Efficient detection of counterfeit products in large-scale RFID systems using batch authentication protocols

RFID technology facilitates processing of product information, making it a promising technology for anti-counterfeiting. However, in large-scale RFID applications, such as supply chain, retail industry, pharmaceutical industry, total tag estimation and tag authentication are two major research issues. Though there are per-tag authentication protocols and probabilistic approaches for total tag estimation in RFID systems, the RFID authentication protocols are mainly per-tag-based where the reader authenticates one tag at each time. For a batch of tags, current RFID systems have to identify them and then authenticate each tag sequentially, one at a time. This increases the protocol execution time due to the large volume of authentication data. In this paper, we propose to detect counterfeit tags in large-scale system using efficient batch authentication protocol. We propose FSA-based protocol, FTest, to meet the requirements of prompt and reliable batch authentication in large-scale RFID applications. FTest can determine the validity of a batch of tags with minimal execution time which is a major goal of large-scale RFID systems. FTest can reduce protocol execution time by ensuring that the percentage of potential counterfeit products is under the user-defined threshold. The experimental result demonstrates that FTest performs significantly better than the existing counterfeit detection approaches, for example, existing authentication techniques.     

一种基于Hash函数的改进RFID安全认证协议

为了改善RFID系统中阅读器与标签通信的安全隐私问题,针对现有基于Hash函数的安全认证协议的不足,提出了一种改进安全认证协议。通过论证分析,该协议可以有效的提高RFID系统的安全性,具有效率高、标签成本低等特点。     

供应链环境下UC安全的RFID所有权转移协议*

针对供应链环境下无线射频识别(RFID)标签流动所涉及的节点隐私和供应链可见性管理问题,定义了供应链环境下RFID标签所有权转移的安全需求,提出了通用可组合安全模型,并基于所提出的RFID认证协议,设计了一个能实现该模型的RFID标签所有权转移协议。安全性证明和效率分析表明该协议通过利用授权机制和哈希函数的单向性,很好地解决了可见性和不可追踪性问题,采用索引机制和标签端轻量级的计算方式提高了执行效率。与同类方案相比,该协议降低了标签端的计算量且安全性更高。     

位替换运算的超轻量级移动RFID认证协议

在传统的RFID系统中,读写器与服务器之间采用安全的有线信道通信;而新产生的移动RFID系统则与传统的RFID系统中不同,读写器与服务器之间基于无线信道进行通信,使得适用于传统RFID系统的认证协议并不能运用在移动RFID系统中。为解决该缺陷,提出一种基于位替换运算的超轻量级移动射频识别系统双向认证协议MSB。MSB基于按位运算对信息进行加密,降低通信实体的计算量;标签、读写器、服务器先认证再通信机制,使得MSB能抵抗常见的攻击。对协议进行安全性分析,表明协议具备较高的安全属性;对协议进行性能分析,表明协议具备低计算量的特征;对协议进行基于GNY逻辑形式化分析,给出协议严谨的推理证明过程。     

Fingerprint-based access control using smart cards in IPTV

In internet protocol television (IPTV) environments, authentication should be implemented to provide the IPTV contents to those legitimate subscribers. After successful authentication, a legitimate subscriber is unconditionally granted access to the contents. However, each content might have its own policy that restricts access according to subscriber’s attribute such as age. Authentication only is not sufficient to realize access control embracing diverse policies depending on contents. In this paper, we propose a novel fingerprint-based scheme that enables fine-grained access control according to the policies of contents providers and subscriber’s attribute. The proposed scheme is robust against man-in-the-middle attacks, replay attacks, and impersonation attacks which are considered as common threats in IPTV environments. The scheme also prevents cloning and McCormac Hack problems, that are critical attacks specific to authentication using smart cards.     

Scalable RFID security protocols supporting tag ownership transfer

We identify privacy, security and performance requirements for radio frequency identification (RFID) protocols, as well as additional functional requirements such as tag ownership transfer. Many previously proposed protocols suffer from scalability issues because they require a linear search to identify or authenticate a tag. In support of scalability, some RFID protocols, however, only require constant time for tag identification, but, unfortunately, all previously proposed schemes of this type have serious shortcomings. We propose a novel scalable RFID authentication protocol based on the scheme presented in Song and Mitchell (2009) [1], that takes constant time to authenticate a tag. We also propose secret update protocols for tag ownership and authorisation transfer. The proposed protocols possess the identified privacy, security and performance properties and meet the requirements for secure ownership transfer identified here.     

基于ECC的支持标签所有权转移的RFID认证协议

针对射频识别（RFID）标签认证及其所有权转移过程的隐私泄露等安全问题,以及认证协议通常与标签所有权转移协议单独设计的现状,基于支持椭圆曲线加密（ECC）的标签,提出了一个适用于开放环境的兼具标签认证和所有权转移的协议。该协议结构类似于Diffie-Hellman密钥交换算法结构,协议的标签隐私保护基于椭圆曲线上的计算性Diffie-Hellman问题的难解性。经证明,该协议满足标签隐私保护要求及认证协议的其他安全需求。与近年来其他基于标签支持ECC的RFID认证协议相比,从支持标签所有权转移、标签计算开销、协议通信开销和标签隐私保护等多方面综合评估,所提出的认证协议优于对比协议。另外,针对较安全的应用场合,给出了阅读器单向认证标签的简化版协议。     

A robust NFC-based personalized IPTV service system

Internet Protocol Television (IPTV) is becoming a platform that changes the way we obtain information and entertainment, and offers interactive features and personalized services. Although IPTV service providers can perform TV viewer identification and authentication through a unique hardware identifier in the form of a set-top box (STB), it is based on STB-level identification which leads to the situation where all members of a subscriber family get the same level of access to services. This indicates that existing identification schemes are inconsistent with IPTV’s main intent, namely, providing personalized services. Smartphones with NFC (Near Field Communication) capabilities have grown to become very popular over the years. In this study, we present a novel personalized IPTV service system in which NFC-based identification with HCE (Host Card Emulation) is adopted. The experiments and analyses show that the proposed system can meet the system requirements and provide great usability, deployability and service scalability for personalized IPTV services.     

EPC Gen2标准下强安全射频识别认证协议

由于现在很多射频识别（RFID）认证协议不符合EPC Class 1 Gen 2(EPC Gen2)标准的要求,同时对RFID系统的计算能力要求很高,因此很难在低端标签中实现。针对上述问题,通过分析已有协议的安全性,总结出不安全协议的缺陷,提出了一种新的基于EPC Gen2 标准的RFID认证协议,并采用BAN逻辑对协议进行了安全性证明。通过安全性分析,新协议满足了信息机密性、数据完整性和身份真实性的RFID系统认证协议的安全需求。     

基于秘密共享方案RFID认证协议

标签的认证效率一直以来都是影响无线射频识别（RFID）技术广泛应用的一个重要因素,但是目前还没有一个较好的解决方法。在基于树的RFID协议的基础上,通过秘密共享方案将各边的共享密钥分成多份,在保持查找效率的条件下构建了新的密钥树,并设计了基于共享密钥的认证协议。通过分析表明,协议保证较高的认证效率,同时还具有足够的安全性,而且解决了RFID系统研究中长期困扰的密钥更新问题。     

Secure authentication scheme for passive C1G2 RFID tags

Privacy and security concerns inhibit the fast adaption of RFID technology for many applications. A number of authentication protocols that address these concerns have been proposed but real-world solutions that are secure, maintain low communication cost and can be integrated into the ubiquitous EPCglobal Class 1 Generation 2 tag protocol (C1G2) are still needed and being investigated. We present a novel authentication protocol, which offers a high level of security through the combination of a random key scheme with a strong cryptography. The protocol is applicable to resource, power and computationally constraint platforms such as RFID tags. Our investigation shows that it can provide mutual authentication, untraceability, forward and backward security as well as resistance to replay, denial-ofth-service and man-in-the-middle attacks, while retaining a competitive communication cost. The protocol has been integrated into the EPCglobal C1G2 tag protocol, which assures low implementation cost. We also present a successful implementation of our protocol on real-world components such as the INTEL WISP UHF RFID tag and a C1G2 compliant reader.     

基于流密码的RFID安全认证协议

针对无线射频识别(RFID)认证协议安全性较差的问题,在分布式RFID询问-应答认证协议的基础上,设计一个基于流密码算法的RFID安全认证协议。理论分析结果表明,该协议能够抗假冒攻击、重传攻击、追踪,解决去同步化问题,并使后台数据库的响应速度更快,实用性更强。     

Design of a password-based authenticated key exchange protocol for SIP

The Session Initiation Protocol (SIP) is a signaling communications protocol, which has been chosen for controlling multimedia communication in 3G mobile networks. In recent years, password-based authenticated key exchange protocols are designed to provide strong authentication for SIP. In this paper, we address this problem in two-party setting where the user and server try to authenticate each other, and establish a session key using a shared password. We aim to propose a secure and anonymous authenticated key exchange protocol, which can achieve security and privacy goal without increasing computation and communication overhead. Through the analysis, we show that the proposed protocol is secure, and has computational and computational overheads comparable to related authentication protocols for SIP using elliptic curve cryptography. The proposed protocol is also provably secure in the random oracle model.     

PUF-enhanced offline RFID security and privacy

RFID (Radio Frequency IDentification) based communication solutions have been widely used nowadays for mobile environments such as access control for secure system, ticketing systems for transportation, and sport events. These systems usually depend on readers that are not continuously connected to a secure backend system. Thus, the readers should be able to perform their duties even in offline mode, which generally requires the management by the readers of the susceptible data. The use of RFID may cause several security and privacy issues such as traceability of tag owner, malicious eavesdropping and cloning of tags. Besides, when a reader is compromised by an adversary, the solution to resolve these issues getting worse. In order to handle these issues, several RFID authentication protocols have been recently proposed; but almost none of them provide strong privacy for the tag owner. On the other hand, several frameworks have been proposed to analyze the security and privacy but none of them consider offline RFID system.Motivated by this need, in this paper, we first revisit Vaudenay's model, extend it by considering offline RFID system and introduce the notion of compromise reader attacks. Then, we propose an efficient RFID mutual authentication protocol. Our protocol is based on the use of physically unclonable functions (PUFs) which provide cost-efficient means to the fingerprint chips based on their physical properties. We prove that our protocol provides destructive privacy for tag owner even against reader attacks.     

A novel mutual authentication scheme based on quadratic residues for RFID systems

In 2004, Ari Juels proposed a Yoking-Proofs protocol for RFID systems. Their aim is to permit a pair of tags to generate a proof which is verifiable off-line by a trusted entity even when the readers are potentially untrusted. However, we found that their protocol does not possess the anonymity property but also suffers from both known-plaintext attack and replay attack. Wong et al. [Kirk H.M. Wong, Patrick C.L. Hui, Allan C.K. Chan, Cryptography and authentication on RFID passive tags for apparel products, Computer in Industry 57 (2005) 342–349] proposed an authentication scheme for RFID passive tags, attempting to be a standard for apparel products. Yet, to our review, their protocol suffers from guessing parameter attack and replay attack. Moreover, both of the schemes have the common weakness: the backend server must use brute search for each tag’s authentication. In this paper, we first describe the weaknesses in the two above-mentioned protocols. Then, we propose a novel efficient scheme which not only achieve the mutual authentication between the server and the tag but also can satisfy all the security requirements needed in an RFID system.     

Vulnerability of an RFID authentication protocol conforming to EPC Class 1 Generation 2 Standards

Recently, Chien et al. proposed an RFID authentication protocol, which consists of only the cyclic redundancy code (CRC) and the pseudo-random number generator (PRNG) [H. Chien, C. Chen, Mutual Authentication Protocol for RFID Conforming to EPC Class 1 Generation 2 Standards, Computer Standards & Interfaces, vol. 29, Elsevier, 2007, pp. 254–259]. They claimed that the protocol conforms to current EPC tags, and would be secure against all attacks on RFID systems. However, in this paper, we show that the protocol is not secure; firstly an attacker can impersonate a valid tag temporarily by a single eavesdropping. Secondly the attacker can forge a tag permanently by eavesdropping two consecutive sessions. Finally he can make a valid tag useless (DoS attack) by modifying the second attack slightly. The computational complexities of the attacks are so practicable that Chien et al.'s protocol cannot enhance the RFID security any more than the original EPC standard.     

一种适合于低成本标签的RFID双向认证协议

在分析现有一些RFID认证协议的基础上,提出了一种新的适合低成本标签的双向认证协议,并对其进行了SMV模型检测形式化证明和性能分析。结果表明该认证协议具有认证性、保密性和完整性,能够满足低成本标签的安全需求,并且在安全性能提高的同时仍具有较好的执行性能。     

一种新的轻量级RFID双向认证协议

RFID技术是一种广泛应用于各种物体识别和跟踪的自动识别技术,它适用于多个领域。然而,设计出一个安全的轻量级的RFID认证协议是一项具有挑战性的任务。最近Kulseng等人提出了一种轻量级RFID认证协议,该协议采用物理不可克隆技术和线性反馈移位寄存器来实现,非常适合轻量级操作。分析发现,该协议存在几个严重的安全问题。在分析上述协议的基础上,提出了一种新的轻量级RFID双向认证协议。分析表明,新协议在保持轻量级操作的同时,具有更好的安全性和保密性。     

供应链环境下安全的RFID通信协议

射频识别(RFID)技术给供应链管理带来极大的便利。安全的RFID通信协议是实现和保护基于RFID供应链系统安全性的重要方法。描述了供应链环境下RFID通信协议的安全需求,提出了一个新的供应链环境下安全的RFID通信协议。新协议具有较高的效率,且标签端的计算负荷和存储成本较低。     

一种基于PUF的超轻量级RFID标签所有权转移协议

针对RFID标签所有权转移协议中存在的数据完整性受到破坏、物理克隆攻击、去同步攻击等多种安全隐私问题,新提出一种基于物理不可克隆函数(PUF)的超轻量级RFID标签所有权转移协议—PUROTP.该协议中标签所有权的原所有者和新所有者之间直接进行通信完成所有权转移,从而不需要引入可信第三方,主要涉及的运算包括左循环移位变换(Rot(X,Y))和异或运算($\oplus$)以及标签中内置的物理不可克隆函数(PUF),并且该协议实现了两重认证,即所有权转移之前的标签原所有者与标签之间的双向认证、所有权转移之后的标签新所有者与标签之间的双向认证.通过使用BAN(Burrows-Abadi-Needham)逻辑形式化安全性分析以及协议安全分析工具Scyther对PUROTP协议的安全性进行验证,结果表明该协议的通信过程是安全的,Scyther没有发现恶意攻击,PUROTP协议能够保证通信过程中交互信息的安全性及数据隐私性.通过与现有部分经典RFID所有权转移协议的安全性及性能对比分析,结果表明该协议不仅能够满足标签所有权转移过程中的数据完整性、前向安全性、双向认证性等安全要求,而且能够抵抗物理克隆攻击、重放攻击、中间人攻击、去同步攻击等多种恶意攻击.在没有额外增加计算代价和存储开销的同时克服了现有方案存在的安全和隐私隐患,具有一定的社会经济价值.