Abstract
Radio Frequency Identification (RFID) is used to replace the bar code system. RFID is more powerful than a bar code system, but it suffers from the weakness of wireless communication. Security issues in RFID systems include a tag or reader impersonation, replay attack, eavesdropping, location privacy, forward and backward un-traceability. Appling traditional security mechanism such as MD4, MD5, SHA 256 or AES directly on RFID is impossible due to the hardware limitation of a passive tag. Thus, many studies try to design all new protocols about mutual authentication and ownership transfer on RFID system. Physical unclonable function (PUF) is a new hardware security device that could make their protocols tinier. In order to keep location privacy of tag, most of these works will not use tags unique identification. Instead, they will use a temporary identification once and update it individually each run. However, in this way, their works will suffer from de-synchronization between the tag and reader, if an attacker blocks some messages. In this work, we propose protocols about mutual authentication and ownership transfer with PUF that can significantly alleviate this issue because the de-synchronization attacks will not happen in our mutual authentication protocol. On the other hand, our protocol also can be compatible with the EPC Gen2 v2 standard easily. Besides, our simple and robust methods have better performance.
Access provided by CONRICYT-eBooks. Download conference paper PDF
Similar content being viewed by others
Keywords
- Negative Binomial Distribution
- Mutual Authentication
- Location Privacy
- Linear Feedback Shift Register
- Cyclic Redundancy Check
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Introduction
Radio Frequency IDentification, RFID, can be used to replace bar code system in identification technology. It can provide the same or even more functions than bar code system. Hence, RFID can be applied not only in logistics and supply chain management, but also in some new domains like health care, materials management, object tracking, etc. RFID uses radio frequency, RF, as a communication media instead of optical. This allows RFID can identify multiple targets at the same time without touching. However, due to the weakness of wireless communication, RFID also suffers from security issues.
The RFID system consists of tags and reader/back-end-database. Tag with unique identification is deployed on target goods. The reader has more detailed information about tags, and indexes them based on their unique identifications. One reader queries the targeted tag by unsafe radio frequency, but communicates other readers in the safer wire communication with powerful security mechanism. For the purpose of large-scale and wide range applications, tags are limited in cost, size, processing capacity, storage size and non-battery assisted. This kind of tag is also called passive tag. The EPC Gen2 v2 standard [1] specifies the requirements of commercially available tags, and only support some restricted operations like cyclic redundancy check, pseudo random number generator and EXOR.
Security issues in RFID system deserve more than a passing notice. Take logistics and supply chain management for example. The standard shipping map comprises manufacturing, transportation, distribution center, delivery and retail. The owner of goods/tag may change intensively, so does the ownership between tag and reader. The handoff of ownership must make sure that the privacy among previous and current owners is isolated. During the ownership holding period, the tag and the reader still have to authenticate each other before communicating to avoid the impersonation attack.
Furthermore, to control the power of a reader’s antenna for limiting the communication range may reduce the risk of attack. However, inadequate power will cause useless messages. That is to say, as distance from the reader increases, the number of messages needed to be resent cloud goes up. If the authentication mechanism is complex, the system performance will degenerate very fast due to additional transmission. Hence, striking a balance between security and communication range, and between simple and robust authentication is quite challenging.
Hardware limitation of a Gen2 v2 tag makes the security problems became even more complicated. There are no more than 2,000 hardware gates available can be used for security in passive tag. However, traditional security mechanism like MD4, MD5, SHA 256 and AES cannot be adopted in RFID system directly due to the gate numbers of implementation. Thus, many studies make a new start on designing tiny protocols about mutual authentication and ownership transfer. Physical unclonable function, PUF, is a hardware [3] that makes the use of the race condition in gates and wires to produce the unique identification. That is, for every challenge, a PUF can produce a unique correspond response which differs from other PUFs even if they share same in physical structure. With this feature, some studies [2–4, 6, 12] have already applied PUF in their design to make their mutual authentication dexterous. Besides, both the tag and the reader do not use tags unique identification directly in order to avoid tracing of tags. They use temporary tag identification, and update it individually after successful authentication. In this way, if an attacker blocks massages, temporary tag identification will not be consistent between tag and reader, namely de-synchronization.
Based on these research foundations, our protocols also take advantage of PUF in mutual authentication and ownership transfer. Several pairs of challenge and response produced by PUF on the tag are preloaded on a trusted third party, TTP, then will be released to the reader partially later. Simultaneously, temporary tag identification will also be generated by TTP. In ownership transfer, TTP will release partial pairs of challenge and response with temporary tag identification to the reader, but only temporary tag identification to tag. By this way, the ownership can be provided as needed just like a service. On the other hand, mutual authentication bases on the fact that only the right tag and the right reader will share the same pairs of challenge and response with temporary tag identification. The proposed protocol in mutual authentication will not only immune normal attacks (such as eavesdrop, tag/reader impersonation, relay attack, and Man in the Middle), but also alleviate the problem of de-synchronization. In ownership transfer, it can still keep location privacy and forward/backward untracebility.
Our contributions are listed below:
-
1.
By leveraging PUF, our authentication mechanism is more simple and robust.
-
2.
The issue of de-synchronization between tag and reader can be significantly alleviated because only ownership transfer/update protocol is possible to be attacked.
-
3.
Our protocol is the first work to combine PUF and can be compatible with the EPC Gen2 v2 standard.
This work is extended and revised based on [5] and the rest are organized as follows. More information about related work is given in Sect. 2. Concrete protocols including mutual authentication and ownership transfer are given in Sect. 3. Analysis of proposed protocols about security issues is given in Sect. 4. We demonstrate the elegant and robust about proposed protocols in Sect. 5. Finally, this work is concluded in Sect. 6.
2 Related Work
We first denote challenge as c, the corresponding response as r, PUF function as p(.), and p(c) will equal to r. Each challenge will have a unique response produced by PUF, and [3, 6] use this feature to verify tag. PUF on the tag can produce distinct pairs of challenge and response, {(c, r)}, then server stores these data for authentication in advance. Apparently, only the right tag can answer the right response to the challenge with its PUF. Subsequently, [9, 10] make some improvements. Pairs of challenge and response are not stored in server beforehand, but are provided by tag directly. After successful mutual authentication, the tag will offer the server new (c, r) for the next run. Obviously, their works will not work in ownership handoff. Moreover, there is a problem of de-synchronization in these ways. Bassil et al. [2] also tries to take PUF in their mutual authentication. But, [12] shows that there still exist some problems in secret disclosure attack, traceability attack, reader impersonation attack and de-synchronization attack on it.
The work of [4] makes use of PUF as a mask generator to keep messages exchanged from sight. In addition, the tag and reader use temporary tag id instead of unique tag id in communication. After successful authentication, the tag and reader update temporary tag id individually to avoid the traceability attack. Their protocols about authentication can also immune most attacks. Unfortunately, if an attacker blocks some of messages, this method will suffer from de-synchronization attack.
In [13], pairs of challenge and response produced by PUF on tag also be preloaded at server. These data are organized in the form of (tag-id, {c- p(c)-p(p(c))-p(p(p(c)))}), called key-chain. The reader can download few key-chain from server for authentication dynamically. During authentication, tag and reader use one key-chain as a session key to verify each other. In fact, a successful authentication needs five messages in communication. Also, it is difficult to be applied in the scenario of ownership transfer, let alone be applied in the supply chain.
Trusted third party, TPP, is introduced by [8] for their ownership transfer. TTP controls the ownership handoff and makes sure the forward/backward un-traceability between readers. In the phase of mutual authentication, linear feedback shift register, LFSR, and PUF are used to generate a mask and update the temporary tag id each run. In each successful run, the tag id and shared key are updated individually. Overall, [8] needs four messages in mutual authentication and two messages in ownership transfer. However, [7] pointed out there is still message blocking attack, de-synchronization attack, and the misuse of LFSR problems in authentication; besides, ownership transfer cannot avoid attack on traceability of tag.
TTP also be adopted by [11] for their ownership transfer. Their mutual authentication customized “Authentication message” to be compatible with the EPC Gen2 v2 standard. Their work also suffers from de-synchronization attack.
3 Proposed Method
3.1 Pre-condition/Assumption
We assume that the following pre-conditions and assumptions in the RFID system. Each tag is a passive one, so the processing capacity, storage size and hardware complexity of a tag is strictly limited. All tags are non-battery assisted, and draw power from readers. Furthermore, they only support operations such as cyclic redundancy check, pseudo random number generator and EXOR that are specified by EPC Gen2 v2. Tag with PUF attached on goods has its unique identification named EPC (or PIN). Every tag shares its EPC only with TTP. All previous and current owners of the tag will know nothing about EPC.
A reader communicates with tags in unsecure wireless channel. On the other hand, reader links other readers or TTP in secure wire with traditional security mechanism such as TLS. A reader has the ownership of one tag for some time period. While only an ownership subsists, the reader can authenticate, query, and exchange information with the tag.
TTP will keep all information about each tag in detail. The information includes the unique identification named EPC (or PIN), pairs of challenge and response generated by the PUF embedded in the tag, and the current owner for every tag. TTP will not only verify the reader, but also control the ownership handoff between them. Instead of using unique identification of tag, TTP will release a temporary identification to the tag and reader for communicating, called TempID.
3.2 Mutual Authentication
The reader broadcasts (TempID ⊕ r′) and its corresponding challenge c′ to all Tags. Each tag computes the response r″ by its PUF. Only the target tag can get the correct r′, then decode its TempID. Now, target tag knows this reader has the correct TempID and the pair of challenge and response. Therefore, the reader has been authenticated by target tag. Other non-target tags will not calculate the right response r″ or get their TempIDs, so they ignore this broadcast.
After authenticating the reader, the target tag will return the message PRNG(c′, r′) to the reader. Only the target tag knows the right response r′ as well as calculates the correct PRNG(c′, r′). If so, the reader authenticates the tag. Otherwise, the reader will terminate the connection. Finally, the (c′, r′) serves as a session key to encode the following communication, as shown in Fig. 1.
Protocol of mutual authentication
Both the tag and the reader will time out and return from their security state to normal state, if each of them does not receive any expect message in time. To be compatible with EPC Gen2v2 standard [1], all we need is to customize our protocol in established “Authenticate message”.
3.3 Ownership Transfer/Update
The reader may run out of his pairs of challenge and response for some target tags, or the reader may try to get the new ownership of some tags. Anyway, if the reader needs to have or renew the ownership of some tags, it should submit an ownership transfer/update request to TTP.
The reader should hand in his pairs of challenge and response to TTP, if has. TTP checks eligibility of the request and reader. After successful verification, TTP will return the reader new pairs of challenge and response, and new TempID of the target tag. In the same time, TTP also makes the tag update his own TempID, as shown in Fig. 2. In the last stage of ownership transfer/update, TTP will cross out all pairs of challenge and response that are released to the old reader. It is worth to mention, the de-synchronization problem may only occur in the ownership transfer/update protocol.
Protocol of ownership transfer/update
4 Security Analysis
-
Tag/reader impersonation: During mutual authentication, the pair (c′, r′) and TempID only be shared by both the right reader and the right tag. A counterfeit reader cannot generate the correct (TempID ⊕ r′); on the other hand, a counterfeit tag will not produce the right r′ and corresponding PRNG(c′, r′).
-
Replay attack/eavesdrop: An attacker will not be able to generate the correct r′, even if he knows c′ by eavesdropping. After authenticating each other, both the reader and the tag will use (c′, r′) as a session key to encode their communication. If someone tries to replay message (TempID ⊕ r′, c′) or PRNG(c′, r′) to be authenticated, he will still get nothing useful ever after.
-
De-synchronization problem: In our protocol, both the reader and the tag will not update shared TempID individually after each successful communication. Hence, there is no de-synchronization problem in mutual authentication phase. Only in ownership transfer/update phase, both the reader and the tag will update their shared TempID generated by TTP.
-
Location privacy: The message that contains identification of target tag, TempID, is masked by r′. This masker, r′, only be used once in a communication, and will be changed next run. Consequently, there is no way to lock target tag and trace its location.
-
Forward/Backward un-traceability: Although the previous and current owners will have correct pairs of (c′, r′) for the same tag, only the current owner shares the right TempID with this tag. The previous and current owners will not be disturbed.
-
Windowing problem: TempID will be changed in every ownership transfer/update phase, and every tag has only one TempID at the same time. Hence, there is only one reader can be the owner for every tag.
5 Evaluation
This evaluation will show that how the required numbers of massages in a security mechanism influences the performance of mutual authentication.
In [11], authors reveal the relationship between distance and successful OT messages. As the distance between the reader and tag increasing, the power received from reader decreasing and so are successful messages. In other words, the probability of a message to be received successfully is inversely proportion to the distance between them.
In the definition of negative binomial distribution, every trial will success or fail, but the final trial must success. The successful number of trials are given, but the total number of trials needed are a distribution can be modeled by negative binomial distribution. The behavior of wireless communication in RFID system is the same as negative binomial experiment. To complete one protocol, the system has to exchange defined messages(successful trial). Due to signal interference, messages will not always be exchanged successfully; therefore, a message will be retransmitted again and again until it can be received correctly.
Without loss of generality, we refer [11] and can assume the probability is 0. 375(p = 0. 375) of a successful message in the distance 2.5 m to be exchanged. In [8], completing the mutual authentication needs four successful messages to be exchanged. On the other hand, our protocol only needs two messages. We show the difference of performance between them by negative binomial distribution.
To complete mutual authentication, Figs. 3 and 4 show the relationship between the probability, y-axis, and exact number of messages needed to be retransmitted, x-axis. Figure 3 shows the distribution of retransmitted messages in [8]. It will very likely need extra five messages to complete mutual authentication. In this case the probability is 0.1056. However, in the more impossible case(assume the probability is 0.00051), 25 additional messages may be needed. Figure 4 shows the situation of our work. It is highly possible that only one extra message is need. The case that messages will effectively be sent without any retransmission is also very possible in our work. At worst, no more than 18 additional messages may be needed.
Distribution of additional messages with four successful messages (p = 0. 375)
Distribution of additional messages in our work (with two successful messages, p = 0. 375)
In order to highlight the difference, let us consider a more extreme example than p = 0. 375. We assume p = 0. 1, and this could happen because of wireless transmission collision or farther transmission distance. By studying Fig. 5, if protocol needs 4 successful messages to be exchanged, system will highly likely need almost 25 extra messages to be retransmitted and almost 125 extra messages in worst cases. By contrast, our mutual authentication only needs two successful messages to be exchanged. As the Fig. 6 shows, it is highly probability that almost 7 extra messages may be enough and no more than 85 extra messages in unusual case. More retransmitted messages mean more power consumption and more transmission collisions. As we mentioned before, a passive tag is limited in power and calculate capacity. Therefore, this is why we claim our protocol is simple and robust in Gen2 v2 system.
Distribution of additional messages with four successful messages (p = 0. 1)
Distribution of additional messages in our work (with two successful messages, p = 0. 1)
6 Conclusion
In conclusion, we combine PUF in our mutual authentication and ownership transfer protocols to make them simple and robust. These protocols immune normal attacks such as eavesdrop, tag/reader impersonation, relay attack, and Man in the Middle. Generally speaking, the occurrence frequency of ownership transfer is less than mutual authentication. Therefore, the issue of de-synchronization between tag and reader can be alleviated because this issue may happen only in our ownership transfer protocol. Another benefit is that TTP releases pairs of challenge and response to the reader when needed, and the ownership can be provided just like a service. In addition, our protocol also be compatible with the EPC Gen2 v2 standard by embedding in established message without modification. Finally, we use negative binomial distribution to demonstrate the better performance of our protocols.
References
R. Air, I. Protocol, M. Version, EPC radio-frequency identity protocols generation-2 UHF RFID specification for RFID air interface (2013), pp. 1–152
R. Bassil, W. El-Beaino, A. Kayssi, A. Chehab, A PUF-based ultra-lightweight mutual-authentication RFID protocol, in 2011 International Conference for Internet Technology and Secured Transactions, vol. 1, June 2011, pp. 495–499
S. Devadas, E. Suh, S. Paral, R. Sowell, T. Ziola, V. Khandelwal, Design and implementation of PUF-based ‘Unclonable’ RFID ICs for anti-counterfeiting and security applications, in IEEE International Conference on RFID (2008), pp. 58–64
Z. He, L. Zou, High-efficient RFID authentication protocol based on physical unclonable function, in 2012 8th International Conference on Wireless Communications, Networking and Mobile Computing (2012), pp. 1–4
H.-H. Huang, L.-Y. Yeh, W.-J. Tsaur, Ultra-lightweight mutual authentication and ownership transfer protocol with PUF for Gen2 v2 RFID systems, in Proceedings of the International Multiconference of Engineers and Computer Scientists 2016, Hong Kong, 16–18 Mar, 2016. Lecture Notes in Engineering and Computer Science, pp655–658
D. Jiang, C.N. Chong, Anti-counterfeiting using phosphor PUF, in 2nd International Conference on Anti-counterfeiting, Security and Identification (2008), pp. 59–62
S. Kardas, M. Akgün, M.S. Kiraz, H. Demirci, Cryptanalysis of lightweight mutual authentication and ownership transfer for RFID systems, in 2011 Workshop on Lightweight Security Privacy: Devices, Protocols and Applications (LightSec) (2011), pp. 20–25
L. Kulseng, Z. Yu, Y. Wei, Y. Guan, Lightweight mutual authentication and ownership transfer for RFID systems, in Proceedings of the IEEE INFOCOM (2010)
K. Lars, Y. Zhen, W. Yawen, G. Yong, Lightweight secure search protocols for low-cost RFID systems, in Proceedings of the International Conference on Distributed Computing Systems (2009), pp. 40–48
Y.S. Lee, Y. Park, S. Lee, T. Kim, H.J. Lee, RFID mutual authentication protocol with unclonable RFID-tags, in International Conference on Mobile IT Convergence (2011), pp. 74–77
H. Niu, E. Taqieddin, S. Jagannathan, EPC Gen2v2 RFID standard authentication and ownership management protocol. IEEE Trans. Mob. Comput. 15 (1), 137–149 (2016)
M. Safkhani, N. Bagheri, M. Naderi, Security analysis of a PUF based RFID authentication protocol. ePrint Arch. (2011), pp. 1–10
Y. Xu, Z. He, Design of a security protocol for low-cost RFID, in 2012 8th International Conference on Wireless Communications, Networking and Mobile Computing (2012), pp. 1–3
Acknowledgements
This work was supported in part by the Ministry of Science and Technology MOST 105-2221-E-492-024 and MOST 104-2221-E-492-014-MY2.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2017 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Huang, HH., Yeh, LY., Tsaur, WJ. (2017). PUF-Based Protocols About Mutual Authentication and Ownership Transfer for RFID Gen2 v2 Systems. In: Ao, SI., Kim, H., Huang, X., Castillo, O. (eds) Transactions on Engineering Technologies. IMECS 2016. Springer, Singapore. https://doi.org/10.1007/978-981-10-3950-8_4
Download citation
DOI: https://doi.org/10.1007/978-981-10-3950-8_4
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-3949-2
Online ISBN: 978-981-10-3950-8
eBook Packages: EngineeringEngineering (R0)