RFID Authentication Mini-Project report

Written by Roi Tzaig & Moria Damri

Introduction and theory
RFID Radio Frequency Identification is a technology for tagging using radio waves.
A RFID tag is a small electronic device, supplemented with an
antenna that can transmit and receive data. The RFID
technology is designed for unique identication of dierent
kinds of objects.
RFID systems usually contain three parts:
1. Tag a microchip that can send and receive data
(messages).
2. Verifier interfacing with the Tag, the Verifier can
read/write data and sends messages to access the Tags data.
3. Data base a small amount of memory that uses as a data base that can be
changed.
Limitations of RFID systems
Limits of RFID systems are very important. These systems were designed to be low
cost in order to enable mass production. Broadcast range is limited to a few meters,
therefore the Tag and the Verifier must be sufficiently close Due to their small size
the RFID systems have a limited computational power, and limited memory.
Hence, we can conclude that a "heavy" encryption algorithm can not be used by RFID
systems. There for we need a simple, low cost encryption protocol that is based on
hardware efficiency that will be embedded in the RFID existing systems.
The goal of this project is to show the efficiency and empirically prove the
theoretic claims upon the protocols 1 AP Ungeleralized/Generalized, 2 AP
Ungeleralized/Generalized and

2 AP
written by professor Shlomi Dolev
Typical scenario
Let us think of a typical scenario, in which an alarm car uses RFID system to
communicate between the remote control (the Tag) and the car alarm system (the
Verifier), farther more a thief (an Adversary) may or may not listen to the
communications.
The scenario is as follows:
The Tag (remote control) sends an encrypted request to the Verifier (car) to
open the car. The car processes and decrypts the request and composed an answer, if
the request is genuine then "Open" message is sent back. If it is not, a "DoNotOpen"
message is sent. The thief may or may not listen to the communications, and based on
them compose a false message that will be sent to the car in order to get an "Open"
message back.
The adversary model
The adversary has a few basic assumptions:
1. The adversary is weaker than the one in standard cryptography.
2. The adversary is Byzantine, it tries to harm the system as well as break in it.
3. One out of n consecutive communications the adversary does not listen.
1 1 i+1
The adversary does not listen
1
S , ,S , The adversary listen
i
i n
S
i i n
S S

'

K K
4. (Generalizing 3) k out of n consecutive communications the adversary does
not listen.
Every n consecutive communications are atomic, meaning, the adversary cannot
modify part of the communication in a session.

Protocol for RFID Tag Ungeneralized

1: Initialization:
2: Create int array ARV [1..n]
3: int i := 1;
4: Upon user request
5: keyentry = n (i 1) mod n
6: Create new random array LRV
7: Send s = (ARV [keyentry], LRV)
8: to Verifier
9: If Open received
10: Call Updating procedure
11: End user request

u1: Updating procedure
u2: ARV [keyentry] = 0
u3: for j =1 to n
u4: ARV [j] = ARV [j] xor LRV [j]

Protocol for RFID Verifier Ungeneralized

1: Initialization:
2: Create int array ARV [1..n]
3: int i := 1;
4: Upon reception of key message
5: keyentry = n (i 1) mod n
6: s = (X,LRV)
7: if X = ARV [keyentry]
8: Send Open and
9: Call Updating procedure
10: else Send DoNotOpen
11: End of key message reception

u1: Updating procedure
u2: ARV [keyentry] = 0
u3: for j = 1 to n
u4: ARV [j] = ARV [j] xor LRV [j]

AP1 Ungeneralized Protocol
(Adversary does not listen to one out of n consecutive communications)
Overview:
The vector ARV stands for accumulated random vector and it is known to both the
Tag and the Verifier. The integer i marks the current request index and keyentry is
calculated in such a way that it is a legal index of ARV entry and with every
increment of i it is incremented as well with modulo n.
When the Tag sends a request, it composes a message form the current ARV entry
(ARV[keyentry]) concatenated with a pseudo random generated vector called LRV.
When the Verifier gets the message, it checks if the ARV[keyentry] in the message is
the same as its ARV[keyentry]. If so then an "Open" message is sent to the Tag and a
xor update is preformed on ARV using LRV (update procedure) to both the Tag and
the Verifier. If the ARV[keyentry] in the message is not the same as its
ARV[keyentry] the "DoNotOpen" message is sent and neither the Tag nor the Verifier
updates its ARV.
Message length is 1 n + which is
( ) O n
, so for an entire session (n consecutive
communication) ( )
2
O n
bytes will be transferred.
AP1 Generalized Protocol
(Adversary does not listen to k out of n consecutive communications)
Overview:
Much like in AP1 Ungeneralized protocol this protocol has an ARV vector, i index
and keyentry that function the as before. The LRV vector is replaced by reducedLRV
and Indices which are both vectors with
2log n
entries.
In every request, the Tag randomly selects
2log n
indices of ARVs entries and stores
them in Indices vector, then builds the vector reducedLRV by randomly selecting
2log n
numbers. The tag then composes a message from ARV[Keyentry]
concatenated with Indices and reducedLRV and sets it to the Verifier.
When the Verifier get the message it checks if the ARV[keyentry] in the message is
genuine and if so update only the ARV entries that was selected by the Tag.
Message length is
2log 1 n +
which is ( ) log O n
, so for an entire session (n
consecutive communication) ( ) log O n n
bytes will be transferred.

Protocol for RFID Tag

1: Initialization:
2: Create int array ARV [1..n]
3: int i := 1;
4: Upon user request
5: keyentry = n (i 1) mod n
6: Select random 2Log(n) indices
7: Build reducedLRV form indices
8: Send s = (ARV[keyentry],
Indices, reducedLRV) to Verifier
9: If Open received
10: Call Updating procedure
11: End user request

u1: Updating procedure
u2: ARV [keyentry] = 0
u3: for j =1 to 2Log(n)
u4: ARV [reducedLRV[j]] =
ARV [reducedLRV[j]] xor LRV[j]

Protocol for RFID Verifier

1: Initialization:
2: Create int array ARV [1..n]
3: int i := 1;
4: Upon reception of key message
5: keyentry = n (i 1) mod n
6: s = (X, Indices, reducedLRV)
7: if X = ARV [keyentry]
8: Send Open and
9: Call Updating procedure
10: else Send DoNotOpen
11: End of key message reception


u1: Updating procedure
u2: ARV [keyentry] = 0
u3: for j =1 to 2Log(n)
u4: ARV[reducedLRV[j]] =
ARV[reducedLRV[j]] xor LRV[j]

What is the probability that all ARVs entries will be xored?
The probability that a certain entry will be xored is equal to the probability that a
certain entry will be selected, which is
2log n
n
The probability that the a certain entry will not be selected is
2log
1
n
n

The probability that the a certain entry will not be selected for n consecutive
communications is
2log
1
n
n
n
_
+

,
Limiting the above probability gives
( )
2
2log log 2
2 2
2log 1 1
1
n
n n
n
p e e n p
n n n

_
+

,
Therefore the probability that at least one entry out of n will not be selected during
n consecutive communications is
2 2 2
n times
1 1 1 1
n
n n n n
+ + L
1 4 2 4 3
First conclusion : the probability that all n entries of ARV will be selected, and
therefore xored, is
1
1
n

Second conclusion : When increasing n, the probability for full refresh is

increasing.
Results
The following graphs present the result and curve fitting of the amount of full xor
coverage of ARV out of 100 sessions for 2, 4 and 6 bit. The curve fit is for the
function
100
B
y A
n
_


,
, which is the probability function as shown at the beginning
where A and B are parameters.
2 4 6 8 10 12
40
50
60
70
80
90
100
Data: Data1_bit6
Model: RFID
Chi^2 = 74.16455
A 1.11929 0.04837
B 1.01851 0.21341
number length is 6 bit
A
m
o
u
n
t

o
f

s
e
s
s
i
o
n
s

w
i
t
h

f
u
l
l

c
o
v
e
r
a
g
e

o
u
t

o
f

1
0
0
n
Result summary
Length of
number
A value A error B value B error
6 1.11929 0.04837 1.01851 0.21341
Summary and conclusions
1. Form the result, we can see that the values of A and B are much closed to
the theoretic ones 1.
2. The theoretic value of B, 1, is within the error range in all the experiments.
3. The theoretic value of A, 1, is not within the in error range in all the
experiments, however they are much closed.
4. So, it safe to conclude that the probability for full xor coverage is as
developed before
1
1 P
n
.
5. We can easily see form the graphs that even at 3 n there is a good
coverage, and a better in 4 n (no less the 95% and an average of
97.666%). For larger
n
's there isn't any significant improvement.
AP2 Ungeneralized Protocol
Overview:
The vector ARV stands for accumulated random vector and it is known to both the
Tag and the Verifier. The integer i marks the current request index and the integer
seed is use for the generation of the prs, the initial seed value is initialized to zero.
The keyentry is calculated in such a way that it is a legal index of ARV entry and with
every increment of i it is incremented as well with modulo n.
When the Tag sends a request, it first create a pseudo random generated vector prs of
length m = n * l +k where k is the keyword length and l is the length in bits of each
ARV vector entry. The current ARV entry (ARV[keyentry]) xor with the old seed is
used as a seed for the generation of the pseudo random sequence prs. The old seed is
updated, (seed=ARV[keyentry] xor seed).
The Tag creates a new vector Y that should be send to the verifier. Y is equal to the
xor of the vector prs with the pseudo random generated vector called LRV
Protocol for RFID Verifier
Initialization:
Create int vector array ARV
[1..n]
int i := 1; seed := 0
int vector arrays keywords
Upon key message Y
reception
keyentry = n (i 1)mod n
Create pseudo-random
sequence
prs of length m from
seed = X[keyentry] xor seed
Z = Y xor prs
if Z[(n + 1)..m] belong to
keywords
Send Open and
Call Updating procedure
else
Send DoNotOpen
End of key message
reception
Updating procedure
Protocol for RFID Tag Ungeneralized
Initialization:
Create int vector array ARV
[1..n]
int i := 1; seed := 0
int vector arrays keywords
Upon user request:
Create new random array LRV
keyentry = n (i 1)mod n
X[keyentry] = ARV [keyentry]
Create pseudo-random
sequence
prs of length m from
seed = X[keyentry] xor seed
Y = (LRV ||keyword) xor prs
Send Y to Verifier
If Open received
Call Updating procedure
End user request
Updating procedure
ARV[keyentry] = 0
for j = 1 to n
ARV[j] = ARV[j] xor
concatenated with the keyword. Y=prs xor (LRV||keyword). Y is then send to the
Verifier.
Because we assume that both the Tag and the Verifier know how to produce the prs
vector, when the Verifier gets the message, he can decrypt the it by calculating Y xor
prs (which is equal to LRV||keyword) and checks if the suffix of the string
(Y xor prs)[n+1..m], is equal to keyword. If yes the Verifier return the message
'Open' to the Tag, else he return the message 'DoNotOpen'.
If the authentication successes, the updating procedure is called, and an update is
preformed on the ARV vector using the LRV vector, in both, the Tag and the Verifier
sides.
The computational security of the AP2 protocol is provided by the random seed
generation in each session.

AP2
Protocol - Resistance against Intruder-in the Middle-Attack
This protocol is an upgrade of previously discussed protocol 2 AP . This protocol can
cope with an intruder in the middle of an attack (IIMA). The Intruder is able to
capture the message, sent by the tag to the verifier, and modify it. Moreover, it should
be stated that such an attack can drive the protocols 1 AP and 2 AP to a deadlock!
We relax the assumption about the atomicity of each communication session. In order
to deal with IIMA the message is added with redundant bits and watermark bits while
no cryptographic hash function is used.
The protocol

2 AP
- like in 2 AP the encryption key is derived from the basic vector
ARV (ARV[keyentry]). The seed X splits into four independent seeds
1 2 3
, , X X X

and
4
X
which will be used to create pseudo-random sequences.

1
c
is used to create the sequence that encapsulates LRV.

2
c
is used to create the sequence that encapsulates the redundant bits.

3
c
is used to create the sequence that encapsulates the watermark bits.

3
c
is used to create a permutation of the message bits -
4
X

.
The message is constructed as follows:
[ ] [ ] [ ]
( )
4
1 1 2 1
|| sequence || , , sequence || ,
j
X q v
Y LRV keyword c r r c w w 1 1
] ]
K K
Let's explain the different parts of the message:
||
j
LRV keyword 1
]
is generated as in 2 AP , a concatenation of pseudo-random vector
with a keyword. The LRV has
n
entries each have l bits and the keyword is of length
k . So the total length of this part is m nl k + , as is [ ]
1
sequence c
so the xor of the
last two also gives
m
bits.
1
, ,
q
r r 1
]
K
is a sequence of
q
redundant bits generated as follows: looking at
||
j
LRV keyword 1
]
as a ( ) log m
dimensions hyper-cube, where every redundant bit
has the value of a parity check on one of the hyper-cube rows/columns.
Calcuation q number of Visualization Dimensions
parity checks
( )
0
1
1 2 1 1 1
( )
1
2
2 4 4 4 2
( )
2
3
3 8 12 12 3
Let us denote the number of dimensions as ( ) log d m
, According to the above table
we get
( )
( ) ( ) ( )
( )
( )
1
1
log 1
log
log
d
d
m
m
d
d
q d m d m m m

.
Another way to get
q
is by considering the hyper-cube as a d dimensions array where
in order to calculate the parity bits we only need a one "running-index" and 1 d
"fixed-indices". If the length of every row/column is 2 (indexed 0 or 1) then we have
{ { {
1
-
0 / 1 0 / 1
i d
fixed index running index fixed index
x

K K
We have d options to select the running-index and 2 options to select the index for
every row, moreover there are 1 d such entries in the array. So, in total, we have
( ) ( )
( )
( )
log 1
1
log 1
2 2 log
m
d
m d d
d
q d d m m

, which is the same as above expression.
A simpler expression is
1
log
2
q m m thus we see that ( ) log q O m m
.
The [ ]
2
sequence c
is of length
q
as well, and so is their xor result.
The last part is watermark bits [ ]
1
,
v
w w K
with length of
v
.
Finally, the permutation generated by
4
x
seed does not add or remove bits. Thus the
total length of the message is
Y m q v + +
.
Parity
check
Parity
checks
Parity checks
What is the probability for adversarial success?
The probability that the adversary will corrupt a watermark while changing the
bits of the original message is
v
t

The probability that the adversary will corrupt a bit from the original message
is 1 .
In order to successfully change the part of the original message, the adversary
has to corrupt at least
min
d
bits, where
min
d
is the minimal humming distance
and is equal to ( ) log 1 m +
.
From the second and third observations we get that in order for the adversary
to successes, he must change at least
min
d
bits of the original message.
So the probability for adversarial success is ( )
min
1
d
A
P .
The above probability can manipulate as follows ( ) ( )
( )
min
log 1
1 1
d m
A
P
+

( )
( )
( )
( )
( )
( )
log
log 1 log 1
1 2 1
m
m



, thus for
1
2
,
1
2
A
P
m
and for
1
4
,
0.415
3
4
A
P
m
.
Results
The following graphs present the result and curve fitting of the probability for
adversarial success. The curve fit is for the function
2
log
A
B
A
y m
B
_

,

, which is the
probability function as developed above.
0 100 200 300 400 500 600
0.05
0.10
0.15
0.20
0.25
0.30
The empirical porobability for adversarial success, with alpha = 1/4
Data: Data1_UpperBound.,Data1_P.a.0.25
Model: RFID2
Chi^2 = 0.0001
A 2.97074 1.73866
B 3.99292 2.41715
Probability upper bound
Empirical Probability
P
r
o
b
a
b
i
l
i
t
y
m [bits], the length of the message
0 100 200 300 400 500 600
0.000
0.005
0.010
0.015
0.020
0.025
0.030
0.035
The empirical porobability for adversarial success, with alpha = 1/2
Data: Data1_UpBound.0.5
Model: RFID2
Chi^2 = 9.2925E-7
A 0.9941 1.1072
B 1.9963 2.28614
Probability upper bound
Empirical Probability
P
r
o
b
a
b
i
l
i
t
y
m [bits], the length of the message
Result summary

A value A error Expected

value
B value B error Expected
value
1
4
2.97074 1.73866 3 3.99292 2.41715 4
1
2
0.9941 1.1072 1 1.9963 2.28614 2
Summary and conclusions
1. Form the result, it is clear that
A
P
is bounded by ( )
min
1
d
, and therefore
satisfies the relation ( )
min
1
d
A
P .
2. Form the result, we can see that the A and B for both
1
4

and
1
2

are
in the range of the expected value, 3, 4 A B and 1, 2 A B
respectively.
3. Therefore we may conclude that the expression for adversarial success is
( )
min
1
d
A
P or as developed above ( )
( ) log 1
1
A
P m

, when the adversary
changes
min
d
bits.
4. The error for
1
4

is greater then the error of
1
2

.