The goals of this project is to design a protocol that the reader authenticate the incoming user while preserving the privacy of the user. The use of this protocol may, for instance, be used in application, such as secure entry systems. We will not, however, focus on protection against availability or physical tampering attack. This simple protocol involves two flows with a challenge-response approach. In addition, it uses nonces (random numbers) to provide anonymity for each user response, so that reader would have no knowledge of user’s identity during the process of authentication. Thus, the privacy is preserved.
The protocol uses a hash function, and a pseudo-random number generator.
A hash function h is an one-way function that maps an arbitrary length input to a k-bit output, i.e. h : {0,1}*→{0,1}k. The typical requirement for this cryptographic checksum functions are
A pseudo-random number generator (PRNG) is a deterministic algorithm, which given an input seed and outputs a binary sequence of length k, which appears to be random.
Our protocol works under the following assumption
Each user t is preloaded with two polynomial functions:
| A(x,y) | = a11xy + a10x + a01y + a00 | ||
| B(x,y) | = b11xy + b10x + b01y + b00 | ||
{a11,a10,a01,a00},{b11,b10,b01,b00}
.
On the other hand, reader r is preloaded with three different polynomial functions
| C(x) | = c1x + c0 | ||
| D(x) | = d1x + d0 | ||
| E(x) | = ∑ k=02e kxk | ||
| = e2x2 + e 1x + e0 | |||
{c1,c0},{d1,d0},{e2,e1,e0}
varies among different
readers.
Those coefficients needs to be carefully selected, so that A(x,y) ⋅C(x) + B(x,y) ⋅D(x) + E(x) ≡ 0 is guaranteed. The coefficients can be found via algorithms that solves linear equations.
The protocol is summarized in Figure.1
{0,1}l, and sends
this nonce M0 =< γ0 > to user t.
{0,1}l as
temporary session secret, and computes γ2 = h(γ0|γ1), where h(x)
is our hash function. Next, user computes its polynomial functions
A(γ2,t) and B(γ2,i), and sends back to the reader with message
M1 =< γ1,A(γ2,t),B(γ2,t) >.
The protocol has satisfied following privacy and security properties
{a11,a10,a01,a00},{b11,b10,b01,b00}
,
which were pre-computed onto user and stayed secret in transmission.
Thus, it is hard to compute such valid pairs of coefficients without
any prior acknowledgement of the user. However, an attack under the
scenario of compromission of a legitimate reader enables the adversary
to produce a valid user, and we will address this issue and solution
below.
If a reader is compromised, then C(x),D(x),E(x) are compromised. If the attack
can somehow figure out Â,
, such that Â(x,y) ⋅C(x) + 
(x,y) ⋅D(x) + E(x) = 0.
That means some other user device î with secret functions Â, is compromised.
To prevent this attack, for any reader that could be potentially compromised. We preloaded the reader functions with elliptic curve point α to convert the numeric output into points on the elliptic curve in finite field, i.e. α × C(x),α × D(x),α × E(x). In this scenario, the authentication equation becomes
Ĉ(γ2) × A(γ2,u) +  (γ2) × B(γ2,u) + α ×Ê(γ2) | = α × C(γ2) ⋅ A(γ2,u) + α × D(γ2) ⋅ B(γ2,u) + α × E(γ2) | ||
= α × C(γ2) ⋅ A(γ2,u) + D(γ2) ⋅ B(γ2,u) + E(γ2) | |||
| = 0 |
The proposed improvement seems to be promising against eavesdropping attack. However, its vulnerability is shown when multiple tags are compromised. All tags are preloaded with the same coefficient < a11,a10,a01,a00,b11,b10,b01,b00 >. If an attacker has compromised k tags, then the attacker could obtain the following linear equations:
| (a11u1 | + a10) ⋅ x | ||
| (a01u1 | + a00) | ||
| (b11u1 | + b10) ⋅ x | ||
| (b01u1 | + b00) | ||
| … | |||
| (a11uk | + a10) ⋅ x | ||
| (a01uk | + a00) | ||
| (b11uk | + b10) ⋅ x | ||
| (b01uk | + b00) |
(k+8) unknowns. Since the
number of variables is less than the number of equation in the linear system,
thus, the attacker is able to reveal the secret parameters by solving this linear
system.
While the anonymous authentication provides user privacy, but this property may be misused to crash the system. The most obvious approach is that when an attack compromise one or several valid user devices, and launch multiple DoS attack simultaneously. The entry system would follow with a shut-down of authenticating service. Since this simple model does not support any mechanism to further identify who the user was, hence, the attacker could go away without leaving any trace after his successful attack.
