11 CONCLUSION

Contents
The Security of RFID Primitives
  Our Contributions
  Further Work
Privacy in RFID Protocols
  Our Contributions
  Further Work
Final Notes
The RFID technology is promising, with several upcoming evolutions that will hopefully lead to its widespread deployment and a general consensus on its benefits. In particular, two aspects on which current RFID tags should be improved are security and privacy. While the specific constraints put on these lightweight devices rule out the use of classical cryptographic primitives, we presented an assessment of the security of two original designs, HB and SQUASH. The second part of the thesis was dedicated to studying the level of privacy RFID tags can offer.
The main contributions of this thesis are summarized in the list below.
1. We showed that the HB protocol is insecure against man-in-the-middle attacks. This gave a negative answer to a conjecture by Gilbert et al. that claimed otherwise.
2. We invalidated SQUASH's security argument by mounting an attack against its earlier variant, SQUASH-0, which rests on the same security assumption. Although our attack does not compromise the security of SQUASH's final proposal, it showed that its security is unrelated to factoring.
3. To emphasize the need for a framework assessing privacy and the importance of studying protocols in such a framework, we illustrated how several authentication protocols dedicated to RFID tags compromise privacy. The list of these protocols includes ProbIP, MARP, Auth2, YA-TRAP, YA-TRAP+, O-TRAP, RIPP-FS, and the Lim-Kwon protocol.
4. We also argued that protocols proven private in the UC-based model of Le, Burmester and de Medeiros are still vulnerable to privacy attacks that have a practical sense. We took O-FRAP and O-FRAKE as examples.
5. We reformulated Vaudenay's definition of privacy. We also incorporated two flavors of correctness, depending on whether it is ensured in an absolute or contextual sense. We also clarified the way adversaries formally select tags.
6. We studied the relation of Vaudenay's model with the extended Juels-Weis privacy model and the ZK-privacy model. We did that by illustrating protocols that can be proven private in their model but fail to meet our standard notion of privacy.
7. We also analyzed variants of Vaudenay's privacy model that were meant either to simplify the definitions, such as the HPVP model, or to make Strong privacy possible, such as the proposal of Ng et al. We showed that the former model fails to capture real-world attackers' capabilities. We also argued that the notion of wise adversaries proposed by Ng et al. cannot be justified in practical attack scenarios.
8. We corrected Vaudenay's definition of privacy and showed that with the new definition Strong privacy is achievable. We then used the encryption-scheme notion of plaintext-awareness to instantiate a protocol achieving this level of privacy.
9. We illustrated a separation between two notions of security for encryption schemes, namely IND-CCA on one side and IND-CPA coupled with PA on the other side.
.