
Book Chapter

Secure EPC Gen2 Compliant Radio Frequency Identification

29 Aug 2009, pp 227-240

TL;DR: This paper proposes an EPCGen2 compliant RFID protocol that uses numbers drawn from synchronized pseudorandom number generators (RNG) to provide secure tag identification and session unlinkability; its security reduces to the (cryptographic) pseudorandomness of the RNGs supported by EPCGen2.

Abstract: The increased functionality of EPC Class1 Gen2 (EPCGen2) is making this standard a de facto specification for inexpensive tags in the RFID industry. Recently three EPCGen2 compliant protocols that address security issues were proposed in the literature. In this paper we analyze these protocols and show that they are not secure and subject to replay/impersonation and statistical analysis attacks. We then propose an EPCGen2 compliant RFID protocol that uses the numbers drawn from synchronized pseudorandom number generators (RNG) to provide secure tag identification and session unlinkability. This protocol is optimistic and its security reduces to the (cryptographic) pseudorandomness of the RNGs supported by EPCGen2.

Summary

1 Introduction

  • Radio Frequency Identification (RFID) is a promising new technology that is widely deployed for supply-chain and inventory management, retail operations and more generally for automatic identification.
  • To promote the adoption of RFID technology and to support interoperability, EPCGlobal [10] and the International Organization for Standards (ISO) [12] have been actively engaged in defining standards for tags, readers, and the communication protocols.
  • In this paper the authors are concerned with the security of EPCGen2 compliant protocols.
  • It is important therefore to employ lightweight cryptographic protocols that are compatible with the existing standardized specifications.
  • Obviously, the level of security may not be sufficient for sensitive applications.

2 The EPCGen2 standard

  • This standard defines the physical and logical requirements for a passive-backscatter, Interrogator-talks-first (ITF), radio-frequency identification (RFID) system operating in the 860 MHz - 960 MHz frequency range.
  • The EPCGen2 standard defines a protocol with two layers, the physical and the Tag-identification layer, which together specify the physical interactions, the operating procedures and commands, and the collision arbitration scheme used to identify a Tag in a multiple-tag environment.
  • Physical Layer – Communications are half-duplex, meaning that Interrogators and Tags cannot talk simultaneously.
  • TID memory that contains sufficient information to identify to a Reader the (custom/optional) features of the Tag and tag/vendor specific data.
  • The Interrogator sends a parameter Q, that is an integer in the range (0, 15); the Tags load a random Q-bit number into a slot counter.

2.1 The Pseudo-Random Number Generator

  • A pseudorandom number generator (RNG) is a deterministic function that outputs a sequence of numbers that are indistinguishable from random numbers by using as input a random binary string, called seed.
  • The length of the random seed must be selected carefully to guarantee that the numbers generated are pseudorandom.
  • The state of the RNG changes each time that a new random number is drawn.
  • For a tag population of up to 10,000 tags, the probability that any two or more tags simultaneously draw the same sequence of RN16s is < 0.1%, regardless of when the tags are energized.

2.2 The 16-bit Cyclic Redundancy Code

  • Cyclic Redundancy Codes (CRC) are error-detecting codes that check accidental (non-malicious) errors caused by faults during transmission.
  • Since the modulo g(x) operator is a homomorphism, CRC16 inherits strong linearity aspects.
  • It follows that the CRC16 of a sequence of numbers can be computed from the CRC16s of the numbers.
  • Consequently CRC16 by itself will not protect data against intentional alteration.
  • Its functionality is to support strong error detection particularly with respect to burst errors, not security.

3 Weaknesses in recently proposed EPCGen2 compliant RFID protocols

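  • The section considers three recently proposed EPCGen2 compliant protocols: the Chen-Deng mutual authentication protocol [7], the Quingling-Yiju-Yonghua minimalist mutual authentication protocol [17], and the Sun-Ting authentication protocol [18].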
  • The authors show that these protocols fall short of their claimed security.
  • The authors assume that S and R are linked with a secure channel, and for simplicity, only consider the case when the authentication is online.

3.2 Analysis of the Quingling-Yiju-Yonghua protocol

  • The Quingling-Yiju-Yonghua protocol is a challenge-response mutual authentication protocol [17].
  • In the protocol T gets identified by revealing information about its keypool, which S uses to locate the tag in DB.
  • The protocol is also subject to a more complex statistical attack in which A first eavesdrops on a number of tag interrogations and then replays the tag flows to the Reader R, changing adaptively the last challenge.
  • Below the authors describe the attack in more detail.
  • A repeats this step for each one of the l words of the keypool.

4.1 The protocol

  • In their protocol each tag T is identified by drawing consecutive numbers from its RNG.
  • S then draws and sends the next number RN4 as challenge and T responds by sending RN5.
  • Each tag T shares with the back-end server S an identifier IDtag, its generator (including mutable state) RNG(gtag) and at least one pseudorandom number among the most recent six values extracted from the RNG (which guarantees synchronization as described below).
  • This protocol is optimistic in the sense of communication efficiency, because just three flows are necessary to identify a tag T when the adversary A is passive.

5.1 RFID deployments

  • A typical RFID deployment involves tags T , Readers R and a back-end Server S. Tags are wireless transponders that typically have no power of their own and respond only when they are in an electromagnetical field, while Readers are transceivers that generate such fields.
  • Readers implement a radio interface to the tags and a high level interface to a back-end server.
  • Readers do not store locally any private data.
  • All parties including the adversary A are modeled as probabilistic Turing machines.
  • However the channels that link the Server and authorized Readers are assumed to be secure.

5.2 The UC framework

  • The universal composability (UC) framework specifies a particular approach to security proofs for protocols, and guarantees that proofs that follow that approach remain valid if the protocol is, say composed with other protocols and under arbitrary concurrent protocol executions (including with itself).
  • Tag authentication requires that the Server can corroborate values produced by the tag in terms of the state of their shared RNG.
  • Â, of the real adversary, Ŝerver, of the real Server, t̂ag, of real tags, and the interactions of the protocol with Z, in particular its invocations of Fauth.
  • Finally, in the real world all protocol flows involve pseudorandom numbers whereas in the ideal world the authors have random numbers: the environment Z cannot distinguish these because it is a PPT machine.
  • However it will only succeed with negligible probability in guessing RN5 in response to the Server’s query RN4.


Secure EPC Gen2 compliant Radio Frequency Identification

Mike Burmester¹, Breno de Medeiros², Jorge Munilla³, and Alberto Peinado³

¹ Department of Computer Science, Florida State University, Tallahassee, FL 32306, USA, burmester@cs.fsu.edu
² Google, Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, breno@brenodemedeiros.com
³ Departamento de Ingeniería de Comunicaciones, Universidad de Málaga, Spain, munilla@ic.uma.es, apeinado@ic.uma.es

Abstract. The increased functionality of EPC Class1 Gen2 (EPCGen2) is making this standard a de facto specification for inexpensive tags in the RFID industry. Recently three EPCGen2 compliant protocols that address security issues were proposed in the literature. In this paper we analyze these protocols and show that they are not secure and subject to replay/impersonation and statistical analysis attacks. We then propose an EPCGen2 compliant RFID protocol that uses the numbers drawn from synchronized pseudorandom number generators (RNG) to provide secure tag identification and session unlinkability. This protocol is optimistic and its security reduces to the (cryptographic) pseudorandomness of the RNGs supported by EPCGen2.

Keywords: EPCGen2 compliance, security, identification, unlinkability.
1 Introduction
Radio Frequency Identification (RFID) is a promising new technology that is
widely deployed for supply-chain and inventory management, retail operations
and more generally for automatic identification. The advantage of RFID over
barcode technology is that it is wireless and does not require direct line-of-sight
reading. Furthermore, RFID readers can interrogate tags at greater distances,
faster and concurrently.
One of the most important advantages of RFID technology is that tags have
read/write capability, allowing stored tag information to be altered dynamically.
Typically an RFID system consists of tags, one or more readers, and a back-end
server. The communication channel between the reader and the back-end server
is assumed to be secure while the wireless channel between the reader and the
tag is assumed to be insecure.

To promote the adoption of RFID technology and to support interoperability, EPCGlobal [10] and the International Organization for Standards (ISO) [12] have been actively engaged in defining standards for tags, readers, and the communication protocols. A recently ratified standard is EPC Class 1 Gen 2 (EPCGen2). This defines a platform for the interoperability of RFID protocols, by supporting efficient tag reading, flexible bandwidth use, multiple read/write capabilities and basic reliability guarantees, provided by an on-chip 16-bit Pseudo-random Number Generator (RNG) and a 16-bit Cyclic Redundancy Code (CRC16). EPCGen2 is designed to strike a balance between cost and functionality, with little attention paid to security.

In this paper we are concerned with the security of EPCGen2 compliant protocols. Clearly one has to take into account the additional cost for introducing security into systems with restricted capability. It is important therefore to employ lightweight cryptographic protocols that are compatible with the existing standardized specifications. Several RFID authentication protocols that address security issues using cryptographic mechanisms have been proposed in the literature. Most of these use hash functions [16, 21, 2, 8, 19, 9, 15], which are beyond the capability of low-cost tags and are not supported by EPCGen2. Some protocols use pseudorandom number generators (RNG) [21, 13, 5, 4, 20, 3], a mechanism that is supported by EPCGen2, but these are not optimized for EPCGen2 compliance. One can also use the RNG supported by EPCGen2 as a pseudorandom function (PRF) (as in [3, 11]) to link challenge-response flows, however it is not clear if such protocols are vulnerable to related key attacks [3].

The research literature for RFID security is extensive. We refrain from a detailed review, and refer the reader to a comprehensive repository available online at [1]. Recently three RFID authentication protocols specifically designed for compliance with EPCGen2 have been proposed [7, 17, 18]. These combine the CRC-16 of the EPCGen2 standard with its 16-bit RNG to hash, randomize and link protocol flows, and to prevent cloning, impersonation and denial of service attacks. In this paper we analyze these protocols and show that they do not achieve their security goals. One may argue that, because the EPCGen2 standard supports only a very basic RNG, any RFID protocol that complies with this standard is potentially vulnerable, for example to ciphertext-only attacks that exhaust the range of the components of protocol flows. While this is certainly the case, such attacks may be checked by using additional keying material and by constraining the application (e.g., the life-time of tags). We contend that there is scope for securing low cost devices. Obviously, the level of security may not be sufficient for sensitive applications. However there are many low cost applications where there is no alternative.

The rest of this paper is organized as follows. Section 2 introduces the EPCGen2 standard focusing on security issues. Section 3 analyzes three recently proposed EPCGen2 protocols. In Section 4 we propose a novel EPCGen2 compliant protocol that provides tag identification and session unlinkability. In Section 5 we define a security framework for Radio Frequency Identification, and show that our protocol is secure in this framework.

2 The EPCGen2 standard
EPC Global UHF Class 1 Gen 2, commonly known as the EPCGen2, was approved in 2004, and ratified by ISO as an amendment to the 18000-6 standard in 2006. This standard defines the physical and logical requirements for a passive-backscatter, Interrogator-talks-first (ITF), radio-frequency identification (RFID) system operating in the 860 MHz - 960 MHz frequency range. The EPCGen2 standard defines a protocol with two layers, the physical and the Tag-identification layer, which together specify the physical interactions, the operating procedures and commands, and the collision arbitration scheme used to identify a Tag in a multiple-tag environment.

The system comprises Interrogators, also known as Readers, and Tags. Below we briefly summarize the EPCGen2 requirements.

1. Physical Layer
   – Communications are half-duplex, meaning that Interrogators and Tags cannot talk simultaneously.
   – An Interrogator transmits information to a Tag by modulating an RF signal. Tags are passive, meaning that they receive all of their operating energy from the Interrogator's RF waveform, as well as information.
   – An Interrogator receives information from a Tag by transmitting a continuous wave (CW) RF signal to the Tag; the Tag responds only after being directed to do so by an Interrogator, by modulating the reflection coefficient of its antenna, thereby backscattering a weak signal.
2. Tag memory is logically separated into four distinct banks
   – Reserved memory that contains a 32-bit kill password (KP) to permanently disable the Tag, and a 32-bit access password (AP) used when the Interrogator wants to write/read the memory.
   – EPC memory that contains the parameters of a CRC16 (16 bits), protocol control (PC) bits (16 bits), and an electronic product code EPC that identifies the Tag (32-96 bits).
   – TID memory that contains sufficient information to identify to a Reader the (custom/optional) features of the Tag and tag/vendor specific data.
   – User memory that allows user-specific data storage.
3. Tag-identification layer
   – An Interrogator manages Tag populations using three basic operations: Select (the operation of choosing a Tag population), Inventory (the operation of identifying Tags) and Access (the operation of reading from and/or writing to a Tag).
   – The Interrogator begins an inventory round by transmitting a Query command in one of four sessions. An inventory operates in only one session at a time, and the Interrogator inventories Tags within that session.
   – A random-slotted collision algorithm is used. The Interrogator sends a parameter Q, that is an integer in the range (0, 15); the Tags load a random Q-bit number into a slot counter. Tags decrement this slot counter when they receive a command (QueryRep), and reply to the Interrogator when their counter reaches zero. When the Interrogator detects the reply of a Tag, it requests its PC, EPC, and CRC16.
   – Link cover-coding can be used to obscure information during Reader to Tag transmissions. To cover-code data (or a password), an Interrogator first requests a random number from the Tag. Then, the Interrogator performs a bit-wise XOR of the data with this random number, and transmits the result (cover coded or ciphertext) to the Tag.
4. Hardware requirements
   – A 16-bit Pseudo-Random number generator (RNG).
   – A 16-bit Cyclic Redundancy Code.
2.1 The Pseudo-Random Number Generator
A pseudorandom number generator (RNG) is a deterministic function that outputs a sequence of numbers that are indistinguishable from random numbers by using as input a random binary string, called seed. The length of the random seed must be selected carefully to guarantee that the numbers generated are pseudorandom. The state of the RNG changes each time that a new random number is drawn. Although EPCGen2 does not specify any structure for the RNG, it defines the following randomness criteria.

1. Probability of RN16: The probability that a pseudorandom number RN16 drawn from the RNG has value RN is bounded by:
   $0.8/2^{16} < \mathrm{Prob}(RN16 = RN) < 1.25/2^{16}$.
2. Drawing identical sequences: For a tag population of up to 10,000 tags, the probability that any two or more tags simultaneously draw the same sequence of RN16s is < 0.1%, regardless of when the tags are energized.
3. Next-number prediction: A RN16 drawn from a tag's RNG is not predictable with probability better than 0.025%, given the outcomes of all prior draws.

We refer the reader to the discussion in [3] regarding the strength of EPCGen2 compliant RNGs.
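
Criteria 1 and 3 can be turned into a concrete check on a candidate generator. The following Python sketch is an added example, not code from the paper or the standard: the 16-bit Fibonacci LFSR that emits its whole state as RN16 is an assumed toy generator, chosen only because its full period can be enumerated, and all function names are illustrative.

```python
from collections import Counter
from fractions import Fraction

LOW = Fraction(8, 10) / 2**16          # criterion 1 lower bound: 0.8 / 2^16
HIGH = Fraction(125, 100) / 2**16      # criterion 1 upper bound: 1.25 / 2^16
MAX_PREDICT = Fraction(25, 100_000)    # criterion 3 bound: 0.025 %


def lfsr_step(state):
    """Assumed toy generator: 16-bit Fibonacci LFSR with taps 16, 14, 13, 11.
    Each draw returns the next 16-bit state as the RN16."""
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return (state >> 1) | (bit << 15)


def one_period(step, seed):
    """Draw RN16 values until the generator returns to its seed state."""
    outputs, state = [], seed
    while True:
        state = step(state)
        outputs.append(state)
        if state == seed:
            return outputs


def criterion1_violations(outputs):
    """16-bit values whose relative frequency lies outside (LOW, HIGH)."""
    counts = Counter(outputs)
    total = len(outputs)
    return [value for value in range(2**16)
            if not LOW < Fraction(counts[value], total) < HIGH]


def prediction_rate(outputs, predictor):
    """Fraction of draws guessed correctly from the immediately prior draw."""
    pairs = list(zip(outputs, outputs[1:]))
    hits = sum(predictor(prev) == nxt for prev, nxt in pairs)
    return Fraction(hits, len(pairs))


if __name__ == "__main__":
    draws = one_period(lfsr_step, 0xACE1)      # constructed seed value
    print("period:", len(draws))
    print("criterion 1 violations:", criterion1_violations(draws))
    rate = prediction_rate(draws, lfsr_step)
    print("next-number prediction rate:", float(rate),
          "(bound %.5f)" % float(MAX_PREDICT))
```

The toy generator misses criterion 1 only for the value 0, which a full-period LFSR never emits, but fails criterion 3 completely because each draw determines the next.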
2.2 The 16-bit Cyclic Redundancy Code
Cyclic Redundancy Codes (CRC) are error-detecting codes that check accidental (non-malicious) errors caused by faults during transmission. To compute the CRC of a bit string $B = (B_0, B_1, \ldots, B_{m-1})$ we first represent it by a polynomial $B(x) = B_0 + B_1 x + \cdots + B_{m-1} x^{m-1}$ over the finite field $GF(2)$, and then compute its remainder: $\mathrm{CRC}(B(x)) = (B(x) \cdot x^n) \bmod g(x)$, for an appropriate generator polynomial $g(x)$ of degree $n$.

EPCGen2 uses the CRC-CCITT generator: $x^{16} + x^{12} + x^5 + 1$, and XORs a fixed bit pattern to the bitstream to be checked. EPCGen2 specifies the Cyclic Redundancy Code CRC16 which, for a 16-bit number $B$ is defined by:

$$\mathrm{CRC}(B) = \Big[ B(x) \cdot x^{16} + \sum_{i=16}^{31} x^i \Big] \bmod g(x) = B(x)\,x^{16} \bmod g(x) + \mathrm{CRC}(0),$$

where $\mathrm{CRC}(0) = \sum_{i=16}^{31} x^i \bmod g(x)$ is a fixed polynomial. Since the modulo $g(x)$ operator is a homomorphism, CRC16 inherits strong linearity aspects. More specifically, if $P$, $Q$ are 16-bit numbers, then

$$\mathrm{CRC}(P(x) + Q(x)) = \mathrm{CRC}(P(x)) + \mathrm{CRC}(Q(x)) + \mathrm{CRC}(0). \qquad (1)$$

It follows that the CRC16 of a sequence of numbers can be computed from the CRC16s of the numbers. Consequently CRC16 by itself will not protect data against intentional (malicious) alteration. Its functionality is to support strong error detection particularly with respect to burst errors, not security.
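
Equation (1) and its consequence can be checked numerically. The following Python sketch is an added example, not code from the paper: it implements CRC16 exactly as defined in this section (bit i of an integer is taken as the coefficient of x^i), cross-checks it against a shift-register form, and generalizes equation (1) from two numbers to k numbers. The function names and sample values are assumptions made for illustration.

```python
import random

G = (1 << 16) | (1 << 12) | (1 << 5) | 1       # g(x) = x^16 + x^12 + x^5 + 1
PRESET = sum(1 << i for i in range(16, 32))    # fixed pattern: sum of x^i, i=16..31


def poly_mod(a, g=G):
    """Remainder of a(x) divided by g(x) over GF(2)."""
    deg_g = g.bit_length() - 1
    while a.bit_length() > deg_g:              # while deg(a) >= deg(g)
        a ^= g << (a.bit_length() - 1 - deg_g)
    return a


CRC0 = poly_mod(PRESET)                        # CRC(0), the fixed polynomial


def crc16(b):
    """CRC(B) = [B(x) * x^16 + sum_{i=16}^{31} x^i] mod g(x) for 16-bit B."""
    if not 0 <= b < 1 << 16:
        raise ValueError("b must be a 16-bit number")
    return poly_mod((b << 16) ^ PRESET)


def crc16_register(b):
    """Same function as a shift register preset to 0xFFFF, fed MSB first."""
    crc = 0xFFFF
    for i in range(15, -1, -1):
        feedback = ((crc >> 15) & 1) ^ ((b >> i) & 1)
        crc = (crc << 1) & 0xFFFF
        if feedback:
            crc ^= 0x1021
    return crc


def crc_after_xor(crc_b, delta):
    """CRC16 of (B xor delta) computed from CRC(B) alone, via equation (1)."""
    return crc_b ^ crc16(delta) ^ CRC0


def crc_of_xor(crcs):
    """CRC16 of the XOR of k numbers, given only their k CRC16 values.
    Each CRC carries one CRC(0) term, so an even k leaves one uncancelled."""
    acc = 0
    for c in crcs:
        acc ^= c
    return acc ^ CRC0 if len(crcs) % 2 == 0 else acc


def equation_1_holds(trials=10_000, seed=1):
    """Check equation (1) on pseudo-randomly chosen 16-bit pairs (P, Q)."""
    rng = random.Random(seed)
    for _ in range(trials):
        p, q = rng.randrange(1 << 16), rng.randrange(1 << 16)
        if crc16(p ^ q) != crc16(p) ^ crc16(q) ^ CRC0:
            return False
    return True


if __name__ == "__main__":
    b, delta = 0x1234, 0x00FF                  # constructed sample values
    print("CRC(0)            = 0x%04X" % CRC0)
    print("equation (1) holds:", equation_1_holds())
    print("CRC(b ^ delta)    = 0x%04X" % crc16(b ^ delta))
    print("from CRC(b) only  = 0x%04X" % crc_after_xor(crc16(b), delta))
```

Because the checksum of altered data follows from the old checksum and the chosen difference, integrity against a deliberate change needs a keyed mechanism rather than CRC16.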
3 Weaknesses in recently proposed EPCGen2 compliant RFID protocols
In this section we consider three recently proposed EPCGen2 compliant protocols: the Chen-Deng mutual authentication protocol [7], the Quingling-Yiju-Yonghua minimalist mutual authentication protocol [17], and the Sun-Ting authentication protocol [18]. We show that these protocols fall short of their claimed security.

In the protocols below we use the following notation: S is the back-end server, R a Reader, T a tag. We assume that S and R are linked with a secure channel, and for simplicity, only consider the case when the authentication is online.
3.1 Analysis of the Chen-Deng protocol
In the Chen-Deng mutual authentication protocol [7] each tag T shares three private values with the back-end server S: a key K, a value (incorrectly called nonce) N and an EPC identifier. The tag stores these in non-volatile memory and the server stores them in a database DB. The protocol has three passes:

1. $S \to R \to T$: query, $R_r$, a random number, and $P = \mathrm{CRC}(N \oplus R_r)$.
   $T$: Check that $P$ is correct. If it is correct,
2. $T \to R \to S$: $R_t$, a random number, $X = (K \oplus EPC \oplus R_t)$ and $Y = \mathrm{CRC}(N \oplus X \oplus R_t)$.
   $S$: Check that $X$, $Y$ are correct. If they are correct,
3. $S \to R \to T$: $M_{resp}$, a response message.

This protocol is clearly subject to a replay attack since the flows from the Reader R and tag T use independent randomness (and hence are independent). In fact the adversary needs only one interrogation of T: $R_t$, $X = (K \oplus EPC \oplus R_t)$ and $Y = \mathrm{CRC}(N \oplus X \oplus R_t)$, to impersonate the tag by computing a valid $(R_a, X', Y')$, for any random number $R_a$, as: $X' = X \oplus (R_t \oplus R_a)$, $Y' = Y$. (Note that new $P' = P \oplus \mathrm{CRC}(R_r \oplus R_a) \oplus \mathrm{CRC}(0)$ can be also computed).

Citations

Journal Article
01 Jan 2011
TL;DR: This work considers a stream of publications among these that consider mutual authentication of tag and reader, and identifies some existing vulnerabilities.
Abstract: As RFID-tagged systems become ubiquitous, the acceptance of this technology by the general public necessitates addressing related security/privacy issues. The past six years have seen an increasing number of publications in this direction, specifically using cryptographic approaches. We consider a stream of publications among these that consider mutual authentication of tag and reader, and identify some existing vulnerabilities.

59 citations


Journal Article
TL;DR: A lightweight RFID authentication protocol that supports forward and backward security and uses a pseudorandom number generator (PRNG) that is shared with the backend Server.
Abstract: We propose a lightweight RFID authentication protocol that supports forward and backward security. The only cryptographic mechanism that this protocol uses is a pseudorandom number generator (PRNG) that is shared with the backend Server. Authentication is achieved by exchanging a few numbers (3 or 5) drawn from the PRNG. The lookup time is constant, and the protocol can be easily adapted to prevent online man-in-the-middle relay attacks. Security is proven in the UC security framework.

49 citations


Cites methods from "Secure EPC Gen2 Compliant Radio Fre..."

  • ...Even pseudorandom functions (PRF) based on PRNG (as in [van Le et al. 2007; Burmester et al. 2009b] are too slow for EPCGen2 applications (to generate an n-bit output of a PRF by running a PRNG as in [Goldreich et al. 1986] requires 2n numbers to be drawn)....

    [...]

  • ...We then extend the Universally Composable (UC) security framework for RFID systems presented recently in this journal [Burmester et al. 2009b], to capture lightweight-to-flyweight RFID applications, and, in particular, forward and backward security with refreshment....

    [...]

  • ...A Flyweight RFID protocol that provides mutual authentication with session unlinkability, extending work in [Burmester et al. 2009a; Burmester and Munilla 2009] (Section 4)....

    [...]

  • ...A UC framework that adapts the model in [Burmester et al. 2009b] to capture availability,1 mutual authentication, and session unlinkability with forward and backward security (Section 8)....

    [...]

  • ...Furthermore, we restrict concurrency by prohibiting RFID tags from executing more than one session at a time (as in [Burmester et al. 2009b])....

    [...]


Journal Article
TL;DR: It is shown that the proposed mutual authentication protocol fails short of its security objectives, and in fact offers the same security level than the EPC standard it tried to correct, and a new EPC-friendly protocol, named Azumi, which may be considered a significant step toward the security of Gen-2 compliant tags.
Abstract: Recently, Chen and Deng (2009) proposed an interesting new mutual authentication protocol. Their scheme is based on a cyclic redundancy code (CRC) and a pseudo-random number generator in accordance with the EPC Class-1 Generation-2 specification. The authors claimed that the proposed protocol is secure against all classical attacks against RFID systems, and that it has better security and performance than its predecessors. However, in this paper we show that the protocol fails short of its security objectives, and in fact offers the same security level than the EPC standard it tried to correct. An attacker, following our suggested approach, will be able to impersonate readers and tags. Untraceability is also not guaranteed, since it is easy to link a tag to its future broadcast responses with a very high probability. Furthermore, readers are vulnerable to denial of service attacks (DoS), by obtaining an incorrect EPC identifier after a successful authentication of the tag. Moreover, from the implementation point of view, the length of the variables is not compatible with those proposed in the standard, thus further discouraging the wide deployment of the analyzed protocol. Finally, we propose a new EPC-friendly protocol, named Azumi, which may be considered a significant step toward the security of Gen-2 compliant tags.

35 citations


Cites background from "Secure EPC Gen2 Compliant Radio Fre..."

  • ...In Burmester et al. (2009), a similar attack is suggested but its proof is not included....

    [...]


Posted Content
TL;DR: A lightweight RFID authentication protocol that supports session unlinkability with forward and backward security, and is optimistic with constant key-lookup, and can easily be implemented on an EPCGen2
Abstract: In this paper we first discuss the security threats that have to be addressed when dealing with lightweight RFID protocols: in particular, privacy/integrity attacks that compromise the forward and backward security of tags. We then analyze some recently proposed EPCGen2 compliant protocols. Finally, we propose a lightweight RFID authentication protocol that supports session unlinkability with forward and backward security. The only cryptographic mechanism that this protocol uses is a synchronized pseudorandom number generator (RNG), that is shared with the backend Server. Authentication is achieved by using a few numbers (3 or 5) drawn from the RNG. The protocol is optimistic with constant key-lookup, and can easily be implemented on an EPCGen2

32 citations


Cites background from "Secure EPC Gen2 Compliant Radio Fre..."

  • ...So private information can easily be manipulated, and only one eavesdropped interrogation is needed to clone a tag (for details see [6])....

    [...]

  • ...This is also subject to a replay attack because only the tag provides randomness (for details see [6])....

    [...]

  • ...This is subject to a replay attack because the flows of the Reader and tag use independent randomness (for details see [6])....

    [...]


Journal Article
TL;DR: A passive disclosure attack on RAPLT protocol is presented, and it is demonstrated that SRP++ protocol can resist the exhaustive search attack with the complexity $O(2^{32})$, which is the optimal security bound.
Abstract: Several lightweight RFID authentication protocols have been proposed to settle the security and privacy problems. Nevertheless, most of these protocols are analyzed and they are not successful in their attempt to achieve the claimed security objectives. In this paper, we consider the security of two recently proposed typical RFID authentication protocols: RAPLT protocol and SRP+ protocol. RAPLT protocol is a new ultra-lightweight RFID protocol based on two new operations named merge and separation. Utilizing the linear property of the merge operation, we present a passive disclosure attack on RAPLT protocol, and we can deduce the shared secrets with overwhelming probability after eavesdropping about 100 round authentication sessions. SRP+ protocol is a novel secure RFID authentication protocol conforming to the EPC C-1 G-2 standard, and we present efficient de-synchronization attack and passive disclosure attack through exhaustive search. Our disclosure attack only needs one run of the protocol, and the attack complexity is $O(2^{16})$ evaluation of the PRNG function in off-line analysis mode. In addition, to counteract the vulnerabilities, we propose a new modified version of SRP+ protocol, denoted by SRP++, conforming to the EPC C-1 G-2 standard. Our security analysis demonstrates that SRP++ protocol can resist the exhaustive search attack with the complexity $O(2^{32})$, which is the optimal security bound.

30 citations


Cites background from "Secure EPC Gen2 Compliant Radio Fre..."

  • ...However, it is demonstrated that the EPC C-1 G-2 specification has important security flaws in this standard [14], which motivates researchers to try to propose EPC-compliant schemes, analyze the security of existing EPCcompliant schemes, or improve the vulnerable schemes [15–22]....

    [...]


References

Proceedings Article
Ran Canetti
14 Oct 2001
Abstract: We propose a novel paradigm for defining security of cryptographic protocols, called universally composable security. The salient property of universally composable definitions of security is that they guarantee security even when a secure protocol is composed of an arbitrary set of protocols, or more generally when the protocol is used as a component of an arbitrary system. This is an essential property for maintaining security of cryptographic protocols in complex and unpredictable environments such as the Internet. In particular, universally composable definitions guarantee security even when an unbounded number of protocol instances are executed concurrently in an adversarially controlled manner, they guarantee non-malleability with respect to arbitrary protocols, and more. We show how to formulate universally composable definitions of security for practically any cryptographic task. Furthermore, we demonstrate that practically any such definition can be realized using known techniques, as long as only a minority of the participants are corrupted. We then proceed to formulate universally composable definitions of a wide array of cryptographic tasks, including authenticated and secure communication, key-exchange, public-key encryption, signature, commitment, oblivious transfer, zero knowledge and more. We also make initial steps towards studying the realizability of the proposed definitions in various settings.

3,128 citations


Book
01 Feb 2007
Abstract: Power analysis attacks allow the extraction of secret information from smart cards. Smart cards are used in many applications including banking, mobile communications, pay TV, and electronic signatures. In all these applications, the security of the smart cards is of crucial importance. Power Analysis Attacks: Revealing the Secrets of Smart Cards is the first comprehensive treatment of power analysis attacks and countermeasures. Based on the principle that the only way to defend against power analysis attacks is to understand them, this book explains how power analysis attacks work. Using many examples, it discusses simple and differential power analysis as well as advanced techniques like template attacks. Furthermore, the authors provide an extensive discussion of countermeasures like shuffling, masking, and DPA-resistant logic styles. By analyzing the pros and cons of the different countermeasures, this volume allows practitioners to decide how to protect smart cards.

1,585 citations


Book Chapter
TL;DR: Privacy and security risks and how they apply to the unique setting of low-cost RFID devices are described and several security mech- anisms are proposed and suggested areas for future research are suggested.
Abstract: Like many technologies, low-cost Radio Frequency Identification (RFID) systems will become pervasive in our daily lives when affixed to every- day consumer items as "smart labels". While yielding great productivity gains, RFID systems may create new threats to the security and privacy of individuals or organizations. This paper presents a brief description of RFID systems and their operation. We describe privacy and security risks and how they apply to the unique setting of low-cost RFID devices. We propose several security mech- anisms and suggest areas for future research.

1,505 citations


Book
12 Mar 2007
TL;DR: This volume explains how power analysis attacks work and provides an extensive discussion of countermeasures like shuffling, masking, and DPA-resistant logic styles to decide how to protect smart cards.
Abstract: Power analysis attacks allow the extraction of secret information from smart cards. Smart cards are used in many applications including banking, mobile communications, pay TV, and electronic signatures. In all these applications, the security of the smart cards is of crucial importance. Power Analysis Attacks: Revealing the Secrets of Smart Cards is the first comprehensive treatment of power analysis attacks and countermeasures. Based on the principle that the only way to defend against power analysis attacks is to understand them, this book explains how power analysis attacks work. Using many examples, it discusses simple and differential power analysis as well as advanced techniques like template attacks. Furthermore, the authors provide an extensive discussion of countermeasures like shuffling, masking, and DPA-resistant logic styles. By analyzing the pros and cons of the different countermeasures, this volume allows practitioners to decide how to protect smart cards.

1,086 citations


01 Jan 2003
TL;DR: This paper discusses and clarifies the requirements and restrictions of RFID systems, and suggests the use of the previously proposed scheme, which protects user privacy using a low-cost hash chain mechanism.
Abstract: Radio frequency identification (RFID) is expected to become an important and ubiquitous infrastructure technology. As RFID tags are affixed to everyday items, they may be used to support various useful services. However, widespread deployment of RFID tags may create new threats to user privacy, due to the powerful tracking capability of the tags. There are several important technical points when constructing an RFID scheme. Particularly important is ensuring forward security, i.e., data transmitted today will still be secure even if secret tag information is revealed by tampering in the future. Low cost implementation is another key RFID requirement. This paper discusses and clarifies the requirements and restrictions of RFID systems. This paper also examines the features and issues pertinent to several existing RFID schemes. Finally, this paper suggests the use of our previously proposed scheme, which protects user privacy using a low-cost hash chain mechanism.

678 citations


Frequently Asked Questions (1)
Q1. What are the contributions mentioned in the paper "Secure epc gen2 compliant radio frequency identification" ?

In this paper the authors analyze these protocols and show that they are not secure and subject to replay/impersonation and statistical analysis attacks. The authors then propose an EPCGen2 compliant RFID protocol that uses the numbers drawn from synchronized pseudorandom number generators (RNG) to provide secure tag identification and session unlinkability.