Research and Design of Lightweight Mobile RFID Authentication Protocols
A Provably Secure Lightweight Serverless RFID Secure Search Protocol

A Provably Secure Lightweight Serverless RFID Secure Search Protocol
Authors: 王鑫, 贾庆轩, 高欣, 赵兵, 崔宝江
Source: 《湖南大学学报·自然科学版》, 2014, No. 08
Received: 2013-12-03
Funding: National Basic Research Program of China (973 Program) project (2012CB724400); International Science and Technology Cooperation Program project (2013DFG72850)
About the author: 王鑫 (born 1986), male, from Xinzhou, Shanxi; PhD candidate at Beijing University of Posts and Telecommunications; corresponding author, Email: buptwxin@
Abstract: To address the security and privacy problems that arise while searching for RFID tags, a lightweight serverless RFID secure search protocol is designed. The time permissions of the mobile reader are managed by means of strict timestamps, and a combination of loose timestamps and a HASH function is proposed to protect the wireless channel: the one-way property of the HASH function guarantees the integrity and confidentiality of the protocol messages, and the collision principle is used to obtain adjustable privacy strength and search efficiency. The protocol is proved to satisfy universally composable security in the UC framework, so it can run in concurrent environments, and it is proved in the standard security model to resist replay, desynchronization, tracking and anonymity attacks. The proposed search protocol therefore has strong security and strong privacy.
Keywords: radio frequency identification (RFID); search protocol; universally composable; standard security model
CLC number: TN918.5   Document code: A

Provable Security Lightweight Serviceless RFID Security Search Protocol
WANG Xin 1, JIA Qingxuan 1, GAO Xin 1, ZHAO Bing 2, CUI Baojiang 3
(1. School of Automation, Beijing Univ of Posts and Telecommunications, Beijing 100876, China; 2. State Grid Metering Center, Beijing 100192, China; 3. School of Computer Science, Beijing Univ of Posts and Telecommunications, Beijing 100876, China)
Abstract: To solve the problems of security and privacy caused by the RFID tag search process, a lightweight serviceless RFID security search protocol was designed. Firstly, through strict timestamps, the time permissions of the mobile reader were managed. Secondly, a method combining loose timestamps and a HASH function for the protection of the wireless channel was put forward; the one-way character of the HASH function was used to ensure the integrity and confidentiality of the interactive messages. Finally, the collision idea was used to realize adjustable privacy intensity and search efficiency. Under the UC framework, it was proved that the protocol meets universally composable security, enabling the protocol to run in a concurrent environment. Under the standard security model, it was proved that the protocol effectively resists replay attacks, desynchronization attacks, tracking attacks, anonymity attacks and so on.
It follows that the proposed protocol has strong security and privacy.
Key words: Radio Frequency Identification; search protocol; universally composable; standard security model

RFID technology has many advantages, such as contactless reading, batch reading and suitability for harsh environments. It has therefore attracted wide attention in identification, sensing and localization, logistics tracking and other fields, and new uses keep being developed [1]. However, large-scale deployment has made security and privacy problems increasingly prominent, and they have become a key factor constraining its development. Contactless reading over a wireless channel brings convenience but also gives attackers favourable conditions: passive attacks can lead to leakage of company data and customers' personal privacy and to malicious tracking, while active attacks can paralyse the RFID system and permanently destroy the authentication between tags and readers, leading to serious consequences such as loss of goods. At the same time, for cost reasons, passive tags are generally chosen in practice; they are powered by electromagnetic coupling from the reader and therefore have weak computing power and little storage. Traditional security protocols such as SSL/TLS can provide a secure and reliable channel, but their energy consumption is too high for passive tags. Designing lightweight or ultra-lightweight RFID security protocols has therefore become a key problem that urgently needs to be solved.

At present, most RFID security protocols are designed for the case with a back-end server. Reference [2] classifies RFID security protocols by the cryptographic operations the tag supports: full-fledged protocols, whose tags support mature algorithms such as ECC, AES, DES and asymmetric cryptosystems [3]; lightweight protocols, whose tags support low-cost operations such as HASH functions, random number generation and redundancy check codes [4-5]; and ultra-lightweight protocols, which encrypt the exchanged data with bitwise operations such as XOR, AND and NOT [6]. Full-fledged protocols can provide a high level of protection, but their demands on tag computing performance mean they can only run on active tags, so they cannot be widely applied. Ultra-lightweight protocols place very low demands on the tag, but most of those proposed so far are vulnerable to common attacks such as desynchronization, full-disclosure and tracking attacks [7]. By contrast, lightweight protocols use relatively light cryptographic functions such as HASH functions, providing a high level of protection while placing low demands on the tag. Moreover, advances in hardware manufacturing in recent years allow low-cost passive RFID tags to support cryptographic operations such as HASH functions effectively [8].

Although protocols with a back-end server can protect the wireless channel effectively, many practical applications require the reader to operate while mobile, for example a handheld device in a power system identifying the RFID tags of electricity meters. Research on serverless RFID security protocols helps improve system flexibility, and mobile readers are better suited to real application environments. Furthermore, in many applications only a single tag needs to be authenticated and identified, without authenticating all tags within range. In the serverless setting, research on RFID search protocols is still scarce. References [9-10] studied tag search protocols and designed corresponding security protocols in which non-target tags answer the reader's search signal with random probability to protect the privacy of the target tag, but they gave only simple arguments and informal proofs; their security was not rigorously proved, so they are vulnerable to attacks such as delay attacks [11]. Reference [12] uses a pseudo-random function and a dynamically updated distributed-seed mechanism to secure the wireless channel during tag search, but the dynamic seed update makes it vulnerable to desynchronization attacks. Reference [8] built on earlier work to propose a search protocol with higher security, but it encrypts the exchanged information with AES, which is hard to implement on passive tags, so its algorithmic complexity is high and it is hard to deploy widely. Reference [13] proposed a lightweight serverless search protocol and proved its universally composable security in the UC framework; it is simple to implement and has low algorithmic complexity, but it still leaks privacy and is vulnerable to desynchronization attacks. In addition, none of the above work on search protocols considers the security of the mobile reader itself in a real operating environment; it only protects the channel between reader and tag.

This paper designs a lightweight serverless secure search protocol based on the combination of loose timestamps and a HASH function. The protocol limits the reader's time permissions, thereby guaranteeing reader security, and uses the idea of collisions to guarantee the privacy of the target tag. Its security is proved in the UC framework and in the standard security model, giving it mutual-authentication secure search, universally composable security and strong privacy.

1 Security properties a search protocol must satisfy
An RFID search protocol quickly determines whether a target tag is present. To guarantee security and privacy, a secure search protocol must satisfy the following properties:
1) Availability. A desynchronization attack moves a tag into an unauthenticatable state, i.e. the information shared between reader and tag is out of sync, so legitimate tags and readers cannot correctly and effectively identify each other and authentication fails. The protocol must therefore resist desynchronization attacks.
2) Authentication. The reader obtains a proof from the tag (computed from the shared information) that establishes the correctness of the tag's response and thereby the existence and legitimacy of the target tag. The search must be anonymous: the tag's unique identifier must be unknowable to anyone eavesdropping on the link.
3) Privacy. This includes tag anonymity and untraceability. Anonymity guarantees that an attacker cannot obtain any information about a tag through its attack strategy; untraceability guarantees that an attacker cannot track a particular tag by analysing protocol messages.
4) Concurrent security. RFID search protocols run at the bottom layer of Internet of Things protocols, so security in the UC framework is a necessary requirement for the security of the RFID system.

2 Provable security
This paper uses provable security to guarantee the security and privacy of the protocol. Proving security in the UC framework has the advantage of guaranteeing concurrent security, so the protocol can run concurrently in complex environments; the standard security model has the advantage of analysing the protocol's security in isolation. Security is proved at both levels. The UC framework and the standard security model are briefly described below.

2.1 UC framework
To suit complex application environments, a single protocol often runs many times in a concurrent network environment. The UC framework supports modular design, and security in the UC framework implies concurrent security [14]. The security protocol between RFID tags and readers is a bottom-layer IoT protocol with high concurrency and diverse, complex application environments, so it is necessary to prove its concurrent security in the UC framework. The UC proof process is shown in Fig. 1. The participants of protocol π are ITMs (interactive Turing machines), including (U_1, U_2, …, U_i, …, U_n) and the real-world adversary A. In the ideal world there are dummy parties U_1, U_2, …, U_i, …, U_n, the ideal adversary S and the ideal functionality F. F represents the security properties the protocol must satisfy: the parties and S give inputs to F, F produces the corresponding outputs, and F acts as an unbreakable trusted third party. In both worlds an environment machine Z is introduced; Z represents the protocol's external environment (including other concurrently running protocols, users, etc.) and can provide arbitrary inputs to the parties and the adversary. Finally, Z collects the global outputs of the parties and the adversary in the real and ideal worlds and tries to decide whether it is interacting with the real protocol in the presence of the real adversary A or with the ideal world in the presence of the ideal adversary S. If Z cannot distinguish the two cases, the protocol is UC secure.

2.2 Standard security model
The standard security model first fixes the attack goal of the adversary A. Then, following the actual protocol run, A calls a series of functional oracles to form an attack strategy, which reflects A's attack capability. If the probability that A achieves its goal in probabilistic polynomial time (PPT) is negligible, the protocol is secure in the standard model [15]. Here A is assumed to have full control of the channel, i.e. A can call the following oracles:
1) O_1(π_search): obtain the messages exchanged between reader and tag;
2) O_2(π_search, tag, m_1, m_2): send challenge message m_1 to the tag and obtain its response m_2;
3) O_3(π_search, Reader, m_3, m_4): send message m_3 to the reader and obtain its response m_4;
4) O_4(π_search, Reader, tag): tamper with the exchanged messages.
The attack experiment Exp(A) has two phases, a learning phase and a guessing phase. In the learning phase A may call oracles O ∈ {O_1, O_2, O_3, O_4} to eavesdrop on, interrupt and tamper with the messages between reader and tag, accumulating attack knowledge. In the guessing phase A uses the accumulated knowledge to reach its conclusion. The attack goal for a secure search protocol is for A to decide by analysis whether the target tag is present; if A's success probability in PPT equals that of a coin toss, the experiment fails, i.e. the adversary's advantage Adv satisfies
$$\mathrm{Adv} = \left|\Pr[\mathrm{Exp}(A) \to \text{tag present}] - \tfrac{1}{2}\right| \le \varepsilon(n). \quad (1)$$
Otherwise A's attack experiment Exp(A) succeeds and the protocol is not secure in the standard security model.

3 RFID secure search protocol
The proposed secure search protocol is described in detail below. First, when the reader downloads L_i from the CA, the current system time is added as a diversification factor while the session key is negotiated with SSL/TLS. This obliges the reader to return to the system within a prescribed time to update its list, so the reader must "report" to the CA at fixed intervals, which realises time-permission management and also periodic update of the reader identifier and the reader list. The tag key is bound to the reader identifier by a HASH, so even if the reader list leaks the attacker cannot obtain the tag key, and tag forgery attacks are resisted. The combination of loose timestamps and a collision mechanism protects tag privacy and resistance to tracking, preventing malicious tracking and leakage of the target tag's existence. The protocol flow is shown in Fig. 2.

3.1 Protocol initialisation
The reader authenticates to the CA with the SSL/TLS protocol and obtains a session key shared with the CA. A new diversification factor, the CA's current time T_S, is added to the pre-master-secret negotiation; the negotiated session key is k_sc = hash(T_S, n_s, n_c, …), and the reader's unique identifier is r_t = hash(T_S, R_id). After completing a tag search task the reader must register a new identifier r_t at the CA within the prescribed time limit. Once the limit passes the reader deletes its internal list by itself, and the CA raises an alarm for that reader and marks it as having violated the rules; the limit depends on the system's security-level requirements and on the time needed to complete the different search tasks. The CA then issues the authentication list L_i to the authenticated reader using a digital certificate, and the reader computes a new list L'_i from its current time T_cur:
$$L_i = \begin{pmatrix} f(r_i, ks_1) & id_1 \\ \vdots & \vdots \\ f(r_i, ks_n) & id_n \end{pmatrix} \;\rightarrow\; L'_i = \begin{pmatrix} f(r_i, ks_1) & f(r_i, ks_1)\,T_{cur} & id_1 \\ \vdots & \vdots & \vdots \\ f(r_i, ks_n) & f(r_i, ks_n)\,T_{cur} & id_n \end{pmatrix} \quad (2)$$

3.2 Protocol execution steps
The protocol runs as follows:
1) The reader selects the target tag T_j and lets its entry in the search list L'_i be G_T = f(r_j, ks_j) T_cur. It also picks a random number n_r ∈_R {0,1}^l and computes A and B:
$$A = f(n_r, id_j, G_T),\qquad B = f(n_r, id_j, G_T)_{\,\to k}. \quad (3)$$
Suppose f(n_r, id_j, G_T) is k bits long; A is the leading prefix of f(n_r, id_j, G_T) and the remaining part is B. The prefix length is determined by the number of tags in the actual operating environment and the required security level, and f is a HASH function. With n tags in total, the probability that i tags share the same prefix is P(i). By the properties of HASH functions the outputs are independently and uniformly distributed, so
P(i)=ni21i1-12i. (4)
Hence
$$E(i) = \sum_{i=1}^{n} i \cdot P(i). \quad (5)$$
E(i) is the expected number of tags sharing the same prefix. When E(i) ≥ L (L ≥ 2), on average at least L tags answer the search signal. Thus even when the target tag is absent some tags may still answer, so A cannot decide whether the target tag exists, and the target tag's privacy is guaranteed. The prefix length can be adjusted to control the number of answering tags: the shorter the prefix, the larger L, the stronger the target tag's privacy, but the slower the search. The prefix length can therefore be set according to the application to satisfy both the privacy and the search-speed requirements; the idea is to protect the target tag's privacy through prefix collisions of data strings. The reader then sends A, n_r, T_cur, r_i to the tags.
2) From the received n_r, T_cur, r_i and its own stored key ks_1 and identifier ID, the tag computes A' and B':
$$A' = \{f(n_r, id_j, G'_T)\}; \quad (6)$$
$$B' = \{f(n_r, id_j, G'_T)\}_{\,\to k}. \quad (7)$$
The tag then compares A' with the received A. If they are equal the tag regards itself as the target tag; otherwise it regards itself as a non-target tag and does not answer. At the same time it compares its stored time T_last with the received timestamp T_cur, letting
$$T_\Delta = T_{cur} - T_{last}. \quad (8)$$
If T_Δ > 0, the random number n_j is set to the empty string and the tag computes
$$\mathrm{flag} = 0,\quad \beta_{11} = f(\mathrm{flag}, B', T_{cur}, id_j), \quad (9)$$
$$\beta_2 = (\beta_{11})_{0 \to k/2},\quad \beta_3 = (\beta_{11})_{k/2 \to k}, \quad (10)$$
$$\delta = B'. \quad (11)$$
It also sets its clock T_last to T_cur:
$$T_{last} \leftarrow T_{cur}. \quad (12)$$
Otherwise it picks n_j ∈_R {0,1}^l and computes
$$\mathrm{flag} = 1,\quad \beta_{21} = f(\mathrm{flag}, B', n_j, id_j),\quad T_{last} \leftarrow T_{last}, \quad (13)$$
$$\beta_2 = (\beta_{21})_{0 \to k/2},\quad \beta_3 = (\beta_{21})_{k/2 \to k}, \quad (14)$$
$$\delta = \text{empty string}. \quad (15)$$
The tag stores β_3 and T_cur and sends flag‖n_j‖β_2‖δ to the reader. Through this loose-timestamp comparison the protocol can effectively resist replay and similar attacks.
3) On receiving flag‖n_j‖β_2‖δ, the reader first checks the flag. If flag = 0, it computes B and β_2 from its own stored values and compares
$$\delta = B,\qquad \beta'_2 = \beta_2. \quad (16)$$
If both hold, the tag is judged to be the target tag, and the reader sets
$$\beta'_3 = (\beta'_{11})_{k/2 \to k}. \quad (17)$$
Otherwise the tag is judged to be a non-target tag. If flag = 1, the reader uses n_j to compute
$$\beta'_2 = (\beta'_{21})_{0 \to k/2}, \quad (18)$$
and checks β'_2 = β_2. If equal, the tag is the target tag but its timestamp is incorrect and must be corrected, so the reader sets
$$\beta'_3 = (\beta'_{21})_{k/2 \to k}. \quad (19)$$
Otherwise the tag is judged to be a non-target tag. If the tag is judged to be the target, the reader sends β'_3 to it; otherwise β'_3 is an arbitrary random number.
4) The tag receives β'_3 from the reader and compares its stored β_3 with it. If they are equal it sets T_last to T_cur; otherwise T_last is left unchanged. The target tag confirms its target status through β'_3, and at the same time the reader is securely authenticated.

4 Security analysis
4.1 Concurrent security
UC security requires designing the ideal functionality F according to the security properties the protocol must satisfy, formalising and abstracting it, and then constructing an adversary in the ideal world that simulates the behaviour of the real-world adversary. If Z cannot distinguish the adversaries' behaviour in the two worlds, the protocol achieves concurrent security.

4.1.1 Ideal functionality of the RFID search protocol
The ideal functionality is defined as F_aut_anon, satisfying authentication and anonymous search, as shown in Fig. 3.
1) In the UC framework the unique search session identifier sid reflects the protocol's external environment; all participants in the search protocol share the same sid. Z is activated first, then the tags and the reader; when no activation is pending between tags and reader, Z is activated again and outputs its decision.
2) The participants are tags and a reader. A search session sid contains a single reader and multiple tag entities, and one sid contains several sub-sessions s. After successfully completing the search for the specified tag, the reader concludes that the target tag exists.
3) In F_aut_anon the adversary only learns the subject/object roles of the interacting entities, i.e. Init_session(R, s) and Init_session(s', T) reveal only whether an entity is a tag or a reader, so anonymity is achieved. During the search the collision mechanism makes several tags judge themselves to be the target, so the adversary cannot decide whether the target tag exists, let alone which tag it is.
4) Through the Search message the reader authenticates and identifies the target tag; through the Accept message the tag authenticates the reader; the adversary can corrupt a tag through Corrupt, after which it obtains the tag's entire internal state. In the ideal simulation, deleting the corrupted tag's state transfers control of that tag to the adversary S.

4.1.2 UC security analysis
Conclusion 1. The proposed secure search protocol π_search realises the ideal functionality F_aut_anon and is therefore universally composable.
Proof. Construct copies of the real-world reader R, tag T and adversary A, and map the message transmissions among {R, T, A} in the real world equivalently onto message exchanges among the copies in the ideal world. The real protocol run is simulated through the interaction between the copies and Z; F_aut_anon specifies the simulated interaction among the copies, shown in Fig. 4.
Fig. 4 Protocol simulation interaction
From Fig. 4, if a tag is corrupted the simulation successfully transforms the adversary of the real protocol run into the ideal adversary of the ideal world, and the environment Z cannot distinguish their behaviour, so concurrent security in the UC framework is achieved. If the tag is not corrupted, assume f is a truly random function produced by a random noise source; then the messages exchanged in a sub-session are independently and uniformly distributed. Under this assumption the only distinguishing case is the one in which the ideal-world adversary interferes with the functions Search(s, s') and Accept(s, i); correspondingly, in the real world the reader or tag would accept a message tampered with by the adversary, and the output of the reader or tag whose message was tampered with would have to agree with the output of sub-session s in the ideal world. But f is assumed to be a truly random function, so this cannot happen. Hence if Z could distinguish interacting with the real adversary A from interacting with the ideal adversary, Z could also distinguish true random numbers from pseudo-random numbers. Since no adversary can do so in PPT, Z cannot distinguish the view of reader, tag and adversary in the real world from the view of ideal functionality, reader, tag and adversary in the ideal world. Therefore π_search achieves secure search in the UC framework.

4.2 Security in the standard security model
Conclusion 2. In the standard security model, the adversary A's advantage in the target-existence attack experiment Exp(A) against the search protocol satisfies Adv ≤ ε(n), where A decides whether the target tag exists by calling oracles O ∈ {O_1, O_2, O_3, O_4}. The proof is by cases:
1) A calls O_1(π_search) to obtain the messages between reader and tag, i.e. under normal protocol execution, and decides whether the target tag exists. A's advantage is Adv ≤ ε(n).
Proof. In the learning phase A obtains the protocol messages A, n_r, T_cur, r_i; flag‖n_j‖β_2‖δ; and β'_3. In the guessing phase A decides the existence of the target tag from this information. By the collision principle, after A, n_r, T_cur, r_i is sent, L tags answer; even when the target tag is absent, on average L tags still answer, so A cannot decide from flag‖n_j‖β_2‖δ whether a responder is the target. β'_3 is generated according to whether the tag is the target: if it is, β'_3 = (β'_{11})_{k/2→k} or β'_3 = (β'_{21})_{k/2→k}; otherwise it is an arbitrary random number. If the arbitrary random number is generated by a truly random function, deciding from β'_3 whether the tag is the target is as hard as distinguishing true randomness from pseudo-randomness; hence in this case Adv ≤ ε(n). QED.
2) A calls O_1(π_search) to obtain the protocol messages, then within PPT uses O ∈ {O_2, O_3, O_4} to replay and tamper with the message flow in an adaptive attack to decide whether the target tag exists. A's advantage is Adv ≤ ε(n).
Proof. A uses oracle O_2 to intercept the search message A*, n_r*, T_cur*, r_i and replays the learning-phase message A, n_r, T_cur, r_i. Since T_Δ = 0, the L tags in the colliding set answer with 1‖n_j‖β_2‖δ; β_2 incorporates the new diversification factor n_j, so A cannot distinguish the responses of target and non-target tags, nor link the sessions of one tag. If the reader receives a replayed flag‖n_j‖β_2‖δ, it answers with an arbitrary random β'_3 whether the replayed message came from the target tag or from a non-target tag. So A cannot use O ∈ {O_2, O_3} to decide the existence of the target tag, and Adv ≤ ε(n). Further, if the attacker replays both A, n_r, T_cur, r_i and T_cur‖β'_3, then since T_Δ = 0 the target tag's own β_3 = (β_{21})_{k/2→k} incorporates the new diversification factor n_j, so β'_3 ≠ β_3 and the tag's authentication of the reader fails. If A uses oracle O_4 to tamper with the messages in order to test the existence of the target tag, it first collects in the learning phase the responses of tag or reader to tampered messages, combines them with replay through O ∈ {O_2, O_3}, and draws its conclusion in the guessing phase. Tampering with A, n_r, T_cur, r_i is pointless: it changes the criterion by which tags judge themselves targets, hence the set of responding tags and the target itself. After tampering with flag‖n_j‖β_2‖δ, authentication fails and the reader judges the target tag to be a non-target, so the response β'_3 is an arbitrary random number; for a non-target tag the response β'_3 is likewise an arbitrary random number, so the attacker cannot decide the existence of the target tag, and Adv ≤ ε(n). QED.
Conclusion 3. The proposed search protocol resists desynchronization attacks.
Proof. The tag stores T_last, ks and id, where ks and id are constants permanently synchronised with the CA. T_last is variable, but it only takes part in the timestamp comparison; even when it is out of sync the protocol still runs normally. The effect of this loose synchronisation on desynchronization attacks against the search protocol is therefore negligible, and the protocol effectively resists desynchronization attacks.
Conclusion 4. The proposed search protocol is untraceable and anonymous.
Proof. The adversary A calls O ∈ {O_1, O_2, O_3} to collect and send the same search message and tracks tags by their responses; identical responses would allow a tag to be tracked. If A sends the same search message A, n_r, T_cur, r_i, then since T_Δ = 0 the computation of β_2 introduces a new diversification factor n_j, so A cannot track a tag by replaying the search message. Even if the attacker uses a brute-force attack to make a tag's stored T_last infinitely large, so that in the first search flag = 1 and n_j is introduced into β_2, then in subsequent tracking, if A blocks the transmission of β'_3, T_last stays infinite, flag = 1 in the next search, and the n_j in β_2 is replaced by a fresh random number, so A cannot track the tag. If A does not block β'_3, the reader corrects the tag's T_last and A still cannot track the tag. Anonymity follows from the collision principle: on average L tags answer, so A cannot distinguish between them, and the target tag's anonymity is effectively guaranteed.

5 Protocol performance analysis
Given the limited computing and storage capability of RFID tags, the design of a search protocol must consider the tag's storage, computation and communication as well as the protocol's search efficiency.
Storage: in the search protocol the tag stores T_last, ID_j, ks_j and the intermediate results T_cur and β'_3, so the tag storage required to run the protocol is length(T) + 3·length(ID)/2 + length(ks). With length(ID) = length(ks) = 96 and length(T) = 64, the required tag storage is only 304 bit, which low-cost passive tags can provide.
Computation: the protocol uses HASH, XOR and truncation operations; by the classification of [2], a lightweight protocol design meets its computational needs. Compared with the search protocol of [3], the tag performs one additional HASH, which mainly protects the tag key from being obtained by the attacker, so the attacker cannot forge tags from a compromised reader list; this improves security.
Communication: the reader sends two messages, A, n_r, T_cur, r_i and β'_3; its transmission energy cost for the search is low and, since the reader has its own power supply, can be ignored. The tag sends flag‖n_j‖β_2‖δ; when the tag's timestamp is incorrect δ is the empty string and only flag‖n_j‖β_2 is transmitted; when the timestamp is correct the energy spent transmitting flag‖β_2‖δ is very low. Compared with the protocol of [13], β'_3 is added, but this gives the tag a secure authentication of the reader, so the search protocol achieves mutual authentication.
Search efficiency: the reader queries with the message A, n_r, T_cur, r_i; by the collision principle L tags answer, so the search task only requires comparing L tag messages. Under normal conditions the tag timestamp is correct, so the reader can compute β_2 and δ offline in advance and store them, and only needs comparison operations during the search. If A brute-forces by sending A, n_r, T_cur, r_i indiscriminately with T_cur infinite, causing some tags' timestamps to become infinite through collisions, the reader can still correct the target tag's timestamp through β'_3, so during the search the reader again only needs comparisons. Hence the reader compares L search results, the search efficiency is L/2, and the prefix length can be tuned to meet the privacy-strength and search-efficiency requirements of the actual application scenario.
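The search round of Section 3.2 (prefix collision, loose-timestamp flag, β'_3 reader authentication) and the replay and clock-correction behaviour argued in Conclusions 2-4 can be exercised end to end. The following simulation is an added example and not the paper's code. It fixes choices the paper leaves open: f is instantiated as SHA-256 (so k = 256), the list entry G_T is taken as f(r_i, ks_j) XOR T_cur (the paper writes the two side by side without an operator), the prefix length, whose symbol did not survive in the text, is the parameter prefix_bits, and all keys and identifiers are constructed sample values.

```python
"""Simulation of the search protocol of Section 3.2 and its replay and clock
behaviour (Conclusions 2-4).  Added example, not the paper's code.  Assumptions
the paper leaves open: f is SHA-256 (k = 256), the list entry is
G_T = f(r_i, ks_j) XOR T_cur, and the prefix length, whose symbol is lost in
the text, is the parameter prefix_bits."""
import hashlib
import random

K = 256                                  # output length k of f, in bits
rng = random.Random(2014)                # deterministic n_r, n_j and dummy beta'_3

def f(*parts):
    """The paper's HASH f, here SHA-256 over the concatenated parts."""
    hsh = hashlib.sha256()
    for p in parts:
        hsh.update(p if isinstance(p, bytes) else p.to_bytes(32, "big"))
    return int.from_bytes(hsh.digest(), "big")

def seg(x, lo, hi):
    """(x)_{lo->hi}: bits lo..hi-1 of the k-bit value x, most significant first."""
    return (x >> (K - hi)) & ((1 << (hi - lo)) - 1)

class Tag:
    def __init__(self, tag_id, ks, t_last=0):
        self.id, self.ks, self.t_last = tag_id, ks, t_last
        self.beta3 = self.t_cur = None

    def respond(self, a, n_r, t_cur, r_i, prefix_bits):
        """Step 2: answer only if A' = A; the loose timestamp selects the flag."""
        full = f(n_r, self.id, f(r_i, self.ks) ^ t_cur)      # f(n_r, id_j, G'_T)
        if seg(full, 0, prefix_bits) != a:
            return None                                      # non-target: silent
        b = seg(full, prefix_bits, K)                        # B'
        if t_cur - self.t_last > 0:                          # T_delta > 0: eqs. (9)-(12)
            flag, n_j, delta = 0, b"", b
            beta = f(flag, b, t_cur, self.id)
            self.t_last = t_cur
        else:                                                # stale reader clock: eqs. (13)-(15)
            flag, n_j, delta = 1, rng.getrandbits(128), None
            beta = f(flag, b, n_j, self.id)
        self.beta3, self.t_cur = seg(beta, K // 2, K), t_cur
        return flag, n_j, seg(beta, 0, K // 2), delta

    def accept(self, beta3_prime):
        """Step 4: authenticate the reader; adopt its clock on success."""
        if beta3_prime != self.beta3:
            return False
        self.t_last = self.t_cur
        return True

class Reader:
    def __init__(self, r_i, t_cur, ca_entries, prefix_bits):
        # L'_i of eq. (2): the reader holds f(r_i, ks_j) XOR T_cur, never ks_j itself
        self.r_i, self.t_cur, self.prefix_bits = r_i, t_cur, prefix_bits
        self.lst = {tid: f(r_i, ks) ^ t_cur for tid, ks in ca_entries}

    def query(self, target_id):
        """Step 1: split f(n_r, id_j, G_T) into the prefix A and the remainder B."""
        n_r = rng.getrandbits(128)
        full = f(n_r, target_id, self.lst[target_id])
        self.ctx = (target_id, seg(full, self.prefix_bits, K))
        return seg(full, 0, self.prefix_bits), n_r, self.t_cur, self.r_i

    def verify(self, answer):
        """Step 3: (is_target, beta'_3); beta'_3 is a random value for non-targets."""
        target_id, b = self.ctx
        flag, n_j, beta2, delta = answer
        beta = f(flag, b, self.t_cur if flag == 0 else n_j, target_id)
        ok = seg(beta, 0, K // 2) == beta2 and (flag == 1 or delta == b)
        return ok, (seg(beta, K // 2, K) if ok else rng.getrandbits(K // 2))

def run_search(reader, tags, target_id):
    """One search round; returns (target found, number of answering tags)."""
    msg = reader.query(target_id)
    found, answers = False, 0
    for tag in tags:
        ans = tag.respond(*msg, reader.prefix_bits)
        if ans is None:
            continue
        answers += 1
        is_target, beta3_prime = reader.verify(ans)
        found |= is_target
        tag.accept(beta3_prime)                              # non-targets reject the random value
    return found, answers

def expected_colliders(n, prefix_bits):
    """Mean number of non-target tags sharing the target's prefix under the
    uniform-output assumption of Section 3.2 (each matches with probability 2^-prefix_bits)."""
    return (n - 1) / 2 ** prefix_bits

def demo():
    """Constructed scenario: 64 tags, a 3-bit prefix, reader clock T_cur = 1000."""
    entries = [(tid, f(b"constructed key seed", tid)) for tid in range(1, 65)]
    tags = [Tag(tid, ks) for tid, ks in entries]
    reader = Reader(0xA5, 1000, entries, prefix_bits=3)
    out = {"present": run_search(reader, tags, 7),
           "absent": run_search(reader, [t for t in tags if t.id != 8], 8)}
    msg = reader.query(7)                    # same T_cur again: the target now sees T_delta = 0
    a1, a2 = (tags[6].respond(*msg, 3) for _ in range(2))
    out["replay"] = (a1[0], a1[2] != a2[2], reader.verify(a2)[0])   # flag 1, fresh n_j, still verified
    stale = Tag(7, entries[6][1], t_last=10 ** 9)                    # clock pushed far ahead (Conclusion 4)
    out["stale"] = (run_search(reader, [stale], 7)[0], stale.t_last)
    return out
```

Running demo() shows the three properties the paper argues: with a 3-bit prefix several non-target tags answer the query for an absent tag (so the responder count alone does not reveal existence), two answers of the same tag to a repeated query carry different β_2 because n_j is fresh, and a tag whose clock has been pushed far ahead still authenticates through the flag = 1 path and has its T_last corrected by β'_3.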
A New Ultra-Lightweight RFID Mutual Authentication Protocol

A New Ultra-Lightweight RFID Mutual Authentication Protocol
Authors: 马庆; 郭亚军; 曾庆江; 徐铎
Journal: 《信息网络安全》
Year (volume), issue: 2016(000)005
Abstract: Aiming at a typical class of current ultra-lightweight RFID security authentication protocols, this paper first gives a desynchronization attack scheme, then analyses the security problems present in the RAPP protocol, and finally proposes an improved ultra-lightweight RFID mutual authentication protocol, PAPP. The new protocol improves the message design of the RAPP protocol and adds to the tag's storage pseudo-random-number information that belongs only to the tag. The pseudo-random number is updated before the tag generates its messages, which guarantees the freshness of the tag-side messages. The protocol avoids the security flaws of existing RFID authentication protocols. Security and performance analysis show that the protocol has strong security and privacy-protection properties, resists various malicious attacks, and meets the requirements of low-cost RFID tags.
Abstract (English): Targeting current typical ultra-lightweight RFID security authentication protocols, we propose a desynchronization attack scheme. Then we analyze the security vulnerabilities of the RAPP protocol and propose a novel ultra-lightweight RFID mutual authentication protocol named PAPP, which avoids the security hole in the previous RFID authentication protocols. The new protocol improves the design of the messages of the RAPP protocol and adds a random number that belongs only to the tag; the random number is updated in advance to ensure the freshness of the message generated by the tag. Security analysis and performance evaluation show that the protocol not only possesses robust security and privacy protection properties, but also resists various attacks and fits the requirements of low-cost RFID systems.
Pages: 7 (pp. 44-50)
Author affiliations: 华中师范大学计算机学院, 湖北武汉 430079; 华中师范大学计算机学院, 湖北武汉 430079; 华中师范大学计算机学院, 湖北武汉 430079; 北京警察学院, 北京 102202
Language: Chinese
CLC number: TP309
An Ultra-Lightweight Secure Authentication Protocol for Low-Cost RFID Tags

An Ultra-Lightweight Secure Authentication Protocol for Low-Cost RFID Tags
《太原学院学报》 Vol. 35 No. 1, March 2017

Abstract: RFID technology is now very widely applied, and the large-scale use of low-cost tags with weak computing and storage capability makes its security threats increasingly prominent. On the basis of a survey of the current state of research at home and abroad, this paper proposes an ultra-lightweight security authentication protocol suitable for low-cost RFID tags. Using a lightweight hash function, pseudo-random numbers and an updatable pre-shared key, the protocol achieves mutual authentication between the server/reader and the tag; during authentication it resists impersonation, replay, tracking and desynchronization attacks, the common attacks on RFID protocols, and, when the ownership of the attached object changes, it implements ownership

1 Current domestic and foreign research on security protocols for low-cost RFID tags
Sarma S et al. proposed the Hash-Lock protocol based on a hash function [7]; subsequently, researchers built on it to propose the randomized Hash-Lock protocol, the Hash-Lock chain protocol and others. These protocols all

A complete RFID system comprises a reader (Reader),
An Ultra-Lightweight RFID Authentication Protocol Based on Cross Bit Operations

《计算机科学》 (Computer Science), Vol. 40 No. 11, Nov. 2013

An Ultra-Lightweight RFID Authentication Protocol Based on Cross Bit Operations
杜宗印, 章国安, 袁红林 (School of Electronics and Information, Nantong University, Nantong 226019)

Abstract: To address the security risks of radio frequency identification systems and the high cost of tags, an ultra-lightweight RFID authentication protocol based on cross bit operations (CURAP) is proposed, and its correctness and security are proved with the BAN-logic formal analysis method. CURAP defines a cross bit operation comprising XOR and left circular shift; during the protocol run, data-update operations are performed only in the reader, while the tag merely extracts values from the transmitted messages with simple XOR operations. Security analysis and performance evaluation show that CURAP not only provides strong mutual authentication and resists many kinds of attack, but also effectively reduces the tag's computation and storage requirements, making it suitable for low-cost RFID systems.
Keywords: radio frequency identification, authentication protocol, BAN logic, ultra-lightweight, cross
CLC number: TP309   Document code: A

… as shown in Fig. 1, in the RFID system the channel between the back-end database and the reader is a wired secure channel; in the following the two are treated as one party of the protocol, collectively called the reader R, and the tag is the other party T.

… searches the back-end database for an identical TID. If one is found, it retrieves the matching keys K1, K2 and enters the mutual authentication phase; otherwise the reader resends the request signal.
Mutual authentication phase: after finding the matching TID, the reader generates two random numbers N1, N2 and, with the matched keys Ki, computes A = Cro(K1, K2) ⊕ N1, B = Rot(K1, K2) ⊕ N2 and C = Cro(N2, K1) ⊕ Cro(Rot(N1, N2), K2), and sends the message A ‖

… the tag's shared key Ki and shared secret ID are both updated, and the random number Ni used in each session is different, so even if an attacker intercepts the messages C, D of a previous exchange and replays them in a later session, they will not pass authentication.
(6) Resistance to denial-of-service attacks. When the protocol runs its update phase, the reader's internal
Lightweight RFID Authentication Protocols

An Efficient and Private RFID Authentication Protocol Supporting Ownership Transfer
Süleyman Kardaş 1,2, Serkan Çelik 1,2, Atakan Arslan 1, and Albert Levi 2
1 TÜBITAK BILGEM UEKAE, Gebze, Kocaeli
2 Sabancı University, Faculty of Engineering and Natural Sciences, İstanbul, TR-34956, Turkey

Abstract. Radio Frequency IDentification (RFID) systems are getting pervasively deployed in many daily life applications. But this increased usage of RFID systems brings some serious problems with it, security and privacy. In some applications, ownership transfer of RFID labels is a sine qua non need. Specifically, the owner of an RFID tag might be required to change several times during its lifetime. Besides, after ownership transfer, the authentication protocol should also prevent the old owner from tracing the tags and disallow the new owner from tracing old transactions of the tags. On the other hand, while addressing privacy and security concerns, the computation complexity should be considered. In order to resolve these issues, numerous authentication protocols have been proposed in the literature. Many of them failed, and their computation load on the server side is very high. Motivated by this need, we propose an RFID mutual authentication protocol that provides ownership transfer. In our protocol, the server needs only constant-time complexity for identification when the tag and server are synchronized. In case of ownership transfer, our protocol preserves both the old and the new owner's privacy. Our protocol is backward untraceable against a strong adversary who compromises tags, and also forward untraceable under an assumption.
Keywords: RFID, Privacy, Security, Ownership Transfer Protocol.

1 Introduction
Today, ubiquitous information and communication technology has been widely accepted by everyone who aspires to reach information anytime and anywhere.
Radio-frequency identification(RFID)systems are one of the ubiquitous com-puting in which technology provides practical services to people in their daily life.RFID technology aims to identify and track an item or a person by using radio waves.It has been pervasively deployed in several daily life applications such as contact-less credit cards,e-passports,ticketing systems,etc.A RFID system basically consists of several tags(transponders),a set of read-ers(interrogator)and a back-end receiver.A tag contains a microchip which carries data and antenna.It is interrogated by a reader via its modulated radio signals.A RFID reader that is the central part of an RFID system,acquires G.Avoine and O.Kara(Eds.):LightSec2013,LNCS8162,pp.130–141,2013.c Springer-Verlag Berlin Heidelberg2013An Efficient and Private RFID Authentication Protocol131 the data of the tag and conveys it to the back-end system for further processing. Moreover,RFID tags can be categorized into three groups by using energy source such as active,passive and semi-passive or battery assisted tags.Passive RFID tags do not have internal energy sources.Instead,they use the radio energy transmitted by the reader[10].Furthermore,RFID systems can also be grouped into three basic ranges by their using operating frequency:Low frequency(LF, 30-300KHz),high frequency(HF3-30MHz)and ultra high frequency(300 MHz-3GHz)/microwave(>3GHz)[9].Nowadays,the number of RFID applications have been proliferating because of their productivity,efficiency,reliability and so on.Many companies also prefer low-cost tags with tiny sizes.This brings some computational and memory re-strictions to RFID tags.On the other hand,RFID tags and readers communicate with each other over an air interface.This insecure channel and the limited ca-pabilities of RFID tags cause security and privacy vulnerabilities.An adversary can do tag impersonating,tracking,eavesdropping,and denial of service(DoS) attack.Besides the vulnerabilities,a tag might be 
distinguishable in its life-span by an attacker.If it is once recognized by an adversary,it can be easily traceable. At that situation,there might be two attacks.(i)An attacker might track the previous interactions of the tag or(ii)he may track the future ones.These two attacks are called backward traceability and forward traceability,respectively. The protocol used for RFID system should provide not only resistance against passive attacks,replay attacks,cloning attacks but also resistance against active attacks.There are public-key cryptography solutions in the literature but none of them are convenient for the low-cost tags used in lots of applications because of their limitations.It needs tofind much light-weight approaches.Therefore, many light-weight authentication protocols are proposed to defeat adversaries that deceive the capacity-restricted tags.But,designing light-weight crypto-graphic authentication protocols with basic cryptographic primitives(xor,hash function)is a challenging task[18].Another significant problem is the changing ownership of an RFID tag several times during its life-cycle.For instance,tags are initially created and attached to objects by producers,then labeled objects are taken over to retailers,and finally consumers buy tagged objects from shopping malls[13].The ownership of a labeled object may be frequently transferred from one party to another.At the moment of the transfer,both new and old owners have the same information about the tag.This might cause privacy problems.This transfer should guarantee that the old owner should no longer be able to trace the future interactions and the new owner should not be able to trace old interactions.Besides having secure authentication protocols by providing privacy,the performance of the entire system becomes an important issue.Therefore,designing authentication protocol without compromising security and privacy begets decreases the efficiency of the whole system.However,achieving both 
security and privacy properties,the computational complexity of the tag and the server side can vary dramatically from one protocol to another.Hence,while handling security and privacy issues, it is also important to realize it with less computational complexity.132S.Karda¸s et al.In order to resolve these security and privacy issues,numerous RFID authen-tication protocols have been recently proposed[1,4,5,7,8,11,12,14–17].How-ever,some of them are not compliant to ownership transfer.Also,none of them achieves constant-time complexity for identification while providing forward un-traceability against old-owner and backward untraceability(forward secrecy) against the new owner.Our Contributions.We propose an efficient,secure and private RFID mu-tual authentication protocol which needs constant-time complexity to identify a tag.Then,we utilize this protocol and achieve a secure and efficient ownership transfer.We prove that our protocol achieves forward secrecy against the new owner and forward untraceability against the old owner.Moreover,we also show that our protocol provides forward secrecy against a strong attack and forward untraceability under an assumption that the adversary misses one subsequent successful protocol between the reader and the compromised tag.The outline of the paper is as follows.In Section2,security and threat model, security and privacy concerns are discussed in RFID systems for ubiquitous networks.Section3describes our proposed protocol.In Section4,analysis of our protocol is given in detail.In Section5,we conclude the paper.2Adversarial ModelIn this section we describe our adversarial model used in analyzing the proposed protocol,then define the privacy notions which are also used to be proved.Since the tags and the reader communicates over an insecure wireless channel,we consider Byzantine adversarial model[6].–Each tag memory is not tamper resistant and vulnerable to physical attacks.–Each tag/reader performs cryptographic hash 
operations.–The reader and tags communicate over an insecure wireless channel and so an active attacker can intercept,modify and generate messages.–The messages between server and readers are transmitted securely.–The reader and the server are assumed to be trusted parties.They cannot be compromised.Since the tags are not tamper resistant,we assume that a strong adversary can corrupt a tag and access to its persistent memory.In this case,the adversary should not be able link any current and past communication of the victim tags. This privacy notion is called backward untraceability.We define it more formally as follows.Definition1.Backward Untraceability:An RFID scheme provides backward untraceability if A compromising T i at time t cannot trace the past interactions of T i that occurred at time t <t.On the other hand,the strong adversary should not be able to trace the future interactions of the victim tag.This privacy notion,called forward untraceability, is described as follows.An Efficient and Private RFID Authentication Protocol133Definition2.Forward Untraceability:An RFID scheme provides forward un-traceability if A compromising T i at time t cannot trace the future interactions of T i that occurred at time t >t.3The Proposed ProtocolIn this section,we propose a novel scalable RFID authentication protocol which is the enhanced version of the scheme presented in[12].In our protocol,we achieve the constant-time complexity for the authentication of synchronized tags whereas the complexity in[12]is O(N)where N is the number of tag in the system.The notations used in the protocol are defined.Then,the initialization and the authentication phases are described in detail.The protocol is summarized in Figure1.3.1The Notations–∈R:The random choice operator that randomly selects an element from a finite set.–⊕,||:XOR operator and concatenation operator,respectively.–h,H:A hash function s.t.h:{0,1}∗→{0,1}n,H:{0,1}∗→{0,1}2n.Both of them are one-way and collision resistant 
functions.–N:The number of tags in the database.–N a,N b:n-bit nonce generated by the reader and the tag,respectively.–K:n-bit secret shared between the tag and the reader.–val1,val2:n-bit the server validator of the tag and the reader,respectively.–K old1,K old2:Previous n-bit secret shared between the tag and the reader.–val old1,val old2:Previous n-bit the server validator of the tag and the reader,respectively.–L,S:The seed value of val1and val2,respectively.–r1,r2:n-bit random bit strings produced by h(N a),h(N b,K),respectively.–v i:n-bit random bit strings produced by h(K,r1,r2).–M1,M2:M1=v1⊕L,M2=v2⊕S.–DB:Server database.–γ:n-bit string.–state:1-bit string is0or1.3.2The Registration PhaseFor each tag T i,the following steps have to be performed by the registrar(e.g. the tag manufacturer)before the authentication protocol:1.The registrar generates three n-bit random nonce(K,S,L).It also computesval1=h(L,K),val2=h(S).Initially,K old1and K old2are both equal to K, S old is equal to S,and val old1is equal to val1.Finally,state is set to0and it computes hash of the shared secret key K,γ=h(K).134S.Karda¸s et al.2.The registrar creates an entry in its back-end database and stores(K,S,val1,K old1,K old2,S old,val old1,h(K))in the entry.3.The registrar assigns(K,L,val2,state)to the tag T i.3.3The Authentication PhaseIn our protocol(see Figure1)each tag stores its own triple values K,L,val2,γ,and state.The reader stores the K,S,val1for that tag.The steps are de-scribed below.Step1.A reader randomly generates an n-bit nonce N a and computes hash of it r1=h(N a).Then it sends r1to the tag T i.Step2.The tag T i randomly generates a n-bit N b nonce and computes hash of it,r2=h(N b,K).Then,it checks the state.If its own state is0,it computes hash of the shared secret key K.If it is not,the tag randomly generates a n-bitγter,the tag uses a pseudo-random function that digests r1, r2messages with shared secret key K to compute v1||v2=H(K,r1,r2).The length of each v1and v2are 
both equal to n.After that,the tag computes message M1by simply XORing v1with secret L.Finally,the tag sends r2, M1andγmessages to the reader.Step3.The reader transfers N a,r1,r2,M1,andγto the server.Step4.The serverfirstly searches in DB that there exists h(K)equals toγ.The server performs an exhaustive search among all tags in the database.It computes v1||v2=H(K,r1,r2)and h(M1⊕v1,K).The server checks whether h(M1⊕v1,K old1)is equals to val1.If one match is found,then the server computes M2message by XORing v2with S and then sends M2to the reader.After that,it updates K old2=K old1,K old1=K,S old=S, val old1=val1,K=v2,S=N a,and val1=r2.If no match is found, then the server performs another an exhaustive search among all tags in the database.In this time,it computes v1||v2=H(K old1,r1,r2)and it checks whether h(M1⊕v1,K old2)is equals to val old1.If one match is found,the server computes M2message by XORing v2with S and sends M2to the tag.After that,it updates K=v2,S=N a,and val1=r1.However,if there is no match,the server generates an n-bit random bit string and sends it to the reader.The reason behind sending random bit string is that this prevents any attacker to validate M1for random nonce r1and r2.Step5.The reader forwards M2to the tag T i.Upon receiving M2message,T i computes h(M2⊕v2)and checks whether it is equal to val2.If equal,then it updates K=v2,L=N b,and val2=r1.3.4The Ownership TransferWhen the owner of the tags are required to change one party to another,the tags arefirst synchronized with the server.The server runs at least two successful authentication protocols with tags in a secure environment where no adversaryAn Efficient and Private RFID Authentication Protocol 135is allowed to perform any passive/active attacks.Then,all the tags and their related information are transferred to new owner.Once the new owner receives the information and tags,he/she runs at least one successful protocol between readers and the tags in a secure environment where a 
malicious adversary is not allowed.During the ownership transfer,the old owner does not need to transfer the se-cret values of K old 2and S old of the tags to the new owner because the remaining secrets are enough to communicate with the synchronized tags.Server[K,K old 1,K old 2,S,S old ,val 1,val old 1,h (K )]Tag [K,L,val 2,state ]Reader N a ∈R {0,1}n r 1=h (N a )r 1-N b ∈R {0,1}n r 2=h (N b ,K )if(state =0)γ=h (K )else γ∈R {0,1}n v 1||v 2=H (K,r 1,r 2)|v 1|=|v 2|=n M 1=v 1⊕L state =1r 2,M 1,γ r 1,r 2,N a ,M 1,γ -M 2-M 2if h (M 2⊕v 2)=val 2K =v 1,L =N b ,val 2=r 1.state =0.if ∃γ=h (K )in DB if h (M 1⊕v 1,K old 1)=val 1s.t.v 1||v 2=H (K,r 1,r 2)M 2=v 2⊕S ,K old 2=K old 1K old 1=K,S old =S ,val old 1=val 1,K =v 1,S =N a ,val 1=r 2.else {For each record in DBif h (M 1⊕v 1,K old 2)=val 1s.t.v 1||v 2=H (K old 1,r 1,r 2)M 2=v 2⊕S ,K old 2=K old 1K old 1=K,S old =S ,val old 1=val 1,K =v 1,S =N a ,val 1=r 2.else M 2∈R {0,1}n }Fig.1.The Proposed RFID Authentication Protocol4Security,Privacy,and Performance AnalysisIn this section,we first describe the adversarial capabilities.Then,we analyze our ownership transfer protocol depicted in Figure 1against passive and strong attacks.In our model,we assume that each tag can perform cryptographic hash op-erations.The communication between server and readers are assumed to be136S.Karda¸s et al.secure because they have no restriction on using SSL/TLS protocol.However, the reader and tags communicate over an insecure wireless channel and so an attacker can intercept,modify and generate messages.Also,each tag memory isnot tamper-proof.4.1The Security against Timing AttacksThe proposed protocol is vulnerable to timing attacks[3].An adversary candistinguish synchronized tags and un-synchronized tags by simply considering the response time of the server because the identification time for the latter tags requires much more than the former tags.This kind of attacks can beavoided by using distributed computation servers.Let us illustrate 
the solution. Assume that we have220tags in the database and the server does only223hashcomputation per second.Then,the time to identify an un-synchronized tag is 220/223=0.125s but for the synchronized tag is almost zero.For the solution,we can use multiple distributed server(say16),then the identification time can bereduced to0.125/16=7,8125ms and when a synchronized tag is to be identified the server waits up to7,8125ms.4.2The Security against Passive AdversaryAn offline passive adversary may want to know the contents of the secrets K and L stored in the tag T i.Then,the adversary simply eavesdrops the channels between a legitimate reader and T i in order to get r1,r2,M1,M2andγ.With these information and publish hash function H,she cannot obtain the secret K or L because of one-wayness of the hash function.Moreover,the protocol also resists against replay attack because a challenge-response scheme is used in the protocol.In addition,for each session of the protocol a new pair of random numbers(r1,r2)are used.This prevents to use the same challenge-response values in other sessions.Furthermore,our protocol is resistant against desynchronization even if’last flow of the protocol drops.Normally,this causes desynchronization of the tag secrets and the back-end server.However,this issue is resolved by storing pre-vious tag secrets in the database.Hence the server can resynchronize with the tags in such a condition.4.3The Security against Strong AdversaryIn this section,we will analyze the protocol depicted at Figure1in terms of backward and forward untraceability[2,15,19]against old owner,new owner, and a strong malicious adversary who can compromise a tag.As a starting point, we assume that at time t i,the owner of the system is changed.We test backward untraceability for the new owner,denoted by A n,with assumption that A n has had control over communications between reader and tags made before time t i.Note that,the number of these communications 
is finite. Similarly, we test forward untraceability against the old owner, denoted by A_o. Also, we test these two privacy properties against a strong adversary A_s, with the assumption that A_s has the ability to corrupt a tag and capture its secrets. Throughout the analysis, in order to make the proofs more understandable and without loss of generality, we assume that there are only two tags in the system, namely T_0 and T_1. First of all, let us give the definitions of the concepts mentioned above and of the oracle that we use in the proofs of the theorems given below.

Definition 3. Oracle O_k: The oracle chooses b ∈R {0,1}. If b = 0, O_k sends the adversary the protocol transcript that was realized between tag T_0 and the reader at time t_k. Similarly, if b = 1, the protocol transcript that was realized between tag T_1 and the reader at time t_k is sent to the adversary by the oracle. At the end, the adversary sends back a bit b' after investigating the transcript sent. If Pr[b' = b] = 1/2 + ε, where ε is non-negligible, then the adversary wins.

One can give a simplified version of the oracle defined above as follows: at time t_i, A gets the information of the server and of the tag T_0. Then at time t_k, O_k chooses b ∈R {0,1}. The transcript sent to the adversary according to the value of b is the same as above. Then A returns b' = 0 if he thinks the transcript sent by the oracle was realized between the reader and tag T_0; otherwise the adversary returns b' = 1. If Pr[b' = b] = 1/2 + ε, where ε is non-negligible, then the adversary wins.

Throughout the proofs of the corresponding theorems, four subsequent successful protocol transactions are enough. Thus, without loss of generality, we assume that i = 4 is the time at which the server owner changed, i.e. the change happens at time t_4. Moreover, in addition to the notation given in the protocol steps, we use a left subscript to denote the time at which a value was used (written here as, for example, _4val_1 for the value of val_1 at time t_4). In order to obtain the traceability capability of A_n, we start by studying the more powerful adversary A_c, who has had all secrets of
the server and tags at time t_i and observed all protocol transactions realized before the given time.

Theorem 1. The system has the backward untraceability property for time t_k satisfying k < i − 3 for the adversary A_c.

Proof. Since at time t_4 A_c knows the value of _4val_1, and this value equals _3r_2, at time t_3 A_c can trace T_0. Moreover, as A_c knows the value of _4S_old1, she knows the value of _3S. Thus, the value _2N_a is known. Therefore, at time t_2 A_c can trace T_0, as he can figure out the value of _2r_1 from h(_2N_a). Note that after that point A_c knows _2r_2 and _2M_2, and since _2K = _4K_old2, the values of _2v_1 and _2v_2 are known. Hence _2S is known. So A_c learns the value of _1N_a. From this knowledge, A_c calculates _1r_1. Therefore, A_c can trace T_0 at time t_1, which means A_c also learns the values of _1r_2, _1M_1, _1M_2. Apart from these values, _1L is also known. Note that the only thing A_c knows about the transaction that happened at time t_0 is _0N_b. Thus, the probability of A_c finding the correct value of _0r_2 is 1/2^n, since _0K is not known and the range of the hash function h is {0,1}^n. Similarly, the probability of finding the correct values of _0r_1, _0M_1, _0M_2 is 1/2^n. Thus, the probability that A_c distinguishes the transcript that the oracle sent is 1/2 + 1/2^n. However, 1/2^n is negligible. Therefore, if A_c has all secrets of the server and tags at time t_i, then the system has the backward untraceability property for time t_k satisfying k < i − 3.

Remark 1. The values K_old2 and S_old of the tags are stored in the server database in order to overcome the synchronization problem. If the system is synchronized when the ownership transfer is realized, then the K_old2 and S_old values are not given to A_n.

In the next part, we give a backward traceability result for an adversary A_cR, which is like A_c with the exception indicated in Remark 1.

Corollary 1. The system has the backward untraceability property for time t_k satisfying k < i − 2 for the adversary A_cR.

Remark 2. Privacy is the main aim that should be reached. Therefore, just before
the ownership transfer, A_o completes two successful protocol transactions with the tags such that no part of the protocol transcripts is seen by A_n.

Note that the adversary A_c with the incapability explained in Remark 2 corresponds to the new owner, A_n. Thus, we have the following corollary.

Corollary 2. For the new owner, A_n, the system has the backward untraceability property for time t_k satisfying k < i.

Theorem 2. If A_o has all secrets of the server and tags at time t_i, then the system has the forward untraceability property for time t_k satisfying k > i.

Proof. Since an ownership transfer occurs, A_o misses at least one of the subsequent successful protocol transactions between A_n and the tags. We get the best result if one missed subsequent successful transaction is assumed. In that case, A_o only knows the values of _5K_old1, _4K_old2, _5S_old1 and _4val_1old. Since the attacker missed a subsequent successful transaction, the other values are unknown. Note that A_o can find the value of _4r_2 with probability 1/2^n, since the value of _4N_b is not known. By similar arguments, A_o guesses the value _4r_2 with probability 1/2^n. Although A_o knows the values of _4S and _4L, as _4v_1 and _4v_2 are not known, A_o can figure out the values of _4M_1 and _4M_2 with probability 1/2^n. Hence, the probability that A_n distinguishes the transcript that the oracle sent is at most 1/2 + 1/2^n. However, 1/2^n is negligible. Therefore, if A_o has all secrets of the server and tags at time t_i, then the system has the forward untraceability property for time t_k satisfying k > i.

Our next result is about the adversary A_s, who can corrupt a tag and capture all secrets of the tag at any given time, and follow all steps of each successful protocol run before and after the time at which the corruption occurs.

Corollary 3. If A_s corrupts a tag at time t_j with j = i, then the system has backward untraceability for time t_k satisfying k < j − 1 and forward untraceability for time t_k satisfying k > j + 1, under the assumption that A_s misses the transactions
that occurred at times j + 1 and j − 1.

Proof. The forward secrecy part is a direct result of Theorem 2. Moreover, the backward secrecy result is derived from Remark 3.

Remark 3. If A_s does not miss the transaction at j − 1, then by the knowledge of _jval_2 he deduces the value of _{j−1}r_1. Thus, the values of _{j−1}r_2, _{j−1}M_1, _{j−1}M_2 are known to him. Thus, in this case, A_s can trace the corrupted tag at time t_{j−1}. However, no more traces are possible, because A_s knows only the value _{j−2}N_b about the transaction realized at time t_{j−2}, and by arguments similar to those given in the proof of Theorem 1, the success probability that A_s traces the corrupted tag at time t_{j−2} is 1/2 + 1/2^n, and 1/2^n is negligible.

Remark 4. If A_s does not miss any transaction after the corruption occurs, then A_s can trace the corrupted tag forever.

Theorem 3. The proposed protocol satisfies tag authentication under the assumption specified in Corollary 3.

Proof. First of all, let us assume that the adversary has no tag-corruption capability. In this case, the adversary has to learn the value of either K or K_old1 to impersonate the tag. To learn the values of these variables, the adversary has to learn the value of v_1 of the previous protocol transcript. However, to learn the value of v_1, the adversary has to figure out the value of K of previous runs or the value of L. However, the value of L is the random N_b value chosen in the previous run. Thus, the adversary can only guess the value of L. Therefore, the values v_1, K and K_old1 are dependent on each other. Thus, the only remaining way for the adversary to impersonate the tag is to guess the value of v_1, K or K_old1 correctly.
Since the space of these variables is large enough, the success probability of the adversary is negligible. Moreover, since tag authentication is investigated under the assumption of Corollary 3, the system satisfies tag authentication for the case where the adversary can corrupt the tag.

4.4 Performance Issues

Considering memory storage for tag identifiers or keys and other information, our protocol requires 3n + 1 bits (3n bits for K, L and val2, and 1 bit for state) of memory on the tag side. Contrary to tags, the server has no limited resources, so we do not consider server-side memory usage. Concerning computational cost, our protocol requires at most 4 hash computations of overhead for the tag. If the tags and the server are synchronized, the computational complexity at the server side is O(1). Otherwise, the complexity is at most O(N).

5 Conclusions

In this paper, we first proposed a secure and efficient RFID mutual authentication protocol, which is a revised version of the scheme presented in [12]. With the use of the authentication protocol, we achieve ownership transfer. We prove that our protocol provides forward untraceability against the old owner of the tags and backward untraceability against the new owner of the tags. Also, we show that our authentication protocol provides backward untraceability of a tag against an adversary who compromises the tag, and forward untraceability under the assumption that the adversary misses at least one of the subsequent authentication protocol runs between the tag and the reader. Our protocol requires O(1) complexity to identify a synchronized tag.

References

1. Alomair, B., Clark, A., Cuellar, J., Poovendran, R.: Scalable RFID systems: a privacy-preserving protocol with constant-time identification. In: International Conference on Dependable Systems and Networks, pp. 1–10 (2010)
2. Avoine, G.: Cryptography in Radio Frequency Identification and Fair Exchange Protocols. PhD thesis, EPFL, Lausanne, Switzerland (December 2005)
3. Avoine, G., Coisel, I., Martin, T.: Time Measurement
Threatens Privacy-Friendly RFID Authentication Protocols. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 138–157. Springer, Heidelberg (2010)
4. Burmester, M., de Medeiros, B., Motta, R.: Anonymous RFID authentication supporting constant-cost key-lookup against active adversaries. IJACT 1(2), 79–90 (2008)
5. Dimitriou, T.: A Lightweight RFID Protocol to protect against Traceability and Cloning attacks. In: SECURECOMM 2005: Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, pp. 59–66. IEEE Computer Society, Washington, DC (2005)
6. Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, pp. 350–357. IEEE Computer Society, Washington, DC (1981)
7. Erguler, I., Anarim, E.: Practical attacks and improvements to an efficient radio frequency identification authentication protocol. Concurrency and Computation: Practice and Experience (October 2011)
8. Fernàndez-Mir, A., Trujillo-Rasua, R., Castellà-Roca, J., Domingo-Ferrer, J.: Scalable RFID Authentication Protocol Supporting Ownership Transfer and Controlled Delegation. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 147–162. Springer, Heidelberg (2012)
9. Finkenzeller, K.: RFID Handbook. John Wiley and Sons (2003)
10. Garfinkel, S., Rosenberg, B.: RFID: Applications, Security, and Privacy. Addison-Wesley (2005)
11. Ha, J., Moon, S.-J., Nieto, J.M.G., Boyd, C.: Low-Cost and Strong-Security RFID Authentication Protocol. In: EUC Workshops, pp. 795–807 (2007)
12. Kardaş, S., Levi, A., Murat, E.: Providing Resistance against Server Information Leakage in RFID Systems. In: New Technologies, Mobility and Security – NTMS 2011, Paris, France, pp. 1–7. IEEE Computer Society (February 2011)
13. Lim, C.H., Kwon, T.: Strong and Robust RFID Authentication Enabling Perfect Ownership Transfer. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 1–20. Springer, Heidelberg (2006)
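The timing oracle of Section 4.1 and the O(1)/O(N) server cost of Section 4.4, as an added example that is not code from Kardaş et al.: a toy server indexes its records by h(K), counts hash evaluations as the proxy for response time, and a padded variant releases every answer only at the precomputed bound. The record layout and the tag's proof value h(K, r1, r2) are constructed simplifications of the Figure 1 messages, not the protocol's own M1/val1 check.

```python
import hashlib
import os
import time

N_BYTES = 16  # toy n = 128 bits; stands in for the paper's n-bit hash output


def h(*parts: bytes) -> bytes:
    """One-way hash over the concatenation of its inputs (SHA-256 truncated to n bits)."""
    return hashlib.sha256(b"".join(parts)).digest()[:N_BYTES]


def identification_bound(num_tags: int, hashes_per_second: float, servers: int) -> float:
    """Worst-case seconds to identify an unsynchronized tag when the N records are
    split across `servers` machines that each do `hashes_per_second` (Sec. 4.1)."""
    return num_tags / hashes_per_second / servers


class Server:
    def __init__(self, keys):
        self.records = [{"K": k} for k in keys]  # constructed, simplified records
        # index on h(K): the O(1) path used when a synchronized tag sends gamma = h(K)
        self.index = {h(r["K"]): r for r in self.records}
        self.hash_calls = 0  # work counter; stands in for the server's response time

    def _matches(self, rec, r1, r2, proof):
        self.hash_calls += 1
        return h(rec["K"], r1, r2) == proof

    def identify_raw(self, gamma, r1, r2, proof):
        """Return the matching record (or None); the work done leaks the tag's state."""
        rec = self.index.get(gamma)
        if rec is not None and self._matches(rec, r1, r2, proof):
            return rec  # synchronized tag: one hash
        for rec in self.records:  # unsynchronized tag (random gamma): up to N hashes
            if self._matches(rec, r1, r2, proof):
                return rec
        return None

    def identify_padded(self, gamma, r1, r2, proof, bound_s):
        """Same answer, released no earlier than bound_s seconds after the query, so a
        synchronized and an unsynchronized tag are indistinguishable by response time.
        bound_s must cover the worst-case scan (the paper's 7.8125 ms per server)."""
        start = time.perf_counter()
        rec = self.identify_raw(gamma, r1, r2, proof)
        remaining = bound_s - (time.perf_counter() - start)
        if remaining > 0:
            time.sleep(remaining)
        return rec, time.perf_counter() - start


def tag_response(K, r1, synchronized):
    """Constructed tag reply: gamma = h(K) when state = 0, a random value when state = 1.
    The proof h(K, r1, r2) is a simplification of the paper's M1/val1 verification."""
    r2 = os.urandom(N_BYTES)
    gamma = h(K) if synchronized else os.urandom(N_BYTES)
    return gamma, r2, h(K, r1, r2)


def run_query(server, K, synchronized, bound_s=None):
    """Act as the reader for one session; return (found, hashes_used, elapsed_seconds)."""
    r1 = h(os.urandom(N_BYTES))  # r1 = h(Na) as in Fig. 1
    gamma, r2, proof = tag_response(K, r1, synchronized)
    before = server.hash_calls
    if bound_s is None:
        rec, elapsed = server.identify_raw(gamma, r1, r2, proof), None
    else:
        rec, elapsed = server.identify_padded(gamma, r1, r2, proof, bound_s)
    return rec is not None and rec["K"] == K, server.hash_calls - before, elapsed
```

Calling run_query without a bound shows the work gap (1 hash versus N hashes) that an adversary measures; with bound_s set to identification_bound(2**20, 2**23, 16) both kinds of tag are answered at 7.8125 ms.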
Design and Analysis of a Lightweight RFID Mutual Authentication Protocol

Journal of Xidian University (Natural Science Edition), Vol. 39, No. 1, Feb. 2012

... RFID mutual authentication protocol. Its security is proved under a provable-security model, and the privacy-protection and security properties of the protocol are analyzed. Compared with several existing RFID authentication protocols of similar structure, the protocol effectively solves the privacy-protection and security problems of RFID systems and has significant performance advantages: it greatly reduces the storage and computation required of the tag, and in particular improves the retrieval efficiency of the server database.

Key words: RFID; Hash; authentication; privacy; security
A Lightweight RFID Mutual Authentication Protocol Based on SASI

Author: Wu Lizhi. Source: Computer Knowledge and Technology, 2013, No. 24.

Abstract: Research on authentication protocols for lightweight RFID systems must consider both the security of the wireless communication between tag and reader and the hardware resource limits of the system in computation, storage and communication.
Addressing the defects of existing lightweight RFID security protocols, this paper proposes a lightweight RFID mutual authentication protocol based on SASI and analyzes its security.
Key words: radio frequency identification; security protocol; lightweight; mutual authentication. CLC number: TP393. Document code: A. Article ID: 1009-3044(2013)24-5419-04

1 Overview

As a new automatic identification technology, RFID can identify multiple objects at the same time; the identification process uses radio frequency and needs neither a laser nor transparent packaging, so objects can be identified through the surrounding material [1].
RFID needs no direct contact with the identified object and no human intervention, stores a large amount of data, and is simple and convenient to operate; it is therefore widely used for data collection and processing in parking-lot management, traffic monitoring of cars and trains, automatic highway toll collection, logistics management, security access detection, assembly-line automation, animal management, warehouse management, vehicle anti-theft and other application areas.
With the wide deployment of RFID, and because of its powerful tag-tracking ability, users' information privacy and the authentication of data during information exchange have become the main security problems of such systems [2].
The information privacy problem means that a reader can read tag contents without passing a security authentication, so that tags can be illegally tracked and information leaks; the data authentication problem means that a reader need not be authenticated when reading tag data, so that tag data can be copied or tampered with [3].

2 Security Requirements of RFID Systems

When designing RFID tag application schemes, consumer privacy must be protected, starting from the problems of ID leakage, ID tracking, information inference and information backtracking.
The security requirements of an RFID system are therefore as follows [4]: 1) Access authorization: the tag authenticates the reader.
2) Tag authentication: the reader authenticates the tag, giving mutual authentication between tag and reader.
3) Tag anonymity: the real identity of the tag's user and similar information must be encrypted, so that private information stays confidential during communication.
A New Ultra-Lightweight RFID Authentication Protocol

Authors: Zhang Yali; Guo Yajun; Cui Jianqun; Zeng Qingjiang. Journal: Computer Science, 2017, 44(1), pp. 183-187 (5 pages). Affiliation (all authors): School of Computer, Central China Normal University, Wuhan 430079. Language: Chinese. CLC number: TP309.

Abstract: RFID (radio frequency identification) technology is widely used, through wireless communication, in many areas of daily life and production, such as access-control and payment devices, but the open wireless channel between reader and tag exposes RFID devices to more malicious attacks and security threats. Low-cost tags have only very limited computing power and storage, so ordinary block ciphers and hash functions cannot be used on them. To solve the security problem of low-cost tags, this paper uses bit-operation cryptographic primitives to propose a new ultra-lightweight RFID authentication protocol, SIUAP. Building on the ultra-lightweight round function F(x) of the SIMON family and the nonlinear function MIXBITS, SIUAP uses three simple bit operations (bitwise AND, XOR and cyclic shift), which greatly reduces the computational complexity. A formal analysis with GNY logic proves that SIUAP achieves mutual authentication of the legitimate identities of reader and tag, and a security analysis of SIUAP is also given. Compared with existing ultra-lightweight authentication protocols, SIUAP has a smaller computational overhead and can meet the low-cost, high-security requirements of RFID systems.

Abstract (English): RFID (Radio Frequency Identification) technology is widely applied in many fields of life and production, such as access control equipment, payment equipment and others, in a wireless communication way. However, the wireless communication environment between the reader and the tag makes the RFID device face more malicious attacks and security threats. Because a low-cost tag has only very limited computing power and storage space, common block ciphers and hash functions cannot be used for low-cost tags. To solve the security problem of the low-cost tag, this paper proposes a new ultra-lightweight RFID authentication protocol, SIUAP, using bit-operation primitives. Based on the lightweight round function F(x) and the nonlinear function MIXBITS, which belong to the SIMON algorithm, the SIUAP protocol adopts three simple bit operations: bitwise AND, XOR and cyclic shift, which greatly reduces the computational complexity. Through a formal analysis of the protocol with GNY logic, it is proved that the SIUAP protocol can realize the authentication of reader and tag. Meanwhile, a security analysis of SIUAP is also given. Compared with existing ultra-lightweight authentication protocols, the SIUAP protocol has a lower computational cost, which can meet the requirements of RFID systems for low cost and high security.

Related literature:
1. A new ultra-lightweight RFID mutual authentication protocol [J], Ma Qing; Guo Yajun; Zeng Qingjiang; Xu Duo
2. An ultra-lightweight RFID mutual authentication protocol [J], Peng Peng; Zhao Yiming; Han Weili; Jin Bo
3. A low-cost ultra-lightweight RFID mutual authentication protocol [J], Yang Xin; Ling Jie
4. An ultra-lightweight RFID mutual authentication protocol [J], Liu Yali; Qin Xiaolin; Wang Chao
5. An improved ultra-lightweight RFID authentication protocol [J], Shen Jinwei; Ling Jie
Research and Design of RFID Security Authentication Protocols

Abstract: Radio frequency identification (RFID) is a non-contact automatic identification technology.
In the 1990s, with the development of integrated-circuit and communication technology, RFID technology began to rise and attracted attention because of its wide range of applications.
As RFID technology developed further and entered practical use, its security and privacy problems received more and more attention.
Security and privacy have now become one of the main factors restricting the development of RFID technology.
Starting from the attack model for RFID systems, and with the goal of designing a security protocol that meets lightweight requirements, this thesis carried out research in the following areas: first, on the basis of an analysis and summary of existing security authentication protocols, a hash-function-based RFID security authentication protocol was designed, its security was analyzed, and the security of the protocol was proved by the formal-analysis method of BAN logic.
The protocol achieves mutual authentication between reader and tag and meets the security and privacy requirements of an RFID system.
Next, a compatibility design of the protocol was carried out for the ISO/IEC 15693 standard, including the definition of security commands and the allocation of tag storage space, and on this basis the digital part of the tag's baseband controller was designed.
Finally, functional simulation of each tag module was completed in the Modelsim SE 6.0 environment, and the authentication module was synthesized.
The results show that the baseband controller design meets the stated requirements.
Keywords: radio frequency identification; security authentication protocol; formal analysis; ISO/IEC 15693; baseband controller

Abstract (English): Radio Frequency Identification is a non-contact automatic identification technology. With the maturing of communication technology and large-scale integrated circuits, RFID technology gradually arose in the 1990s, and its wide range of applications drew attention. As RFID edges closer towards wide-spread deployment, security and privacy issues have become a central concern and are viewed as a primary barrier to the widespread adoption of RFID technology. Starting from the attack model for RFID systems, and aiming at designing a lightweight security protocol, this thesis studied the following aspects. Firstly, we analyzed and summarized existing RFID security protocols, designed a hash-based RFID security protocol, and analyzed the security of the protocol using BAN logic. The protocol realizes mutual authentication between reader and tag and satisfies the security and privacy requirements of an RFID system. Secondly, the thesis designed the digital controller of a secure RFID tag chip according to ISO/IEC 15693 and our security protocol, including the definition of security commands, the allocation of storage space, and the design of the sub-modules. Finally, functional simulation was carried out in Modelsim SE 6.0, and the results showed that it works well.
Keywords: RFID; security authentication protocol; formal analysis; ISO/IEC 15693; digital controller
Design and Analysis of a Mobile RFID Mutual Authentication Protocol

Author: Huo Chengyi

Abstract (English): Based on wireless communication, signal broadcasting, and the non-symmetry between the forward channel and the backward channel, mobile RFID systems are confronted with many security challenges. To address these issues, the features and issues pertinent to several current typical RFID security protocols are analyzed. A new mutual authentication protocol for mobile RFID is proposed. It can achieve mutual authentication between tags, readers and the back-end database server. Its implementation only involves Hash and exclusive-OR (XOR) operations, which reduces computing complexity. The security of the proposed protocol is analyzed, and GNY logic is applied to prove its correctness.

Abstract: The wireless transmission, signal broadcasting and asymmetry between forward and backward channels that are peculiar to mobile radio frequency identification (RFID) systems expose them to many security problems.
Addressing these problems, this paper analyzes the features and defects of several existing typical RFID security protocols and proposes a new mobile RFID mutual authentication protocol that achieves mutual authentication among tag, reader and back-end database server; its implementation uses only Hash and XOR operations, which reduces the computational complexity of the tag, and its security is analyzed and proved with GNY logic.
Research and Design of a Lightweight Mobile RFID Authentication Protocol

WEI Shu-min, ZHANG Yong-hua, SHANG Yu-fang (College of Mathematics and System Science, Shandong University of Science and Technology, Qingdao 266590, China)

Computer and Modernization (JISUANJI YU XIANDAIHUA), 2016, No. 11 (total No. 255). Article ID: 1006-2475(2016)11-0074-05. CLC number: TP393.08. Document code: A. doi: 10.3969/j.issn.1006-2475.2016.11.013

Abstract: To solve the security and privacy problems caused by transmitting information over the wireless channel in mobile radio frequency identification (Mobile RFID) systems, a lightweight mobile RFID authentication protocol based on pseudo-random functions is proposed, which achieves mutual authentication among the back-end server, the reader and the tag. The computation in the protocol is concentrated mainly in the back-end server and the reader, which effectively controls the cost of the tag. The security analysis shows that the protocol can effectively resist location tracking, impersonation, replay and synchronization attacks, and its security is proved with GNY logic.

Key words: mobile RFID; security protocol; mutual authentication; GNY logic