the identifier of the tag it authenticated. Although this is an undeniable privacy loss, we could study the impact of learning such information on the other information that the adversary can try to obtain without relying on the reader.
An extension addressing read/write-only tags can also be envisaged, since these types of tags are still the most commonly used in real-world applications. Such tags only provide two interfaces that can be remotely accessed: one for reading the contents of the tag's memory and another for setting it to a value specified in the command. It is rather easy to see that, from a classical cryptographic point of view, no privacy can be achieved if the tag performs no computations, unless we assume that the adversary does not completely control the communication channels. The goal of the model here would be to measure the best privacy protection such tags can offer.
11.3 Final Notes
The notion of blinder is a powerful tool for assessing the privacy of an RFID system. Yet, we believe that it could be used for other types of cryptographic protocols. First, it could be used in key exchange protocols. Given the similarities these share with RFID protocols, it would be rather straightforward to translate the definitions from one setting to the other. The paradigm could also be used for deployed key establishment Internet protocols such as SSL/TLS. Similarly, we can strengthen zero-knowledge protocols by requiring that not only does the verifier not learn anything from a protocol execution, but also that no other party can deduce any information.
On the other hand, the definitions of plaintext-awareness may be improved so that the knowledge extractor is able to filter any auxiliary information the ciphertext creator gets.