongoing authentication session number (initial fosea value such as LST). .), AE is the associated database entry for memory connection, DATA is the actual data such as user information, tag information, h () is a one-way hash function, RNG is a random number generator,

Is an XOR operation (exclusive-or function).

The user inputs an ID as an arbitrary random value in the tag, and enters another random value in the same way as the TID and the LST. Then enter HID, ID, TID, LST, AE and DATA into the database through secure contact. At this time, h (ID) is input to the HID. In HIDV, the h (ID) of a tag is used to find the memory row of that tag as a HID in the database, and TID and LST are used to prevent replay attacks. In addition, AE is used to recover from an attack such as message loss or message manipulation. The database has two memory rows for a tag, which are linked together by AE.

ID) 는 인증 및 재전송 공격을 막기 위해 쓰인다. 이러한 정보를 받은 데이터베이스는 태그를 인증하고 임의의 랜덤 값 R 을 생성하여 태그에게 전송되도록 한다. R 은 ID 를 갱신 (update) 하는데 쓰이며, 이를 통해 다음 인증 세션의 h(ID) 가 바뀌게 되어 위치 프라이버시가 보장되게 된다. 그리고 데이터베이스가 보낸 h(R

TID

ID) 는 태그가 받은 R 이 타당한지 확인하기 위해 쓰인다. HIDV에서 ⑤번째 과정이 제대로 수행되면, 태그는 h(R

TID

ID)를 생성해 전송받은 값과 비교해 본 후, 값이 같으면 기존의 ID 를 ID = (ID

R) 값으로 갱신하고, LST 값을 TID 값으로 저장한다.The HIDV certification process is as follows. When the reader sends a query to the tag, the tag increases the TID by 1 and then transmits information such as ② in FIG. h (ID) is used to find information about the tag in the database.h (TID

ID) is used to prevent authentication and replay attacks. Having received this information, the database authenticates the tag and generates a random random value R to be sent to the tag. R is used to update the ID, which changes the h (ID) of the next authentication session, ensuring location privacy. And h (R sent by database

TID

ID) is used to verify that the R received by the tag is valid. If the ⑤th process is executed correctly in HIDV, the tag is h (R

TID

Create an ID) and compare it with the received value.If the values are the same, replace the existing ID with ID = (ID

R) update the value and store the LST value as the TID value.

HIDV updates the ID value with a random R for each authentication session, ensuring location privacy from eavesdropping attackers, including readers. In addition, TID and LST are used to prevent replay attacks by attackers, and message recovery can be recovered through AE.

HIDV, however, cannot prevent spoofing attacks. For example, an attacker can receive the information of ② by querying an arbitrary tag, and authenticate the legitimate reader by using the information ② obtained while the tag does not open the next authentication session. Such an attack cannot be detected by the reader or the database, so the attacker authenticates with a legitimate tag. The tag that gave ② to the attacker also could not detect the spoofing attack because it didn't receive the information ⑤. This spoofing attack allows attackers to authenticate from legitimate readers. Another problem is that a tag must have three kinds of memory, and the hash operation is also performed three times, which increases the price of the tag.

The first technical task of the present invention is to provide an RFID authentication system that satisfies more security considerations than existing authentication systems and authentication methods and is useful for low cost tags.

The second technical problem to be achieved by the present invention is to provide an RFID authentication method in the RFID authentication system.

The third technical problem to be achieved by the present invention is to provide a computer-readable recording medium that records a program for executing the RFID authentication method on a computer.

R)으로 갱신하는 태그; 상기 태그에 질의하여 h(ID)를 수신하면 데이터베이스로 전송하고, 데이터베이스로부터 h(ID ∥R)를 수신하면 이에 대한 왼쪽 반(half_L(h(ID ∥R))) 및 R을 태그로 전송하는 판독기; 및 상기 태그 정보(DATA), ID, 상기 ID의 해쉬값(HID) 및 랜덤값 생성기(R.N.G)를 구비하며, 상기 h(ID)를 수신하면 이를 이용하여 태그의 정보를 찾아 확인하고, 상기 R 및 h(ID ∥R)를 생성하여 판독기로 전송하고, 태그인증이 완료되면 ID를 ID

R로 갱신하는 데이터베이스를 포함하는 것을 특징으로 한다.The RFID authentication system according to the present invention for achieving the above technical problem, in the RFID authentication system having a tag, a reader and a database, the ID is stored, and when a query comes in, generates a hash function value h (ID) of the ID. And transmits to the reader and receives the left half (half_L (h (ID ∥R)) of the hash function value h (ID ∥R) of the value (ID ∥R) by linking the ID and the random value R. Generates the right half (half_R (h (ID ∥R)) for h (ID∥R)) and sends it to the reader.When tag authentication is completed, the ID is exclusively the sum of the ID and R (ID).

Tag to update to R); When querying the tag and receiving h (ID), it is sent to the database.When receiving h (ID ∥R) from the database, the left half (half_L (h (ID ∥R))) and R are transmitted to the tag. reader; And the tag information DATA, an ID, a hash value HID of the ID, and a random value generator NRG. Upon receipt of the h ID, the tag information DATA is used to find and confirm the tag information. And h (ID ∥R) is generated and transmitted to the reader, and the ID is ID when tag authentication is completed.

It is characterized by including a database to update to R.

R)으로 갱신하는 단계를 포함하는 것을 특징으로 한다.In the RFID authentication method in the RFID authentication system according to the present invention for achieving the technical problem, in the RFID authentication method in the RFID authentication system having a tag, a reader and a database, the step of interrogating the tag for authentication ; Sending to the reader a value h (ID) of the tag ID hashed for the query; Receiving the h (ID), transmitting it to a database; Upon receiving h (ID) from the reader, the database finds and confirms the information of the tag through h (ID), hashes the random value R and the ID and R by hashing the function (h (ID ∥R). Generating)) and sending it to the reader; Upon receiving the R and h (ID ∥R), transmitting half_L (h (ID ∥R)) and R, which are the left half of h (ID ∥R), to the tag; Upon receiving the R and half_Lh (ID ∥R), the tag checks that the received information is valid if the R and half_L (h (ID ∥R)) matches the left side of the h (ID ∥R) they have made, Sending half_Rh (ID ∥R) to the reader to the right of h (ID ∥R); And when the authentication is completed, the database and the tag exclusively sum ID with the ID and the random value R.

R) updating to.

(R ∥R))으로 갱신하는 태그; 랜덤숫자생성기(R.N.G)를 구비하며, 태그에 질의할 때 상기 R.N.G에서 생성된 랜덤숫자(S)를 함께 전송하며, 태그로부터 h(ID) 및 half_L(R)를 수신하면 S, h(ID) 및 half_L(R)를 데이터베이스로 전송하고, 데이터베이스로부터 상기 half_R(R)를 수신하면 이를 태그로 전송하는 판독기; 및 상기 RFID 태그의 정보(DATA), 상기 ID, ID의 해쉬값(HID) 및 메모리 연결을 위한 데이터베이스 엔트리(AE)를 구비하며, 판독기로부터 h(ID), S 및 R의 오른쪽 반 값인 half_L(R)을 수신하면 h(ID)를 통해 태그의 정보를 확인하고, ID와 S를 이용하여 R을 생성하며, 상기 R의 왼쪽부분이 판독기로부터 받은 값과 같다면 태그를 정당하다고 판단하고 자신의 인증을 위해 half_R(R)를 생성하여 판독기로 전송하며, 상기 R을 통해 ID를 ID = ID

(R∥R)로 갱신하며 상기 갱신되는 정보들은 AE에 의해 연결되는 메모리에 저장하는 데이터베이스를 포함하는 것을 특징으로 한다.In an RFID authentication system according to the present invention for achieving the above technical problem, in the RFID authentication system having a reader, a tag and a database, the ID is stored, and a value that hashes the ID when a query and a random value (S) comes. generates half_L (R) corresponding to h (ID) and the left half of R and sends it to the reader, receives half_R (R) corresponding to the right half of R from the reader, checks whether it matches the one created When the authentication is completed, the ID is the exclusive logical sum of the ID and R ∥R (ID

(R ∥R) tag to update; It has a random number generator (RNG), and transmits the random number (S) generated in the RNG when querying the tag, S, h (ID) when receiving h (ID) and half_L (R) from the tag And a reader for transmitting half_L (R) to a database and transmitting the half_L (R) to a tag upon receipt of the half_R (R) from the database. And a data entry (ID) of the RFID tag, the ID, a hash value (HID) of the ID, and a database entry (AE) for a memory connection, and half_L (the right half value of h (ID), S and R from the reader). When R) is received, the information of the tag is checked through h (ID), and R is generated using ID and S. If the left part of R is equal to the value received from the reader, the tag is determined to be valid and its own A half_R (R) is generated and sent to the reader for authentication, where ID is sent as ID = ID

(R ∥R) and the updated information includes a database storing in the memory connected by the AE.

(R ∥R)로 갱신하며 갱신되는 정보들은 AE에 의해 연결되는 메모리에 저장하는 단계; half_R(R)를 받으면, 판독기는 태그에게 half_R(R)를 전송하는 단계; 및 세션이 안전하게 끝나면, 태그와 데이터베이스는 ID 를 ID

(R ∥R)로 갱신하는 단계를 포함하는 것을 특징으로 한다.The RFID authentication method in the RFID authentication system according to the present invention for achieving the above technical problem, in the RFID authentication method in the RFID authentication system having an RFID tag, a reader and a database, the reader generates a random value S tag Sending the S while querying; When the query is received with S, the tag generates h (ID ∥S) as an R value, generates a hash function value h (ID) of ID and half_L (R), which is the left half of R, to the reader. Transmitting; The reader sending the S together with the information received from the tag to the database; When receiving h (ID), S, half_L (R), the database checks the tag information through h (ID), generates R using ID and S, and the left part of the generated R is read from the reader. If it is equal to the value received, the tag is considered legitimate, and half_R (R), the right part of R, is sent to the reader for authentication, and the database sends the ID via R to ID = ID.

(R || R) updating and storing the updated information in a memory connected by the AE; upon receiving half_R (R), the reader sends half_R (R) to the tag; And when the session ends securely, the tag and database

(R ∥R).

The present invention provides a computer readable recording medium having recorded thereon a program for executing the RFID authentication method in a computer in order to achieve the third technical problem.

Hereinafter, an RFID tag authentication system and method thereof according to the present invention will be described in detail with reference to the accompanying drawings. In the RFID authentication system according to the present invention, the RFID tag has a memory and a hash function. RFID tags can be divided into passive tags and active tags according to their functions. The tags used in the present invention are active tags. The cryptographic hash function is defined as y = h (x), and y does not get any partial information about x. In reality, the cryptographic one-way hash function suitable for the hardware is sufficient, thereby asserting the security of the RFID authentication protocol. Current low cost tags usually have 200 to 2,000 gates. The implementation of standard cryptographic hash functions such as SHA-1 requires approximately 20,000 gates, but this is expected to be available in low cost tags in the near future.

On the other hand, security considerations in the RFID authentication system and method are as follows. Take the RFID authentication protocol as an example. Today's logistics warehouses require security guards to validate the vehicles and people entering and leaving the warehouse, but automation can be achieved using RFID authentication systems. A reader is installed at the entrance of the warehouse to ensure that only vehicles and persons with certified tags are allowed access. In the RFID authentication system, it is assumed that the communication between the reader and the tag is wireless and that the communication between the reader and the database is secure by wire. Therefore, the following security requirements must be satisfied.

(1) Eavesdropping: Communication between the reader and the tag can be eavesdropped over wireless communication. (2) Traffic Analysis: An attacker who can eavesdrop can analyze arbitrary information with the eavesdropping. (3) Replay Attack: The attacker can resend the eavesdropping to a legitimate reader. (4) Spoofing Attack: An attacker can pretend to be a legitimate tag by pretending to be a reader to any tag to obtain the information of the legitimate tag, and showing the legitimate reader the information from the tag. (5) Denial of Service: An attacker can make noise or distort the RF communication between the tag and the reading period even if the attacker cannot obtain useful information from the RFID system. (6) Loss of message: Data may be damaged or lost due to denial of service or communication problem by attacker. (7) Physical Attacks: Attackers can physically attack tags by stealing them.

On the other hand, the present invention provides two embodiments of the RFID tag authentication system. The first embodiment is Improved Hash-based ID Variation-1 (hereinafter referred to as IHIDV-1) and the second embodiment is Improved Hash-based ID Variation-2 (hereinafter referred to as IHIDV-2).

The IHIDV-1 reduces the amount of memory and the amount of hash operations and is useful for low cost tags. The IHIDV-1 does not prevent retransmission attacks or spoofing attacks, but can detect the IHIDV-1. Therefore, the IHIDV-1 can be used as a low-cost tag authentication protocol in an environment with little such attacks.

The tag has only a random value ID for authentication, and the database has a HID and ID, which is a hash value of the tag information DATA and ID. These inputs are safely made via RF communication or physical contact in advance. Table 3 shows the components and calculation tools of IHIDV-1.

는 XOR 연산(exclusive-or function), ∥ 는 연결연산(concatenate function)이며, half_L ( ) 는 입력되는 값의 왼쪽 반을 출력하는 함수이며, half_R ( ) 는 입력되는 값의 오른쪽 반을 출력하는 함수이다.Here, ID is a random value for authentication and changes every authentication success. HID is a hash value of ID (= h (ID)), DATA is actual data such as user information and tag information, and h () is a one-way hash. Function, R, N, G are random number generators,

Is an XOR operation, ∥ is a concatenate function, half_L () is the function that outputs the left half of the input value, and half_R () is the function that outputs the right half of the input value. to be.

4 is a block diagram showing the configuration of the first embodiment of the RFID tag authentication system according to the present invention, and includes a tag 400, a reader 420, and a database 440. As shown in FIG.

R)으로 갱신한다.The tag 400 stores a random value ID for authentication. When the tag 400 receives a query from the reader 420, the tag 400 generates a value h (ID) of the ID by hashing the ID and transmits the ID to the reader. The tag 400 obtains the value half_L (h (ID ∥R) obtained by taking the left half of the value h (ID ∥R) by hashing the value (ID ∥R) by linking the ID and the random value R. It generates and transmits to the reader 420, and when the authentication for the tag is completed, the ID is the exclusive logical sum of the ID and R (ID ∥)

Update to R).

The reader 420 queries the tag 400 for tag authentication. When the reader 420 receives a hash function value h (ID) of the ID from the tag 400 as a result of the query, the reader 420 sends the h (ID) to the database 440. ) And a value h (ID ∥R) obtained by hashing the ID and the random value R from the database 440 and concatenating a random value R from the database 440. (h (ID ∥R)) and the R to the tag 400.

R로 갱신한다. 또한 상기 데이터베이스(440)는 태그정보(DATA), HID 및 ID를 RF통신이나 물리적인 접촉을 통해 안전하게 입력받는다.The database 440 stores the tag information DATA, the ID, a hash value HID of the ID, and a random value generator RNG. When the database 440 receives the h (ID) from the reader 420, the database 440 finds and confirms information on the tag using the h (ID), and connects the random value R generated using the RNG with the ID and the R. The value h (ID ∥R) of the hash function is generated and transmitted to the reader 420. Also, ID verification when tag verification is complete

Update to R In addition, the database 440 receives the tag information (DATA), HID and ID securely through RF communication or physical contact.

In the tag 400, the reader 420, and the database 440, the left half (half_L (h (ID ∥R)) may be replaced with the right half (half_L (h (ID ∥R)). When the right half (half_L (h (ID | R)) is the left half (half_L (h (ID | R)).

Next, an RFID authentication method for the first embodiment IHIDV-1 will be described. 5 is a flowchart illustrating an RFID authentication method for IHIDV-1, which is a first embodiment of the present invention.

Referring to FIG. 5, first, the reader 420 queries the tag 400. (Reference number ①) The tag 400, which has received an inquiry from the reader 420, hashes its own ID with the value h (ID). Is transmitted to the reader 420. (2) The reader 420 then transmits the information received from 2 to the database 440. (3) The database 440 is connected via h (ID). The information of the tag 400 is found and confirmed, and a random value R for updating the ID is generated. In order to prevent the reader 420 or an attacker from tampering with R, R (h) is generated and sent together. (Ref. No. 4) The reader 420 transmits R and h ( Send half_L (h (ID ∥R)) which is the left half of ID ∥R. (Ref. ⑤)

The tag 400 receiving the R and half_L (h (ID ∥R)) checks that the information received from ⑤ is valid if the information received from ⑤ matches the left side of h (ID ∥R) that can be made. In addition, it also informs the reader 420 that R has been properly received by sending half_Rh (ID ∥R) to the right of h (ID ∥R) (reference number ⑥).

R 로 갱신한다.When the session is completed normally, the tag 400 is authenticated, and the ID of the database and the tag is ID = ID

Update to R

The safety, advantages and disadvantages of the first embodiment IHIDV-1 are as follows. The IHIDV-1 satisfies the personal information privacy because it is assumed that the personal information DATA of the tag 400 is stored in the database 440, and the ID is updated by the random value R generated by the database. To ensure.

The attacker can retransmit ② obtained by eavesdropping, but the attack is not successful because the HID value stored in the database has already been changed in the previous step. IHIDV-1 does not prevent spoofing attacks, but can detect them. An attacker can query any tag to get h (ID), and ask the legitimate reader for authentication. If the legitimate tag did not request the next authentication session, the reader determines that the attacker is legitimate and sends ⑤. However, since the attacker does not send ⑥, the reader detects the spoofing attack. Readers and tags passing ⑤ and ⑥ also detect the loss of messages.

라 가정한다. 표 4는 IHDIV-2의 구성요소 및 연산도구를 나타낸 것이다.Next, IHIDV-2 which is the second embodiment of the RFID authentication system according to the present invention will be described. The tag of IHIDV-2 has only a memory and a hash function for ID like IHIDV-1. And the hash computation required by the tag is twice. The advantage of IHIDV-2 is that it prevents retransmission attacks and spoofing attacks, and recovers in case of message loss. It is assumed that the reader has an RNG to achieve this purpose. And the hash function used in this protocol is that when RNG is L bit,

Assume Table 4 shows the components and calculation tools of IHDIV-2.

는 XOR 연산(exclusive-or function), ∥ 는 연결연산(concatenate function)이며, half_L ( ) 는 입력되는 값의 왼쪽 반을 출력하는 함수이며, half_R ( ) 는 입력되는 값의 오른쪽 반을 출력하는 함수이다.In Table 4, ID is a random value for authentication, and changes every time authentication is successful, HID is a hash value of ID (= h (ID)), DATA is actual data such as user information and tag information, and AE is a memory connection. Is a one-way hash function, S is a random value generated by the reader every session using R, N, and G, and is used to create R. The tag generates as h (ID∥S) using ID and S, and is used to update the ID. R, N, and G are random number generators.

Is an XOR operation, ∥ is a concatenate function, half_L () is the function that outputs the left half of the input value, and half_R () is the function that outputs the right half of the input value. to be.

6 is a block diagram showing the configuration of the second embodiment of the RFID tag authentication system according to the present invention, and includes a tag 600, a reader 620, and a database 640. As shown in FIG.

(R ∥R))으로 갱신한다.The tag 600 stores an ID. When a query and a random value S come from the reader 620, the tag 600 hashes the value h (ID) of the ID and half_L (R) corresponding to the left half of the R. It generates and transmits to reader 620. Also, receives half_R (R) corresponding to the right half of R from reader 620 and checks whether it matches the one generated by itself. When authentication is completed, ID is transmitted to ID and R. ∥exclusive logical sum of R (ID

(R ∥R)).

The reader 520 has a random number generator (RNG), and transmits the random number (S) generated in the RNG when querying the tag 600, h (ID) and half_L from the tag 600 Upon receiving (R), S, h (ID) and half_L (R) are transmitted to database 640. In addition, when the half_R (R) is received from the database 640, the half_R (R) is transmitted to the tag 600.

(R∥R)로 갱신하며 상기 갱신되는 정보들은 AE에 의해 연결되는 메모리에 저장한다.The database 540 includes the general information DATA of the tag 600, the ID, a hash value HID of the ID, and a database entry AE for memory connection, and the h from the reader 620. Upon receipt of (ID), S and half_L (R), the right half of R, check the tag information via h (ID), generate R using ID and S, and the left part of R is the reader If it is equal to the value received from the tag, the tag is considered legitimate and half_R (R) is generated and sent to the reader for authentication. Also id via id = id

(R, R) and the updated information is stored in a memory connected by the AE.

In the tag 600, the reader 620, and the database 640, the left half (half_L (h (ID ∥R)) may be replaced with the right half (half_L (h (ID ∥R)). When the right half (half_L (h (ID | R)) is the left half (half_L (h (ID | R)).

Next, an RFID authentication method for the second embodiment IHIDV-2 will be described. 7 is a flowchart illustrating a RFID authentication method for IHIDV-2, which is a second embodiment of the present invention.

Referring to FIG. 7, first, when the reader 620 sends a query to the tag 600, the reader 620 generates and sends a random value S. (Reference number ①) When the reader 620 receives the query together with the random value S, the tag is read. 600 generates two pieces of data. The first is the value of h (ID), which is used to find the information of the tag. The second value is R, which is generated by h (ID∥S). R is later used to update the ID after the session is over, and now only sends half_L (R), the left part of R, for authentication, as well as verifying that the database and tag generated the same R. Number ②)

The reader 620 then sends S together with the information received from the tag 600 to the database 640 (reference 3).

(R∥R)로 갱신하며 갱신되는 정보들은 AE에 의해 연결되는 메모리에 저장된다.(참조번호 ④) 판독기(620)는 ④의 내용을 태그(600)에게 전송한다.(참조번호 ⑤)The database 640 checks the information of the tag 600 through the h (ID), and generates R using the ID and S. If the left part of the generated R is equal to the value received from the reader 620, the tag is determined to be legitimate, and half_R (R), which is the right part of R, is transmitted for its authentication. Along with this, the database 640 uses ID = ID to ID

The updated information is stored in the memory connected by the AE. (Reference number ④) The reader 620 transmits the content of ④ to the tag 600. (Reference number ⑤)

(R∥R)로 갱신한다. 이와 같이 하는 이유는 기존에 제시된 인증방법들과 달리 본 발명에서 생성되는 R은 해쉬함수에 의해 생성된 값으로 1/2 L비트이기 때문이다.If the session ends safely, the tag and the database will return ID = ID

We update to (R∥R). The reason for doing this is that, unlike the existing authentication methods, R generated in the present invention is a value generated by the hash function and is 1/2 L bit.

The safety, advantages and disadvantages of the second embodiment IHIDV-2 are as follows. The IHIDV-2 ensures personal information privacy because the database 640 stores the actual personal information of the tag 600, and satisfies the location privacy because the ID value stored in the tag is changed every time for the correct authentication session.

Consider an attack where a legitimate reader attempts to find out the ID value of a tag, even though the reader sends S to its own value to find out the ID, depending on the nature of the hash function, the reader uses R and S to determine the ID value. Can not infer If the attacker retransmits h (ID) through eavesdropping, the legitimate reader will send a random S every time, so the attacker cannot generate half_L (R) and cannot be authenticated from the database.For this reason, spoofing attacks impossible. This overcomes the disadvantages of HIDV. In other words, the IHIDV-2 prevents retransmission attacks and spoofing attacks with two hash operations in 1/3 of the memory required for HIDV by placing R, N, and G in the reader.

And, as in HIDV, there are two memory rows per tag in the database, and two rows are linked by AE so that recovery is possible even if a message is lost.

An example of the IHIDV-2 will be described below. The practical process of IHIDV-2 is shown. Assume an arbitrary tag with a value of ID = 14. In the initialization phase, the database stores HID = h (14) and ID = 14 along with the information DATA for the tag. At this time, nothing is stored in the AE. Table 5 shows the memory of the initialized database.

When a legitimate reader generates S = 5 and queries the tag, the tag generates R = h (ID∥S) = h (14∥15). Let R be 3. The tag sends h (14) and half_L (3) to the reader. The reader sends R to the database with the information received from the tag. The database checks the ID using h (14) and generates R to authenticate whether it is a valid tag. After authentication, the database is updated as shown in Table 6. Table 6 shows the memory of the database after the first authentication session.

(3∥3)) 로 바뀌게 된다. The database has two rows of memory for a tag. These are connected to each other by the AE in the same manner as the HIDV described above. After updating the database, if the database sends half_R (3) and the tag receives the information normally, the ID stored in the tag is ID = h (14

(3∥3)).

Consider missing messages. In the above case, if the tag did not receive the last half_R (3), the database was updated but the ID information of the tag was not updated. Therefore, the tag sends HID = h (14) to the next authentication session. However, the database can find h (14) so it authenticates and updates the memory row concatenated by AE with the newly created R. Through this process, message loss recovery is possible.

The present invention can be embodied as code that can be read by a computer (including all devices having an information processing function) in a computer-readable recording medium. The computer-readable recording medium includes all kinds of recording devices in which data that can be read by a computer system is stored. Examples of computer-readable recording devices include ROM, RAM, CD-ROM, magnetic tape, floppy disks, optical data storage devices, and the like.

Although the present invention has been described with reference to the embodiments shown in the drawings, this is merely exemplary, and it will be understood by those skilled in the art that various modifications and equivalent other embodiments are possible. Therefore, the true technical protection scope of the present invention will be defined by the technical spirit of the appended claims.

Hereinafter, the effects of the present invention and the existing RFID authentication system and method are as follows.

In the case of IHIDV-2, the tag requires the amount of memory required by the aforementioned IHIDV protocol and performs two hash operations for one authentication session. In addition to ensuring privacy and location privacy, both retransmission and spoofing attacks are impossible, and recovery is possible even if a message is lost.

라 하여, 해쉬값이 저장되는 메모리는 ½L 비트로 계산한다. Compare and analyze the existing RFID authentication protocols and the present invention. In order to compare the amount of memory, all components including ID are assumed to be L bits.

Therefore, the memory storing the hash value is calculated as ½L bit.

Existing protocols require 2L or 3L bits of memory for the tag, but the present invention requires only L bits of memory. The database also requires less memory than the HIDV described above. In the case of hash operation, the tag of HIDV performs three operations in total to prevent tag authentication and retransmission attack, but the present invention satisfies the security considerations of the authentication protocol in two operations. Table 7 shows a comparison of memory and amount of computation.

HIDV and the present inventions satisfy privacy and location privacy. IHIDV-1 detects replay attacks, spoofing attacks, and message loss. HIDV prevents retransmission attacks and recovers from lost messages, but does not detect spoofing attacks. In contrast, the IHIDV-2 prevents retransmission attacks and spoofing attacks by using a memory and two hash operations after the IHIDV. Table 8 shows a comparison of stability against attack.

IHIDV-1 according to the present invention is useful for low-cost tags by reducing the amount of memory and the amount of hash operations. The IHIDV-1 has a smaller amount of memory required for the tag than the conventional HIDV described above, and the hash operation is performed twice. Therefore, the cost of the tag can be reduced. By applying these features, the IHIDV-1 should be used in low-cost tags and in systems that are less likely to be spoofed or lose messages. It will be available for low-cost tags within a few years, so it will be useful for many ubiquitous environments. In addition to being useful for low cost tags, the present inventions can be advantageously detected or prevented by retransmission attacks, spoofing attacks, and recoverable in the event of message loss.

As described above, according to the RFID authentication system and method according to the present invention, it is not only useful for low-cost tags, but also has the advantage of detecting or preventing retransmission attacks and spoofing attacks, and recovering messages. .

Claims (10)

An RFID authentication system having a tag, a reader and a database, The ID is stored, and when the query comes, the hash function value h (ID) of the ID is generated and transmitted to the reader, and the hash function value h (ID ∥R) of the ID and the random value R is calculated by concatenating the ID. Receiving the left half (Hf_L (h (ID∥R)) for ∥R, generate the right half (half_R (h (ID∥R)) for h (ID∥R)) and send it to the reader. When tag authentication is completed, the ID is the exclusive logical sum of the ID and R (ID

Tag to update to R); When querying the tag and receiving h (ID), it transmits it to the database, and when it receives h (ID∥R) from the database, it transmits the left half (half_L (h (ID∥R))) and R to the tag. reader; And Tag information DATA, an ID, a hash value HID of the ID, and a random value generator NRG. When the h is received, the tag information is used to find and confirm information of the tag. Generates h (ID∥R) and sends it to the reader

RFID authentication system comprising a database for updating to R. The method of claim 1, wherein the left half (half_L (h (ID | R)) is The right half (half_L (h (ID ∥R)) and the right half (half_L (h (ID ∥R)) is the left half (half_L (h (ID ∥R)) RFID authentication system, characterized in that. The method of claim 1, wherein the database RFID authentication system, characterized in that for receiving the tag information (DATA), HID and ID securely through RF communication or physical contact. An RFID authentication method in an RFID authentication system having a tag, a reader, and a database, The reader querying the tag for authentication; Sending to the reader a value h (ID) of the tag ID hashed for the query; Receiving the h (ID), transmitting it to a database; Upon receiving h (ID) from the reader, the database finds and confirms the tag information through h (ID), and hashes a random value R and a hash function by concatenating the ID and R (h (ID∥R). Generating)) and sending it to the reader; Upon reception of the R and h (IDR), transmitting half_L (h (IDR)) and R, the left half of h (IDR), to the tag; Upon receiving the R and half_Lh (ID ∥R), the tag checks that the received information is valid if the R and half_L (h (ID ∥R)) matches the left side of the h (ID ∥R) that they have made, Sending half_Rh (ID∥R) to the reader to the right of h (ID∥R); And When the authentication is completed, the database and the tag exclusively sum ID with the ID and the random value R (ID

R) updating to the RFID authentication method in the RFID authentication system, characterized in that it comprises a. The method of claim 4, wherein the left half (half_L (h (ID | R)) is In the RFID authentication system, the right half is half_L (h (ID∥R), and the right half is half_L (h (ID∥R). RFID authentication method. In an RFID authentication system having a reader, a tag and a database, Stores the ID, and when the query and the random value (S) comes, it generates the value h (ID) hashed the ID and half_L (R) corresponding to the left half of the R, and transmits to the reader, and from the reader Receives half_R (R) corresponding to the right half and checks whether it matches the one created by itself, and when authentication is completed, the ID is the exclusive logical sum of ID and R∥R (ID

Tag to update to (R∥R); It has a random number generator (RNG), and transmits the random number (S) generated in the RNG when querying the tag, S, h (ID) when receiving h (ID) and half_L (R) from the tag And a reader for transmitting half_L (R) to a database and transmitting the half_L (R) to a tag upon receipt of the half_R (R) from the database. And Information (ID) of the RFID tag, the ID, a hash value (HID) of the ID, and a database entry (AE) for memory connection, and half_L (R) which is the right half value of h (ID), S and R from the reader. ), Check the information of the tag through h (ID), generate R using ID and S, and if the left part of R is equal to the value received from the reader, determine the tag as just and verify its own authentication. Generates a half_R (R) and sends it to the reader for ID, where ID = ID

And a database storing the updated information in a memory connected by AE. The method of claim 6, wherein the left half (half_L (h (ID | R)) is The right half (half_L (h (ID ∥R)) and the right half (half_L (h (ID ∥R)) is the left half (half_L (h (ID ∥R)) RFID authentication system, characterized in that. An RFID authentication method in an RFID authentication system having an RFID tag, a reader, and a database, The reader generating a random value S and querying the tag to send the S; When the query is received with the S, the tag generates h (ID ∥S) as an R value, generates a hash function value h (ID) of ID and half_L (R), which is the left half of R, to the reader. Transmitting; The reader sending the S together with the information received from the tag to the database; When receiving h (ID), S, half_L (R), the database checks the tag information through h (ID), generates R using ID and S, and the left part of the generated R is read from the reader. If it is equal to the value received, the tag is considered legitimate, and half_R (R), the right part of R, is sent to the reader for authentication, and the database sends the ID via R to ID = ID.

Storing the updated information in a memory connected by the AE; upon receiving half_R (R), the reader sends half_R (R) to the tag; And When the session ends securely, the tag and database IDs

RFID authentication method in the RFID authentication system, characterized in that it comprises the step of updating to (R ∥R). The method of claim 8, wherein the left half (half_L (h (ID ∥ R)) is In the RFID authentication system, the right half is half_L (h (ID∥R), and the right half is half_L (h (ID∥R). RFID authentication method. A computer-readable recording medium having recorded thereon a program for executing the invention according to any one of claims 4, 5, 8, and 9 on a computer.

Images