Cryptography in radio frequency identification and fair exchange protocols

This PhD thesis focuses on fair exchange protocols and radio frequency identification protocols. Fair exchange stems from an everyday problem: how can two people exchange objects (material or immaterial) fairly, that is, without anyone being hurt in the exchange? More formally, if Alice and Bob have objects mA and mB respectively, then the exchange is fair if, at the end of the protocol, either Alice and Bob have received mB and mA respectively, or neither Alice nor Bob has received the expected information, even partially. Ensuring fairness in an exchange is impossible without introducing additional assumptions. We therefore propose two approaches to overcome this problem. The first consists in attaching to each person a guardian angel, that is, a security module designed by a trustworthy authority and whose behavior cannot deviate from the established rules. In such a model, the fairness of the exchange can be ensured with a probability as close to 1 as desired, at the cost, however, of communication complexity. We then use results from distributed algorithms to generalize this approach to n people. Finally, we propose a second approach that consists in no longer considering the exchange in isolation, but in placing it back in its context, at the heart of a network, where each person in the pair has a few honest neighbors. In this framework, fairness can rely on these neighbors, who are solicited only in the case of a conflict during the exchange.

We then look into Radio Frequency Identification (RFID), which consists in remotely identifying objects or subjects carrying a transponder. The success that radio frequency identification enjoys today rests essentially on the drive to develop low-cost, small transponders. Consequently, they have limited computation and storage capabilities. For this reason, many questions have been raised regarding RFID's potential and limitations, more precisely in terms of security and privacy. Since this is a recent problem, the work presented in this document first lays out the framework in full by introducing certain basic concepts. In particular, we present and classify threats, we show the link between traceability and the communication model, and we analyze existing RFID protocols. We also present the complexity issues due to key management. We show that the solution proposed by Molnar and Wagner has weaknesses, and we propose another solution based on time-memory trade-offs. Finally, we continue our time-memory trade-off analysis by proposing a method based on checkpoints, which allows false alarms to be detected in a probabilistic manner.
