
    Lightweight Cryptography for Passive RFID Tags


    Survey on Lightweight Primitives and Protocols for RFID in Wireless Sensor Networks

    The use of radio frequency identification (RFID) technologies is becoming widespread in all kinds of wireless network-based applications. As expected, applications based on sensor networks, ad-hoc or mobile ad hoc networks (MANETs) can benefit greatly from the adoption of RFID solutions. There is a strong need to employ lightweight cryptographic primitives for many security applications because of the tight cost and constrained resource requirements of sensor-based networks. This paper mainly focuses on the security analysis of lightweight protocols and algorithms proposed for the security of RFID systems. A large number of research solutions have been proposed to implement lightweight cryptographic primitives and protocols in resource-constrained networks based on sensor and RFID integration. In this work, an overview of the currently discussed lightweight primitives and their attributes has been done. These primitives and protocols have been compared based on gate equivalents (GEs), power, technology, strengths, weaknesses and attacks. Further, an integration of primitives and protocols is compared with the possibilities of their applications in practical scenarios.

    Design and Analysis of Security Schemes for Low-cost RFID Systems

    With the remarkable progress in microelectronics and low-power semiconductor technologies, Radio Frequency IDentification technology (RFID) has moved from obscurity into mainstream applications, which essentially provides an indispensable foundation to realize ubiquitous computing and machine perception. However, the catching and exclusive characteristics of RFID systems introduce growing security and privacy concerns. Addressing these issues is particularly challenging for low-cost RFID systems, where tags are extremely constrained in resources, power and cost. The primary reasons are: (1) the security requirements of low-cost RFID systems are even more rigorous due to the large operation range and mass deployment; and (2) the passive tags' modest capabilities and the necessity to keep their prices low present a novel problem that goes beyond the well-studied problems of traditional cryptography. This thesis presents our research results on the design and the analysis of security schemes for low-cost RFID systems. Motivated by the recent attention on exploiting physical layer resources in the design of security schemes, we investigate how to solve the eavesdropping, modification and one particular type of relay attacks toward the tag-to-reader communication in passive RFID systems without requiring lightweight ciphers. To this end, we propose a novel physical layer scheme, called Backscatter modulation- and Uncoordinated frequency hopping-assisted Physical Layer Enhancement (BUPLE). The idea behind it is to use the amplitude of the carrier to transmit messages as normal, while utilizing its periodically varied frequency to hide the transmission from the eavesdropper/relayer and exploiting a random sequence modulated onto the carrier's phase to defeat malicious modifications.
We further improve its eavesdropping resistance through coding in the physical layer, since BUPLE ensures that the tag-to-eavesdropper channel is strictly noisier than the tag-to-reader channel. Three practical Wiretap Channel Codes (WCCs) for passive tags are then proposed: two of them are constructed from linear error correcting codes, and the other one is constructed from a resilient vector Boolean function. The security and usability of BUPLE in conjunction with WCCs are further confirmed by our proof-of-concept implementation and testing. Eavesdropping on the communication between a legitimate reader and a victim tag to obtain raw data is a basic tool for the adversary. However, given the fundamentality of eavesdropping attacks, there is limited prior work investigating its intension and extension for passive RFID systems. To this end, we first identified a brand-new attack, working at the physical layer, against backscattered RFID communications, called unidirectional active eavesdropping, which defeats the customary impression that eavesdropping is a "passive" attack. To launch this attack, the adversary transmits an un-modulated carrier (called a blank carrier) at a certain frequency while a valid reader and a tag interact on another frequency channel. Once the tag modulates the amplitude of the reader's signal, it causes fluctuations on the blank carrier as well. By carefully examining the amplitude of the backscattered versions of the blank carrier and the reader's carrier, the adversary could intercept the ongoing reader-tag communication with either a significantly lower bit error rate or from a significantly greater distance away. Our concept is demonstrated and empirically analyzed on a popular low-cost RFID system, i.e., EPC Gen2.
Although active eavesdropping in general is not trivial to prevent, for a particular type of active eavesdropper, namely a greedy proactive eavesdropper, we propose a simple countermeasure without introducing extra cost to current RFID systems. The need for cryptographic primitives on constrained devices keeps increasing with the growing pervasiveness of these devices. One recent design of lightweight block cipher is Hummingbird-2. We study its cryptographic strength under a novel technique we developed, called Differential Sequence Attack (DSA), and present the first cryptanalytic result on this cipher. In particular, our full attack can be divided into two phases: a preparation phase and a key recovery phase. During the key recovery phase, we exploit the fact that the differential sequence for the last round of Hummingbird-2 can be retrieved by querying the full cipher, due to which the search space of the secret key can be significantly reduced. Thus, by attacking the encryption (decryption resp.) of Hummingbird-2, our algorithm recovers 36 bits (another 28 bits resp.) of the 128-bit key with 2^{68} (2^{60} resp.) time complexity if particular differential conditions of the internal states and of the keys at one round can be imposed. Additionally, the remaining 64 bits of the key can be exhaustively searched and the overall time complexity is dominated by 2^{68}. During the preparation phase, by investing 2^{81} effort in time, the adversary is able to create the differential conditions required in the key recovery phase with probability at least 0.5. As an additional effort, we examine the cryptanalytic strength of another lightweight candidate known as A2U2, which is the most lightweight cryptographic primitive proposed so far for low-cost tags.
Our chosen-plaintext attack fully breaks this cipher by recovering its secret key by querying the encryption only twice on the victim tag and solving 32 sparse systems of linear equations (where each system has 56 unknowns and around 28 unknowns can be directly obtained without computation) in the worst case, which takes around 0.16 seconds on a Thinkpad T410 laptop.

    Lightweight symmetric cryptography

    The Internet of Things is one of the principal trends in information technology nowadays. The main idea behind this concept is that devices communicate autonomously with each other over the Internet. Some of these devices have extremely limited resources, such as power and energy, available time for computations, amount of silicon to produce the chip, computational power, etc. Classical cryptographic primitives are often infeasible for such constrained devices. The goal of lightweight cryptography is to introduce cryptographic solutions with reduced resource consumption, but with a sufficient security level. Although this research area was of great interest to academia during the last years and a large number of proposals for lightweight cryptographic primitives have been introduced, almost none of them are used in the real world. Probably one of the reasons is that, for academia, lightweight usually meant designing cryptographic primitives such that they require minimal resources among all existing solutions. This exciting research problem became an important driver which allowed the academic community to better understand many cryptographic design concepts and to develop new attacks. However, this criterion does not seem to be the most important one for industry, where lightweight may be considered as "rightweight". In other words, a given cryptographic solution just has to fit the constraints of the specific use cases rather than to be the smallest. Unfortunately, academic researchers tended to neglect vital properties of the particular types of devices in which they intended to apply their primitives. That is, often solutions were proposed where the usage of some resources was reduced to a minimum. However, this was achieved by introducing new costs which were not appropriately taken into account, or in such a way that the reduction of costs also led to a decrease in the security level.
Hence, there is a clear gap between academia and industry in understanding what lightweight cryptography is. In this work, we are trying to fill some of these gaps. We carefully investigate a broad number of existing lightweight cryptographic primitives proposed by academia, including authentication protocols, stream ciphers, and block ciphers, and evaluate their applicability for real-world scenarios. We then look at how individual components of the design of the primitives influence their cost and summarize the steps to be taken into account when designing primitives for concrete cost optimization, more precisely for low energy consumption. Next, we propose new implementation techniques for existing designs, making them more efficient or smaller in hardware without the necessity to pay any additional costs. After that, we introduce a new stream cipher design philosophy which enables secure stream ciphers with smaller area size than ever before and, at the same time, considerably higher throughput compared to any other encryption schemes of similar hardware cost. To demonstrate the feasibility of our findings we propose two ciphers with the smallest area size so far, namely Sprout and Plantlet, and the most energy efficient encryption scheme, called Trivium-2. Finally, this thesis solves a concrete industrial problem. Based on standardized cryptographic solutions, we design an end-to-end data-protection scheme for low power networks. This scheme was deployed on the water distribution network in the City of Antibes, France.

    Exploiting Transformations of the Galois Configuration to Improve Guess-and-Determine Attacks on NFSRs

    Guess-and-determine attacks are based on guessing a subset of internal state bits and subsequently using these guesses together with the cipher's output function to determine the value of the remaining state. These attacks have been successfully employed to break NFSR-based stream ciphers. The complexity of a guess-and-determine attack is directly related to the number of state bits used in the output function. Consequently, an opportunity exists for efficient cryptanalysis of NFSR-based stream ciphers if the NFSRs used can be transformed to derive an equivalent stream cipher with a simplified output function. In this paper, we present a new technique for transforming NFSRs. We show how we can use this technique to transform NFSRs to equivalent NFSRs with simplified output functions. We explain how such transformations can assist in cryptanalysis of NFSR-based ciphers and demonstrate the application of the technique to successfully cryptanalyse the lightweight cipher Sprout. Our attack on Sprout has a time complexity of 2^{70.87}, which is 2^{3.64} times better than any published non-TMD attack, and requires only 164 bits of plaintext-ciphertext pairs.

    State of the Art in Lightweight Symmetric Cryptography

    Lightweight cryptography has been one of the hot topics in symmetric cryptography in recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a lightweight algorithm is usually designed to satisfy in both the software and the hardware case. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (NIST...) and international (ISO/IEC...) standards are listed. We identified several trends in the design of lightweight algorithms, such as the designers' preference for ARX-based and bitsliced-S-Box-based designs or simpler key schedules. We also discuss more general trade-offs facing the authors of such algorithms and suggest a clearer distinction between two subsets of lightweight cryptography. The first, ultra-lightweight cryptography, deals with primitives fulfilling a unique purpose while satisfying specific and narrow constraints. The second is ubiquitous cryptography, and it encompasses more versatile algorithms both in terms of functionality and in terms of implementation trade-offs.

    Security of Ubiquitous Computing Systems

    The chapters in this open access book arise out of the EU COST Action project Cryptacus, the objective of which was to improve and adapt existing cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license.

    An Improved Attack Method for Keystream Generators with Keyed Boolean Feedback Function

    Ultra-lightweight stream ciphers are highly optimized variations of stream ciphers for minuscule hardware with limited power and computation resources, such as RFID product tags used in retail marketing and Wireless Sensor Network components that are an indispensable part of modern SCADA systems. In FSE 2015, Armknecht and Mikhalev presented a unique ultra-lightweight stream cipher design approach defined as Keystream Generators with Keyed Update Function (KSG with KUF) along with a concrete cipher, Sprout [1]. This design approach, used by recent stream ciphers such as Fruit [2] and Plantlet [3], promises to make use of the secret key during state updates in order to maintain the security level as well as shorten the internal state size to reduce hardware area in conjunction with power consumption. In 2018, the definition of KSG with KUF was narrowed by Kara and Esgin [4], with the new definition Keystream Generators with Boolean Keyed Feedback Function (KSG with Boolean KFF), on which a generic scope trade-off attack is also mounted. This attack relies on the guess capacity definition given in the same article to eliminate wrong states during the exhaustive search operation. In this thesis, we examined this generic Kara and Esgin attack in depth and accelerated it by a factor of up to about 60 times. In order to accomplish this speedup, a new guess capacity definition and sieving method are introduced in addition to the improved algorithm, which contributes to the efficiency of the attack in both performance and stability. Improvements are validated with intense performance tests comprising nearly twenty sample feedback functions, including Sprout, with diverse existence of guess capacities.
    Contents (translated from Turkish): Declaration of Authorship; Abstract; Abstract (Turkish); Acknowledgements; List of Figures; List of Tables; Abbreviations; Glossary.
    1 Introduction: 1.1 Motivation; 1.2 Related Work; 1.3 Our Contributions; 1.4 Thesis Outline.
    2 Basic Concepts: 2.1 A Brief History of Cryptography (2.1.1 Evolution of Communication Methods; 2.1.2 What Is Cryptography?); 2.2 Classification of Cryptographic Algorithms (2.2.1 Ancient Techniques; 2.2.2 Transition to the Electronic World).
    3 Stream Ciphers: 3.1 Introduction and Application Areas (3.1.1 GSM (2G), UMTS (3G) and LTE (4G) Security; 3.1.2 Wireless Network Security (WEP and WPA); 3.1.3 RFID Applications; 3.1.4 Wireless Sensor Networks (WSN); 3.1.5 ZigBee Protocol); 3.2 Basic Concepts of Stream Ciphers; 3.3 One Time Pad; 3.4 Hardware Properties and Performance Metrics (3.4.1 Hardware Size (Gate Equivalents); 3.4.2 Throughput; 3.4.3 Propagation Delay; 3.4.4 Operating Clock Frequency); 3.5 Linear Feedback Shift Register (LFSR); 3.6 Nonlinear Feedback Shift Register (NLFSR); 3.7 A Quick Look at A5/1 (3.7.1 Keystream Generator Design; 3.7.2 Initialization Phase); 3.8 A Quick Look at Trivium; 3.9 A Quick Look at Espresso.
    4 Keystream Generators with Keyed Update Function: 4.1 Definitions; 4.2 The Sprout Algorithm (4.2.1 Starting Point; 4.2.2 Design; 4.2.3 Initialization Phase; 4.2.4 Known Attacks).
    5 Generic Attack on the ABGBF-KAÜ (KSG with Boolean KFF) Family: 5.1 Description of the Attack (5.1.1 Guess Capacity (Prg); 5.1.2 Output Capacity (θ); 5.1.3 Miss Probability (); 5.1.4 Termination Value (αter); 5.1.5 Threshold Value (αthr); 5.1.6 Internal State Weakness Indicator (d)); 5.2 Internal State Recovery Algorithm (5.2.1 İDGK Pseudocode); 5.3 Determine Algorithm; 5.4 Check & Guess Algorithm; 5.5 Key Recovery Phase.
    6 Improved Attack Algorithm: 6.1 Bottlenecks in the Existing Algorithm; 6.2 Bug Fix (6.2.1 Pseudocode); 6.3 Improvement No:1 (6.3.1 Improved Algorithm; 6.3.2 Pseudocode; 6.3.3 Effect of the Improvement on Performance); 6.4 Improvement No:3 (6.4.1 Pseudocode); 6.5 Final Design of the Improved Algorithm (6.5.1 Pseudocode).
    7 Performance Analysis of the Improved Algorithm: 7.1 Preliminaries (7.1.1 Computer Implementation of the Simulation; 7.1.2 Test System; 7.1.3 Test Scenario and Test Functions; 7.1.4 Performance Metrics); 7.2 Test Results (7.2.1 Interpretation of the Graphs).
    8 Conclusion: 8.1 Design of the New Algorithm; 8.2 Findings; 8.3 Known Limitations; 8.4 Future Research Topics; 8.5 Final Remarks.
    A KE Algorithm Memory Usage Report. B Simulation Application Source Code: B.1 Development Process; B.2 Project Structure; B.3 Project 1; B.4 Project 2. References.