- •Abstract
- •Resumé
- •Contents
- •Remerciements
- •Personal Bibliography
- •Introduction
- •The Need for Dedicated Cryptographic Primitives for RFID Tags
- •Privacy Issues in RFID Systems
- •Our Privacy Model
- •Preliminaries
- •Notations
- •Probabilities and Negligible Functions
- •Classical Cryptography
- •Message Authentication Codes
- •Cryptographic Hash Functions
- •Universal Hash Functions
- •Pseudo-Random Functions
- •The Random Oracle Model
- •Proof Techniques
- •Hard Problems
- •The LPN Problem and the HB Family
- •The LPN Problem
- •Extensions of the LPN Problem
- •Security Models for the HB Family
- •The HB Protocol
- •The GRS Attack
- •Attempts to Thwart the GRS Attack
- •Description
- •Proposed Parameter Sets
- •Asymptotic Complexity Analysis
- •Optimizing the Attack
- •Thwarting the Attack: the Case of Vectors without False Rejections
- •Perspectives
- •SQUASH
- •Description
- •Handling Window Truncation
- •Handling the Truncation of the Combinaison of Many Integers
- •Generalization
- •Conclusion
- •Privacy Failures in RFID Protocols
- •ProbIP and the SAT Problem
- •Violation of Anonymous Privacy
- •Future Development
- •MARP
- •Description
- •Auth2
- •Description
- •YA-TRAP+
- •O-TRAP
- •A Backward and Forward Untraceable Protocol
- •Tracing O-FRAP
- •Violating the Forward Privacy of O-FRAP
- •Conclusion
- •Privacy Models for RFID
- •The ADO Model
- •Description
- •RFID System
- •Correctness
- •Privacy
- •From Narrow Privacy to Privacy
- •Narrow-Strong and Forward Privacy Using Public-Key Encryption
- •Achieving Strong Privacy
- •Our Proposal: Incorporate the Blinder into the Adversary
- •Sampling Algorithms and the ISH Hypothesis
- •Plaintext-Awareness
- •Instances of Plaintext-Aware Encryption Schemes
- •From PA+ to PA++ Plaintext-Awareness
- •Privacy
- •Security Proof
- •Correctness
- •Security
- •The Case of Mutual Authentication
- •RFID System with Mutual Authentication
- •Correctness
- •Privacy
- •Correctness and Security for the Reader
- •Security for the Tags
- •Strong Privacy with Mutual Authentication
- •Strong Privacy
- •Conclusion
- •The Security of RFID Primitives
- •Our Contributions
- •Further Work
- •Our Contributions
- •Further Work
- •Final Notes
- •List of Figures
- •List of Tables
- •List of Definitions
- •Bibliography
- •Curriculum Vitæ
|
|
|
|
|
the protocol. is causes the tag to update its ri, while its Ki remains unchanged, thus |
||
|
marking the tag for future tracing. |
|
|
|
. Challenge: To trace the tag in future, the adversary observes the interaction between |
||
|
the reader and the tag Tb. |
|
|
|
. Guess: If the reader does not output Accept, then the adversary knows that this tag was |
||
|
indeed the tag that it marked in step ( ), i.e. Tb = T0. Otherwises, he deduces that |
||
|
Tb = T1. |
|
|
|
. . Violating the Forward Privacy of O-FRAP |
|
|
|
In the Le-Burmester-de Medeiros model, corruption is not allowed before a protocol session |
||
|
is initiated, and it is assumed that upon corruption of a party, either a tag or a reader, then |
||
|
the corrupted party’s current incomplete session o ers no privacy. It is claimed that privacy is |
||
|
maintained for all previously completed sessions involving the corrupted party. |
||
|
To motivate our case, we consider the de nition of subsession completion in the LBdM |
||
|
model. A subsession is a party’s view of its current protocol session, e.g. during an O-FRAP |
||
|
protocol session, both the reader and the tag have their own separate views of that session, |
||
|
so-called their subsession. To quote from [LBdM ], “Upon successful completion of a sub- |
||
|
session, each party accepts its corresponding partner as authenticated.” |
us, at the point |
|
|
where a party outputs Accept, its subsession is already considered completed. |
|
|
|
Referring to the O-FRAP description in Figure . , the reader’s subsession is completed at |
||
|
the point when it outputs Accept, i.e. before it updates its entry in L and before it sends v3′ to |
||
|
the tag. Meanwhile, the tag’s subsession is completed at the point that it outputs Accept, i.e. |
||
|
before it updates its Ki. In the context of the Le-Burmester-deMedeiros model, corruption of |
||
|
a party at this point should not violate the privacy of the party corresponding to its completed |
||
|
subsession. |
is is the problem with the O-FRAP proof that we are exploiting. Indeed, we |
show how this can be circumvented.
. |
e adversary rst eavesdrops on an O-FRAP session and records r; ri; v2 . |
. |
en, it corrupts a tag Ti′ at the point a er the tag outputs Accept. It thus obtains Ki′ |
|
corresponding to a previoulsy completed subsession, and not the updated Ki′ = v4. |
. |
e adversary calculates v1jjv2jjv3jjv4 = F (Ki′; rjjri). It can then check the comput- |
|
ed v2 with its recorded v2 for a match, thereby associating the tag Ti′ to the particular |
|
completed subsession corresponding to its recorded r; ri; v2 . |
Our attack here requires a stronger adversary than the other attacks we have presented in earlier sections of this chapter. Yet, assuming corruption capabilities is taken into account by the Le-Burmester-deMedeiros model in which O-FRAP’s privacy was proven, and shows that O-FRAP does not achieve its goal of forward untraceable privacy.
.