RFID Authentication Mini-Project report

Written by Roi Tzaig & Moria Damri

Introduction and theory

RFID – Radio Frequency Identification is a technology for tagging using radio waves.
A RFID tag is a small electronic device, supplemented with an
antenna that can transmit and receive data. The RFID
technology is designed for unique identification of different
kinds of objects.

RFID systems usually contain three parts:

1. Tag – a microchip that can send and receive data
(messages).
2. Verifier – interfacing with the Tag, the Verifier can
read/write data and sends messages to access the Tags data.
3. Data base – a small amount of memory that uses as a data base that can be
changed.

Limitations of RFID systems

Limits of RFID systems are very important. These systems were designed to be low
cost in order to enable mass production. Broadcast range is limited to a few meters,
therefore the Tag and the Verifier must be sufficiently close Due to their small size the
RFID systems have a limited computational power, and limited memory.
Hence, we can conclude that a "heavy" encryption algorithm can not be used by RFID
systems. There for we need a simple, low cost encryption protocol that is based on
hardware efficiency that will be embedded in the RFID existing systems.

The goal of this project is to show the efficiency and empirically prove the
theoretic claims upon the protocols AP1 Ungeleralized/Generalized, AP 2
Ungeleralized/Generalized and � AP 2 written by professor Shlomi Dolev
Typical scenario
Let us think of a typical scenario, in which an alarm car uses RFID system to
communicate between the remote control (the Tag) and the car alarm system (the
Verifier), farther more a thief (an Adversary) may or may not listen to the
communications.
The scenario is as follows:
The Tag (remote control) sends an encrypted request to the Verifier (car) to
open the car. The car processes and decrypts the request and composed an answer, if
the request is genuine then "Open" message is sent back. If it is not, a "DoNotOpen"
message is sent. The thief may or may not listen to the communications, and based on
them compose a false message that will be sent to the car in order to get an "Open"
message back.

The adversary model

The adversary has a few basic assumptions:
1. The adversary is weaker than the one in standard cryptography.
2. The adversary is Byzantine, it tries to harm the system as well as break in it.
3. One out of n consecutive communications the adversary does not listen.
�Si The adversary does not listen
$i 1 �i �n �
�S1 ,K Si -1 ,Si+1 ,K S n The adversary listen

4. (Generalizing 3) k out of n consecutive communications the adversary does

not listen.
Every n consecutive communications are atomic, meaning, the adversary cannot
modify part of the communication in a session.
AP1 Ungeneralized Protocol

(Adversary does not listen to one out of n consecutive communications)

Overview:
The vector ARV stands for accumulated random vector and it is known to both the
Tag and the Verifier. The integer i marks the current request index and keyentry is
calculated in such a way that it is a legal index of ARV entry and with every
increment of i it is incremented as well with modulo n.
When the Tag sends a request, it composes a message form the current ARV entry
(ARV[keyentry]) concatenated with a pseudo random generated vector called LRV.
When the Verifier gets the message, it checks if the ARV[keyentry] in the message is
the same as its ARV[keyentry]. If so then an "Open" message is sent to the Tag and a
xor update is preformed on ARV using LRV (update procedure) to both the Tag and
the Verifier. If the ARV[keyentry] in the message is not the same as its ARV[keyentry]
the "DoNotOpen" message is sent and neither the Tag nor the Verifier updates its
ARV.
 Message length is n + 1 which is O ( n ) , so for an entire session (n consecutive

2
( )
communication) O n bytes will be transferred.
AP1 Generalized Protocol
(Adversary does not listen to k out of n consecutive communications)

Overview:
Much like in AP1 Ungeneralized protocol this protocol has an ARV vector, i index
and keyentry that function the as before. The LRV vector is replaced by reducedLRV
and Indices which are both vectors with 2 log n entries.
In every request, the Tag randomly selects 2 log n indices of ARVs entries and stores
them in Indices vector, then builds the vector reducedLRV by randomly selecting
2 log n numbers. The tag then composes a message from ARV[Keyentry]
concatenated with Indices and reducedLRV and sets it to the Verifier.
When the Verifier get the message it checks if the ARV[keyentry] in the message is
genuine and if so update only the ARV entries that was selected by the Tag.

 Message length is 2 log n + 1 which is O ( log n ) , so for an entire session (n

consecutive communication) O ( n log n ) bytes will be transferred.

What is the probability that all ARVs entries will be xored?
 The probability that a certain entry will be xored is equal to the probability that a

2 log n
certain entry will be selected, which is
n
2 log n
 The probability that the a certain entry will not be selected is 1 -
n
 The probability that the a certain entry will not be selected for n consecutive

n
� -2 log n �
1+
communications is � �
� n �
 Limiting the above probability gives
n
� -2 log n � -2log n 1 1
p ‫===ޣ‬
�
�
1 �+=
n �
� e (e )
log n -2
n -2
n2
p
n2
 Therefore the probability that at least one entry out of n will not be selected during

1 1 1 1
+ L + 2 = n �2 =
n consecutive communications is 12
n 4243 n n n
n times

 First conclusion: the probability that all n entries of ARV will be selected, and

1
therefore xored, is 1 -
n
 Second conclusion: When increasing n, the probability for full refresh is
increasing.
Results
The following graphs present the result and curve fitting of the amount of full xor
coverage of ARV out of 100 sessions for 2, 4 and 6 bit. The curve fit is for the
� B�
function y = 100 �A - �, which is the probability function as shown at the beginning
� n�
where A and B are parameters.

number length is 6 bit

Amount of sessions with full coverage out of 100

100

90

80

70
Data: Data1_bit6
Model: RFID
Chi^2 = 74.16455
60 A 1.11929 ±0.04837
B 1.01851 ±0.21341

50

40
2 4 6 8 10 12

Result summary

Length of A value A error B value B error

number

6 1.11929 0.04837 1.01851 0.21341

Summary and conclusions

1. Form the result, we can see that the values of A and B are much closed to
the theoretic ones 1.
2. The theoretic value of B, 1, is within the error range in all the experiments.
3. The theoretic value of A, 1, is not within the in error range in all the
experiments, however they are much closed.
4. So, it safe to conclude that the probability for full xor coverage is as

1
developed before P = 1 - .
n
5. We can easily see form the graphs that even at n = 3 there is a good
coverage, and a better in n = 4 (no less the 95% and an average of
97.666%). For larger n 's there isn't any significant improvement.
 AP2 Ungeneralized Protocol

Protocol for RFID Tag Ungeneralized Protocol for RFID Verifier

Initialization: Initialization:
Create int vector array ARV Create int vector array ARV
[1..n] [1..n]
int i := 1; seed := 0 int i := 1; seed := 0
int vector arrays keywords int vector arrays keywords

Upon user request: Upon key message Y

Create new random array LRV reception
keyentry = n − (i − 1)mod n keyentry = n − (i − 1)mod n
X[keyentry] = ARV [keyentry] Create pseudo-random
Create pseudo-random sequence
sequence prs of length m from
prs of length m from seed = X[keyentry] xor seed
seed = X[keyentry] xor seed Z = Y xor prs
Y = (LRV ||keyword) xor prs if Z[(n + 1)..m] belong to
Send Y to Verifier keywords
If Open received Send Open and
Call Updating procedure Call Updating procedure
End user request else
Send DoNotOpen
Updating procedure End of key message reception
ARV[keyentry] = 0
for j = 1 to n Updating procedure
ARV[j] = ARV[j] xor LRV[j] ARV[keyentry] = 0

Overview:
The vector ARV stands for accumulated random vector and it is known to both the
Tag and the Verifier. The integer i marks the current request index and the integer
seed is use for the generation of the prs, the initial seed value is initialized to zero.
The keyentry is calculated in such a way that it is a legal index of ARV entry and with
every increment of i it is incremented as well with modulo n.
When the Tag sends a request, it first create a pseudo random generated vector prs of
length m = n * l +k where k is the keyword length and l is the length in bits of each
ARV vector entry. The current ARV entry (ARV[keyentry]) xor with the old seed is
used as a seed for the generation of the pseudo random sequence prs. The old seed is
updated, (seed=ARV[keyentry] xor seed).
The Tag creates a new vector Y that should be send to the verifier. Y is equal to the
xor of the vector prs with the pseudo random generated vector called LRV
concatenated with the keyword. Y=prs xor (LRV||keyword). Y is then send to the
Verifier.
Because we assume that both the Tag and the Verifier know how to produce the prs
vector, when the Verifier gets the message, he can decrypt the it by calculating Y xor
prs (which is equal to LRV||keyword) and checks if the suffix of the string
(Y xor prs)[n+1..m], is equal to keyword. If yes the Verifier return the message 'Open'
to the Tag, else he return the message 'DoNotOpen'.
If the authentication successes, the updating procedure is called, and an update is
preformed on the ARV vector using the LRV vector, in both, the Tag and the Verifier
sides.
The computational security of the AP2 protocol is provided by the random seed
generation in each session.
�
AP2 Protocol - Resistance against Intruder-in the Middle-Attack

This protocol is an upgrade of previously discussed protocol AP 2 . This protocol can

cope with an intruder in the middle of an attack (IIMA). The Intruder is able to
capture the message, sent by the tag to the verifier, and modify it. Moreover, it should
be stated that such an attack can drive the protocols AP1 and AP 2 to a deadlock!
We relax the assumption about the atomicity of each communication session. In order
to deal with IIMA the message is added with redundant bits and watermark bits while
no cryptographic hash function is used.

The protocol �
AP 2 - like in AP 2 the encryption key is derived from the basic vector

ARV (ARV[keyentry]). The seed X splits into four independent seeds X 1 , X 2 , X 3 and

X 4 which will be used to create pseudo-random sequences.

 c1 is used to create the sequence that encapsulates LRV.

 c2 is used to create the sequence that encapsulates the redundant bits.

 c3 is used to create the sequence that encapsulates the watermark bits.

 c3 is used to create a permutation of the message bits - p X 4 .

The message is constructed as follows:

(
Y = p X4 � ��[ c1 sequence] || �
LRV j || keyword �
� ��[ c2 sequence] || [ w1 ,K wv ]
r1 ,K , rq �
� )

Let's explain the different parts of the message:

�
LRV j || keyword �
� �is generated as in AP 2 , a concatenation of pseudo-random vector
with a keyword. The LRV has n entries each have l bits and the keyword is of length

k . So the total length of this part is m = nl + k , as is [ c1 sequence] so the xor of the

last two also gives m bits.

�
r1 ,K , rq � q
� �is a sequence of redundant bits generated as follows: looking at

� �as a log ( m ) dimensions hyper-cube, where every redundant bit

LRV j || keyword �
�
has the value of a parity check on one of the hyper-cube rows/columns.
Dimensions Visualization q – number of Calcuation
 parity checks

( )
0
1 1 1 �1 2 =1
Parity
check

( )
1

Parity checks
2 4 2 �2 4 = 4

Parity
checks

( )
2
3 12 3 �3 8 = 12

Let us denote the number of dimensions as d �log ( m ) , According to the above table

( )
d -1 d -1
log ( m ) -1
= d ( m) = log ( m ) � ( ( m)
log m )
we get q = d �d m d .

Another way to get q is by considering the hyper-cube as a d dimensions array where

in order to calculate the parity bits we only need a one "running-index" and d - 1
"fixed-indices". If the length of every row/column is 2 (indexed 0 or 1) then we have
1 i d
0 /1
{ K {x K 0 /1
{
fixed -index running -index fixed - index

We have d options to select the running-index and 2 options to select the index for
every row, moreover there are d - 1 such entries in the array. So, in total, we have

d -1 log ( m ) -1

q=d�
2 d -1
(2
=d� d
) d = log ( m ) �
m log ( m ) , which is the same as above expression.

1
A simpler expression is q = m log m thus we see that q = O ( m log m ) .
2
The [ c2 sequence ] is of length q as well, and so is their xor result.

The last part is watermark bits [ w1 ,K wv ] with length of v .

Finally, the permutation generated by x4 seed does not add or remove bits. Thus the

total length of the message is Y = m + q + v .

What is the probability for adversarial success?
 The probability that the adversary will corrupt a watermark while changing the

v
bits of the original message is a =
t
 The probability that the adversary will corrupt a bit from the original message
is 1 - a .
 In order to successfully change the part of the original message, the adversary

has to corrupt at least d min bits, where d min is the minimal humming distance

and is equal to log ( m ) + 1 .

 From the second and third observations we get that in order for the adversary

to successes, he must change at least d min bits of the original message.

 So the probability for adversarial success is PA �( 1 - a )

d min
.

log ( m ) +1
The above probability can manipulate as follows PA �( 1 - a ) = ( 1-a )
d min
=

( 2log( 1-a ) )
log ( m )
( 1-a ) � = ( 1 - a ) mlog( 1-a ) , thus for

1 1 1 3
a= , PA � and for a = , PA � 0.415 .
2 2m 4 4m
Results
The following graphs present the result and curve fitting of the probability for
�A �
A log 2 � �
adversarial success. The curve fit is for the function y = �m �B �, which is the
B
probability function as developed above.

The empirical porobability for adversarial success, with alpha = 1/4

0.30

Probability upper bound

0.25 Empirical Probability

Data: Data1_UpperBound.,Data1_P.a.0.25
Model: RFID2
0.20 Chi^2 = 0.0001
A 2.97074 ±1.73866
Probability

B 3.99292 ±2.41715

0.15

0.10

0.05

0 100 200 300 400 500 600

m [bits], the length of the message
 The empirical porobability for adversarial success, with alpha = 1/2

0.035
Probability upper bound
Empirical Probability
0.030

Data: Data1_UpBound.0.5
0.025 Model: RFID2
Chi^2 = 9.2925E-7
A 0.9941 ±1.1072
0.020 B 1.9963 ±2.28614
Probability

0.015

0.010

0.005

0.000

0 100 200 300 400 500 600

m [bits], the length of the message

Result summary

a A value A error Expected

value
B value B error Expected
value

1 2.97074 1.73866 3 3.99292 2.41715 4

4

1 0.9941 1.1072 1 1.9963 2.28614 2

2
Summary and conclusions

1. Form the result, it is clear that PA is bounded by ( 1 - a )

d min
, and therefore

satisfies the relation PA �( 1 - a )

d min
.

2. Form the result, we can see that the A and B for both a = 1 4 and a = 1 2 are

in the range of the expected value, A = 3, B = 4 and A = 1, B = 2

respectively.
3. Therefore we may conclude that the expression for adversarial success is

or as developed above PA �( 1 - a ) m
log ( 1-a )
PA �( 1 - a )
d min
, when the adversary

changes d min bits.

4. The error for a = 1 4 is greater then the error of a = 1 2 .