Professional Documents
Culture Documents
RFID Authentication Mini-Project Report: Introduction and Theory
RFID Authentication Mini-Project Report: Introduction and Theory
RFID – Radio Frequency Identification is a technology for tagging using radio waves.
A RFID tag is a small electronic device, supplemented with an
antenna that can transmit and receive data. The RFID
technology is designed for unique identification of different
kinds of objects.
The goal of this project is to show the efficiency and empirically prove the
theoretic claims upon the protocols AP1 Ungeleralized/Generalized, AP 2
Ungeleralized/Generalized and � AP 2 written by professor Shlomi Dolev
Typical scenario
Let us think of a typical scenario, in which an alarm car uses RFID system to
communicate between the remote control (the Tag) and the car alarm system (the
Verifier), farther more a thief (an Adversary) may or may not listen to the
communications.
The scenario is as follows:
The Tag (remote control) sends an encrypted request to the Verifier (car) to
open the car. The car processes and decrypts the request and composed an answer, if
the request is genuine then "Open" message is sent back. If it is not, a "DoNotOpen"
message is sent. The thief may or may not listen to the communications, and based on
them compose a false message that will be sent to the car in order to get an "Open"
message back.
Overview:
The vector ARV stands for accumulated random vector and it is known to both the
Tag and the Verifier. The integer i marks the current request index and keyentry is
calculated in such a way that it is a legal index of ARV entry and with every
increment of i it is incremented as well with modulo n.
When the Tag sends a request, it composes a message form the current ARV entry
(ARV[keyentry]) concatenated with a pseudo random generated vector called LRV.
When the Verifier gets the message, it checks if the ARV[keyentry] in the message is
the same as its ARV[keyentry]. If so then an "Open" message is sent to the Tag and a
xor update is preformed on ARV using LRV (update procedure) to both the Tag and
the Verifier. If the ARV[keyentry] in the message is not the same as its ARV[keyentry]
the "DoNotOpen" message is sent and neither the Tag nor the Verifier updates its
ARV.
Message length is n + 1 which is O ( n ) , so for an entire session (n consecutive
2
( )
communication) O n bytes will be transferred.
AP1 Generalized Protocol
(Adversary does not listen to k out of n consecutive communications)
Overview:
Much like in AP1 Ungeneralized protocol this protocol has an ARV vector, i index
and keyentry that function the as before. The LRV vector is replaced by reducedLRV
and Indices which are both vectors with 2 log n entries.
In every request, the Tag randomly selects 2 log n indices of ARVs entries and stores
them in Indices vector, then builds the vector reducedLRV by randomly selecting
2 log n numbers. The tag then composes a message from ARV[Keyentry]
concatenated with Indices and reducedLRV and sets it to the Verifier.
When the Verifier get the message it checks if the ARV[keyentry] in the message is
genuine and if so update only the ARV entries that was selected by the Tag.
2 log n
certain entry will be selected, which is
n
2 log n
The probability that the a certain entry will not be selected is 1 -
n
The probability that the a certain entry will not be selected for n consecutive
n
� -2 log n �
1+
communications is � �
� n �
Limiting the above probability gives
n
� -2 log n � -2log n 1 1
p ===ޣ
�
�
1 �+=
n �
� e (e )
log n -2
n -2
n2
p
n2
Therefore the probability that at least one entry out of n will not be selected during
1 1 1 1
+ L + 2 = n �2 =
n consecutive communications is 12
n 4243 n n n
n times
First conclusion: the probability that all n entries of ARV will be selected, and
1
therefore xored, is 1 -
n
Second conclusion: When increasing n, the probability for full refresh is
increasing.
Results
The following graphs present the result and curve fitting of the amount of full xor
coverage of ARV out of 100 sessions for 2, 4 and 6 bit. The curve fit is for the
� B�
function y = 100 �A - �, which is the probability function as shown at the beginning
� n�
where A and B are parameters.
100
90
80
70
Data: Data1_bit6
Model: RFID
Chi^2 = 74.16455
60 A 1.11929 ±0.04837
B 1.01851 ±0.21341
50
40
2 4 6 8 10 12
Result summary
1. Form the result, we can see that the values of A and B are much closed to
the theoretic ones 1.
2. The theoretic value of B, 1, is within the error range in all the experiments.
3. The theoretic value of A, 1, is not within the in error range in all the
experiments, however they are much closed.
4. So, it safe to conclude that the probability for full xor coverage is as
1
developed before P = 1 - .
n
5. We can easily see form the graphs that even at n = 3 there is a good
coverage, and a better in n = 4 (no less the 95% and an average of
97.666%). For larger n 's there isn't any significant improvement.
AP2 Ungeneralized Protocol
Overview:
The vector ARV stands for accumulated random vector and it is known to both the
Tag and the Verifier. The integer i marks the current request index and the integer
seed is use for the generation of the prs, the initial seed value is initialized to zero.
The keyentry is calculated in such a way that it is a legal index of ARV entry and with
every increment of i it is incremented as well with modulo n.
When the Tag sends a request, it first create a pseudo random generated vector prs of
length m = n * l +k where k is the keyword length and l is the length in bits of each
ARV vector entry. The current ARV entry (ARV[keyentry]) xor with the old seed is
used as a seed for the generation of the pseudo random sequence prs. The old seed is
updated, (seed=ARV[keyentry] xor seed).
The Tag creates a new vector Y that should be send to the verifier. Y is equal to the
xor of the vector prs with the pseudo random generated vector called LRV
concatenated with the keyword. Y=prs xor (LRV||keyword). Y is then send to the
Verifier.
Because we assume that both the Tag and the Verifier know how to produce the prs
vector, when the Verifier gets the message, he can decrypt the it by calculating Y xor
prs (which is equal to LRV||keyword) and checks if the suffix of the string
(Y xor prs)[n+1..m], is equal to keyword. If yes the Verifier return the message 'Open'
to the Tag, else he return the message 'DoNotOpen'.
If the authentication successes, the updating procedure is called, and an update is
preformed on the ARV vector using the LRV vector, in both, the Tag and the Verifier
sides.
The computational security of the AP2 protocol is provided by the random seed
generation in each session.
�
AP2 Protocol - Resistance against Intruder-in the Middle-Attack
The protocol �
AP 2 - like in AP 2 the encryption key is derived from the basic vector
ARV (ARV[keyentry]). The seed X splits into four independent seeds X 1 , X 2 , X 3 and
(
Y = p X4 � ��[ c1 sequence] || �
LRV j || keyword �
� ��[ c2 sequence] || [ w1 ,K wv ]
r1 ,K , rq �
� )
( )
0
1 1 1 �1 2 =1
Parity
check
( )
1
Parity checks
2 4 2 �2 4 = 4
Parity
checks
( )
2
3 12 3 �3 8 = 12
Let us denote the number of dimensions as d �log ( m ) , According to the above table
( )
d -1 d -1
log ( m ) -1
= d ( m) = log ( m ) � ( ( m)
log m )
we get q = d �d m d .
We have d options to select the running-index and 2 options to select the index for
every row, moreover there are d - 1 such entries in the array. So, in total, we have
d -1 log ( m ) -1
q=d�
2 d -1
(2
=d� d
) d = log ( m ) �
m log ( m ) , which is the same as above expression.
1
A simpler expression is q = m log m thus we see that q = O ( m log m ) .
2
The [ c2 sequence ] is of length q as well, and so is their xor result.
Finally, the permutation generated by x4 seed does not add or remove bits. Thus the
v
bits of the original message is a =
t
The probability that the adversary will corrupt a bit from the original message
is 1 - a .
In order to successfully change the part of the original message, the adversary
has to corrupt at least d min bits, where d min is the minimal humming distance
log ( m ) +1
The above probability can manipulate as follows PA �( 1 - a ) = ( 1-a )
d min
=
( 2log( 1-a ) )
log ( m )
( 1-a ) � = ( 1 - a ) mlog( 1-a ) , thus for
1 1 1 3
a= , PA � and for a = , PA � 0.415 .
2 2m 4 4m
Results
The following graphs present the result and curve fitting of the probability for
�A �
A log 2 � �
adversarial success. The curve fit is for the function y = �m �B �, which is the
B
probability function as developed above.
0.30
Data: Data1_UpperBound.,Data1_P.a.0.25
Model: RFID2
0.20 Chi^2 = 0.0001
A 2.97074 ±1.73866
Probability
B 3.99292 ±2.41715
0.15
0.10
0.05
0.035
Probability upper bound
Empirical Probability
0.030
Data: Data1_UpBound.0.5
0.025 Model: RFID2
Chi^2 = 9.2925E-7
A 0.9941 ±1.1072
0.020 B 1.9963 ±2.28614
Probability
0.015
0.010
0.005
0.000
Result summary
2. Form the result, we can see that the A and B for both a = 1 4 and a = 1 2 are
or as developed above PA �( 1 - a ) m
log ( 1-a )
PA �( 1 - a )
d min
, when the adversary