TWI504222B - Authentication method - Google Patents

Publication number: TWI504222B
Authority: TW (Taiwan)
Prior art keywords: authentication, candidate, server, key, client device
Application number: TW102129302A
Other languages: Chinese (zh)
Other versions: TW201507429A (en)
Original Assignee: Univ Nat Chi Nan
Application filed by Univ Nat Chi Nan
Priority to TW102129302A
Publication of TW201507429A
Application granted
Publication of TWI504222B


Description

Authentication method

The present invention relates to an authentication technique, and in particular to an anonymous authentication method that provides a lightweight radio frequency identification (RFID) authentication protocol suitable for multi-server environments, with untraceability and forward secrecy.

In recent years, the rapid development of RFID has broadened its fields of application, chiefly identity recognition, mass-transit ticketing, inventory counting and logistics supply-chain management. As RFID technology continues to advance, how to use RFID in innovative applications that improve people's lives has remained a major research topic in this field. However, once an RFID system is applied to personal identification, for example security access control, electronic ticketing, medical record management, patient identification or patient contact-history tracking, an unauthorized reader may illegally access tag data, which infringes the user's privacy. Considerable research has therefore been devoted to strengthening authentication between RFID tags and RFID readers, so as to prevent attackers from obtaining user-related information (location, private data, etc.) or from destroying the validity of the tag.

A conventional RFID authentication method, such as the authentication method, authentication system and electronic tag disclosed in Taiwan patent I398153, is based on error correction code (ECC) technology. The conventional method is implemented in an authentication system including at least one client device and one server device, and achieves anonymity and untraceability of the RFID tag during communication. However, in the conventional method the RFID tag does not have forward secrecy when it roams between multiple servers, and the number of RFID tags the method can support is limited, so it is not suitable for authentication systems that require a large number of RFID tags.

Accordingly, an object of the present invention is to provide an authentication method.

The authentication method of the present invention is implemented in an authentication system including at least one client device and a server group, wherein the server group has at least one server device. The method comprises the following steps: (a) the client device generates a transmitted ciphertext according to a codeword allocated by the server group and an asymmetric key issued by the server group; (b) the client device transmits an authentication data set to the server device, wherein the authentication data set includes the transmitted ciphertext and a first verification data; and (c) the server device authenticates the client device according to the received authentication data set, wherein step (c) includes the following sub-steps: (c-1) the server device solves the transmitted ciphertext of the authentication data set to obtain a plurality of candidate plaintexts, each candidate plaintext having a candidate authentication index; (c-2) the server device calculates, according to the candidate authentication indexes, a candidate key corresponding to each candidate plaintext; and (c-3) the server device verifies the candidate key corresponding to each candidate plaintext against the received first verification data, and thereby determines whether the client device is successfully authenticated.

1: server group
10: server device
11: server transceiver unit
12: server processing unit
13: server storage unit
20: client device
21: client transceiver unit
22: client processing unit
31~36: steps of the initialization phase
401~409: steps of the authentication phase
410~413: steps of the authentication phase

Other features and effects of the present invention will be clearly presented in the embodiments described with reference to the drawings, in which: FIG. 1 is a block diagram illustrating a preferred embodiment of the authentication system of the present invention; FIG. 2 is a flowchart illustrating an initialization phase in a preferred embodiment of the authentication method of the present invention; and FIG. 3 and FIG. 4 are a flowchart illustrating an authentication phase in the preferred embodiment of the authentication method.

The foregoing and other technical contents, features and effects of the present invention will be clearly presented in the following detailed description of a preferred embodiment with reference to the drawings.

Referring to FIG. 1, a preferred embodiment of the authentication system of the present invention includes a server group 1 and at least one client device 20. The server group 1 includes at least one server device 10, and the server device 10 includes a server transceiver unit 11, a server processing unit 12 connected to the server transceiver unit 11, and a server storage unit 13 connected to the server processing unit 12. The client device 20 includes a client transceiver unit 21 for communicating with the server device 10, and a client processing unit 22 connected to the client transceiver unit 21.

In this preferred embodiment, the authentication system is an RFID system with an authentication mechanism. The server group 1 forms a distributed server environment composed of a plurality of server devices 10. In each server device 10, the server transceiver unit 11 is an RFID reader/writer, the server processing unit 12 is the processor of a computer, and the server storage unit 13 is a database. The client device 20 is an RFID tag, its client transceiver unit 21 is an antenna, and its client processing unit 22 is a processing chip. It is worth noting that the present invention applies to any authentication system in which the client device 20 has weak computing capability, and is not limited to the RFID system disclosed in this preferred embodiment.

To make the interaction between the components of the above authentication system and their individual functions clearer, they are described below together with a preferred embodiment of the authentication method of the present invention. Although FIG. 1 shows a plurality of client devices 20, the present invention can also be applied to an authentication system with only one client device 20, and the operations performed between each client device 20 and each server device 10 are substantially the same. The detailed authentication process is therefore described in terms of the operations between the client device 20 with identity $T_l$ and the server device 10 with identity $S_i$.

The authentication method of the present invention comprises two phases: an initialization phase (see FIG. 2) and an authentication phase (see FIG. 3 and FIG. 4).

Referring to FIG. 1 and FIG. 2, the initialization phase is performed once when the authentication system is established. After that it needs to be performed only when the components of the authentication system change, for example when a client device 20 is added or removed. The initialization phase includes the following steps.

In step 31, the server group 1 issues a public function and an asymmetric key. The public function is a pseudo-random number generator, denoted $g()$. The asymmetric key uses an asymmetric cryptosystem, for example the Rabin encryption system; the asymmetric key is denoted $N$ and is the product of two private primes $p$ and $q$.

In step 32, the server group 1 randomly generates a key assigned to the client device 20 with identity $T_l$, and initializes an authentication index assigned to the client device 20 with identity $T_l$, wherein the key is denoted by $K_l$ and the authentication index is denoted by (initial value set to 1).

In step 33, the server processing unit 12 of each server device 10 in the server group 1 records the key and the authentication index assigned to the client device 20 with identity $T_l$ in the server storage unit 13 connected to it, wherein, for the server device 10 with identity $S_i$ in the server group 1, the key and the authentication index stored in the server storage unit 13 are denoted by $K_{i,l}$ and , respectively.

In step 34, the server group 1 selects any linear error correction code as a linear code. The linear code is specified by a generator matrix, and all elements of the generator matrix belong to $GF(2)$. The linear code is denoted by $C(n, k, d)$, where $n$ is the codeword length of the linear code, $k$ is the length of the original data before encoding, and $d$ is the minimum distance of the linear code; the generator matrix is denoted by $G_{k \times n}$.

In step 35, the server group 1 generates a codeword allocated to the client device 20 with identity $T_l$ as a linear combination of a set of basis vectors of the generator matrix $G_{k \times n}$, wherein the codeword is denoted by $c_l$ and $l$ satisfies $1 \le l \le 2^k - 1$. It is worth noting that the codeword allocated to each client device 20 is a non-zero codeword that has not already been used.

In step 36, the server processing unit 12 of each server device 10 records the codeword allocated to the client device 20 with identity $T_l$ in the server storage unit 13 connected to it.

When the server transceiver unit 11 of the server device 10 with identity $S_i$ is about to sense, or has sensed, the client device 20 with identity $T_l$, the authentication phase begins. It includes the following steps.

In step 401, the server processing unit 12 of the server device 10 with identity $S_i$ randomly generates a challenge value, and transmits a query message carrying the challenge value to the client device 20 through the server transceiver unit 11 of the server device 10 with identity $S_i$, wherein the challenge value is denoted by $N_R$.

In step 402, the client transceiver unit 21 of the client device 20 with identity $T_l$ receives the query message carrying the challenge value. The client processing unit 22 of the client device 20 with identity $T_l$ then arbitrarily generates an error vector, wherein the error vector is denoted by $e_l$ and its Hamming weight is less than or equal to ; the client processing unit 22 of the client device 20 with identity $T_l$ then calculates a transmission codeword using the following equation (1):

where denotes the transmission codeword, and $c_l$ denotes the codeword.

In step 403, the client processing unit 22 of the client device 20 with identity $T_l$ generates a plaintext according to the transmission codeword and the authentication index , wherein the plaintext is denoted by $m_l$ and $\|$ denotes the string concatenation operator.

In step 404, the client processing unit 22 of the client device 20 with identity $T_l$ calculates a transmitted ciphertext using the following equation (2):

where $M_l$ denotes the transmitted ciphertext, $m_l$ denotes the plaintext, and $N$ denotes the asymmetric key.

In step 405, the client processing unit 22 of the client device 20 with identity $T_l$ generates a first verification data using the public function, according to the received challenge value, the error vector generated in step 402, and the assigned key. The first verification data is denoted by $V_T$ and is calculated as in equation (3) below. The transmitted ciphertext generated in step 404 and the first verification data form an authentication data set, that is, $(M_l, V_T)$.

V_T = g(e_l g(N_R K_l))    (3)

Next, the client processing unit 22 of the client device 20 with identity $T_l$ transmits the authentication data set, through the client transceiver unit 21, to the server transceiver unit 11 of the server device 10 with identity $S_i$.

In step 406, the server device 10 with identity $S_i$ solves the transmitted ciphertext using the Chinese remainder theorem, according to the private primes, to obtain a plurality of candidate plaintexts, denoted by $\{m_{l,u} \mid u = 1, 2, 3, 4\}$. Each candidate plaintext has a candidate transmission codeword and a candidate authentication index, related by , wherein the candidate transmission codeword is denoted by , the candidate authentication index is denoted by , and $1 \le u \le 4$.

In step 407, the server processing unit 12 of the server device 10 with identity $S_i$ decodes each candidate transmission codeword using a parity-check matrix associated with the generator matrix, to obtain a candidate error vector and a candidate codeword corresponding to each candidate plaintext, wherein the candidate error vector corresponding to each candidate plaintext is denoted by $e_{l,u}$, the candidate codeword corresponding to each candidate plaintext is denoted by $c_{l,u}$, and $1 \le u \le 4$.

In step 408, in the server device 10 with identity $S_i$, the server processing unit 12 compares the candidate codeword corresponding to each candidate plaintext with the codewords it has previously recorded as allocated to the different client devices 20, to find the client device 20 that corresponds to the comparison result. It then calculates a candidate key corresponding to each candidate plaintext, according to the key and the authentication index that the server storage unit 13 stored after that client device 20 last authenticated with the server device 10 with identity $S_i$ (if the client device 20 has not yet authenticated with the server device 10, the key and the authentication index are both their initial values), and according to the different candidate authentication indexes. The server processing unit 12 of the server device 10 with identity $S_i$ calculates the candidate key corresponding to each candidate plaintext according to the following equation (4):

where $g()$ denotes the public function, $K_{l,u}$ denotes the candidate key corresponding to the candidate plaintext $m_{l,u}$, denotes the candidate authentication index corresponding to the candidate plaintext $m_{l,u}$, $K_{i,l}$ denotes the key stored by the server device 10 with identity $S_i$, and denotes the authentication index stored by the server device 10 with identity $S_i$.

Therefore, through the following steps 409~410, the server device 10 with identity $S_i$ can use the candidate keys obtained from equation (4) to further obtain the updated value of the previously stored key.

In step 409, the server processing unit 12 of the server device 10 with identity $S_i$ substitutes the challenge value, together with the candidate key and the candidate error vector obtained in steps 407~408 for each candidate plaintext, as parameters in turn into the following equation (5):

Equation (5) thus yields four calculation results, one for each of the four candidate plaintexts. If the value of one of the calculation results matches the first verification data calculated in equation (2), the server device 10 with identity $S_i$ has successfully authenticated the client device 20 with identity $T_l$, wherein the successfully authenticated candidate plaintext is denoted by , and its corresponding candidate key, candidate authentication index and candidate error vector are denoted by , , , respectively.

In step 410, after the authentication in step 408 succeeds, in the server device 10 with identity $S_i$, the server storage unit 13 updates the key and the authentication index it previously stored, according to the candidate key and the candidate authentication index corresponding to the successfully authenticated candidate plaintext, such that $K_{i,l}$ , .

In step 411, after the authentication in step 408 succeeds, the server processing unit 12 of the server device 10 with identity $S_i$ generates a second verification data using the public function, according to the challenge value generated in step 401 and the candidate error vector and candidate key corresponding to the candidate plaintext successfully authenticated in step 409. The second verification data is denoted by $V_{ST}$ and is calculated as in equation (6) below. In the server device 10 with identity $S_i$, the server processing unit 12 transmits the second verification data, through the server transceiver unit 11, to the client device 20 with identity $T_l$.

In step 412, in the client device 20 with identity $T_l$, the client transceiver unit 21 receives the second verification data. The client processing unit 22 then substitutes the received challenge value, the error vector generated in step 402, the key, and the received second verification data as parameters into equation (6) above to perform authentication. If equation (6) holds, the client device 20 with identity $T_l$ has successfully authenticated the server device 10 with identity $S_i$.

In step 413, after the authentication in step 412 succeeds, the server processing unit 12 of the client device 20 with identity $T_l$ updates the key using the public function and increments the value of the authentication index by one, such that $K_l \leftarrow g(K_l)$, and +1.
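The tag and server sides of steps 402 to 410 and 413, as an added example that is not part of the patent text. Assumptions, since equations (1), (2) and (4) and the operators in equation (3) did not survive on this page: the codeword is masked and $V_T$ is combined with XOR, the ciphertext is the Rabin square of the plaintext modulo $N$, the plaintext is laid out as codeword followed by a 16-bit index, and the candidate key is obtained by applying $g()$ once per index step since the stored key. SHA-256 stands in for $g()$, the code is Hamming(7,4) with error weight at most 1, the primes are toy-sized, and `MAX_GAP` is a bound added here.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters (assumptions; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1      # private primes p, q, both congruent to 3 mod 4
N = P * Q                        # public Rabin modulus N
CW_BITS, IDX_BITS = 7, 16        # Hamming(7,4) codeword, 16-bit authentication index
MAX_GAP = 64                     # added bound on catch-up work (not from the patent)


def g(x: int) -> int:
    """Stand-in for the public function g(): SHA-256 truncated to 128 bits."""
    return int.from_bytes(hashlib.sha256(x.to_bytes(32, "big")).digest()[:16], "big")


def decode(word: int):
    """Syndrome-decode a 7-bit word; column j of the check matrix is j in binary."""
    s = 0
    for pos in range(1, CW_BITS + 1):
        if (word >> (pos - 1)) & 1:
            s ^= pos
    err = (1 << (s - 1)) if s else 0
    return word ^ err, err       # (candidate codeword, candidate error vector)


def tag_respond(tag: dict, n_r: int):
    """Steps 402-405 on the tag: mask the codeword, encrypt, compute V_T."""
    err = secrets.choice([0] + [1 << i for i in range(CW_BITS)])  # weight <= 1
    m = ((tag["c"] ^ err) << IDX_BITS) | tag["idx"]   # plaintext: codeword || index
    return pow(m, 2, N), g(err ^ g(n_r ^ tag["K"]))   # (M_l, V_T); XOR is assumed


def tag_update(tag: dict) -> None:
    """Step 413: K_l <- g(K_l) and the authentication index is incremented."""
    tag["K"], tag["idx"] = g(tag["K"]), tag["idx"] + 1


def rabin_roots(M: int) -> set:
    """Step 406: the four square roots of M modulo N via the CRT."""
    rp, rq = pow(M, (P + 1) // 4, P), pow(M, (Q + 1) // 4, Q)
    cp, cq = Q * pow(Q, -1, P), P * pow(P, -1, Q)
    return {(a * cp + b * cq) % N for a in (rp, P - rp) for b in (rq, Q - rq)}


def server_authenticate(db: dict, n_r: int, M: int, v_t: int):
    """Steps 406-410: return the matched codeword, or None if no candidate verifies."""
    for m in rabin_roots(M):
        word, idx = m >> IDX_BITS, m & ((1 << IDX_BITS) - 1)
        if word >> CW_BITS:                  # root does not parse as codeword || index
            continue
        c, err = decode(word)
        rec = db.get(c)
        if rec is None or not 0 <= idx - rec["idx"] <= MAX_GAP:
            continue
        k = rec["K"]
        for _ in range(idx - rec["idx"]):    # catch up from the last stored key
            k = g(k)
        expect = g(err ^ g(n_r ^ k))
        if hmac.compare_digest(format(expect, "032x"), format(v_t, "032x")):
            rec["K"], rec["idx"] = k, idx    # step 410: store the matched key and index
            return c
    return None


def demo() -> dict:
    """One tag authenticates three times with server A, then roams to server B."""
    cw, k0 = 0b0000111, secrets.randbits(128)          # constructed codeword and key
    tag = {"c": cw, "K": k0, "idx": 1}
    srv_a, srv_b = {cw: {"K": k0, "idx": 1}}, {cw: {"K": k0, "idx": 1}}
    results, old = [], None
    for _ in range(3):
        n_r = secrets.randbits(128)
        old = tag_respond(tag, n_r)
        results.append(server_authenticate(srv_a, n_r, *old))
        tag_update(tag)
    # A captured response resent under a fresh challenge must not verify.
    replay = server_authenticate(srv_b, secrets.randbits(128), *old)
    n_r = secrets.randbits(128)
    roam = server_authenticate(srv_b, n_r, *tag_respond(tag, n_r))
    return {"server_a": results, "replay": replay, "roam_b": roam,
            "b_index": srv_b[cw]["idx"]}
```

Server B has never seen the tag, yet resynchronises from index 1 to index 4 in a single exchange because the index travels inside the Rabin ciphertext; the bound on the gap keeps a forged index from forcing unbounded hashing.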

The authentication method of the present invention has the following advantages:

1. The client device 20 with identity $T_l$ can perform mutual authentication with any server device 10 in the server group 1 by executing steps 401~413 above.

2. In each authentication phase the server device 10 randomly generates a new challenge value, and the corresponding client device 20 also selects a new random error vector. Resent data based on an old challenge $(N_R, e_l)$ therefore cannot fool the server device 10 or the client device 20, so the mechanism of the present invention prevents replay attacks. As for any modification attack and other possible impersonation attacks, the client device 20 updates its key after completing each authentication phase, so an attacker who does not know the latest key cannot generate a correct first verification data or second verification data.

3. In the mechanism of the present invention, the key that each server device 10 stores for the client device 20 with identity $T_l$ is the key stored after its last successful match with that client device. To synchronize with the current key of the client device 20 with identity $T_l$, the server must therefore decrypt the transmitted ciphertext using the Chinese remainder theorem and then obtain the synchronized key through the calculation of equation (4) above. This mechanism ensures that every genuine server device 10 can synchronize with the key of the client device 20, which in turn ensures identity verification between the server device 10 and the client device 20 and provides resistance to de-synchronization attacks.

4. In the mechanism of the present invention, an attacker cannot derive previous keys from a compromised current key, mainly because the key has been updated through the secure update mechanism (that is, $K_l \leftarrow g(K_l)$), and in addition the attacker cannot compute the error vector without knowing the secret generator matrix. With this double protection, the present invention provides forward secrecy.

5. In the mechanism of the present invention, the challenge data $(N_R, e_l)$ of each client device 20 is randomly generated in every authentication phase, and the parameters $\{M_l, V_{ST}, V_T\}$ are all further encrypted through the Rabin encryption system. An attacker therefore cannot draw inferences from the randomly output parameters $\{M_l, V_{ST}, V_T\}$ or use them to track the client device 20, so the present invention provides anonymity and untraceability.

6. In the mechanism of the present invention, taking the linear code $C(n, k, d)$ as an example, the conventional method can support only $O(k)$ RFID tags, whereas the present invention can support $O(2^k)$ RFID tags, far more than the conventional method.

In summary, in the method and system of the present invention, a client device 20 with only weak computing capability, such as a lightweight RFID tag, can implement a mutual authentication mechanism with a high security level that provides anonymity, untraceability and forward secrecy. In addition, the client processing unit 22 of the client device 20 needs only the ability to perform addition, exclusive-or (XOR) and random number generation in order to complete the authentication method of the present invention, so the object of the present invention is indeed achieved.

The above is merely a preferred embodiment of the present invention and does not limit the scope of its implementation; all simple equivalent changes and modifications made according to the claims and the specification of the present invention remain within the scope covered by this patent.


Claims (8)

Claims

1. An authentication method, implemented in an authentication system comprising at least one client device and a server group, the server group having at least one server device, the method comprising the following steps:
(a) performing an initialization process between the server group and the client device, wherein step (a) comprises the following sub-steps:
  (a-1) the server group further publishes a public function, denoted $g(\,)$, which is a pseudo-random number generating function;
  (a-2) the server group assigns a key and an authentication index to the client device whose identity is $T_l$, wherein the key is denoted $K_l$ and the authentication index is denoted ; and
  (a-3) the server group records the key and the authentication index assigned to the client device of identity $T_l$, wherein, for the server device of identity $S_i$ in the server group, the stored key and authentication index are denoted $K_{i,l}$ and , respectively;
(b) the client device generates a transmission ciphertext according to a codeword allocated by the server group and an asymmetric key published by the server group;
(c) the client device transmits an authentication data set to the server device, wherein the authentication data set includes the transmission ciphertext and first verification data; and
(d) the server device authenticates the client device according to the received authentication data set, wherein step (d) comprises the following sub-steps:
  (d-1) the server device solves the transmission ciphertext of the authentication data set to obtain a plurality of candidate plaintexts, each candidate plaintext having a candidate authentication index;
  (d-2) the server device computes, from the candidate authentication indexes, a candidate key corresponding to each candidate plaintext, wherein the server device of identity $S_i$ computes the candidate key corresponding to each candidate plaintext according to the following formula: , with $1 \le u \le 4$; where $g(\,)$ denotes the public function, $K_{l,u}$ and denote the candidate key and the candidate authentication index corresponding to candidate plaintext $m_{l,u}$, and and $K_{i,l}$ denote the authentication index and the key stored by the server device of identity $S_i$; and
  (d-3) the server device verifies the candidate key corresponding to each candidate plaintext against the received first verification data, thereby determining whether the client device is successfully authenticated.

2. The authentication method of claim 1, wherein step (b) comprises the following sub-steps:
  (b-1) the client device of identity $T_l$ arbitrarily generates an error vector;
  (b-2) the client device of identity $T_l$ computes a transmission codeword from the error vector and the codeword:
  (b-3) the client device of identity $T_l$ generates a plaintext from its assigned authentication index and the transmission codeword;
  (b-4) the client device of identity $T_l$ computes the transmission ciphertext using the following equation: $M_l = \bmod\ N$, where $M_l$ denotes the transmission ciphertext, $m_l$ denotes the plaintext, and $N$ denotes the asymmetric key.

3. The authentication method of claim 1, wherein step (a) further comprises a sub-step (a-4): the server group selects any linear error-correcting code as a linear code, the linear code being specified by a generator matrix whose elements all belong to $GF(2)$, where the linear code is denoted $C(n, k, d)$, $n$ is the codeword length of the linear code, $k$ is the length of the original data before encoding, $d$ is the minimum distance of the linear code, and the generator matrix is denoted $G_{k \times n}$; and in step (b), the codeword allocated by the server group to the client device of identity $T_l$ is produced by a linear combination of a basis of the generator matrix $G_{k \times n}$, where the codeword is denoted $c_l$ and $l$ satisfies $1 \le l \le 2^k - 1$.

4. The authentication method of claim 3, further comprising a step (e) between steps (a) and (b): the server device randomly generates a challenge value and transmits a query message carrying the challenge value to the client device.

5. The authentication method of claim 4, wherein in sub-step (d-1) each candidate plaintext further has a candidate transmission codeword, and between sub-step (d-1) and sub-step (d-2) there is a sub-step (d-4): the server device decodes each candidate transmission codeword using a check matrix associated with the generator matrix to obtain a candidate error vector corresponding to each candidate plaintext; and in sub-step (d-3), the server device substitutes the challenge value and the candidate key and candidate error vector corresponding to each candidate plaintext into the public function to obtain a computation result for each candidate plaintext, and verifies these computation results against the received first verification data; if the value of one of the computation results satisfies the first verification data, the server device determines that the client device is successfully authenticated.

6. The authentication method of claim 1, further comprising a step (f) after step (d), wherein step (f) comprises the following sub-steps:
  (f-1) if the client device passes authentication by the server device, the server device transmits second verification data to the client device;
  (f-2) the client device authenticates the server device according to the second verification data and the key; and
  (f-3) if the client device's authentication of the server device in sub-step (f-2) succeeds, the client device updates the key using the public function and increments the value of the authentication index by one.

7. The authentication method of claim 1, wherein sub-step (d-3) is followed by a sub-step (d-5): if the determination in sub-step (d-3) is affirmative, the key and the authentication index stored by the server device are updated according to the candidate key and the candidate authentication index that authenticated successfully.

8. The authentication method of claim 1, wherein in step (b) the asymmetric key published by the server group is the product of two private prime numbers, and in sub-step (d-1) the server device solves the transmission ciphertext using the private prime numbers and the Chinese remainder theorem to obtain the candidate plaintexts.
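The server-side check of sub-steps (d-1) to (d-3), with the Chinese-remainder solving of claim 8 and the index catch-up implied by claims 6 and 7, as an added Python example that is not part of the patent text. Because the formulas are missing from this page, the following are assumptions: the ciphertext is the Rabin-style square m^2 mod N, the plaintext is a 4-byte index followed by a 20-byte codeword, g() is SHA-256, the candidate key is reached by applying g() once per index step, and the proof covers the transmitted codeword (the error-vector decoding of claim 5 is omitted). The primes, MAX_SKEW and all sample values are constructed.

```python
import hashlib, hmac

# Constructed toy parameters (not from the patent): both primes are 3 mod 4.
P, Q = 2**89 - 1, 2**127 - 1   # private primes held by the server group
N = P * Q                      # published "asymmetric key"
MAX_SKEW = 16                  # assumed limit on index catch-up per attempt

def g(data: bytes) -> bytes:
    """Stand-in for the public pseudo-random function g() (assumed: SHA-256)."""
    return hashlib.sha256(data).digest()

def encrypt(index: int, codeword: bytes) -> int:
    """Client: m = 4-byte index || 20-byte codeword (assumed layout); M = m^2 mod N."""
    m = int.from_bytes(index.to_bytes(4, "big") + codeword, "big")
    return pow(m, 2, N)

def candidates(cipher: int) -> list:
    """Server: the four square roots of cipher mod N, combined with the CRT."""
    rp = pow(cipher, (P + 1) // 4, P)   # root mod P, valid because P % 4 == 3
    rq = pow(cipher, (Q + 1) // 4, Q)
    inv = pow(P, -1, Q)
    return sorted({a + P * ((b - a) * inv % Q)
                   for a in (rp, P - rp) for b in (rq, Q - rq)})

def authenticate(cipher, challenge, proof, stored_index, stored_key):
    """Return (index, key) for the candidate that verifies, else None."""
    for x in candidates(cipher):
        if x >> 192:                    # too large for the assumed 24-byte layout
            continue
        raw = x.to_bytes(24, "big")
        index, codeword = int.from_bytes(raw[:4], "big"), raw[4:]
        steps = index - stored_index
        if not 0 <= steps <= MAX_SKEW:  # reject stale or far-future indexes cheaply
            continue
        key = stored_key
        for _ in range(steps):          # assumed rule: one g() per index step
            key = g(key)
        if hmac.compare_digest(g(challenge + key + codeword), proof):
            return index, key
    return None

if __name__ == "__main__":
    k0 = g(b"constructed seed")         # server's stored key at index 3
    key5 = g(g(k0))                     # tag is two updates ahead, at index 5
    cw, ch = bytes(range(20)), b"\x07" * 8
    result = authenticate(encrypt(5, cw), ch, g(ch + key5 + cw), 3, k0)
    print("authenticated:", result is not None and result[0] == 5)
```

The MAX_SKEW bound caps how many g() evaluations an unauthenticated message can force, and the returned pair is what sub-step (d-5) would write back as the server's new stored key and index.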
TW102129302A 2013-08-15 2013-08-15 Authentication method TWI504222B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW102129302A TWI504222B (en) 2013-08-15 2013-08-15 Authentication method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW102129302A TWI504222B (en) 2013-08-15 2013-08-15 Authentication method

Publications (2)

Publication Number Publication Date
TW201507429A TW201507429A (en) 2015-02-16
TWI504222B true TWI504222B (en) 2015-10-11

Family

ID=53019570

Family Applications (1)

Application Number Title Priority Date Filing Date
TW102129302A TWI504222B (en) 2013-08-15 2013-08-15 Authentication method

Country Status (1)

Country Link
TW (1) TWI504222B (en)

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW200518544A (en) * 2003-10-10 2005-06-01 Univ Chang Gung Partition and recovery of a verifiable digital secret
US20120023026A1 (en) * 2007-09-10 2012-01-26 Microsoft Corporation Mobile wallet and digital payment
CN101667255A (en) * 2008-09-04 2010-03-10 华为技术有限公司 Security authentication method, device and system for radio frequency identification
TW201126993A (en) * 2010-01-22 2011-08-01 Univ Nat Chi Nan Authorization method, authorization system and electronic tag
TW201142732A (en) * 2010-05-31 2011-12-01 Nat Univ Chung Hsing A novel RFID-based management system using for purchase and after-sales service on shopping mall
TW201240371A (en) * 2011-03-31 2012-10-01 Chunghwa Telecom Co Ltd Method and system for securely accessing the secure element of the NFC bluetooth dongle

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Hung Yu Chien, "Cryptanalysis on RFID Authentications Using Minimum Disclosure Approach", Information Security (Asia JCIS), 2013 Eighth Asia Joint Conference on, Seoul, pp.33-40, 25-26 July 2013. *

Also Published As

Publication number Publication date
TW201507429A (en) 2015-02-16

Similar Documents

Publication Publication Date Title
US11038694B1 (en) Devices, methods, and systems for cryptographic authentication and provenance of physical assets
CA2652084C (en) A method and apparatus to provide authentication and privacy with low complexity devices
US8595504B2 (en) Light weight authentication and secret retrieval
Burmester et al. Lightweight RFID authentication with forward and backward security
CN110381055B (en) RFID system privacy protection authentication protocol method in medical supply chain
Eldefrawy et al. Mobile one‐time passwords: two‐factor authentication using mobile phones
Doss et al. A minimum disclosure approach to authentication and privacy in RFID systems
CN102640448A (en) System and method for securely identifying and authenticating devices in a symmetric encryption system
CN106603246A (en) SM2 digital signature segmentation generation method and system
US20110185409A1 (en) Authentication Method and System of At Least One Client Device with Limited Computational Capability
Liu et al. A Lightweight RFID Authentication Protocol based on Elliptic Curve Cryptography.
Ibrahim et al. An advanced encryption standard powered mutual authentication protocol based on elliptic curve cryptography for RFID, proven on WISP
Chen et al. A secure ownership transfer protocol using EPCglobal Gen-2 RFID
Lee et al. Mutual authentication protocol for enhanced RFID security and anti-counterfeiting
Akgün et al. Attacks and improvements to chaotic map‐based RFID authentication protocol
Hsu et al. Efficient identity authentication and encryption technique for high throughput RFID system
Fu et al. Scalable pseudo random RFID private mutual authentication
Sundaresan et al. Zero knowledge grouping proof protocol for RFID EPC C1G2 tags
Yang et al. A privacy model for RFID tag ownership transfer
Asadpour et al. Scalable, privacy preserving radio‐frequency identification protocol for the internet of things
Edelev et al. A secure minimalist RFID authentication and an ownership transfer protocol compliant to EPC C1G2
Safkhani et al. Weaknesses in another Gen2-based RFID authentication protocol
Li et al. Vulnerabilities of an ECC‐based RFID authentication scheme
Duc et al. Enhancing security of EPCglobal Gen-2 RFID against traceability and cloning
Chen et al. A secure RFID authentication protocol adopting error correction code

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees