احراز هویت و حفظ حریم خصوصی در سیستم های RFID (سامانه بازشناسی با امواج رادیویی) موبایل با یک طرح کاربردی مبتنی بر باقیمانده درجه دوم

ABSTRACT A practical quadratic residues based scheme for authentication and privacy in mobile RFID systems

Radio Frequency Identification (RFID) is a technology that enables the non-contact, automatic and unique identification of objects using radio waves [1]. RFID technology was first used in the IFF (Identify Friend or Foe) aircraft system during World War II. However, its use for commercial applications has recently become attractive with RFID technology seen as the replacement for the optical barcode system that is currently in widespread use [2]. RFID has many advantages over the traditional barcode. It can be applied to different objects (optical barcodes must have a flat surface), it provides read/write capability (optical barcodes are read only), it does not require line-of-sight contact with readers (optical barcodes do) and more than one tag can be read at the same time (optical barcodes can only be read one at a time) [2,3]. These advantages have the potential to significantly increase the efficiency of decentralised business environments such as logistics and supply chain management particularly in the fields of inventory control, distribution and transportation [4].

It is estimated that the the RFID market in 2008 was worth USD 5.2 billion [5]. However, a major proportion of this value was due to large national RFID schemes such as the national ID (in China) and asset tracking (as in the US Dept. of Defense [3]). The demand for such traditional RFID applications is nearing saturation requiring the development of novel applications to achieve the projected growth of more than USD 25 billion in 2018 [5].

The attractiveness of RFID technology as a replacement for the traditional barcode system has necessitated the need for securing RFID systems. An important aspect of RFID security is mutual authentication of the tag, reader and back-end server [6,7]. Mutual authentication is required to ensure that tag information is made available to only valid reader and server systems and that readers and servers are communicating with legitimate tags. Additionally, privacy of communication also needs to be achieved. Further, for any scheme to be practical it needs to achieve compliance with industry standards and specifications.

The EPC Class-1 Gen-2 standard [8] has evolved as the industry standard for RFID tags. From a security perspective it requires tags to only implement cyclic redundancy checks (CRCs) and pseudo random number generators (PRNGs). Based on this specification and with the aim of keeping the cost of tags low, EPC Class-1 Gen-2 tags have limited number of gates available for additional security purposes. The limited processing and storage capability of the RFID tags limits the effective use of cryptographic techniques as there are roughly 2.5k–5k equivalent gates available for security purposes on a standard chip [9]. This is insufficient for standard cryptographic techniques such as RSA [9]. Further, the use of established security primitives such as one-way hash functions is not possible. As noted by Chen et al. [10] established hash functions such as SHA-1 and MD5 require between 16k and 20k gates for implementation. This is clearly infeasible for low-cost RFID tags. However, quadratic residues based on modular squaring operations require only a few hundred gates for implementation making them an attractive option for securing low cost EPC Class-1 Gen-2 tags [10,11].

We also note that while cheaper cryptographic alternatives such as Elliptic Curve Cryptography (ECC) exist and authentication schemes such as ERAP [12] based on ECC have been proposed for RFID systems. However, as demonstrated by Batina et al. [13], implementation of ECC would require between 8.2k and 15k equivalent gates which is beyond the capabilities of low cost RFID tags – the efficient implementation of ECC for RFID tags is still an open research problem. Many RFID applications use fixed RFID readers, where the channel between the RFID reader and the server is assumed to be secure. However, emerging applications of RFID such as the ‘‘Green Taxi’’ service and the fraudulent wine produce detection in Korea involve mobile RFID readers [14]. In the green taxi service, a passenger is able to retrieve the details regarding the taxi that they are traveling in based on the in-taxi RFID tag using a RFID-enabled mobile device (such as a smartphone). They can then transmit these details to friends and family, who are then able to track their location. However, insecure transmission of information over the wireless channel between the mobile reader and the back-end server can cause reader/owner privacy disclosure.

While there has been considerable work on authentication and privacy in RFID systems, these are concentrated on achieving security properties only between the RFID reader and the RFID tag [3,15–17,10,18,11]. Further, most schemes make the assumption of the existence of a secure channel between the reader and the server and are not suited for mobile/wireless RFID readers. Emerging applications with mobile/wireless enabled RFID readers require security and privacy properties to be achieved over both the tag–reader channel and the reader–server channel as both channels are open to compromise. Hence the motivation for our work. In this paper our main contributions can be summarized as:

• A novel approach to authentication and privacy in RFID systems based on quadratic residues and in conformance to EPC Class-1 Gen-2 specifications. Our scheme requires tags to perform modulo squaring, bitwise operations (XOR, multiplications), CRC calculations and pseudo random number generation (e.g., LAMED [19]) . All of these are within the capabilities of low-cost RFID tags [20,21].
• A collaborative authentication scheme suited to RFID systems with mobile/wireless readers where both the tag–reader channel and the reader-server channel are insecure.

The main distinctions between our work and the work of Chen et al. [10] and Yeh et al. [11] are:

• We do not require the tag to compute hash functions. Chen and Yeh require 3 and 4 hash functions to be implemented respectively.
• Our scheme takes into account the insecure nature of the reader-server channel and achieves, reader authentication, reader anonymity and reader location privacy explicitly. Chen and Yeh do not explicitly achieve these properties.
• Our scheme is suited for mobile/wireless reader RFID systems while Chen and Yeh’s schemes are not as they make secure channel assumptions with regards to the server–reader channel.

The required security properties to achieve authentication and privacy in RFID systems can be summarized as follows [18,22–24]:

• Tag anonymity (P1): The protocol should protect against information leakage that can lead to disclosure of a tag’s real identifier. This is important as otherwise an attacker may be able to clone a valid tag.
• Tag location privacy (P2): The protocol should ensure that the message contents are sufficiently randomized to ensure that they cannot be used to track the location(s) of the tags and thereby glean social information about the wearer of the tag.
• Forward secrecy (P3): The protocol should ensure that on compromise of the internal secrets of the tag, its previous communications cannot be traced by the attacker. This requires that previous messages are not dependent on current resident data on the tag.
• Reader anonymity (P4): The protocol should protect against information leakage that can lead to disclosure of a reader’s real identifier. This is important as otherwise an attacker may be able to clone a valid reader.
• Reader location privacy (P5): The protocol should ensure that the message contents are sufficiently randomized to ensure that they cannot be used to track the location(s) of the readers and thereby glean social information about the owner. Replay attacks (A1): The protocol should be able to resist compromise by an attacker through the replay of messages that have been collected by an attacker during previous protocol sequences. This requires that protocol messages in each round of the protocol are unique.
• Desynchronisation attack (A2): The protocol should be able to recover from incomplete protocol sequences that can occur due to an attacker selectively blocking messages. Importantly, such blocking of messages by an attacker should not lead to desynchronisation between the tag and the server/reader.
• Server impersonation (A3): The protocol should ensure that the server cannot be impersonated by an attacker. This requires that the tag/reader challenges a server to prove its legitimacy thereby achieving mutual authentication.

The rest of this paper is organized as follows. In Section 2 we present related work with an overview of the two quadratic residues based schemes proposed by Chen et al. [10] and Yeh et al. [11]. In Section 3 we present our approach based on quadratic residues followed by a detailed security analysis and performance comparison of our scheme in Section 4. Section 5 concludes the work