Page 1

Introduction

HB family protocols

Conclusion about Tree-HB+

RFID SEMINAR Using HB Family of Protocols for Privacy-Preserving Authentication of RFID Tags in a Population

Maciej Lichoń Wrocław University of Technology Faculty of Fundamental Problems of Technology

30 November 2009

1\30


Introduction

HB family protocols

HB protocols

Known types Of HB protocols

We will consider usage of 4 types of HB protocols.

2\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Known types Of HB protocols

We will consider usage of 4 types of HB protocols. RFID TYPES HB HB+ Tree-HB+ Random-HB#

2\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Known types Of HB protocols

We will consider usage of 4 types of HB protocols. RFID TYPES HB HB+ Tree-HB+ Random-HB#

2\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Known types Of HB protocols

We will consider usage of 4 types of HB protocols. RFID TYPES HB HB+ Tree-HB+ Random-HB#

2\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Known types Of HB protocols

We will consider usage of 4 types of HB protocols. RFID TYPES HB HB+ Tree-HB+ Random-HB#

2\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Known types Of HB protocols

We will consider usage of 4 types of HB protocols. RFID TYPES HB HB+ Tree-HB+ Random-HB#

2\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Why HB family?

Good sides 1 2 3

3\30

We don’t show our ID to the reader Low costs (Only RAM, not many computations) Fast

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Why HB family?

Good sides 1 2 3

3\30

We don’t show our ID to the reader Low costs (Only RAM, not many computations) Fast

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Why HB family?

Good sides 1 2 3

3\30

We don’t show our ID to the reader Low costs (Only RAM, not many computations) Fast

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Why HB family?

Good sides 1 2 3

3\30

We don’t show our ID to the reader Low costs (Only RAM, not many computations) Fast

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Why HB family?

Good sides 1 2 3

We don’t show our ID to the reader Low costs (Only RAM, not many computations) Fast Bad sides

3\30

1

Easy to attack

2

The reader is not prepared for non-standard RFID’s

3

Error Rates

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Why HB family?

Good sides 1 2 3

We don’t show our ID to the reader Low costs (Only RAM, not many computations) Fast Bad sides

3\30

1

Easy to attack

2

The reader is not prepared for non-standard RFID’s

3

Error Rates

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

Why HB family?

Good sides 1 2 3

We don’t show our ID to the reader Low costs (Only RAM, not many computations) Fast Bad sides

3\30

1

Easy to attack

2

The reader is not prepared for non-standard RFID’s

3

Error Rates

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

What’s an error rate?

There are two error rates in HB family protocols

4\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

What’s an error rate?

There are two error rates in HB family protocols Error Rates in HB FAR - False Accept Rate When

4\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocols

What’s an error rate?

There are two error rates in HB family protocols Error Rates in HB FAR - False Accept Rate When FRR - False Reject Rate

4\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocols

What’s an error rate?

There are two error rates in HB family protocols Error Rates in HB FAR - False Accept Rate When FRR - False Reject Rate

We assume that there will be network errors. It’s a good information for an attacker.

4\30


Introduction

HB family protocols

Hard HB family protocols problem

The LPN problem Definition 1 η – the probability that νi bit of ν will be 1 ν – the noise vector |x| – the hamming weight of an bit vector · – a logical AND ⊕ – a logical XOR

5\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Conclusion about Tree-HB+

Hard HB family protocols problem

The LPN problem Definition 1 η – the probability that νi bit of ν will be 1 ν – the noise vector |x| – the hamming weight of an bit vector · – a logical AND ⊕ – a logical XOR Definition 2 - an NP hard problem - Learning Parity with Noise The LPN problem with security parameters q, k, η, with η ∈ [0, 12 ) is defined as follows: given a random q × k binary matrix A, a random k-bit vector x,a vector ν such that |ν| ¬ ηq, and the product z = A · x ⊕ ν,find a k-bit vector x 0 such that |A · x 0 ⊕ z| ¬ ηq. 5\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Hard HB family protocols problem

An explanation

We’re looking here for S The Easy problem 

   q1 r1  q2  · S =  r2  q3 r3 If you know linear algebra enough, you know that’s easy to compute S. But when you add some random noise ν to r (randomly flip bit with a probability of η) then this becomes infeasible.

6\30


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

HB one round Implementation (2001) TAG(secret x)

7\30

Communication

Reader(secret x)


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

HB one round Implementation (2001) TAG(secret x) ν ∈ {0, 1|Prob(ν = 1) = η

7\30

Communication

Reader(secret x)


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

HB one round Implementation (2001) TAG(secret x) ν ∈ {0, 1|Prob(ν = 1) = η

Communication a

←−

7\30

Reader(secret x) Choose challenge a ∈R {0, 1}k


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

HB one round Implementation (2001) TAG(secret x) ν ∈ {0, 1|Prob(ν = 1) = η

Communication a

←− Compute z = a · x ⊕ ν

7\30

z

−→

Reader(secret x) Choose challenge a ∈R {0, 1}k Check a · x = z


Introduction

HB family protocols

HB protocol

Possible Attacks on HB

Attacks Active attack

8\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocol

Possible Attacks on HB

Attacks Active attack DOS attack - due to exhaustive search

8\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB protocol

Possible Attacks on HB

Attacks Active attack DOS attack - due to exhaustive search Noise function is a PRNG Hb protocol can withstand passive attacks.

8\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

Active attack The reader should give different challenges to the tag on each iteration. But if an attacker will act as a reader: The attacker chooses he’s special challenges: a1 , ..., ar The algorithm Declare j as a round counter From a1 , ...ar pick aj = (1, 0, ..., 0) tag always computes: zj = 1 · x1 ⊕ 0 · x2 ⊕ ... ⊕ 0 · xn ⊕ ν j All answers are a noisy version of x1 Majority decision reveals true value of x1

Repeat for x2 , ..., xn

9\30


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

Attack Diagram

TAG(secret x)

10\30

Communication

Attacker Reader


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

Attack Diagram

TAG(secret x) ν ∈ {0, 1|Prob(ν = 1) = η

10\30

Communication

Attacker Reader


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

Attack Diagram

TAG(secret x) ν ∈ {0, 1|Prob(ν = 1) = η

Communication a

s ←−

10\30

Attacker Reader Choose challenge as ∈R {0, 1}k


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

Attack Diagram

TAG(secret x) ν ∈ {0, 1|Prob(ν = 1) = η

Communication a

s ←−

Compute z = a · x ⊕ ν

10\30

z

−→

Attacker Reader Choose challenge as ∈R {0, 1}k majority test


Introduction

HB family protocols

Conclusion about Tree-HB+

HB protocol

Solution

Use HB+ instead of HB! Or try to reduce the challenges of the reader only to efficient linear codes.

11\30


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

HB+ Implementation of one round (2005)

TAG(secret x,y)

12\30

Communication

Reader(secret x,y)


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

HB+ Implementation of one round (2005)

TAG(secret x,y) ν ∈ {0, 1|Prob(ν = 1) = η}

12\30

Communication

Reader(secret x,y)


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

HB+ Implementation of one round (2005)

12\30

TAG(secret x,y) ν ∈ {0, 1|Prob(ν = 1) = η}

Communication

choose blinding vector b ∈R {0, 1}k

−→

b

Reader(secret x,y)


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

HB+ Implementation of one round (2005)

TAG(secret x,y) ν ∈ {0, 1|Prob(ν = 1) = η}

Communication

choose blinding vector b ∈R {0, 1}k

−→

b

a

←−

12\30

Reader(secret x,y)

Choose challenge a ∈R {0, 1}k


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

HB+ Implementation of one round (2005)

TAG(secret x,y) ν ∈ {0, 1|Prob(ν = 1) = η}

Communication

choose blinding vector b ∈R {0, 1}k

−→

b

a

←− Compute z = a · x t ⊕ b · y t ⊕ ν

12\30

Reader(secret x,y)

z

−→

Choose challenge a ∈R {0, 1}k Check a · xt ⊕ b · yt = z


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

Optimal HB+ parameters Legend of symbols

13\30

k the length secret

r number of rounds

Ρ noise level

t threshold for tag acceptation


Introduction

HB family protocols

HB+ protocol

HB+ Possible attacks

Attack types

14\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB+ protocol

HB+ Possible attacks

Attack types DOS attack

14\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB+ protocol

HB+ Possible attacks

Attack types DOS attack GRS attack- MITM attack

14\30

Conclusion about Tree-HB+


Introduction

HB family protocols

HB+ protocol

HB+ Possible attacks

Attack types DOS attack GRS attack- MITM attack Noise PRNG Here the attacker cannot act as a Reader.

14\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

GRS attack Attacker can add bits to communication between tag and reader. The attack Attacker modifies all challenges r by adding (1,0,...,0) declare j as round counter Tag Computes: zj = ((aj ⊕ (1, 0, ..., 0)) · x) ⊕ (bj · y )) ⊕ νj = (((aj · x) ⊕ ((1, 0, 0, ..., 0) · x) ⊕ (bj · y )) ⊕ νj = (aj · x) ⊕ x1 ⊕ (bj · y ) ⊕ νj Thus, all responses are changed by x1 (either all are ipped, or none) Attacker observes reader’s reaction: If he accepts, then x1 = 0, otherwise x1 = 1 Repeat for x2, ..., xn 15\30


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

Attack Diagram

TAG(secret x,y)

16\30

Communication

Reader(secret x,y)


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

Attack Diagram

TAG(secret x,y) ν ∈ {0, 1|Prob(ν = 1) = η}

16\30

Communication

Reader(secret x,y)


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

Attack Diagram

16\30

TAG(secret x,y) ν ∈ {0, 1|Prob(ν = 1) = η}

Communication

choose blinding vector b ∈R {0, 1}k

−→

b

Reader(secret x,y)


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

Attack Diagram

TAG(secret x,y) ν ∈ {0, 1|Prob(ν = 1) = η}

Communication

choose blinding vector b ∈R {0, 1}k

−→

b

a0 =a⊕δ

a

←− ... ←−

16\30

Reader(secret x,y)

Choose challenge a ∈R {0, 1}k


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

Attack Diagram

TAG(secret x,y) ν ∈ {0, 1|Prob(ν = 1) = η}

Communication

choose blinding vector b ∈R {0, 1}k

−→

b

a0 =a⊕δ

a

←− ... ←−

Compute z = a0 · x t ⊕ b · y t ⊕ ν

16\30

Reader(secret x,y)

z

−→

Choose challenge a ∈R {0, 1}k Check a · xt ⊕ b · yt = z


Introduction

HB family protocols

Conclusion about Tree-HB+

HB+ protocol

HB+ Possible solution

Solutions more secure Random-HB# protocol. reader server with challenge counter and a hard memory on the tag holding the challenge counter.

17\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Why Tree-HB+? Reasons Faster to find a tag to authenticate (light exhaustive O(logb n) instead of exhaustive O(n)).

18\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Why Tree-HB+? Reasons Faster to find a tag to authenticate (light exhaustive O(logb n) instead of exhaustive O(n)). Created to use in a big 106 tag population. Costs

18\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Why Tree-HB+? Reasons Faster to find a tag to authenticate (light exhaustive O(logb n) instead of exhaustive O(n)). Created to use in a big 106 tag population. Costs More communication packets.

18\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Why Tree-HB+? Reasons Faster to find a tag to authenticate (light exhaustive O(logb n) instead of exhaustive O(n)). Created to use in a big 106 tag population. Costs More communication packets. A little more RAM memory needed.

18\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Why Tree-HB+? Reasons Faster to find a tag to authenticate (light exhaustive O(logb n) instead of exhaustive O(n)). Created to use in a big 106 tag population. Costs More communication packets. A little more RAM memory needed.

18\30


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Implementation

Tree-HB+ has got two stages:

19\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Implementation

Tree-HB+ has got two stages: Tree-HB+ stages Tree traversal Stage - Find the best node

19\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Implementation

Tree-HB+ has got two stages: Tree-HB+ stages Tree traversal Stage - Find the best node Authentication stage - Authenticate the node

19\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Implementation

Tree-HB+ has got two stages: Tree-HB+ stages Tree traversal Stage - Find the best node Authentication stage - Authenticate the node

Authentication is the same as the standard HB+.

19\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Tree-HB+ Tree traversal stage Continues

Keys in the nodes Each tag associated with a leaf, gets all the keys on root-leaf path To authenticate: Start at the root At each level, use ’light exhaustive search’ to decide on the next child to go to

20\30


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Tree traversal stage Continues

21\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Tree-HB+

Decision about the most appropriate node

22\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Tree-HB+ Tree Traversal stage Algorithm We are trying to find the most likely tag to authenticate. To do that we use The Algorithm Tag sends the challenge matrix and all the vectors Zi Zi = Byi ⊕ νi Noise vector νi is generated for each stage Reader chooses most likely node for each stage Goes down the tree until arrives to one of the leaves

23\30


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Possible attacks

The same attack’s as HB+

24\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Possible attacks

The same attack’s as HB+ PRNG function

24\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Possible attacks

The same attack’s as HB+ PRNG function GRS attack

24\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Tree-HB+

Tree-HB+ Possible attacks

The same attack’s as HB+ PRNG function GRS attack But we don’t have to worry about the DOS attack anymore.

24\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Tree-HB+

What the attacker can do?

Attacker Actions eavesdrops on communication

25\30

Conclusion about Tree-HB+


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

What the attacker can do?

Attacker Actions eavesdrops on communication communicate directly with a reader or tag(cannot modify messages)

25\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

What the attacker can do?

Attacker Actions eavesdrops on communication communicate directly with a reader or tag(cannot modify messages) Guess the noise Vector PRNG

25\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Solutions

The Tree-HB+ will be more secure if we use an Random-HB# protocol instead of HB+ for authentication step.

26\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+

Solutions

The Tree-HB+ will be more secure if we use an Random-HB# protocol instead of HB+ for authentication step. reader server with challenge counter and a hard memory on the tag holding the challenge counter.

26\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Random-HB#

Random-HB# Single round Implementation

TAG(secret X,Y)

27\30

Communication

Reader(secret X,Y)


Introduction

HB family protocols

Conclusion about Tree-HB+

Random-HB#

Random-HB# Single round Implementation

TAG(secret X,Y) ν ∈ {{0, 1}m | Prob(νi = 1) = η for i in {1,2,...,m}}

27\30

Communication

Reader(secret X,Y)


Introduction

HB family protocols

Conclusion about Tree-HB+

Random-HB#

Random-HB# Single round Implementation

27\30

TAG(secret X,Y) ν ∈ {{0, 1}m | Prob(νi = 1) = η for i in {1,2,...,m}}

Communication

choose blinding vector b ∈R {0, 1}KY

−→

b

Reader(secret X,Y)


Introduction

HB family protocols

Conclusion about Tree-HB+

Random-HB#

Random-HB# Single round Implementation

TAG(secret X,Y) ν ∈ {{0, 1}m | Prob(νi = 1) = η for i in {1,2,...,m}}

Communication

choose blinding vector b ∈R {0, 1}KY

−→

b

a

←−

27\30

Reader(secret X,Y)

Choose challenge a ∈R {0, 1}KX


Introduction

HB family protocols

Conclusion about Tree-HB+

Random-HB#

Random-HB# Single round Implementation

TAG(secret X,Y) ν ∈ {{0, 1}m | Prob(νi = 1) = η for i in {1,2,...,m}}

Communication

choose blinding vector b ∈R {0, 1}KY

−→

b

a

←− Compute z = a · X ⊕ b · Y ⊕ ν

27\30

Reader(secret X,Y)

z

−→

Choose challenge a ∈R {0, 1}KX Check Hwt(a · X ⊕ b · Y ) ¬ um


Introduction

HB family protocols

Conclusion about Tree-HB+

Random-HB#

Legend of symbols

um - u ∈ (η, 12 ) m is the vector length shown later it’s a threshold of authentication level Hwt(x) - Hamming weight of x

28\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Random-HB#

Legend of symbols

um - u ∈ (η, 12 ) m is the vector length shown later it’s a threshold of authentication level Hwt(x) - Hamming weight of x

It has been proven that Random-HB# is infeasible for known computers, it needs to have a Real Random Number Generator.

28\30


Introduction

HB family protocols

Tree-HB+ protocol

Tree-HB+ - Is it better? Pluses 1

29\30

It’s easier to find a tag, so the computations are lowered.

Conclusion about Tree-HB+


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+ protocol

Tree-HB+ - Is it better? Pluses

29\30

1

It’s easier to find a tag, so the computations are lowered.

2

Tree-HB+ can handle an out-of-the-system tag with no DOS.


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+ protocol

Tree-HB+ - Is it better? Pluses

29\30

1

It’s easier to find a tag, so the computations are lowered.

2

Tree-HB+ can handle an out-of-the-system tag with no DOS.

3

Can handle a big population of tags.


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+ protocol

Tree-HB+ - Is it better? Pluses 1

It’s easier to find a tag, so the computations are lowered.

2

Tree-HB+ can handle an out-of-the-system tag with no DOS.

3

Can handle a big population of tags.

Minuses 1

29\30

The same problems with security as all HB family protocols.


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+ protocol

Tree-HB+ - Is it better? Pluses 1

It’s easier to find a tag, so the computations are lowered.

2

Tree-HB+ can handle an out-of-the-system tag with no DOS.

3

Can handle a big population of tags.

Minuses

29\30

1

The same problems with security as all HB family protocols.

2

More memory increases costs.


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+ protocol

Tree-HB+ - Is it better? Pluses 1

It’s easier to find a tag, so the computations are lowered.

2

Tree-HB+ can handle an out-of-the-system tag with no DOS.

3

Can handle a big population of tags.

Minuses

29\30

1

The same problems with security as all HB family protocols.

2

More memory increases costs.

3

More communication packets creates more noise.


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+ protocol

Tree-HB+ - Is it better? Pluses 1

It’s easier to find a tag, so the computations are lowered.

2

Tree-HB+ can handle an out-of-the-system tag with no DOS.

3

Can handle a big population of tags.

Minuses 1

The same problems with security as all HB family protocols.

2

More memory increases costs.

3

More communication packets creates more noise.

Questions? 29\30


Introduction

HB family protocols

Conclusion about Tree-HB+

Tree-HB+ protocol

The End

Thank You for Your attention!

30\30

RFID seminar  

my old RFID seminar

Read more
Read more
Similar to
Popular now
Just for you