
be to include a key-updating mechanism similar to OSK [OSK ] at the end of the protocol using a one-way function.

Another approach, recently taken by Kiltz et al. [KPC+ ] was to randomize the tag’s response by having some of the equations erroneous with some probability . A discussion of this scheme can be read in Chapter .

6.3 MARP

. . Description

Starting from the observation that RFID tags do not support expensive computations that are quasi-mandatory to achieve security and privacy, Kim et al. [KYK ] considered the use of a third party acting between the reader and the tags, a mobile agent for RFID privacy abbreviated MARP hereafter. In practice, the role of the MARP can be played by a PDA or a mobile phone. The idea of Kim et al. was to bind a tag to a MARP so that it is the latter who authenticates to the reader on behalf of the tag. For that, the scheme they proposed is composed of three sub-protocols. At first, each tag is given a PIN that can be used to unlock it. A copy of that PIN is also stored in the database. The first sub-protocol, called the initial setup phase, is used to transfer the PIN authentication capabilities of a tag to a designated MARP: at the end of the protocol, the MARP learns a secret, associated with the tag’s PIN, that allows it to act on behalf of the latter. Concretely, this operation is supposed to represent a transfer of ownership. This operation typically happens when an item is bought in a store and the client’s MARP registers the PIN of the tag attached to the product.

Once the secret information of the tag is stored in the MARP, the tag is put into sleep mode. This is called the privacy preserving phase as it allows the MARP to act on behalf of the tag. It is also the most typical mode of the proposed scheme as data communication occurs only between a MARP and the reader. Another mode, called authentication mode, is also proposed for when the reader wants to ensure that a MARP is effectively paired with a tag as it claims. As MARPs only learn the hash of the tags’ keys, the protocol consists of the reader sending an encrypted challenge to the MARP. The latter decrypts it and forwards it to the tag who hashes its XOR with the key. Finally, that hash value is sent back to MARP who encrypts it and forwards it to the reader. A mathematical description of the scheme is depicted in Figure . . To avoid confusion with the next protocol, we shall name this protocol MARP- .

Another protocol, which we refer to as MARP- and which does not feature all those different modes, was also proposed by the authors of MARP- . Instead, it allows a double authentication of the MARP and a tag at once. The first is authenticated using its key pair and the information it has received from the tag during the initialization phase, while the second uses its PIN. The detailed steps of this protocol are depicted in Figure . .

It is worth mentioning that in both MARP protocols, all communication channels, except the one between the reader and the server, are assumed to be insecure. That is, any malicious entity can access all those channels during all phases and manipulate the data transmitted over them.

Reader (IDg). Key pair: (skg, pkg)
MARP. Key pair: (skm, pkm)
Tag. Secrets: ID, PINID, KID

Initialization Phase
→ PINID
Store PINID
hPIN h(PINID) → hPIN
xID = PINID ID
xK = PINID h(KID)
xID, xK
Store ID, h(KID)

Privacy Preserving Phase
Pick Rr
Sign_skg(IDg‖Rr) → IDg, Rr,
Check Signature
Pick Rm
c1 Enc_pkg(Rr‖Rm)
a1 Sign_skm(c1)
a1, c1
Check Signature
Recover Rm
r Sign_skg(Rm)
cr Enc_pkm( r) → cr
Check Signature
e E_h(KID)(ID)
c2 E_skm(ID‖e)
a2 Sign_skm(c2)
a2, c2
Check signature
Recover ID

Authentication Phase
Pick R
e
Decrypt e
R
e
Enc_pkm(R) → e2
→ at
at = h(R KID)
Recover PINID
e2 Enc_pkg(at)

Figure 6.2: The MARP protocol, comprising phases: setup, privacy protection, and authentication.

. . Cryptanalysis of MARP-

Tracing. Note that a2 is fixed per tag, being a function of a particular tag Tt’s unique identifier IDt and its secret key KID. As the channel between the reader and the MARP is not confidential, an adversary via Execute queries (i.e. eavesdropping) can easily track the movement of Tt by checking for matches of a2 with previously captured values, as the encryption scheme is deterministic. Alternatively, the adversary can replay an old R from MARP to the tag via Send queries, and check if the response at matches the old value of at corresponding to the

Reader (IDg). Key pair: (skg, pkg)
MARP. Key pair: (skm, pkm)
Tag. Secrets: PINID, KID

MARP Authentication
Pick Rr
Sign_skg(IDg‖Rr) → IDg, Rr,
Check Signature
Pick Rm
c1 Enc_pkg(Rr‖Rm)
a1 Sign_skm(c1)
a1, c1
Check Signature
Recover Rm
r Sign_skg(Rm)
cr Enc_pkm( r) → cr
Check Signature
e E_h(KID)(ID)
c2 E_skm(ID‖e)
a2 Sign_skm(c2)
a2, c2
Check signature
Recover ID

Tag Authentication
Pick Rs
hr = h(KID) Rs → hr
Pick Rd
hd = h(Rd h(PINID))
hP = h(PINID) Rs → Rd, hd, hP
Recover Rs
a3 = h(KID Rs)
a3
Check that a3 matches

Figure 6.3: The MARP protocol, comprising phases: MARP authentication and tag authentication.
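The tracing argument of the cryptanalysis above can be checked on a small model of the privacy preserving phase of Figure 6.2. The following Python sketch is an added example, not part of the original text or of the MARP authors' work. It assumes HMAC-SHA256 as a stand-in for the deterministic E and Sign operations (only determinism is modelled), and the `randomized` flag is a hypothetical variant added for contrast, not a fix proposed here.

```python
import hashlib, hmac, os
from collections import defaultdict

def h(data):                       # the protocol's hash h(.)
    return hashlib.sha256(data).digest()

def det(key, label, msg):
    # Assumption: HMAC stands in for the deterministic E_k(.) and Sign_sk(.);
    # only the property "same inputs give same output" matters here.
    return hmac.new(key, label + msg, hashlib.sha256).digest()

class Tag:
    def __init__(self, tag_id, k_id):
        self.tag_id, self.k_id = tag_id, k_id
    def respond(self, r):          # at = h(R xor KID), authentication phase
        return h(bytes(x ^ y for x, y in zip(r, self.k_id)))

class Marp:
    def __init__(self, skm, tag):  # after setup the MARP holds ID and h(KID)
        self.skm, self.tag_id, self.h_kid = skm, tag.tag_id, h(tag.k_id)
    def privacy_phase(self, randomized=False):
        # The Rr/Rm handshake is omitted: it never enters e, c2 or a2.
        nonce = os.urandom(16) if randomized else b""   # hypothetical variant
        e = det(self.h_kid, b"E", self.tag_id + nonce)  # e  = E_h(KID)(ID)
        c2 = det(self.skm, b"E", self.tag_id + e)       # c2 = E_skm(ID || e)
        a2 = det(self.skm, b"S", c2)                    # a2 = Sign_skm(c2)
        return a2, c2

def link_sessions(observed):
    """Group eavesdropped (a2, c2) pairs by a2; return lists of session indices."""
    groups = defaultdict(list)
    for idx, (a2, _c2) in enumerate(observed):
        groups[a2].append(idx)
    return sorted(groups.values())

def run(randomized):
    # Constructed sample: two tags, each bound to its own MARP, four sessions.
    tag_a, tag_b = Tag(b"A" * 16, b"\x11" * 16), Tag(b"B" * 16, b"\x22" * 16)
    marp_a, marp_b = Marp(b"skm-a", tag_a), Marp(b"skm-b", tag_b)
    order = [marp_a, marp_b, marp_a, marp_a]
    return link_sessions([m.privacy_phase(randomized) for m in order])

if __name__ == "__main__":
    print("deterministic:", run(False))
    print("randomized:   ", run(True))
```

With deterministic primitives, sessions 0, 2 and 3 collapse into one group because a2 repeats; with fresh per-session randomness every session stands alone. `Tag.respond` shows the second observation: the same R always yields the same at.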