Good Variants of HB+ are Hard to Find
- In Proceedings of Financial Crypto 2008
Cited by 13 (2 self)
Abstract. The strikingly simple HB+ protocol of Juels and Weis [11] has been proposed for the authentication of low-cost RFID tags. As well as being computationally efficient, the protocol is accompanied by an elegant proof of security. After its publication, Gilbert et al. [8] demonstrated a simple man-in-the-middle attack that allowed an attacker to recover the secret authentication keys. (The attack does not contradict the proof of security since the attacker lies outside the adversarial model.) Since then a range of schemes closely related to HB+ have been proposed and these are intended to build on the security of HB+ while offering resistance to the attack of [8]. In this paper we show that many of these variants can still be attacked using the techniques of [8] and the original HB+ protocol remains the most attractive member of the HB+ family. Key words: HB+, RFID tags, authentication, LPN.
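Added illustration, not code from the paper: a toy Python model of one HB+ round (tag sends a blinding vector b, reader sends a challenge a, tag answers z = <a,x> xor <b,y> xor nu with nu ~ Bernoulli(eta)) and of the Gilbert, Robshaw and Sibert man-in-the-middle attack the abstract refers to, in which an adversary sitting between reader and tag XORs a constant delta into every challenge of an authentication and learns <delta,x> from whether the reader still accepts. Doing this with delta = e_i for each i recovers x one bit per authentication, without ever touching y. The parameters N_BITS, ETA, ROUNDS and THRESHOLD and the class names are assumptions chosen for the demo, not the papers' values.

```python
"""Toy HB+ (Juels-Weis) authentication plus the Gilbert-Robshaw-Sibert
man-in-the-middle key recovery. Added example; parameters are assumptions
chosen so the demo runs in well under a second, not the papers' values."""
import random

N_BITS = 32      # length of each secret x, y (assumed; real tags use hundreds of bits)
ETA = 0.1        # Bernoulli noise rate the tag adds to its answers (assumed)
ROUNDS = 100     # rounds per authentication (assumed)
THRESHOLD = 30   # accept if at most this many answers are wrong (u = 0.3, eta < u < 1/2)


def parity(v: int) -> int:
    """GF(2) inner product <a, x> == parity of popcount(a & x)."""
    return bin(v).count("1") & 1


class Tag:
    def __init__(self, x: int, y: int, rng: random.Random):
        self.x, self.y, self.rng = x, y, rng

    def blinding(self) -> int:
        # Round step 1: tag sends a fresh blinding vector b (what HB+ adds over HB).
        return self.rng.getrandbits(N_BITS)

    def respond(self, a: int, b: int) -> int:
        # Round step 3: z = <a,x> xor <b,y> xor nu, nu ~ Bernoulli(eta).
        nu = 1 if self.rng.random() < ETA else 0
        return parity(a & self.x) ^ parity(b & self.y) ^ nu


class Reader:
    def __init__(self, x: int, y: int, rng: random.Random):
        self.x, self.y, self.rng = x, y, rng

    def challenge(self) -> int:
        # Round step 2: reader sends a random challenge a.
        return self.rng.getrandbits(N_BITS)

    def verify(self, transcript) -> bool:
        wrong = sum(1 for a, b, z in transcript
                    if parity(a & self.x) ^ parity(b & self.y) != z)
        return wrong <= THRESHOLD


def authenticate(tag: Tag, reader: Reader, delta: int = 0) -> bool:
    """Run one authentication of ROUNDS rounds. `delta` is XORed into every
    challenge on the wire: delta == 0 is the honest run, delta != 0 is the
    GRS adversary modifying the reader's message before the tag sees it."""
    transcript = []
    for _ in range(ROUNDS):
        b = tag.blinding()
        a = reader.challenge()
        z = tag.respond(a ^ delta, b)   # tag answers the modified challenge
        transcript.append((a, b, z))    # reader checks against the a it sent
    return reader.verify(transcript)


def grs_recover_x(tag: Tag, reader: Reader) -> int:
    """Flipping bit i of every challenge changes every answer by <e_i, x> = x_i.
    If x_i = 0 the run is unaffected and accepted; if x_i = 1 every answer is
    flipped and the reader rejects. One authentication per key bit recovers x."""
    x = 0
    for i in range(N_BITS):
        if not authenticate(tag, reader, delta=1 << i):
            x |= 1 << i
    return x


def demo(seed: int = 1) -> tuple:
    """Returns (honest run accepted, recovered x == real x)."""
    rng = random.Random(seed)   # seeded only for reproducibility; use secrets in practice
    x, y = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    tag, reader = Tag(x, y, rng), Reader(x, y, rng)
    honest = authenticate(tag, reader)
    recovered = grs_recover_x(tag, reader)
    return honest, recovered == x


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The honest run is accepted because the tag's error count stays near eta * ROUNDS, well under THRESHOLD. The attack never impersonates the tag and never sees y; it only needs to alter the reader's challenges and observe accept/reject, which is exactly the capability the HB+ proof's adversary does not have, as the abstract notes.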
How to encrypt with the LPN problem
- IN: AUTOMATA, LANGUAGES AND PROGRAMMING, 35TH INTERNATIONAL COLLOQUIUM, ICALP ’08
, 2008
Cited by 9 (0 self)
We present a probabilistic private-key encryption scheme named LPN-C whose security can be reduced to the hardness of the Learning from Parity with Noise (LPN) problem. The proposed protocol involves only basic operations in GF(2) and an error-correcting code. We show that it achieves indistinguishability under adaptive chosen plaintext attacks (IND-P2-C0). Appending a secure MAC renders the scheme secure under adaptive chosen ciphertext attacks. This scheme enriches the range of available cryptographic primitives whose security relies on the hardness of the LPN problem.
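Added example, not the authors' code: a toy instance of the LPN-C shape the abstract describes (GF(2) operations plus an error-correcting code). The secret key is a random M x K binary matrix; encrypting x picks a fresh random a and noise vector nu and outputs (a, C(x) xor M*a xor nu); decrypting strips M*a and lets the code C remove nu. The repetition code and the sizes K, R, REP and ETA are assumptions chosen for the demo; the paper's own parameters and code choice are not reproduced here.

```python
"""Toy LPN-C: private-key encryption from Learning Parity with Noise.
Added example with assumed parameters; not the paper's reference code."""
import random

K = 64       # length of the random vector a (assumed)
R = 16       # plaintext length in bits (assumed)
REP = 7      # toy ECC: each plaintext bit repeated REP times, majority decode (assumed)
M = R * REP  # codeword / ciphertext-body length
ETA = 0.02   # noise rate; must stay well below what the code corrects (assumed)


def parity(v: int) -> int:
    """GF(2) inner product of two bit vectors packed as ints."""
    return bin(v).count("1") & 1


def keygen(rng: random.Random) -> list:
    """Secret key: an M x K binary matrix, one K-bit row per codeword position."""
    return [rng.getrandbits(K) for _ in range(M)]


def encode(x: int) -> list:
    """C(x): repetition code, R bits -> M bits (bit i repeated REP times)."""
    return [(x >> i) & 1 for i in range(R) for _ in range(REP)]


def decode(bits: list) -> int:
    """Majority vote per group of REP bits; corrects up to REP//2 flips per group."""
    x = 0
    for i in range(R):
        if sum(bits[i * REP:(i + 1) * REP]) > REP // 2:
            x |= 1 << i
    return x


def encrypt(key: list, x: int, rng: random.Random) -> tuple:
    """Ciphertext (a, y) with y = C(x) xor M*a xor nu. Fresh a and nu every call,
    so the same plaintext encrypts differently each time."""
    a = rng.getrandbits(K)
    code = encode(x)
    y = [code[i] ^ parity(key[i] & a) ^ (1 if rng.random() < ETA else 0)
         for i in range(M)]
    return a, y


def decrypt(key: list, ct: tuple) -> int:
    """Strip M*a (the only key-dependent part), then let the code remove nu."""
    a, y = ct
    return decode([y[i] ^ parity(key[i] & a) for i in range(M)])


def demo() -> tuple:
    """Returns (correct key decrypts, two encryptions of one msg differ,
    wrong key decrypts to the message)."""
    rng = random.Random(2024)             # seeded for reproducibility only
    key = keygen(rng)
    msg = 0xBEEF
    ct1, ct2 = encrypt(key, msg, rng), encrypt(key, msg, rng)
    wrong_key = keygen(random.Random(99))
    return (decrypt(key, ct1) == msg,
            ct1 != ct2,
            decrypt(wrong_key, ct1) == msg)
```

Without the key, (a, y) is a batch of M noisy LPN samples for the secret rows, which is where the reduction to LPN comes from. Note that nothing here authenticates the ciphertext: flipping bits of y flips or corrupts plaintext bits silently, which is why the abstract adds a MAC to reach chosen-ciphertext security.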
We Can Remember It for You Wholesale: Implications of Data Remanence on the Use of RAM for True Random Number Generation on RFID Tags
Cited by 7 (2 self)
Abstract. Random number generation is a fundamental security primitive for RFID devices. However, even this relatively simple requirement is beyond the capacity of today’s average RFID tag. A recently proposed solution, Fingerprint Extraction and Random Number Generation in SRAM (FERNS) [14, 15], involves the use of onboard RAM as the source of “true” randomness. Unfortunately, practical considerations prevent this approach from reaching its full potential. First, this method must compete with other system functionalities for use of memory. Thus, the amount of uninitialized RAM available for utilization as a randomness generator may be severely restricted. Second, RAM is subject to data remanence; there is a time period after losing power during which stored data remains intact in memory. This means that after a portion of memory has been used for entropy collection once it will require a relatively extended period of time without power before it can be reused. In a usable RFID based security application, which requires multiple or long random numbers, this may lead to unacceptably high delays. In this paper, we show that data remanence negatively affects RAM based random number generation. We demonstrate the practical considerations that must be taken into account when using RAM as an entropy source. We also discuss the implementation of a true random number generator on Intel’s WISP RFID tag, which is the first such implementation to the authors’ best knowledge. By relating this to the requirements of some popular RFID authentication protocols, we assess the (im)practicality of utilizing memory based randomness techniques on resource constrained devices.
Man-in-the-Middle Secure Authentication Schemes from LPN and Weak PRFs
Cited by 5 (0 self)
We show how to construct, from any weak pseudorandom function, a 3-round symmetric-key authentication protocol that is secure against man-in-the-middle attacks. The construction is very efficient, requiring both the secret key and communication size to be only 3n bits long. Our techniques also extend to certain classes of randomized weak-PRFs, chiefly among which are those based on the classical LPN problem and its more efficient variants such as Toeplitz-LPN and Ring-LPN. Building a man-in-the-middle secure authentication scheme from any weak-PRF resolves a problem left open by Dodis et al. (Eurocrypt 2012), while building a man-in-the-middle secure scheme based on any variant of the LPN problem solves the main open question in a long line of research aimed at constructing a practical light-weight authentication scheme based on learning problems, which began with the work of Hopper and Blum (Asiacrypt 2001).
Still and silent: Motion detection for enhanced RFID security and privacy without changing the usage model
- In Workshop on RFID Security (RFIDSec)
, 2010
Cited by 5 (2 self)
Abstract. Personal RFID devices – found, e.g., in access cards and contactless credit cards – are vulnerable to unauthorized reading, owner tracking and different types of relay attacks. We observe that accessing a personal RFID device fundamentally requires moving it in some manner (e.g., swiping an RFID access card in front of a reader). Determining whether or not the device is in motion can therefore provide enhanced security and privacy; the device will respond only when it is in motion, instead of doing so promiscuously. We investigate extending the concept of min-entropy from the realm of random number generation to achieve motion detection on an RFID device equipped with an accelerometer. Our approach is quite simple and well-suited for use on low-cost devices because the min-entropy of an accelerometer’s distribution can be efficiently approximated. As opposed to alternative methods, our approach does not require any changes to the usage model expected of personal RFID devices.
Accelerometers and randomness: perfect together
- In Proceedings of the fourth ACM conference on Wireless network security
Cited by 3 (0 self)
Accelerometers are versatile sensors that are nearly ubiquitous. They are available on a wide variety of devices and are particularly common on those that are mobile or have wireless capabilities. Accelerometers are applicable in a number of settings and circumstances, including important security and privacy domains. In this paper, we investigate the use of accelerometers for the purpose of true random number generation. As our first contribution, we discover that an accelerometer possesses two unique and appealing properties when used as an entropy source. First, contrary to intuition, an accelerometer can derive sufficient entropy even when it is stationary (i.e., not subject to perceivable acceleration). Next, and more importantly, the entropy of a stationary accelerometer can not be reduced in the presence of a variety of environmental variations or even under adversarial manipulations. This means that, unlike other sensors, accelerometers are resistant to changing environments, benign or otherwise. To support this claim, we develop a thorough experimental adversarial model for accelerometers that supply a system with entropy. To the authors’ knowledge, this is the first real world model in the context of entropy collection. As our second contribution, we demonstrate the validity of accelerometer based random number generation on an RFID tag, which is a highly resource constrained device. We present the design and implementation of our method on an Intel WISP tag and conduct several novel experiments to evaluate its feasibility. Our results indicate that a high quality 128-bit random number can be extracted using an accelerometer in about 1.5 seconds even when the sensor is in a stationary state. To our knowledge, this is the first random number generation technique that is known to be viable for RFID devices based on general-purpose hardware.
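Added example serving both this abstract and the motion-detection paper above (Still and silent); it is not the authors' estimator or firmware. It computes the empirical min-entropy of quantised accelerometer samples, -log2 of the most frequent bin, and uses it two ways: with coarse bins as a motion decision (a stationary sensor sits in one bin, a moving one spreads over many) and with raw LSB resolution to size the number of samples needed for a 128-bit output. The 12-bit ADC range, the bin width, the 2-bit motion threshold and the readings themselves are constructed assumptions, not measured data.

```python
"""Min-entropy of quantised accelerometer samples, used (a) as a motion
detector and (b) to size the sample budget for a TRNG. Added example with
constructed readings; not the papers' estimators or firmware."""
import math
import random
from collections import Counter

ADC_MAX = 4095        # 12-bit accelerometer axis reading (assumed)
MOTION_QUANT = 16     # coarse bin width for the motion decision (assumed)
MOTION_BITS = 2.0     # min-entropy above which the tag counts as "in motion" (assumed)


def min_entropy_bits(samples, quant: int = 1) -> float:
    """Empirical min-entropy per sample: -log2 of the most frequent bin.
    Min-entropy, not Shannon entropy, bounds an adversary who guesses the
    single most likely value, so it is the measure that matters for a TRNG."""
    counts = Counter(s // quant for s in samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def in_motion(samples) -> bool:
    """Stationary: readings fall into one or two coarse bins, H_min near 0.
    Moving: readings spread over many bins, H_min is several bits."""
    return min_entropy_bits(samples, MOTION_QUANT) >= MOTION_BITS


def samples_needed(bits_required: int, h_min_per_sample: float) -> int:
    """Raw samples to collect before conditioning down to `bits_required` bits."""
    return math.ceil(bits_required / h_min_per_sample)


def constructed_readings(seed: int = 3, n: int = 1000) -> tuple:
    """Constructed data, not measured: stationary = 1 g plus +-5 LSB sensor
    noise; moving = readings anywhere in the ADC range."""
    rng = random.Random(seed)
    stationary = [2056 + rng.randint(-5, 5) for _ in range(n)]
    moving = [rng.randint(0, ADC_MAX) for _ in range(n)]
    return stationary, moving


if __name__ == "__main__":
    stat, move = constructed_readings()
    h_stat_lsb = min_entropy_bits(stat)            # LSB jitter still carries entropy
    print("stationary, coarse bins:", in_motion(stat), min_entropy_bits(stat, MOTION_QUANT))
    print("moving, coarse bins:    ", in_motion(move), min_entropy_bits(move, MOTION_QUANT))
    print("samples for 128 bits from a stationary sensor:",
          samples_needed(128, h_stat_lsb))
```

The two quantisation widths are the point: the same stationary trace that shows ~0 bits in 16-count bins (so the motion gate stays closed) still shows a few bits per sample at LSB resolution, which is the property the second paper relies on. A plug-in estimate from a thousand samples is optimistic and says nothing about an adversary who can shape the distribution; a deployed design needs the adversarial modelling the abstract describes and a proper conditioner after sampling.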
Privacy through Noise: A Design Space for Private Identification
Cited by 3 (0 self)
To protect privacy in large systems, users should be able to authenticate against a central server without disclosing their identity to others. Private identification protocols based on public key cryptography are computationally expensive and cannot be implemented on small devices like RFID tags. Symmetric key protocols, on the other hand, provide only modest levels of privacy, but can be efficiently executed on servers and cheaply implemented on devices. The privacy of symmetric-key privacy protocols derives from the fact that an attacker only ever knows a small fraction of the keys in a system while the legitimate reader knows all keys. We propose to amplify this gap in the ability to distinguish users by adding noise to user responses. We focus on scenarios where an attacker is not able to acquire multiple different reads known to be from the same device, and justify this threat model by proposing a simple modification to RFID tag designs. In such scenarios, we can use noise to blur the borders between groups of users that the attacker would otherwise be able to distinguish. We evaluate the effectiveness and cost of this randomization and find that the information leakage from the tree protocol can be decreased to two thousandths of its original value with 150 times the number of server-side cryptographic operations and minimal cost to the tag. Degrees of privacy up to those achieved by public key protocols can be reached while staying well below the cost of public key cryptography.
Wide Strong Private RFID Identification based on Zero-Knowledge
Cited by 3 (1 self)
Abstract. We present the first wide-strong RFID identification protocol that is based on zero-knowledge. Until now this notion has only been achieved by schemes based on IND-CCA2 encryption. Rigorous proofs in the standard model are provided for the security and privacy properties of our protocol. Furthermore our protocol is the most efficient solution presented in the literature. Using only Elliptic Curve Cryptography (ECC), the required circuit area can be minimized such that our protocol even fits on small RFID tags. Concerning computation on the tag, we only require two scalar-EC point multiplications. Keywords. RFID, Private Identification, Zero-Knowledge, Elliptic Curve Cryptography.
An optimal probabilistic solution for information confinement, privacy, and security in RFID systems
- Journal of Network and Computer Applications
Cited by 2 (0 self)
In this paper, we provide the following contributions to enhance the security of RFID based systems. First, we assume that among multiple servers storing the information related to the tags some of them can be compromised. For this new threat scenario, we devise a technique to make RFID identification server dependent, providing a different unique secret key shared by a tag and a server. The solution proposed requires the tag to store just a single key, thus fitting the constraints on tag’s memory. Second, we provide a probabilistic tag identification scheme that requires the server to perform just bitwise operations and simple list manipulation primitives, thus speeding up the identification process. The tag identification protocol assures privacy, security and resilience to DoS attacks thanks to its stateless nature. Moreover, we extend the tag identification protocol to achieve mutual authentication and resilience to replay attacks. The proposed identification protocol, unlike other probabilistic protocols, never rejects a legitimate tag. Furthermore, the identification protocol requires the reader to access the local Data Base (DB) of tags’ keys O(n) times, while it has been shown in the literature that a privacy preserving identification protocol requires a reader to access Θ(n) times this DB. In this sense, our protocol is optimal. Finally, the three features suggested in this paper, namely, reader-dependent key
HB^N: An HB-like protocol secure against man-in-the-middle attacks. Cryptology ePrint Archive, Report 2011/350
, 2011
Cited by 1 (0 self)
We construct a simple authentication protocol whose security is based solely on the problem of Learning Parity with Noise (LPN) that is secure against Man-in-the-Middle attacks. Our protocol is suitable for RFID devices, whose limited circuit size and power constraints rule out the use of more heavyweight operations such as modular exponentiation. The protocol is extremely simple: both parties compute a noisy bilinear function of their inputs. The proof, however, is quite technical, and we believe that some of our technical tools may be of independent interest.