e RFID technology is promising with several upcoming evolutions that will hopefully lead them to a widespread development and a general consensus on their bene ts. In particular, two aspects on which current RFID tags should be improved are security and privacy. Whilethespeci cconstraintsputontheselightweightdevicesdeniedtheuseofclassicalcryptographic primitives, we presented an assessment of the security of two original designs, HB and S UASH. e second part of the thesis was dedicated to studying the level of privacy RFID tags can o er.
e main contributions of this thesis are summarized in the list below.
. We showed that the HB protocol is insecure against man-in-the-middle attacks. is gave a negative answer to a conjecture by Gilbert et al. that claimed otherwise.
. We invalidated S UASH’s security argument by mounting an attack against its earlier variant, S UASH-0, that stands on the same security assumption. Although our attack does not compromise the security of S UASH’s nal proposal, it showed that its security is unrelated to factoring.
. To emphasize the need for a framework assessing privacy and the importance of studying protocols in such a framework, we illustrated how several authentication protocols dedicated to RFID tags compromise privacy. e list of these protocols include ProbIP, MARP, Auth , YA-TRAP, YA-TRAP+, O-TRAP, RIPP-FS, and the Lim-Kwon protocol.
. We also argued that protocols proven private in the UC-based model of Le, Burmester and de Meideros, are still vulnerable to privacy attacks that have a practical sense. We took for examples, O-FRAP and O-FRAKE.
. We reformulated Vaudenay’s de nition of privacy. We also incorporated two avors of correctness, depending on whether it is ensured in an absolute or contextual sense. We also clari ed the way adversaries formally select tags.
. WestudiedtherelationofVaudenay’smodelwiththeextended-Juels-Weisprivacymod- el and the the ZK-privacy model. We did that by illustrating protocols that can be proven to be private in their model, but fail to meet our standard notion of privacy.
. We also analyzed variants of Vaudenay’s privacy model that were meant to either simplify the de nitions, such as the HPVP model, or to make Strong privacy possible such as the proposal of Ng et al. We showed that the former model fails to capture real-world attackers capabilities. We also argued that the notion of wise adversaries proposed by Ng et al. fails to justify in practical attack scenarios.
. We corrected Vaudenay’s de nition of privacy and showed that with the new de nition Strong privacy is achievable. We then used encryptions schemes’ notion of plaintextawareness to instantiate a protocol achieving this level of privacy.
. We illustrated a separation between two notions of security for encryption schemes, namely IND-CCA on one side and IND-CPA coupled with PA on the other side.
