This action might not be possible to undo. Are you sure you want to continue?
IEEE TRANSACTIONS ON MOBILE COMPUTING,
NO. 7, JULY 2009
Message Authentication in Computationally Constrained Environments
Benjamin Arazi, Senior Member, IEEE
Abstract—RFID and Wireless Sensor Networks exemplify computationally constrained environments, where the compact nature of the components cannot support complex computations or high communication overhead. On the other hand, such components should support security applications such as message integrity, authentication, and time stamping. The latter are efficiently implemented by Hash Message Authentication Codes (HMAC). As clearly stated in the literature, current approved implementations of HMAC require resources that cannot be supported in constrained components. An approach to implement a compact HMAC by the use of stream ciphering is presented in this paper. Index Terms—Secured communications, HMAC, constrained environments, challenge response, stream ciphers.
The Challenge Response CR, generated in the interrogated component (top of the figure), is the MAC of three values: 1) the component’s secret key K, 2) a random challenge C received from the interrogator, and 3) the message M whose authenticity is to be proved. Subsequently, the interrogated component transmits: 1) the component’s public key P K, which is an encrypted version of K issued by the system manager and stored in the component, 2) M, and 3) CR. Upon receiving the above three values, the interrogator performs the operations shown at the bottom of the figure. The interrogator first retrieves K out of the received P K, using a system decryption key. In practice, the system decryption key is not necessarily stored at the interrogator’s facility. Here, the interrogation operations can be performed in an external secure place. Under another version, the key K of the interrogated component is retrieved from a secured network, rather than being recovered by decrypting a value P K submitted by the component. The interrogating receiver then has the same three values that generated the MAC at the interrogated component. The same MAC is now calculated at the interrogating receiver, and the output is compared to the received CR. If the two values match, the integrity and authenticity of the received message is confirmed. The interrogated component’s response CR is unique, as it depends on the private secret key K which differs for different components. The procedure prevents replay attacks, since the response sent by the interrogated component depends on the real-time random challenge C sent by the interrogator. The same mechanism can also be used in access control, preventing illegal writings of a message M into the component, by still executing a MAC operation in the component. Here, the component challenges the external party, asking it to prove that it knows the component’s secret key. In this scenario, the direction of flow of C and M in Fig. 1 is reversed. It is the component which generates C. The comparison of the MAC values is done in the component. Upon success, M is allowed to be written.
Published by the IEEE CS, CASS, ComSoc, IES, & SPS
MAC and Challenge-Response Interrogation ESSAGE integrity and authenticity, and replay prevention, are essential in security-related communications. Here, a receiver is expected to be able to verify that a received message, originally transmitted by a valid source, was not changed. Also, the receiver has to verify that the message was not transmitted by a cloned source, and is not a retransmission of an originally genuine message transmitted in the past by a valid source. Technically, verifying message integrity and authenticity is based on the receiver’s ability to prove to itself that the transmitter stores a valid secret key that was used when the message was transmitted. Surely, symmetric and asymmetric cryptographic schemes can also be used in satisfying the above. In this paper, we treat the case where the facility at the data source has limited resources. In such environments, message integrity and authenticity is usually verified using Message Authentication Code (MAC). MACðM; KÞ is a one-way transformation of the message M and a secret key K shared with the verifier. The values M and MACðM; KÞ are both sent to the verifier. Upon receiving these values, the verifier generates himself a value MAC 0 ðM; KÞ based on the received M and the value of K known to him. If MAC 0 ðM; KÞ = MACðM; KÞ, the verifier decides that the message is authentic and equals its original value. If an attacker has access to an oracle which possesses K and generates MACs for messages M chosen by the attacker, it should be infeasible to guess the MAC value for any new message not interrogated before. To prevent illegal replaying, there is also a need for a time-dependent proof. This is achieved by a challenge-response interrogation procedure, as depicted in Fig. 1.
. The author is with the Department of Electrical and Computer Engineering, Ben Gurion University, Beer Sheva 84105, Israel. E-mail: email@example.com. Manuscript received 23 Mar. 2008; revised 20 Nov. 2008; accepted 10 Feb. 2009; published online 11 Feb. 2009. For information on obtaining reprints of this article, please send e-mail to: firstname.lastname@example.org, and reference IEEECS Log Number TMC-2008-03-0104. Digital Object Identifier no. 10.1109/TMC.2009.40.
1536-1233/09/$25.00 ß 2009 IEEE
The American Government Accountability Office (GAO) states that “RFID tag should resist counterfeiting or cloning. or to insert malware that dupes an unsuspecting— and apparently. In this paper. Still. under the current state of affairs the Dutch RFID Transit Card has been hacked before it was even deployed . KÞ. can be found in . European efforts in this direction are described in . Kout ¼ K È opad and Kin ¼ K È ipad. 1. 1. The circuit is considered proprietary. stating that the attacks “do not contradict the security proof of HMAC. although its design leaked to the public. .ARAZI: MESSAGE AUTHENTICATION IN COMPUTATIONALLY CONSTRAINED ENVIRONMENTS 969 section.g. replay. and eavesdropping” . 1. It should be noted that hardware implementations of hash transformations do exist. It was shown how it is possible to clone RFID cards. . The implementation this transformation can be based on various approaches. as well as the above specified HMAC implementation. where K is about 100 bits. .” The suggested implementation of HMAC is of the form HMAC ðtext. derived from K. It does not have its own power source. Hash Message Authentication Code (HMAC) is a hash transformation parameterized with a secret key. In an article carrying the very serious title “RFID can prevent drug deaths. Let K be b-bytes long. where È denotes an XOR. P K and its handling are redundant.. KÞ is a one-way transformation of the message M and a secret key K. . MAC-based challenge-response procedure. This is the approach taken in this paper. . from a pharmaceutical perspective. opad and ipad denote b-byte values. In many applications an RFID tag is required to prove the authenticity of data it transmits. Samples of articles on this issue include . In other cases. That is. The following is one recommended way of constructing Kin and Kout out of K. Interrogation in Highly Constrained Environments Radio Frequency IDentification (RFID) facilitates. as it was broken. The following representing statement  summarizes the issue: “Tag MAC functionality would allow tags to authenticate themselves. Each such section is processed by a one-way block transformation whose parameters are limited in size to that of the processed . Any standard hash (e. This puts a severe limitation on the number of gates that can operate simultaneously. This is translated into a limited number of logic gates used in the tag. Here. . and text is the text to be hashed together with K. 1. For example. text is broken into sections. SHA-1 ). phone cards used in Europe are based on a very low cost proprietary microchip that hashes together the card’s information content and some secret codes. MACðM. and the purpose of the interrogation is just to verify that the interrogated component really has the valid K associated with P K. there is no message M to be authenticated. while the cost constraints of an RFID tag permit the use of no more than 2. Implementing hashing in RFID is the subject of numerous papers. k denotes a concatenation. . For example. The security of such implementations has been revised . K is installed in advance in the interrogated component and the interrogating transmitter-receiver. by iteratively processing it in parts. There are other variations to the circuit of Fig. This general approach is especially suitable when dealing with constrained hardware resources.2 MAC and HMAC in the Context of This Paper As described above.000 logic gates. Even if text is a few hundred of bits long. Then. not necessarily due to a faulty design. Two main constraints are considered here: 1) Costs: Wide adoption of RFID is crucially dependent on the price of a tag. . . RFID is also being used in medication control . where H is a cryptographic hash function. we adopt an implementation where text ¼ CkM. More can be found in . updated on a continuous basis. and more. in some cases. Kin and Kout are two keys. There is no way that such systems will pass regulations like The Health Insurance Portability and Accountability Act (HIPAA) without assuring patient’s privacy. by definition.” it is stated that “the inherent problem with EPC [RFID] technology.3 Fig.500 gates. identification by wireless communications.” An accurate analysis  states that the implementation of SHA-1 requires 12. but due to the selection of a short key . K Þ ¼ H½Kout kHðKin ktextÞ. we treat a standardized HMAC. like prevention of car-theft. . It is claimed that E-Passports can be cloned in minutes . which are processed one at a time. but is beyond current lowcost tag resources. relatively unsophisticated—card reader into unlocking the building for an intruder . . 1. but they improve our understanding of the security of HMAC based on the existing cryptographic hash functions. Other RFID security considerations concern user privacy. it would still be recommended to process text in parts. of b repetitions of the byte 01011100 and 00110110. . consisting. respectively. specified in  . is the lack of anticloning features in the EPC chip itself” . is specified in a way which facilitates the processing of a relatively long text. A TI technology for cattheft prevention recently received attention. In relation to the challenge response procedure of Fig. Such . 2) Power consumption: An RFID tag is operated by a magnetic field radiated from the reader. it is an implementation of MACðM. That is. An extensive RFID-security bibliographical list. The use of RFID in medical applications presents special security demands.
a one-way block transformation. yielding a ciphertext stream. Such implementations have already been introduced .4 Stream Ciphers A stream cipher is a symmetric encryptor (i. are presented in Section 3. It is the purpose of this paper to illuminate the use of stream ciphers in compact hashing from a different angle. Development and analysis of stream ciphers are subject of continuous activities. while the set fSj g maps to B2 . is first implemented as a stand-alone universal circuit. The presentation includes security analysis.e. A current major project is eSTREAM. nonproprietary methodology for designing compact circuits that implement a secure MAC. is desired. even if a short section of the output is stored. The final content of the CRC register is the output block B. generating a relatively long keystream and entering it into a CRC circuitry. widely accepted.1 The One-Way Strength of the Transformation Surely. based on stream ciphering. compact MAC implementations in constrained environments are of the essence. 7. The key forms a seed which generates a pseudorandom keystream. 2 is at least as strong as the underlying security of the cipher. As the latter is expected to be infeasible for secure cipher. activities in stream ciphering are continuously being pursued. Other approaches to the use of stream-ciphers-related techniques in MAC implementations concern streaming macs  and energy scalable universal hashing . (We purposely denote the parameterizing key differently from the secret key K used in the intended MAC application. On the other hand. . These again integrate hashing and encryption as a design philosophy. cannot have a lower complexity than the recovery of S from a fully given keystream. 1. These approaches concern stream-cipher-based designs dedicated to MAC implementations. 2 presents an approach for utilizing the above two features of a stream cipher in implementing a one-way block transformation. .3 Balanced Mapping We treat the case where the mapping SÀ !B is many-to-one. 8. The receiver. which preserves the randomness of its input. 2. the transmitter and receiver share the same secret key). At the transmitting end.. Here.5 Related Work and the Structure of the Paper As indicated. for the purpose of performing a general hash. organized by the EU ECRYPT . without entering a long keystream into a CRC circuitry. the circuit transforms the input block S into the output block B. NO. That is. Possible implementations of hash in constrained environments. even if the compression is based on a simple linear CRC. 1. the one-way feature of the transformation is still kept. well-analyzed. Ways of iterating a one-way block transformation. K Þ ¼ H½Kout kHðKin ktextÞ. This can then also be turned into an HMAC implementation.970 IEEE TRANSACTIONS ON MOBILE COMPUTING. yields a keystream that enters a Cyclic Redundancy Code (CRC) circuit. the irreversibility of the transformation of Fig. combining hashing and encryption within an integrated solution. based on a stream cipher. 2. This turns into HMAC transformation by implementing HMAC ðtext.2 Security Considerations 2. possibly consuming minimal resources while being highly secured. 2. The circuit of Fig. 2. Techniques for implementing MAC based on stream ciphers can therefore offer high efficiency. 2 ONE-WAY TRANSFORMATIONS BASED ON STREAM CIPHERING 2. VOL.2 Randomness Features of the Output and the Purpose of the CRC Circuitry Basically. based on block ciphers. JULY 2009 examples further emphasize the need for an approved. The input block S. However. acting as the parameterizing key of the stream cipher. 2. XORing with the received ciphertext yields the cleartext back. 1. Fundamental security requirements that should be satisfied by a stream cipher concern randomness characteristics of the generated keystream and inability to recover the secret seed key by knowing the generated keystream. Secure and well-analyzed stream ciphers offered by the eSTREAM project are very compact and use limited hardware resources. Therefore. having the same seed key.2. .2. Let fSi g be a set of inputs that maps to the same destination B1 . given an output keystream of any feasible length. this keystream is XORed with the cleartext stream. a relatively short string does not exhibit randomness properties and rather represents a limited event that may have a problematic pattern. The circuit is clocked for a number of cycles that is significantly larger than the length of S.) A minor change in S causes major output changes. recovering S from a compressed version of the cipher’s output keystream. A case study is treated and analyzed in detail in Section 4.1 Block Transformation Based on Stream Cipher A stream cipher exhibits the following features: It produces a pseudorandom keystream output which is very strongly dependent on a parameterizing secret key S.2. The output string of a . One-way block transformation based on stream cipher. generates synchronously the same keystream. Fig. while considering the specific scenarios where the offered solution is intended to be deployed. are surveyed in . . Techniques for turning a stream cipher into a one-way block transformation are presented in Section 2. The underlying security of the cipher is measured in terms of the difficulty in retrieving S. Stream ciphers operate at a higher speed than block ciphers and have relatively low hardware complexity.
not knowing K and unable to predict the specific random challenge C sent from the interrogator. it is proposed to treat values which are about 100 bits. (Two randomly generated keys can statistically be similar. as depicted in Fig. length. This is well clarified by the attack on Wired Equivalent Privacy (WEP) which uses the stream cipher RC4 to protect WiFi wireless networks .6 Related-Key Attacks A related-key attack is based on the assumption that an attacker observes the operation of a cipher under different keys. Such a procedure can follow the guidelines presented in . It should further be noted that for the implementation treated in this paper.) Related-key attacks on stream ciphers concern key scheduling. (It is noted that the random input C to the MAC at the interrogated component. in the sense that fSi g and fSj g are expected to have a similar cardinality. This is performed by iterations. That is. of lengths t and r. the session keys are related). forms the r rightmost . is depicted in Fig.5 Collision Attacks in Challenge-Response Scenario A one-way many-to-one mapping is expected to also resist a collision attack. which facilitates the mitigation of a collision attack. concerns the inability to recover the parameterizing key out of the generated keystream. The number of iterations is the number of t-bit blocks of which the input data consists. which is randomized in a key-scheduling process. The component therefore does not need random number generator circuitry. which is a system parameter. 3. A cheating party has to come up with a correct MAC output CR. The mere existence of the key-scheduling process Fig. the process consists of consecutive iterations.ARAZI: MESSAGE AUTHENTICATION IN COMPUTATIONALLY CONSTRAINED ENVIRONMENTS 971 stream cipher exhibits randomness properties and strong dependence on each bit of the seed key S. It is essential that the same key never be used more than once in a stream cipher. The stream cipher implementation proposed in this paper. unrelated. The best would be to use a randomly generated key for each new use of the cipher. a related-key attack on the cipher is associated with collision attack on the hash. The input K to the MAC in the interrogated component is known only to a valid party.1 Implementing an HMAC General hashing means transforming chained input blocks into an output block of a fixed. When the iterations are complete (i. which is the ultimate aim of this paper.e. 3 ITERATIONS OF THE ONE-WAY BLOCK TRANSFORMATION 3. collision is not an issue . In this respect. 2. That is. whereby a key generated by an isolated event (no relation to other keys) cannot be recovered from the generated keystream. it should be difficult to provide two different S that are mapped to the same B.4 Resistance to Correlation Attacks One of the devastating attacks on stream ciphers. Like a usual execution of a longinput hash transformation.) The procedure starts when a predetermined initializing value IV .) The above consideration has another fundamental aspect. This observation is made clear when observing Fig. as discussed before. CRC circuitry) is expected to provide the same output features. under which many were proved to be vulnerable. keeping the theme of low-cost implementation. As seen later. whereby the stream cipher acts as hash. collision attack is irrelevant in the cases where the hash is used in a challenge response implementation. It is essential to notice that in a challenge-response application. Yet. It should further be emphasized that a fundamental feature of a stream cipher requires that two slightly different parameterizing keys yield keystreams having a major. 2. relatively small. Processing the input in parts and where H is based on stream ciphering. a rather safe size. A compressed version of the output string which still keeps the randomness of the full string (e. is based on establishing the validity of a partial guess of the secret key by correlating the outcome of the guess with a given output string of the cipher.2. compressing the output string of the cipher into a block which is not longer than the parameterizing key leaves an external output too short for correlation analysis.2. but there is no algorithm associating the two. An approach for iterating a one-way block transformation. This security is associated with the fundamental requirement that a stream cipher must satisfy. to make the length of the input data a multiple of t.. Such an attack needs an output string whose length is considerably higher than the guessed value. This relates to applications where practical circumstances dictate the use a fixed key master key. the entire input chain has been processed) the output should be the hash of the entire input. Here. opens a possibility for related-key attack (i. The transformation is therefore expected to be balanced. 2.. difference. the Linear Feedback Shift Register (LFSR) that processes the cipher’s parameterizing key consists of two parts. is generated at the interrogator. .e. where input blocks enter one at a time and are combined with an accumulated value that consists of the hashing performed so far. relevant to the compact implementations proposed in this paper. to yield a different key for each communication session. An ability to perform here a collision attack is therefore irrelevant. based on stream ciphering. a related-key attack does not concern the case of two slightly different keys whose similarity cannot be modeled.. As a cheater has no benefit from a successful collision attack. 2. (Possible padding may take place. 1.2. where some relationship among the keys is known to him.g. 3. the application is of complexity OðnÞ rather pﬃﬃﬃ than Oð nÞ (characterizing the fact that birthday attacks are irrelevant here).
In the standard.2. the cipher should also provide for secured iterative implementation. The same goes when hashing the concatenation Kout kHðKin ktextÞ. that is. In the first iteration. The next 64 bits consist of a predetermined initializing value IV . Initializing the LFSR. between the keys Kin and Kout in the HMAC implementation: HMAC ðtext. which forms the foundations for the security of an HMAC. the output of the last iteration when generating HðKin ktextÞ.2. The rest of the 192 bits are a function (XOR operations) of the 144 bits of K and IV . After forming this initial content.1 Considerations per Iteration Each iteration in the described process performs a one-way block transformation on a ðr þ tÞ-bits block. It is shown that this HMAC resists a related-key attack if generally the underlying compression function is a Pseudorandom Function (PRF). 7. Second. 5. When the process terminates. The circuit of Fig. It is shown that under this condition. whereby B is updated in each iteration based on the preceding value of B and a new t-bit data block.2.e. 4 starts generating its keystream. The block B now forms the r rightmost bits of the LFSR for the next iteration.2. 6 implements the hash transformation of Fig. 5. This strong dependence on Kin and Kout . 2 to that of Fig. the t-bit input blocks are exhausted. K Þ ¼ H½Kout kHðKin ktextÞ. Besides its established and highly scrutinized security. randomness of the output. Being able to perform a hashing H on chained input blocks.2. which has this property. the HMAC is also a PRF. DECIM (v2) is depicted in Fig.972 IEEE TRANSACTIONS ON MOBILE COMPUTING. the circuit is clocked 4 Â 192 ¼ 768 times under the configuration of Fig. The transformation f is a Boolean function of 13 inputs. A related-key attack potentially concerns here the danger posed by a relation 4. The rest of the bits of the LFSR are formed according to DECIM specifications. 2.1 and the security consideration raised in Section 3. also has related-key aspects. 3. DECIM (v2). 8. The top register is a 192-bit LFSR. bits of the LFSR. ABSG is a simple 1-bit input 1-bit output procedure.2. correlation attack. One of the eSTREAM candidates.2 apply to each individual iteration of the HMAC. the circuit is configured according to Fig. This suits very well the hashing procedure of Section 3. the circuit of Fig. 3.. and clocked for a prescribed number of times. is strongly dependent on Kin (i. the initial left 80 bits of the LFSR consist of the first 80 bits of the message to be hashed. In this respect. 4 A CASE STUDY 3. the strong dependence on each input bit. Fig. 4. there is a need for an available wellanalyzed stream cipher which is based on having an initializing nonsecret value being a part of the parameterizing key. generating an output block B of r bits. 4. and collision attack. After 768 shifts under the configuration of Fig. is treated in detail in Section 4. 6. This applies to the irreversibility of the transformation.2 Considering the Transition from a Single-Block Transformation to Sequential Processing The transition from the structure depicted in Fig. After these 768 shifts. the size of its parameters suits the practical applications intended to be served by the HMAC proposed in this paper. VOL. an HMAC is implemented as HMAC ðtext. Such a procedure.1 DECIM (v2) and its HMAC Configuration DECIM (v2) was developed by a team of 13 researches from various industrial and academic French institutes . the output block B is the final output of the hash. Even if the stream cipher facilitates a strong one-way block transformation.3 HMAC Related-Key Attack Related-key attack pertaining to stream ciphering considerations have been treated in Section 2. yielding a 64-bit content of the CRC register. is standard . etc. 3 based on DECIM (v2).2 Security Considerations and Requested Features of the Stream Cipher 3. concatenated with the next t bits of the input data. JULY 2009 Fig. All security considerations presented in Section 2. 5. similar Kin yield totally different outputs). it implements a principle whereby the key consists of a secret part and an initializing public value. NO. The formed r þ t bits play the role of the input block S of Fig. 3 has its own security implications. HMAC aspects of such an attack are addressed in . starting with an initializing predetermined seed. DECIM (v2) was selected in this paper as a case study for two purposes. When generating H½Kout kHðKin ktextÞ. K Þ ¼ H½Kout kHðKin ktextÞ. The LFSR is initialized with an 80-bit secret key K and a 64-bit public value IV . these keys are related by: Kout ¼ K È opad and Kin ¼ K È ipad. balanced mapping. First. These are concatenated with t bits of the input data. It is suggested that the ABSG should .
based on DECIM (v2). and S.) It is hashed into a 64-bit value V by three iterations of the process of Section 3. 2006. Int’l Cryptology Conf. The content of the CRC register now forms the new IV .“ http://www. B. GAO.” www. Aug. Drugresearcher. H. respectively. 3 without changing the analyzed and scrutinized infrastructure of the cipher. If a 192-bit LFSR requires 2. based on standard procedures. the hash processes 80 bits per iteration. ðKin ktextÞ is a 240-bit value. where Kin and Kout are 80 bits.2. 1995. National Institute of Standards and Technology. 242-256.darkreading. etc.” FIPS PUB 180-1. G. then a 64-bit CRC requires 780 gates.com. based on stream ciphering. 2002. Kin is 80 bits. Apr. was presented. A. A specific implementation. Univ. The implementation of f and ABSG respectively requires 87 and 67 gates. there is a need to evaluate new approaches. where the strength of the hash is associated with the underlying security of the cipher. CONCLUSION generate at least 768 keystream bits. where the left 80 bits of the LFSR are a new section of the input data.1. used in the next iteration. which are. Ann. 4.gov/new.4 Hardware Resources Berbain et al. 2004.” pcworld. yielding a 160-bit value that is hashed by two iterations of the process of Section 3. P. pp.71. 2007. it provides for a transition from the one-way transformation of Fig. K Þ ¼ H½Kout kHðKin ktextÞ will consist of the concatenation CkM. Avoine. “Security Evaluation of the Disposable OV-chipkaart v1. yielding Kout ¼ K È opad and Kin ¼ K È ipad. and the randomization of the keystream that enters the CRC. the message M is an Electronic Product Code (EPC) currently specified to consist of 96 bits [?]. M.avoine. “GAO-05-551 Radio Frequency Identification Technology.” IETF RFC 2104. May 2005.htm. The rationale is that the randomization performed in Fig.pdf.ARAZI: MESSAGE AUTHENTICATION IN COMPUTATIONALLY CONSTRAINED ENVIRONMENTS 973 has to be hashed.1. Conf. Siekerman and M. respectively. “E-Passports Can be Cloned in Minutes. MD4. “Secure Hash Standard.” FIPS PUB 198. are characterized by similar demands.339 gates.drugresearcher.gao. Configuring DECIM (v2) as an HMAC.         . Security and Cryptography for Networks (SCN ’06).about. Information Technology Laboratory. and R. “RFID Security & Privacy Lounge.” www. Canetti.339 gates. “RFID under Attack Again. 1997. Preneel. 1.2. In particular it is noted that the existence of the initializing value IV . (text consists of a concatenation of C and M.2 Security Considerations This implementation was selected for the purpose of satisfying the specification of Section 3.4/ecrecommandation-rfid. while not sacrificing security. “On the Security of HMAC and NMAC Based on HAVALl. “Keyed Hash Message Authentication Code. van der Schee. V is now concatenated with Kout . As described before. The principle was to implement a hash transformation based on the stream cipher.” Proc. Feb. MD5. 2008. consist of 10 repetitions of 01011100 and 00110110. 5.net/ rfid/.edri. These two values. DECIM (v2) Implementation in RFID Environment In a practical RFID scenario. The latter hash is performed by padding W with two bytes (suggested possibility. giving a 144-bit value W that 4. two opad bytes). Canetti. Aug. The 192 flip-flops of the LFSR and the XOR gates require 2. Biryukov.3 RFID and Wireless Sensor Networks pose a need for efficient implementation of MAC.com/od/dataprotection/E-PassportsCan-Be-Cloned-in-M. and H. Concerning the sizes of the other values treated in Fig. It is noted that DECIM (v2) processes an 80-bit key and a 64-bit initial value IV . 2008. National Institute of Standards and Technology. 6 further requires a 64-bit CRC. was presented and analyzed in detail. there is a possibility of having a single 80-bit K.  include an accurate hardware evaluation. Higgins. respectively. while also utilizing any characteristic of the specific implementation of MAC that can enhance efficiency. 4.” System and Network Eng. REFERENCES      M. Kim.” ANSI X9. SHA-0 and SHA-1. PCWorld. 64 and 96 bits. Dept. Bellare.J. Apr. and the strong dependence of the keystream on this value. where opad and ipad. Krawczyk. Information Technology Laboratory. Bellare. is a part of the definition of the cipher. Claims Researcher. 1-15. A complete highly compact MAC implementation.”www. the final content of the CRC register is the HMAC output. 6. Hong. We propose that text in the expression HMAC ðtext.org/edrigram/number6. European Commission. R. The hash is then utilized to implement HMAC. The implementation of the circuit of Fig. 5 Fig.” Proc. 6 requires about 3. of Amsterdam. 2 to the iteration procedure depicted in Fig.7. Krawczyk. After all the input data are shifted in. That is. ANS Institution. “The KeyedHash Message Authentication Code (HMAC). (CRYPTO ’96).1. K. 2000. yielding the HMAC. pp.300 gates. That is. “Draft Recommendation on RFID Privacy and Security.com/Researchmanagement/RFID-can-prevent-drug-deaths.” www. the circuit of Fig. 1996. J. “Keying Hash Functions for Message Authentication. “Breaking News on Drug Discovery—RFID Can Prevent Drug Deaths. Altogether.items/d05551. 2008.. 2009. “HMAC: Keyed-Hashing for Message Authentication. To achieve efficiency. suit the values t and r of the hash implementation of Section 3. the challenge C and the challenge response CR are proposed to consist of 64 bits. a highly scrutinized stream cipher.
1-24. (CRYPTO ’01). critical infrastructures. 2009. and P. Int’l Conf. Kinoshita. July 2006. JULY 2009  J. Kaps. 1-16. O. pp. Ohkubo.” Cryptology ePrint Archive.  M. and S. He has been involved in information assurance research and education for the past 25 years. revision 1. 2005. Oechslin. Green. He developed a computer arithmetic algorithm. H. Billet. Schneier. A. A. Krawczyk. Lucks. 2008. 2009. Yuksel.  ECRYPT. Dunkelman and E. 2006. Won. Ann. Pornin. 2008. vol. Krovetz.  A. Report 2005/020. “Phelix—Fast Encryption and Authentication in a Single Cryptographic Primitive. and B. (CRYPTO 94). Feldhofer and C.” Proc. 2007. please visit our Digital Library at www.” Proc. 2523. named after him. Stubblefield. Rogaway. 2002. Whiting. “The Estream Project. Bono. Apr. M. “A Framework for Iterative Hash Functions—HAIFA. 2004. pp. Security (PerSec ’05).  K. 54.computer. Juels. A. 2004. RFID Privacy Workshop. Sunar. L. Kwak. Weis. and a former chairman of this department. 2006. “Lightweight Authentication Protocols for Low-Cost RFID Tags.org/publications/dlib.” Proc. K. Int’l Cryptology Conf. Courtois.  G. (CRYPTO ’99). 2005. Leander. and Y. 1994. Rechberge. Avoine and P.com/blog/archives/2005/02/.” Proc. N. “Challenge-Response Based RFID Authentication Protocol for Distributed Database Environment. Antokol. (CRYPTO ’06). “‘Schneier on Security’—SHA-1 Has Been Broken. Robshaw. Report 2004/271.. A. Sibert. “Weaknesses in the Key Scheduling Algorithm of RC4.  P. “A Scalable and Provably Secure Hash-Based RFID Protocol. For more information on this or any other computing topic.” http://www.” Proc. and C. 2005.” http://www.  B. Fluhrer.G. Granboulan. M. 2005.” Proc. 8. Goubin. and G. Cryptographic Hardware and Embedded Systems. pp. Ann. Nov. S.” Cryptology ePrint Archive.” Int’l J. Shamir. Report 2004/ 301. S. B.eu/docs/ficheiros/ antokol.  S. “LFSR-Based Hashing and Authentication. A. Engels. Bogdanov. 2005. 602-619. Rose. Israel. Halevi.  S. Berbain. G. Computers. and food supply chain security. Muller. Oct. 2003. T. 454-469. S. Zoltak. C. Benjamin Arazi is a professor in the Department of Electrical and Computer Engineering at Ben-Gurion University.  J. Debraize.” Proc. H. and M. pp. USENIX Security Symp. C. Int’l Cryptology Conf. Workshop Cryptographic Hardware and Embedded Systems (CHES ’02). vol. “Ecrypt Phase 3 DECIM 2 2007. 2. Szydlo. 110-114. 216-233. and A. NO. “Energy Scalable Universal Hashing. “Hash Functions and RFID Tags: Mind the Gap.org/stream/decimp3. Kim. Aug. He is the author of an MIT Press book on coding theory. Gouget. His current interests include certification protocols. Schneier. “Cryptographic Approach to ‘Privacy-Friendly’ Tags.  C. Computer Science. Int’l Cryptology Conf. H.” RFID Security Workshop (RFIDSec ’06). 2003. wireless sensor networks security.  D. Seurin. Int’l Cryptology Conf. 131-136.html.  J.” IEEE Trans. Second Cryptographic Hash Workshop.  B. “UMAC: Fast and Secure Message Authentication.schneier. Poschmann. A. 1999.” Proc.  M.974 IEEE TRANSACTIONS ON MOBILE COMPUTING. and D. M. .  H.” The eSTREAM Portfolio. Gilbert. “A Case against Currently Used Hash Functions in RFID Protocols.ecrypt. Sept. S. Paar.pdf. that serves as standard practice in the smartcard industry and developed a cryptographic arithmetic algorithm that appears in Knuth’s The Art of Computer Programming. 2001. B. pp.” Proc. Second Workshop Security Ubiquitous Computing (Ubicomp ’03). “Security Analysis of a Cryptographically Enabled RFID Device.  I. Workshop Cryptographic Hardware and Embedded Systems (CHES ’08). “New Proofs for NMAC and HMAC: Security without Collision-Resistance. Rhee. Paddon. He is also an IEEE Distinguished Lecturer and a senior member of IEEE. M. K.  S.rfidconsultation. “VMPC-MAC: A Stream Cipher Based Authenticated Encryption Scheme. “RFID Systems and Security and Privacy Implications. Sarma.” Proc. “The Mundja Streaming MAC. Hawkes. Lauradoux.” Proc. 129-139. Ann. pp. 1484-1495. VOL.  K. and D.” http://www. Berbain. vol. I. T. pp.” Ecrypt Stream Cipher Project. Wirt. May 2006. Minier. printed handout. pp. “ASC a Stream Cipher with Built in MAC Functionality. and F. Second IEEE Int’l Workshop Pervasive Computing and Comm. Bellare. . 7.eu. Rubin. Mantin. Suzuki. “RFID and Healthcare: Privacy and Security Considerations. Black. J. pp.  M. Canteaut. Ann. Krawczyk. L. Security in Pervasive Computing (SPC ’05).  O.” Proc. Biham. Buttyan. Vajda and L.