Publication


Featured research published by Julio C. Hernandez-Castro.


ubiquitous intelligence and computing | 2006

M²AP: a minimalist mutual-authentication protocol for low-cost RFID tags

Pedro Peris-Lopez; Julio C. Hernandez-Castro; Juan M. Estevez-Tapiador; Arturo Ribagorda

Low-cost Radio Frequency Identification (RFID) tags affixed to consumer items as smart labels are emerging as one of the most pervasive computing technologies in history. This presents a number of advantages, but also opens a huge number of security problems that need to be addressed before its successful deployment. Many proposals have recently appeared, but all of them are based on RFID tags using classical cryptographic primitives such as Pseudorandom Number Generators (PRNGs), hash functions, or block ciphers. We believe this assumption to be fairly unrealistic, as classical cryptographic constructions lie well beyond the computational reach of very low-cost RFID tags. A new approach is necessary to tackle the problem, so we propose a minimalist lightweight mutual authentication protocol for low-cost RFID tags that offers an adequate security level for certain applications, which could be implemented even in the most limited low-cost tags as it only needs around 300 gates.


international conference on move to meaningful internet systems | 2006

EMAP: an efficient mutual-authentication protocol for low-cost RFID tags

Pedro Peris-Lopez; Julio C. Hernandez-Castro; Juan M. Estevez-Tapiador; Arturo Ribagorda

RFID tags are devices of very limited computational capabilities, which only have 250-3K logic gates that can be devoted to security-related tasks. Many proposals have recently appeared, but all of them are based on RFID tags using classical cryptographic primitives such as PRNGs, hash functions, block ciphers, etc. We believe this assumption to be fairly unrealistic, as classical cryptographic constructions lie well beyond the computational reach of very low-cost RFID tags. A new approach is necessary to tackle this problem, so we propose an extremely efficient lightweight mutual-authentication protocol that offers an adequate security level for certain applications and can be implemented even in the most limited low-cost RFID tags, as it only needs around 150 gates.


workshop on information security applications | 2009

Advances in Ultralightweight Cryptography for Low-Cost RFID Tags: Gossamer Protocol

Pedro Peris-Lopez; Julio C. Hernandez-Castro; Juan E. Tapiador; Arturo Ribagorda

The design of ultralightweight authentication protocols that conform to low-cost tag requirements is imperative. This paper analyses the most important proposals (except for those based on hard problems such as the HB [1-3] family) in the area [4-6] and identifies the common weaknesses that have left all of them open to various attacks [7-11]. Finally, we present Gossamer, a new protocol inspired by the recently published SASI scheme [13], that was lately also the subject of a disclosure attack by Hernandez-Castro et al. [14]. Specifically, this new protocol is designed to avoid the problems of the past, and we examine in some depth its security and performance.


Lecture Notes in Computer Science | 2006

RFID systems: a survey on security threats and proposed solutions

Pedro Peris-Lopez; Julio C. Hernandez-Castro; Juan M. Estevez-Tapiador; Arturo Ribagorda

Low-cost Radio Frequency Identification (RFID) tags affixed to consumer items as smart labels are emerging as one of the most pervasive computing technologies in history. This can have huge security implications. The present article surveys the most important technical security challenges of RFID systems. We first provide a brief summary of the most relevant standards related to this technology. Next, we present an overview of the state of the art in RFID security, addressing both the functional aspects and the security risks and threats associated with its use. Finally, we analyze the main security solutions proposed to date.


Computer Standards & Interfaces | 2009

LAMED - A PRNG for EPC Class-1 Generation-2 RFID specification

Pedro Peris-Lopez; Julio C. Hernandez-Castro; Juan M. Estevez-Tapiador; Arturo Ribagorda

RFID is a relatively heterogeneous radio technology, where it is necessary to put extra effort into security and privacy-related issues. As early as 2004, some authors suggested the use of a PRNG for increasing security. This was later questioned because many thought a PRNG implementation may go well beyond the very limited computational capabilities of low-cost RFID tags. However, its use has been ratified by EPCGlobal (EPC Class-1 Generation-2) and ISO (ISO/IEC 18000-6C). This motivates our proposal of a new PRNG, named LAMED, which is compliant with the standards and successfully passes several batteries of very demanding randomness tests (ENT, DIEHARD, NIST, and SEXTON). A study of its hardware complexity shows that LAMED can be implemented with slightly less than 1.6 K gates, and that pseudo-random numbers can be generated every 1.8 ms. So we can affirm this is a realistic proposal both conforming with the EPC-C1G2 standard, and suitable for low-cost RFID tags.


Journal of Network and Computer Applications | 2011

Flaws on RFID grouping-proofs. Guidelines for future sound protocols

Pedro Peris-Lopez; Agustin Orfila; Julio C. Hernandez-Castro; Jan C. A. van der Lubbe

In recent years many RFID authentication protocols have been proposed with greater or lesser success (van Deursen and Radomirovic, 2008). Juels (2004) introduced a different and novel problem that aims to evidence that two tags have been simultaneously scanned. He called this kind of evidence a yoking-proof, which is supposed to be verifiable offline. Then, some authors suggested the generalization of the proof for a larger number of tags. In this paper, we review the literature published on this research topic and show the security flaws of the proposed protocols, generally named RFID grouping-proofs. More precisely, we cryptanalyze five of the most recent schemes and we also show how our techniques can be applied to older proposals. We provide some guidelines that should be followed to design secure protocols and preclude past errors. Finally, we present a yoking-proof for low-cost RFID tags, named Kazahaya, that conforms to the proposed guidelines.


Computers & Security | 2006

Steganography in games: A general methodology and its application to the game of Go

Julio C. Hernandez-Castro; Ignacio Blasco-Lopez; Juan M. Estevez-Tapiador; Arturo Ribagorda-Garnacho

Techniques to hide valuable information within seemingly harmless messages have been widely used for centuries. Typically, their use is appropriate when encryption is not available or not adequate (e.g. when available cryptography is too weak), or simply when it is convenient that no external observer can infer that some information is being exchanged. In the digital era, new cover media for hiding data in communication are constantly being proposed, from the classical image files (such as bmp, gif, and jpg formats) to audio files (i.e. wav and mp3), text and html documents, emails disguised as spam, TCP/IP packets, executable programs, DNA strands, etc. In this work, we present and analyze a novel methodology that illustrates how games (such as Chess, Backgammon, Go, etc.) can be used to hide digital contents. We also look at some of its possible advantages and limitations when compared with other techniques, discussing some improvements and extensions. Finally, we present the results of a first implementation of an open-source prototype, called StegoGo, for hiding digital contents in Go games.


Engineering Applications of Artificial Intelligence | 2011

Cryptanalysis of an EPC Class-1 Generation-2 standard compliant authentication protocol

Pedro Peris-Lopez; Julio C. Hernandez-Castro; Juan E. Tapiador; Jan C. A. van der Lubbe

Recently, Chen and Deng (2009) proposed an interesting new mutual authentication protocol. Their scheme is based on a cyclic redundancy code (CRC) and a pseudo-random number generator in accordance with the EPC Class-1 Generation-2 specification. The authors claimed that the proposed protocol is secure against all classical attacks against RFID systems, and that it has better security and performance than its predecessors. However, in this paper we show that the protocol falls short of its security objectives, and in fact offers the same security level as the EPC standard it tried to correct. An attacker, following our suggested approach, will be able to impersonate readers and tags. Untraceability is also not guaranteed, since it is easy to link a tag to its future broadcast responses with a very high probability. Furthermore, readers are vulnerable to denial of service attacks (DoS), by obtaining an incorrect EPC identifier after a successful authentication of the tag. Moreover, from the implementation point of view, the length of the variables is not compatible with those proposed in the standard, thus further discouraging the wide deployment of the analyzed protocol. Finally, we propose a new EPC-friendly protocol, named Azumi, which may be considered a significant step toward the security of Gen-2 compliant tags.


embedded and ubiquitous computing | 2007

An Efficient Authentication Protocol for RFID Systems Resistant to Active Attacks

Pedro Peris-Lopez; Julio C. Hernandez-Castro; Juan M. Estevez-Tapiador; Arturo Ribagorda

RFID technology is a ubiquitous technology, and seems destined to become more and more ubiquitous. Traditional cryptographic primitives are not supported on low-cost RFID tags since, at most, 4K gates can be devoted to security-related tasks. Despite this, there are a vast number of proposals based on the use of classical hash functions, an assumption that is not realistic (at least at the present time). Furthermore, none of the published authentication protocols are resistant to active attacks. We try to address these two issues in this work by designing a new authentication protocol, secure against passive and active attacks, inspired by Shieh et al.’s protocol for smart-cards, but adapted to RFID systems. The original scheme of Shieh et al. is considered one of the most secure and efficient protocols in the smart-card field. Because in this protocol tags should support an on-board hash function, a new lightweight hash function, named Tav-128, is also proposed. A preliminary security analysis is shown, as well as a study on its hardware complexity, which concludes that its implementation is possible with around 2.6K gates.


international conference on rfid | 2010

Cryptographic puzzles and distance-bounding protocols: Practical tools for RFID security

Pedro Peris-Lopez; Julio C. Hernandez-Castro; Juan E. Tapiador; Esther Palomar; Jan C. A. van der Lubbe

Widespread adoption of RFID technology is being slowed down because of increasing public concerns about associated security threats. This paper shows that it is possible to enhance the security of RFID systems by requiring readers to perform a computational effort test. Readers must solve a cryptographic puzzle - one of the components of the Weakly Secret Bit Commitment (WSBC) sent by tags - to obtain the static identifier of the interrogated tag. The method we present is based on a simple concept already used in security applications such as anti-spam or TCP SYN flooding protection, yet original in the RFID context until now. The scheme provides privacy protection while being an effective countermeasure against the indiscriminate disclosure of the whole contents of a large number of tags. Then, we scrutinize the combined use of cryptographic puzzles and distance-bounding protocols. First, a classical and relatively straightforward solution is presented. Secondly, we introduce a protocol named Noent, which follows a new approach that reduces drawbacks associated with WSBC such as key delegation, whilst gaining all the advantages of employing distance-bounding protocols such as the certainty on the distance between a tag and reader.

Collaboration

Top Co-Authors

Arturo Ribagorda

Instituto de Salud Carlos III

Juan E. Tapiador

Charles III University of Madrid

Esther Palomar

Birmingham City University

Ana Lucila Sandoval Orozco

Complutense University of Madrid

Jan C. A. van der Lubbe

Delft University of Technology