project report

317 views

Published on

Published in: Business, News & Politics
  • Be the first to comment

  • Be the first to like this

project report

  1. 1. RFID Authentication Mini-Project report Written by Roi Tzaig & Moria Damri Introduction and theory RFID – Radio Frequency Identification is a technology for tagging using radio waves. A RFID tag is a small electronic device, supplemented with an antenna that can transmit and receive data. The RFID technology is designed for unique identification of different kinds of objects. RFID systems usually contain three parts: 1. Tag – a microchip that can send and receive data (messages). 2. Verifier – interfacing with the Tag, the Verifier can read/write data and sends messages to access the Tags data. 3. Data base – a small amount of memory that uses as a data base that can be changed. Limitations of RFID systems Limits of RFID systems are very important. These systems were designed to be low cost in order to enable mass production. Broadcast range is limited to a few meters, therefore the Tag and the Verifier must be sufficiently close Due to their small size the RFID systems have a limited computational power, and limited memory. Hence, we can conclude that a "heavy" encryption algorithm can not be used by RFID systems. There for we need a simple, low cost encryption protocol that is based on hardware efficiency that will be embedded in the RFID existing systems. The goal of this project is to show the efficiency and empirically prove the theoretic claims upon the protocols AP1 Ungeleralized/Generalized, AP 2 Ungeleralized/Generalized and ² 2 written by professor Shlomi Dolev AP
  2. 2. Typical scenario Let us think of a typical scenario, in which an alarm car uses RFID system to communicate between the remote control (the Tag) and the car alarm system (the Verifier), farther more a thief (an Adversary) may or may not listen to the communications. The scenario is as follows: The Tag (remote control) sends an encrypted request to the Verifier (car) to open the car. The car processes and decrypts the request and composed an answer, if the request is genuine then "Open" message is sent back. If it is not, a "DoNotOpen" message is sent. The thief may or may not listen to the communications, and based on them compose a false message that will be sent to the car in order to get an "Open" message back. The adversary model The adversary has a few basic assumptions: 1. The adversary is weaker than the one in standard cryptography. 2. The adversary is Byzantine, it tries to harm the system as well as break in it. 3. One out of n consecutive communications the adversary does not listen.  Si The adversary does not listen ∃i 1 ≤ i ≤ n  S1 ,K Si −1 ,Si+1 ,K S n The adversary listen 4. (Generalizing 3) k out of n consecutive communications the adversary does not listen. Every n consecutive communications are atomic, meaning, the adversary cannot modify part of the communication in a session.
  3. 3. AP1 Ungeneralized Protocol (Adversary does not listen to one out of n consecutive communications) Protocol for RFID Tag Ungeneralized Protocol for RFID Verifier Ungeneralized 1: Initialization: 1: Initialization: 2: Create int array ARV [1..n] 2: Create int array ARV [1..n] 3: int i := 1; 3: int i := 1; 4: Upon user request 4: Upon reception of key message 5: keyentry = n − (i − 1) mod n 5: keyentry = n − (i − 1) mod n 6: Create new random array LRV 6: s = (X,LRV) 7: Send s = (ARV [keyentry], LRV) 7: if X = ARV [keyentry] 8: to Verifier 8: Send Open and 9: If Open received 9: Call Updating procedure 10: Call Updating procedure 10: else Send DoNotOpen 11: End user request 11: End of key message reception u1: Updating procedure u1: Updating procedure u2: ARV [keyentry] = 0 u2: ARV [keyentry] = 0 u3: for j =1 to n u3: for j = 1 to n u4: ARV [j] = ARV [j] xor LRV [j] u4: ARV [j] = ARV [j] xor LRV [j] Overview: The vector ARV stands for accumulated random vector and it is known to both the Tag and the Verifier. The integer i marks the current request index and keyentry is calculated in such a way that it is a legal index of ARV entry and with every increment of i it is incremented as well with modulo n. When the Tag sends a request, it composes a message form the current ARV entry (ARV[keyentry]) concatenated with a pseudo random generated vector called LRV. When the Verifier gets the message, it checks if the ARV[keyentry] in the message is the same as its ARV[keyentry]. If so then an "Open" message is sent to the Tag and a xor update is preformed on ARV using LRV (update procedure) to both the Tag and the Verifier. If the ARV[keyentry] in the message is not the same as its ARV[keyentry] the "DoNotOpen" message is sent and neither the Tag nor the Verifier updates its ARV.
  4. 4.  Message length is n + 1 which is O ( n ) , so for an entire session (n consecutive communication) O ( n ) bytes will be transferred. 2
  5. 5. AP1 Generalized Protocol (Adversary does not listen to k out of n consecutive communications) Protocol for RFID Tag Protocol for RFID Verifier 1: Initialization: 1: Initialization: 2: Create int array ARV [1..n] 2: Create int array ARV [1..n] 3: int i := 1; 3: int i := 1; 4: Upon user request 4: Upon reception of key message 5: keyentry = n − (i − 1) mod n 5: keyentry = n − (i − 1) mod n 6: Select random 2Log(n) indices 6: s = (X, Indices, reducedLRV) 7: Build reducedLRV form indices 7: if X = ARV [keyentry] 8: Send s = (ARV[keyentry], 8: Send Open and Indices, reducedLRV) to Verifier 9: Call Updating procedure 9: If Open received 10: else Send DoNotOpen 10: Call Updating procedure 11: End of key message reception 11: End user request u1: Updating procedure u1: Updating procedure u2: ARV [keyentry] = 0 u2: ARV [keyentry] = 0 u3: for j =1 to 2Log(n) u3: for j =1 to 2Log(n) u4: ARV [reducedLRV[j]] = u4: ARV[reducedLRV[j]] = ARV [reducedLRV[j]] xor LRV[j] ARV[reducedLRV[j]] xor LRV[j] Overview: Much like in AP1 Ungeneralized protocol this protocol has an ARV vector, i index and keyentry that function the as before. The LRV vector is replaced by reducedLRV and Indices which are both vectors with 2 log n entries. In every request, the Tag randomly selects 2 log n indices of ARVs entries and stores them in Indices vector, then builds the vector reducedLRV by randomly selecting 2 log n numbers. The tag then composes a message from ARV[Keyentry] concatenated with Indices and reducedLRV and sets it to the Verifier. When the Verifier get the message it checks if the ARV[keyentry] in the message is genuine and if so update only the ARV entries that was selected by the Tag.  Message length is 2 log n + 1 which is O ( log n ) , so for an entire session (n consecutive communication) O ( n log n ) bytes will be transferred.
  6. 6. What is the probability that all ARVs entries will be xored?  The probability that a certain entry will be xored is equal to the probability that a 2 log n certain entry will be selected, which is n 2 log n  The probability that the a certain entry will not be selected is 1 − n  The probability that the a certain entry will not be selected for n consecutive n  −2 log n  communications is  1 +   n   Limiting the above probability gives n  −2 log n  1 1 = ( elog n ) = n −2 = 2 −2 −2log n p = 1 +  ≤e ⇒ p≤  n  n n2  Therefore the probability that at least one entry out of n will not be selected during 1 1 1 1 +L + 2 = n ⋅ 2 = n consecutive communications is 14243 n 2 n n n n times  First conclusion: the probability that all n entries of ARV will be selected, and 1 therefore xored, is 1 − n  Second conclusion: When increasing n, the probability for full refresh is increasing.
  7. 7. Results The following graphs present the result and curve fitting of the amount of full xor coverage of ARV out of 100 sessions for 2, 4 and 6 bit. The curve fit is for the  B function y = 100  A −  , which is the probability function as shown at the beginning  n where A and B are parameters. number length is 6 bit Amount of sessions with full coverage out of 100 100 90 80 70 Data: Data1_bit6 Model: RFID Chi^2 = 74.16455 60 A 1.11929 ±0.04837 B 1.01851 ±0.21341 50 40 2 4 6 8 10 12 n Result summary Length of A value A error B value B error number 6 1.11929 0.04837 1.01851 0.21341
  8. 8. Summary and conclusions 1. Form the result, we can see that the values of A and B are much closed to the theoretic ones 1. 2. The theoretic value of B, 1, is within the error range in all the experiments. 3. The theoretic value of A, 1, is not within the in error range in all the experiments, however they are much closed. 4. So, it safe to conclude that the probability for full xor coverage is as 1 developed before P = 1 − . n 5. We can easily see form the graphs that even at n = 3 there is a good coverage, and a better in n = 4 (no less the 95% and an average of 97.666%). For larger n 's there isn't any significant improvement.
  9. 9. AP2 Ungeneralized Protocol Protocol for RFID Tag Ungeneralized Protocol for RFID Verifier Initialization: Initialization: Create int vector array ARV [1..n] Create int vector array ARV [1..n] int i := 1; seed := 0 int i := 1; seed := 0 int vector arrays keywords int vector arrays keywords Upon user request: Upon key message Y reception Create new random array LRV keyentry = n − (i − 1)mod n keyentry = n − (i − 1)mod n Create pseudo-random sequence X[keyentry] = ARV [keyentry] prs of length m from Create pseudo-random sequence seed = X[keyentry] xor seed prs of length m from Z = Y xor prs seed = X[keyentry] xor seed if Z[(n + 1)..m] belong to keywords Y = (LRV ||keyword) xor prs Send Open and Send Y to Verifier Call Updating procedure If Open received else Call Updating procedure Send DoNotOpen End user request End of key message reception Updating procedure Updating procedure ARV[keyentry] = 0 ARV[keyentry] = 0 for j = 1 to n for j = 1 to n [ARV[j] = ARV[j] xor LRV[j ARV[j] = ARV[j] xor LRV[j ] Overview: The vector ARV stands for accumulated random vector and it is known to both the Tag and the Verifier. The integer i marks the current request index and the integer seed is use for the generation of the prs, the initial seed value is initialized to zero. The keyentry is calculated in such a way that it is a legal index of ARV entry and with every increment of i it is incremented as well with modulo n. When the Tag sends a request, it first create a pseudo random generated vector prs of length m = n * l +k where k is the keyword length and l is the length in bits of each ARV vector entry. The current ARV entry (ARV[keyentry]) xor with the old seed is used as a seed for the generation of the pseudo random sequence prs. The old seed is updated, (seed=ARV[keyentry] xor seed). The Tag creates a new vector Y that should be send to the verifier. Y is equal to the xor of the vector prs with the pseudo random generated vector called LRV
  10. 10. concatenated with the keyword. Y=prs xor (LRV||keyword). Y is then send to the Verifier. Because we assume that both the Tag and the Verifier know how to produce the prs vector, when the Verifier gets the message, he can decrypt the it by calculating Y xor prs (which is equal to LRV||keyword) and checks if the suffix of the string (Y xor prs)[n+1..m], is equal to keyword. If yes the Verifier return the message 'Open' to the Tag, else he return the message 'DoNotOpen'. If the authentication successes, the updating procedure is called, and an update is preformed on the ARV vector using the LRV vector, in both, the Tag and the Verifier sides. The computational security of the AP2 protocol is provided by the random seed generation in each session.
  11. 11. ² AP2 Protocol - Resistance against Intruder-in the Middle-Attack This protocol is an upgrade of previously discussed protocol AP 2 . This protocol can cope with an intruder in the middle of an attack (IIMA). The Intruder is able to capture the message, sent by the tag to the verifier, and modify it. Moreover, it should be stated that such an attack can drive the protocols AP1 and AP 2 to a deadlock! We relax the assumption about the atomicity of each communication session. In order to deal with IIMA the message is added with redundant bits and watermark bits while no cryptographic hash function is used. The protocol ² 2 - like in AP 2 the encryption key is derived from the basic vector AP ARV (ARV[keyentry]). The seed X splits into four independent seeds X 1 , X 2 , X 3 and X 4 which will be used to create pseudo-random sequences. • c1 is used to create the sequence that encapsulates LRV. • c2 is used to create the sequence that encapsulates the redundant bits. • c3 is used to create the sequence that encapsulates the watermark bits. • c3 is used to create a permutation of the message bits - π X 4 . The message is constructed as follows: ( Y = π X 4  LRV j || keyword  ⊕ [ c1 sequence ] ||  r1 ,K , rq  ⊕ [ c2 sequence ] || [ w1 ,K wv ]     ) Let's explain the different parts of the message:  LRV j || keyword  is generated as in AP 2 , a concatenation of pseudo-random vector   with a keyword. The LRV has n entries each have l bits and the keyword is of length k . So the total length of this part is m = nl + k , as is [ c1 sequence ] so the xor of the last two also gives m bits.  r1 ,K , rq  is a sequence of q redundant bits generated as follows: looking at    LRV j || keyword  as a log ( m ) dimensions hyper-cube, where every redundant bit   has the value of a parity check on one of the hyper-cube rows/columns. q – number of Dimensions Visualization Calcuation parity checks
  12. 12. ( 2) Parity 0 check ١ ١ 1⋅ 1 =1 Parity checks ( 4) 1 ٢ ٤ 2⋅ 2 =4 Parity checks ( 8) 2 ٣ ١٢ 3⋅ 3 = 12 Let us denote the number of dimensions as d ≡ log ( m ) , According to the above table ( ) d −1 d −1 log ( m ) −1 = d ( m) = log ( m ) ⋅ ( m) log ( m ) we get q = d ⋅ d m d . Another way to get q is by considering the hyper-cube as a d dimensions array where in order to calculate the parity bits we only need a one "running-index" and d − 1 "fixed-indices". If the length of every row/column is 2 (indexed 0 or 1) then we have 1 i d 0 /1 { K x { K 0 /1 { fixed −index running -index fixed −index We have d options to select the running-index and 2 options to select the index for every row, moreover there are d − 1 such entries in the array. So, in total, we have d −1 log ( m ) −1 = d ⋅( 2 ) = log ( m ) ⋅ m , which is the same as above expression. d −1 log ( m ) q = d ⋅2 d d 1 A simpler expression is q = m log m thus we see that q = O ( m log m ) . 2 The [ c2 sequence ] is of length q as well, and so is their xor result. The last part is watermark bits [ w1 ,K wv ] with length of v . Finally, the permutation generated by x4 seed does not add or remove bits. Thus the total length of the message is Y = m + q + v .
  13. 13. What is the probability for adversarial success?  The probability that the adversary will corrupt a watermark while changing the v bits of the original message is α = t  The probability that the adversary will corrupt a bit from the original message is 1 − α .  In order to successfully change the part of the original message, the adversary has to corrupt at least d min bits, where d min is the minimal humming distance and is equal to log ( m ) + 1 .  From the second and third observations we get that in order for the adversary to successes, he must change at least d min bits of the original message.  So the probability for adversarial success is PA ≤ ( 1 − α ) d min . log ( m ) +1 The above probability can manipulate as follows PA ≤ ( 1 − α ) = ( 1−α ) d min = ( 1 − α ) ⋅ ( 2log( 1−α ) ) log ( m ) = ( 1 − α ) mlog( 1−α ) , thus for 1 1 1 3 α= , PA ≤ and for α = , PA ≤ . 2 2m 4 4m 0.415
  14. 14. Results The following graphs present the result and curve fitting of the probability for  A A log 2   adversarial success. The curve fit is for the function y = ⋅ m  B  , which is the B probability function as developed above. The empirical porobability for adversarial success, with alpha = 1/4 0.30 Probability upper bound 0.25 Empirical Probability Data: Data1_UpperBound.,Data1_P.a.0.25 Model: RFID2 0.20 Chi^2 = 0.0001 A 2.97074 ±1.73866 Probability B 3.99292 ±2.41715 0.15 0.10 0.05 0 100 200 300 400 500 600 m [bits], the length of the message
  15. 15. The empirical porobability for adversarial success, with alpha = 1/2 0.035 Probability upper bound Empirical Probability 0.030 Data: Data1_UpBound.0.5 0.025 Model: RFID2 Chi^2 = 9.2925E-7 A 0.9941 ±1.1072 0.020 B 1.9963 ±2.28614 Probability 0.015 0.010 0.005 0.000 0 100 200 300 400 500 600 m [bits], the length of the message Result summary α A value A error Expected value B value B error Expected value 1 2.97074 1.73866 3 3.99292 2.41715 4 4 1 0.9941 1.1072 1 1.9963 2.28614 2 2
  16. 16. Summary and conclusions 1. Form the result, it is clear that PA is bounded by ( 1 − α ) d min , and therefore satisfies the relation PA ≤ ( 1 − α ) d min . 2. Form the result, we can see that the A and B for both α = 1 4 and α = 1 2 are in the range of the expected value, A = 3, B = 4 and A = 1, B = 2 respectively. 3. Therefore we may conclude that the expression for adversarial success is or as developed above PA ≤ ( 1 − α ) m log ( 1−α ) PA ≤ ( 1 − α ) d min , when the adversary changes d min bits. 4. The error for α = 1 4 is greater then the error of α = 1 2 .

×