Qingsong Yao,Yong Qi,Jinsong Han,Jizhong Zhao,Xiangyang Li,Yunhao Liu

DOI: https://doi.org/10.1109/percom.2009.4912773

2009-01-01

Abstract:Privacy protection is increasingly important during authentications in Radio Frequency Identification (RFID) systems. In order to achieve high-speed authentication in large-scale RFID systems, researchers propose tree-based approaches, in which any pair of tags share a number of key components. Such designs, being efficient, often fail to achieve forward secrecy and resistance to attacks, such as compromising and desynchronization. Indeed, these attacks may still take effect even after a tag successfully finishes the authentication and key-updating procedure. To address the issue, we propose a lightweight RFID private authentication protocol, RWP, based on the random walk concept. RWP also provides the forward security and temporal resistance to the tracking attack. The analysis results show that RWP effectively enhances the security protection for RFID private authentication, and increases the authentication efficiency from O(logN) to O(1).

Yongming Jin,Huiping Sun,Wei Xin,Song Luo,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-25243-3_6

2011-01-01

Abstract:The wide deployment of RFID systems has raised many concerns about the security and privacy. Many RFID authentication protocols are proposed for these low-cost RFID tags. However, most of existing RFID authentication protocols suffer from some feasible problems. In this paper, we first discuss the feasible problems that exist in some RFID authentication protocols. Then we propose a lightweight RFID mutual authentication protocol against these feasible problems. To the best of our knowledge, it is the first scalable RFID authentication protocol that based on the SQUASH scheme. The new protocol is lightweight and can provide the forward security. In every authentication session, the tag produces the random number and the response is fresh. It also prevents the asynchronization between the reader and the tag. Additionally, the new protocol is secure against such attacks as replay attack, denial of service attack, man-in-the-middle attack and so on. We also show that it requires less cost of computation and storage than other similar protocols.

Qingsong Yao,Yong Qi,Jizhong Zhao,Jinsong Han

DOI: https://doi.org/10.1109/MOBHOC.2009.5337025

2009-01-01

Abstract:Radio Frequency Identification (RFID) technologies are on their highway to pervasive usage. However privacy protection is still an important problem since RFID tags attached to items are so cost constrained. Privacy preserving authentication approaches are proposed to authenticate tags without private information leaking. Previously designed approaches based on synchronization seeks 0(1) complexity. While these synchronization based methods are efficient in normal case, they have weak points when desynchronized. When maliciously scanned, information stored in tag and reader goes farther and farther away from each other. An adversary can utilize this point to track a tag. We propose an Enhanced Synchronization aPproach for RFID private authentication, ESP, to solve this problem. ESP can eliminate the problem caused by Desynchronization Attack and help detecting Replay Attack Analysis shows that ESP enhances privacy protection while still maintaining the authentication efficiency.

Shucheng Yu,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/milcom.2007.4454918

2007-01-01

Abstract:Radio frequency identification (RFID) is an emerging technology for automatic object identification. For successful deployment of tags, a RFID system should provide effective protection over security and privacy. In particular, traceability is the main concern for user privacy. To address these issues, mutual authentication between the reader and tags is required when deploying a RFID system. Unfortunately, because low-cost RFID tags are highly resource constrained, they are not able to carry out expensive cryptographic primitives to achieve strong authentication. This paper introduces a lightweight authentication protocol for low-cost RFID tags. Compared with previous work, our solution provides better traceability protection while keeping the system efficient in terms of computation and communication. Our scheme also maintains comparable strength regarding other security aspects.

Li Lu,Jinsong Han,Lei Hu,Lionel M. Ni

DOI: https://doi.org/10.1109/percom.2007.13

IF: 1.938

2012-01-01

International Journal of Distributed Sensor Networks

Abstract:The objective of private authentication for Radio Frequency Identification (RFID) systems is to allow valid readers to explicitly authenticate their dominated tags without leaking the private information of tags. In previous designs, the RFID tags issue encrypted authentication messages to the RFID reader, and the reader searches the key space to identify the tags. Without key updating, those schemes are vulnerable to many active attacks, especially the compromising attack. We propose a strong and lightweight RFID private authentication protocol, SPA. By designing a novel key updating method, we achieve the forward secrecy in SPA with an efficient key search algorithm. We also show that, compared with existing designs, (SPA) is able to effectively defend against both passive and active attacks, including compromising attacks. Through prototype implementation, we demonstrate that SPA is practical and scalable for current RFID infrastructures.

Yuanchao Shu,Yu Gu,Jiming Chen

DOI: https://doi.org/10.1109/MASS.2012.6502522

2012-01-01

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges can not be transferred among trusted users. In this work, we introduce a sensory-data-enhanced authentication for access control systems. By combining sensory-data obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss and stolen. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with simple sensor data and empirically demonstrate simple rotations can increase key space by more than 30, 000 times with an authentication accuracy of 95%. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Ben Niu,Xiaoyan Zhu,Hui Li

DOI: https://doi.org/10.1109/WCNC.2013.6554848

2013-01-01

Abstract:Existing work on RFID authentication problems always make assumptions that 1) hash function can be fully used in designing RFID protocols; 2) channels between readers and the server are always secure. However, the first assumption is not suitable for EPC Class-1 Gen-2 tags, which has been challenged in many research work, while the second one cannot be adopted in mobile RFID applications where the wireless channels between readers and the server are always insecure. In this paper, we propose a new ultralightweight authentication protocol for mobile RFID systems. We only use bitwise XOR, and special constructed pseudo-random number generators (RNGs) to achieve our aims in insecure mobile RFID environment. Security analysis shows that our protocol can provide several privacy properties and avoid suffering from kinds of attacks, including tag anonymity, tag location privacy, reader privacy, forward secrecy, and mutual authentication, replay attack, desynchronization attack etc. We implement our protocol and compare authentication delays with several existing work, the results indicate us that our protocol significantly improves the efficiency. © 2013 IEEE.

Kai Bu,Junze Bao,Minyu Weng,Jia Liu,Bin Xiao,Xuan Liu,Shigeng Zhang

DOI: https://doi.org/10.1016/j.adhoc.2015.06.006

IF: 4.816

2016-01-01

Ad Hoc Networks

Abstract:Radio-Frequency Identification (RFID) technology has fostered many object monitoring applications. Along with this trend, a corresponding important problem is to verify the intactness of a set of objects using that of their attached tags. Existing solutions necessitate the knowledge of tag identifiers (IDs), sharing the intuition that verifying whether any tag is absent comes after knowing which tags are supposed to be present. Such solutions, however, can hardly live up to the recent vision of anonymous RFID systems that isolate tag IDs from protocols design for privacy concern. In this paper, we take the first leap toward verifying intactness of anonymous RFID systems. We first identify three critical solution requirements—deterministic verification, anonymity preservation, and scalability—for applications tolerating no absence. Without tag IDs as a priori, we propose a series of crypto-free, lightweight protocols that satisfy the requirements. The proposed protocols explore tag-cardinality difference or leverage Direct-Sequence Spread Spectrum enabled RFID. We validate their performance in terms of accuracy, privacy, and scalability through both analytical and simulation results. To cater for applications that tolerate losing some tagged objects, we further explore probabilistic intactness verification to trade tiny accuracy for boosted efficiency.

Ning, Jianting

DOI: https://doi.org/10.1007/s12083-023-01471-3

IF: 3.488

2023-04-25

Peer-to-Peer Networking and Applications

Abstract:As one of the key identity authentication technologies in the Internet of Things (IoT), Radio Frequency Identification (RFID) technology has been widely adopted in various wireless communication fields. However, increasing security and privacy issues have been limiting the development of RFID system. Most of the existing RFID authentication protocols are vulnerable to many malicious attacks. Key updating is a common security mechanism in RFID authentication protocol, but the existing RFID authentication protocols using traditional key updating mechanism usually cannot resist against desynchronization attack. To address this issue, we present a new shared key updating method by using pseudo-random number generator (PRNG) with the seeds negotiated by tag and server. Moreover, a new bit flipping operation is proposed to reduce the computation cost of tag. On these basis, we design a lightweight RFID mutual authentication protocol SDRLAP based on double physical unclonable function (PUF) by using PRNG and bit flipping operation. Compared with most of the existing RFID authentication protocols with the traditional key updating mechanism, SDRLAP guarantees the security and privacy of RFID systems, and meanwhile has the obvious advantages in terms of computational cost, storage requirement and communication overhead.

computer science, information systems,telecommunications

J Yang,Kui Ren,Kwangjo Kim

2005-01-01

Abstract:In the near future, radio frequency identiflcation (RFID) technology is expected to play an important role for object identiflcation as a ubiquitous infrastructure. However, low-cost RFID tags are highly resource-constrained and cannot support its long-term security, so they have potential risks and may violate privacy for their bearers. To remove security vulnerabilities, we propose a robust mutual authentication protocol between a tag and a back-end server for low-cost RFID system that guarantees data privacy and location privacy of tag bearers. Difierent from the previous works (4, 14), our protocol flrstly provides reader authentication and prevent active attacks based on the assumption that a reader is no more a trusted third party and the communication channel between the reader and the back-end server is insecure like wireless channel. Also, the proposed protocol exhibits forgery resistant against simple copy, or counterfeiting prevailing RFID tags. As tags only have hash function and exclusive-or operation, our proposed protocol is very feasible for low-cost RFID system compared to the previous works. The formal proof of correctness of the proposed authentication protocol is given based on GNY logic.

Hung-Min Sun,Chen-En Lu,Shuai-Min Chen

DOI: https://doi.org/10.1109/tencon.2007.4429060

2007-01-01

Abstract:RFIDs have been popularly used in daily life. To avoid being intruded on user privacy, proper protection is necessary. The privacy issues, such as object tracking and forgery of tags, are widely studied in the literature. Traditionally, the reader is regarded as a part of the system. In mobile RFID environment, however, anyone who holds the reader can connect to the server and acquire other information about the objects he owns. To verify whether a reader has the rights to access the tags has become essential. In this paper, we propose an RFID authentication protocol that can achieve the above goal and provide tag anonymity and forgery resistance. Hence, the user privacy is guaranteed.

Kai Bu,Jia Liu,Bin Xiao,Xuan Liu,Shigeng Zhang

DOI: https://doi.org/10.1109/PADSW.2014.7097801

2014-01-01

Abstract:Radio-Frequency Identification (RFID) technology has fostered many object monitoring systems. Along with this trend, tagged objects' value and privacy become a primary concern. A corresponding important problem is to verify the intactness of a set of tagged objects without leaking tag identifiers (IDs). However, existing solutions necessitate the knowledge of tag IDs. Without tag IDs as a priori, this paper studies intactness verification in anonymous RFID systems. We identify three critical solution requirements, that is, deterministic verification, anonymity preservation, and scalability. We propose Cardiff and Divar, two crypto-free, lightweight protocols that isolate tag IDs from intactness verification and satisfy solution requirements. Cardiff explores tag cardinality as intactness proof while Divar leverages Direct-Sequence Spread Spectrum (DSSS) enabled RFID. Both analytical and simulation results demonstrate that Cardiff and Divar can satisfy the requirements of accuracy, privacy, and scalability.

Li Lu,Jinsong Han,Renyi Xiao,Yunhao Liu

DOI: https://doi.org/10.1109/infcom.2009.5062117

2015-01-01

Abstract:In order to protect privacy, radio frequency identification (RFID) systems employ privacy-preserving authentication (PPA) to allow valid readers to explicitly authenticate their dominated tags without leaking private information. Typically, an RF tag sends an encrypted message to the reader, then the reader searches for the key that can decrypt the cipher to identify the tag. Due to the large-scale deployment of today's RFID systems, the key search scheme for any PPA requires a short response time. Previous designs construct balance-tree based key management structures to accelerate the search speed to 0(logN), where N is the number of tags. Being efficient, such approaches are vulnerable to compromising attacks. By capturing a small number of tags, compromising attackers are able to identify other tags that have not been corrupted. To address this issue, we propose an Anti- Compromising authenticaTION protocol, ACTION, which employs a novel sparse tree architecture, such that the key of every tag is independent from one another. The advantages of this design include: 1) resilience to the compromising attack, 2) reduction of key storage for tags from 0(logN) to 0(1), which is significant for resource critical tag devices, and 3) high search efficiency, which is 0(logN), as good as the best in the previous designs.

Qingsong Yao,Jinsong Han,Yong Qi,Lei Yang,Yunhao Liu

DOI: https://doi.org/10.1109/ICPP.2011.52

2011-01-01

Abstract:Existing RFID Privacy-Preserving Authentication (PPA) solutions mainly focus on the design of crypto based interactive protocols between readers and tags. Although the cryptographic mechanisms enable randomization and enhance protocol-level privacy, the access mode in RFID systems is less random and may leak private information. We introduce anew attack based on such privacy leakage in access mode, where we show that the mainstream RFID PPA protocols, including the linear, tree-based, and synchronization-based solutions, are not private. We also show that this new attack is easy to conduct, e.g., we can track tags that employ typical tree-based PPA protocols without the need of compromising tags. We discuss the applicability of the attack. Moreover, we provide useful recommendations to strengthen existing PPA protocols in defending against such attacks. The simulation results demonstrate the practicability and effectiveness of this attack.

Wei Xie,Chen Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.48550/arXiv.1304.1318

2013-04-04

Cryptography and Security

Abstract:This paper address a new problem in RFID authentication research for the first time. That is, existing RFID authentication schemes generally assume that the backend server is absolutely secure, however, this assumption is rarely tenable in practical conditions. It disables existing RFID authentication protocols from being safely applied to a reallife scenario in which the backend server is actually vulnerable, compromised or even malicious itself. We propose an RFID authentication scheme against an unsecure backend server. It is based on hash chain, searching over encrypted data, and coprivacy, defending against the privacy revealing to the backend server. The proposed scheme is scalable, resistant to desynchronization attacks, and provides mutual authentication in only three frontend communication steps. Moreover, it is the first scheme meeting the special security and privacy requirement for a cloud-based RFID authentication scenario in which the backend server is untrustworthy to readers held by cloud clients.

Lifu Wang

2013-01-01

Abstract:RFID discovery service is not widely used and related standard is not published,one main reason is the existence of some security issues.Typical security issues are analyzed,and related security requirements are given,i.e.RFID privacy protection,authorized RFID code access,untraceability of supply chain node,node authentication,message correctness,etc.According to these security requirements,a double random number based secure communication mechanism of RFID discovery service is proposed.Random number is used for node authentication and message authentication,and related query generating and routing algorithm are given.This mechanism is implemented in PKU RFID3S system.The simulation tests show that the system not only implements security requirements mentioned above,but also has acceptable query hit rate and query responding time.

Shuai-Min Chen,Mu-En Wu,Hung-Min Sun,King-Hang Wang

DOI: https://doi.org/10.1016/j.future.2013.05.004

IF: 7.307

2014-01-01

Future Generation Computer Systems

Abstract:Radio-frequency identification (RFID) systems can benefit from cloud databases since information on thousands of tags is queried at the same time. If all RFID readers in a system query a cloud database, data consistency can easily be maintained by cloud computing. Privacy-preserving authentication (PPA) has been proposed to protect RFID security. The time complexity for searching a cloud database in an RFID system is O(N), which is obviously inefficient. Fortunately, PPA uses tree structures to manage tags, which can reduce the complexity from a linear search to a logarithmic search. Hence, tree-based PPA provides RFID scalability. However, in tree-based mechanisms, compromise of a tag may cause other tags in the system to be vulnerable to tracking attacks. Here we propose a secure and efficient privacy-preserving RFID authentication protocol that uses a cloud database as an RFID server. The proposed protocol not only withstands desynchronizing and tracking attacks, but also provides scalability with O(logN) search complexity.

Hung‐Min Sun,Shuai-Min Chen,Chen-En Lu,Cheng‐Ta Yang

2009-01-01

Abstract:There are varies of RFID authentication schemes have been proposed. Most of them address on privacy issues over the tag and the user, however, they are still vulnerable to different attacks and with some weaknesses. In addition, the readers and the back-end server are considered as a single entity for these typical RFID schemes, hence, the communication channel is assumed to be secure. Recently, a concept of mobile reader has been proposed in which the reader is possessed by the user and is equipped inside a mobile device. The mobile RFID reader possessor can extract the information about the tagged objects by communicating with the back-end server through an insecure channel; consequently, a secure RFID authentication is needed. In this paper, two RFID authentication schemes are proposed for the reader-portable RFID environment. These schemes not only provide a novel usage of RFID system, but resolve privacy threats while a mobile reader is not authorized to acquire every tag’s information.

Yongming Jin,Wei Xin,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-29253-8_27

2012-01-01

Abstract:RFID tags are now pervasive in our everyday life. They raise a lot of security and privacy issues. Many authentication protocols against these problems assume that the tags can contain a secret key that is unknown to the adversary. However, physical attacks can lead to key exposure and full security breaks. On the other hand, many protocols are only described and analyzed. However, we cannot explain why they are designed like that. Compare with the previous protocols, we first propose a universal RFID authentication protocol and show the principle why the protocol is designed. It can be instantiated for various types and achieve different security properties according to the implementation of the functions. Then we introduce a general prototype of delay-based PUF for low-cost RFID systems and propose a new lightweight RFID authentication protocol based on the general prototype of PUF. The new protocol not only resists the physical attacks and secret key leakage, but also prevents the asynchronization between the reader and the tag. It also can resist the replay attack, man-in-the-middle attack etc. Finally, we show that it is efficient and practical for low-cost RFID systems.

Wei Xie,Lei Xie,Chen Zhang,Quan Zhang,Chaojing Tang

DOI: https://doi.org/10.1109/RFID.2013.6548151

2013-01-01

Abstract:Along with the development of cloud computing, cloud-based RFID is receiving more and more attentions of researchers and engineers. However, there is no research in which cloud computing is applied to RFID authentication schemes. Most current works lay emphasis on functionalities, lacking considerations about security and privacy. Classical RFID authentication schemes fail to meet the special security and privacy requirements of cloud-based RFID. The basic postulates of traditional backend-sever-based RFID authentication, i.e. secure backend channel and entirely trustworthy database, are no longer natively tenable in cloud-based RFID scenarios. In this paper, a virtual private network agency is suggested to build secure backend channels and to provide readers with anonymous access to the cloud. The cloud database is structured as an encrypted hash table. The first cloud-based RFID authentication protocol preserving tag/reader privacy to database keepers is proposed. Comparing with classical schemes, the proposed scheme has advantages in deployment cost saving, pervasiveness of authentication, scalability of O(1) complexity to verify a tag, mobile reader holders' privacy preserving, and database security.