Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School."— Presentation transcript:

1 1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School of Chinese Academy of Sciences Jinsong Han, Yunhao Liu, and Lionel M. Ni Dept. of Computer Science and Engineering, Hong Kong University of Science and Technology

2 2 Why Privacy in RFID? RFID (Radio Frequency Identification) has been very popular Tag Reader Most important usage Identifying valid users or entities A tag is attached Bob’s car

3 3 Basic Identification Procedure ReaderTag (1) Request (2) ID

4 4 A tag is attached Bob’s car However… Automatic response Silent scanning I found Bob.

5 5 Motivation Concerns regarding RFID privacy An attacker can’t determine which tag he is accessing and can’t get any information about the tag’s owner. In Short Private authentication Keeping private information (ID, Name,…) Authenticating valid users

6 6 Introducing Encryption into RFID ReaderTag (1) { Request, P } (2) { ID, P } K K Key-Searching

7 7 Linear Key-Searching -- keyed one-way function P -- a random number -- key shared by reader and tag ReaderTag (1) Request, P (2) (3) searches the key space of all tags for a key Key-searching is linear search, O (n). Thus it is not practical in large scale systems. k1k1 k2k2 knkn..

8 8 A binary key tree with eight tags, Tree-based Key-searching

9 9 Authentication of Tree-based Protocols Reader Tag Identification: Compute O(logn)

10 10 Drawbacks: No forward security. Vulnerable to compromising attack. Requires Key Updating

11 11 Requirement of Key-Updating Challenging issues: No interruption during authentication Automatically updating keys We use two techniques to keep the consistency of key-updating: temporary key and state bit.

12 12 Our Protocol: SPA Temporary keys are used to store old keys. State bits are used to record the key-updating status of nodes in the sub-trees. For example: Temporary Key State bit

13 13 An Example of Key-Updating 00 0 0 0 0 1 1 1 00 Using, and to identify The ’s second identification 1 The ’s identification Authentication: Basic tree-based identification Key updating Authentication sequence: T 1, T 2, T 1

14 14 New Tag Joining

15 15 Tag Leaving

16 16 Which key is used? Which keys is used? Compromising Attack Resistance

17 17 Security Analysis Property\Protocol Static tree- based approaches Our design Privacy Yes Untraceability Yes Cloning resistance Yes Forward security NoYes

18 18 Exposing Probability Comparison (Under Compromising Attack) Each non-leaf node has 2 keys (1 working key and 1 temporary keys).

19 19 Key-Updating Latency Each key updating needs less than 2 ms when the tag accessing frequency does not exceed 10 times per second.

20 20 Conclusion By using dynamic key-updating scheme, SPA enhances the security of existing RFID private-authentication protocols. SPA is lightweight. The authentication efficiency is logarithmic and the key- updating latency is acceptable. SPA can effectively defend against both passive and active attacks including compromising attack.

21 21

22 22 Authentication To protect reader from forged tags. Only authorized reader can read valid tags. Is the tag which I am reading valid? Is the reader which scans tags authorized?

23 23 However… Authorized reader may be cheated by forged tags. A cloning tag may insert into a system while not be notified. A malicious reader can read the content in a tag easily. The goal of authentication: only authorized readers can get the content in valid tags, while private information would not be leaked if there exist dishonest entities.

24 24 Private Authentication Tradeoff between privacy and authentication: Privacy is to hide the identity of RFID tag. Authentication needs to know the identity of tag before tag being authenticated. Private authentication is to hide the identity of a tag in authentication procedure: Reader identifies a tag at the end of authentication.

25 25 System Initialization The reader assigns the N tags to N leaf nodes in a balanced binary tree S. Each non-leaf node j in S is assigned with two keys, a working key and a temporary key. Initially, each key is generated randomly and independently by the reader, and for all non- leaf nodes. When a tag is introduced in the system, the reader distributes the keys from the root to a leaf node to this tag. for a non-leaf node j at the path, if, tag is assigned.

26 26 Mutual Authentication Procedure Reader Tag Updating keys Identifying Computing Checking Updating keys

27 27 Tag Identification The tag identification procedure is similar to the previous tree-based approaches. The differences: For each non-leaf node included in the identification, the reader uses not only the working key k, but also the temporary key tk. If some of the keys stored in a tag are temporary keys, the reader will record the level information of these keys in the synchronization message to inform the tag updating these keys.

28 28 Key-updating Rules Use hash function h to generating a new key. Let be the old key for node j A new key To remain consistent, the non-leaf node j uses temporary key to store j ’s old key. Use state bits to note the key state of non-leaf node j ’s children nodes. 1 for having been updated, otherwise 0. If keys in all j ’s children have been updated, j updates itself.

29 29 Three Key Parameters the correlated-exposing probability is mainly determined by three key parameters: t, the number of compromised tags;, the branching factor of the key tree; a, the number of keys belonging to each non-leaf node

30 30 A new tag joining

31 31 Tag leaving

32 32 Linear Key-Searching -- keyed one-way function P -- a nonce -- key shared by reader and tag ReaderTag (1) (1) Request, P (2) (3) searches the key space of all tags for a key s.t. Key-searching is linear search, O (n). Thus it doesn’t fit large scale systems. k1k1 k2k2 knkn..

33 33 Prototype Implementation We have implemented the our design on 40 Mantis™-series 303 MHz asset tags and a Mantis™ II reader manufactured by RF Code. The back-end database is implemented on a desktop PC with the following configurations: Pentium M 3.2G dual core CPU, 1GBytes memory, and 40G hard disk. We use the SHA-1 algorithm as the secure hash function the system is able to maintain up to tags

34 34 Comparison of Static Protocols (under compromising attack) Each none-leaf node has 2 keys (1 working key and 1 temporary keys). Each none-leaf node has 5 keys (1 working key and 4 temporary keys).

Download ppt "1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School."

Similar presentations

A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 An Ultra-lightweight Authentication Protocol in RFID Speaker: 魏家惠.

1 An Ultra-lightweight Authentication Protocol in RFID Speaker: 魏家惠.
An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,

An Improvement on Privacy and Authentication in GSM Young Jae Choi, Soon Ja Kim Computer Networks Lab. School of Electrical Engineering and Computer Science,
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.

A Simple and Cost-effective RFID Tag-Reader Mutual Authentication Scheme Divyan M. Konidala, Zeen Kim, Kwangjo Kim {divyan, zeenkim, International.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
A lightweight mutual authentication protocol for RFID networks 2005 IEEE Authors : Zongwei Luo, Terry Chan, Jenny S. Li Date : 2006/3/21 Presented by Hung.

A lightweight mutual authentication protocol for RFID networks 2005 IEEE Authors : Zongwei Luo, Terry Chan, Jenny S. Li Date : 2006/3/21 Presented by Hung.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.

Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.
RFID Security CMPE 209, Spring 2009 Presented by:- Snehal Patel Hitesh Patel Submitted to:- Prof Richard Sinn.

RFID Security CMPE 209, Spring 2009 Presented by:- Snehal Patel Hitesh Patel Submitted to:- Prof Richard Sinn.
An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.

An Authentication Service Based on Trust and Clustering in Wireless Ad Hoc Networks: Description and Security Evaluation Edith C.H. Ngai and Michael R.
Security in RFID Presented By… NetSecurity-Spring07

Security in RFID Presented By… NetSecurity-Spring07
Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.

Dept. of Computer Science & Engineering, CUHK1 Trust- and Clustering-Based Authentication Services in Mobile Ad Hoc Networks Edith Ngai and Michael R.
Distributed Collaborative Key Agreement Protocols for Dynamic Peer Groups Patrick P. C. Lee, John C. S. Lui and David K. Y. Yau IEEE ICNP 2002.

Distributed Collaborative Key Agreement Protocols for Dynamic Peer Groups Patrick P. C. Lee, John C. S. Lui and David K. Y. Yau IEEE ICNP 2002.
Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest and Daniel W. Engels.

Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems Stephen A. Weis, Sanjay E. Sarma, Ronald L. Rivest and Daniel W. Engels.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

Similar presentations

Ads by Google