
Wireless Pers Commun (2010) 55:65–79
DOI 10.1007/s11277-009-9786-0

Enhancing Privacy and Security of RFID System with Serverless Authentication and Search Protocols in Pervasive Environments

Md. Endadul Hoque · Farzana Rahman · Sheikh I. Ahamed · Jong Hyuk Park

Published online: 29 July 2009
© Springer Science+Business Media, LLC. 2009

Abstract One of the recent realms that has gathered the attention of researchers is the security of Radio Frequency Identification (RFID) systems, which involve a tradeoff between controlled costs and improved efficiency. The evolution and benefits of RFID technology signify that it can be a low-cost, efficient and secure solution to many pervasive applications. But RFID technology will not intermingle into human lives until prevailing and flexible privacy mechanisms are conceived. However, ensuring strong privacy has been an enormous challenge due to the extremely inadequate computational storage of typical RFID tags. So in order to relieve tags from responsibility, privacy protection and security assurance were guaranteed by a central server. In this paper, we suggest a serverless, forward secure and untraceable authentication protocol for RFID tags. This authentication protocol safeguards both tag and reader against almost all major attacks without the intervention of a server. Though it is very critical to guarantee untraceability and scalability simultaneously, here we propose a scheme to make our protocol more scalable via ownership transfer. To the best of our knowledge this feature is incorporated in a serverless system for the first time in pervasive environments. One extension of RFID authentication is RFID tag searching, which has not been given much attention so far. But we firmly believe that in the near future tag searching will be a significant issue in RFID based pervasive systems. So in this paper we propose a serverless RFID tag searching protocol in pervasive environments. This protocol can search for a particular tag efficiently without a server's intervention. Furthermore, the protocols are secured against major security threats.

Keywords RFID · Authentication · Privacy · Security · Forward secrecy · Scalability · Ownership transfer

Md. E. Hoque · F. Rahman · S. I. Ahamed (B)
Ubicomp lab, Marquette University, Milwaukee, WI, USA
e-mail: [email protected]

J. H. Park
Department of Computer Science and Engineering, Kyungnam University, Kyungnam, Korea


1 Introduction

Radio Frequency Identification (RFID) is a technology that helps us to discover completely contemporary and novel solutions to existing enigmas, and that also stimulates some new opportunities in the pervasive computing area along the way. It is a recent technology that eases automated recognition and has emerged as a feasible solution for identifying large quantities of items. One of the major benefits of such a system is that human intervention is eliminated and a large number of items can be identified within little time.

However, the expansion of RFID technology is limited because of security and privacy concerns. Conventional security primitives cannot be integrated in RFID tags as they have inadequate computation capabilities with extremely limited resources. So security and privacy issues must be addressed before the enormous deployment of RFID tags in omnipresent environments. That is why the research community has devoted itself to the search for appropriate authentication protocols that will ensure RFID privacy and security without compromising the cost. All these security requisites were ensured by a central database so far. This server based model has drawn much consideration and some of the outcomes are reflected in [3–6,14,15,18,19]. In a server based system, the central server played an essential role and it was quite easy to check the validity of tags or readers, which is very important for privacy protection and security. Consequently a malicious reader could hardly obtain precious information from tags in such a system. The major drawback of a central server based system is that the readers always have to be connected to the server, which limits usage of RFID systems in remote locations where connectivity with the server cannot be ensured. Besides, having a single database makes the whole system more vulnerable to privacy attacks.

An alternative, analogous to using a central database, is to store all information of the central server in the reader. But because of the mobile nature of readers, they can be stolen. An adversary with a stolen reader will have access to the information actually found in the central database, and the stolen reader can be easily compromised. The compromised reader may hold an ID and tag secret pair which can be loaded by an adversary into a blank tag. This fake tag will impersonate a legitimate tag and a reader cannot distinguish between the two. This is a severe breach in the security of an RFID system. So in this paper we propose an authentication protocol that can provide similar security and privacy protection as the central database model without having a persistent connection with the database. A preliminary version of this protocol has been presented in [2].

Security and privacy protection is a major issue in another situation, where a single reader and multiple tags are present. In all such practical situations, a reader often needs to determine whether a particular tag exists within a group of tags. This is referred to as RFID searching. Tag searching with the help of a central database is not a challenging issue. But without the help of a server, the reader has to search for a tag entirely by itself. This is a critical task because it is vulnerable to privacy and security threats. For example, through the broadcast of a search query, a reader in a warehouse wants to search for a tag which belongs to a precious object. Now if the tag exists, it will reply and an adversary will become sure that a valuable object exists around it.

However, RFID searching can be thought of as an extension of RFID authentication. By authenticating every tag within a group, we can find the desired tag. But as the number of tags increases, the ability to search RFID tags becomes invaluable when the reader requires data from a few RFID tags rather than all the tags in the collection. If the reader has to authenticate each tag one at a time then the entire searching process will become very time consuming. Though tag searching is very useful in many RFID applications, secure searching methods have not received enough attention in the research literature. So in this paper, we suggest an efficient search protocol which ensures security and privacy. A preliminary version of this protocol has been presented in [1].

A serverless RFID system was proposed in [17], noticing the shortcomings of server based systems. For reasons of cost and size, and lack of security, the use of RFID technology has been restricted to a closed set of pervasive applications. However, a number of applications will benefit if secure serverless systems are introduced, because one big advantage of a serverless RFID system is that it reduces the cost of RFID system deployment in large application areas. So in this paper we propose a low cost serverless authentication protocol that is secure against major attacks and can protect user privacy. We also propose a secure RFID tag search protocol, as we believe that RFID searching will become indispensable when tags are deployed on a massive level.

1.1 Our Major Contributions

Our major contributions in this paper are the following:

I. We propose a serverless authentication protocol that provides mutual authentication between the RFID reader and RFID tag without the need for a persistent central database.

II. We propose ownership transfer in a serverless protocol for the first time. Protocols should be designed so that after ownership transfer, none but the new owner (reader) can access the tag. Our protocol provides this facility.

III. In real life, scalable RFID protocols need to be designed as tag quantities are assumed to be increasing. So we propose a way to make our protocol scalable so that it can keep pace with an increasing number of tags.

IV. Our protocol is secured against almost all the major attacks (like: tracking, cloning, eavesdropping, privacy violation, physical attack, and DoS).

V. Here we also suggest a secure RFID searching protocol which will be very effective when RFID systems are enormously deployed. This proposed protocol is secured against the most common and major attacks. Due to page limitation, we could not include the security analysis of the search protocol in this paper.

The remainder of this paper is as follows. The next section discusses mainly relevant work on RFID security and privacy protection. It also describes the architecture of an RFID system. In Sect. 3, we propose the authentication protocol along with its security analysis, additional features and cost analysis. A comparison between different authentication protocols is also presented in this section. The secure RFID search protocol is presented in Sect. 4. Finally some concluding remarks and future work are reported in Sect. 5.

2 Related Works

The RFID security research area can be divided into two categories. The first category is protocol based. This category mainly focuses on implementing protocols using secure, lightweight primitives on small RFID tags in order to ensure security and privacy. The second category is hardware based and focuses on improving RFID tag hardware so that it can provide additional security primitives. Our paper falls in the first category, so we will not discuss the hardware based category. However, interested readers can refer to [8] and [13] for more details. In this section, we will mainly discuss the research background related to the protocol based category. However, we shall refrain from a prevalent review and focus on those works that are directly related to our contribution. Interested readers may refer to [8] and [9].

The back-end database played an essential role in most early works on RFID security. Researchers came up with highly secure protocols, but authentication was done mostly by the back-end server rather than the reader itself. Weis et al. [20] proposed an authentication protocol which used a back-end database to perform the authentication. This protocol is not secured against the tracking attack, which hampers the privacy of the tag holder. So the authors proposed a randomized hash lock scheme to solve this problem.

Another hash function based authentication protocol was proposed by Seo et al. [14], which ensures scalability. This protocol is also untraceable. The most significant contribution of this paper is scalability and forward secrecy. One of the main drawbacks of this protocol is that ownership transfer requires external intervention. Seo et al. proposed another authentication protocol [15] that ensures high scalability and ownership transfer. But it suffers from the problem of traceability and some other security issues such as DOS attack and swapping.

YA-TRAP [18] is a famous authentication protocol that places little burden on the back-end server. The principal advantage of this protocol is that the central database avoids any real time processing. It is unsecured against DOS attack. Although a solution to DOS was proposed in YA-TRAP+ [3], this still lacks forward secrecy.

Another lightweight protocol is OSK [12]. Ohkubo, Suzuki and Kinoshita proposed that two hash functions H and G are sufficient to provide indistinguishability and forward secrecy. Here, H is a one way hash function and G has random oracle. In [3], Avoine and Oechslin modified OSK, which removed the scalability problem. Another problem of OSK is that a malicious reader may desynchronize a tag, which eventually results in DOS. In [15], Chiu et al. proposed a serverless authentication protocol. In this protocol, a tag releases its data only after realizing that the reader is legitimate. But here again the reader has to do a lot of computation to find out the id of the required tag. Moreover, their protocol 2 is not purely and strongly anonymous, as it returns the tag id by performing an XOR operation with a hash value for authentication.

Like much earlier research, here we have assumed that RFID tags are capable of performing a cryptographic hash function. Some common hash functions like MD4, SHA-1 and SHA-256 require between 7,350 and 10,868 additional gates [7].

2.1 System Architecture of an RFID System

Usually, an RFID system consists of a wireless tag, T, a wireless reader, R, and a back-end database. However, our RFID system is a serverless system. Therefore, our serverless RFID system mainly consists of two parties: one of them is the reader R and the other is a set of tags. A certification authority CA is involved in the system to certify readers and authorize them to particular tags. Next we discuss the components of an RFID system.

Tag: Each tag T is comprised of an IC chip and an antenna. The tag sends information to the RFID reader in response through a wireless medium. Tags can be of two types. There are active tags, which have a battery, and passive tags, which have no battery. We focus on the passive tag, which is expected to be the most common type of RFID. In our system, each tag is able to communicate with one reader at a time.

Reader: A reader R is a device that sends some query using a radio frequency signal to a tag, receives the information sent by the tag and performs some important computation on those data.

Communication: The wireless communication between the reader and the tag is assumed to be vulnerable to eavesdropping. Communications between the reader and the CA are assumed to be conducted over a secure channel.

3 Authentication Protocol

3.1 Notation and Assumption

All readers and tags have knowledge of a pseudorandom number generator $P(.)$ and a function $M(.)$. $P(.)$ is a fairly simple random number generator that needs to be implemented at low cost. $P(.)$ takes a seed as an argument and outputs a pseudorandom number according to its distribution. $M(.)$ is used by all readers and tags to update the seed of the pseudorandom number generator by passing the current seed as input. We assume $M(.)$ to be an irreversible one way hash function. Therefore a current seed cannot be linked to its previous one.

We refer to an RFID reader as $R$. Each $R$ has a unique identifier $r$ and a contact list $L$. We will describe the contents of $L$ later. $R$ obtains $r$ and $L$ from a certification authority, CA, after authenticating itself. The CA is a trusted party who deploys all the RFID tags and authorizes any RFID reader. For the sake of simplicity we assume that $R$ and CA communicate through a secure channel. On the other hand, each RFID tag $T$ contains a unique identifier $id$ and a unique secret $t$ in its nonvolatile memory.

Subscripts are used to describe a particular $R$ or $T$ and their respective variables. Thus a particular RFID reader $i$ will be $R_i$ with an identifier $r_i$ and contact list $L_i$ stored in its nonvolatile memory. An RFID tag $j$ is $T_j$ having a secret $t_j$. The contact list $L_i$ contains information about the tags which $R_i$ has access to. The information about each tag comprises a seed and the id of the tag. If $R_i$ is authorized to access tags $T_1, \ldots, T_n$, $L_i$ will take the following shape after $R_i$ authenticates itself to CA,

$$
L_i = \left\{ \begin{array}{c} seed_1 : id_1 \\ \cdots : \cdots \\ seed_n : id_n \end{array} \right\}
$$

where, for any tag $T_j$ and $1 \le j \le n$, $seed_j$ is a seed used by $R_i$ to communicate with $T_j$ and $id_j$ is $T_j$'s identifier. $seed_j$ is initialized by $seed_j = f(r_i, t_j) = h(r_i \| t_j)$, where $h(.)$ is a one way hash function and $\|$ represents concatenation. Note that $R_i$ does not know the tag secret $t_j$. $R_i$ only knows the outcome of the function $f(r_i, t_j)$ as $seed_j$. The initial $seed_j$ is computed by CA and stored in $R_i$. On the contrary, the tag $T_j$ will contain only one seed, for its only authorized reader $R_i$. When $T_j$ is deployed by CA, $T_j$ will get $f(r_i, t_j) = h(r_i \| t_j)$ as $seed_{T_j}$ from CA. $T_j$ stores $seed_{T_j}$ in its nonvolatile memory. We also assume that CA cannot be compromised. And we denote an adversary as �. Figure 1 shows a detailed interaction diagram of our authentication protocol.

3.2 Authentication Protocol

(1) $R_i \to T_j$: request, $rand_i$
(2) $T_j$: $n_j = P(seed_{T_j} \oplus (rand_i \| rand_j))$
(3) $R_i \leftarrow T_j$: $n_j$, $rand_j$
(4) $R_i$: $n_i = rand_i$
(5) for all $m$ from 1 to $n$ // run through list $L_i$
(6)     Let $n_m = P(seed_m \oplus (rand_i \| rand_j))$
(7)     if ($n_m == n_j$) then
(8)         Let $s = M(seed_m)$
(9)         $n_i = P(s)$
(10)        $seed_m = M(s)$
(11) $R_i \to T_j$: $n_i$
(12) $T_j$: Let $k = M(seed_{T_j})$
(13) Let $a = P(k)$
(14) if ($a == n_i$) then
(15)     $seed_{T_j} = M(k)$
(16) else
(17)     Reader is not authorized or is an adversary

Fig. 1 Interaction diagram of Authentication Protocol, when reader $R_i$ is authenticating $T_2$

3.3 Security Analysis of Authentication Protocol

In this section, we analyze our proposed authentication protocol against different types of attacks. For every attack, we first describe how the attack is performed by an adversary. Then we explain how our protocol protects against the attack. $R_i$ and $T_j$ are referred to as a legitimate reader and tag.

Privacy protection: If, by querying a tag, an adversary � comes across any private information of the tag, it may cause several vulnerabilities in the owner's day to day life. We assume that � may target a list of tags. � queries the tags to discover private information to cause detriment. Our protocol protects the user's privacy strongly, since under our protocol a tag never sends its own id to anyone, not even to the authorized reader. It sends its reply in disguise so that only an authorized reader can identify it. Moreover no one is able to infer or learn the id of the tag by simply looking at the tag replies or by simply querying the tag. Under this attack, we generally assume that the adversary has a list of targeted RFID tags. The adversary then queries every tag within the group to decide which tags of his list exist within this group. According to our protocol, each time a reader queries tag $T_j$, $T_j$ replies with a new response $P(seed_{T_j} \oplus (rand_i \| rand_j))$. Therefore, � fails to recognize which of the tags is replying. Thus our protocol protects the privacy of the tag.

Tracking: Here, � tries to track $T_j$ over time. � succeeds if it is able to distinguish $T_j$ from other RFID tags over time. Under this attack, � repeatedly queries $T_j$ with a value which yields a consistent reply. This consistent reply becomes a signature of $T_j$. � can reuse the same $rand_i$ learned from any previous challenge-response. By incorporating $rand_j$, our protocol becomes secured against tracking as � cannot predict $rand_j$. Consequently $T_j$ will reply with a new pseudorandom number each time it is queried. Moreover, if � learns the $rand_i$ from any transaction that results in a successful authentication, $seed_{T_j}$ will also be updated to a new value. Thus � fails to get any consistent reply from $T_j$. As a result it cannot follow $T_j$ afterwards.

Cloning: Under this attack, � queries $T_j$ and places its response in a fake tag. Let this fake tag be T j. � wants to pass off its counterfeits as legitimate and it becomes successful if it can fool a legitimate reader $R_i$. Under our protocol, whenever the adversary queries $T_j$, it gets a different response because of $rand_i$ and $rand_j$. Now if � places this response in T j, it will never be able to fool a valid $R_i$. When T j is queried by $R_i$, T j cannot generate the actual response. This is because, for each query, $R_i$ will now transmit a new $rand_i$ that � cannot predict. As � does not know the current seed stored in $T_j$, it cannot generate the actual response.

Denial of Service (DoS): In this case, � does not want to derive any information or try to impersonate. Its main target is to ensure that a reader cannot access its authorized tags. To launch a DoS attack, � places many requests to the back-end server so that the readers are unable to communicate with the back-end server. This problem becomes severe when the back-end database shares with the tag a secret key that has to be synchronized for each successful authentication. Our protocol eliminates the need for a back-end server. So synchronization between the server and the tag is not required. Moreover in our scheme, a reader has to communicate with the back-end server only to get its contact list.

Physical attack: Physical attack means � can compromise either a tag or a reader. We will consider each case.

A. � compromises $R_i$: When � compromises a reader $R_i$, � will know the reader's contact list $L_i$ and id $r_i$. It can now impersonate $R_i$ and communicate with $T_j$, if the reader has been authorized to access $T_j$. Eventually, it will be able to obtain data from tags $T_1, T_2, \cdots, T_n$. Now, the goal is to prevent � from using the knowledge to create counterfeit tags. Let $T_j$ reside in the contact list $L_i$, and suppose � wishes to counterfeit the tag $T_j$, which we name T j. The adversary will be successful if T j can fool another legitimate reader $R_x$. But under our scheme, only one reader is authorized to access $T_j$ and that reader is $R_i$. So, T j cannot fool $R_x$ by learning $seed_j$ and $id_j$ from $L_i$.

B. � compromises $T_j$: In this case, the adversary compromises a tag $T_j$. So � is able to create a fake tag t j that can fool an honest reader $R_i$. We want to prevent � from creating another fake tag that can fool $R_i$. We let this other tag be $T_x$ and assume that $T_x$ is inside $L_i$. Since the adversary has compromised $T_j$, we assume that the adversary knows all the information that is passed between $T_j$ and $R_i$. With this information � wants to clone a valid tag $T_x$. And with that cloned tag � wants to spoof an honest reader $R_i$ that is authorized to access $T_x$. Since each RFID tag shares a seed with its authorized reader, $T_x$ will share a different seed with $R_i$ which is not known by $T_j$. Though � knows $seed_{T_j}$, � cannot derive the seed shared between $R_i$ and $T_x$. Therefore � cannot create any fake tag to fool $R_i$.

Eavesdropping: � eavesdrops on the communication between $R_i$ and $T_j$ and later uses this information to launch any of the attacks mentioned above. � can learn all information exchanged between $R_i$ and $T_j$ such as $rand_i$, $n_j$, $rand_j$ and $n_i$. We assume that � can listen to both tag-to-reader and reader-to-tag communication. According to our protocol, � cannot launch a privacy attack as the protocol does not reveal any sort of private information of the tag and the reader. � also fails to track $T_j$ because each time $T_j$ is queried, it replies with a new pseudorandom number. Thus � cannot figure out any signature to follow $T_j$.

Under our protocol, eavesdropping on the communication cannot help � to launch a cloning attack. � cannot create a fake tag T j by learning only the pseudorandom and random numbers exchanged between $R_i$ and $T_j$. As � cannot predict $rand_i$ and has no idea about $seed_{T_j}$, it is impossible for � to clone $T_j$. As a result, it cannot fool a legitimate reader $R_i$. Suppose � tries to impersonate tag $T_j$, which we named T j, and it wants to fool an honest reader $R_i$ with which $T_j$ has communicated recently. Now T j will not be able to deceive $R_i$ as $R_i$ will definitely query with a new $\widetilde{rand}_i$. And T j fails to generate $P(seed_{T_j} \oplus (\widetilde{rand}_i \| rand_j))$ as it does not know $seed_{T_j}$. Even if T j replays $P(seed_{T_j} \oplus (rand_i \| rand_j))$, $R_i$ will easily identify that it is a fake tag.

3.4 Additional Features

Ownership transfer: Ownership transfer ensures that an authorized reader renounces the authority over a tag and a new reader gets the authority to access the tag. Suppose $R_i$ is the current owner of tag $T_j$. After transferring ownership to another reader $R_x$, $T_j$ responds to $R_x$ in the same way as it did to $R_i$. From now on $R_i$ has no rights to access $T_j$. As far as we know, the ownership transfer issue is dealt with in [6,18] and [10]. In all of them, the back-end server plays a significant role. Based on our protocol, two methods of ownership transfer are proposed next.

A. CA based ownership transfer: CA (Certification Authority) has all the responsibility of deploying tags and authorizing readers. A reader gets its contact list $L$ from CA using a secure channel at the beginning of its operation. Whenever reader $R_i$ faces the need to transfer the ownership of a particular tag to another reader, it informs the CA about the change in access policy along with the ownership information of the tag. Ownership information comprises the identifier and the current seed for the particular tag stored in the contact list of $R_i$. CA now authenticates the new owner (another reader) and authorizes it by updating the contact list of the new owner with the ownership information. CA will also delete the ownership information of the tag from the old owner's contact list. For example, $id_j$ and the current $seed_j$ for tag $T_j$ are its ownership information. The old owner transmits this ownership information to CA at the time of informing it about a change in ownership of $T_j$.

B. Serverless ownership transfer: The prerequisite of this method is "reader–reader secure communication". At the time of ownership transfer, the old owner $R_i$ transmits $id_j$ and the current $seed_j$ for tag $T_j$ to the new owner $R_x$ and then simply eradicates the ownership information for $T_j$ from the contact list $L_i$. However, the old reader can abuse the situation by deciding not to delete $seed_j$ from its contact list as agreed. Therefore, to protect against such a situation, the new authorized owner $R_x$ will authenticate the tag $T_j$ once. This allows the seed shared between $T_j$ and the old owner to be desynchronized. Therefore, even if $R_i$ does not eradicate the ownership information for $T_j$, $R_i$ will have no valid seed to access $T_j$. However, the seeds between $R_x$ and $T_j$ will still be synchronized. Once the ownership transfer process is completed, the new owner $R_x$ will notify CA regarding its new contact list to remain synchronized. This notification will be done through a secure channel.

Scalability: Scalability means that a reader can find a tag's identifier within limited computational time regardless of the number of tags owned by it. According to our protocol, if the total number of tags owned by a reader is $n$, the time complexity of the search operation is $O(n)$. Juels and Weis proved in [5] that the improved randomized hash lock offers strong privacy and security at the cost of poor scalability. We entirely comply with their observation and propose a more practical way of ensuring scalability with the help of ownership transfer. Our proposal is that each reader will have a threshold value $\theta$. Here $\theta$ is the maximum number of tags that can reside in a reader to ensure scalability. When a reader's contact list surpasses the threshold $\theta$, the reader, called an overloaded reader, wishes to reduce its burden. So if the overloaded reader has a co-operative reader and if the co-operative reader has enough memory, the overloaded reader will transfer some of its burden to the other one.
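The following added example (not code from the paper) runs the seventeen steps of Sect. 3.2 between a reader and a tag, checks that a reply captured in one session is rejected under a fresh challenge, and then carries out the serverless ownership transfer described above. It assumes SHA-256 based stand-ins for $h$, $P$ and $M$, 32-byte seeds and 16-byte random values; the class and function names are hypothetical.

```python
import hashlib
import hmac
import os

# Assumptions (not from the paper): h, P and M are built from SHA-256,
# seeds are 32 bytes and rand_i / rand_j are 16 bytes each, so that
# rand_i || rand_j has the same length as the seed it is XORed with.
def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def P(seed: bytes) -> bytes:
    return hashlib.sha256(b"P|" + seed).digest()

def M(seed: bytes) -> bytes:
    return hashlib.sha256(b"M|" + seed).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Tag:
    def __init__(self, seed: bytes):
        self.seed = seed                          # seed_Tj, issued by the CA

    def respond(self, rand_i: bytes):
        rand_j = os.urandom(16)                   # step (2)
        return P(xor(self.seed, rand_i + rand_j)), rand_j   # step (3)

    def verify_reader(self, n_i: bytes) -> bool:
        k = M(self.seed)                          # step (12)
        if hmac.compare_digest(P(k), n_i):        # steps (13)-(14)
            self.seed = M(k)                      # step (15)
            return True
        return False                              # step (17)


class Reader:
    def __init__(self, contacts: dict):
        self.contacts = dict(contacts)            # contact list L_i as {id: seed}

    def identify(self, rand_i: bytes, n_j: bytes, rand_j: bytes):
        n_i, found = rand_i, None                 # step (4)
        for tag_id, seed in self.contacts.items():            # step (5)
            n_m = P(xor(seed, rand_i + rand_j))   # step (6)
            if hmac.compare_digest(n_m, n_j):     # step (7)
                s = M(seed)                       # step (8)
                n_i = P(s)                        # step (9)
                self.contacts[tag_id] = M(s)      # step (10)
                found = tag_id
        return found, n_i                         # n_i is sent in step (11)


def authenticate(reader: Reader, tag: Tag):
    """One full run; returns (id the reader resolved, tag accepted the reader)."""
    rand_i = os.urandom(16)                       # step (1)
    n_j, rand_j = tag.respond(rand_i)
    tag_id, n_i = reader.identify(rand_i, n_j, rand_j)
    return tag_id, tag.verify_reader(n_i)


def demo() -> dict:
    r_i, t_j = b"reader-i", os.urandom(16)        # constructed sample values
    seed0 = h(r_i + t_j)                          # CA computes h(r_i || t_j)
    tag = Tag(seed0)
    R_i = Reader({"id_j": seed0})                 # the reader never sees t_j
    out = {}
    out["mutual"] = authenticate(R_i, tag)
    out["in_sync"] = R_i.contacts["id_j"] == tag.seed

    # A reply recorded under one challenge is presented under a fresh one.
    n_j, rand_j = tag.respond(os.urandom(16))
    out["replayed_reply"] = R_i.identify(os.urandom(16), n_j, rand_j)[0]

    # Serverless ownership transfer: R_i hands (id_j, current seed_j) to R_x
    # but keeps its own entry instead of deleting it.
    R_x = Reader({"id_j": R_i.contacts["id_j"]})
    out["new_owner"] = authenticate(R_x, tag)     # R_x authenticates T_j once
    out["old_owner"] = authenticate(R_i, tag)     # stored seed is now stale
    out["tag_synced_with_new_owner"] = R_x.contacts["id_j"] == tag.seed
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The old owner in this run only reuses the seed it had stored at the time of transfer; the example does not model any other behaviour on its part.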

3.5 Cost Analysis of Authentication Protocol

Our authentication protocol involves two hash functions, $f(\cdot, \cdot)$ and $M(.)$. Therefore we determine the cost of our protocol based on the computation of the $M(.)$ hash function. From the authentication protocol described in Sect. 3.2, we see that $M(.)$ is executed twice, first in line 12 and second in line 15. So, the cost of our protocol is a little higher than that of alternative protocols [11,18,20] which require the tag to perform only one hash function. The additional hash functions allow our protocol to be serverless and yet avoid exposing the tag secret to the reader. Considering communication cost, assuming that both reader and tag ids have the same length, the authentication protocol requires $(2 \cdot |n| + 2 \cdot |rand|)$ bits, where $|n|$ is the length of the random numbers $n_i$ and $n_j$, and $|rand|$ is the length of $rand_i$ and $rand_j$ respectively. In terms of efficiency, the reader needs to perform $|L_i|$ computations once to derive $P(seed_m \oplus (rand_i \| rand_j))$ for each tag $T_m$ in the contact list. For each new query, the reader performs computation for $n_i$ matching with $n_j$, resulting on average in computation and searching of $(|L_i| / 2|n|)$ entries.

Table 1 Comparison of authentication protocols based on the security features and other additional features

| Protocols | Privacy protection | Anti-tracking | Anti-cloning | Synchronization | DOS resiliency | Forward secrecy | Ownership transfer | Scalability assurance |
|---|---|---|---|---|---|---|---|---|
| Seo-Lee-Kim [14] | Yes | Yes | Yes | Yes | Yes | Yes | External intervention | Yes |
| Seo-Lee-Kim [15] | Yes | No | Yes | Yes | No | Yes | Yes | Yes |
| OSK [12] | Yes | Yes | Yes | Yes | No | Yes | No | No |
| YA-TRAP [18] | Yes | Yes | Yes | No | No | No | No | Yes |
| YA-TRAP+ [11] | Yes | Yes | Yes | Yes | Yes | No | No | Yes |
| Av-Oech [3] | Yes | Yes | Yes | Yes | No | Yes | No | Yes |
| RIPP-FS [5] | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Chiu-Bo-Qun [17] | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Our Protocol | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

3.6 Authentication Protocol Comparison

See Table 1.

4 Search Protocols

Suppose a reader Ri is searching for a tag denoted as Tdesired. One way of searching may be according to our Search Protocol 1, which we name the Simple Search Protocol.

Search Protocol 1: Simple Search Protocol

(1) Ri → T∗ : Broadcast ri
(2) Ri : Compute ndesired = P(seeddesired)
(3) T∗ : m = P(seedT∗)
(4) Ri ← T∗ : m
(5) Ri : for each m received from each tag in the group
(6)     if (m == ndesired) then
(7)         Tdesired found
(8)     else
(9)         Tdesired not found

One main shortcoming of this protocol is that it is a one-side authenticated search protocol. Here tags do not authenticate the readers before replying, so they cannot know whether they are replying to an adversary or to a valid reader. Tags should reply only to the authorized reader, but here tags reply upon receiving a search query. So by querying a group of tags, an adversary may succeed in its attempt at searching for a particular valuable tag if that tag is present. So tags need to authenticate the reader before replying. It means that when Ri broadcasts the search query, all tags, including the tag which satisfies the query, need to authenticate Ri before replying.

Moreover, since seeds are not updated in both parties after each search, tags will reply with the same answers in subsequent search queries. If an adversary queries with a previously learned ri, tags will reply with the same values as before. Although the adversary will not be able to figure out which tag the reader was searching for, the adversary will be sure that the same search is taking place. Querying several times with different ri, the adversary can learn a pattern for queries and replies.

To solve the problems of the simple search protocol, we can set up our goals for searching as follows. A tag should respond only to its authorized reader. A reader should query only the tags it is authorized to access. And both parties should update their seeds after a successful search. All these properties are incorporated in our next search protocol, which is Search Protocol 2 (Enhanced Search Protocol). Here, a reader issues a query in a way that only a legitimate tag can understand, and a tag replies in such a manner that only an authorized reader can understand.

Enhanced Search Protocol

(1) Ri : Compute ndesired = P(seeddesired)
(2) Ri → T∗ : Broadcast ndesired
(3) T∗ : a = P(seedT∗)
(4)     if (a == ndesired) then
(5)         Let k = M(seedT∗)
(6)         Let x = P(k)
(7)         seedTdesired = M(k)
(8)         Ri ← Tdesired : x
(9)     else
(10)        Ri ← Tj : rand with probability λ
(11) Ri : Let s = M(seeddesired)
(12)     Let m = P(s)
(13)     for each response from the group of tags
(14)         if (m is equal to a response) then
(15)             seeddesired = M(s)
(16)             Tdesired found
(17)         else
(18)             Tdesired not found

In the enhanced search protocol, we let some other tags also reply in addition to the desired tag, to disguise the actual reply. Each tag that receives a search query and does not find any match with the request will have some probability λ of replying with a random number. So by observing the replies of the tags, an adversary cannot identify the tag that the reader is searching for. Figure 2 shows a detailed interaction diagram of the enhanced search protocol.
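The two search protocols above as a runnable sketch (an added example, not code from the paper): P(·) and M(·) are modelled with domain-separated SHA-256, and the class names, `N_BYTES`, `lam` and the sample seeds are assumptions made for illustration. It puts the fixed reply of Search Protocol 1 beside the seed update and decoy replies of the enhanced protocol.

```python
import hashlib
import secrets

N_BYTES = 8  # assumed length of the numbers sent over the air

def P(seed: bytes) -> bytes:
    """Assumed stand-in for the paper's pseudorandom function P(.)."""
    return hashlib.sha256(b"P" + seed).digest()[:N_BYTES]

def M(seed: bytes) -> bytes:
    """Assumed stand-in for the paper's one-way hash M(.)."""
    return hashlib.sha256(b"M" + seed).digest()

class Tag:
    def __init__(self, seed: bytes, lam: float):
        self.seed, self.lam = seed, lam

    def simple_reply(self) -> bytes:
        # Search Protocol 1, steps 3-4: replies to anyone, seed never changes.
        return P(self.seed)

    def enhanced_reply(self, n_desired: bytes):
        # Search Protocol 2, steps 3-10.
        if P(self.seed) == n_desired:
            k = M(self.seed)
            self.seed = M(k)                      # step 7: tag-side seed update
            return P(k)                           # step 8: x
        if secrets.SystemRandom().random() < self.lam:
            return secrets.token_bytes(N_BYTES)   # step 10: decoy reply
        return None                               # stay silent

class Reader:
    def __init__(self, contact_list: dict):
        self.seeds = dict(contact_list)           # tag name -> seed (list L_i)

    def enhanced_search(self, name: str, tags) -> bool:
        n_desired = P(self.seeds[name])           # steps 1-2: broadcast value
        replies = [t.enhanced_reply(n_desired) for t in tags]
        s = M(self.seeds[name])                   # step 11
        if P(s) in replies:                       # steps 12-14
            self.seeds[name] = M(s)               # step 15: reader-side update
            return True
        return False

def demo():
    # Constructed sample: three tags owned by one reader, which looks for T3.
    seeds = {f"T{i}": M(b"constructed-seed-%d" % i) for i in (1, 2, 3)}
    tags = [Tag(seed, lam=0.5) for seed in seeds.values()]
    reader = Reader(seeds)
    first_broadcast = P(reader.seeds["T3"])
    found = reader.enhanced_search("T3", tags)
    in_sync = reader.seeds["T3"] == tags[2].seed
    replay_matches = P(tags[2].seed) == first_broadcast  # replay vs. new seed
    return found, in_sync, replay_matches
```

The tag commits its new seed in step 7 before the reader has seen the reply, so this sketch does not cover a lost reply; the paper lists resynchronization as future work.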

Fig. 2 Interaction diagram of search protocol 2, when reader Ri is searching tag T3. [Figure not reproduced. Step 1: the reader initiates the search for the tag by broadcasting. Step 2: all tags receiving the search query, within the vicinity of the reader, compute the next pseudorandom number based on their seeds. Step 3: the matching tag updates its seed and replies with its next pseudorandom number, while some other tags, with some probability, reply with a random number without updating their seed. Step 4: the reader again generates the next pseudorandom number for the tag, compares it with the replies sent by different tags, finds a match, updates the seed for that tag in its contact list, and becomes sure about the existence of the desired tag.]

5 Conclusion

In this paper we suggest a serverless authentication protocol which ensures that both tag and reader are authenticated at the time of communication. Our authentication protocol is forward secure and shielded against some major attacks like tracking, cloning, eavesdropping, physical tampering, and DoS. Moreover, we also propose an ownership transfer mechanism which allows our protocol to be scalable. To the best of our knowledge, this is the first contribution in the literature that enables a serverless protocol to perform ownership transfer. Here, we also point out difficulties encountered while searching RFID tags. Moreover, we propose a serverless RFID tag searching protocol which is secured against major attack models. In future, we plan to devise a robust authentication protocol which will be able to synchronize a tag and its legitimate reader even if the adversary de-synchronizes them. We are currently working to improve the scalability of our protocol from the reader point of view. We also plan to simulate the protocols with a large number of tags to see how they perform. Study of other issues of DoS and making them more robust are other future research directions.


Acknowledgments This work was partially supported by the Korea Research Foundation Grant funded by the Korean Government (MOEHRD, Basic Research Promotion Fund) (KRF-2008-0174).

References

1. Ahamed, S. I., Rahman, F., Hoque, E., Kawsar, F., Nakajima, T., et al. (2008). S3PR: Secure serverless search protocols for RFID. In The proceedings of second IEEE international conference on information security and assurance (ISA 2008), Busan, Korea, pp. 187–192.

2. Ahamed, S. I., Rahman, F., Hoque, E., Kawsar, F., Nakajima, T., et al. (2008). YA-SRAP: Yet another serverless RFID authentication protocol. In The 4th IET international conference on intelligent environment (IE08), Seattle, USA, pp. 1–8.

3. Avoine, G., Oechslin, P., et al. (2005). A scalable and provably secure hash based RFID protocol. In International workshop on pervasive computing and communication security (PerSec ’05) (pp. 110–114). Kauai Island, Hawaii, USA: IEEE Computer Society Press.

4. Burmester, M., Le, T. V., de Medeiros, B., et al. (2006). Provably secure ubiquitous systems: Universally composable RFID authentication protocols. In Conference on security and privacy for emerging areas in communication networks (SecureComm) (pp. 1–9). Baltimore, Maryland, USA: IEEE.

5. Conti, M., Pietro, R. D., Mancini, L. V., Spognardi, A., et al. (2007). RIPP-FS: An RFID identification, privacy preserving protocol with forward secrecy. In International workshop on pervasive computing and communication security (PerSec ’07) (pp. 229–234). New York, USA: IEEE Computer Society Press.

6. Cui, Y., Kobara, K., Matsuura, K., Imai, H., et al. (2007). Lightweight asymmetric privacy-preserving authentication protocols secure against active attack. In International workshop on pervasive computing and communication security (PerSec ’07) (pp. 223–228). New York, USA: IEEE Computer Society Press.

7. Feldhofer, M., Rechberger, C., et al. (2006). A case against currently used hash functions in RFID protocols. In On the move to meaningful internet systems 2006: OTM 2006 workshops, pp. 372–381.

8. Juels, A. (2006). RFID security and privacy: A research survey. Journal of Selected Areas in Communications, 24(2), 381–394.

9. Juels, A., Weis, S., et al. (2007). Defining strong privacy for RFID. In Pervasive computing and communications workshops, 2007. PerCom Workshops ’07, pp. 342–347.

10. Molnar, D., Soppera, A., Wagner, D., et al. (2005). A scalable, delegatable pseudonym protocol enabling ownership transfer of RFID tags. In Proceedings of selected areas in cryptography (SAC 2005) (Vol. 3897, pp. 276–290). Kingston, Canada: Springer-Verlag.

11. Molnar, D., Wagner, D., et al. (2004). Privacy and security in library RFID: Issues, practices, and architectures. In Proceedings of the 11th ACM conference on computer and communications security, Washington DC, USA, pp. 210–219.

12. Ohkubo, M., Suzuki, K., Kinoshita, S., et al. (2003). Cryptographic approach to “privacy-friendly” tags. In RFID privacy workshop. MA, USA: MIT.

13. Rieback, M., Crispo, B., & Tanenbaum, A., et al. (2006). The evolution of RFID security. Journal of IEEE Pervasive Computing, 5(1), 62–69.

14. Seo, Y., Kim, K., et al. (2006). Scalable and untraceable authentication protocol for RFID. In International workshop on security in ubiquitous computing systems—Secubiq 2006, Lecture Notes in Computer Science, Seoul, Korea.

15. Seo, Y., Lee, H., Kim, K., et al. (2006). A lightweight authentication protocol based on universal re-encryption of RFID tags. http://caislab.icu.ac.kr/Paper/paper_files/2006/CISC_1115_Youngjoon.pdf Last accessed 2009.

16. Solanas, A., Domingo-Ferrer, J., Martínez-Ballesté, A., Daza, V., et al. (2007). A distributed architecture for scalable private RFID tag identification. Journal of Computer Networks, 51(9), 2268–2279.

17. Tan, C. C., Sheng, B., Li, Q., et al. (2007). Severless search and authentication protocols for RFID. In Proceedings of the fifth annual IEEE international conference on pervasive computing and communications (PerCom ’07), New York, USA, pp. 3–12.

18. Tsudik, G. (2006). YA-TRAP: Yet another trivial RFID authentication protocol. In International conference on pervasive computing and communications (PerCom ’06). Pisa, Italy: IEEE Computer Society, pp. 643.

19. Vajda, I., Buttyan, L., et al. (2003). Lightweight authentication protocols for low-cost RFID tags. In Second workshop on security in ubiquitous computing (Ubicomp ’03), Seattle, WA, USA.


20. Weis, S. A., Sarma, S. E., Rivest, R. L., Engels, D. W., et al. (2003). Security and privacy aspects of low-cost radio frequency identification systems. In International conference on security in pervasive computing—SPC 2003 (Vol. 2802, pp. 454–469). Boppard, Germany: Springer.

Author Biographies

Md. Endadul Hoque is a member of Ubicomp lab, Marquette University, USA. Currently, he is a graduate student of Computer Science at Marquette University, USA. He received his B.Sc degree in Computer Science and Engineering from Bangladesh University of Engineering and Technology (BUET), Bangladesh in 2008. His field of interest encompasses RFID security, privacy in pervasive environment and trust model in pervasive computing, and wireless sensor network. His contact address is [email protected]; http://www.mscs.mu.edu/~mhoque.

Farzana Rahman is a member of Ubicomp lab, Marquette University, USA. Currently, she is a graduate student of Computer Science at Marquette University, USA. She received her B.Sc in Computer Science and Engineering from Bangladesh University of Engineering and Technology (BUET), Bangladesh in 2008. Her field of interest encompasses pervasive security, RFID security, and trust models in pervasive computing. Her contact address is [email protected]; http://www.mscs.mu.edu/~frahman.

Sheikh I. Ahamed is currently an Associate Professor in the Department of Mathematics, Statistics, and Computer Science, and Director of the Ubicomp Research Laboratory, Marquette University, Milwaukee, WI. Dr. Ahamed received the B.Sc. degree in computer science and engineering from Bangladesh University of Engineering and Technology, Dhaka, Bangladesh, in 1995, and the Ph.D. degree in computer science from Arizona State University, Tempe, in 2003. His current research interests include security in ad hoc networks, middleware for ubiquitous/pervasive computing, sensor networks, and component-based software development. He has published more than 60 peer reviewed journal articles and conference papers. He has received Best Paper Award in the 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), Beijing, July 2007. Dr. Ahamed is a member of the IEEE Computer Society and the Association for Computing Machinery (ACM). He is a program committee member for several international conferences in software engineering and pervasive computing, such as the Computer Software and Applications Conference (COMPSAC 2009) and the Pervasive Computing and Communications Conference (PerCom 2008), and the Symposium on Applied Computing (SAC 2008). He is the Program Co-Chair of the International Workshop on Security, Privacy, and Trust for Software Applications (SPTSA 2009). He is the Workshop Chair of Computer Software and Applications Conference (COMPSAC 2010).


Jong Hyuk Park received his Ph.D. degree in the Graduate School of Information Security from Korea University, Korea. He is now a professor at the Department of Computer Science and Engineering, Kyungnam University, Korea. He has published about 100 research papers in international journals and conferences. He has been serving as chair, program committee member, or organizing committee chair for many international conferences and workshops. He was editor-in-chief of the International Journal of Multimedia and Ubiquitous Engineering (IJMUE) and the managing editor of the International Journal of Smart Home (IJSH). He is an associate editor or editor of 14 international journals, including 8 journals indexed by SCI(E). In addition, he has been serving as a Guest Editor for international journals by some publishers: Springer, Elsevier, John Wiley, Oxford Univ. Press, Hindawi, Emerald, Inderscience, SERSC. His research interests include security and digital forensics, ubiquitous and pervasive computing, context awareness, multimedia services, etc. He got the best paper award in the ISA-08 conference, April 2008.
