- •Abstract
- •Résumé
- •Contents
- •Acknowledgements
- •Personal Bibliography
- •Introduction
- •The Need for Dedicated Cryptographic Primitives for RFID Tags
- •Privacy Issues in RFID Systems
- •Our Privacy Model
- •Preliminaries
- •Notations
- •Probabilities and Negligible Functions
- •Classical Cryptography
- •Message Authentication Codes
- •Cryptographic Hash Functions
- •Universal Hash Functions
- •Pseudo-Random Functions
- •The Random Oracle Model
- •Proof Techniques
- •Hard Problems
- •The LPN Problem and the HB Family
- •The LPN Problem
- •Extensions of the LPN Problem
- •Security Models for the HB Family
- •The HB Protocol
- •The GRS Attack
- •Attempts to Thwart the GRS Attack
- •Description
- •Proposed Parameter Sets
- •Asymptotic Complexity Analysis
- •Optimizing the Attack
- •Thwarting the Attack: the Case of Vectors without False Rejections
- •Perspectives
- •SQUASH
- •Description
- •Handling Window Truncation
- •Handling the Truncation of the Combination of Many Integers
- •Generalization
- •Conclusion
- •Privacy Failures in RFID Protocols
- •ProbIP and the SAT Problem
- •Violation of Anonymous Privacy
- •Future Development
- •MARP
- •Description
- •Auth2
- •Description
- •YA-TRAP+
- •O-TRAP
- •A Backward and Forward Untraceable Protocol
- •Tracing O-FRAP
- •Violating the Forward Privacy of O-FRAP
- •Conclusion
- •Privacy Models for RFID
- •The ADO Model
- •Description
- •RFID System
- •Correctness
- •Privacy
- •From Narrow Privacy to Privacy
- •Narrow-Strong and Forward Privacy Using Public-Key Encryption
- •Achieving Strong Privacy
- •Our Proposal: Incorporate the Blinder into the Adversary
- •Sampling Algorithms and the ISH Hypothesis
- •Plaintext-Awareness
- •Instances of Plaintext-Aware Encryption Schemes
- •From PA+ to PA++ Plaintext-Awareness
- •Privacy
- •Security Proof
- •Correctness
- •Security
- •The Case of Mutual Authentication
- •RFID System with Mutual Authentication
- •Correctness
- •Privacy
- •Correctness and Security for the Reader
- •Security for the Tags
- •Strong Privacy with Mutual Authentication
- •Strong Privacy
- •Conclusion
- •The Security of RFID Primitives
- •Our Contributions
- •Further Work
- •Our Contributions
- •Further Work
- •Final Notes
- •List of Figures
- •List of Tables
- •List of Definitions
- •Bibliography
- •Curriculum Vitæ
That is, a random variable $x$ following the Bernoulli distribution with parameter $p$, denoted $x \sim \mathrm{Ber}(p)$, takes the value 1 with success probability $p$ and the value 0 with probability $1-p$.

The Binomial Distribution. Simply put, the binomial distribution counts how many Bernoulli trials succeed: it consists of repeating $n$ times an experiment that succeeds with probability $p$ and counting how many of those experiments succeeded. Therefore, the law admits two parameters, $n$ and $p$, and is noted $\mathrm{Binom}(n, p)$. For this distribution, the mean and variance compute as $np$ and $np(1-p)$ respectively. The probability mass function is given by

$$f_{n,p}(x) = \binom{n}{x}\, p^{x} (1-p)^{n-x}.$$
The Gaussian Distribution. Also known as the normal distribution, this distribution is often used as a first approximation to describe random variables that tend to cluster around a single mean value $\mu$, resulting in a bell-shaped distribution curve whose width depends on another parameter $\sigma^2$ called the variance. Its probability density function is

$$\varphi_{\mu,\sigma^2}(x) = \frac{1}{\sqrt{2\pi\sigma^2}}\; e^{-\frac{(x-\mu)^2}{2\sigma^2}}.$$

Its corresponding cumulative distribution function is denoted $\Phi(x)$.
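The three distributions above are exactly what is needed to reason about noise-tolerant protocols such as the HB family treated later in the thesis: each round is a Bernoulli trial, the number of erroneous rounds is binomial, and the Gaussian gives the usual approximation of a binomial tail. The following Python is an added illustration, not code from the thesis; the function and parameter names are my own, and it compares the exact binomial tail with its Gaussian approximation on constructed parameters.

```python
import math
import random


def bernoulli(p, rng=random):
    """One Bernoulli trial: 1 with probability p, 0 otherwise."""
    return 1 if rng.random() < p else 0


def binomial_pmf(n, p, x):
    """f_{n,p}(x) = C(n, x) p^x (1-p)^(n-x): probability of exactly x successes in n trials."""
    if x < 0 or x > n:
        return 0.0
    return math.comb(n, x) * p ** x * (1 - p) ** (n - x)


def binomial_mean_var(n, p):
    """Mean n p and variance n p (1-p) of Binom(n, p)."""
    return n * p, n * p * (1 - p)


def binomial_cdf(n, p, t):
    """Exact Pr[X <= t] for X ~ Binom(n, p), obtained by summing the pmf."""
    return sum(binomial_pmf(n, p, x) for x in range(0, min(t, n) + 1))


def gaussian_pdf(x, mu, sigma2):
    """phi_{mu,sigma^2}(x) = exp(-(x-mu)^2 / (2 sigma^2)) / sqrt(2 pi sigma^2)."""
    return math.exp(-((x - mu) ** 2) / (2 * sigma2)) / math.sqrt(2 * math.pi * sigma2)


def gaussian_cdf(x, mu=0.0, sigma2=1.0):
    """Phi(x) for N(mu, sigma^2), computed through the error function."""
    return 0.5 * (1 + math.erf((x - mu) / math.sqrt(2 * sigma2)))


def binomial_cdf_gaussian(n, p, t):
    """Gaussian approximation of Pr[X <= t] with the usual continuity correction."""
    mu, var = binomial_mean_var(n, p)
    return gaussian_cdf(t + 0.5, mu, var)


def empirical_successes(n, p, seed=1):
    """Run n Bernoulli trials with a seeded generator and count the successes,
    i.e. draw one sample of Binom(n, p) the way the definition describes it."""
    rng = random.Random(seed)
    return sum(bernoulli(p, rng) for _ in range(n))
```

Calling binomial_cdf and binomial_cdf_gaussian on a constructed case such as n = 100, p = 0.25 and t = 30 (a threshold roughly one standard deviation above the mean) shows the two tails agreeing to within a few thousandths, which is why the Gaussian is the convenient tool for sizing thresholds before an exact binomial check.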
2.3 Classical Cryptography
Let us consider two parties, traditionally referred to as Alice and Bob, who share a secret bitstring $K$, called the key. Alice sends a message $m$ to Bob through a communication channel that may be under the control of a malicious entity, that we call Malice. Bob receives a message $\hat{m}$ that may be different from $m$. Depending on the needs of Alice and Bob, they may want to achieve some of the properties below.
Integrity. A communication channel provides integrity if whenever $\hat{m} \neq m$, Bob detects it. That is, no one can modify messages transiting through a noiseless channel without being detected. Note that this property does not prevent Malice from inserting or deleting messages.
Authenticity. In an authenticated channel, Bob only receives messages that come from Alice, and whenever Malice inserts or modifies a message transiting through the channel, it is detected.
Confidentiality. This property aims at preserving the secrecy of the message. That is, it ensures that no one except Bob deduces any information about the message.
In the following sections, we describe classical cryptographic tools for achieving each one of these properties.
[Figure 2.1: Key Generation produces $K$ for Alice and Bob; Alice runs Encrypt on $m$ to obtain $c$, which crosses a channel observed by Mallory; Bob runs Decrypt on $c$ to recover $m$.]
Figure 2.1: Components of a symmetric encryption scheme.
Symmetric Encryption
Depicted in Figure 2.1, symmetric encryption schemes are used to achieve confidentiality.
Definition (Symmetric-Key Encryption)
A symmetric-key encryption system is a set of three algorithms defined as follows.
Key Generation. $\mathrm{KeyGen} \to K$ is an algorithm for generating the symmetric key $K$ that will be used by Alice and Bob to communicate privately.
Encryption. For a message $m$, called the plaintext, $\mathrm{Enc}_K(m) \to c$ produces a ciphertext. This ciphertext is sent to Bob.
Decryption. Decryption is the inverse operation of encryption. That is, $\mathrm{Dec}_K(c) \to m$ produces the plaintext that was encrypted to $c$ using the same key $K$.
Symmetric encryption schemes are divided into two categories: stream ciphers and block ciphers. Stream ciphers are inspired by the one-time pad, the only perfectly secure encryption scheme in the Shannon model [Sha ], the key difference between the two being that in a stream cipher the stream that is XORed with the plaintext is only pseudo-random. Consequently, stream ciphers can encrypt messages of virtually arbitrary length. Popular stream ciphers include RC4, used in many protocols such as SSL, WEP and WPA, and A5/1, used in the GSM cellular telephone standard. On the other side, block ciphers impose a fixed length for the plaintext, so that even shorter messages need to be padded before encryption. Today's most used block ciphers include DES and 3DES, both standardized in [NIS ], AES [DR ], IDEA [LM ], and IDEA-NXT [JV ]. However, techniques known as modes of operation were proposed to extend the maximal length of plaintexts. The CBC mode is an example of such a mode of operation.
[Figure 2.2: Key Generation produces $K$ for Alice and Bob; Alice runs MAC on $m$ and sends the pair $(m, t)$ over a channel controlled by Mallory; Bob runs Verify with $K$ on the pair he receives.]
Figure 2.2: Components of a MAC.
Regarding their security, a stream cipher is secure if the generated bit sequence is indistinguishable from a truly random sequence. More detail on this definition will be given in a later section. The security of block ciphers is a more elaborate case which has been the subject of several definitions, ranging from Vaudenay's decorrelation theory [Vau ] to Bellare-Desai-Jokipii-Rogaway's indistinguishability-based definitions [BDJR ]. In this work, we keep the most general and simple definition for its security, namely indistinguishability from a random permutation. That is, a block cipher is said to be secure if for a randomly chosen permutation $C$, a uniformly distributed key $K$ and every distinguisher $D$, we have

$$\left|\, \Pr\left[ D^{C(\cdot)} \to 1 \right] - \Pr\left[ D^{\mathrm{Enc}_K(\cdot)} \to 1 \right] \,\right| \le 2^{-\dots}$$
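The two passages above, the definition of a symmetric encryption scheme with a mode of operation and the distinguisher-based security definition for block ciphers, can be exercised together. The Python below is an added example and not code from the thesis: the block cipher is a 4-round Feistel network whose round functions are derived from SHA-256 (the Luby-Rackoff construction, chosen so that the example runs without a crypto library; it is a teaching PRP, not AES), used in CBC mode with PKCS#7 padding, and the distinguishing experiment is run against both that cipher and a deliberately weak constructed "XOR with the key" cipher. The toy 64-bit block size and all names are my own choices.

```python
import hashlib
import secrets

BLOCK = 8           # toy 64-bit block size, constructed for speed (AES uses 128 bits)
HALF = BLOCK // 2


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, i, half):
    # Keyed round function derived from SHA-256; the round index i separates the rounds.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]


def feistel_encrypt(key, block, rounds=4):
    """4-round Feistel network with pseudo-random round functions (Luby-Rackoff PRP)."""
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        left, right = right, xor_bytes(left, _round_function(key, i, right))
    return left + right


def feistel_decrypt(key, block, rounds=4):
    """Inverse permutation: undo the rounds in reverse order."""
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        left, right = xor_bytes(right, _round_function(key, i, left)), left
    return left + right


def pkcs7_pad(data):
    """Pad to a multiple of BLOCK; a full block of padding is added when already aligned."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    """CBC mode: each plaintext block is XORed with the previous ciphertext block (the IV
    for the first one) before going through the block cipher."""
    out, prev = [], iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = feistel_encrypt(key, xor_bytes(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    if len(ciphertext) == 0 or len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor_bytes(feistel_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


class RandomPermutation:
    """The ideal object C: a uniformly random permutation of BLOCK-byte strings,
    sampled lazily, one fresh distinct output per new query."""

    def __init__(self):
        self.table, self.used = {}, set()

    def __call__(self, x):
        if x not in self.table:
            y = secrets.token_bytes(BLOCK)
            while y in self.used:
                y = secrets.token_bytes(BLOCK)
            self.table[x] = y
            self.used.add(y)
        return self.table[x]


def xor_cipher(key):
    """Constructed weak 'block cipher' for the experiment: Enc_K(x) = x XOR K."""
    return lambda block: xor_bytes(block, key[:BLOCK])


def feistel_cipher(key):
    return lambda block: feistel_encrypt(key, block)


def linearity_distinguisher(oracle):
    """D queries two random blocks and outputs 1 iff Enc(x1) XOR Enc(x2) == x1 XOR x2,
    which always holds for xor_cipher and almost never for a random permutation."""
    x1, x2 = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    return int(xor_bytes(oracle(x1), oracle(x2)) == xor_bytes(x1, x2))


def advantage(distinguisher, cipher_factory, trials=200):
    """Estimate |Pr[D^C -> 1] - Pr[D^{Enc_K} -> 1]| over fresh C and uniformly random K."""
    with_random = sum(distinguisher(RandomPermutation()) for _ in range(trials))
    with_cipher = sum(distinguisher(cipher_factory(secrets.token_bytes(16))) for _ in range(trials))
    return abs(with_random - with_cipher) / trials
```

Running advantage(linearity_distinguisher, xor_cipher) returns about 1.0, the definition's way of saying the XOR cipher is broken by a two-query distinguisher, while the same distinguisher against feistel_cipher returns about 0.0; an advantage that is negligible for every efficient D is what the displayed inequality demands. A fresh, unpredictable IV per message is part of the CBC contract, which is why cbc_encrypt takes it as an explicit argument rather than fixing it.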
Message Authentication Codes
While an encryption scheme ensures the confidentiality of a communication channel, it does not guarantee that Mallory cannot manipulate ciphertexts so as to induce a transformation of the underlying plaintext (note that Mallory only changes the content of the message in a certain way, but this does not mean that she learnt any information about it). Message authentication codes (MACs) are tasked with achieving authentication in a communication channel. As depicted in Figure 2.2, a MAC is composed of the following three algorithms.
Definition (Message Authentication Codes - MAC)
A MAC is a triplet of algorithms (KeyGen, MAC, Verify) defined as follows.
Key Generation. The setup is delegated to an algorithm KeyGen that outputs the key $K$ that will be used by Alice and Bob.
MAC. Using the secret key $K$, this algorithm generates a tag $t$ for a message $m$ given as input, i.e., $\mathrm{MAC}_K(m) \to t$.
Verify. This last algorithm is used by the recipient to assert whether a tag $t$ authenticates a message $m$. In other words, $\mathrm{Verify}_K(m, t)$ outputs 1 if $t$ is a tag corresponding to the message $m$ for the secret key $K$, otherwise it outputs 0. Note that every tag generated by MAC must pass Verify keyed with the same key.
The standard security requirement for MACs is called existential unforgeability under chosen message attacks. In short, it assumes that the adversary has access to a MAC oracle to which she can submit a set of adaptively chosen messages $M = \{m_1, \dots, m_n\}$, and which returns $t \leftarrow \mathrm{MAC}_K(m_i)$ when queried with $m_i$. (In this context, adaptive refers to the adversary's ability to choose the $(i+1)$th message after receiving the oracle answer regarding the $i$th message.) In parallel, the adversary may also access an oracle for MAC verification, i.e., an oracle to which she can submit a pair $(m, t)$ and learn the bit $\mathrm{Verify}_K(m, t)$. In the end, the adversary wins if she manages to produce a pair $(m^*, t^*)$ such that $m^*$ was not submitted to the MAC oracle and $\mathrm{Verify}_K(m^*, t^*) = 1$. A MAC is then said to be secure if every such adversary limited to $2^{\dots}$ basic operations does not win with a probability better than $2^{-\dots}$. Equivalently, the MAC security experiment can be written as follows.

$$\Pr\left[ K \xleftarrow{R} \{0,1\}^{k};\; (m^*, t^*) \leftarrow \mathcal{A}^{\mathrm{MAC}_K(\cdot),\, \mathrm{Verify}_K(\cdot,\cdot)} \;:\; \mathrm{Verify}_K(m^*, t^*) = 1 \;\wedge\; m^* \notin M \right] \le 2^{-\dots}$$
Only a few dedicated MACs were proposed. Instead, MACs are generally built from other symmetric-key primitives using standard transformations. For instance, the HMAC [BCK ] and UMAC [BHK+ ] constructions allow to build a MAC from a hash function. Other proposals, such as OMAC [IK ] and PMAC [BR ], build a MAC from a block cipher. Finally, some constructions even allow to combine encryption and MAC in a single primitive called authenticated encryption. Examples of such constructions include the EAX mode of operation [BRW ].
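The unforgeability experiment above is easiest to understand as a game harness that keeps the set $M$ of queried messages and decides whether a candidate $(m^*, t^*)$ counts as a forgery. The Python below is an added example, not code from the thesis: it plays the game with HMAC-SHA256 (the standard hash-based construction named above) and with a constructed, deliberately insecure scheme where the tag is the hash of the message masked with the key, so that a single oracle answer reveals the mask. The class and function names are my own.

```python
import hashlib
import hmac
import secrets


class MacGame:
    """EUF-CMA experiment: the adversary gets MAC_K and Verify_K oracles and wins by
    producing a valid tag on a message never submitted to the MAC oracle."""

    def __init__(self, scheme, key_len=32):
        self.scheme = scheme
        self.key = secrets.token_bytes(key_len)
        self.queried = set()          # the set M of messages sent to the MAC oracle

    def mac_oracle(self, m):
        self.queried.add(m)
        return self.scheme.mac(self.key, m)

    def verify_oracle(self, m, t):
        return self.scheme.verify(self.key, m, t)

    def forge(self, m_star, t_star):
        """Adversary wins iff Verify_K(m*, t*) = 1 and m* is not in M."""
        return m_star not in self.queried and self.verify_oracle(m_star, t_star)


class HmacSha256:
    """HMAC-SHA256 as the MAC: the standard hash-based construction."""

    @staticmethod
    def mac(key, m):
        return hmac.new(key, m, hashlib.sha256).digest()

    @staticmethod
    def verify(key, m, t):
        # Constant-time comparison: the Verify oracle must not leak through timing.
        return hmac.compare_digest(HmacSha256.mac(key, m), t)


class MaskedHash:
    """Constructed insecure scheme for the experiment: t = SHA-256(m) XOR K.
    One (m, t) pair gives K = t XOR SHA-256(m), after which any message can be tagged."""

    @staticmethod
    def mac(key, m):
        h = hashlib.sha256(m).digest()
        return bytes(a ^ b for a, b in zip(h, key))

    @staticmethod
    def verify(key, m, t):
        return hmac.compare_digest(MaskedHash.mac(key, m), t)


def key_recovery_adversary(game):
    """A single-query adversary: it asks for one tag, derives a mask from it, and submits
    a forgery on a fresh message. Its guess is only meaningful against MaskedHash."""
    m1 = b"constructed sample message"
    t1 = game.mac_oracle(m1)
    guessed_mask = bytes(a ^ b for a, b in zip(hashlib.sha256(m1).digest(), t1))
    m_star = b"forged message never sent to the oracle"
    t_star = MaskedHash.mac(guessed_mask, m_star)   # tag built with the recovered mask
    return game.forge(m_star, t_star)


def success_rate(scheme, adversary, runs=20):
    """Fraction of independent games (fresh K each time) that the adversary wins."""
    return sum(adversary(MacGame(scheme)) for _ in range(runs)) / runs
```

success_rate(MaskedHash, key_recovery_adversary) returns 1.0 and success_rate(HmacSha256, key_recovery_adversary) returns 0.0, which is the definition at work: the same adversary, the same oracles, and only the scheme decides the outcome. Note also that replaying a tag on a message already in $M$ is not a forgery under this definition, so a protocol that needs replay protection must add freshness (a counter or nonce) on top of the MAC.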
Cryptographic Hash Functions
Besides ensuring data integrity, cryptographic hash functions are cryptography's Swiss army knife, serving many purposes and appearing in almost all constructions.
A hash function family is a set of functions mapping arbitrarily long strings to a fixed-size output called the hash. Mathematically, for a key $K \in \{0,1\}^{k}$, we consider a set of functions $H_K : \{0,1\}^* \to \{0,1\}^n$. The usual security requirements for hash functions are listed below in increasing order of strength.
First Pre-image Resistance. A hash function is said to be (first) preimage resistant if for a randomly chosen $K$, given a hash $y$, it is infeasible to find an $x$ such that $y = H_K(x)$. In other words,

$$\Pr\left[ K \xleftarrow{R} \{0,1\}^{k};\; y \xleftarrow{R} \mathrm{Range}(H_K) \;:\; H_K(\mathcal{A}(y)) = y \right] \le 2^{-n}$$
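The preimage experiment above can be run directly once the family is instantiated and $n$ is made small enough for exhaustive guessing to succeed. The Python below is an added example, not code from the thesis: it builds a keyed family $H_K(x)$ as SHA-256($K \,\|\, x$) truncated to $n$ bits (my own constructed instantiation), samples $K$ and a target $y$ as the definition does, and measures how often an adversary allowed $q$ evaluations of $H_K$ wins, which grows as about $q/2^n$. The function names are assumptions of this example.

```python
import hashlib
import secrets


def make_hash_family(n_bits):
    """Keyed family H_K : {0,1}^* -> {0,1}^n with H_K(x) = SHA-256(K || x) truncated
    to n bits.  Constructed for the experiment: the tiny n used below is what makes
    preimages findable by guessing, exactly as the 2^-n bound predicts."""
    n_bytes = (n_bits + 7) // 8
    mask = (1 << n_bits) - 1

    def h(key, x):
        return int.from_bytes(hashlib.sha256(key + x).digest()[:n_bytes], "big") & mask
    return h


def preimage_experiment(h, adversary, key_len=16):
    """One run of the first-preimage game: K is sampled, a target y in Range(H_K) is
    sampled as the hash of a random input, A receives K and y, and wins if H_K(A(y)) = y."""
    key = secrets.token_bytes(key_len)
    y = h(key, secrets.token_bytes(16))
    x = adversary(h, key, y)
    return x is not None and h(key, x) == y


def guessing_adversary(q):
    """A that evaluates H_K on q distinct inputs and returns the first one hashing to y.
    Each evaluation matches y with probability about 2^-n, so A wins with probability
    roughly q / 2^n: hopeless for n = 256, immediate for the n = 8 used in the test."""
    def adversary(h, key, y):
        for i in range(q):
            candidate = i.to_bytes(8, "big")
            if h(key, candidate) == y:
                return candidate
        return None
    return adversary


def success_rate(n_bits, q, runs=20):
    """Fraction of independent games won by the q-evaluation guessing adversary."""
    h = make_hash_family(n_bits)
    adv = guessing_adversary(q)
    return sum(preimage_experiment(h, adv) for _ in range(runs)) / runs
```

With n_bits = 8 and q = 2048 the guessing adversary wins essentially every game, while with a single evaluation it wins about one game in 256; scaling $n$ back to the full 256 bits of SHA-256 turns the same $q/2^n$ estimate into a number no practical adversary reaches, which is the content of the bound in the definition.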