7 research outputs found

    An Automatic, Time-Based, Secure Pairing Protocol for Passive RFID

    This paper introduces the Adopted-Pet (AP) protocol, an automatic (i.e. requiring no human interaction) secure pairing protocol, adequate for the pairing between a passive RFID tag and a reader. Most pairing protocols rely for their security on a certain advantage that the legitimate devices have over any malicious users. Such advantages include proximity (employing near-field communication) or secret keys that are either produced with the assistance of, or verified by, the legitimate user. The advantage exploited by our novel AP protocol is the amount of uninterrupted time spent by the two devices in the proximity (although not requiring near-field communication) of each other. We discuss several implementation configurations, all based on pseudo-random bit generators, employing short-length LFSRs, and requiring no more than 2000 transistors. This makes the protocol ideally suited for low-cost passive RFID tags. For each configuration we show that the AP protocol is highly secure against occasional malicious entities.

    Adaptive online/offline RFID scheme for supply chain management systems


    Survey and Systematization of Secure Device Pairing

    Secure Device Pairing (SDP) schemes have been developed to facilitate secure communications among smart devices, both personal mobile devices and Internet of Things (IoT) devices. Comparison and assessment of SDP schemes is troublesome, because each scheme makes different assumptions about out-of-band channels and adversary models, and is driven by its particular use-cases. A conceptual model that facilitates meaningful comparison among SDP schemes is missing. We provide such a model. In this article, we survey and analyze a wide range of SDP schemes that are described in the literature, including a number that have been adopted as standards. A system model and consistent terminology for SDP schemes are built on the foundation of this survey, which are then used to classify existing SDP schemes into a taxonomy that, for the first time, enables their meaningful comparison and analysis. The existing SDP schemes are analyzed using this model, revealing common systemic security weaknesses among the surveyed SDP schemes that should become priority areas for future SDP research, such as improving the integration of privacy requirements into the design of SDP schemes. Our results allow SDP scheme designers to create schemes that are more easily comparable with one another, and to assist the prevention of persisting the weaknesses common to the current generation of SDP schemes. Comment: 34 pages, 5 figures, 3 tables, accepted at IEEE Communications Surveys & Tutorials 2017 (Volume: PP, Issue: 99

    An Automatic, Time-Based, Secure Pairing Protocol for Passive RFID

    This paper introduces the Adopted-Pet (AP) protocol, an automatic (i.e. requiring no human interaction) secure pairing protocol, adequate for the pairing between a passive RFID tag and a reader. Most pairing protocols rely for their security on a certain advantage that the legitimate devices have over any malicious users. Such advantages include proximity (employing near-field communication) or secret keys that are either produced with the assistance of, or verified by, the legitimate user. The advantage exploited by our novel AP protocol is the amount of uninterrupted time spent by the two devices in the proximity (although not requiring near-field communication) of each other. We discuss several implementation configurations, all based on pseudo-random bit generators, employing short-length LFSRs, and requiring no more than 2000 transistors. This makes the protocol ideally suited for low-cost passive RFID tags. For each configuration we show that the AP protocol is highly secure against occasional malicious entities. This is a post-peer-review, pre-copyedit version of an article published in Lecture Notes in Computer Science. The final authenticated version is available online at DOI: 10.1007/978-3-642-25286-0_8. Posted with permission.

    Development of an exportable corporate trust system: Application to product traceability environments

    It is increasingly common for several manufacturers and companies to take part in manufacturing processes. At the same time, a product characteristic that consumers value highly today is quality. It is no longer enough to produce cheaply; producing with quality matters more and more, and quality is a differentiating factor among goods manufactured under different brands. Quality is increasingly being integrated into companies and into their production and management processes as an added, differentiating value of the product. It is common to find various quality controls throughout manufacturing processes. What is less common is being able to identify the operators in charge of quality control. At most, the person in charge of final quality control leaves some kind of identification (for example, a small sticker or label with a printed number), but this identification loses its meaning as soon as the product enters another production chain or reaches the buyer. In this scenario another important factor appears: trust. In current production systems, trust relationships must be established between the companies in charge of the different production phases (each expects the others to do their work as agreed). In addition, the agents designated to verify that products conform to what is expected at the various production phases are entrusted with the trust of the company they belong to. The main objective of the thesis is to develop an exportable corporate trust model that is simple and inexpensive to implement. To that end, a trustworthy system of digital identity for products has been proposed. 
That is, each product has a set of attributes that define its digital identity and make it unique, and each of these attributes is also vouched for by the control agent who verified it, so it can be said to be a quality identity. With this approach, and with minimal infrastructure, all the processes and companies involved in the production chain can be integrated into the system under a common quality seal: the product's quality identity. To check the validity of this proposal, a proof of concept was carried out, integrating this quality identity system into a food traceability environment based on RFID (radio-frequency identification). This prototype, which serves to secure the traceability of a processed meat product, was built on RFID-based tagging technology. With this technology, and for the environmental conditions in which the production process of the pieces to be controlled takes place in this specific case, the suitable type of tag has an extremely small amount of memory. Moreover, because hundreds of thousands of tags must be used each year, the cost of these tags must be very low, so only very simple tags (and therefore without computing capabilities) can be used. To be able to use this type of tag, the cryptographic operations are performed not on the tag but in an external system based on a Public Key Infrastructure (PKI), so that the tag serves only as a carrier of data in plaintext (unencrypted) but electronically signed. To solve the problem of the limited memory available for the signatures of the different control agents, aggregate signatures have been used. 
In addition, by working with elliptic curve cryptography, the signature size is notably smaller, for the same security level, than that of other systems. Furthermore, the proposed system allows trust to be transferred between the companies involved in a production process (it is enough to share the signers' public keys and their names), and it adapts to any production environment. For all these reasons, the proposed system effectively solves the integration of various companies into the manufacturing process of a product, at low cost, and allows the digital identity to be verified at any point in the process, including the marketing phase.

    Design and Analysis of Security Schemes for Low-cost RFID Systems

    With the remarkable progress in microelectronics and low-power semiconductor technologies, Radio Frequency IDentification technology (RFID) has moved from obscurity into mainstream applications, which essentially provides an indispensable foundation to realize ubiquitous computing and machine perception. However, the catching and exclusive characteristics of RFID systems introduce growing security and privacy concerns. To address these issues are particularly challenging for low-cost RFID systems, where tags are extremely constrained in resources, power and cost. The primary reasons are: (1) the security requirements of low-cost RFID systems are even more rigorous due to large operation range and mass deployment; and (2) the passive tags' modest capabilities and the necessity to keep their prices low present a novel problem that goes beyond the well-studied problems of traditional cryptography. This thesis presents our research results on the design and the analysis of security schemes for low-cost RFID systems. Motivated by the recent attention on exploiting physical layer resources in the design of security schemes, we investigate how to solve the eavesdropping, modification and one particular type of relay attacks toward the tag-to-reader communication in passive RFID systems without requiring lightweight ciphers. To this end, we propose a novel physical layer scheme, called Backscatter modulation- and Uncoordinated frequency hopping-assisted Physical Layer Enhancement (BUPLE). The idea behind it is to use the amplitude of the carrier to transmit messages as normal, while to utilize its periodically varied frequency to hide the transmission from the eavesdropper/relayer and to exploit a random sequence modulated to the carrier's phase to defeat malicious modifications. 
We further improve its eavesdropping resistance through the coding in the physical layer, since BUPLE ensures that the tag-to-eavesdropper channel is strictly noisier than the tag-to-reader channel. Three practical Wiretap Channel Codes (WCCs) for passive tags are then proposed: two of them are constructed from linear error correcting codes, and the other one is constructed from a resilient vector Boolean function. The security and usability of BUPLE in conjunction with WCCs are further confirmed by our proof-of-concept implementation and testing. Eavesdropping the communication between a legitimate reader and a victim tag to obtain raw data is a basic tool for the adversary. However, given the fundamentality of eavesdropping attacks, there are limited prior work investigating its intension and extension for passive RFID systems. To this end, we firstly identified a brand-new attack, working at physical layer, against backscattered RFID communications, called unidirectional active eavesdropping, which defeats the customary impression that eavesdropping is a "passive" attack. To launch this attack, the adversary transmits an un-modulated carrier (called blank carrier) at a certain frequency while a valid reader and a tag interacts at another frequency channel. Once the tag modulates the amplitude of reader's signal, it causes fluctuations on the blank carrier as well. By carefully examining the amplitude of the backscattered versions of the blank carrier and the reader's carrier, the adversary could intercept the ongoing reader-tag communication with either significantly lower bit error rate or from a significantly greater distance away. Our concept is demonstrated and empirically analyzed towards a popular low-cost RFID system, i.e., EPC Gen2. 
Although active eavesdropping in general is not trivial to be prohibited, for a particular type of active eavesdropper, namely a greedy proactive eavesdropper, we propose a simple countermeasure without introducing extra cost to current RFID systems. The needs of cryptographic primitives on constraint devices keep increasing with the growing pervasiveness of these devices. One recent design of the lightweight block cipher is Hummingbird-2. We study its cryptographic strength under a novel technique we developed, called Differential Sequence Attack (DSA), and present the first cryptanalytic result on this cipher. In particular, our full attack can be divided into two phases: preparation phase and key recovery phase. During the key recovery phase, we exploit the fact that the differential sequence for the last round of Hummingbird-2 can be retrieved by querying the full cipher, due to which, the search space of the secret key can be significantly reduced. Thus, by attacking the encryption (decryption resp.) of Hummingbird-2, our algorithm recovers 36-bit (another 28-bit resp.) out of 128-bit key with $2^{68}$ ($2^{60}$ resp.) time complexity if particular differential conditions of the internal states and of the keys at one round can be imposed. Additionally, the rest 64-bit of the key can be exhaustively searched and the overall time complexity is dominated by $2^{68}$. During the preparation phase, by investing $2^{81}$ effort in time, the adversary is able to create the differential conditions required in the key recovery phase with at least 0.5 probability. As an additional effort, we examine the cryptanalytic strength of another lightweight candidate known as A2U2, which is the most lightweight cryptographic primitive proposed so far for low-cost tags. 
Our chosen-plaintext-attack fully breaks this cipher by recovering its secret key with only querying the encryption twice on the victim tag and solving 32 sparse systems of linear equations (where each system has 56 unknowns and around 28 unknowns can be directly obtained without computation) in the worst case, which takes around 0.16 second on a Thinkpad T410 laptop