YA-TRAP: Yet Another Trivial RFID Authentication Protocol Gene Tsudik International Conference on Pervasive Computing and Communications, PerCom 報告人:陳昱升
Abstract The proposed protocol YA-TRAP –A simple technique for inexpensive untraceable identification of RFID tags. –Involves minimal interaction between a tag and a reader –Places low computational burden on the tag and back-end server
Introduction RFID tags –Replace barcodes –Their proliferation into our lives Privacy-related concerns –One of the main issues Tracking RFID tags –Unauthorized tracking of RFID tags by rogue readers
Operating Environment The legitimate entities are –Tags –Readers A device querying tags for identification information. –Server A trusted entity that knows all information about tags, their assigned keys, etc. Server Tag Reader
Operating Environment Assumptions –All communication between server and readers is over private and authentic channels. –A tag has No clock Small amounts of ROM and non-volatile RAM –The adversary can be either passive or active. Its primary goal is to track RFID tags.
Non-security Goals Our goals are to minimize every –(1) non-volatile RAM on the tag –(2) ROM on the tag –(3) tag computation –(4) # of messages & rounds in reader-tag interaction –(5) message size in the reader-tag interaction –(6) server real-time computation –(7) server storage The first 3 directly influence tag cost.
Modes of Operation Real time –It involves on-line contact between the reader and the server. –Retail or library check-out Batch mode –A reader scans numerous tags, collects replies and later performs their identification in bulk. –Inventory control
Tag Requirements Each tag is initialized with –K i Tag identification Cryptographic key –T 0 initial timestamp –T max the top value for the timestamp –Pseudo-Random Number Generator (PRNG) can be solved as an iterated keyed hash (e.g. HMAC) started with a random secret seed and keyed on K i.
Main idea Consider anonymous authentication of mobile users who move between domains. –A remote user identifies itself to the host domain by means of an ephemeral userid. –An ephemeral userid is computed as a collision- resistant one-way hash of current time and a secret permanent userid. –Server maintains a periodically updated hash table where each row corresponds to a traveling user. row: (permanent userid, ephemeral userid) –Server may precompute the current hash table and waits for requests to come in.
permanent userid ephemeral userid table of time T ephemeral userid ephemeral userid = hash (T, permanent userid) Server looks up (secret)
YA-TRAP Protocol previous timestamp current timestamp
Advantage Server can precompute the hash table of time T r. In batch mode, the reader interrogates a multitude of tags, at a later time, off-loads the collected responses along with the corresponding T r values. Only needs O(n) operations to identify n tags. (Compared to the MSW protocol which requires O(n*logn) operations of pseudo-random functions.)
Drawbacks Susceptible to DoS attack –the adversary sends a wildly inaccurate T r. A tag can not be authenticated more than once within the same interval. –a possible solution: k-traceable allow tags to response the same time value k times.
Efficiency/Cost considerations For a tag –a single HMAC or PRNG For the server –precompute the table at any time –a simple table look-up Cost –our requirement for non-volatile RAM elevate the cost above that of cheapest tags, i.e., less than $0.1 per tag. –Comparing: MSW protocols use non-volatile RAM, but need a physical random number generator.
Conclusion YA-TRAP protocol YA-TRAP protocol inexpensive untraceable identification of RFID tags. inexpensive untraceable identification of RFID tags.