Breaking the Forward Secrecy of O-FRAKE
The above attack can be extended to break the forward secrecy of the O-FRAKE protocol, which is an extension of O-FRAP that furthermore establishes a shared secret session key between the tag and reader.
1. The adversary first eavesdrops an O-FRAKE session and records $(r, r_i, v_2)$.
2. It then corrupts a tag $T_{i'}$ at the point after the tag outputs Accept. It thus obtains a pair $(K_{i'}, SK_{i'})$ corresponding to a previously completed subsession, and not the updated $(K_{i'}, SK_{i'}) = (v_4, v_5)$.
3. The adversary calculates $v_1 \| v_2 \| v_3 \| v_4 \| v_5 = F(K_{i'}, r \| r_i)$. It can then check the computed $v_2$ against its recorded $v_2$ for a match, thereby associating the tag $T_{i'}$ with the particular completed subsession corresponding to its recorded $(r, r_i, v_2)$; further, it also knows that the established session key for that associated session is $SK_{i'}$.
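The linking check of step 3, as an added example that is not code from the thesis or from the O-FRAKE authors. It assumes HMAC-SHA256 as a stand-in for $F$, 16-byte values, and a simplified subsession that exposes only the values named above; `F`, `run_session`, `link` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import os

def F(key: bytes, data: bytes) -> list:
    """Stand-in PRF (assumption): HMAC-SHA256 in counter mode, cut into v1..v5."""
    stream = b"".join(
        hmac.new(key, bytes([i]) + data, hashlib.sha256).digest() for i in range(3)
    )
    return [stream[16 * j:16 * (j + 1)] for j in range(5)]

def run_session(state: dict, apply_update: bool) -> tuple:
    """Run one simplified subsession and return what an eavesdropper records."""
    r, r_i = os.urandom(16), os.urandom(16)  # reader nonce, tag nonce
    v1, v2, v3, v4, v5 = F(state["K"], r + r_i)
    if apply_update:  # state replaced by (v4, v5) before any corruption
        state["K"], state["SK"] = v4, v5
    return (r, r_i, v2)

def link(recorded: list, K: bytes):
    """Step 3: recompute v2 under the corrupted key; index of the match, or None."""
    for idx, (r, r_i, v2) in enumerate(recorded):
        if hmac.compare_digest(F(K, r + r_i)[1], v2):
            return idx
    return None

def demo() -> tuple:
    # Constructed tags with random 16-byte state; nothing here is real tag data.
    tag_a, tag_b, tag_c = ({"K": os.urandom(16), "SK": os.urandom(16)} for _ in range(3))
    recorded = [
        run_session(tag_b, apply_update=True),   # unrelated tag
        run_session(tag_a, apply_update=False),  # state still the subsession's key
        run_session(tag_c, apply_update=True),   # state already overwritten
    ]
    stale = link(recorded, tag_a["K"])    # corrupted state matches transcript 1
    updated = link(recorded, tag_c["K"])  # updated state matches nothing recorded
    return stale, updated

if __name__ == "__main__":
    print(demo())
```

In this model the recorded $v_2$ stops matching as soon as the stored pair has been overwritten with $(v_4, v_5)$.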
6.9 Conclusion
Although we have used a very limited privacy model, we have been able to show that several RFID protocols that allegedly addressed privacy were vulnerable to rather simple attacks. We identify the main cause behind these failures to be the lack of formal analysis. Indeed, most presented protocols were only supported by informal arguments that cannot take into account all the possible attacks an adversary can perform. Therefore, we stress the need of studying the extent of privacy an RFID protocol offers by providing a formal proof of security.
Moreover, we have shown that the choice of the model is crucial, as a protocol can be proven private according to a model with a correct reduction and still be vulnerable to privacy attacks not covered by the model. As was demonstrated with the O-FRAP and O-FRAKE protocols, this applies to the LBdM model.