Research and Design of Lightweight Mobile RFID Authentication Protocols


A New Ultra-Lightweight RFID Mutual Authentication Protocol


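Authors: Ma Qing; Guo Yajun; Zeng Qingjiang; Xu Duo
Journal: Netinfo Security (《信息网络安全》)
Year (volume), issue: 2016(000)005
Abstract: Targeting a typical class of current ultra-lightweight RFID security authentication protocols, the article first presents a desynchronization attack, then analyses the security problems in the RAPP protocol, and finally proposes an improved ultra-lightweight RFID mutual authentication protocol, PAPP.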

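The new protocol improves the message design of the RAPP protocol and adds to the tag's storage a pseudo-random number that belongs only to the tag.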

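The pseudo-random number is updated before the tag generates a message, which guarantees the freshness of messages on the tag side.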

The protocol avoids the security flaws of existing RFID authentication protocols.

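Security and performance analysis shows that the protocol has strong security and privacy-protection properties, resists various malicious attacks, and meets the requirements of low-cost RFID tags.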

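Targeting to current typical ultra-lightweight RFID security authentication protocol, we proposed a desynchronization attack scheme. Then we analyzed the security vulnerabilities of RAPP protocol and proposed a novel ultra-lightweight RFID mutual authentication protocol named PAPP, which avoided the security hole in the previous RFID authentication protocols. The new protocol improved the design of the message of RAPP protocol, and added a random number that belongs only to the label. Random number would be updated in advance to ensure the freshness of the message generated by the tag. Security analysis and performance evaluation showed that the protocol had not only possessed robust security and privacy protection properties, but also could resist various attacks and fit for the requirement of low-cost RFID system.

Total pages: 7 (pp. 44-50)
Authors: Ma Qing; Guo Yajun; Zeng Qingjiang; Xu Duo
Affiliations: School of Computer, Central China Normal University, Wuhan, Hubei 430079; School of Computer, Central China Normal University, Wuhan, Hubei 430079; School of Computer, Central China Normal University, Wuhan, Hubei 430079; Beijing Police College, Beijing 102202
Language of text: Chinese
CLC classification: TP309

Related literature:
1. An ultra-lightweight RFID mutual authentication protocol [J], Peng Peng; Zhao Yiming; Han Weili; Jin Bo
2. A new ultra-lightweight RFID authentication protocol [J], Zhang Yali; Guo Yajun; Cui Jianqun; Zeng Qingjiang
3. A low-cost ultra-lightweight RFID mutual authentication protocol [J], Yang Xin; Ling Jie
4. An ultra-lightweight RFID mutual authentication protocol [J], Liu Yali; Qin Xiaolin; Wang Chao
5. An ultra-lightweight RFID mutual authentication protocol based on bit-rearrangement transformation [J], Huang Keke; Liu Yali; Yin Xinchun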

An Ultra-Lightweight Security Authentication Protocol for Low-Cost RFID Tags

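Journal of Taiyuan University (太原学院学报), Vol. 35, No. 1, March 2017

Abstract: RFID technology is now very widely applied, and because low-cost tags with weak computing and storage capabilities are deployed in large numbers, the security threats they face are increasingly prominent. On the basis of a summary of the state of research at home and abroad, the article proposes an ultra-lightweight security authentication protocol suitable for low-cost RFID tags. By using a lightweight hash function, pseudo-random numbers, updatable pre-shared keys and similar techniques, the protocol achieves mutual authentication between the server/reader and the tag. During authentication it resists impersonation attacks, replay attacks, tracking, desynchronization and other common attacks on RFID protocols, and, when the ownership of the object the tag is attached to changes, it achieves the ownership

1 State of research at home and abroad on security protocols for low-cost RFID tags

A complete RFID system includes a reader (Reader),

Sarma S. et al. proposed the hash-function-based Hash-Lock protocol [7]; other researchers subsequently proposed, on this basis, the randomized Hash-Lock protocol, the Hash-Lock chain protocol and others. Protocols of this class all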

An Ultra-Lightweight RFID Authentication Protocol Based on Cross Bit Operations

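Computer Science (计算机科学), Vol. 40, No. 11, Nov 2013

Du Zongyin, Zhang Guoan, Yuan Honglin (School of Electronics and Information, Nantong University, Nantong 226019)

Abstract: To address the security risks of radio frequency identification systems and the relatively high cost of tags, an ultra-lightweight RFID authentication protocol based on cross bit operations (CURAP) is proposed, and its correctness and security are proved with the BAN-logic formal analysis method. CURAP defines a cross bit operation, comprising XOR and left cyclic shift operations. While the protocol runs, data-update operations are performed only in the reader, and the tag only needs to extract values from the transmitted messages with simple XOR operations. Security analysis and performance evaluation show that CURAP not only provides strong mutual authentication and resists many kinds of attack, but also effectively reduces the tag's computation and storage requirements, and is suitable for low-cost RFID systems.
Keywords: radio frequency identification, authentication protocol, BAN logic, ultra-lightweight, cross
CLC number: TP309. Document code: A

... as shown in 1, in an RFID system the channel between the back-end database and the reader is a wired secure channel; in the rest of this paper they are treated as one protocol party, collectively called reader R, and the tag is the other party, T.

... searches the back-end database for an identical TID. If one is found, the matching keys K1, K2 are retrieved and the mutual authentication phase begins; otherwise the reader re-sends the request signal.
Mutual authentication phase: after finding the identical TID, the reader generates two random numbers N1, N2 and, using the matching keys Ki, computes A = Cro(K1, K2) ⊕ N1, B = Rot(K1, K2) ⊕ N2, C = Cro(N2, K1) ⊕ Cro(Rot(N1, N2), K2), and sends the message A ||

... authentication succeeds.
(5) Resistance to replay attacks. When a run of the protocol ends, the shared key Ki and the shared secret TID of the legitimate reader and the tag are both updated, and the random number Nf used in each session is different. Even if an attacker captures the messages C, D of a previous exchange and replays them in a later session, authentication will not succeed.
(6) Resistance to denial-of-service attacks. During the update phase of a protocol run, inside the reader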

RFID Lightweight Authentication Protocols


An Efficient and Private RFID Authentication Protocol Supporting Ownership Transfer

Süleyman Kardaş (1,2), Serkan Çelik (1,2), Atakan Arslan (1), and Albert Levi (2)
(1) TÜBITAK BILGEM UEKAE, Gebze, Kocaeli
(2) Sabancı University, Faculty of Engineering and Natural Sciences, İstanbul, TR-34956, Turkey

G. Avoine and O. Kara (Eds.): LightSec 2013, LNCS 8162, pp. 130–141, 2013. © Springer-Verlag Berlin Heidelberg 2013

Abstract. Radio Frequency IDentification (RFID) systems are getting pervasively deployed in many daily life applications. But this increased usage of RFID systems brings some serious problems together, security and privacy. In some applications, ownership transfer of RFID labels is sine qua non need. Specifically, the owner of RFID tag might be required to change several times during its lifetime. Besides, after ownership transfer, the authentication protocol should also prevent the old owner to trace the tags and disallow the new owner to trace old transactions of the tags. On the other hand, while achieving privacy and security concerns, the computation complexity should be considered. In order to resolve these issues, numerous authentication protocols have been proposed in the literature. Many of them failed and their computation load on the server side is very high. Motivated by this need, we propose an RFID mutual authentication protocol to provide ownership transfer. In our protocol, the server needs only a constant-time complexity for identification when the tag and server are synchronized. In case of ownership transfer, our protocol preserves both old and new owners' privacy. Our protocol is backward untraceable against a strong adversary who compromise tag, and also forward untraceable under an assumption.

Keywords: RFID, Privacy, Security, Ownership Transfer Protocol.

1 Introduction

Today, ubiquitous information and communication technology has been widely accepted by everyone that aspire to reach information anytime and anywhere. Radio-frequency identification (RFID) systems are one of the ubiquitous computing in which technology provides practical services to people in their daily life. RFID technology aims to identify and track an item or a person by using radio waves. It has been pervasively deployed in several daily life applications such as contact-less credit cards, e-passports, ticketing systems, etc.

A RFID system basically consists of several tags (transponders), a set of readers (interrogator) and a back-end receiver. A tag contains a microchip which carries data and antenna. It is interrogated by a reader via its modulated radio signals. A RFID reader that is the central part of an RFID system, acquires the data of the tag and conveys it to the back-end system for further processing. Moreover, RFID tags can be categorized into three groups by using energy source such as active, passive and semi-passive or battery assisted tags. Passive RFID tags do not have internal energy sources. Instead, they use the radio energy transmitted by the reader [10]. Furthermore, RFID systems can also be grouped into three basic ranges by their using operating frequency: Low frequency (LF, 30-300 KHz), high frequency (HF 3-30 MHz) and ultra high frequency (300 MHz-3 GHz) / microwave (>3 GHz) [9].

Nowadays, the number of RFID applications have been proliferating because of their productivity, efficiency, reliability and so on. Many companies also prefer low-cost tags with tiny sizes. This brings some computational and memory restrictions to RFID tags. On the other hand, RFID tags and readers communicate with each other over an air interface. This insecure channel and the limited capabilities of RFID tags cause security and privacy vulnerabilities. An adversary can do tag impersonating, tracking, eavesdropping, and denial of service (DoS) attack. Besides the vulnerabilities, a tag might be
distinguishable in its life-span by an attacker. If it is once recognized by an adversary, it can be easily traceable. At that situation, there might be two attacks. (i) An attacker might track the previous interactions of the tag or (ii) he may track the future ones. These two attacks are called backward traceability and forward traceability, respectively. The protocol used for RFID system should provide not only resistance against passive attacks, replay attacks, cloning attacks but also resistance against active attacks. There are public-key cryptography solutions in the literature but none of them are convenient for the low-cost tags used in lots of applications because of their limitations. It needs to find much light-weight approaches. Therefore, many light-weight authentication protocols are proposed to defeat adversaries that deceive the capacity-restricted tags. But, designing light-weight cryptographic authentication protocols with basic cryptographic primitives (xor, hash function) is a challenging task [18].

Another significant problem is the changing ownership of an RFID tag several times during its life-cycle. For instance, tags are initially created and attached to objects by producers, then labeled objects are taken over to retailers, and finally consumers buy tagged objects from shopping malls [13]. The ownership of a labeled object may be frequently transferred from one party to another. At the moment of the transfer, both new and old owners have the same information about the tag. This might cause privacy problems. This transfer should guarantee that the old owner should no longer be able to trace the future interactions and the new owner should not be able to trace old interactions.

Besides having secure authentication protocols by providing privacy, the performance of the entire system becomes an important issue. Therefore, designing authentication protocol without compromising security and privacy begets decreases the efficiency of the whole system. However, achieving both
security and privacy properties, the computational complexity of the tag and the server side can vary dramatically from one protocol to another. Hence, while handling security and privacy issues, it is also important to realize it with less computational complexity.

In order to resolve these security and privacy issues, numerous RFID authentication protocols have been recently proposed [1, 4, 5, 7, 8, 11, 12, 14–17]. However, some of them are not compliant to ownership transfer. Also, none of them achieves constant-time complexity for identification while providing forward untraceability against old-owner and backward untraceability (forward secrecy) against the new owner.

Our Contributions. We propose an efficient, secure and private RFID mutual authentication protocol which needs constant-time complexity to identify a tag. Then, we utilize this protocol and achieve a secure and efficient ownership transfer. We prove that our protocol achieves forward secrecy against the new owner and forward untraceability against the old owner. Moreover, we also show that our protocol provides forward secrecy against a strong attack and forward untraceability under an assumption that the adversary misses one subsequent successful protocol between the reader and the compromised tag.

The outline of the paper is as follows. In Section 2, security and threat model, security and privacy concerns are discussed in RFID systems for ubiquitous networks. Section 3 describes our proposed protocol. In Section 4, analysis of our protocol is given in detail. In Section 5, we conclude the paper.

2 Adversarial Model

In this section we describe our adversarial model used in analyzing the proposed protocol, then define the privacy notions which are also used to be proved. Since the tags and the reader communicates over an insecure wireless channel, we consider Byzantine adversarial model [6].

– Each tag memory is not tamper resistant and vulnerable to physical attacks.
– Each tag/reader performs cryptographic hash operations.
– The reader and tags communicate over an insecure wireless channel and so an active attacker can intercept, modify and generate messages.
– The messages between server and readers are transmitted securely.
– The reader and the server are assumed to be trusted parties. They cannot be compromised.

Since the tags are not tamper resistant, we assume that a strong adversary can corrupt a tag and access to its persistent memory. In this case, the adversary should not be able link any current and past communication of the victim tags. This privacy notion is called backward untraceability. We define it more formally as follows.

Definition 1. Backward Untraceability: An RFID scheme provides backward untraceability if $A$ compromising $T_i$ at time $t$ cannot trace the past interactions of $T_i$ that occurred at time t <t.

On the other hand, the strong adversary should not be able to trace the future interactions of the victim tag. This privacy notion, called forward untraceability, is described as follows.

Definition 2. Forward Untraceability: An RFID scheme provides forward untraceability if $A$ compromising $T_i$ at time $t$ cannot trace the future interactions of $T_i$ that occurred at time t >t.

3 The Proposed Protocol

In this section, we propose a novel scalable RFID authentication protocol which is the enhanced version of the scheme presented in [12]. In our protocol, we achieve the constant-time complexity for the authentication of synchronized tags whereas the complexity in [12] is $O(N)$ where $N$ is the number of tag in the system. The notations used in the protocol are defined. Then, the initialization and the authentication phases are described in detail. The protocol is summarized in Figure 1.

3.1 The Notations

– $\in_R$: The random choice operator that randomly selects an element from a finite set.
– $\oplus$, $\|$: XOR operator and concatenation operator, respectively.
– $h$, $H$: A hash function s.t. $h : \{0,1\}^* \to \{0,1\}^n$, $H : \{0,1\}^* \to \{0,1\}^{2n}$. Both of them are one-way and collision resistant functions.
– $N$: The number of tags in the database.
– $N_a$, $N_b$: n-bit nonce generated by the reader and the tag, respectively.
– $K$: n-bit secret shared between the tag and the reader.
– $val_1$, $val_2$: n-bit the server validator of the tag and the reader, respectively.
– $K_{old1}$, $K_{old2}$: Previous n-bit secret shared between the tag and the reader.
– $val_{old1}$, $val_{old2}$: Previous n-bit the server validator of the tag and the reader, respectively.
– $L$, $S$: The seed value of $val_1$ and $val_2$, respectively.
– $r_1$, $r_2$: n-bit random bit strings produced by $h(N_a)$, $h(N_b, K)$, respectively.
– $v_i$: n-bit random bit strings produced by $h(K, r_1, r_2)$.
– $M_1$, $M_2$: $M_1 = v_1 \oplus L$, $M_2 = v_2 \oplus S$.
– $DB$: Server database.
– $\gamma$: n-bit string.
– $state$: 1-bit string is 0 or 1.

3.2 The Registration Phase

For each tag $T_i$, the following steps have to be performed by the registrar (e.g. the tag manufacturer) before the authentication protocol:

1. The registrar generates three n-bit random nonce $(K, S, L)$. It also computes $val_1 = h(L, K)$, $val_2 = h(S)$. Initially, $K_{old1}$ and $K_{old2}$ are both equal to $K$, $S_{old}$ is equal to $S$, and $val_{old1}$ is equal to $val_1$. Finally, $state$ is set to 0 and it computes hash of the shared secret key $K$, $\gamma = h(K)$.
2. The registrar creates an entry in its back-end database and stores $(K, S, val_1, K_{old1}, K_{old2}, S_{old}, val_{old1}, h(K))$ in the entry.
3. The registrar assigns $(K, L, val_2, state)$ to the tag $T_i$.

3.3 The Authentication Phase

In our protocol (see Figure 1) each tag stores its own triple values $K$, $L$, $val_2$, $\gamma$, and $state$. The reader stores the $K$, $S$, $val_1$ for that tag. The steps are described below.

Step 1. A reader randomly generates an n-bit nonce $N_a$ and computes hash of it $r_1 = h(N_a)$. Then it sends $r_1$ to the tag $T_i$.

Step 2. The tag $T_i$ randomly generates a n-bit $N_b$ nonce and computes hash of it, $r_2 = h(N_b, K)$. Then, it checks the $state$. If its own $state$ is 0, it computes hash of the shared secret key $K$. If it is not, the tag randomly generates a n-bit $\gamma$. Later, the tag uses a pseudo-random function that digests $r_1$, $r_2$ messages with shared secret key $K$ to compute $v_1 \| v_2 = H(K, r_1, r_2)$. The length of each $v_1$ and $v_2$ are both equal to $n$. After that, the tag computes message $M_1$ by simply XORing $v_1$ with secret $L$. Finally, the tag sends $r_2$, $M_1$ and $\gamma$ messages to the reader.

Step 3. The reader transfers $N_a$, $r_1$, $r_2$, $M_1$, and $\gamma$ to the server.

Step 4. The server firstly searches in $DB$ that there exists $h(K)$ equals to $\gamma$. The server performs an exhaustive search among all tags in the database. It computes $v_1 \| v_2 = H(K, r_1, r_2)$ and $h(M_1 \oplus v_1, K)$. The server checks whether $h(M_1 \oplus v_1, K_{old1})$ is equals to $val_1$. If one match is found, then the server computes $M_2$ message by XORing $v_2$ with $S$ and then sends $M_2$ to the reader. After that, it updates $K_{old2} = K_{old1}$, $K_{old1} = K$, $S_{old} = S$, $val_{old1} = val_1$, $K = v_2$, $S = N_a$, and $val_1 = r_2$. If no match is found, then the server performs another an exhaustive search among all tags in the database. In this time, it computes $v_1 \| v_2 = H(K_{old1}, r_1, r_2)$ and it checks whether $h(M_1 \oplus v_1, K_{old2})$ is equals to $val_{old1}$. If one match is found, the server computes $M_2$ message by XORing $v_2$ with $S$ and sends $M_2$ to the tag. After that, it updates $K = v_2$, $S = N_a$, and $val_1 = r_1$. However, if there is no match, the server generates an n-bit random bit string and sends it to the reader. The reason behind sending random bit string is that this prevents any attacker to validate $M_1$ for random nonce $r_1$ and $r_2$.

Step 5. The reader forwards $M_2$ to the tag $T_i$. Upon receiving $M_2$ message, $T_i$ computes $h(M_2 \oplus v_2)$ and checks whether it is equal to $val_2$. If equal, then it updates $K = v_2$, $L = N_b$, and $val_2 = r_1$.

3.4 The Ownership Transfer

When the owner of the tags are required to change one party to another, the tags are first synchronized with the server. The server runs at least two successful authentication protocols with tags in a secure environment where no adversary is allowed to perform any passive/active attacks. Then, all the tags and their related information are transferred to new owner. Once the new owner receives the information and tags, he/she runs at least one successful protocol between readers and the tags in a secure environment where a malicious adversary is not allowed.

During the ownership transfer, the old owner does not need to transfer the secret values of $K_{old2}$ and $S_{old}$ of the tags to the new owner because the remaining secrets are enough to communicate with the synchronized tags.

Fig. 1. The Proposed RFID Authentication Protocol

Parties: Server $[K, K_{old1}, K_{old2}, S, S_{old}, val_1, val_{old1}, h(K)]$; Reader; Tag $[K, L, val_2, state]$.

Reader: $N_a \in_R \{0,1\}^n$, $r_1 = h(N_a)$.
Reader → Tag: $r_1$.
Tag: $N_b \in_R \{0,1\}^n$, $r_2 = h(N_b, K)$; if ($state = 0$) $\gamma = h(K)$ else $\gamma \in_R \{0,1\}^n$; $v_1 \| v_2 = H(K, r_1, r_2)$, $|v_1| = |v_2| = n$; $M_1 = v_1 \oplus L$; $state = 1$.
Tag → Reader: $r_2, M_1, \gamma$.
Reader → Server: $r_1, r_2, N_a, M_1, \gamma$.
Server: if $\exists\, \gamma = h(K)$ in $DB$:
    if $h(M_1 \oplus v_1, K_{old1}) = val_1$ s.t. $v_1 \| v_2 = H(K, r_1, r_2)$:
        $M_2 = v_2 \oplus S$, $K_{old2} = K_{old1}$, $K_{old1} = K$, $S_{old} = S$, $val_{old1} = val_1$, $K = v_1$, $S = N_a$, $val_1 = r_2$.
  else { For each record in $DB$:
    if $h(M_1 \oplus v_1, K_{old2}) = val_1$ s.t. $v_1 \| v_2 = H(K_{old1}, r_1, r_2)$:
        $M_2 = v_2 \oplus S$, $K_{old2} = K_{old1}$, $K_{old1} = K$, $S_{old} = S$, $val_{old1} = val_1$, $K = v_1$, $S = N_a$, $val_1 = r_2$.
    else $M_2 \in_R \{0,1\}^n$ }
Server → Reader → Tag: $M_2$.
Tag: if $h(M_2 \oplus v_2) = val_2$: $K = v_1$, $L = N_b$, $val_2 = r_1$, $state = 0$.

4 Security, Privacy, and Performance Analysis

In this section, we first describe the adversarial capabilities. Then, we analyze our ownership transfer protocol depicted in Figure 1 against passive and strong attacks.

In our model, we assume that each tag can perform cryptographic hash operations. The communication between server and readers are assumed to be secure because they have no restriction on using SSL/TLS protocol. However, the reader and tags communicate over an insecure wireless channel and so an attacker can intercept, modify and generate messages. Also, each tag memory is not tamper-proof.

4.1 The Security against Timing Attacks

The proposed protocol is vulnerable to timing attacks [3]. An adversary can distinguish synchronized tags and un-synchronized tags by simply considering the response time of the server because the identification time for the latter tags requires much more than the former tags. This kind of attacks can be avoided by using distributed computation servers. Let us illustrate
the solution. Assume that we have $2^{20}$ tags in the database and the server does only $2^{23}$ hash computation per second. Then, the time to identify an un-synchronized tag is $2^{20}/2^{23} = 0.125$ s but for the synchronized tag is almost zero. For the solution, we can use multiple distributed server (say 16), then the identification time can be reduced to $0.125/16 = 7,8125$ ms and when a synchronized tag is to be identified the server waits up to 7,8125 ms.

4.2 The Security against Passive Adversary

An offline passive adversary may want to know the contents of the secrets $K$ and $L$ stored in the tag $T_i$. Then, the adversary simply eavesdrops the channels between a legitimate reader and $T_i$ in order to get $r_1$, $r_2$, $M_1$, $M_2$ and $\gamma$. With these information and publish hash function $H$, she cannot obtain the secret $K$ or $L$ because of one-wayness of the hash function. Moreover, the protocol also resists against replay attack because a challenge-response scheme is used in the protocol. In addition, for each session of the protocol a new pair of random numbers $(r_1, r_2)$ are used. This prevents to use the same challenge-response values in other sessions.

Furthermore, our protocol is resistant against desynchronization even if last flow of the protocol drops. Normally, this causes desynchronization of the tag secrets and the back-end server. However, this issue is resolved by storing previous tag secrets in the database. Hence the server can resynchronize with the tags in such a condition.

4.3 The Security against Strong Adversary

In this section, we will analyze the protocol depicted at Figure 1 in terms of backward and forward untraceability [2, 15, 19] against old owner, new owner, and a strong malicious adversary who can compromise a tag. As a starting point, we assume that at time $t_i$, the owner of the system is changed. We test backward untraceability for the new owner, denoted by $A_n$, with assumption that $A_n$ has had control over communications between reader and tags made before time $t_i$. Note that, the number of these communications is finite. Similarly, we test forward untraceability against the old owner, denoted by $A_o$. Also, we test these two privacy properties against a strong adversary $A_s$ with assumption that $A_s$ has ability of corrupting a tag and captures its secrets. Throughout the analysis, in order to make proofs more understandable, without loss of generality, we assume that there are only two tags in the system, namely $T_0$ and $T_1$.

First of all, let us give the definitions of concepts mentioned above and the oracle that we use in the proofs of theorem given below.

Definition 3. Oracle $O_k$: The oracle chooses $b \in_R \{0,1\}$. If $b = 0$, $O_k$ sends to the adversary the protocol transcript which was realized between tag $T_0$ and the reader at time $t_k$. Similarly, if $b = 1$, the protocol transcript which was realized between tag $T_1$ and the reader at time $t_k$ is sent to the adversary by the oracle. At the end, the adversary sends the bit b by after investigating the transcript sent. If Pr[(b = b) = 1] = 1/2 + , where is non-negligible, than the adversary wins.

One can give simplified version of the oracle defined above as follows: At time $t_i$, $A$ gets information of server and the tag $T_0$. Then at time $t_k$, $O_k$ chooses $b \in_R \{0,1\}$. The transcript sent to the adversary according to value of $b$ same as above. Then, $A$ returns b = 0 if he thinks the transcript sent by oracle realized between reader and tag $T_0$. Otherwise the adversary returns b = 1. If Pr[(b = b) = 1] = 1/2 + , where is non-negligible, than the adversary wins.

Throughout the proofs given to the corresponding theorem, four subsequent successful protocol transactions are enough. Thus, without loss of generality, we assume that $i = 4$ is the time where server owner changed, i.e. at time $t_4$. Moreover, addition to the notations given at protocol steps, we use left subscript part to denote the time that it was used.

In order to obtain traceability capability of $A_n$, we start studying with more powerful adversary $A_c$, who has had all secrets of the server and tags at time $t_i$ and observed all protocol transactions realized before given time.

Theorem 1. The system has backward untraceability property for time $t_k$ satisfying $k < i - 3$ for the adversary $A_c$.

Proof. Since at time $t_4$, $A_c$ knows the value of ${}_4val_1$ and this value equals to ${}_3r_2$, then at time $t_3$, $A_c$ can traces $T_0$. Moreover, as $A_c$ knows the value of ${}_4S_{old1}$, then she knows the value of ${}_3S$. Thus, ${}_2N_a$ value is known. Therefore, at time $t_2$, $A_c$ can trace $T_0$ as he can figure out the value of ${}_2r_1$ from $h({}_2N_a)$. Note that, after that point, $A_c$ knows ${}_2r_2$ and ${}_2M_2$ and since ${}_2K = {}_4K_{old2}$, the values of ${}_2v_1$ and ${}_2v_2$ are known. Hence, ${}_2S$ is known. So, $A_c$ learns the value of ${}_1N_a$. From this knowledge, $A_c$ calculates ${}_1r_1$. Therefore, $A_c$ can trace $T_0$ at time $t_1$, which means $A_c$ also learns the values of ${}_1r_2$, ${}_1M_1$, ${}_1M_2$. Apart from these values, ${}_1L$ is also known. Note that, the only thing $A_c$ knows about the transaction happened at time $t_0$ is ${}_0N_b$. Thus, the probability of $A_c$'s finding the correct value of ${}_0r_2$ is $\frac{1}{2^n}$ since ${}_0K$ is not known and the range of hash function $h$ is $\{0,1\}^n$. Similarly, finding correct values of ${}_0r_1$, ${}_0M_1$, ${}_0M_2$ is $\frac{1}{2^n}$. Thus, the probability that $A_c$ distinguishes the transcript that the oracle sent is $\frac{1}{2} + \frac{1}{2^n}$. However, $\frac{1}{2^n}$ is negligible.

Therefore, if $A_c$ has all secrets of the server and tags at time $t_i$, then the system has backward untraceability property for time $t_k$ satisfying $k < i - 3$.

Remark 1. The values of $K_{old2}$ and $S_{old}$ of tags are stored in server database in order to overcome synchronization problem. If the system is synchronized when ownership transfer is realized, then $K_{old2}$ and $S_{old}$ values are not given to $A_n$.

At the next part, we give a backward traceability result for an adversary $A_{cR}$, which is like $A_c$ with exception indicated at Remark 1.

Corollary 1. The system has backward untraceability property for time $t_k$ satisfying $k < i - 2$ for the adversary $A_{cR}$.

Remark 2. The privacy is the main aim that should be reached. Therefore, just before ownership transfer, $A_o$ completes two successful protocol transactions with tags such that no part of the protocol transcripts are seen by $A_n$.

Note that the adversary $A_c$ with incapability explained at Remark 2 corresponds to the new owner, $A_n$. Thus, we have the following corollary.

Corollary 2. For the new owner, $A_n$, the system has backward untraceability property for time $t_k$ satisfying $k < i$.

Theorem 2. If $A_o$ has all secrets of the server and tags at time $t_i$, then the system has forward untraceability property for time $t_k$ satisfying $k > i$.

Proof. Since ownership transfer occurs, $A_o$ misses at least one of the subsequent successful protocol transactions between $A_n$ and tags. We can get the best result if one subsequent successful transaction miss is assumed. In that case, $A_o$ only knows values of ${}_5K_{old1}$, ${}_4K_{old2}$, ${}_5S_{old1}$ and ${}_4val_{1old}$. Since the attacker missed a subsequent successful transaction, the other values are unknown. Note that, $A_o$ can find the value of ${}_4r_2$ with possibility of $\frac{1}{2^n}$ since the value of ${}_4N_b$ is not known. By similar arguments, $A_o$ guesses the value ${}_4r_2$ with possibility of $\frac{1}{2^n}$. Although $A_o$ knows the values of ${}_4S$ and ${}_4L$, as ${}_4v_1$ and ${}_4v_2$ are not known, $A_o$ can figure out the values of ${}_4M_1$ and ${}_4M_2$ with possibility of $\frac{1}{2^n}$. Hence, the probability that $A_n$ distinguishes the transcript that the oracle sent is at most $\frac{1}{2} + \frac{1}{2^n}$. However, $\frac{1}{2^n}$ is negligible.

Therefore, if $A_0$ has all secrets of the server and tags at time $t_i$, then the system has forward untraceability property for time $t_k$ satisfying $k > i$.

Our next result is about the adversary, $A_s$, who can corrupt a tag and capture all secrets of the tag at any given time and follow all steps of the each successful protocol runs before and after the time that corruption occurs.

Corollary 3. If $A_s$ corrupts a tag at time $t_j$ with j =i, then the system has backward untraceability for time $t_k$ satisfying $k < j - 1$ and forward untraceability for time $t_k$ satisfying $k > j + 1$ under the assumption that $A_s$ misses the transactions occurred at time $j + 1$ and $j - 1$.

Proof. Forward secrecy part is direct result of Theorem 2. Moreover, the backward secrecy result is derived from Remark 3.

Remark 3. If $A_s$ does not miss the transaction at $j - 1$, then by the knowledge of ${}_jval_2$, he deduces the value of ${}_{j-1}r_1$. Thus, the values of ${}_{j-1}r_2$, ${}_{j-1}M_1$, ${}_{j-1}M_2$ are known to him. Thus, in this case, $A_s$ can trace the corrupted tag at time $t_{j-1}$. However, no more traces are possible, because $A_s$ knows only the value of ${}_{j-2}N_b$ about the transaction realized at time $t_{j-2}$ and from the similar arguments given at proof of Theorem 1, the success probability that $A_s$ traces the corrupted tag at time $t_{j-2}$ is $\frac{1}{2} + \frac{1}{2^n}$ and $\frac{1}{2^n}$ is negligible.

Remark 4. If $A_s$ does not miss any transaction after corruption occurs, then $A_s$ can trace the corrupted tag forever.

Theorem 3. The proposed protocol satisfies tag authentication under the assumption specified in Corollary 3.

Proof. First of all, let us assume that the adversary has no corrupt tag capability. In this case, the adversary has to learn the value of either $K$ or $K_{old1}$ to impersonate the tag. To learn the values of these variables, the adversary has to learn the value of $v_1$ of previous protocol transcript. However, to learn the value of $v_1$, the adversary has to figure out the value of $K$ of previous runs or the value of $L$. However, the value of $L$ is the chosen random $N_b$ value of previous run. Thus, the adversary can only guess the value of $L$. Therefore, the values $v_1$, $K$ and $K_{old1}$ are dependent each other. Thus, the only remained way for the adversary to impersonate the tag is to guess the value of $v_1$, $K$ or $K_{old1}$ correctly.
Since the space of these variables are large enough, the success probability of the adversary is negligible.

Moreover, since the tag authentication is investigated under the assumption Corollary 3, the system satisfies tag authentication for the case where the adversary can corrupt the tag.

4.4 Performance Issues

Considering memory storage for tag identifiers or keys and other information, our protocol requires $3n + 1$ bit ($3n$-bit for $K$, $L$, and $val_2$ and 1-bit for $state$) memory in tag side. Contrary to tags, server has no limited resource so we do not consider the server-side memory usage.

Concerning computational cost, our protocol requires at most 4 hash computation overhead for the tag. If the tags and the server are synchronized, the computational complexity at the server side is $O(1)$. Otherwise, the complexity is at most $O(N)$.

5 Conclusions

In this paper, we first proposed a secure and efficient an RFID mutual authentication protocol which is the revised version of the scheme presented in [12]. With the use of the authentication protocol, we achieve ownership transfer. We prove that our protocol provides forward untraceability against the old owner of the tags and backward untraceability against the new owner of the tags. Also, we show that our authentication protocol provides backward untraceability of a tag against an adversary who compromises the tag and forward untraceability under the assumption that the adversary misses at least one of the subsequent authentication protocol between the tag and the reader. Our protocol requires $O(1)$ complexity to identify a synchronized tag.

References

1. Alomair, B., Clark, A., Cuellar, J., Poovendran, R.: Scalable RFID systems: a privacy-preserving protocol with constant-time identification. In: International Conference on Dependable Systems and Networks, pp. 1–10 (2010)
2. Avoine, G.: Cryptography in Radio Frequency Identification and Fair Exchange Protocols. PhD thesis, EPFL, Lausanne, Switzerland (December 2005)
3. Avoine, G., Coisel, I., Martin, T.: Time Measurement Threatens Privacy-Friendly RFID Authentication Protocols. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 138–157. Springer, Heidelberg (2010)
4. Burmester, M., de Medeiros, B., Motta, R.: Anonymous RFID authentication supporting constant-cost key-lookup against active adversaries. IJACT 1(2), 79–90 (2008)
5. Dimitriou, T.: A Lightweight RFID Protocol to protect against Traceability and Cloning attacks. In: SECURECOMM 2005: Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, pp. 59–66. IEEE Computer Society, Washington, DC (2005)
6. Dolev, D., Yao, A.C.: On the security of public key protocols. In: Proceedings of the 22nd Annual Symposium on Foundations of Computer Science, pp. 350–357. IEEE Computer Society, Washington, DC (1981)
7. Erguler, I., Anarim, E.: Practical attacks and improvements to an efficient radio frequency identification authentication protocol. Concurrency and Computation: Practice and Experience (October 2011)
8. Fernàndez-Mir, A., Trujillo-Rasua, R., Castellà-Roca, J., Domingo-Ferrer, J.: Scalable RFID Authentication Protocol Supporting Ownership Transfer and Controlled Delegation. In: Juels, A., Paar, C. (eds.) RFIDSec 2011. LNCS, vol. 7055, pp. 147–162. Springer, Heidelberg (2012)
9. Finkenzeller, K.: RFID Handbook. John Wiley and Sons (2003)
10. Garfinkel, S., Rosenberg, B.: RFID: Applications, Security, and Privacy. Addison-Wesley (2005)
11. Ha, J., Moon, S.-J., Nieto, J.M.G., Boyd, C.: Low-Cost and Strong-Security RFID Authentication Protocol. In: EUC Workshops, pp. 795–807 (2007)
12. Kardaş, S., Levi, A., Murat, E.: Providing Resistance against Server Information Leakage in RFID Systems. In: New Technologies, Mobility and Security – NTMS 2011, Paris, France, pp. 1–7. IEEE Computer Society (February 2011)
13. Lim, C.H., Kwon, T.: Strong and Robust RFID Authentication Enabling Perfect Ownership Transfer. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 1–20. Springer, Heidelberg (2006)
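The registration and authentication phases of the Kardaş et al. protocol above (Sections 3.2 and 3.3), run end to end as an added example that is not code from the paper: it shows the constant-time lookup through γ = h(K) for a synchronized tag and the full scan with the stored old secrets after the last flow is lost (Section 4.2). Assumptions: h and H are instantiated with truncated SHA-256, n is 128 bits, the key update is K = v2 as in the text of Steps 4 and 5 (Figure 1 writes v1), val1 = r2 in both server branches, and the recovery branch builds M2 from S_old, the value Remark 1 says is stored to overcome the synchronization problem; all class and function names are hypothetical.

```python
import hashlib
import secrets

N = 16  # n = 128 bits, in bytes (assumed size; the paper leaves n abstract)

def h(*parts):
    """h: {0,1}* -> {0,1}^n, instantiated here with truncated SHA-256."""
    return hashlib.sha256(b"h" + b"".join(parts)).digest()[:N]

def H(*parts):
    """H: {0,1}* -> {0,1}^2n, returned already split as (v1, v2)."""
    d = hashlib.sha256(b"H" + b"".join(parts)).digest()
    return d[:N], d[N:]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Tag:
    def __init__(self, K, L, val2):
        self.K, self.L, self.val2, self.state = K, L, val2, 0

    def respond(self, r1):  # Step 2
        self.r1, self.Nb = r1, secrets.token_bytes(N)
        r2 = h(self.Nb, self.K)
        # gamma = h(K) only while synchronized; otherwise a random string
        gamma = h(self.K) if self.state == 0 else secrets.token_bytes(N)
        self.v1, self.v2 = H(self.K, r1, r2)
        self.state = 1
        return r2, xor(self.v1, self.L), gamma

    def finish(self, M2):  # Step 5
        if h(xor(M2, self.v2)) != self.val2:
            return False
        self.K, self.L, self.val2, self.state = self.v2, self.Nb, self.r1, 0
        return True

class Server:
    def __init__(self):
        self.db, self.index = [], {}  # index maps h(K) -> record

    def register(self):  # Section 3.2
        K, S, L = (secrets.token_bytes(N) for _ in range(3))
        rec = dict(K=K, K_old1=K, K_old2=K, S=S, S_old=S,
                   val1=h(L, K), val_old1=h(L, K))
        self.db.append(rec)
        self.index[h(K)] = rec
        return Tag(K, L, h(S))

    def _rekey(self, rec, v2, Na, r2):
        self.index.pop(h(rec["K"]), None)
        rec.update(K=v2, S=Na, val1=r2)
        self.index[h(v2)] = rec

    def identify(self, Na, r1, r2, M1, gamma):  # Step 4
        """Return (M2, number of records examined)."""
        rec = self.index.get(gamma)
        if rec is not None:  # synchronized tag: one lookup
            v1, v2 = H(rec["K"], r1, r2)
            if h(xor(M1, v1), rec["K_old1"]) == rec["val1"]:
                M2 = xor(v2, rec["S"])
                rec.update(K_old2=rec["K_old1"], K_old1=rec["K"],
                           S_old=rec["S"], val_old1=rec["val1"])
                self._rekey(rec, v2, Na, r2)
                return M2, 1
        for i, rec in enumerate(self.db, 1):  # unsynchronized tag: full scan
            v1, v2 = H(rec["K_old1"], r1, r2)
            if h(xor(M1, v1), rec["K_old2"]) == rec["val_old1"]:
                M2 = xor(v2, rec["S_old"])  # assumption: S_old (see lead-in)
                self._rekey(rec, v2, Na, r2)
                return M2, i
        return secrets.token_bytes(N), len(self.db)  # no match: random M2

def run_session(server, tag, drop_M2=False):
    Na = secrets.token_bytes(N)
    r1 = h(Na)                                             # Step 1
    r2, M1, gamma = tag.respond(r1)                        # Step 2
    M2, examined = server.identify(Na, r1, r2, M1, gamma)  # Steps 3-4
    ok = False if drop_M2 else tag.finish(M2)              # Step 5
    return ok, examined

def demo(n_tags=1000):
    server = Server()
    tag = [server.register() for _ in range(n_tags)][-1]
    return [run_session(server, tag),                # synchronized
            run_session(server, tag, drop_M2=True),  # last flow lost
            run_session(server, tag),                # recovery by full scan
            run_session(server, tag)]                # synchronized again

if __name__ == "__main__":
    for ok, examined in demo():
        print(f"tag accepted M2: {ok}, records examined: {examined}")
```

The number of records examined (1 for a synchronized tag, up to N otherwise) is the difference in server work that Section 4.1 identifies as the timing side channel.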

Design and Analysis of a Lightweight RFID Mutual Authentication Protocol

Journal of Xidian University (Natural Science Edition) (西安电子科技大学学报(自然科学版)), Feb. 2012, Vol. 39, No. 1
doi: 10.3969/j.issn.1001-2400.2012.01.031

…RFID mutual authentication protocol. Its security is proved under a provable-security model, and the protocol's privacy-protection and security properties are analyzed. Compared with several existing RFID authentication protocols of similar structure, the protocol effectively solves the privacy-protection and security problems of RFID systems and has a significant performance advantage: it greatly reduces the storage and computation required of the tag and, in particular, improves the retrieval efficiency of the server database.

…tags, and particularly improves the search efficiency of the server database.
Key Words: RFID; Hash; authentication; privacy; security

…authentication protocol for RFID
LI Huixian

A Lightweight RFID Mutual Authentication Protocol Based on SASI


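Author: Wu Lizhi (吴立知)
Source: Computer Knowledge and Technology (《电脑知识与技术》), 2013, No. 24

Abstract: Research on authentication protocols for lightweight RFID systems must consider the security of the wireless communication between tag and reader while also respecting the system's hardware resource limits in computation, storage and communication. Addressing the shortcomings of existing lightweight RFID security protocols, this paper proposes a SASI-based lightweight RFID mutual authentication protocol and analyzes its security.

Keywords: radio frequency identification; security protocol; lightweight; mutual authentication
CLC number: TP393. Document code: A. Article ID: 1009-3044(2013)24-5419-04

1 Overview

RFID is a new type of automatic identification technology that can identify several objects at the same time. Identification uses radio frequency and needs neither a laser nor transparent outer material, so objects can be identified through their outer material [1].

RFID needs no direct contact with the identified object and no manual intervention, offers large data storage and is simple and convenient to operate. It is widely used for data collection and processing in parking-lot management systems, traffic monitoring systems for cars and trains, automatic highway toll collection, logistics management, secure access control, production-line automation, animal management, warehouse management, vehicle anti-theft and other applications.

With the wide application of RFID, and because of its powerful tag-tracking capability, user information privacy and data authentication during information exchange have become the system's main security problems [2].

The information privacy problem is that a reader can read a tag's contents without passing security authentication, so the tag can be illegally tracked and its information leaked. The data authentication problem is that a reader does not have to be authenticated when reading tag data, so tag data can be copied or tampered with [3].

2 Security Requirements Analysis of RFID Systems

An RFID tag application should be designed to protect consumer privacy, starting with the problems of ID leakage, ID tracking, information inference and information backtracking.

The security requirements of an RFID system are therefore as follows [4]:

1) Access authorization: the tag authenticates the reader.

2) Tag authentication: the reader authenticates the tag, giving mutual authentication between tag and reader.

3) Tag anonymity: information such as the tag user's real identity is encrypted to keep private information confidential during communication.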

Research on Lightweight RFID Security Protocols


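Authors: Wang Canming (王灿明), Lu Youmin (卢友敏)
Keywords: RFID technology; RFID system security; electronic tag; reader

[Summary] Radio frequency identification is now widely used in industrial automation, commercial automation, transportation control and management and many other fields, and its security is receiving more and more attention. The paper first analyzes the security risks in RFID technology and introduces several physical security mechanisms. It then studies RFID protocols and discusses methods for analyzing and proving the security of RFID protocols.

1 Introduction

Radio frequency identification (RFID) is a contactless automatic identification technology. It uses the spatial coupling of radio-frequency signals (alternating magnetic fields or electromagnetic fields) to transfer information without contact, and identifies objects through the information transferred.

RFID emerged in the 1980s and has developed rapidly worldwide in the last few years.

RFID's identification range runs from a few centimetres to a few metres. It can identify several objects at the same time, is not affected by the objects' speed, and makes identification very convenient.

RFID can identify each specific individual object rather than only a class of objects; identification needs no laser or optical line of sight, so data can be read through outer material; and several objects can be identified at the same time.

In addition, RFID needs no direct contact or manual intervention, has large storage capacity and is easy to operate. Because of these advantages it is widely used for data collection and processing in production, logistics, transportation, healthcare, tracking and other fields.

2 RFID System Principles and Security Analysis

2.1 Overview of RFID Systems

An RFID system generally consists of three parts.

Tag: the core component of RFID, consisting mainly of a coupling element for sending and receiving information and a micro-control chip that stores a unique electronic code. Reader: the device that performs read and write operations on tags. Antenna: the transceiver needed to transmit RF signals.

The general workflow of an RFID system is as follows. The reader transmits an RF signal of a given frequency through its antenna.

When an electronic tag enters the working area of the reader's antenna it is activated, and it sends its preset information out through its built-in antenna.

The electromagnetic signal received by the reader's antenna is passed into the reader, which demodulates and decodes it and forwards it to the back-end processing system.

The back-end processing system performs the appropriate computation on the received information to judge whether the card is legitimate and, according to the business logic, instructs other information systems to act or processes the tag further, including recording the tag's information in the central database and writing or modifying information in the tag.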

Lightweight RFID Authentication Protocol Based on RRAM PUF


With the wide application of Radio Frequency Identification (RFID) technology, the security of the channel between reader and electronic tag is receiving more and more attention.

Because reader and tag communicate over a wireless air interface, an attacker can easily monitor, intercept and forge any of the information exchanged.

To protect information during wireless communication, low-cost cryptography-based RFID security techniques have been developed extensively in recent years.

For example, Tewari et al. [1] proposed an ultra-lightweight RFID authentication protocol that encrypts private data using only XOR, shift and rotation operations.

Sohrabi-Bonab et al. [2] proposed a CRC-based RFID security authentication protocol that combines a CRC function with a Pseudo Random Number Generator (PRNG) and ensures the protocol's security. Other typical PRNG-based schemes include the lightweight RFID authentication protocol based on the EPC Gen2 standard proposed by Pang et al. [3].

However, analysis shows that …

Lightweight RFID Authentication Protocol Based on RRAM PUF
CHEN Feihong 1,2, ZHANG Feng 2, CHEN Junning 1, WU Xiulong 1
1. School of Electronics and Information Engineering, Anhui University, Hefei 230601, China
2. Key Laboratory of Microelectronic Devices and Integrated Technology, Institute of Microelectronics of Chinese Academy of Sciences, Beijing 100029, China

Abstract: Aiming at the problem of limited information protection methods of current lightweight Radio Frequency Identification (RFID) encryption schemes, combined with a Physical Unclonable Function (PUF) composed of Resistive Random Access Memory (RRAM), a new type of lightweight RFID mutual authentication protocol is proposed. A multi-level response encryption mechanism is used to implement the secure authentication processing between the reader and the tag. Combined with the RRAM PUF model, a special error correction processing method is adopted to improve the reliability of the PUF response and prevent information leakage. In addition, key update mechanisms and anomalous attack identification have been added to prevent threats such as tracking attacks and desynchronization attacks. Simulation, analysis and comparison results show that the protocol can effectively resist multiple attack methods, and has higher security and lower computational cost.

Key words: Radio Frequency Identification (RFID); Resistive Random Access Memory (RRAM); Physical Unclonable Function (PUF); security authentication protocol; lightweight
Document code: A. CLC number: TP393. doi: 10.3778/j.issn.1002-8331.1912-0079
Funding: National Key R&D Program of China (2018YFB0407500).

Research and Design of Lightweight Mobile RFID Authentication Protocol

Wei Shumin (位书敏), Zhang Yonghua (张永华), Shang Yufang (商玉芳)
(College of Mathematics and System Science, Shandong University of Science and Technology, Qingdao 266590, China)

Computer and Modernization (JISUANJI YU XIANDAIHUA), 2016, No. 11 (total issue No. 255)
Article ID: 1006-2475(2016)11-0074-05

Abstract: In order to solve the security and privacy issues in the mobile radio frequency identification (RFID) system caused by wireless transmission, a lightweight mobile RFID authentication protocol based on pseudo-random function is provided, and mutual certifications between backend server, reader and tags are achieved. The operation of the protocol is mainly concentrated in the background server and the reader, which can effectively control the cost of the tag. Security analysis shows that the protocol can effectively resist the attack of location tracking, counterfeiting, replay and synchronization attack etc., and the security of this protocol is proved by GNY logic.

Key words: mobile RFID; security protocol; two-way authentication; GNY logic
CLC number: TP393.08. Document code: A. doi: 10.3969/j.issn.1006-2475.2016.11.013