<%BANNER%>

Secure Ownership Transfer and Authentication Protocols for Radio Frequency Identification (RFID)

Permanent Link: http://ufdc.ufl.edu/UFE0022783/00001

Material Information

Title: Secure Ownership Transfer and Authentication Protocols for Radio Frequency Identification (RFID)
Physical Description: 1 online resource (76 p.)
Language: english
Creator: Kapoor, Gaurav
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2008

Subjects

Subjects / Keywords: Decision and Information Sciences -- Dissertations, Academic -- UF
Genre: Business Administration thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: There are substantial contributions made by Radio Frequency Identification (RFID)to society today. These contributions manifest themselves in various stages of the supply chain, including reduced inventory management, and improved customer relationships,leading to tremendous cost savings. Using minute transponders (or tags), it is possible to incorporate relevant information in any entity, from a plastic bottle of water to a jumbo jet. However, in today's mobile world, ready yet secure communication between multitude of devices (tags, tag-readers, databases) employing RFID networks is paramount. In addition, the ability to change (and even share) ownership of these devices is equally important. Given the low level of technology available in tags, it is necessary to keep these communications simple or lightweight, yet have the necessary cryptography built in. In this dissertation, we propose lightweight protocols that meet these requirements,and use them for tag authentication and ownership transfer. We rely on a Trusted Third Party in one, and use common cryptographic techniques in both. Thus they are easily implementable, even in the most basic tags. We also perform necessary security analysis to ensure that these protocols are accurate, maintain con?dentiality and provide forward security.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Gaurav Kapoor.
Thesis: Thesis (Ph.D.)--University of Florida, 2008.
Local: Adviser: Piramuthu, Selwyn.
Electronic Access: RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2009-08-31

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2008
System ID: UFE0022783:00001

Permanent Link: http://ufdc.ufl.edu/UFE0022783/00001

Material Information

Title: Secure Ownership Transfer and Authentication Protocols for Radio Frequency Identification (RFID)
Physical Description: 1 online resource (76 p.)
Language: english
Creator: Kapoor, Gaurav
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2008

Subjects

Subjects / Keywords: Decision and Information Sciences -- Dissertations, Academic -- UF
Genre: Business Administration thesis, Ph.D.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: There are substantial contributions made by Radio Frequency Identification (RFID)to society today. These contributions manifest themselves in various stages of the supply chain, including reduced inventory management, and improved customer relationships,leading to tremendous cost savings. Using minute transponders (or tags), it is possible to incorporate relevant information in any entity, from a plastic bottle of water to a jumbo jet. However, in today's mobile world, ready yet secure communication between multitude of devices (tags, tag-readers, databases) employing RFID networks is paramount. In addition, the ability to change (and even share) ownership of these devices is equally important. Given the low level of technology available in tags, it is necessary to keep these communications simple or lightweight, yet have the necessary cryptography built in. In this dissertation, we propose lightweight protocols that meet these requirements,and use them for tag authentication and ownership transfer. We rely on a Trusted Third Party in one, and use common cryptographic techniques in both. Thus they are easily implementable, even in the most basic tags. We also perform necessary security analysis to ensure that these protocols are accurate, maintain con?dentiality and provide forward security.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Gaurav Kapoor.
Thesis: Thesis (Ph.D.)--University of Florida, 2008.
Local: Adviser: Piramuthu, Selwyn.
Electronic Access: RESTRICTED TO UF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE UNTIL 2009-08-31

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2008
System ID: UFE0022783:00001


This item has the following downloads:


Full Text

PAGE 1

1

PAGE 2

2

PAGE 3

3

PAGE 4

Iwouldliketothankmychair,Dr.SelwynPiramuthu,andmyadvisorsDr.PraveenPathak,Dr.SubhajyotiBandyopadhyay,andDr.StevenShuganforalltheirhelpinmakingthispractical. 4

PAGE 5

page ACKNOWLEDGMENTS ................................. 4 LISTOFTABLES ..................................... 8 LISTOFFIGURES .................................... 9 ABSTRACT ........................................ 10 CHAPTER 1INTRODUCTION .................................. 11 1.1RadioFrequencyIdentication ......................... 11 1.2TheResearchProblem ............................. 12 2RFIDOVERVIEW .................................. 14 2.1RFIDHistory .................................. 14 2.2HowRFIDWorks ................................ 15 2.2.1Tags ................................... 15 2.2.2Readers ................................. 18 2.2.3HostInformationSystem ........................ 18 2.2.4Data ................................... 19 2.3BusinessApplications .............................. 19 2.4RFIDvsBarcodes ............................... 20 2.5RFIDDrawbacksandVulnerabilities ..................... 21 3RFIDSECURITYANDPRIVACY ......................... 23 3.1SecurityandPrivacyinMobileCommunication ............... 23 3.1.1Availability ............................... 23 3.1.2Condentiality .............................. 24 3.1.3Authentication .............................. 25 3.1.4Integrity ................................. 25 3.2SecurityRequirementsInRFID ........................ 25 3.2.1AvailabilityofTags ........................... 25 3.2.2CondentialityofMessageContent .................. 26 3.2.3AuthenticityoftheSenderandRecipient ............... 26 3.2.4IntegrityofMessageContent ...................... 26 4LITERATUREREVIEW .............................. 27 4.1AuthenticationProtocols ............................ 27 4.1.1SingleRoundSingleTagProtocols ................... 28 4.1.1.1ProtocolofWeis,Sarma,RivestandEngels ........ 28 4.1.1.2Someotherauthenticationprotocols ............ 30 5

PAGE 6

........ 30 4.1.2MultipleRoundSingleTagProtocols ................. 32 4.1.3SingleRoundMultipleTagProtocols ................. 33 4.2OwnershipTransferProtocols ......................... 33 4.2.1ProtocolsofSaito,Imamoto,andSakurai ............... 34 4.2.1.1ProtocolwithTTP ...................... 34 4.2.1.2Saito'stwo-partymodel ................... 35 4.2.2ProtocolofOsaka,Takagi,YamazakiandTakahashi ......... 36 4.2.3ProtocolofKoralalage,Reza,Miura,GotoandCheng ........ 36 4.2.4ProtocolofSeo,Asano,LeeandKim ................. 37 4.2.5ProtocolofFouladgarandA ..................... 38 4.2.6ProtocolofSong ............................. 39 4.2.7ProtocolofLeiandCao ......................... 41 4.3TheResearchProblemRevisited ....................... 43 5SECUREOWNERSHIPTRANSFERANDAUTHENTICATIONPROTOCOLS 44 5.1Preliminaries .................................. 44 5.2OwnershipTransferwithTTP ......................... 44 5.2.1Preamble ................................. 44 5.2.2OwnershipTransferProtocol ...................... 45 5.3IndependentOwnershipTransfer ....................... 47 5.4SharedOwnership ................................ 49 5.4.1VendorManagedInventory ....................... 50 5.4.2SharedOwnershipTransferProtocolwithaTTP ........... 50 5.4.3IndependentSharedOwnershipTransferProtocol .......... 52 5.5Authentication ................................. 53 5.6SecurityAnalysis ................................ 54 5.6.1OwnershipTransferProtocolwithTTP ................ 54 5.6.1.1Secrecy/dataintegrityandauthenticationofcommunicatingentities ............................. 54 5.6.1.2DoS/synchronizationproblem ................ 55 5.6.1.3Forwardsecurity ....................... 55 5.6.1.4Passivereplay/tracking .................... 56 5.6.2IndependentOwnershipTransferProtocol ............... 56 5.6.2.1Secrecyandauthenticationofcommunicatingentities ... 56 5.6.2.2DoS/synchronizationproblem ................ 56 5.6.2.3Forwardsecurity ....................... 57 5.6.2.4Passivereplay/tracking .................... 57 5.6.3Authentication .............................. 58 5.6.3.1Secrecy ............................ 58 5.6.3.2DoS/synchronizationproblem ................ 58 5.6.3.3Forwardsecurity ....................... 58 5.6.3.4Passivereplay/tracking .................... 58 5.7ImplementationDetails ............................. 60 6

PAGE 7

................................ 60 5.7.2ComputationalOverhead ........................ 60 5.7.3StorageOverhead ............................ 60 6CONCLUSIONSANDFUTUREWORK ...................... 61 APPENDIX ACRYPTOGRAPHYBASICS ............................ 63 A.1PlainText,CipherTextandKeys ........................ 63 A.2XORandConcatenationoperations ...................... 64 A.2.1XOR ................................... 64 A.2.2Concatenation .............................. 65 A.3Hashfunctions ................................. 65 A.3.1FunctionEnsembles ........................... 65 A.3.2ASimpleHashFunction ........................ 65 A.3.3KeyedHashFunction .......................... 66 A.4AnExampleofIndependentOwnershipTransfer ............... 66 BNOTATIONS ..................................... 68 REFERENCES ....................................... 69 BIOGRAPHICALSKETCH ................................ 76 7

PAGE 8

Table page 2-1Industrialclassicationfortags ........................... 17 5-1Securityanalysischart ................................ 59 5-2Protocols:Securitycomparisonchart ........................ 59 A-1BinaryXOROperation ................................ 64 8

PAGE 9

Figure page 2-1AsampleRFIDsystem ................................ 16 2-2Activeandpassivetags ................................ 17 2-3RFIDreader ...................................... 18 4-1ProtocolofWeisetal. ................................ 29 4-2ProtocolduetoYangetal. ............................. 31 4-3AroundofHBprotocol ............................... 32 4-4Ownerchangeschemaonthree-partymodelbySaitoetal. ............ 34 4-5Ownerchangeschemaontwo-partymodelbySaitoetal. ............. 35 4-6ProtocolofOsakaetal. ............................... 36 4-7ProtocolofKoralalageetal. ............................. 37 4-8ProtocolofSeoetal. ................................. 38 4-9ProtocolofFouladgaretal. ............................. 38 4-10ProtocolofSong:Stage1 .............................. 40 4-11ProtocolofSong:Stage2 .............................. 41 4-12ProtocolofLeiandCao ............................... 42 5-1Thepreamble ..................................... 45 5-2TheproposedprotocolwithaTTP ......................... 46 5-3Independentownershiptransferprotocol:Initialization .............. 47 5-4Independentownershiptransferprotocol:Keychange ............... 49 5-5SharedownershiptransferprotocolwithTTP ................... 51 5-6Independentsharedownershiptransferprotocol:Initialization .......... 52 5-7Independentsharedownershiptransferprotocol:Keychange ........... 52 5-8Theauthenticationhandshake ............................ 53 A-1Keyedcryptography:Schematic .......................... 64 A-2Keyedhashfunction:Schematic .......................... 67 9

PAGE 10

TherearesubstantialcontributionsmadebyRadioFrequencyIdentication(RFID)tosocietytoday.Thesecontributionsmanifestthemselvesinvariousstagesofthesupplychain,includingreducedinventorymanagement,andimprovedcustomerrelationships,leadingtotremendouscostsavings.Usingminutetransponders(ortags),itispossibletoincorporaterelevantinformationinanyentity,fromaplasticbottleofwatertoajumbojet. However,intoday'smobileworld,readyyetsecurecommunicationbetweenmultitudeofdevices(tags,tag-readers,databases)employingRFIDnetworksisparamount.Inaddition,theabilitytochange(andevenshare)ownershipofthesedevicesisequallyimportant.Giventhelowleveloftechnologyavailableintags,itisnecessarytokeepthesecommunicationssimpleorlightweight,yethavethenecessarycryptographybuiltin. Inthisdissertation,weproposelightweightprotocolsthatmeettheserequirements,andusethemfortagauthenticationandownershiptransfer.WerelyonaTrustedThirdPartyinone,andusecommoncryptographictechniquesinboth.Thustheyareeasilyimplementable,eveninthemostbasictags.Wealsoperformnecessarysecurityanalysistoensurethattheseprotocolsareaccurate,maintaincondentialityandprovideforwardsecurity. 10

PAGE 11

Youaredrivingthelatest,souped-upconvertibledownathree-lanehighway,athighspeed,withthewindowsrolleddownonacoolsunnyday.Youdon'thearthewindortheenginebecausethesweetsoundofaDavidGilmoursolo TherearesubstantialcontributionsmadebyRFIDtosociety.Thesecontributionsmanifestthemselvesinvariousstagesofthemanufacturingsupplychain,includingreducedinventorymanagementandimprovedcustomerrelationships.Usingminutetransponders(ortags),itispossibletoincorporaterelevantinformationonorinanyentity,fromaplasticbottleofwatertoajumbojet.LatestforecastsputworldwidespendingonRFID 11

PAGE 12

2 .Thisincludeshistory,operation,advantagesovercompetingtechnologylikebarcodesandsomedrawbacks. 3 ,whichlooksatproblemsinherenttomobilecommunication,andinparticularRFID. Weproposelight-weightprotocols(detailsinChapter 5 )thatmeetsthesecurityrequirementsofRFIDdevices,andusethemforownershiptransferandtagauthentication.Extantprotocolseitherlacktheabilitytodobothorhaveinherentawsintheirconstruction.WepresentadetailedreviewofrelatedliteratureinChapter 4 .One Spending to Surpass Trillion in 12

PAGE 13

6 concludesthisthesis,andpresentsavenuesforfutureresearch. 13

PAGE 14

29 55 ].TheydidsobyputtingatransmitteroneachBritishplane.Whenitreceivedsignalsfromradarstationsontheground,itbroadcastasignalbackthatidentiedtheaircraftasfriendly.RFIDessentiallyworksonthissamebasicconcept.Asignalissenttoatransponder,whichwakesupandeitherreectsbackasignal(apassiveRFIDsystem)orbroadcastsasignal(activesystem). Oneoftheearliest,ifnottherst,worksexploringRFIDisthelandmarkpaperbyHarryStockman,CommunicationbyMeansofReectedPower,publishedin1948[ 29 ].Inthelate1960'sandearly1970'stherewasasignicantpushbytheLosAlamosNationalLaboratory(forthetaggingofnuclearequipmentandpersonnel),andbyuniversitieslikeNorthwesternandtheMicrowaveInstituteofSwedentodevelopcommercialRFIDapplications.Amongtherstsuccessfulcommercialapplicationswasthetrackingoflivestock(namelycattle)byattachingsmalltransponderstotheirskin.ThiswasfollowedbyUSrailroadcompaniesusingRFIDtotrack/locatefreightcarsandtrailers.The1990'swereasignicantdecadeforRFIDsinceitsawthewide-scaledeploymentofelectronictollcollectionintheUnitedStates.Importantdeploymentsincludedseveralinnovationsinelectronictolling.Theworld'srstopenhighwayelectronictollingsystemopenedinOklahomain1991,wherevehiclescouldpasstollcollectionpointsathighwayspeeds,unimpededbyatollplazaorbarriersandwithvideocamerasforenforcement.TodayRFIDtechnologyanditsadvantagesareallaroundusintheformofmultipleusetoll-tagsthatcanbeusedtoaccessparkinggarages,trackingofproductsthroughthe 14

PAGE 15

1. ARFIDtagwithuniqueinformation 2. Areaderequippedwithanantenna 3. Ahostcomputerordatabaseandback-endsystems Thereaderemitsradiosignalstoactivatethetagandtoreadandwritedatatoit.Theseradiowavesareinrangesofanywherefromoneinchto100feetormore,dependinguponthepoweroutputandtheradiofrequencyused.WhenanRFIDtagpassesthroughtheelectromagneticzone,itdetectsthereader'sactivationsignal.Thetagthenprocessesthereader'ssignal(whichcouldbeanactivation,aquery,oracommand),andtransmitstheappropriateresponse.Thereaderdecodesthedatareceivedandthenthedataispassedtothehostcomputerforprocessing.Figure2-1showstheschematicoftheoperationofanRFIDsystem. 67 53 75 ],someofwhichareshowninFigure2-2. 1. 2. 15

PAGE 16

AsampleRFIDsystem suchRFIDtagscanbesmallenoughtobeeasilyattachedtoorevenembeddedinproductsorproductpackaging. 3. Tagsareeitherread-onlyorread-write.Thesetermsrefertowhetherornottheinformationstoredonthetagcanbechangedorerased.ARead-onlytag(alsocalledaWORMforWriteOnceReadMany)isaformofRFIDtagthathasanidenticationcode(morespecically,anElectronicProductCodeorEPC)recordedatthetimeofmanufactureorwhenthetagisallocatedtoanobject.Onceprogrammed,thedataonthetagcannotbemodiedorappendedbutitmaybereadmultipletimes.ARead-WriteTagisatagthatcanhaveitsmemorychanged,orwrittento,manytimes.BecausetheirIDcodescanbechanged,theyoergreaterfunctionalityalbeitathigherprice. 16

PAGE 17

RFIDtags.ThetagontheleftisaPassiveTagandtheoneontherightisActiveTag. InitialRFIDtagsinthelate1970'sutilizedlow-voltage,low-powerComplementarymetaloxidesemiconductor(CMOS)logiccircuitswithhard-wiredmemory.However,currentversionscontaincircuitsthatcanoperateinUltraHighFrequency(UHF)andVeryHighFrequency(VHF)radiospectrums,andcontainprogrammableElectricallyErasableProgrammableRead-OnlyMemory(EEPROM)forstoringdata.Table2-1isa(partial)tablewiththeEPC Table2-1. Industrialclassicationfortags EPCclassTypefeaturesTagtype Class0ReadonlyPassive(64bitonly)Class1Writeonce,readmany(WORM)Passive(96bitmin.)Class2(Gen2)Read/writePassive(96bitmin.)Class3Read/writeSemi-activeClass4Read/rriteActivetransmitter 17

PAGE 18

Ahand-heldRFIDreader. 26 30 ].Anumberoffactorscanaectthedistanceatwhichatagcanberead.Thefrequencyusedforidentication,theantennagain,theorientationandpolarizationofthereaderantennaandthetransponderantenna,themediumseparatingtagandreader,aswellastheplacementofthetagontheobjecttobeidentiedwillallhaveanimpactontheRFIDsystemsreadrange[ 73 ].Ahand-heldreaderisshowninFigure2-3. 18

PAGE 19

74 ]presentanarchitectureformanagingthevolumesofRFIDdatathatwillbegeneratedwithmoreusage. 61 ],andinverydierentforms[ 41 56 61 ].Someoftheseapplicationsarenowpresentedinfurtherdetail. 1. 2. 3. 4. 19

PAGE 20

6. 1. RFIDfollowstheEPCstandardforidentifyingobjects 2. RFID,unlikebarcodes,isnotanopticaltechnology,i.e.,itisnotbasedonline-of-sight.Henceinterferencethatmayaecttheoperationsofabar-codereader(likedust)hasnoinuenceonanRFIDreader.Thishastheaddedbenetofreducingthetimefortakinginventory,sincemultipleobjectscanbescannedatonce. 3. RFIDoerstheabilitytodynamicallyupdatetags,andittakesonlyaninstant.Thisisahugeadvantageoverbarcodes,becauseinformationaboutaproductcanchangeovertime.Itisalmostimpossibletomodifyabarcodetoreectnewdata. 4. RFIDtagscanbeembeddedintoobjectswithoutlossoffunctionality.Hence,theycanbeusedinharshenvironments,likeonthespaceshuttle. 5. RFIDtagscanprocessdata,andsenseambientconditionsviasensors.Theycanalsostoremuchmoredatathanabarcodeaboutanobject.

PAGE 21

72 ]andrepeatedusefeatureavailableinRFIDtags. 1. 2. 3 ,inparticularSection 3.2 3. 2 46 60 61 75 ]. 4. (a) ReaderrorsoccurwhenRFIDtagsarenotreadatallorreadincorrectlyduetotechnologyfailuresinthesystem.Theerrorratesaretypicallywithin0-15%[ 65 ]butbeashighas70% 62 ]inconjunctionwithbetterequipment[ 70 ].Adefectivetagobviouslycannotberead.Thustagreliabilityisparamount,andtherehavetobealgorithmsinplacethatimprovethisspeciccondition[ 70 ].Li 21

PAGE 22

65 ]havecollectedanddescribedsomecreativeimplementationstosolvethereaderrorproblem. (b) TheRadioFrequency(RF)spectrumistightlycontrolledandheavilyused.IntheUS,RFIDsystems[ 37 ]operateinthe902to918MHzrange.InEuropethesystemoperateinthe862to870MHzrange.Thesefrequenciessupportrangesaround20-30feet.Therearealsoshort-rangesystemsintheUSoperatingat13.56MHz.Thisfrequencylimitsrangeto2feet.Thedesignofantennas[ 50 ]mustbetomaximizethetransferofpowerintoandoutofthedeviceontheprotectedobject.Thisrequirescarefuldesigntomatchtheantennatofreespace,andisusuallybasedontheapplicationintended. (c) ThelackofstandardsanduniformityinRFIDtechnologykeepthecostshigh[ 16 ],andthesestandardsarethekeytotheproliferationofRFIDtechnology.Also,speedofmotion,minimalprocessingpowerintagsandcompetingtagenvironmentscandisruptoperationseasily.Also,activetagstodayhavearelativelybigphysicalfootprintandthatisalimitingfactor. 22

PAGE 23

SecurityandPrivacyaremajorconcernsinRFIDcommunication.Wenowpresentabriefoverviewofbothissueswithregardstomobilecommunication,andlookatthecurrentstateofthetechnologyaddressingthem. 80 ].Wirelessdevicesthathavenowcorneredpublicconsciousness(likecell-phonesandPDAs)werenotoriginallydesignedwithsecurityinmind[ 52 ].Asadversariesstepuptheirattacks,itischallengingtoimplementsecurityinsmall-footprintdeviceswithlowprocessingpowerandsmallmemorycapacitiesusingwirelessnetworks[ 54 ].Themajordierencebetweenwiredandwirelessnetworksistheanonymous,uncontrolledcoverageareasbetweentheendpointsofthenetwork.Inwideareacellularnetworks,thewirelessmediumcannotbecontrolledatall.Thisenablesattackersintheimmediatevicinityofawirelessnetworktoperformanumberofattacksthatarenotfoundintraditionalwirednetworks[ 23 49 54 ].Wefocusnowonhowthesecanaectthemainrequirementsofsecureandprivatecommunication: 81 ].ADenialofService(henceforthDoS)attackpreventsaccesstoaparticularcommunicationresource.Inwirelessnetworks,DoSusuallytakesplacethroughfrequencyjammingormessageblocking(malicious)orover-useofasharedresource(inadvertent).CertainlythebiggestimmediateissuefacingthisareaistheinterferencethatiscausedbythediverseoeringofwirelessdevicesandservicesusingthesameRFband[ 71 ].Also,manynaturalphenomenaandphysicalobjectscauseRFsignaldegradation,suchastrees,rain,earth,andbuildings. 23

PAGE 24

Theseattacksapplytoboth40-bitandtheso-called128-bitversionsofWEPequallywell.Theyalsoapplytonetworksthatuse802.11bstandard(802.11bisanextensionto802.11tosupporthigherdatarates;itleavestheWEPalgorithmunchanged).Interestedreadersshouldlookat[ 27 54 ]formoredetailsonWEP. Nevertheless,WEPoerssomeprotectionandshouldthereforebedenedinthepolicyifnootherencryptionispossible.TocombattheinsecuritiesofWEP,otherencryptionoptionsarecurrentlyavailableandshouldbeusedinstead,ifpossible.Yangetal.[ 79 ]discusssomealternativestoWLAN'slikeVirtualPrivateNetworks(VPN),CiscoLEAP,andSecureSocketLayer(SSL).However,Fabianetal.[ 7 ]discusslimitationsofusingtheseinanRFIDenvironment.Lately,thewirelessindustryhasmigratedtothenewerWPA(Wi-FiProtectedAccess)encryption[ 8 ],whichoersanumberofsignicantimprovementsoverWEPyetremainsbackwards-compatiblewithWEPdevices.Inorder 24

PAGE 25

3.1.2 )alsoworkjustaswellindestroyingintegrity. 60 ].Anotherwaytodenyservice,calledtagkilling[ 12 ],istoquerythetagrepeatedlytillitscircuitsareoverwhelmed.Fore.g.,ifatagstoresarandomnumberforauthentication,toomanyrequestswillultimatelycauseitscircuitstojam.Stillotherwaystodisableatag 25

PAGE 26

3 ],andmetalorfoil-linedcontainersthatareimpenetrabletoradio-frequencywaves(alsocalleda\Faradaycage"). 68 ].Theseallowaneavesdroppertoeasilycollectdataanduseitlater.CastellucciaandAvoine[ 10 ]propose\noisy"tagstoconfuseanadversaryfromdecipheringreader/tagconversation. 17 82 ],andtakesplaceasfollows:anattackerrelaysverbatimamessagefromthesendertoavalidreceiverofthemessage.So,thereceiverthinksitisreceivingavalidmessagefromavalidsender.Thesender,ontheotherhand,isundertheimpressionthattheattackeristheintendedreceiverofthemessage.Thiscanalsobeusedfortrackingatag,simplybymonitoringtheconversation.Asolutionisbasedondistancebounding.WereferthereadertoAvoine[ 17 ]formoredetails. 26

PAGE 27

SecureRFIDcommunicationprotocolshavesomeuniqueparameterstodealwith.Theyhavetouseaminimumnumberofgates(duetothesizeandstructureoftags),averysmallnumberofclockcycles(duetomobility),andhavetoleaveasmallmessagefoot-print.Theymustberobustandsimple,yetscalable.Severalpapersproposelightweightcryptographicprimitivesforresourceconstrainedapplicationssuchassmartcardsandsensornetworks[ 28 33 ].However,theresourcerequirementsarefarbeyondthatavailableinsimpleRFIDtags.Perrigetal.[ 5 ]proposeTESLA,anecientbroadcastauthenticationmechanismforsensornetworks,whichisbasedonsymmetric-keycryptography.However,TESLAuseshashchainsandstandardmessageauthenticationcodes,noneofwhichcanbeimplementedinlow-costRFIDtags.Moreover,TESLAreliesontimesynchronizationbetweenthebasestationandthesensors,whichisalsobeyondwhatisfeasibleinlow-costRFIDsystems. Itisindeedacomplextasktodeneaprotocolthataccomplishesallthesetaskssimultaneously.WenowpresentafewstateoftheartprotocolsusedforAuthenticationandOwnershipTransferandidentifysomevulnerabilitiesineachoneofthem.Mostofthemarebasedonelementarylogicalandarithmeticoperationsthatrequireminimalmemoryandprocessingpower(onlyafewgates). A ,especiallyhashfunctions,theXORoperation,andprivatesecrets(orkeys). 68 69 ]);however,itisimportanttounderstandhowtheseprotocolsworkandhowtheirvulnerabilitiesareexposed,beforewegetintothe 27

PAGE 28

4.2 .AmajorityofcommunicationprotocolsusedinRFIDtodayapplylightweightcryptography,buttherehavebeenattemptsusingultralightweightcryptography[ 51 63 ],aswellasadvancedencryptionalgorithmslikeAESandellipticcurvecryptography[ 36 44 ].Westartwithbasicprotocolsineachsubsectionbelow,andthereadermaynoticehowthemorerecentprotocolsusefarmorecomplexcryptographictechniques. 1. 2. 3. 4. 5. 6. 2]) 7. 8. 9. Note:Inalltheguresinthischapter,thetimescalerunsfromtoptobottom,i.e.,thetop-mostmessageissentrstandthebottom-mostmessageissentlast.Theconcatenationandexclusive-or(XOR)operatorsarerepresentedbyjjandrespectively. 76 ].Figure4-1providesasketchoftheirprotocol.Here,fx(r)isapseudorandomfunctionensemble. 28

PAGE 29

Reader (secretx) request ProtocolofWeisetal. Bothtagandreadersharesecret(orkey)x.Tagsareequippedwithaone-wayhashfunction,andalsohavearandomnumbergenerator.Tagsrespondtoreaderquerieswith(r;(IDjjh(ID))fx(r)).Readersmayidentifytagsbycomputingfx(r)foralltheirknownkeys,XORingitwiththesecondpartofthetagsresponse,andsearchingforavalueendinginthisform.Thisallowsreaderstoonlystoretagsecrets,withoutneedingtostoretagIDs.Totheadversarywithoutknowledgeofthekeyvalue,thetagsoutputisrandomandmeaningless. Thisprotocolisnotsecureagainstanadversarywhomountsareplayattack.Forexample,theadversarycaneavesdroponthemessagespassedbetweenatagandthereaderandrecordthemessages.Atsomelaterpointintime,theadversarycanreplaythemessagefromthetagtothereader,andthereaderwillacceptitasavalidtag,i.e.,theadversarywouldbeabletoimpersonatethetagtoalegitimatereader.Wecanmakeithardertomountareplayattackbylettingthereadergeneraterandsendingittothetagalongwiththerequest.Itisrelativelyhardforreplayattackswhenfreshrandomvaluesaregeneratedandusedduringeachnewauthenticationprocess.Anothervulnerabilityisduetotheopenbroadcastofthetag'sidentity(ID).Thiscanbeusedbyanadversarytotracktags. 29

PAGE 30

45 ]proposedaprotocolthatrelieson2hashchainsandarandomidentier.Thisprotocolassuresprivacyandforwardsecuritybutisvulnerabletoreplayattacks.Avoineetal.[ 18 ]proposeamodicationtothisprotocoltopreventreplayattacks.Asafurtherexperimenttowardssecurity,HenriciandMuller[ 13 ]proposedaprotocolthatkeepstrackofitssessionnumber.AvoineandOechslin[ 19 ]ndseveralscenariosunderwhichthisprotocolisvulnerable.MolnarandWagner[ 15 ]wereamongthersttoproposeaprotocolusingrandomnonces 64 ]usedXORandhashchainstoauthenticatetagsandreaders.Onemajorawwasthelossofsynchronizationthathappensinthekeyupdatestep,whereinthedatabasehasupdateditskeybutthetaghasnot.Kimetal.[ 21 ]useasymmetricencryptionscheme(withsharedkeys)toenhancesecurityinactivetags,buttheirschemehaslimitedscalability. 34 ],showninFigure4-2,communicationchannelsbetweentagandreaderaswellasreaderandback-endserverarenotassumedtobesecure,mirroringtherealworld. Theprotocolisquiteinvolved,butthemajordetailsareasfollows: Step 1:TheReadergeneratesarandomnumberr.ItformulatesaquerySbydoingahashofthenewlygeneratedr.Itsendsthisquerytothetag.(ThishashfunctionensembleusestheReader'skeysothatitcanbeauthenticated). Step 2:Thetagreplieswithamessage(A),thatisahashofSXORedwiththetag'skeyx1anditsID. 30

PAGE 31

ReaderR TagT (secretk) (secretx1;x2;ID) IFA==h(x1SID) ELSEabort x2x2A ProtocolduetoYangetal. Step 3:Thereaderpassesthisontothebackend(IDDatabase)alongwiththequeryandr.Itdoessotopreventaman-in-the-middleattack. Step 4:Sincethebackendknowsthereader'skey,itrstcheckstoseeifindeeditsavalidreader.ItdoessobycomputingSagain,andcheckingitagainstthevalueofSprovidedbythereader.Nextitcheckswhetherthetagisvalidinmuchthesameway.IfBsuccessfullynishestheauthenticationprocess,itgeneratesA0withoneofitssharedrandomsecretsx2.A0willbeusedtomakethesharedsecret,x1,anonymousintheremainingsteps. Step 5:ThebackendencryptstheDATAaboutthetag,usinghk(S),therandomlycreatedsharedsecretkeybetweenbackendandReaderR.Then,BrepliesA0andhk(S)[DATA].Then,Brandomizesitstwosharedkeys,x1andx2,simplybyXORing.ThesameprocesswillbeappliedtothenextstepformakingthecorrespondingsharedsecretsofTagTtobeanonymous.Afterthisstep,thecorrespondingdecryptionprocess,D:hk(S)(DATA),isprocessedbyRtogetDATA.Thus,DATAofTissecurelyobtainedonlybythelegitimateRevenifanadversaryeavesdropsthereplymessagesonthechannelthatisnotsecure. 31

PAGE 32

Reader(secretx) z! AroundofHBprotocol Step 6:RforwardsA0tothecorrespondingT.Then,Tprocessesthemutualauthentication.TveriestheforwardedA0,calculatesh(x2)andcomparesitwithA0.Ifmatched,themutualauthenticationissuccessful,andT,asthelastprocess,updatesthesharedsecretsx1andx2simplyXORswithAandA0,respectively.Otherwise,TwillnotupdatethemincaseareplayattackonToccurs. Piramuthu[ 68 ]detailshowanadversarycantracktagsandevencompletelybypassthereader. 48 ],andisbasedonthedicultyoftheLearningParitywithNoise(LPN)problem[ 77 ].AnoverviewofaroundoftheHBprotocolisgiveninFigure4-3.Here,rAxandrAxrepresentscalarproductandexclusive-or(XOR)ofk-bitbinaryvectorsrAandxrespectively.Also,isaprobability,rangingfrom0to1/2thattheresponsecalculatedbythetagwillbeipped(ifthecorrectresponsewas1,thetagwillsendback0,andviceversa).equals1withprobability. OneexecutionoftheHBProtocolconsistsofriterationsofthefollowingsteps: 1. ThereadercomputesaqueryrA,andsendsthequerytothetag. 2. ThetagcomputesthedotproductofrAanditssecretx,andthenXORstheresultwith.Theresultofthesecomputationsiscalledz. 3. Thetagrespondstothereader'squerywithz,theresponse. 32

PAGE 33

ThereadercomputesthedotproductofrAandx,sayr0A. 5. Thereadercomparesr0AtorA.Ifr0A=rA(so=0),thereaderrecordsanaccept.Otherwise,thereaderrecordsareject. Afterriterations,thereaderexpectstheTagtohaveaboutrerrors.Thereaderacceptsthetagifithasrerrors,whereisanerrorfactorrangingbetween0and1/2. Itismeantonlytobesecureagainstpassiveattacks,anditisnotsecureagainstactiveattacks.AsimpleactiveattackwhereanadversarypretendingtobethereadertransmitsaxedrAtothetagseveraltimescanretrievethevalueofx. JuelsandWeis[ 4 ]modiedtheHBprotocolandtheoreticallyprovedittobesecureagainstactiveattacks.However,Gilbertetal.[ 20 ]showedthevulnerabilitiesinthismodiedprotocol:theyprovedthatanactiveadversarycouldactuallyretrievetheentiresecretkeyheldbythetag.FurthermodicationsbyBringeretal.[ 25 ]werethoughttobesecure,howeverPiramuthu[ 66 ]showedthatanadversaryimitatinganauthenticreadercanstillgettothesecretkeysused. 1 32 ].However,asshownbyPiramuthu[ 68 ],theproofsprovidedforthecorrectness/securityofthesingleroundmultipletagprotocolsinboth[ 1 ]and[ 32 ]arevulnerabletoreplayattacks.Amodiedproofispresentedin[ 67 ]thataddressestheproblem. 33

PAGE 34

31 ].Theyproposedtwodierentprotocols,oneinvolvingaTTPandonewithout. Tag (secrets2) (secret:s) (secret:s;s1) Ownerchangeschemaonthree-partymodelbySaitoetal. TheprotocolshowninFigure4-4worksasfollows: 1. Owner1givesakeys1toOwner2byusingasecurecommunicationchannel. 2. Owner2generatesanewkeys2andsendss1ands2toTTPbyusingasecurecommunicationchannel. 3. TTPgeneratesaciphertextCTTP=fs(s1;s2)byusinghis(veriable)keysandsendstheciphertexttoOwner2. 4. Owner2sendtheciphertextCTTPtoTagT. 5. TdecryptsCTTPbyusings.Ifs1istrue,Tchangesthepreviouskeys1tothenewkeys2. 34

PAGE 35

(secrets2) (secret:s1) Ownerchangeschemaontwo-partymodelbySaitoetal. However,ascanbeseeninFigure4-4,theadversarycanblockthelastmessagefromOwner2toTag.Whenthishappens,thetaghasitspreviouskeywhileTTPandOwner2havethenewkey.Thisleadstode-synchronizationbetweenreaderandtag.ThiscouldbepreventedattheTTPlevelbykeepingthepreviouskeyandcheckingforcurrentandpreviouskeys.However,thiswillnotworkattheOwner2levelsinceR2doesnotknownorisitsupposedtoknowthetag'spreviouskey.ThechannelbetweenR1andR2isalsoassumedtobesecure,whichisnotavalidassumption. 1. Owner1givesakeys1toOwner2byusingasecurecommunicationchannel. 2. Owner2sendsaquerytoT. 3. TgeneratesanoncerandsendsittoOwner2. 4. Owner2generatesanewkeys2andgeneratesaciphertextC=fr(s1;s2).Owner2sendstheciphertextCtoT. 5. TdecryptsC,byusingnoncer.Ifs1istrue,Tchangess1tos2. Sincerandfr(s1;s2)aresentintheopen,knowingthesevalues,anadversarycanobtains1ands2,therebybeingabletoobtainallcommunicationtoandfromthetag. 35

PAGE 36

Reader Tag (secretk) (secret:k) Figure4-6. ProtocolofOsakaetal. 39 ]isthatanadversarycanintercepttherstmessagefromreadertotagwhichincludesarandomnumberr,sentintheclear,andsendr=0tothetag.ThetagthenrespondswithahashvalueH[fk(ID)]aslongaskeyitshareswiththedatabase,i.e.,kremainsthesame.Sotheadversarycantrackthetag.Leietal.[ 22 ]provideadetaileddescriptionofhowthesevulnerabilitiesaectsecurityparameters. 38 ]usestwosecretsinsidethetag,oneforauthenticationandoneasasharedsecret(seeFigure4-7fordetails).ThishelpsfacilitatewhattheauthorscallAnonymousOwnershipTransfer,i.e.,OTwithoutthepresenceofaTTP.However,tagscanbetrackedbecausetheresponsetoaqueryfromavalidreaderalwaysconsistsofthereader'sID.Soifwereplaytherstmessagefromreadertotag,wealwaysknowwhereitis.AnadversarycanimpersonateareaderbysendingQjjrtothetagusinganyrandomnoncer,andthetagwouldreplywiththesameCinCjjruntilitisupdatedbyaproxyorareader. 36

PAGE 37

Tag (secret:s;s0;ka;k0A) rTf0;1gl IDT;hkafIDT;rT;Fu;s;nullg! ProtocolofKoralalageetal. Seoetal.[ 83 ]proposeaprotocol,showninFigure4-8,thatisvulnerabletode-synchronization.Intheirprotocol,thelastmessagefromthenewownertothetagcanbeblockedbyanadversaryandthisleadstothenewownerhavinganupdatedsecret,whilethetagstillhastheprevioussecret.Unlessthenewownerhasthatprevioussecret,hecannotauthenticatethetag. 37

PAGE 38

R1 R2 Server (secrets2) (secret:s) (secret:s;s1) ProtocolofSeoetal. Reader Tag (secret:) (secret:ku;kp) (CredR) (CredR) ProtocolofFouladgaretal. 58 59 ].TheoperationofthisprotocolcanbedecipheredfromFigure4-9.Theyachievedelegation(providingareaderwithtemporarycredentialsforcommunicatingwiththetag,withouthavingtocommunicatewithadatabaseeverytime),aswellasOwnershipTransfer.Unfortunatelytheirprotocolhasthefollowingvulnerabilities:

PAGE 39

TheauthorsmentionthattheinteractionsbetweentheCentralDataBaseCDBandreaderRoccuroverasecurechannel,sowhenRismobiletheprotocolisvulnerable. 2. Inthedelegationrequestprotocol,anadversarycanimpersonateavalidRandobtaintheIDforanytagfromthecentraldatabaseCDB,byreplayingthecredibilityvalueofthereaderCredRthatissentincleartext. 3. Specicallyintheownershiptransferprotocol,RsendsitsCredRinplaintexttotheCDB.Thistooisvulnerabletoreplayattacks. 4. Inaddition,ittakesthreeroundsforanewownertocompletelypossessallitneedsfromatag 9 ]consistsoftwostages.Therststageisusedfortransferringownershipfromoneowner(R1)toanother(R2)andthesecondstageisusedtoupdatethesecret.Therationalehereisthatduringtherststagethecurrentownertransfersessentialinformation(i.e.,secrets,etc.)aboutthetagtothenewowner,andduringthesecondstagethenewownerupdatesthetag'ssecretssothatthepreviousownercannolongeraccessthetagasshouldbethecaseinanystrictownershiptransferprotocol. Thereareseveralvulnerabilitiesintheprotocols.CommunicationbetweencurrentownerR1andnewownerR2isassumedtobethroughasecurechannelonlywhenR1sendsthemessagetoR2.ItisnotthroughasecurechannelwhenthemessageoriginatesfromR2.Allothercommunicationamongtag,newandpreviousownersareassumedtobethroughchannelsthatarenotrequiredtobesecure.Hereinliesoneofthevulnerabilities.AnadversarycanhijackthecommunicationfromR2toR1(Figure4-10)andreplaythistothecurrentowner(i.e.,R1)andcontinuewiththeremainderoftheprotocolstoobtainownershipofthetag.Thisisanimplementationissue,andcanbepreventedthroughasecuretwo-waychannelbetweenR1andR2.Itisalsocurioustonotethatthecommunicationbetweenthetwoownersissecureoneway(i.e.,R1toR2)andnottheotherway(i.e.,R2toR1). 39

PAGE 40

(secrett;s) (secret:t;s) r2=M1t M3s(r2l t0t s(sl ifh(s)==t, Figure4-10. ProtocolofSong:Stage1 Althoughnotavulnerability,asproposed,itisnotstrictlyanownershiptransferprotocolsincethetwo-stageprotocolallowsallpreviousownerstocontinuetomaintainaccesstoatag.Althoughthepaperclaims,\ProtocolP2shouldbeperformedatadistancefromanyreaders

PAGE 41

(secret:t;s) ifh(s)==t, t0t;tt0 ProtocolofSong:Stage2 22 ])arisesduetofailureinexplicitlyauthenticatingofthereader.Forexample,anadversarycanimpersonateahonestreaderandsend(Query,r)tothetag,whichrespondswith(s;a).Theadversarythenforwards(r;s;a)tothedatabase,whichsharesinformationaboutthetagwiththeadversary(Info(ID)).Thisvulnerabilitycouldbepreventedbyincludingsomereader-specicinformationinthemessages. Althoughnotavulnerability,theprotocolaspresentedisstrictlynotforownershiptransfer.Rather,itisownershipsharingsinceallpreviousownerscontinuetomaintainaccesstothetag.

PAGE 42

Reader Tag (secret:k) (secret:k) H(fk(ID) H(fk(ID) iftrue,kk0 elsecheck iftrue,IDID selectk0 ifvalid, ifvalid, ProtocolofLeiandCao 42

PAGE 44

1. 2. 3. 4. 5. 6. 7. 8. the\loop"betweenTTP&tag,TTP&reader,reader&tagarerepeatedafterapre-determineddelayiftheoriginatorhasnotreceivedanacknowledgementfromtherecipient. 9. Tagiusesitsoldsecret(s1)untilithearsfromR2(thenewowner),afterthetransfer,whenitswitchestos2 Step 1:TheNewOwnerqueriesthetag,andsendsarandomnonceNR2. 44

PAGE 45

ti;rj;si Figure5-1. Thepreamble Step 2:ThetagrespondswithanonceNT,andavalueofthatnonceXORedwithNR2.Thisvalueisinahashfunction,keyedwithsi.Thisisthekeysharedbythetaganditscurrentowner. Step 3:Sincethenewownercannotdecryptthis,hepassesitontotheTTPwitharequestforownership. Step 1.1:UponreceivingaOTrequest,theTTPgeneratesanewkeys2.ItthengeneratesarandomnonceNTTP,andcommunicateswiththetagusingacryptographic 45

PAGE 46

Figure5-2. TheproposedprotocolwithaTTP functionf0encryptedwiththekeytisharedbetweentagianditself.ThisensuresthedataissecureandauthenticatestheTTPtothetag.Thus,thereisnoneedforasecurechanneltochangeanykeys.ThedatainthecommuniqueconsistsofthenewkeyXORedwiththenoncevalue.Inaddition,theTTPsendsthenoncevalueintheclearsoastoallowthetagtodecryptthedata. Step 1.2:Thetagdecryptsthedata,andacknowledgesthemessage.ItdoessobyrstgeneratinganonceNT,andsendingthenonceXORedwiththenoncesentbytheTTP,NTTP.Thismessageissentinahash-keyedfunction. Step 2:TheTTPinformscurrentowner(R1)thathisprivilegesarebeingrevoked.Itsendsasimplerevokemessageandakeyedcryptographicfunction. Step 3.1:NexttheTTPgrantsthenewowner(R2)fullpermissionsalongwithanydelegationprivilegesforthetag.Agrantmessageisissued,alongwithanencrypted 46

PAGE 47

s1;(s2) Figure5-3. Independentownershiptransferprotocol:Initialization functionencryptedwiththekey(r2)sharedbetweennewownerandTTP.Thefunctioncontainsthenewkeys2foraccessingthetag. Step 3.2:Thenewownersendsanacknowledgementmessageintheformofaone-wayhashwiththenewkeyvalue. Step 4.1:Finally,thenewowner\conrms"thenewkeywiththetag.HegeneratesanonceNR2,andestablishescontactwiththetagbysendingthetagNR2andNR2XORedwiths2.Theentiremessageisencryptedusings2asanaddedlayerofsecurity. Step 4.2:Thetagdecryptsthedata,andacknowledgesitwithaone-wayhashofanewrandomnonceN0TXORedwithNR2ands2. 47

PAGE 48

31 ],sincewedonotpasstheoriginalkeystothenewowner,therebypreservingtheforwardsecurityoftheoldowner'scommunicationswiththetag.Wecallthisprotocolindependentownershiptransfer,sinceitdoesnotinvolveaTTP. Inthisprotocol,weconsiderthe(traditional)caseinvolvingthefollowingparties,namelyTagTi,previousownerR1andnewownerR2.TheinnerworkingsoftheprotocolaredepictedinFigure5-3(Initialization)andFigure5-4(Keychange).Theprocedurefortheactualtransferofownershipworksasfollows: Step 1:UponreceivingaOTrequestfromR2,currentownerR1generatesafreshrandomnonceNR1,XORsthekeysharedwiththetag(s1)withthisnonceandsendsthistoboththetag(viaanencryptedmessage)andR2(viaasecurechannel).Thisisthe\initialization"phaseasdepictedinFigure5-3.ThestepsthatfollowaredepictedinFigure5-4. Step 2.1:UponreceivingNR1s1fromR1,thetaggeneratesafreshrandomnonceNT,andsendsthenonceXORedwiththekeys1toR2.NowbothTandR2knowN,(whereN=NR1NT).Asanothermeasureorlayertopreserveforwardsecurity(seesection 5.6 ),R2isnotallowedtoknows1. Step 2.2:ThetagnowrandomlyipsonebitinNandcreatesavectorN0andcreatesanotherfreshrandomnonceN0T.ItthensendsN0T,anencryptedfunctioncontainingN0N0TkeyedwithN0N0Tandasimilarlykeyedhashfunctionwiththesame 48

PAGE 49

s1;(s2) Independentownershiptransferprotocol:Keychange valuestoR2.Here,thehashedmessageisusedforauthenticatingthecommunicationandtheencryptedfunctioncontainstheactualvaluesofthemessage. Step 3.1:KnowingN,R2usesabruteforcetechniquetodetermineN0soastodecryptthevaluesentinf.SinceR2knowsthatN0isreallyjustNwithonlyoneippedbit,thisprocessisfeasible,evenforalargekeysize(e.g.akeysizeof128bits)andR2isassumedtopossessthenecessarycomputationalresourcestoaccomplishthisveryquickly.R2veriesthesolutionobtainedusingthehashedvalue. Step 3.2:ThenewownerR2nowgeneratesandsendsanewkeytothetagbyXORingandencryptingitwithN0.Thisstepisrepeatedafterapre-determinedtimeperioduntilstep4happens. Step 4:Finally,thetagacknowledgesreceiptofnewkeyusingahashfunction,keyedwiththenewkeys2.Thecontentofthemessageiss2XORedwithanewnonceN00T. PleaserefertoAppendix A forasimpleillustrativeexample. 49

PAGE 50

47 ].Thismeansthevendormonitorsthebuyer'sinventorylevels(physicallyorviaelectronicmessaging)andmakesperiodicresupplydecisionsregardingorderquantities,shipping,andtiming.Themanufacturerhasaccesstothedistributorsinventorydataandisresponsibleforgeneratingpurchaseorders. UsingasecureRFIDsystemforinventorymanagementinthesupplychaincomplicatesthisprocess.SincetheinventorydataisbasedonwhatisinRFIDtags,andtagscanonlybeaccessedbyvalidowners/readers,theauthorization/ownershipneededtoaccesstagshastobesharedbythemultipleowners.Inotherwords,thetaghastobevisibletomultipleentitiesinthesupplychain.Thisrequiresthecommunicationprotocol(forthetag/readerauthenticationprocess)thataddressesthisissue. 5.2.2 .TheTTPdecidesonthevalidityofthenewownersandprocessestheinformation.Oncetherequestfortransferofownershiphasbeeninvokedandapproved,theprocedurefortheactualtransferofownershipworksexactlyasdescribedinsubsection 5.2.2 withthefollowingchanges: Step 3.1:TheTTPgrantsallthenewowners(R21;R22;:::;R2N)fullpermissionsalongwithanydelegationprivilegesforthetag.Thisprocesstakesplacesimultaneously.Inotherwords,agrantmessageisissuedtoeachowner,alongwithanencrypted 50

PAGE 51

ti;rj;si Figure5-5. SharedownershiptransferprotocolwithTTP functionencryptedwiththekey(r2i)sharedbetweennewownerR2iandTTP.Thefunctioncontainsthenewkeys2foraccessingthetag. Step 3.2:Eachnewownersendsanacknowledgementmessageintheformofaone-wayhashwiththenewkeyvalue. Step 4.1:Finally,oneofthenewowners(sayR21)communicateswiththetagasfollows.ItgeneratesanonceNR21,andestablishescontactwiththetagbysendinghimNR21encryptedusings2andplaintextNR21.(InFigure5-6,thisisdepictedbythemoregeneralNR2i). Step 4.2:Thetagdecryptsthedata,andacknowledgesitwithaone-wayhashofanewrandomnonceN0TXORedwithNR21ands2.Note:Steps4.1and4.2willtakeplaceonlyonce.Withthetag'skeychanged,allownerswiththenewkeycannowcommunicatewithit.Weassumethattherstownertomakecontactnotiestheotherowners. 51

PAGE 52

s1;(s2) Figure5-6. Independentsharedownershiptransferprotocol:Initialization s1;(s2) Independentsharedownershiptransferprotocol:Keychange 52

PAGE 53

Theauthenticationhandshake Inthefollowingdiscussion,R1representstheprimaryentityofthegroupofcurrentowners(incaseofmultipleowners),andR2representstheprimaryentityofthegroupofnewowners.Inotherwords,R1andR2areresponsibleforsharingthekeyswithintheirrespectivegroups.Howaprimaryentityischosenisbeyondthescopeofthispaperorevencryptographyingeneral,sowedonotdiscussanymechanismsforthesame.Also,sharingofthekeyswithinagroupisassumedtotakeplaceviaasecurechannel.Sincethisisaone-timeoperation,thisisareasonableandvalidassumption.Wedonotadvocate,atanytime,sharingkeysbetweengroups.)Oncetherequestfortransferofownershiphasbeeninvokedandapproved,theprocedurefortheactualtransferofownershipworksasalmostexactlyasdescribedinSection 5.3 6 24 40 ].Thechallenge-responsemodelisawell-knownauthenticationmechanismandusedquiteheavilyincomputing-relatedelds[ 42 ].Note:Forthesakeofconsistencyandsimplicitywewilldemonstrateauthenticationbetweenreadersbelongingtothenewowner(R2)andthetag.Allvaluesandnomenclatureprovidedintheprecedingsectionsstillhold. Theauthenticationhandshake(showninFigure5-8)worksasfollows: 53

PAGE 54

1:TheNewOwnerqueriesthetag,alongwithNR2. Step 2:ThetagrespondswithanonceNT,andavalueofthatnonceXORedwithNR2.Thisvalueisinahashfunction,keyedwiths1.ThisisthekeysharedbythetaganditscurrentownerR1. Step 3:Sincethenewownercandecryptthis,henowsendsamessagetothetag.Thismessage(encryptedwiththesharedkeybetweentagandnewowner)consistsofanewnonceN0R2,andanoptionaloperation(Anexampleopwouldbetoupdateatagregister).Uponreceiptofthismessage,thetagsetsa1-bitaginaregistertotrue,soastopreventreplayattackswithamodiedop(seesub-section 5.6.3 foradetailedsecurityanalysisofthisprotocol). 57 ]demonstratehow\anattackerwithmodestresources-justafewhundreddollarsworthofcommodityequipmentandaPCcandefeattheDigitalSignatureTranspondersystem(DST)".ManufacturedbyTexasInstruments,DSTshavebeendeployedinapplicationslikeelectronicpaymentatgasstations(Exxon-MobilSpeedPassTMsystem).Theseapplicationsarenotable,bothforwide-scaledeploymentandforhighcostsincurredincaseofalarge-scalesecuritybreach.Thus,adetailedsecurityanalysisoftheprotocolispresentednext.Welookatsomeofthemoreimportantmeasures.(Note:Thesecurityanalysisforownershiptransferprotocolsappliesinequalmeasuretotheprotocolsforsharedownershipaswell). 5.6.1.1Secrecy/dataintegrityandauthenticationofcommunicatingentities 54

PAGE 55

43 ].Foranadversarytoforgetheauthenticationorcontentofthemessage,he/shewouldhavetobreaktheunderlyinghashfunction,whichisanexceedinglydicultproblem[ 81 ]. 55

PAGE 56

5.6.2.1Secrecyandauthenticationofcommunicatingentities 5.6.1.1 56

PAGE 57

57

PAGE 58

5.6.1.1 .Theoperationalcommandopisnotencoded. Table5-1showsthesecurityperformanceoftheproposedprotocols.AsshowninTable5-2,wecomparethesecurityperformanceofourtwoownershiptransferprotocols(OT-IdenotestheprotocolwithTTP 5.2 ,andOT-IIdenotestheindependentprotocol 58

PAGE 59

Securityanalysischart SecurityfeatureOTw/TTPprotocolIndependentOTprotocolAuthenticationprotocol SecrecyYYYDoSYPNForwardsecurityYPNTrackingYYY Protocols:Securitycomparisonchart FeatureSIS-ISIS-IIOTYTKSMGCFASALKOT-IOT-II-[ 31 ][ 31 ][ 39 ][ 38 ][ 59 ][ 83 ] 5.2 5.3 SecrecyYNYYYYYYYDoSNNYNNNYPTrackingYYNNNYYPSynchronizationNN=ANYYNYYForwardsecurityYYNYYYYPSecurechannelYYYNYNNNHashoperationsNNYXYXYY )ascomparedtootherexistingprotocols.ThevalueseachsecurityfeaturecantakeonareFullsatisfaction(Y),Partialsatisfaction(P),NoSatisfaction(N),Don'tCare(X),orNotApplicable(N/A).Here,Xusuallysigniesthattheprotocolinquestioncanbeimplementedinawaytofullthatparticularfeature'srequirements.Adescriptionoftheterminologyisasfollows: 1. 2. 3. 4. 5. 6. 7. 59

PAGE 60

5.7.1Scalability 11 ]. 35 ],forasetofcomponents(nonces,keysetc.)ofsizeLbits,thestoragerequirements(ormemorysize)forasinglehashfunctionandXORoperationsis21 2L,andthenumberofmessagesrequiredforfullownershiptransferissix. 60

PAGE 61

Adoptionofnewtechnologyisfacilitatedbyitsoperationbeingtransparenttotheenduser,whileitsoperationalbenetsareclearlyvisible.Aswehaveseen,mostattemptstoprovideasecureprotocol(thatensuresprivacy),eitherforauthenticationorOwnershipTransferhavebeenvulnerabletoattacks.Solvingthisproblemisnowcrucialtoinspiremorecondenceintheendusersofthistechnology.Tothatend,thecontributionofthisresearchismany-fold. First,weproposedOwnershipTransferprotocolsthataremoresecurethanthosecurrentlyexistandyetjustaslightweight.OneoftheseprotocolsrequiresthepresenceofaTrustedThirdParty(TTP).Anadditionaladvantageofthedesignisthatitdoesnotrequireasecurechannelbetweencommunicatingparties.Thesecondprotocolfacilitatesindependentownershiptransferwithoutdistributingkeysbetween(chronologically)dierentowners,althoughasexplainedinChapter??thisisnotstrictlyownershiptransferaspreviousownerscan,iftheysochoose,maintainaccesstothetag.Theseprotocolsareveryeasytoimplement,requiringnonewassumptions,andconsideringjustthecurrentstateoftechnology.Wehaveshownsomesecurity-basedvulnerabilitiesinexistingprotocolsandshowhowtheycanbeeliminated(orattheveryleasthowtheimpactofthesevulnerabilitiescanbemitigated)withanewdesign,byperformingafullsecurityanalysis.Welookatsomescenarioswhereweduplicatetheintentofamaliciousadversary,anddescribetheperformanceoftheprotocol. Second,wehaveshownhowthesameprotocolcanbeusedfortagauthenticationandsecurecommunicationbetweentagsandreaderswithoutmodication.Mostcurrentprotocolsrequiremultipleprotocolsuitestoperformbothactions,ifatall. Third,intheOwnershipTransferwithaTTPweprovideawaytopreventdisruptionandearlydetectionofDoSattacksbyamaliciousadversary,usinganacknowledgement-based 61

PAGE 62

Next,whilethereareseveralextantprotocolsforchangingownership,therearenoneinrelatedliteraturethataddresstheissueofsharingownership.Wedemonstratehowthedesignoftheprotocolscanbeeasilyextendedforsharedownershipoftags. Lastbutnotleastweprovideanoteaboutthecomputationalrequirements,memoryrequirementsandthecostofimplementingtheprotocols. AquestionthatourprotocolsintheircurrentstatedonotaddressspecicallyarerelayattacksasdescribedinChapter3,subsection 3.2.3 .Indeed,mostRFIDprotocolsarevulnerabletotheseattacksandnosimple,securesolutioncurrentlyexists.Weareintheprocessofextendingourresearchtoanswerthisquestion.Anotheravenueoffutureresearchconsistsofdesigningprotocolsformultipletagsthatresideinaggregatedobjects(forexampleacarmayhaveuniquetagsontheengine,onthetires,etc.).HowOwnershipTransferandupdatinginformationtakesplaceinsuchascenario,especiallywhenobjectsarebeingadded,removedorchangedisaninterestingquestiontoanswer. 62

PAGE 63

AccordingtoadenitionprovidedbytheISO InthescenariodepictedinFigureA-1,ifonlyone\key"isusedforbothencryptionanddecryption,theprocedureiscalledsymmetric-keycryptography.Otherwise,itisreferredtoasasymmetric-keycryptography.Ingeneral,asymmetriccryptographyconsumesmoreresourcesthanitssymmetriccounterpart. Akeyusedbyanencryptionalgorithmis(usually)astringofbits,i.e.,a128-bitkeywillhaveexactly128bitsinit.Keysareoftenwritteninhexadecimalformatwhereeachcharacterrepresents4bits,e.g.\FEDC"represents16bits.Theactualbitsinthisexampleare1111111011011100. Secretkeycryptographyschemesaregenerallycategorizedasbeingeitherstreamciphersorblockciphers.Streamciphersoperateonasinglebit(byteorcomputerword)atatimeandimplementsomeformoffeedbackmechanismsothatthekeyisconstantlychanging.Ablockcipherisso-calledbecausetheschemeencryptsoneblockofdataatatimeusingthesamekeyoneachblock.Ingeneral,thesameplaintextblockwillalwaysencrypttothesameciphertextwhenusingthesamekeyinablockcipherwhereasthesameplaintextwillencrypttodierentciphertextinastreamcipher. 63

PAGE 64

Keyedcryptography:Schematic TableA-1. BinaryXOROperation Input1Input2Output 000101011110 A.2.1XOR Formultiplearguments,asinparityproblems,anXORoperationisdenedtobetrueifanoddnumberofitsargumentsaretrue,andfalseotherwise. 64

PAGE 65

printHellojjWorld; whichproducestheoutput: HelloWorld A.3.1FunctionEnsembles 24 ]describesomeoftherulesfordecidingavalidandecientmapping.Akeyedensemblefk(x)isamappingthatcanonlybeinvertedbyusingkeyk. 43 ]suchthatthefollowingpropertieshold: 1. 2. 3. Thus,thesefunctions(someexamplesincludetheMessageDigest5(MD5)andSecureHashAlgorithmI(SHA-1)),areprimarilydesignedtobeunbreakableandcollisionresistant.Noticehowever,thatthiscryptographicnotiondoesnotinvolveanysecretkey.Indeed,thecollision-resistancepropertyisusuallyattachedtokeylessfunctions.Theprimemotivationforsuchfunctionsistobeabletocombinethemwithdigitalsignaturesinawaythatmakesthesesignaturesmoreecientandyetunforgeable. 65

PAGE 66

1. 2. LetN0=1010,i.e.,wehaveippedthesecondbitinNtocreateN0.Theremainingstepsaresimple,andlefttothereader. 66

PAGE 67

Keyedhashfunction:Schematic 67

PAGE 68

1. 2. 3. 4. 2]) 5. 6. 7. 10. 68

PAGE 69

[1] A.Juels,\YokingProofsforRFIDTags,"ProcceedingsoftheFirstInternationalWorkshoponPervasiveComputingandCommunicationSecurity,2004. [2] A.Juels,\RFIDSecurityandPrivacy:AResearchSurvey,"IEEEJournalonSelectedAreasinCommunications,vol.24,no.2,pp.381{394,Feb.2006. [3] A.Juels,R.RivestandM.Szydlo,\TheBlockerTag:SelectiveBlockingofRFIDTagsforConsumerPrivacy,"Proceedingsofthe10thACMconferenceonComputerandCommunicationsSecurity,pp.103{111,2003. [4] A.JuelsandS.Weis,\AuthenticatingPervasiveDeviceswithHumanProtocols,"AdvancesinCryptology,LNCS,vol.3126,pp.293{308,2005. [5] A.Perrig,R.Canetti,J.Tygar,andD.Song,\TheTESLABroadcastAuthenticationProtocol,"CryptoBytes,vol.5,2002. [6] B.Defend,K.FuandA.Juels,\CryptanalysisofTwoLightweightRFIDAuthenticationSchemes,"FifthAnnualIEEEInternationalConferenceonPer-vasiveComputingandCommunicationsWorkshops,vol.19,no.23,pp.211{216,March2007. [7] B.Fabian,O.GuntherandS.Spiekermann,\SecurityAnalysisoftheObjectNameService,"WorkingPaper. [8] B.Potter,\Wirelesssecurity'sfuture,"IEEESecurityandPrivacy,vol.1,no.4,pp.68{72,Jul.2003. [9] B.Song,\RFIDTagOwnershipTransfer,"ProceedingsofRFIDSec08,2008. [10] C.CastellucciaandG.Avoine,\Noisytags:aprettygoodkeyexchangeprotocolforRFIDtags,"InternationalConferenceonSmartCardResearchandAdvancedApplications,LectureNotesinComputerScience,vol.3928,pp.289-299,2006. [11] D.Duc,J.Park,H.Lee,K.Kim\EnhancingSecurityofEPCglobalGen-2RFIDTagagainstTraceabilityandCloning,"The2006SymposiumonCryptographyandInformationSecurity,2006. [12] D.Han,T.Takagi,H.Kim,andK.Chung,\NewSecurityProbleminRFIDSystemsTagKilling,"ComputationalScienceandItsApplicationsvol.3982,pp.375-384,2006. [13] D.HenriciandP.Muller,\Hash-basedEnhancementofLocationPrivacyforRadio-FrequencyIdenticationDevicesusingVaryingIdentiers,"Proceedingsofthe1stInternationalWorkshoponPervasiveComputingandCommunicationSecurity,pp.149{153,2004. 69

PAGE 70

D.Kwon,D.Han,J.LeeandY.Yeom,\VulnerabilityofanRFIDAuthenticationProtocolProposedinatSecUbiq2005,"EUCWorkshops2006,LNCS,vol.4097,pp.262-270,2006. [15] D.MolnarandD.Wagner,\PrivacyandsecurityinlibraryRFID:issues,practices,andarchitectures,"Proceedingsofthe11thACMconferenceonComputerandcommunicationssecurity,pp.210{219,2004. [16] E.Kay,\WhatsthenextstepforRFID,"FrontlineSolutions,pp.21{25,Mar.2003. [17] G.Avoine,\CryptographyinRadioFrequencyIdenticationandFairExchangeProtocols,"Ph.dThesis,EcolePolytechniqyeFederalDeLausanne,Dec.2005. [18] G.Avoine,E.DysliandP.Oechslin,\ReducingTimeComplexityinRFIDSystems,"Proceedingsofthe12thAnnualWorkshoponSelectedAreasinCryp-tography,pp.291{306,2005. [19] G.AvoineandP.Oechslin,\RFIDTraceability:AMultilayerProblem,"FinancialCryptography-FC'05,LNCS,2005. [20] H.Gilbert,M.RobshawandM.Sibert,\AnactiveattackagainstHB+-aprovablysecurelightweightprotocol,"IEEElectronicletters,vol.41,no.21,pp.1169-1170,2005. [21] H.Kim,S.LimandH.Lee,\SymmetricEncryptioninRFIDAuthenticationProtocolforStrongLocationPrivacyandForward-Security,"InternationalConfer-enceonHybridInformationTechnology,vol.2,pp.718{723,2006. [22] H.LeiandT.Cao,\RFIDProtocolenablingOwnershipTransfertoprotectagainstTraceabilityandDoSattacks,"TheFirstInternationalSymposiumonData,PrivcacyandE-commerce,pp.508{510,Nov.2007. [23] H.Yang,H.Luo,F.Ye,S.LuandL.Zhang,\Securityinmobileadhocnetworks:challengesandsolutions,"IEEEWirelessCommunications,vol.11,no.1,pp.38{47,2004. [24] I.VajdaandL.Buttyan,\LightweightAuthenticationProtocolsforLow-CostRFIDTags,"TheSecondConferenceonUbiquitiousComputing,2003. [25] J.Bringer,H.ChabanneandE.Dottax,\HB++:alightweightauthenticationprotocolsecureagainstsomeattacks,"IEEEInternationalConferenceonPervasiveServices,WorkshoponSecurity,PrivacyandTrustinPervasiveComputing,2006. [26] J.ChaandJ.Kim,\Novelanti-collisionalgorithmsforfastobjectidenticationinRFIDsystem,"Proceedingsofthe11thInternationalConferenceonParallelandDistributedSystems,vol.2,pp.63{67,Jul.2005. [27] J.Geier,\ThestateofWirelessLANs,"NetworkWorld,2002. 70

PAGE 71

J.Hostein,J.Pipher,andJ.Silverman,\NTRU:Aringbasedpublickeycryptosystem,"ANTSIII(LNCS)vol.1423,pp.267-288,1998. [29] J.Landt,\ThehistoryofRFID,"IEEEPotentials,vol.24,no.4,pp.8-11,Oct.-Nov.2005. [30] J.Myung,W.LeeandT.K.Shih,\AnAdaptiveMemorylessProtocolforRFIDTagCollisionArbitration,"IEEETransactionsonMultimedia,vol.8,no.5,pp.1096{1101,Oct.2006. [31] J.Saito,K.Imamoto,andK.Sakurai,\ReassignmentSchemeofanRFIDTag'sKeyforOwnerTransfer,"ProceedingsoftheIFIPInternationalConferenceonEmbeddedandUbiquitousComputing(EUC)Workshop,LNCS,vol.3823,pp.1303{1312,2005. [32] J.SaitoandK.Sakurai,\GroupingproofsforRFIDtags,"Procceedingsofthe19thInternationalConferenceonAdvancedInformationNetworkingandApplications,pp.621{624,2005. [33] J.SternandJ.Stern,\CryptanalysisoftheOTMsignatureschemefromFC02,"Proceedingsofthe7thFinancialCryptographyConference,2003. [34] J.Yang,J.Park,H.Lee,K.RenandK.Kim,\MutualAuthenticationProtocolforlow-costRFID,"ProceedingsoftheWorkshoponRFIDandLightweightCryptography,pp.17{24,2005. [35] J.Yang,K.RenandK.Kim,\Securityandprivacyonauthenticationprotocolforlow-costRFID,The2005SymposiumonCryptographyandInformationSecurity,2005. [36] J.Wolkerstorfer,\ScalingECCHardwaretoaMinimum,"ProceedingsofAustrochip2005,Oct.2005. [37] K.Chang,RFandMicrowaveWirelessSystems,John-WileyandSons,2002. [38] K.Koralalage,S.Reza,J.Miura,Y.GotoandJ.Cheng,\POPMethod:AnApproachtoEnhancetheSecurityandprivacyofRFIDSystemsUsedinProductLifecyclewithanAnonymousOwnershipTransferringMechanism,"Proceedingsofthe2007ACMSymposiumonAppliedComputing,pp.270{275,2007. [39] K.Osaka,T.Takagi,K.YamazakiandO.Takahashi,\AnEcientandSecureRFIDSecurityMethodwithOwnershipTransfer,"ProceedingsoftheInternationalConferenceonComputationalIntelligenceandSecurity(CIS),LNAI4456,pp.778{787,2007. [40] K.Rhee,J.Kwak,S.KimandD.Won,\Challenge-ResponseBasedRFIDAuthenticationProtocolforDistributedDatabaseEnvironment,"SecurityinPervasiveComputing,LNCS,vol.3450,pp.70{84,March2005. 71

PAGE 72

L.ChenandR.Nath,\Aframeworkformobilebusinessapplications,"InternationalJournalofMobileCommunications,vol.2,no.4,pp.368{381,2004. [42] L.Klienrock,\PrinciplesandLessonsinPacketCommunications,"ProceedingsoftheIEEE,vol.66,no.11,1978. [43] M.Bellare,R.CanettiandH.Krawczyk\KeyingHashFunctionsforMessageAuthentication,"AdvancesinCryptology,LectureNotesinComputerSciencevol.1109,1996. [44] M.Feldhofer,S.DominikusandJ.Wolkerstorfer\StrongAuthenticationforRFIDSystemsusingtheAESAlgorithm,"ProceedingsofWorkshopofCryptographicHardwareandEmbeddedSystems-CHES2004,LNCS,Vol.3156,pp.357{370,2004. [45] M.Ohkubo,K.SuzukiandS.Kinoshita,\Acryptographicapproachtoa'privacy-friendly'tags",RFIDPrivacyWorkshop,MIT,Nov.2003. [46] M.Ohkubo,K.SuzukiandS.Kinoshita,\RFIDprivacyissuesandtechnicalchallenges,"CommunicationsoftheACM,vol.48,no.9,pp.66{71,2005. [47] M.Waller,M.Johnson,andT.Davis\Vendor-managedinventoryintheretailsupplychain,"JournalofBusinessLogistics,vol.20,issue1,1999. [48] N.HopperandM.Blum,\SecureHumanIdenticationProtocols,"AdvancesinCrytology,LNCS,vol.2248,pp.52-66,2001. [49] P.Ashley,H.HintonandM.Vandenwauver,\WiredversusWirelessSecurity:TheInternet,WAPandiModeforE-Commerce,"17thAnnualComputerSecurityApplicationsConference,pp.0296,2001. [50] P.FosterandA.Burberry,\AntennaproblemsinRFIDsystems,"IEEColloquiumonRFIDTechnology,pp.1{5,1999. [51] P.Peris-Lopez,J.Hernandez-Castro,J.TapiadorandA.Ribagorda,\M2AP:AMinimalistMutual-AuthenticationProtocolforLow-costRFIDTags,"InternationalConferenceonUbiquitousIntelligenceandComputing,LNCSvol.4159,pp.912{923,2006. [52] P.Zimmerman,TheOcialPGPUser'sguide,McGraw-Hill,1995. [53] R.Angeles,\RdTechnologies:Supply-ChainApplicationsandImplementationIssues,"InformationSystemsManagement,vol.22,no.1,pp.51{65,Dec.2005. [54] R.NicholsandP.Lekkas,WirelessSecurity:Models,Threats,andSolutionsMcGraw-HillProfessional,2002. [55] R.Want,\AnIntroductiontoRFIDtechnology,"PervasiveComputing,IEEE,vol.5,no.1,pp.25{33,Jan-Mar.2006. 72

PAGE 73

R.Weinstein,\RFID:ATechnicalOverviewandItsApplicationtotheEnterprise,"ITProfessional,vol.7,no.3,pp.27{33,May-Jun.2005. [57] S.Bono,M.Green,A.Stubbleeld,A.Juels,A.RubinandM.Szydlo,\Securityanalysisofacryptographically-enabledRFIDdevice,"Proceedingsofthe14thconferenceonUSENIXSecuritySymposium,2005. [58] S.FouladgarandH.A,\ASimpleDelegationSchemeforRFIDSystems(SiDeS),"ProceedingsoftheIEEEInternationalConferenceonRFID,2007. [59] S.FouladgarandH.A,\AnEcientDelegationandTransferofOwnershipProtocolforRFIDTags,"ProceedingsoftherstInternationalEURASIPWorkshoponRFIDTechnology,pp.59{62,2007. [60] S.Garnkel,A.JuelsandR.Pappu,\RFIDPrivacy:AnOverviewofProblemsandProposedSolutions,"IEEESecurityandPrivacy,vol.3,no.3,pp.34{43,May2005. [61] S.GarnkelandB.Rosenberg,RFID:Applications,Security,andPrivacy,Addison-WesleyProfessional,2005. [62] S.Inoue,S.HagiwaraandH.Yasuura,\SystematicerrordetectionforRFIDreliability,"ARES'06:ProceedingsoftheFirstInternationalConferenceonAvailability,ReliabilityandSecurity,pp.280{286,Apr.2006. [63] S.KarthikeyanandM.Nesterenko\RFIDsecuritywithoutextensivecryptography,"Proceedingsofthe3rdACMworkshoponSecureAdHocSensorNetworks,pp.63{67,2005. [64] S.Lee,T.AsanoandK.Kim,\RFIDmutualauthenticationschemebasedonsynchronizedsecretinformation,"The2006SymposiumonCryptographyandInformationSecurity,Jan.2006. [65] S.Li,J.Visich,B.KhumawalaandC.Zhang,\Radiofrequencyidenticationtechnology:applications,technicalchallengesandstrategies,"SensorReview,vol.26,no.3,pp.193{202,2006. [66] S.Piramuthu,\HBandRelatedLightweightAuthenticationProtocolsforSecureRFIDTag/ReaderAuthentication,"ProceedingsoftheConferenceonCollaborativeElectronicCommerceTechnologyandResearch(CollECTerEurope),pp.239{247,2006. [67] S.Piramuthu,\OnExistenceProofsforMultipleRFIDTags,"IEEEInternationalConferenceonPervasiveServices(ICPS'06),pp.317{320,2006. [68] S.Piramuthu,\ProtocolsforRFIDtag/readerauthentication,"DecisionSupportSystems,vol.43,pp.897{914,2007. 73

PAGE 74

S.Piramuthu,\LightweightCryptographicAuthenticationinPassiveRFID-TaggedSystems,"IEEETransactionsonSystems,Man,andCybeneticsPartC:ApplicationsandReviews,vol.38,no.2,Mar.2008. [70] S.PiramuthuandY.Tu,\IdentifyingRFID-enabledObjectsinPervasiveHealthcareApplications,"DecisionSupportSystems,2008. [71] S.Russell,\Wirelessnetworksecurityforusers,"ProceedingsoftheInternationalConferenceonInformationTechnology:CodingandComputing,pp.172{177,2001. [72] S.Sarma,\Towardstheve-centtag,"TechnicalReportMIT-AUTOID-WH-006,Auto-IDLabs,2001. [73] S.Sarma,D.Engels\TheReaderCollisonProblem,"2002IEEEInternationalConferenceonSystems,ManandCybernetics,vol.3,2002. [74] S.Sarma,S.Chawathe,V.KrishnamurthyyandS.Ramachandrany,\ManagingRFIDData,"Proceedingsofthe30thVLDBConference,2004. [75] S.Sarma,S.WeisandD.Engels,\RFIDSystemsandSecurityandPrivacyImplications,"LectureNotesinComputerScience,vol.2523,pp.454{470,2002. [76] S.Weis,S.Sarma,R.RivestandD.Engels,\Securityandprivacyaspectsoflow-costradiofrequencyidenticationsystems,"Proceedingsofthe1stsecurityconferenceonPervasiveComputing,LNCS,vol.2802,pp.201{212,2004. [77] T.JohanssonandF.Jonsson,\FastCorrelationAttacksthroughReconstructionofLinearPolynomials,"CRYPTO'00:Proceedingsofthe20thAnnualInternationalCryptologyConferenceonAdvancesinCryptology,pp.300{315,2000. [78] T.LiandG.Wang,\SecurityAnalysisofTwoUltra-LightweightRFIDAuthenticationProtocols,"NewApproachesforSecurity,PrivacyandTrustinComplexEnvironments,vol.232,pp.109-120,2007. [79] T.YangandY.Zahur,\WirelessLANsecurityandlaboratorydesigns,"JournalofComputingSciencesinColleges,vol.19,no.3,pp.44{60,2004. [80] W.Ford,Computercommunicationssecurity:principles,standardprotocolsandtechniques,Prentice-Hall,1994. [81] W.Stallings,Networkandinternetworksecurity:principlesandpractice,Prentice-Hall,1995. [82] Y.Desmedt,C.GoutierandS.Bengio,\Specialusesandabusesoftheat-shamirpassportprotocol,"AdvancesinCryptologyCRYPTO87,LectureNotesinCom-puterScience,vol.293,pp.21-39,Aug.1988. 74

PAGE 75

Y.Seo,T.Asano,H.LeeandK.Kim,\ALightweightProtocolEnablingOwnershipTransferandGranularDataAccessofRFIDTags,"Proceedingsofthe2007Sympo-siumonCryptographyandInformationSecurity(SCIS),2007. 75

PAGE 76

GauravKapoorgraduatedfromtheUniversityofFlorida,withaPh.D.ininformationsystemsandoperationsmanagement.HehasworkedinapplyingIS/ITinthetelecommunicationsandconsultingindustryforanumberofyears.HehopestogobacktoIndiaanddisbursetheknowledgehehascollectedinthecourseofhissojourninacademics. 76