Structure of the project

 

 

 
Modified on 04/14/2008 at 16:20

The work in the RFID-AP project will be organized through five technical work packages.

 

While it is anticipated that all parties of the consortium will contribute to the activities in each WP, the leader of each WP is listed below.

 

 

WP1 | EURECOM | Survey of the state of the art of RFID security mechanisms
WP2 | FTRD | The design and implementation of cryptographic primitives for authentication and privacy protection.
WP3 | INRIA | The design and implementation of security protocols for authentication and privacy protection.
WP4 | CEA-LETI | Experimental validation and prototyping
WP5 | EURECOM | A study of new concepts and emerging techniques such as micro- and nano-technologies that might provide new, innovative security features.

 

 

WP1: RFID Security: The State of the Art (leader: EURECOM)

 

The main objective of this work package is to survey and evaluate the current state-of-the-art of RFID security threats and security counter-measures. Work on this report will be an essential start to the project and it will help to lay the foundation for the work that follows.

 

It is intended that this particular report on RFID Security be not only a useful starting point for RFID-AP, but also that it will be a valuable resource for the larger research community. As such, we intend that it be a "living document" and that it be updated regularly by the partners of the consortium.

 

Deliverable

M2 | RFID-AP website | DWP1.1
M12 | RFID Security: The State of the Art | DWP1.2

 

WP2: Cryptographic Primitives (leader: FTRD)

 

WP2 is the first of two work packages to consider the building blocks of a security solution.

 

The work in this work package is aimed at the design and analysis of low-weight cryptographic algorithms and it will complement that in WP3. Most importantly, the work in WP2 will be supported and validated by work in WP4.

 

Cryptographic algorithms are typically divided into two classes according to how they use key material [6]. Symmetric algorithms, or secret key algorithms, require that all partners in a cryptographic exchange have access to the same secret key material. Asymmetric algorithms, or public key algorithms, do not require this.

 

In the field of symmetric algorithms, the two types of encryption primitives are stream ciphers and block ciphers. Traditionally, stream ciphers have been widely viewed as the most suitable for the compact implementation required in RFID-based applications. However, there are no widely-trusted hardware-efficient stream ciphers available today, and this is one of the motivations behind the eSTREAM project within the Framework VI NoE ECRYPT [1].

 

The multi-year eSTREAM project is entering its final year and appears to be yielding some very compact and energy-efficient alternatives. This is a project that is managed by one of the France Télécom researchers who will be active in RFID-AP, and it is a project to which France Télécom has made significant design and analytical contributions. Thus, one of the aims of RFID-AP will be to build on the expertise and knowledge accumulated in this project and to further extend the state-of-the-art of stream cipher design.

 

However, recent work on block ciphers might also change the picture. In particular, the design of lightweight primitives [9], including block and stream ciphers [1], has become an important area of ongoing research, with recent work on the design of an ultra-compact block cipher having taken place at France Télécom R&D in collaboration with two academic partners. This recent work suggests that block ciphers may well provide a low-cost alternative to stream ciphers, and there are some interesting associated research questions. Looking at other primitives such as message authentication codes (MACs) or some dedicated protocol proposals [5], the opportunity to build on existing expertise [2, 3] is anticipated to yield promising new directions.

 

With regard to asymmetric algorithms, their use is often dismissed in low-cost RFID-tag deployments. However, the GPS protocol is a public-key identification scheme [3] that has been standardised in ISO and which has particularly good on-tag performance characteristics. Indeed, recent implementation work on the GPS protocol has shown that certain optimisations make it particularly well-suited to resource-constrained applications [7, 8], and public key on-tag authentication capabilities are truly a practical possibility. However, there remain many interesting implementation issues to consider, as well as the possibility of considering the implementation of other public key techniques.
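The GPS exchange between tag and reader, as an added example that is not part of the original page or the project's own code. It assumes the coupon variant known from the public GPS literature, in which the commitments are precomputed off-tag so that the tag only performs one integer multiply-add; the modulus, base and bit lengths are toy values constructed for the example.

```python
import secrets

# Toy sizes and modulus, constructed for this example; far too small for real use.
N = 1000003 * 1000033            # public composite modulus
G = 2                            # public base
S_BITS, C_BITS = 32, 8           # secret and challenge lengths
R_BITS = S_BITS + C_BITS + 16    # nonce r is longer than s*c so that it masks it

def keygen():
    s = secrets.randbits(S_BITS) | 1
    return s, pow(G, -s, N)      # (tag secret s, public key v = g^(-s) mod n)

def make_coupons(count):
    """Precomputed off-tag: pairs (r, x = g^r mod n) loaded into tag memory."""
    coupons = []
    for _ in range(count):
        r = secrets.randbits(R_BITS)
        coupons.append((r, pow(G, r, N)))
    return coupons

class Tag:
    def __init__(self, s, coupons):
        self._s, self._coupons, self._r = s, list(coupons), None

    def commit(self):
        if not self._coupons:
            raise RuntimeError("no coupons left; tag must be reloaded")
        self._r, x = self._coupons.pop()
        return x

    def respond(self, c):
        if self._r is None:
            raise RuntimeError("respond() called without a fresh commitment")
        y = self._r + self._s * c    # only on-tag arithmetic: one multiply-add
        self._r = None               # answering two challenges with one r leaks s
        return y

def reader_verify(v, x, c, y):
    # Reject out-of-range answers, then check g^y * v^c == x (mod n).
    if not 0 <= y < (1 << R_BITS) + (1 << (S_BITS + C_BITS)):
        return False
    return pow(G, y, N) * pow(v, c, N) % N == x

def run_session(tag, v):
    x = tag.commit()                   # tag -> reader: commitment
    c = secrets.randbits(C_BITS)       # reader -> tag: challenge
    y = tag.respond(c)                 # tag -> reader: response
    return reader_verify(v, x, c, y)
```

The number of coupons bounds how many times a tag can authenticate before it is reloaded, which is one of the implementation trade-offs to weigh against on-tag storage.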

 

The work in this work package, therefore, will be to consider the latest design trends in symmetric and asymmetric cryptography. In particular the goal is to explore different optimisations or modes of use that might yield either new algorithms or new implementation possibilities for established alternatives.

 

An important consideration, in conjunction with WP4, is to understand the physical limits, in terms of space and power consumption, that apply when trying to implement strong cryptographic solutions in low-resource environments.

 

While the work in this work package will likely support that in WP3, an important aspect of this work package will be its inter-relation with WP4. There, some of the implementation expertise in the consortium will be used to implement prototypes and assess their true performance in practical situations.

 

Deliverable

M18 | Survey and report on the possibilities, and limitations, of strong cryptography in constrained devices | DWP2.1
M36 | Report on the practical issues of the deployment of low-cost cryptographic algorithms | DWP2.2

 

References

 

[1] eSTREAM project. http://www.ecrypt.eu.org/stream/.

[2] H. Gilbert. Techniques for Low Cost Authentication and Message Authentication. In J.J. Quisquater, editor, Smart Card Research and Applications, Proceedings of CARDIS '98, Louvain-la-Neuve, Belgium, September 14-16, 1998, volume 1820 of Lecture Notes in Computer Science, 183-192. Springer-Verlag, 2000.

[3] H. Gilbert, M.J.B. Robshaw, and H. Sibert. An Active Attack Against HB+: A Provably Secure Lightweight Authentication Protocol. IEE Electronics Letters, volume 41, number 21, 1169-1170, 2005.

[4] M. Girault, G. Poupard, and J. Stern. On the Fly Authentication and Signature Schemes Based on Groups of Unknown Order. Journal of Cryptology, vol. 19, no. 4, 2006.

[5] A. Juels and S.A. Weis. Authenticating Pervasive Devices With Human Protocols. In V. Shoup, editor, Advances in Cryptology - Crypto 05, Lecture Notes in Computer Science, volume 3126, 293-198, Springer-Verlag, 2005.

[6] A. Menezes, P.C. van Oorschot, and S. Vanstone. The Handbook of Applied Cryptography. CRC Press, 1996.

[7] M. McLoone and M.J.B. Robshaw. Public Key Cryptography and RFID. In M. Abe, editor, CT-RSA2007, Lecture Notes in Computer Science, vol. 4377, pages 372-384. Springer-Verlag, 2007.

[8] M. McLoone and M.J.B. Robshaw. New Architectures for Low-Cost Public Key Cryptography on RFID tags. In N. Ling and G. Setti, editors, Proceedings of ISCAS 2007, to appear.

[9] M.J.B. Robshaw. In Search of Compact Algorithms: CGEN. In N. Phong, editor, Vietcrypt 2006, Lecture Notes in Computer Science, vol. 4341, pages 37-49. Springer-Verlag, 2006.

 

WP3: Security and privacy protocols (leader: INRIA)

 

Starting from the current internal and independent work at INRIA, LETI and EURECOM on security protocols for RFID Tags, the first goal of this work package is to come up with a set of authentication, identification and key management protocols addressing the security and privacy requirements identified by WP1. The second goal is to define a complete multi-layer approach for secure data exchange between tags and readers using these protocols. The third step will be to specify and analyse a use-case as a proof-of-concept.

 

The current approach taken by CEA and INRIA focuses on the noisy tag and noisy reader concept. This approach aims to increase the confidentiality of exchanges between the reader and the tags and to protect privacy. Protocols based on this concept can also be used by a reader and a tag to exchange a secret, such as a key. However, they both assume that the readers are trusted. EURECOM’s approach to security protocols focuses on identification and authentication protocols with privacy, based on a minimal set of primitives such as simple hash functions and simple bit-wise arithmetic and logic operations.

Thus it is immediately clear that the work in WP2 may well have an important role to play in the work in WP3. We would anticipate that low-cost cryptographic techniques developed in WP2 may be of immediate use in the support of new security protocols that will be designed as part of WP3.

An important part of WP3 is to explore whether the existing approaches based on noisy techniques and low-cost primitives can be extended. In particular, we intend to develop efficient protocols/solutions that allow tags to authenticate the readers. Unlike existing approaches whereby readers are trusted, the new protocols will provide mutual authentication between tags and readers. In addition, we will pursue some current research directions in order to implement ID-based techniques to help tags provide different responses based on the readers’ identity.

Like any work in modern security research, an essential part of our design work will aim at evaluating the security assurance of our protocols through various methods ranging from security proofs to simulation. Our recent work on the design of identification and authentication schemes brought up a very interesting direction for research in terms of security proofs for RFID protocols. RFID identification protocols can thus be evaluated along two directions: privacy and secrecy. Privacy mainly aims at preventing unauthorized readers from retrieving information about a tag’s identity whereas secrecy calls for the protection of the secret information kept within the tag. Preliminary work on privacy proofs in this context let us nail down a proof model based on the concept of indistinguishability akin to classical cryptographic proofs. Proof of secrecy on the other hand calls for classical security proofs or some probability analysis. We thus envision significant contributions to security research through the development of privacy and secrecy proofs for RFID protocols.

It is worth observing that reader authentication is an exacting quality. The tag must verify that the reader it is talking with is currently legitimate and has not been revoked. This is a surprisingly difficult problem. For instance, since the tag does not have a clock, we will need revocation techniques that do not require a secure clock. One possible solution is to have an RFID-tag listen to all the readers that it encounters and to use some filtering technique to evaluate the current time. While this is not perfect, it is an improvement over current solutions where a tag gets its time from the requesting reader. By computing its time from several readers the goal is to arrive at a more robust and secure system.
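One way to realise the multi-reader time estimate described above, as an added example that is not part of the original page or the project's code. It assumes a median filter over the most recent distinct readers, a quorum before the estimate moves, certificate expiry as the revocation mechanism, and reader identifiers taken from credentials the tag has already verified; all names and the sample times are constructed.

```python
from statistics import median

class TagClock:
    """Clock-less tag that estimates 'now' from times claimed by recent readers."""

    def __init__(self, start, window=5, quorum=3):
        self.estimate = start          # e.g. time written at personalisation
        self.window, self.quorum = window, quorum
        self.claims = {}               # reader_id -> last claimed time, oldest first

    def observe(self, reader_id, claimed_time):
        # One vote per reader (assumes reader_id comes from a verified credential,
        # otherwise a single device could vote under many names).
        self.claims.pop(reader_id, None)
        self.claims[reader_id] = claimed_time
        while len(self.claims) > self.window:
            del self.claims[next(iter(self.claims))]   # evict the oldest reader
        # Without a quorum the first reader met could set any time it likes.
        if len(self.claims) >= self.quorum:
            filtered = int(median(self.claims.values()))
            # The median resists a minority of wrong claims; max() keeps the
            # estimate from ever moving backwards.
            self.estimate = max(self.estimate, filtered)
        return self.estimate

    def admit(self, reader_id, claimed_time, cert_expiry):
        self.observe(reader_id, claimed_time)
        return cert_expiry > self.estimate

def naive_admit(claimed_time, cert_expiry):
    """Baseline from the text: the tag trusts the requesting reader's own time."""
    return cert_expiry > claimed_time

def demo():
    clock = TagClock(start=1000)
    # Constructed sample: four honest readers with long-lived credentials.
    for rid, t in [("r1", 2000), ("r2", 2010), ("r3", 2020), ("r4", 2030)]:
        clock.admit(rid, t, cert_expiry=5000)
    # An expired reader back-dates its clock to make its credential look valid.
    expired_admitted = clock.admit("rx", claimed_time=1400, cert_expiry=1500)
    # A single reader claiming a far-future time barely moves the estimate.
    estimate_after_outlier = clock.observe("far-future", 10**9)
    return expired_admitted, estimate_after_outlier
```

The same back-dated request passes `naive_admit(1400, 1500)`, which is the weakness of taking the time from the requesting reader.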

As the last year of RFID-AP moves forward, it is anticipated that the work of WP3 and WP4, which is concerned with the practical implementation and testing of primitives and protocols, will merge and the work efforts on WP3 will in fact be transferred to WP4.

 

Deliverable

M18 | Preliminary Design of Security Protocols | DWP3.1
M36 | Advanced Design of Security Protocols | DWP3.2

 

WP4: Implementation (leader: LETI)

 

In many ways, this work package is core to the RFID-AP project.

 

The most important feature of our work is that we want our algorithms and our protocols to be practical. Ensuring this is a two-fold process. First, the algorithms and protocols have to work as intended when viewed in isolation. But then, second, when trying to provide a privacy solution (say), the property we claim needs to be delivered by the system as a whole and not just by an isolated building block.

 

Electronic prototypes of algorithms and protocols as well as tags and readers will be designed. The main goal of this work is to implement, and to confirm, the work in other work packages.

 

In many cases, this confirmation of the work in the other work packages will involve implementation. We might imagine this to be particularly the case for validating the work in WP2. However, for some novel protocols such as those envisaged in noisy tags [1, 2, 3] for instance, experiments will be required to measure the performance of the different security concepts that are proposed.

 

This will require the development of a functional electronic platform involving multiple readers in different roles and multiple tags simulating the true environments in which tags will be deployed. These platforms will be highly configurable so as to implement the targeted solutions, to test their relevance and efficiency, and to correct and to improve the different solutions.

 

One important consideration, which will require collaboration between all partners and the interaction of WP2, WP3, and WP4, is that of genuinely providing some security goal, such as privacy, in reality.

 

 

Standard security services such as integrity, encryption and authenticity can be provided at each level of the protocol stack more or less independently. However, precautions taken at one layer do not always act as intended in practice because of interactions at another layer.

 

Interestingly, the dual of this also applies; it may in fact be possible to use the interactions of the different layers of the protocol stack to actually achieve some security goal.

For instance, secret key agreement can be performed at the application layer using public key cryptography. However, it has been shown that an RFID tag and a reader can agree on a key at almost no cost if the property of source indistinguishability is provided [1]. This property requires that, when two RFID tags send messages to a reader, the source of a given message remains ambiguous even to an eavesdropper who can read the messages. The verification of this type of protocol requires a multi-layer design to understand the full implications of this approach.

 

In a similar fashion, some properties such as traceability are a multi-layer phenomenon [4]. The tracking of the holder of an RFID-tag is widely viewed as a serious privacy threat. However, each layer of the protocol stack can reveal information that might be used by a malicious user to trace a tag. In the application layer, RFID systems implement identification protocols that are used by the readers to identify the tags. Current systems are pretty simple: upon a request from the reader, a tag will reply with its identifier. These identifiers are usually constant and can, therefore, easily be used by an eavesdropper to trace a user. At the communication layer, tags must co-ordinate their communication with a reader to avoid tags replying to a request simultaneously and creating collisions on the communication channel. As a result, collision avoidance protocols are required, but these can leak information about a tag if they use constant identifiers. Some communication schemes use deterministically-derived time slots, which again can be used to trace a user. Finally, at the physical layer, the parameters of radio transmission (frequency, modulation, timing, etc.) follow standard descriptions. However, co-existing tags can use different standards, which can permit tracing. Furthermore, even if the same standard is used, variation/skew in the frequency, clock, or time can be used to differentiate an RFID-tag.
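A small simulation of the multi-layer point made above, as an added example that is not part of the original page: it measures, per layer, how many tags can be re-identified between two inventory rounds. The tag identifiers, frame size, the fresh-nonce-plus-MAC reply and the slot rule (low bits of the identifier) are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import random

SLOTS = 4096  # constructed frame size for the anti-collision round

class Tag:
    def __init__(self, tag_id, key, fresh_app_reply, random_slot, rng):
        self.tag_id, self.key, self.rng = tag_id, key, rng
        self.fresh_app_reply, self.random_slot = fresh_app_reply, random_slot

    def sighting(self):
        """Values visible on the air interface during one inventory round."""
        if self.fresh_app_reply:
            # Application layer: fresh nonce plus a MAC only the back end can check.
            nonce = self.rng.getrandbits(64).to_bytes(8, "big")
            app = nonce + hmac.new(self.key, nonce, hashlib.sha256).digest()[:8]
        else:
            app = self.tag_id.to_bytes(8, "big")        # constant identifier
        if self.random_slot:
            slot = self.rng.randrange(SLOTS)            # fresh slot every round
        else:
            slot = self.tag_id % SLOTS                  # slot derived from the ID
        return {"app": app, "slot": slot}

def build_population(fresh_app_reply, random_slot, seed=1):
    rng = random.Random(seed)   # seeded for a reproducible simulation only
    return [Tag(0xE2000000 + 37 * i, rng.getrandbits(128).to_bytes(16, "big"),
                fresh_app_reply, random_slot, rng) for i in range(20)]

def linkable_fraction(tags, layer):
    """Share of tags whose value at `layer` in round 1 matches exactly one
    sighting in round 2, and that sighting is the same tag."""
    first = [t.sighting()[layer] for t in tags]
    second = [t.sighting()[layer] for t in tags]
    linked = sum(1 for i, v in enumerate(first)
                 if second.count(v) == 1 and second.index(v) == i)
    return linked / len(tags)

def report():
    return {
        "constant ID, app layer": linkable_fraction(build_population(False, False), "app"),
        "fresh reply, app layer": linkable_fraction(build_population(True, False), "app"),
        "fresh reply, ID-derived slot": linkable_fraction(build_population(True, False), "slot"),
        "fresh reply, random slot": linkable_fraction(build_population(True, True), "slot"),
    }
```

The third entry of `report()` is the case to check in a design review: the application layer is unlinkable, yet every tag is still re-identified from its slot.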

 

All of this shows that, to provide secure solutions or a privacy-enabled system, the practical implementation and the practical implications must be considered. Thus, while one goal of the project is to design lightweight cryptographic algorithms and novel protocols, these designs must be practical and deliver their goal. It will be possible to assess the overheads of implementing the results of WP2 and WP3 as well as to measure the extra power or resource requirements. Assessing their suitability, and providing a holistic solution to issues such as authentication and privacy, can only be done by studying how components interact in practice.

 

Deliverable

M24 | Establish electronic platform prototypes and test bed | DWP4.1
M36 | Test and validation results | DWP4.2

 

References

 

[1] C. Castelluccia and G. Avoine. Noisy Tags: A Pretty Good Key Exchange Protocol for RFID Tags.  In J. Domingo-Ferrer, J. Posegga, and D. Schreckling, editors, Smart Card Research and Applications, Proceedings of CARDIS 2006. Springer-Verlag.

[2] C. Castelluccia and P. Mutaf. Shake Them Up (A movement-based pairing protocol for CPU-constrained devices)! ACM/Usenix Mobisys, June 2005, Seattle, USA.

[3] H. Chabanne and G. Fumaroli. Noisy cryptographic protocols for low cost RFID Tags. ECRYPT RFID Workshop, 2005.

[4] G. Avoine and P. Oechslin. RFID Traceability: A Multilayer Problem. Financial Cryptography 2005.

[5] E. Crochon et al. PEA Card or Power Embedded Active Card. e-Smart, Sophia Antipolis, France, 2004.

[6] F. Vacherand et al. New Technologies for Contactless Air Interfaces. e-Smart, Sophia Antipolis, France, 2005.

[7] F. Vacherand. New Technologies for RFID. sOc-EUSAI’05, Grenoble, France, 2005.

 

WP5: RFID Security: New Directions (leader: EURECOM)

This work package provides the dual to WP1 and aims to provide a starting point for ongoing RFID-based research in the long term. As such this work package will look beyond the life-time of RFID-AP and potentially point to future work.

 

RFID systems will evolve considerably and one thing to expect is that the security research issues and solutions will be quite different in a few years. For instance, while most of the cheapest RFID-tags are passive, gradually semi-passive or battery-aided tags will come down in price and be more widely available. In addition, the computational capabilities of the cheapest tags will increase as Moore's law takes hold. It could be that many of today's efficiency/performance issues might disappear.

 

On the other hand, the applications opened up by the cheap availability of micro-batteries, micro-sensors, micro-antennas, and non-volatile memories might themselves create new threats. This means that new security services might be necessary. For example, much current research focuses on the security and privacy of the RFID tags. As a system evolves, however, it might make sense to protect the privacy of the readers. In fact, since readers might be embedded in objects such as watches and phones, we would also need to consider the traceability of readers in a privacy context. Efficient and effective protocols do not exist today and need to be designed.

 

Even without new technologies, new threats may evolve. For instance, most current PET (privacy enabling technology) solutions are implemented at the transport or application layers and rely on protocols that establish a shared secret between a tag and the reader. This secret is then used by the tag to communicate secretly with the reader using some kind of scrambling/encryption scheme. However, even secure “application-layer” solutions will not protect user privacy if the identity of the tag is betrayed by the lower layers.

 

Thus, the conclusion of a three-year project on RFID security appears to be the ideal vantage point from which to survey the near-term, and potential long-term, development of RFID-tag security.

 

Deliverable

M36 | RFID Security: New Directions | DWP5.1