摘要
射频识别(Radio Frequency Identification,RFID)技术是一种使用射频信号进行目标物非接触式的自动识别技术。由于RFID技术方便的自动识别过程和标签的低廉成本,其已被广泛地应用到物流、制造业和公共信息服务等众多领域,给企业和组织带来了更高的效率和更低的成本。
然而该技术存在的安全和隐私问题引起人们越来越多的关注,这些安全问题制约了RFID技术的应用,同时也在使用了该技术的应用领域埋下了安全隐患。RFID系统的安全问题主要体现在安全和隐私威胁两个方面:(1)RFID标签和读写器之间的通信是基于无线信号,通信过程容易遭受窃听、篡改、重放等攻击。(2)标签对读卡器的响应信息中通常携带身份或个人数据,而响应信息是在标签携带者未知的情况下自动发射,若非法读卡器获得这些数据便可能威胁到个人隐私。在多数RFID系统中,标签通常是大量发行且成本较低的电子标签,这些标签仅具备有限的存储、计算和处理能力,这使得代价高昂的传统密码学算法不能在低成本的标签中得到实际应用。
本文重点研究RFID标签与读卡器之间无线通信的数据安全,深入分析其面临的安全和隐私威胁,以及攻击者可能采取的攻击手段,并提出对应的安全对策。取得了以下的研究成果:
1)针对低成本RFID系统提出了一种双向认证协议MAP。该协议能够抵抗消息重放、异步攻击和标签被跟踪,并具有前向安全性。与相关协议相比,MAP在存储和计算性能上具有较大优势。
2)考虑在某些应用中标签所有权需要转移,我们设计了一种轻量级的标签所有权可转移的RFID协议OTLAP。该协议不仅包含MAP所具备的安全特性,而且提供了标签所有权转移和抵抗Tag Killing攻击。通过对OTLAP安全性和性能分析,结果显示,该协议用较低的成本开销换取了较强的安全性。
3)提出了一种面向RFID的双向认证和密钥协商协议AKEMAP。该协议在实现了双方身份的认证的基础上,协商出本次会话的会话密钥。AKEMAP同时具备前向安全和后向安全。协议的安全性通过BAN逻辑进行了检验。
Radio Frequency Identification (RFID) is a non-contact and automated object identification technology that uses radio signal to identify an object carrying the identification information. Due to the automatic identification process and low-cost tag, RFID has found widespread use in many applications such as supply chain management, manufacturing, public information service industries and so on. It greatly enhances operational efficiency and reduces costs for enterprises and organizations.
However, the security and privacy issues have raised people’s concerns. These threats hamper the development of RFID application and also leave security vulnerabilities in existing application areas. The main concerns are security and privacy threats. Firstly, because of the use of wireless channel between tags and readers, communications can be easily attacked by eavesdropping, tampering, replay attack and so on. Secondly, when a tag responds with identification or personal information to an unauthentic reader interrogation without alerting its owner, it threatens information and location privacy of the tag owner. In most RFID systems, tags is typically designed to be inexpensive for mass distribution, thus they have limited memory capacity, computational and processing ability. These inherent limitations of low-cost tags could not afford the use of traditional cryptographic primitives which are costly in such environments.
In this thesis, we focus on the wireless channel between a tag and a reader. We provide an in-depth analysis of the security and privacy threatens on communications between tags and readers, as well as the existing attacks. On this basis, we analyze the security requirements and countermeasures. We obtain the following achievements:
First, we propose a mutual authentication protocol MAP designed for RFID system. The protocol prevents security and privacy threats in RFID system including replay attack, desynchronize attack and tag location tracking. It also provides forward security. Storage and computational performances are analyzed to prove our protocol provides better performance compared with related scheme.
Second, considering requirement of tag ownership transfer in some applications, we design a lightweight RFID protocol OTLAP with ownership transfer. Our protocol not only prevents security and privacy threats in MAP, but also provides tag ownership transfer and resistance to tag killing attack. OTLAP has advantages of security and privacy while not scarifying the efficiency on tag-side, compared to the related works.
Third, a mutual authentication and key exchange protocol AKEMAP for RFID system is proposed. The protocol provides secure authentication and authenticated key exchange for tag and reader in each session. It also provides backward and forward security. Security of this protocol is formally analyzed using the BAN logic.
引文
[1]Auto-ID Center. Draft protocol specification for a 900 MHz class 0 radio frequency identification tag[S]. 2003.
[2]F.Stajano, R.Anderson. Then Resurrection Duckling: Security Issues for Ad-hoc Wireless Networks[J]. Security Protocols, 2000:172-182.
[3]Sarma.S.E, Weis.S.A, Engels.D.W. RFID systems, security and privacy implications[R]. AutoID Center, MIT, Cambridge, MA, Tech. Rep.MIT, AUTOID-WH-014, 2002.
[4]S.Inoue, H.Yasuura. RFID privacy using user-controllable uniqueness[EB/OL]. http://www.rfidprivacy.us/2003/papers/sozo_ inoue.pdf 2003.
[5]N.Good, J.Han, E.Miles et al. Radio frequency identification and privacy with information goods[C]. Proc. Workshop on Privacy in the Electronic Society. 2004: 41-42.
[6]A.Juels. Minimalist cryptography for low-cost RFID tags[C]. Proc.4th Int. Conf. Security Commun. New York: Springer-Verlag:LNCS, 2004(3352):149-164.
[7]C.Floerkemeier, R.Schneider, M.Langheinrich. Scanning with a purpose Supporting the fair information principles in RFID protocols[EB/OL]. http:// citeseer.ist.psu.edu/floerkemeier04scanning.html 2004
[8]M. Rieback, B. Crispo, A. Tanenbaum. RFID Guardian: A battery-powered mobile device for RFID privacy management[C]. Security and Privacy, New York: Springer-Verlag, LNCS 2005 (3574):184-194.
[9]A. Juels, P. Syverson, D. Bailey. High-power proxies for enhancing RFID privacy andutility[EB/OL].http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/pdfs/RFIDREP2.pdf 2005
[10]A. Juels, R. L. Rivest, M. Szydlo. The blocker tag: Selective blocking of RFID tags for consumer privacy[C]. ACM Conf. Computer Communication. Security, 2003:103-111.
[11]A.Juels, J.Brainard. Soft blocking: Flexible blocker tags on the cheap[C]. WPES’04, ACM Press, October 2004:1-7.
[12]K.P.Fishkin, S.Roy, B.Jiang. Some methods for privacy in RFID communication[C]. ESAS 2004, Springer:Heidelberg, LNCS, 2004 (3313):42-53.
[13]P.Golle, M.Jakobsson, A.Juels. Universal reencryption for mixnets[C]. CT-RSA’04,Springer-Verlag, LNCS, 2004:(2964)163-178.
[14]J.Saito, J.-C.Ryou, K.Sakurai. Enhancing privacy of universal re-encryption scheme for RFID tags[C]. EUC’04,LNCS,Springer-Verlag, 2004:(3207)879-890.
[15]D.Molnar, D.Wagner. Privacy and security in library RFID: Issues, practices, and architectures[C]. ACM CCS’04,. ACM Press, 2004:210-219.
[16]T.Dimitriou. A lightweight RFID protocol to protect against traceability and cloning attacks[C]. SECURECOMM’05. IEEE Computer Society, 2005.
[17]K.Rhee, J.Kwak, S.Kim et al. Challenge-response based RFID authentication protocol for distributed database environment[C]. SPC’05, Springer-Verlag, LNCS, 2005(3450): 70-84.
[18]E.Berlekamp, R.McEliece, H.Van Tilborg. On the inherent intractability of certain coding problems[J]. IEEE Trans. Inform. Theory ,1978:384-386.
[19]A.Blum, M.Furst, M. Kearns et al. Cryptographic primitives based on hard learning problems[C]. Advances in Cryptology CRYPTO'93, Springer-Verlag, LNCS ,1994(773):278-291.
[20]N.J.Hopper, M.Blum. Secure Human Identi_cation Protocols[C]. Advances in Cryptology - Asiancrypt '01. Springer-Verlag, LNCS, 2001(2248): 52-66.
[21]A.Juels, S.Weis. Authenticating pervasive devices with human protocols[C]. CRYPTO’05. Springer-Verlag, LNCS,2005(3126): 293-308.
[22] H.Gilbert, M.Robshaw, H.Sibert. An active attack against HB+ - A provably secure lightweight authentication protocol[EB/OL]. http://eprint.iacr.org/2005/ 237.pdf 2005
[23]J. Bringer, H. Chabanne, E. Dottax. HB++: a lightweight authentication protocol secure against some attacks[C]. SecPerU’06.IEEE Computer Society, 2006.
[24]P.Selwyn. HB and related lightweight authentication protocols for secure RFID tag/reader authentication. CollECTeR’06, 2006.
[25]J. Munilla, A. Peinado. HB-MP: A further step in the HB-family of lightweight authentication protocols [J]. Computer Networks, 2007 (51-9): 2262-2267.
[26]L.Stépahne, T.Adrian. Clone resistant mutual authentication for low-cost RFID technology[R]. Cryptology ePrint Archive, Report 2007, 2007.
[27]P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador et al. LMAP: A real lightweight mutual authentication protocol for low-cost RFID tags[C]. Hand. of RFIDSec’06, 2006.
[28]P.Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador et al. M2AP: A minimalistmutual-authentication protocol for low-cost RFID tags[C]. UIC’06. Springer-Verlag, LNCS, 2006 (4159): 912-923.
[29]P.Peris-Lopez, J.C. Hernandez-Castro, J. M. Estevez-Tapiador et al. EMAP: An efficient mutual authentication protocol for low-cost RFID tags. IS’06, Springer-Verlag, LNCS, 2006 (4277):352-361.
[30]H.Y. Chien. SASI: A new ultralightweight rfid authentication protocol providing strong authentication and strong integrity[J]. IEEE Transactions on Dependable and Secure Computing, 2007(4-4):337-340.
[31]G.Karjoth, P.Moskowitz, Disabling RFID Tags with Visible Confirmation[C]. WPES '05, ACM Workshop on Privacy in the Electronic Society, ACM Press, 2005:27-30.
[32]Minime , Mahajivana. RFID Zapper[C], 22nd Chaos Communication Congress Dec.,2005. https://events.ccc.de/congress/2005/wiki/RFID-Zapper(EN).
[33]A.Juels, RL.Rivest, M. Szydlo. The blocker tag: selective blocking of RFID tags for consumer privacy. CCS'03. ACM Press, 2003 :103-111.
[34]D. C. Ranasinghe, P. H. Cole. Confronting security and privacy threats in modern rfid systems[C]. ACSSC’06. 2006:2058-2064.
[35]Z.Kfir, A.Wool. Picking virtual pockets using relay attacks on contactless smartcard systems[EB/OL]. http://eprint.iacr.org/2005/052 2005
[36]T.S Heydt-Benjamin, D.V. Bailey, K. Fu et al. Vulnerabilities in first-generation RFID-enabled credit cards[C]. FC’07. 2007(4886): 2-14.
[37]M.Ohkubo, K.Suzuki, S.Kinoshita. Cryptographic approach to privacy-friendly tags [EB/OL]. http://rfidprivacy.media.mit.edu/2003/papers/ohkubo.pdf 2003.
[38]C.H.Lim, T.Kwon. Strong and robust RFID authentication enabling perfect ownership transfer[C]. ACIS Conference on Information and Communications Security, Springer-Verlag: LNCS, 2006(4307):1-20.
[39]Class-1 Generation-2 UHF air interface protocol standard version1.0.9[S/OL]. http://www.epcglobalinc.org/standards/, 2005.
[40]S.E.Sarma. Towards the five-cent tag[R/OL]. Auto-Id Centre White paper, http://www.autoidlabs.org/whitepapers/MIT-AUTOID-WH-006.pdf, 2001
[41]S.E.Sarma, S.A.Weis, D.W. Engels. Radiofrequency-identification security risks and challenges[J].CryptoBytes, 2003(6):2-9.
[42]M.Feldhofer, S.Dominikus, J. Wolkerstorfer. Strong authentication for RFID systems using the AES algorithm[C]. CHES’04, Springer-Verlag, LNCS 2004(3156):357-370.
[43]Kumar, Sandeep, Paar, C. Are Standards Compliant Elliptic Curve Cryptosystems feasible on RFID[EB/OL]. http://www.crypto.rub.de/imperia/md/content/texte/ publications/conferences/tiny_ecc.pdf 2009
[44]P.Tuyls, L.Batina. RFID-Tags for Anti-counterfeiting[C]. CT-RSA 2006. Springer, Heidelberg LNCS, 2006(3860):115-131.
[45]L.Batina, J.Guajardo, T.Kerins et al. Public-Key Cryptography for RFID-Tags[C]. PerComW'07, Fourth IEEE International Workshop on Pervasive Computing and Communication Security,2006:217-222
[46]A.J.Menezes, S.A.Vanstone, .P.C.Van Oorschot. Handbook of Applied Cryptography[M]. CRC Press, Inc., Boca Raton ,1996.
[47]M.Feldhofer, C.Rechberger. A Case Against Currently Used Hash Functions in RFID Protocols[C]. OTM2006Workshops. Springer:Heidelberg, LNCS, 2006 (4277):372-381.
[48]H.Yoshida, D.Watanabe, Okeya.K et al. MAME: A Compression FunctionWith Reduced Hardware Requirements[C]. CHES 2007. Springer:Heidelberg, LNCS, 2007 (4727):148-165.
[49]A.Shamir. SQUASH - a New MAC With Provable Security Properties for Highly Constrained Devices Such As RFID Tags[C]. FSE 2008, Springer-Verlag 2008:144-157
[50]A. Bogdanov, G. Leander, C. Paar et al. Hash functions and RFID tags: Mind the gap[C]. CHES 2008, Springer:Heidelberg, LNCS, 2008(5154):283-299.
[51]S.A.Weis, S.E. Sarma, R.L. Rivest et al. Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems[C]. Security in Pervasive Comp. Springer-Verlag LNCS, 2004 (2802): 201-212.
[52]M. Ohkubo, K. Suzuki, S. Kinoshita. Cryptographic approach to privacy-friendly tags[EB/OL]. http://rfidprivacy.media.mit.edu/2003/papers/ohkubo.pdf 2003
[53]G.Avoine, E.Dysli, P.Oechslin. Reducing Time Complexity in RFID Systems[C]. Selected Areas in Cryptography. SAC 2005 Springer-Verlag, LNCS, 2005 (3897):291-306.
[54]X.Henrici, P.Müller. Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers[C]. PERSEC’04,. IEEE Computer Society, 2004:149-153.
[55]周永彬,冯登国. RFID安全协议的设计与分析[J].计算机学报, 2006, 29(04): 581-589
[56]K.Ouafl, R.C.-W.Phan. Traceable Privacy of Recent Provably-Secure RFID Protocols[C]. ACNS’08, LNCS,2008 ( 5037): 479-489.
[57]P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador et al. LAMED - a PRNG for EPC class-1 generation-2 RFID specification[J]. Computer Standars & Interfaces, Elsevier Science Publishers, 2007.
[58]A.A.Bogdanov, L.R.Knudsen, G.Leander et al. PRESENT. An Ultra-Lightweight Block Cipher[J]. CHES 2007. Springer, Heidelberg, LNCS, 2007(4727):450-466.
[59]C.Rolfes, A.Poschmann, G.Leander et al. Ultra-lightweight implementations for smart devices - security for 1000 gate equivalents[C].CARDIS 2008. Springer:Heidelberg, LNCS, 2008(5189):89-103.
[60]A.Poschmann, G.Leander, K.Schramm et al. New Light-Weight DES Variants Suited for RFID Applications[C].Springer:Heidelberg, LNCS,2007 (4593) : 196-210.
[61]C.Lim, T.Korkishko. mCrypton - A Lightweight Block Cipher for Security of Lowcost RFID Tags and Sensors[C]. WISA 2005. Springer: Heidelberg, LNCS, 2005 (3786): 243-258.
[62]Y.Yu, Y.Yang, Y.Fan et al. Security Scheme for RFID Tag[EB/OL]. Auto-ID Labs white paper WP-HARDWARE-022, http://www.autoidlabs.org/
[63]D.Hong, J.Sung, S.Hong et al. HIGHT: A New Block Cipher Suitable for Low-Resource Device[C]. CHES 2006. Springer:Heidelberg LNCS, 2006 (4249):46-59.
[64]Christophe De Cannière, Orr Dunkelman, Miroslav Knezevic. KATAN and KTANTAN - A Family of Small and Efficient Hardware[C]. CHES 2009, 11th International Workshop, 2009, LNCS, 2009(5747):272-288
[65]T. Good, M.Benaissa. Hardware results for selected stream cipher candidates[C]. SASC 2007: 191-204
[66]N.Mentens, J.Genoe, B.Preneel et al. A low-cost implementation of Trivium[C]. SASC 2008:197-204
[67]K.Osaka, T.Takagi, K.Yamazaki et al. An efficient and secure RFID security method with ownership transfer[C]. International Conference on Computational Intelligence and Security. Piscataway, NJ: IEEE press, 2006(2):1090-1095.
[68]P.Jappinen, H.Hamalainen. Enhanced RFID security method with ownership transfer[C].International Conference on Computational Intelligence and Security, Piscataway, NJ: IEEE press, 2008(2):382-385.
[69]L.Hong, C.Tianjie. RFID protocol enabling ownership transfer to protect against traceability and DoS attacks[C]. The First International Symposium on Data, Privacy, and E-Commerce. Washington, DC: IEEE Computer Society Press, 2007:508-510.
[70]M. Burrows, M. Abadi, R. Needham. A logic of authentication[C]. Royal Society of London, 1989(426):233-271.
[71]M.Burrows, M.Abadi, R.Needham. A logic of authentication[J]. ACM Transactions on Computer Systems, 1990(8-1):18-36.
[72]R.Needham, M.Schroeder. Using encryption for authentication in large networks of computers[C]. Communications of the ACM 1978(21-12): 993-999
[73]J.Steiner, C.Neuman, J.Schiller. Kerberos: An authentication service for open network systems[C]. USENIX Conference, 1988(31):191-200.
[74]J.Kohl, C.Neuman, The Kerberos network authentication service (V5)[S], RFC 1510 ,1993.
[75]M.Hutter, J.-M.Schmidt, T.Plos. RFID and its Vulnerability to Faults[C]. CHES 2008, 10th International Workshop, LNCS, Springer, 2008(5154): 363-379.
[76]Michael Hutter, Thomas Plos, J?rn-Marc Schmidt. Contact-Based Fault Injections and Power Analysis on RFID Tags[C]. ECCTD 2009, 19th IEEE European Conference, Antalya, Turkey, August, 2009
[77]Y.Oren, A.Shamir. Remote Power Analysis of RFID Tags [D]. Weizmann Institute of Science, Rehovot, Israel, 2006.
[78]D.G.Han, T.Takagi, H.W.Kim et al. New security problem in RFID systems Tag Killing[C]. ICCSC 2006, Springer-Verlag, LNCS, 2006(3982): 375-384.
[79]L.Tieyan, W.Guilin. Security Analysis of Two Ultra-Lightweight RFID Authentication Protocols[C]. IFIP SEC 2007, Sandton, Gauteng, South Africa, May 2007. IFIP. Security and Communication Networks 2007,1 (2):135 - 146.
[80]A.Juels. RFID Security and Privacy: A Research Survey[J]. IEEE Journal on Selected Areas in Communications, 2006, 24(2): 381-394.
