[next] [prev] [prev-tail] [tail] [up]

4.3 The Security Enhanced Protocol

Set-up Phase
In order to protect the secret function A(x,u) and B(x,u), we need to introduce several variables in the system, su,a¯u,b¯u. The tag-specified secret variables su,a¯u,b¯u are established at the time when the RFID tag was manufactured, while λ were randomly chosen at each transmit session. In order to reduce the computational cost on the tag side, points parameter, including αuu,1u,0, were pre-computed and pre-loaded in the code at tag-creation time. Therefore, it is necessary to have a data structure to maintain such list of points and provide efficient look-up.

Thus, each smart tag is preloaded with a secret identifier, u, and two polynomial functions:

Au(x) = su A(x,u) -a¯u
= su Au,1 x + su Au,0 -a¯u
Bu(x) = su B(x,u) -¯bu
= su Bu,1 x + su Bu,0 -¯bu
αu = α × su
βu,1 = α λ(a¯u c1 + b¯u d1)
βu,0 = α λ(a¯ u c0 + b¯ u d0)

Communication Phase
The reader initiates the communication by sending a random session nonce, γ0 to the tag. After receiving data from reader, the tag responses a random session nonce of its own, called γ1, and hash the concatenations of these two random session. That is, γ2 = H(γ1|γ0). Following by that, the user computes its secret function given γ2. Last, the tag sends back a packet of data < γ1Au(γ2)Bu(γ2)u λ,βu,1u,0 > to reader side.

Authentication Phase
With the carefully selected coefficients, the authentication process could be achieved by checking the following equality, as shown in the next figure 26:

Ĉ(γ2) ×λAu(γ2) + ˆD(γ2) ×λBu(γ2) + βu,1 γ2 + βu,0
= α × C(γ2) λ(su A(γ2,u) -a¯u)
+ α × D(γ2) λ(su B(γ2,u) -b¯u)
+ α × su λ(¯a u c1 + ¯b u d1) γ2
+ α × su λ(¯au c0 + ¯bu d0)
= α × su λ(C(γ2) A(γ2,u) + D(γ2) B(γ2,u))
= α × su λE(γ2) (Equation 6)

pict

Figure 2: Security Enhanced Protocol

4.3.1 Security Analysis

Resistance against Tag Compromise Attack
In order to obfuscate the coefficients in the secret functions A(x,u) and B(x,u), we use three tag-based parameters, su,¯au,¯ bu. Similarly, the attack could retrieve 4 pieces of information for each tag. However, this scheme can successfully defend against k-tag compromise attack, and following equations will tell you why.

Tag 1 ( || su1 ⋅(a11u1 +a10)⋅x ||{ su1 ⋅(a01u1 +a00)- a¯u1 su ⋅(b11u1 +b10)⋅x ||| s 1⋅(b u +b )- b¯ |( u1 01 1 00 u1
Tag k ( ||| suk ⋅(a11uk +a10) ⋅x |{ suk ⋅(a01uk +a00) - a¯uk suk ⋅(b11uk +b10)⋅x |||| suk ⋅(b01uk +b00)- b¯uk (
There are also 4k equations, however, the unknown variables have turned into
{u ,...,u ,s ,...,s ,a ,...,a ,b ,...,b ,a ,a ,a ,a ,b ,b ,b ,b } ◟-1------k-u1------uk--u1-----uk--u1◝◜---uk--00--01--10--11--00--01-10--11◞(4k+8) unknowns. Since there is no other way to solve a linear system where the number of unknown variables is grater than the number of equation. Therefore, the system is secure.

Vulnerability to Eavesdropping Attack
Unfortunately, if an eavesdropper had been tailing and monitoring the same tag for k successful sessions, then number of the session-based variables would be the factor to break the system.
Session 1 ( A ′(x) = s ⋅(a ⋅u + a )⋅x + (a ⋅u+ a ) - ¯a { 1′ u 11 10 1 01 00 ¯ u ( B 1(x ) = su ⋅(b11 ⋅u + b10)⋅ x1 + (b01 ⋅u + b00) - bu
Session k ( { A ′k(x ) = su ⋅(a11 ⋅u + a10)⋅xk + (a01 ⋅u + a00) - ¯au B ′k(x ) = su ⋅(b11 ⋅u + b10) ⋅xk + (b01 ⋅u + b00)- ¯bu (
There would be 2k equations, and the unknowns now become {◟x1,...,xk,u◝,◜-su, ¯au, ¯bu-}◞(k+4) unknowns, since u,su,¯au,¯bu live through the tag lifetime. Security wise, this system is vulnerable against eavesdropping attack.

[next] [prev] [prev-tail] [front] [up]