KR101721510B1 - An Authentication Method for Privacy Protection in RFID Systems - Google Patents
An Authentication Method for Privacy Protection in RFID Systems Download PDFInfo
- Publication number
- KR101721510B1 KR101721510B1 KR1020160151035A KR20160151035A KR101721510B1 KR 101721510 B1 KR101721510 B1 KR 101721510B1 KR 1020160151035 A KR1020160151035 A KR 1020160151035A KR 20160151035 A KR20160151035 A KR 20160151035A KR 101721510 B1 KR101721510 B1 KR 101721510B1
- Authority
- KR
- South Korea
- Prior art keywords
- tag
- reader
- dynamic
- unique
- key
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3215—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a plurality of channels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
- H04L2209/122—Hardware reduction or efficient architectures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
- H04L2209/805—Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
A RFID authentication method for privacy protection, which performs authentication in an RFID authentication system comprising a plurality of tags, at least one reader, and a server, the RFID authentication method comprising the steps of: (a) The server stores a unique ID, a dynamic ID generated from the unique ID, and a first unique key generated using a secret value of the server and a unique ID of the server, and the server stores a unique ID, a dynamic ID, Storing tag information; And (b) the reader generates and broadcasts a query message, receives a response to the query from the tag, authenticates the tag, updates the dynamic ID of the tag if the tag is successfully authenticated, Tag and a step of transmitting to the server.
By using the dynamic ID changed every communication session by the RFID authentication method as described above, it is possible to prevent the privacy invasion due to the exposure of the identification information of the tag and the tracking of the location.
Description
The present invention relates to an RFID authentication method for privacy protection that solves the problem that a reader and a tag use the same key in a mutual authentication method between a tag and a reader and the key is not updated for a long time and is easily exposed to an attacker .
RFID (Radio Frequency Identification) is a sensor-based technology that attaches a tag with a microchip embedded in every object and the reader automatically recognizes and detects information of the object by wireless communication using a certain frequency band [ Non-Patent Documents 1-4]. The application of RFID technology is becoming common in various fields such as defense, medical, distribution, manufacturing, and service industries, and is expected to change our lives more widely in the future [Non-Patent Documents 5-8].
However, in RFID systems, tags and readers communicate with each other by using radio frequencies. Therefore, like other wireless communications, spoofing attacks, replay attacks, denial- of-service attacks (Non-Patent Documents 12 and 13). In addition, because RFID tags are attached and distributed to a large number of objects, the information stored inside them is not safe for physical attack by an attacker [Non-Patent Document 7]. Therefore, RFID systems must apply security technologies to achieve security requirements such as confidentiality and integrity of messages, and availability of services. The authentication protocol is one of the most essential and applicable security technologies [Non-Patent Document 16] Until recently, the mutual authentication technology between the components of the RFID system has been studied extensively [Non-Patent Document 1].
In 2012, Bae proposed a privacy-protected authentication protocol (DAP3-RS) in the RFID system [Non-Patent
However, in the RFID authentication method of Oh et al., All readers and tags store the same encryption / decryption key, and the key can be easily exposed to an attacker since it is a long-term key that is not updated throughout the lifetime of the tag. Moreover, since tags are vulnerable to physical attacks in an RFID system, an attacker can physically detach one of the tags and extract keys stored therein [Non-Patent Document 7].
In the RFID authentication method of Oh et al., Once an attacker finds a key once, he can disguise it as a different tag or reader by tapping the message. In this case, since the identification information of the tag is exposed to the attacker, the position of the tag can still be tracked. These attacks are even more serious, as only one tag is compromised, allowing an attacker to perform on all tags that are within the bounds of eavesdropping.
An object of the present invention is to solve the above-mentioned problems, and it is an object of the present invention to provide a method and a device for managing privacy, which assigns a unique key to each tag, manages the key in a tag information database of a server, And to provide an RFID authentication method for protection.
It is another object of the present invention to provide an RFID authentication method for privacy protection, which is configured such that even if a network general-purpose key is exposed to an attacker, it can not attack communication of another tag that has not been tampered with.
It is another object of the present invention to provide an RFID authentication method for privacy protection, which uses only encryption / decryption and XOR operations using symmetric key cryptography in consideration of limited hardware resources of a tag.
In order to achieve the above object, the present invention provides an RFID authentication method for privacy protection, which performs authentication in an RFID authentication system including a plurality of tags, at least one reader, and a server, Each tag having a unique ID, a dynamic ID generated from the unique ID, and a first unique key generated using a secret value of the server and a unique ID of the server, Storing a unique ID, a dynamic ID, and tag information of the tag; And (b) the reader generates and broadcasts a query message, receives a response to the query from the tag, and authenticates the tag, and (b) Generating a query message and broadcasting the query message; (b2) receiving the query message, encrypting the query message with its own unique key to generate a response message, and transmitting the response message to the reader together with the dynamic ID; (b3) the reader receives the dynamic ID and the response message of the tag, and transmits the dynamic ID of the tag to the server; (b4) The server searches for a unique ID and tag information corresponding to the dynamic ID of the received tag, generates a second unique key using the searched unique ID and the held secret value, and generates the generated second unique key To the reader; (b5) The reader decrypts the response message with the second inherent key, and performs authentication based on whether the decrypted response sentence is the same as the query sentence. If the authentication is successful, the reader updates the dynamic ID of the tag, Transmitting an updated dynamic ID to the server and the tag; And (b6) the tag receiving the updated dynamic ID and updating its own dynamic ID with the received dynamic ID.
According to another aspect of the present invention, there is provided an RFID authentication method for privacy protection, wherein each tag generates a random number, concatenates its own unique ID with a generated random number, performs a hash operation, .
According to another aspect of the present invention, there is provided an RFID authentication method for privacy protection, wherein the first or second inherent key is generated through a hash operation after concatenating a unique ID of a tag and a secret value of a server.
In the RFID authentication method for privacy protection, the random number is generated in step (b1), and the random number is encrypted with the shared key to generate the query.
In the RFID authentication method for privacy protection according to the present invention, in the step (b2), an XOR operation is performed with a first inherent key before encryption with a first inherent key in a query statement, And in the step (b5), an XOR operation is performed using the second inherent key before comparing the response sentence decrypted with the query, and the calculated query is compared with the response sentence.
According to another aspect of the present invention, there is provided an RFID authentication method for privacy protection, comprising the steps of: transmitting and receiving data through an insecure channel between the reader and a tag; transmitting and receiving data between the server and the reader via a secure channel; .
According to another aspect of the present invention, there is provided an RFID authentication method for privacy protection, comprising the steps of: (b5) if authentication is successful, encrypting a decrypted response message and an updated dynamic ID by using a second unique key, ; And in the step (b6), the tag decrypts the encrypted response message and the updated dynamic ID with the first unique key, authenticates the reader according to whether the decrypted response sentence is the same as the response sent by the tag, And updates its own dynamic ID if it succeeds.
In the RFID authentication method for privacy protection according to the present invention, in the step (b5), a unique ID is concatenated to a dynamic ID of a tag, and a hash operation is performed to update the dynamic ID of the tag .
According to another aspect of the present invention, there is provided an RFID authentication method for privacy protection, comprising the steps of: transmitting and receiving data through an insecure channel between the reader and a tag; transmitting and receiving data between the server and the reader via a secure channel; .
In addition, the present invention relates to a computer-readable recording medium on which a program for performing an RFID authentication method for privacy protection is recorded.
As described above, according to the RFID authentication method for privacy protection according to the present invention, it is possible to provide an improved RFID authentication method by analyzing and eliminating a security vulnerability of a conventional protocol.
In addition, according to the RFID authentication method for privacy protection according to the present invention, the use of the dynamic ID changed every communication session can prevent the privacy infringement due to the exposure of the identification information of the tag and the tracking of the location.
In addition, according to the RFID authentication method for privacy protection according to the present invention, the use of the dynamic ID changed every communication session can prevent the privacy infringement due to the exposure of the identification information of the tag and the tracking of the location.
In addition, according to the RFID authentication method for privacy protection according to the present invention, by using only the encryption / decryption and the XOR operation using the symmetric key cryptography, the computation amount can be reduced in consideration of limited hardware resources of the tag.
BRIEF DESCRIPTION OF THE DRAWINGS Fig. 1 is a diagram showing a configuration of an RFID authentication system for implementing the present invention; Fig.
2 is a table showing a notation for describing the RFID authentication method of the prior art and the present invention;
3 is a flowchart illustrating an RFID authentication method for privacy protection such as Oh in accordance with the related art.
4 is a flowchart illustrating a tag ID extraction process on an RFID authentication method according to the related art.
FIG. 5 is a flowchart illustrating a reader spoof attack process on the RFID authentication method according to the related art.
6 is a flowchart illustrating an RFID authentication method for privacy protection according to an embodiment of the present invention.
7 is a table showing a comparison of safety of the RFID authentication method for privacy protection according to the experiment of the present invention.
FIG. 8 is a table showing comparison of computational complexity of the RFID authentication method for privacy protection according to the experiment of the present invention. FIG.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, the present invention will be described in detail with reference to the drawings.
In the description of the present invention, the same parts are denoted by the same reference numerals, and repetitive description thereof will be omitted.
First, examples of the configuration of the entire system for carrying out the present invention will be described with reference to Fig.
1, the RFID system for implementing the present invention includes a
In the RFID system, a channel between the
Next, security requirements to be satisfied by the RFID authentication method of the present invention will be described.
As described above, in the RFID system, communication between the
First, it should be safe against spoofing attacks.
A spoofing attack means that an attacker masquerades as one of the legitimate communication subjects, that is, the
Also, it should be safe against man-in-the-middle attacks.
In an RFID system, a Man-In-The-Middle Attacks (MITM Attacks) is an attack by an attacker to intervene between a
Next, it should be safe against retransmission attacks.
A retransmission attack is an attack in which an attacker stores a message transmitted between a
Next, we need to have tag anonymity.
Tag Anonymity means that unique identification information of a
Next, it should be safe for location tracking.
Location Tracking is a method for locating a location of a
Next, it should be safe against physical attacks.
The physical attack is an attack technique for extracting in-memory information of the
Next, it should be safe against camouflage attacks.
Impersonation Attacks means that the other party deceives the attacker into a legitimate tag (10) or reader (20) of the corresponding RFID system [Non-Patent Document 2].
Next, mutual authentication must be possible.
The mutual authentication is a process of confirming both the
Next, the notations used for the following explanation are summarized as the table of FIG.
Next, an RFID authentication method for privacy protection according to the related art will be described with reference to FIG. 3 is a flowchart illustrating an RFID authentication method for privacy protection such as Oh.
First, in the initialization step in which the
After the initialization step, if the reader Rdr j broadcasts a query message within its radio range, the authentication procedure is performed as follows (steps 1-6). At this time, it is assumed that the communication between the server Svr and the reader Rdr j is a secure channel, and the reader Rdr j and the tag Tg i communicate with each other through a public channel.
Step 1: The reader Rdr j generates the random number RN j and then encrypts RN j using the key K that was installed in the initialization step of the protocol (S1).
[Equation 1]
The reader Rdr j broadcasts a query message {Query, C j } within its radio range.
Step 2: Upon receiving the query message {Query, C j } from the reader Rdr j, the tag Tg i generates its own random number RN i and decrypts C j using the key K (S2).
&Quot; (2) "
Tag Tg i is "using keys own random number RN i, its identity ID i, and RN j 'j encrypts the RN.
&Quot; (3) "
The tag Tg i transmits a response message {C i } to the reader Rdr j .
Step 3: The reader Rdr j decodes the random number RN j generated by itself using the random number RN j as a key (S3).
&Quot; (4) "
Rdr j reader compares the values of the RN j 'that was included in the response message of the random number RN j and the tag Tg i where they are generated to the authentication tag Tg i. If these two values are the same, the reader Rdr j transmits the ID ID i * of the tag Tg i to the server Svr through the secure channel, otherwise, the authentication process is aborted.
Step 4: When the server Svr receives the ID i * from the reader Rdr j , it finds the information TagInfo i of the tag Tg i in its database and transmits it to the reader Rdr j through the secure channel (S4).
Step 5: The reader Rdr j XORs the RN i * received from the tag Tg i and its own random number RN j (S5).
&Quot; (5) "
The reader Rdr j transmits the message {V} to the tag Tg i .
Step 6: Upon receiving the message {V} from the reader Rdr j, the tag Tg i XORs its own random number RN i and RN j 'received from the reader Rdr j (S6).
&Quot; (6) "
The tag Tg i compares the values of V 'and V for authentication of the reader Rdr j . If these two values are equal, the reader Rdr j authentication of tag Tg i is successfully completed. On the other hand, if the two values are not the same, the protocol is aborted due to authentication failure.
Next, a weak point of the RFID authentication method such as Oh in accordance with the related art will be described with reference to FIG. 4 to FIG.
Oh, et al., The mutual authentication is performed using the random number generated by the reader and the tag, respectively. For this, the tag is efficient in the amount of computation since it performs symmetric key encryption / decryption and XOR operation only. However, in this protocol, the key K is a long-term key that is stored extensively in all the readers and tags and is not updated throughout the life of the system, Furthermore, tags are generally vulnerable to physical attacks in RFID systems [Non-Patent Document 7]. Therefore, an attacker can attach a large number of objects and physically take out one of the distributed tags to extract the key K stored therein. Once an attacker is exposed to a key K, he or she can interrogate the message to find the ID of the tag or track the location. It is also possible to use a spoofing attack to trick an opponent to be authenticated by a legitimate tag or reader. These attacks are even more serious in that an attacker can perform not only tags that are compromised to obtain a key K, but also all tags that are within the scope of eavesdropping.
First, we describe vulnerability of tag identification information exposure.
In the authentication method such as Oh, if the attacker finds the key K and eavesdrops on the message transmitted / received between the reader and the tags, the IDs of the tags can be recovered. For example, suppose an attacker finds key K from tag Tg i and then intercepts messages {Query, C j } and {C j + 1 } transmitted between leader Rdr j and another tag Tg i + 1 . As shown in FIG. 4, the attacker can decrypt C j of the message {Query, C j } because he knows the key RN j .
&Quot; (7) "
Then, since the attacker has calculated the key RN j , it can also decode the response message {C j + 1 } of the tag Tg i + 1 .
&Quot; (8) "
Therefore, an attacker can obtain the identity ID i + 1 of the tag Tg i + 1, and does not provide anonymity for the tag Tg i + 1.
Next, we describe vulnerabilities in tag location tracking.
In the authentication method such as Oh, the response message of the tag Tg i + 1 for the query message of the reader is changed every communication session since it is a cipher text including the random number. However, as shown in FIG. 4, if the attacker knows the key K, the tag ID can be obtained by intercepting a message exchanged between the reader and the tag. Therefore, if the attacker repeats the process of recovering the tag ID by intercepting the message transmitted / received near the reader installed in various regions, it is possible to trace the position of the tag Tg i + 1 .
Next, we describe vulnerabilities to tag spoofing attacks.
As shown in FIG. 4, if the attacker knows the key K, the tag ID can be obtained by intercepting the message exchanged between the reader and the tag. In this attack, the attacker can disguise the key K and the tag ID as a legitimate tag. For example, an attacker who knows the key K ID and the tag ID of the i + 1 i + 1 Tg generates a C, as follows: Upon receiving a query message {Query, C j} from the reader Rdr j.
&Quot; (9) "
&Quot; (10) "
If the attacker transmits the response message {C a } to the reader Rdr j , the reader Rdr j authenticates the attacker as a legitimate tag Tg i + 1 as follows.
&Quot; (11) "
&Quot; (12) "
Next, we describe vulnerabilities to reader spoofing attacks.
Suppose that the attacker has gotten the key K from the i -th tag Tg i . The attacker can disguise tags other than the tag Tg i as a legitimate reader by using the key K as shown in FIG. The attacker generates a random number RN a to start the authentication process and then encrypts it using the key K already obtained.
&Quot; (13) "
When an attacker broadcasts a query message {Query, C a }, the attacker's tag Tg i + 1 in the radio range generates a random number RN i + 1 and decodes C a with key K.
&Quot; (14) "
Tag Tg i + 1 is "to key his random number RN i + 1, its identity ID i + 1, and the received RN a" RN a encrypts then the result value C i + 1 in the response message To the attacker.
&Quot; (15) "
Since the key RN a 'is the random number generated by the attacker, the attacker can decrypt C i + 1 . From the decryption result, it is possible to extract a random number RN i + 1 " required to authenticate as a legitimate reader from the ID of the tag Tg i + 1 and Tg i + 1 .
&Quot; (16) "
The attacker XORs the RN i + 1 " received from the tag Tg i + 1 and the RN a it generates, and then transmits the result to the tag Tg i + 1 .
&Quot; (17) "
The tag Tg i + 1 verifies the V value and authenticates the attacker as a legitimate reader.
Next, an RFID authentication method for privacy protection according to an embodiment of the present invention will be described with reference to FIG.
The RFID authentication method according to the present invention is an RFID authentication method for privacy protection which improves the weakness of the above-mentioned prior art. That is, the RFID authentication method according to the present invention should be secure against possible attacks on the RFID authentication protocol such as spoofing attack, man-in-the-middle attack, and retransmission attack. Also, in order to cope with camouflage attacks, mutual authentication process between tag and reader should be provided. In addition to providing anonymity of the tag to protect the privacy of the user, it should not be possible to trace the location of the tag. In addition, in the RFID authentication method according to the present invention, even if an attacker finds a secret value from one or a small number of tags, it should be designed such that it can not attack the communication of the untouched tag or threaten security of the whole network.
The RFID authentication method according to the present invention comprises an initialization step (S10) and an authentication step (S20), and steps of performing each step will be described in detail below.
First, the initialization process (S10) will be described.
The initialization step (S10) of the RFID authentication method according to the present invention is a step of installing information necessary for authentication in a server, a reader, and a tag, and performs the following steps once (Steps I-1 to I-3).
Step I-1: All readers and tags share key K (or shared key).
Step I-2: After generating the random number rn i for the tag Tg i , calculate the dynamic ID DID i by performing a hash operation on the concatenated values of the IDs (or unique IDs) ID i and rn i of Tg i .
&Quot; (18) "
Calculates h (ID i ∥x s) by using the tag Tg i the identity ID i and the server secret value x s to generate the tag of unique key K i Tg i (or unique key). Depending on the nature of the one-way hash function, it is not possible for any other operator or attacker except the server to derive ID i or x s from K i .
&Quot; (19) "
And stores DID i and K i generated before tag Tg i .
Step I-3: Store secret value x s in server Svr. This xs is not shared by any other server than the server.
The server Svr also adds the IDs of the tags and the tag information (or tag content) as well as the dynamic ID information to the tag information database managed by the server Svr. For example, for the tag Tg i , add the unique ID ID i , the dynamic ID DID i , and the tag information (or tag content) TagInfo i of the tag to the database of the server.
Next, the authentication process will be described.
In this process, the reader and the tag mutually authenticate and then update the dynamic ID of the tag for the next communication session. Like the existing assumption, the server and the reader communicate with each other through a secure channel, and the reader and the tag communicate with each other through a public channel. When the tags in the wireless communication range respond to the query message of the reader, the authentication step starts (Step A-1 to A-6). 6 shows an authentication process of the RFID authentication method according to the present invention.
Step A-1: The reader Rdr j generates the random number RN j and performs an XOR operation with the key K installed at the initial stage of the protocol.
&Quot; (20) "
The reader Rdr j broadcasts a query message {Query, V} to all tags in its radio range. Let V be the query.
Step A-2: tag Tg i the message {Query, V} When using its key (or unique key) K i = K i i receives the V
V.Then tag Tg i is V i encrypt using its own key K i.
&Quot; (21) "
The tag Tg i transmits a response message {DID i , C i } to the reader Rdr j . Here, C i is called a response statement.
Step A-3: When the reader Rdr j receives the message {DID i , C i } from the tag Tg i , it transmits the DID i to the server Svr through the secure channel.
Step A-4: The server Svr searches its own database to find ID ID i and tag information (or tag content) TagInfo i of tag Tg i .
The server Svr XORs the result of concatenating its secret value x s and ID i to generate a key K i '.
&Quot; (22) "
Svr server is the tag Tg i Step A-4: Svr server searches its database to find the tag ID of the tag information and ID i Tg i (or tag content) TagInfo i. TagInfo i and key K i 'are transmitted to the reader Rdr j through a secure channel.
Step A-5: The reader Rdr j decrypts C i using the key K i 'received from the server Svr.
&Quot; (23) "
The reader Rdr j performs a XOR operation on the keys K i 'and V (K i '
V) and the decoding result value V i * . If the two values are the same, the sender of the response message {DID i , C i } means the legitimate tag Tg i . If the two values are different, the authentication step is aborted due to an authentication failure.The reader Rdr j updates the dynamic ID of the tag Tg i for the next communication session. New dynamic ID of tag Tg i
Is generated by performing a hash operation on the value obtained by concatenating the current dynamic ID DID i and the key K i 'as follows.&Quot; (24) "
The reader Rdr j uses the key K i 'of the tag Tg i to calculate V i *
.&Quot; (25) "
The leader Rdr j is the new dynamic ID of the tag Tg i
To the server Svr so that the server Svr and the tag Tg i share And an encrypted message {C j } to the tag Tg i .Step A-6: tag Tg i decodes the C j by using its own key K i when receiving the message from the reader Rdr {C j} j.
&Quot; (26) "
The tag Tg i compares the values of V i * and V i to verify that the sender of the message {} is a legitimate leader. If the two values are equal, the sender of the message {C j } is a legitimate reader holding the key K i (= K i ') of the tag Tg i . However, if the two values are different, the authentication of the reader fails and the authentication phase is aborted.
The tag Tg i has its own dynamic ID DID i
. On the other hand, the server Svr also stores the dynamic ID information of the tag Tg i in its own tag information database in the DID i .Next, a safety analysis result of the RFID authentication method according to an embodiment of the present invention will be described.
The security of the authentication method according to the present invention will be discussed with reference to the security requirements described above. The table of FIG. 7 shows the comparison of the safety of the authentication method according to the present invention with the authentication method of the existing Oh et al.
First, the analysis results of mutual authentication are explained.
In the RFID system, the mutual authentication is a process of confirming whether the other party is a legitimate communicator by checking the secret values shared by the tag and the reader or generating the same value [Non-Patent Document 2]. In the method according to the present invention, upon receiving the message {DID i , C i }, the reader decrypts the cipher text C i using the key K i to authenticate that the message sender is a legitimate tag Tg i . If the decrypted plaintext V i * and K i '
If the calculated values of V are identical, the other party that sent the message {DID i , C i } is a valid tag Tg i . Since only the server and the tag Tg i know the value of the key K i according to the initialization step of the method according to the present invention, only the server or the tag Tg i is V i * (= V i * = K i ' V = K i V) can be calculated. On the other hand, when the message {C j } is received, the tag Tg i decrypts C j using the key K i to authenticate that the sender of the message is a legitimate leader. If the decrypted plaintext V i * If the values of V i * and V i are the same, then the sender of the message {C j } is a legitimate reader. Because only the server and the tag Tg i share the key K i in the initialization step of the method according to the present invention, only the leader communicating with the server or the server on the secure channel is allowed to read V i * (= K i V) because it can calculate a value, and generating a cipher text C j.Next, we explain the analysis of safety against physical attacks.
In the method according to the present invention, even if an attacker finds a secret value stored in a certain tag, it can not effectively attack another tag's communication by using it. For example, it is assumed that an attacker could eavesdrop the messages which are sent and received between the tag Tg i secret value from K, i DID, and extracts the K i, then the reader Rdr j and (Tg i is not) other tag Tg i +1. First, the response message {DID i +1 , C i + 1 } transmitted from the tag Tg i +1 to the reader Rdr j can not be attacked using the three secret values of the tag Tg i . This is because DID i + 1 is the dynamic ID of the tag Tg i and C i + 1 is encrypted using the key K i + 1 of the tag Tg i +1 and thus has no relation with the three secret values of the tag Tg i . Similarly, since the message {C j '} transmitted from the reader Rdr j to the tag Tg i +1 is also encrypted using the key K i + 1 , it can not perform a meaningful attack using three secret values of the tag Tg i . Since the key K is a general-purpose key used by all tags and readers in the system, if an attacker eavesdrops on the query message {Query, V} broadcasted from the reader Rdr j , K
By calculating V, the random number RN j of the leader Rdr j can be found. But only RN j, as well as not able to obtain the information necessary for the other to attack RN j is generated every new session. Therefore, the method according to the present invention does not affect the security of other tag or system which is not damaged even if one or a few tags are damaged.Next, we describe the analysis of safety for camouflage, spoofing, and man-in-the-middle attacks.
Since the method according to the present invention provides a mutual authentication process between the tag and the reader, the attacker can not disguise it as a tag or a reader. Even if the attacker learns the secret values K, DID i , and K i stored in the tag Tg i through physical tag hijacking, etc., the attacker can not disguise the tag other than the tag Tg i . Therefore, the method according to the present invention is safe against spoofing attack or meson attack based on a camouflage attack.
Next, we explain the analysis results of tag anonymity and prevention of location tracking.
Tag anonymity means that the tag ID should not be exposed to the attacker. In the method according to the invention, the tag uses a dynamic ID instead of its own ID. The dynamic ID of the tag Tg i for the next communication session
Is generated by hashing a value obtained by concatenating the unique key K i '(= K i ) of the tag Tg i with the dynamic ID DID i of the current communication session. Depending on the nature of the one-way hash function, Can not derive DID i , K i ', or ID i . Also, since the dynamic ID of the tag is changed every communication session and only the server and the corresponding tag share the value, the method according to the present invention is safe for tracking the tag position of the attacker.Next, the analysis result of the retransmission attack will be described.
In the method according to the present invention, even if an attacker intercepts a message {Query, V}, {DID i , C i }, or {C j } transmitted between a reader and a tag Tg i and transmits again to another communication session, You can not disguise like tag Tg i or get the information you need for authentication. The messages {DID i , C i } and {C j } are not only encrypted ciphertext using the tag Tg i and the key K i known only to the server, but also a random number generated for each communication session It is impossible to do a retransmission attack because it contains.
Next, efficiency analysis of the method according to the present invention will be described.
Especially, efficiency is analyzed and compared in terms of computation amount and message transmission amount.
The table of FIG. 8 shows the results of an analysis of the method according to the present invention and the RFID authentication method of Oh et al. [Non-Patent Document 5] in terms of calculation amount. The table of FIG. 8 shows the types of operations and the number of operations performed in the two methods. The amount of computation in the server is 1S + 1H, Oh, and the computation amount in the reader is 1R + 1E + 1D + 1H + 2X, Oh The RFID authentication method is 1R + 1E + 1D + 1X. However, since the resource-limited node is a tag in the RFID system, it is necessary to concentrate more on the operation amount on the tag than the server or the reader. The amount of computation in the tag is 1E + 1D + 1X in the method according to the present invention, and the computation amount of the method according to the present invention is smaller than 1R + 1E + 1D + 1X in the RFID authentication method of Oh et al. This means that the method according to the present invention is more efficient in terms of computation than the RFID authentication method of Oh et al.
The total number of messages transmitted between the reader and the tag in the method according to the present invention is equal to the number of messages in the RFID authentication method of Oh and the like.
In the present invention, if the secret value is exposed from one tag through cryptanalysis or physical attack, the RFID authentication method proposed in the present invention may threaten the communication of another tag or the safety of the whole system Respectively. In order to solve this problem, the present invention proposes a method of managing a unique encryption key and a dynamic ID for each tag by the server. The RFID authentication method according to the present invention is safe for a spoof attack, a spoof attack, a man-in-the-middle attack, and a retransmission attack expected in an RFID system. In addition to providing the anonymity of the tag to protect the user's privacy, it is impossible to trace the location. The RFID authentication method according to the present invention is more efficient than the existing method in terms of the amount of operation of the tag despite the improved security.
Although the present invention has been described in detail with reference to the above embodiments, it is needless to say that the present invention is not limited to the above-described embodiments, and various modifications may be made without departing from the spirit of the present invention.
10: Tag 20: Reader
30: Server
Claims (10)
(a) all the readers and tags share a shared key, and each tag has a unique ID, a dynamic ID generated from the unique ID, and a first unique key generated using the secret value of the server and its own unique ID The server storing a unique ID, a dynamic ID, and a tag content of each tag; And
(b) the reader generates and broadcasts a query message, receives a response to the query from the tag, and authenticates the tag,
The step (b)
(b1) the reader generates and broadcasts a query message;
(b2) receiving the query message, encrypting the query message with its own unique key to generate a response message, and transmitting the response message to the reader together with the dynamic ID;
(b3) the reader receives the dynamic ID and the response message of the tag, and transmits the dynamic ID of the tag to the server;
(b4) The server searches for a unique ID and a tag content corresponding to the dynamic ID of the received tag, generates a second unique key using the searched unique ID and the held secret value, To the reader;
(b5) The reader decrypts the response message with the second inherent key, and performs authentication based on whether the decrypted response sentence is the same as the query sentence. If the authentication is successful, the reader updates the dynamic ID of the tag, Transmitting an updated dynamic ID to the server and the tag; And
(b6) receiving the updated dynamic ID and updating its own dynamic ID with the received dynamic ID.
In the step (a), each tag generates a random number, generates a dynamic ID by concatenating its own unique ID with the generated random number, and performing a hash operation.
Wherein the first or second inherent key is generated by concatenating a unique ID of a tag and a secret value of a server and then performing a hash operation.
Wherein the random number is generated and encrypted with the shared key to generate the query message in the step (b1).
In the step (b2), an XOR operation is performed on the query statement with the first inherent key before the encryption with the first inherent key, then the result is used to encrypt the query statement with the first inherent key,
Wherein in the step (b5), an XOR operation is performed using a second inherent key before comparing a response sentence decrypted with the query statement, and then the computed query statement is compared with the response sentence.
If the authentication is successful in step (b5), encrypting the decrypted response message and the updated dynamic ID with the second unique key, and transmitting the decrypted response ID and the updated dynamic ID to the tag; And
In step (b6), the tag decrypts the encrypted response sentence and the updated dynamic ID with the first inherent key, authenticates the reader according to whether the decrypted response sentence is the same as the response sent by the tag, And updates its own dynamic ID.
The RFID authentication method for privacy protection according to claim 1, wherein, in the step (b5), a dynamic ID of the tag is updated by concatenating a second unique key with a dynamic ID of the tag and performing a hash operation.
And transmitting and receiving data through an insecure channel between the reader and the tag and transmitting and receiving data between the server and the reader through a secure channel.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160151035A KR101721510B1 (en) | 2016-11-14 | 2016-11-14 | An Authentication Method for Privacy Protection in RFID Systems |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020160151035A KR101721510B1 (en) | 2016-11-14 | 2016-11-14 | An Authentication Method for Privacy Protection in RFID Systems |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101721510B1 true KR101721510B1 (en) | 2017-04-11 |
Family
ID=58580973
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020160151035A KR101721510B1 (en) | 2016-11-14 | 2016-11-14 | An Authentication Method for Privacy Protection in RFID Systems |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101721510B1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107231231A (en) * | 2017-06-16 | 2017-10-03 | 深圳市盛路物联通讯技术有限公司 | A kind of method and system of terminal device secure accessing Internet of Things |
KR102036725B1 (en) * | 2018-10-08 | 2019-10-28 | 주식회사 케이씨인더스트리얼 | Gateway apparatus and information processing method thereof |
CN116456346A (en) * | 2023-06-13 | 2023-07-18 | 山东科技大学 | RFID group tag authentication method for dynamic grouping |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20070006526A (en) * | 2005-07-08 | 2007-01-11 | 주식회사 비즈모델라인 | System and method for assigning dynamic id to rfid tag, rfid tag, rfid terminal and recording medium |
KR20100090672A (en) * | 2010-07-08 | 2010-08-16 | 주식회사 비즈모델라인 | Rfid tag |
KR20120010604A (en) * | 2010-07-20 | 2012-02-06 | 충남대학교산학협력단 | A random ID-based RFID Mutual authentication method for detecting impersonation attack against a back-end server and a reader |
KR20120101260A (en) * | 2011-03-04 | 2012-09-13 | 충남대학교산학협력단 | A low-cost rfid tag search method preventing the reuse of mobile reader's tag-list |
-
2016
- 2016-11-14 KR KR1020160151035A patent/KR101721510B1/en active IP Right Grant
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20070006526A (en) * | 2005-07-08 | 2007-01-11 | 주식회사 비즈모델라인 | System and method for assigning dynamic id to rfid tag, rfid tag, rfid terminal and recording medium |
KR20100090672A (en) * | 2010-07-08 | 2010-08-16 | 주식회사 비즈모델라인 | Rfid tag |
KR20120010604A (en) * | 2010-07-20 | 2012-02-06 | 충남대학교산학협력단 | A random ID-based RFID Mutual authentication method for detecting impersonation attack against a back-end server and a reader |
KR20120101260A (en) * | 2011-03-04 | 2012-09-13 | 충남대학교산학협력단 | A low-cost rfid tag search method preventing the reuse of mobile reader's tag-list |
Non-Patent Citations (17)
Title |
---|
A. Juels, "RFID security and privacy: A research survey," IEEE J. Sel. Areas in Commun., vol. 24, no. 2, pp. 381-394, 2006. |
B. Toiruul, K. O. Lee, H. J. Lee, Y. H. Lee, and Y. Y. Park, "Mutual-authentication mechanism for RFID systems," Mobile Ad-hoc and Sensor Networks, Springer, pp. 449-460, Hong Kong, China, Dec. 2006. |
D. H. Jeon, H. M. Kim, H. J. Kwon, and S. J. Kim, "Hash-based Mutual Authentication Protocol for RFID Environment," J. KICS, vol. 35, no. 1B, pp. 42-52, Oct. 2010. |
E. J. Yoon and K. Y. Yoo, "Patient authentication system for medical information security using RFID," J. KICS, vol. 35, no. 6B, pp. 962-969, Jun. 2010. |
J. S. Kim, J. K. Park, and Y. T. Shin, "RFID-Based automatic inspection system design and implementation for manufacturing and retail industry," J. KICS, vol. 39, no. 1C, pp. 97-105, Jan. 2014. |
J. Saito, J. C. Ryou, and K. Sakurai, "Enhancing privacy of universal re-encryption scheme for RFID tags," Embedded and Ubiquitous Computing, Springer, pp. 879-890, Aizu-Wakamatsu City, Japan, Aug. 2004. |
K. H. Chung, K. Y. Kim, S. J. Oh, J. K. Lee, Y. S. Park, and K. S. Ahn, "A mutual authentication protocol using key change step by step for RFID systems," J. KICS, vol. 35, no. 3B, pp. 462-473, Mar. 2010. |
K. Rhee, J. Kwak, S. Kim, and D. Won, "Challenge-response based RFID authenti- cation protocol for distributed database environment," Security in Pervasive Computing, Springer, vol. 3450, pp. 70-84, Boppard, Germany, 2005. |
K. Rhee, J. Kwak, W. S. Yi, C. Park, S. Park, H. Yang, S. Kim, and D. Won, "Efficient RFID authentication protocol for minimizing RFID tag computation," Advances in Hybrid Inf. Technol., Springer, pp. 607-616, Jeju Island, Korea, Nov. 2006. |
M. Aigner and M. Feldhofer, "Secure symmetric authentication for RFID tags," Telecommun. Mob. Comput., Graz, Austria, 2005. |
R. S. Ahn, E. J. Yoon, K. D. Bu, and I. G. Nam, "Secure and efficient DB security and authentication scheme for RFID system," J. KICS, vol. 36, no. 4C, pp. 197-206, Nov. 2011. |
S. A. Weis, S. E. Sarma, R. L. Rivest, and D. W. Engels, "Security and privacy aspects of low-cost radio frequency identification systems," Security in Pervasive Computing, Springer, pp. 201-212, Boppard, Germany, 2004. |
S. E. Sarma, S. A. Weis, and D. W. Engels, "RFID systems and security and privacy implications," Cryptographic Hardware and Embedded Systems-CHES 2002, Springer, pp. 454-469, Redwood Shores, CA, USA, Aug. 2002. |
S. Kim, K. Lee, S. Kim, and D. Won, "Security analysis on anonymous mutual authentication protocol for RFID tag without back-end database and its improvement," World Acad. Sci. Eng. Technol., vol. 59, pp. 460-464, Nov. 2009. |
S. Oh, C. Lee, T. Yun, K. Chung, and K. Ahn, "Improved authentication protocol for privacy protection in RFID systems," J. KICS, vol. 38, no. 1, pp. 12-18, Jan. 2013. |
W. Che, S. Kim, Y. Kim, T. Yun, K. Ahn, and K. Han, "Design of PUF-Based encryption processor and mutual authentication protocol for Low-Cost RFID authentication," J. KICS, vol. 39, no. 12B, pp. 831-841, Dec. 2014. |
W. S. Bae, "Design of an authentication protocol for privacy protection in RFID systems," J. Digital Policy and Management, vol. 10, no. 3, pp. 155-160, Apr. 2012. |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107231231A (en) * | 2017-06-16 | 2017-10-03 | 深圳市盛路物联通讯技术有限公司 | A kind of method and system of terminal device secure accessing Internet of Things |
KR102036725B1 (en) * | 2018-10-08 | 2019-10-28 | 주식회사 케이씨인더스트리얼 | Gateway apparatus and information processing method thereof |
CN116456346A (en) * | 2023-06-13 | 2023-07-18 | 山东科技大学 | RFID group tag authentication method for dynamic grouping |
CN116456346B (en) * | 2023-06-13 | 2023-08-25 | 山东科技大学 | RFID group tag authentication method for dynamic grouping |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Alladi et al. | SecAuthUAV: A novel authentication scheme for UAV-ground station and UAV-UAV communication | |
Tewari et al. | A lightweight mutual authentication protocol based on elliptic curve cryptography for IoT devices | |
Saxena et al. | Authentication protocol for an IoT-enabled LTE network | |
Jang et al. | Hybrid security protocol for wireless body area networks | |
Badra et al. | A lightweight security protocol for NFC-based mobile payments | |
Abughazalah et al. | Secure improved cloud-based RFID authentication protocol | |
Dehkordi et al. | Improvement of the hash-based RFID mutual authentication protocol | |
Yang | Across-authority lightweight ownership transfer protocol | |
KR101721510B1 (en) | An Authentication Method for Privacy Protection in RFID Systems | |
Hamandi et al. | A privacy-enhanced computationally-efficient and comprehensive LTE-AKA | |
Saeed et al. | Preserving Privacy of User Identity Based on Pseudonym Variable in 5G. | |
Li et al. | A hidden mutual authentication protocol for low‐cost RFID tags | |
Abdo et al. | EC-AKA2 a revolutionary AKA protocol | |
Gope | Anonymous mutual authentication with location privacy support for secure communication in M2M home network services | |
KR20120010604A (en) | A random ID-based RFID Mutual authentication method for detecting impersonation attack against a back-end server and a reader | |
Saxena et al. | A novel hash-based mutual RFID tag authentication protocol | |
Syamsuddin et al. | A survey on low-cost RFID authentication protocols | |
Kardaş et al. | An efficient and private RFID authentication protocol supporting ownership transfer | |
WO2021088593A1 (en) | Verification method, device and equipment and computer readable storage medium | |
Lee et al. | Privacy challenges in RFID systems | |
Seo et al. | Secure RFID authentication scheme for EPC class Gen2 | |
KR101216993B1 (en) | A Low-Cost RFID Tag Search Method Preventing the Reuse of Mobile Reader's Tag-List | |
Yin et al. | Keep all mobile users′ whereabouts secure: A radio frequency identification protocol anti‐tracking in 5G | |
KR100760044B1 (en) | System for reading tag with self re-encryption protocol and method thereof | |
Rajagopalan et al. | A lightweight inter-zonal authentication protocol for moving objects in low powered RF systems |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant |