>>: Welcome. Thank you for something. I'm happy to introduce Guang Gong to you today. Guang is a professor at the University of Waterloo. She's the director of the Communication Security Lab and also of the Center For Applied Cryptographic Research. Her research interests are broad. They span theory, information theory and combinatorics, all the way to very practical research, network security, communication security. Today, I think the topic is on the more practical side. So with that, I'll let you start.
>> Guang Gong: Okay. Thank you, Peter, for hosting. Thank you, Greg, for that introduction. So today, I would like to introduce some work we did in University of Waterloo, so the title is securing RFID systems using lightweight stream cipher. So first I think I will spend some time giving introduction to RFID and how they restrict in the RFID systems. Then I will give the review for the lightweight cryptographic solution for the RFID security. Then we will introduce our own solutions. So we were using the stream cipher and show how we can provide the privacy-preserving authentication for the RFID systems. Then I will show you some related research activities which conducted at the University of Waterloo, especially in the Communication Security Lab. So what is RFID? So it's shorthand for radio frequency identification. I believe the first people who introduced this, I met this guy in a conference, and he told me, our idea is to try to give ID to every item in the universe. So that's why -- so every object will have the ID. But this ID will be using the radio frequency. Okay. So currently, this RFID technology basically is one of the most promising technologies to enable ubiquitous and the internet of things computation. So possibly you already see some of those tags. However, currently, it's not RFID.
If an RFID tag, that will cause a problem, so that's why the research always should be a few years before those technologies really deploy the [indiscernible] department to store [indiscernible] which sell the really expensive things. And how it works. So basically, the RFID contains three components. So those 2 RFID tags, so each of those tags consists of a microchip attached to a radio antenna, then they will have the reader. So reader unit is a device which can emit the radio waves and receive signals back from the tag. Then the communication between the reader and the database, so this is wired network. So we will assume this part is secured. So the only part is wireless part. So which means the communication between the tag and the reader, so this is only part we think is currently [indiscernible] didn't mention how they can secure those parts. However, this part will be secured and like the -- could implement the SSL, secure socket [indiscernible] so this is [indiscernible] something. Okay. And for the characteristic of the RFID system, so I already mentioned so channel between the reader and the back-end database might be wired channels that are usually assumed to be secure. Also, both reader and back-end server can implement the crypto algorithm and the strong crypto protocols. So this is also the reason we can assume this link is secure. So the weakest link is the wireless link between the reader and the tag. So usually, the tags are constrained devices, so they are constrained in every aspect of the computing and the communication and the storage. The reason is they ask so little. For example, some company, when they approach us, they said okay, we want you have some [indiscernible] for our RFID product and then they said our tag only sells for ten cents. They only give you one cent for security design. Then I said no way. One cent for security design, we can't do anything. So that's the reason, because the cost of the tag itself is so cheap.
Then you also want the security. How they can distribute. So they distribute only for one cent. Yeah. So I believe that's the challenging part. Okay. So for the different RFID tags, they divide it into the three different tags. To one cannot -- I'm sorry. One can see the active tags and the semi-passive and the passive ones. So active tags, basically they have battery, so this one can be treated as a general wireless device. So they can initialize communication, but those are very expensive. The transmission range is also very high. And the second class is the semi-passive tag. So for those tags, they have battery. However, this battery only use the [indiscernible] chip's circuit. For the communication, you have to harvest the power from the reader signal. So those also expensive, but not as expensive as this one. And the third class, this is the class people were interested in, because those are the passive tags. So those passive tags basically no battery inside. So if no battery, basically, limited maintain this for those devices because they don't have battery. So how can they do the computing and the communication? They harvest power from the signal sending from reader. So that's the, also the reason they are -- they cannot implement the strong crypto. So for these two classes, so they're weak in computing, but they can be operated in a large range. So this class called the EPC tags. This is a class I will focus on. And there's a second class is they could perform intensive computation in near proximity, for example, [indiscernible] you're very close to the reader, just one centimeter. So this can grab the power strongly. So they even can do the elliptical cryptography for those, we call the near field communication. For example, currently, for the cell phone, like Google, Samsung implemented the Google -- the Google phone, and they have that near field communication mode. And the Blackberry also have this mode already implemented. But I think the iPhone didn't.
The iPhone 5.
>>: Windows Phone 8 does.
>> Guang Gong: Yeah, Windows Phone 8 does have this near field mode, which means you can switch your phone as a reader, also switch your phone as your QWERTY call so you can do both. But those are very cheap and smaller, and the distance is shorter. So supposedly, you already see some of those products.
>>: Do the EPC tags have any long-term storage?
>> Guang Gong: Yes. No, long-term communication distance, because they can do maybe one meter to four meters. Like the [indiscernible] different prices, the reader could need to be far away and still read their product. Yeah. But [indiscernible] is one centimeter, close by. So this graph shows that if the active ones, they have battery for both communication and the computing. And for the semi-passive ones, they have battery, but those only for power up the tag. Cannot do the communication. So the power for communication also harvest from the reader signal. And for the passive one, do not have battery. So whatever they power up or do the communication, all get power from the signal sending from the reader. So this is a [indiscernible]. And for the radio frequency, then we look at this classification. For the low frequency tags, so the reader frequency range is 125 to 134 kilohertz. Reading range could be the ten centimeter. The application, like it's smart cards and ticketing and also those [indiscernible] keyless entry. So those are also we see this category. And the other two classes are high frequency tags now. So this class operating on the 13.56 megahertz, and this class operated on the 866 to 915 megahertz. And the distance also increased.
>>: You get this number like seven meters, did someone write 20 feet? Because it's [indiscernible] precision. I'm sure if you were six meters, eight meters too, inverse square is inverse square.
>> Guang Gong: Those take from standard, so I don't know how they measured, but they specified in the different frequency range what is the distance could arrange. But I do not know if -- because those current -- all those in the research area, not really manufactured. But this type is already in the application. So all of the near field NFC tags is already there. So this is the different RFID tags. So in this talk, I will focus on the EPC tag. So because this is the class currently in the standard that didn't specify any security. I think they are waiting for they got a problem, they come to rescue there. For the NFC tags. So this is the -- they have the capability to implement the public key, such as the elliptical public key. So this is also in the standard and in the NFC standard so they said we can do the public key. So like the [indiscernible] possible because right now your key is embedded. When you have AES they are so the key is embedded. Supposedly in the near term can be also shared key and using the public key approach. And for the EPC tag, so this is -- so they call this the EPC global class generation 2. Shorthand is the EPC Gen2. This was approved by ISO 18000-6C in July of 2006. However this is class people think possibly later on will be widely deployed. So in this standard, what is specified? So it is specified four types of memory in the EPC tags. So first class is reserved memory. So those for store the password, which has 32 bit. However, those password here basically is for the kill the tag. For example, a tag not working well, they do not other people could -- other reader could read the information from this tag so they issue the command, kill this tag. So this is not really password we use for access computer or the servers. And the EPC memory -- the next category is EPC memory. So this contains 96-bit. So this part use the for identify the tag. However, this memory is locked. So you only can read out. You cannot write.
So although they said you can have 96-bit. I'm sorry. And another is TID memory, and this is a 64-bit. This is the part you store the information that can identify the tag. Also, this can be used, this User memory, this is optional memory. So most of tags I think in the market they do not have this one there yet. Also, for the communications, the EPC standard also specifies the restricted number of the commands, which is basic functionality of the RFID enabled application. So the command is select, this command is used by the reader to select a subset of tag population. And the second command is the inventory. So these commands are used to establish communications between different tags and the reader. And there's a third class command is access control command. So those you can have the five different things. So this is request the tag to return 16-bit random number. So this is one restriction. Any communication between reader and the tag is 16-bit. So that's why if you want to use AES, then you have to run AES once. You get 128 bit. Then you need to throw away others. If you use ECC, for example, you field smallest one, 160 bit. Then you get the number is 160 bit, but you only can use 16. So this is what restriction they have there. Of course, you can read the memory of the tag, you can write to the memory on the tag, and the kill. This is what the security function this was. The security means this kill command. So you can, no longer can read the tag so they call this a kill. And this is permanently disable the tag. And the lock is lock the memory. So that's two functions they call the security function in the RFID tag.
>>: So you could lock and you could also kill the tag. So does request RN respond the same random number every time?
>> Guang Gong: No, different, which means communications only each time only transmit 16 bits. That's it. That's the restriction.
And the attacks, I think our general attack which can apply to wireless communication also apply to here. And here also has some special concern. For example, RFID technology raises two main privacy concerns for users. One is the clandestine, those physical tracking of tags and the inventory of tags, okay. And also misbehaving readers can harvest the information from the well-behaved RFID tags. So those are -- can read the privacy. So because between the communication, the communication between RFID tag and the RFID reader is RFID tag -- RFID reader basically is sending the command continuously. So the tag will automatically respond to the interrogation from the reader without alerting the owner. So basically, you do not know your device is replying, okay. So that's the part. So the person carrying the RFID tag is prone to clandestine physical tracking. So this is the, I think, from this behavior, the adversary equipped with RFID readers can effectively trace a person carrying a tagged item by linking different sightings of the same RFID tag. For example, if like in the Macy's department store, then if you buy something and someone wants to track you, then they can [indiscernible] the reader. So currently, you can spend possibly I think 200 U.S. dollars that you can build the reader, then they can read what you purchased. So that, I think that's something need to be [indiscernible] someone know your behavior, your spending behavior, they could. Also, cost not that high. I think five years ago, if someone wanted to build a reader, it cost more than $2,000. But now, only $200 you can build one. And I think here has a store called the Fry's, you go there, you only need to spend about $200.
>>: When it comes to carrying a tag, if I know it is RFID, I'm not able to break it with a hammer. But what I do worry about is like mail order.
There's a package on my doorstep and every single person can figure out something about what I'm buying without even getting too near my house.
>> Guang Gong:
>>: No, no. You said seven meters.
>> Guang Gong: That's a sidewalk. Yeah, they can just stand on your sidewalk.
>>: They can stand there and say oh, this guy is buying pornographic magazines.
>> Guang Gong: Yeah, see exactly. So that's with the RFID technology [indiscernible] deployed, I think the privacy issue first they need to solve. Otherwise, people will get checked anywhere. If someone wants to know what you buy or your life behavior, then they can. Also, the cost is so little for those [indiscernible], right. $200 is just nothing for their spending, yeah. Also, those industry [indiscernible] in supply chain applications, so individually tagged objects in stores allow competitors to learn about the stock turnover rates, like those inventory. So those are not in our paper, but these are more serious. Also, those are [indiscernible] so this is also another. And a second problem is authentication. So authentication is focused on the problem of well-behaved readers receiving information from the misbehaving tags, like those counterfeit tags. So, for example, I think I believe this problem is more serious in China. If some brand is very good and [indiscernible] that brand. And then they just forge the tag. So this is how you can check your tag is [indiscernible] then definitely the crypto problem they you do the authentication to check this tag is [indiscernible] or not. So this is basic RFID. For example, for the EPC tag, are vulnerable to simple counterfeiting attack or cloning attacks. So the attacker can skim the electronic product code from the target tag and then program it to a counterfeit tag. So this is much easier. Now, before that, they made some -- the tag that you need [indiscernible] to do many things.
But if it is electronically, then you just need to grab the information that you can produce and not new ones. Okay. So authentication, basically is important issue when the RFID tags are used for access control or as security devices to detect counterfeit products such as medicines, electronics accessories, and high valued items. So this is the, I think in general, if you erased this problem, then people think you can implement the crypto. So the main problem is those very cheap RFID tags, they cannot implement the crypto. So for the communication attack, as I mentioned, any attack which apply to the wireless communications also apply to here. So like the spoofing and the replay, eavesdropping and jamming and the traffic analysis. So those is general for any wireless device. Because the communication between tag and reader is wireless parts, so all of those attacks apply to here. And the countermeasures. So this is the [indiscernible] in the [indiscernible] because they have those countermeasures so they think that we'll be okay. So physical protection, so they could some distance measurement. For example, if that signal comes from the distance not [indiscernible], you could suspect has some misbehaved reader is trying to read the information. Or called the Faraday cage approach, which means you put the tag into some cage. But I think those not for the signaling applications. Those are only applicable for the government or military applications. Then the second function is deactivation. So you could have the killing operator, sleeping operator, or hash lock. Question?
>>: You mentioned government. But in [indiscernible] driver's license emotional state, there's a Faraday cage. So. Can't read it unless you would take it out.
>> Guang Gong: Also, I think the passport, like the U.S. passport, then they have the RFID. That one does not have the cage implemented. Yeah, uh-huh. Faraday cage implemented. Or could be renaming.
And user-oriented so that they will think that was crypto-based approaches. So this is what I will introduce. Or using the watchdog tag or RFID guardian. So those are similar approaches to Faraday cage. And for the jamming. So jamming is currently a very serious attack. So basically, not much good measured. If you want the blocking those jamming signal, then you have to introduce another type of communication called the spread spectrum communication. But if you introduce the spread spectrum communication, then the tag cannot do this. So that's why there's not much solution here yet. And the entity authentication, so those basically should be using cryptographic approach. So that I will show you later [indiscernible]. So for the identification authentication, so the identification protocol is a standard they combined. They call the privacy-preserving authentication. But that's divided into two steps. First is the identification. So the identification protocol allows the reader to obtain the identity of a queried tag but no proof is required. So that's -- so you just query the tag and the tag replies with its ID. So this is currently the standard. No security at all. So basically, once the reader got the queried once, then everyone for the tag [indiscernible] get own IDs. So [indiscernible] whatever she wants to do, he can use those information of the ID. So currently, like those application, localization and the stock management, so those need identification information. And the authentication, so this is the same as a general communications, which allow the reader to be convinced of the identity of the queried data or queried tag. On the other hand, also allow tag to be convinced of the identity of the querying reader. So usually, if those two satisfied, that's a mutual authentication. So in this sense, if there's a symmetric key approach, then they both should care [indiscernible]. So this is also the case for the symmetric-key based approach.
So we know for the authentication from the cryptographic approach, you use [indiscernible], use a symmetric key approach. Then both parties should share the key or use a public key, using the digital signature to create the response, okay. So that's your authenticating protocol. So for example, you can do these access control, E-document, and anti-clone and anti-counterfeiting. So those are currently authentication. Okay. So for the performance requirements, you need low computational costs. And also the low communication cost and the low storage requirement, and the scalability. So back end database should be able to efficiently identify an individual tag even though the tag population is huge. So all of those is restricted. So that's the reason in the standard they didn't want to specify the secretive part, because everything is constrained. The limited power and the limited bandwidth, and the memory also extremely constrained. And for the cryptographic solutions, what is a zip goal for implementing the security mechanisms on resource-constrained smart devices like RFID tags. So this is what we need to consider, so three performance attributes. The size of the implementation as measured by gate equivalents, the peak and average power consumption, the time required to complete a computation. So what is available on an RFID tag? So this depends on the security level, intended market, cost of fabrication and deployment. So usually, then they will think around 2,000 gate equivalents. That's the marketing you could do. If your algorithm cannot be implemented within 2,000 equivalent gates, so basically, those tags cannot handle those crypto. So this is what we were thinking. Anything designed should be, we think, in this range. And for the crypto primitives, symmetric-key approach, block cipher, stream cipher, hash and the MAC. And the public key, you also have public key encryption, but usually it's [indiscernible].
Most [indiscernible] is digital signature and the identification schemes. However, classical crypto primitives designed for the full-fledged computers may not be suited for RFID tags, especially as an EPC classes. So for the EPC class, it definitely not possible. Sometimes you read some paper, that said is for RFID. But I believe [indiscernible] is for the NFC. So [indiscernible] EPC basically is not possible for the public key. So [indiscernible] is a symmetric key. Symmetric key, so the lightweight cryptographic primitives. So which can perform strong authentication and encryption for ultra low-power RFID. So recently, four or five years, many, many works already conducted in this area, although some [indiscernible] it's not lightweight. However, they're not all lightweight. But at least people know you have to have lightweight for RFID application, at least this is the signal everyone realizes. You cannot use the standard crypto primitives here. So the symmetric key approach is the PRESENT. So it's the block cipher, which has a 64-bit block. And they also implemented the DES and the KATAN, also KATAN is two classes of the block cipher and the AES also implemented in the optimization area. So [indiscernible] you know, you perform 16 S boxes, but each of them are identical. So you only need to implement one inverse function, which is the eight-bit finite field, the GF(2^8). And the stream cipher, that's the WG families introduce, which is we propose the several years before, and the Grain and the Trivium and the MICKEY. So this is the eSTREAM, they call the stream cipher standard in tools on the fly. Finally, they have three which they call the, I think that's the top three candidates. And the Hummingbird -- question?
>>: [indiscernible].
>> Guang Gong: No, because this is symmetrical. Yeah, uh-huh. So then Hummingbird is a combined design. So it's between the block cipher and the stream cipher. And the hash, so it's PRESENT-based or AES-based.
Basically, the standard hash function [indiscernible] classes is not suitable. Because they are hardware implementation [indiscernible]. And so those are the initial attempts for using lightweight identification schemes based on the public key approach. For the general case, it's, as I mentioned, not suitable. And reason is hardware implementation of public key schemes usually requires many [indiscernible]. However, there's two types when they implement, they think possibly is good. So it's one uses a variation of the Rabin system, or called SQUASH that Shamir proposed, and the other is called WIPR. So this is the Oren proposed. And also, another group, [indiscernible] proposes a token-based approach using the elliptical curve. Okay. So did -- so this is public key approach, although those are much bigger than what the standard requested anyway. They are in the research, they have those. And I think I will just roughly introduce this. So the privacy-preserving RFID authentication protocols can use a block cipher, public key and also HB-family. So you look at how -- if that's using AES as I mentioned, AES is 128-bit. But this EPC tag only allows you to accept the 16 bit. So how do they adjust to the pipeline? So for example, you parallel reading multiple tags, then you schedule your interleaving the transmission time for each of the tags. So you see what is the [indiscernible] here, because you have to have scheduling here now, how you read it to read, how you do the transmission, because they try to come out the timing. And the AES is very slow. This is best implementation, 1032 cycles per block. Because they have 28 bit after computation, one to two years or 128 bit. So that's why they're using the interleaving authentication method here. So this one is based on the ECC, and what they try to play here is trying to use the exponents has very small [indiscernible] weight. For example, Hamming weight two, you just do two -- one multiplication.
So that's what they play here. Maybe the reader do more computation. I think this idea is also used in the wireless communications, uses in mobile phone to a very small computation and the [indiscernible] large computation. So this is in the same line. Okay. So I will skip this one. Then I will introduce you the stream cipher WG family. Also, the WG -- the stream cipher based privacy-preserving authentication. So the stream cipher will be different now. So I will show you. So for the WG stream cipher family, basically the synchronous stream cipher. Based on the Welch-Gong transformation sequences, which is well studied in sequence design for communications. So those sequences basically when I was in the University of Southern California, I think more than 16 years ago, then we found those sequences, but we couldn't prove that. It end up with two people, Stapleton, during that time -- he passed away about four years ago, right. But during then, he was working with German security agency. Another guy is [indiscernible], national security agency of U.S. government. So the two proved this -- those sequences has a two-level [indiscernible]. We only found by computer search. We can't prove. But two proved that. So those key stream possesses a cryptographic properties of WG sequences. And later on, we figure out we could also output multiple bits instead of one bit. So that's another class is multiple output WG. So the stream cipher basically, based on what argument Shannon did in 1949. Shannon said that one-time pad is unbreakable. What is one-time pad? Which means every time you do the encryption, you will use different key stream, that's the one-time pad. And he proved, he said it's unbreakable, if you can do this. Okay. But then in general, in the design of the stream cipher, then you divide it into the two phases. One, at first phase is the key initialization algorithm. So then for the key initialization algorithm, you will have a two input.
One is IV, another is the key. Then you run multiple times. So the goal of the KIA is to scramble key bits with the IV in order to get a bit stream as random as possible. Then after that, you put this as an internal state of the [indiscernible] random sequence generating, this is the output bit. So this bit exclusive-or with a message bit, you get ciphertext bit. So for the decryption, you do the same, but the [indiscernible] will be exclusive-or with ciphertext and you recover your message bit. So this is the stream cipher mode. And what is the function used in the WG stream cipher family? So basically, we need the linear feedback shift register. So those are LFSR sequences is not work on the binary field, that is in the extension field. So usually, this extension field is the power of the two. So we take the polynomial, which is a primitive polynomial over this extension field, then we generate the linear recursive sequences called a_t. So it's generally [indiscernible] recursive relation. So the sequence generated by primitive polynomial has a [indiscernible] which is a maximum q^n - 1. So this is -- those are LFSR. Then what is WG permutation and the WG transform? So we learn that the h(x) has the five terms, then WG permutation, we basically do the transform x plus one. Then you get this is a permutation. Then you add in the trace. So here is m bit so you map to one bit we call the WG transform. So these four exponents look like this. It's a little bit magic. Basically, we found by computer search. Then later on, [indiscernible] proved that. Okay. So this is we called this one is the Welch-Gong transformation from GF(2^m) to GF(2) and this one is the permutation. Then we can generate the two sequences when we evaluate WG transform over a primitive element. Then we get the two sequences. And those sequences has ideal two-level autocorrelation, which means they are -- so ideal two-level autocorrelation.
What is correlation, is you measure the similarity between the sequences and its shift [indiscernible]. So idea of two level is whatever which shift will have the same correlation value, which means they are not giving out any information. Okay. So this is the general WG generator. So you have LFSR over extension field, then you apply the WG transform at last stage. If that's the initialization phase, then this is feedback. After finish the initialization, then you output to the key stream. So this is the general role block for the WG generator, and the m is the size for each entry. L is how many [indiscernible] block, okay. So then this is how you operate in key initialization phase and this is where we feedback. If not in the running phase, then all output from WG function not feedback. So this is the architecture of the WG. And the WG stream cipher has all of the design randomness property. For example, we can show the period is 2^n - 1. So [indiscernible] is m times L and also the key stream bit is [indiscernible] has a two-level autocorrelation function. And if you look at the T-tuple, which means the T bit together and this is the appears the [indiscernible]. So the T [indiscernible]. And the linear span, what's the linear span? It's you can, using the [indiscernible] algorithm, then you can, given the key stream [indiscernible], you can find the LFSR, which generate this key stream. So what's that to the [indiscernible] of the LFSR, designed as a linear span. So this linear span is exponentially increased with m. Also can be determined exactly. And also the cryptographic properties of WG transform has all of those good properties. It is one-order resilient and the algebraic category is one third and the nonlinearity can be determined and the additive correlation basically prevents the differential cryptanalysis, because you look at the correlation this and this. Then this is also very good.
So that's why WG stream cipher possesses all of the desired randomness property. And this is the hardware implementation architecture. I think I will skip. And for the feature of the WG stream cipher. It has guaranteed key stream randomness properties and also secure against time memory data trade-off attacks, algebraic correlation attacks, also many new attacks like the [indiscernible] attack. We also gave analysis. And the most importantly, can be implemented in hardware with low complexity for some parameters. Not all, but we can pick up some. For example, as an instance, I think I was [indiscernible] once so this is what is a good correlation property which WG have. Can provide certain countermeasure for different attacks. It is tamper resistant and side channel attacks, those can be provided by the good correlation property of the WG. So I think I will skip this one. Now, I will give you the example.
>>: [indiscernible] is coming in and sorting in bit pieces. So why is the problem algorithm matter?
>> Guang Gong: Yes, because for example, if correlation is good, then your power spectrum is flat. So you do not know your device is doing things or not. So that's why you cannot tamper, because you do not realize they are doing anything or not, yeah, in this sense. So this is the WG-8. So which we use 80-bit key and the 80-bit initial vector. So the LFSR has 20 stages, and the finite field is F_2^8. So then this is architecture. 28 stages over GF(2^8). Then this is WG-8 here, but we add in one more function, which is the, we call the decimation is to the power of the x. So this is to the power 19. Then those decimation identical for general WG. Then so for the initialization, basically, we need feedback from here before the trace. And for the [indiscernible] by adding the trace function, okay. So this is WG function for the parameter 8 case. Then for this, what is the period.
Then we get the period 2 to the 160 minus one, and the key stream is balanced, because it [indiscernible] all properties of the WG family. The linear span is about 2 to the 33.32. So what's that mean? That you need to know this many bits to reconstruct the rest of the bits. However, this is an RFID application. You never have this many bits to be collected. Then we also did the cryptanalysis for all known crypto attacks: algebraic attack, correlation attack, differential attack, cube attack, distinguishing attack, the discrete Fourier transform attack and the time-memory trade-off attack. So we did the solver analysis for different attacks for WG-8. Those parts we had to do because the parameter is small now. So those cannot be inherited from the general WG stream cipher.

Then this is our implementation. So that's also the comparisons. I think at first we implemented WG-7, and so today I give you WG-8. Because [indiscernible] we implemented as a [indiscernible] which uses a different measure. So this year, we did much, much better. So the performance for the throughput generally is 2 to 15 times higher than the [indiscernible] crypto ciphers and our energy consumption is 2 to 220 times smaller. So for the WG-8 implementation, okay. So if you're interested, we have the full paper in the NSERC technical report. So that's on the website. You can access that. Okay.

And then we can use it as privacy preserving authentication now. So how we do this as a stream cipher now. So the reader first gets the 80-bit IV. Or it could be the random number. Then this tag has its ID. Then we write it as TI. And the reader queries the tag and sends this information, and the tag will choose an 80-bit IV2 and C1 is the TI plus IV2. So IV2 is [indiscernible] although it's not the key stream. So now we [indiscernible], this is the IV. This is as a key into the WG stream cipher. Then we [indiscernible] WG stream cipher and then we get C2. So C2, because WG outputs one bit.
In the RFID application, you need 16 bits, so that's why we get 16 bits. So this is: you can get as many bits as you wish. With a block cipher, then I output 128 bits and then you have to throw out 94 bits because you only need 16 bits, okay. So now, privacy preserving, what's that mean? So the reader basically does not know which tag responds. So he will search for the key. So he searches. Once he gets a match, he knows this key belongs to this tag. Then he will be convinced this tag has been identified, okay. Then the following -- then it's a mutual authentication, then you will continue to run it. Okay. So then they continue to do the authentication, so because this is a stream cipher, we keep the internal state, not change it. Not every time are you running the initialization phase. So every time you continue your process and get your 16-bit output. So then your tag will be authenticated. Also, the reader will be authenticated if you do the mutual authentication. Then the last step, the command execution. So this is also specified in the [indiscernible], then we also continue to run the WG stream cipher, then all of the commands can be secured.

So we have implemented the protocol on practical four-bit and eight-bit microprocessors, and for the database, we use a laptop. In fact, this is a very old one. And for both WG-7 and WG-8. And the protocol meets the time constraint for the EPC tag. And for the server, basically it could be much faster, because we used this ThinkPad, because my student just used his own laptop as a server. So we execute our protocol, it could be executed in less than three milliseconds when the tag population is 10^4, and in the standard request, you can execute for 10^3 tags per second. But with that three minutes, we can authenticate 10^4 tags. So then we also implemented using the tag which is provided by Intel. Also, for the reader, we're using a software defined radio.
So this is a tag, because the commercial tag cannot be -- cannot do the programming. So this is [indiscernible] research, we have those testing tags. So they provided them to us. This is the software-defined radio, so we can easily change the frequencies. So this is a [indiscernible] reader, so that's what our timing regards there.

So this is -- I will conclude what I introduced. So RFID is one of the most promising technologies in the field of ubiquitous and pervasive computing. And the EPC standard has put forward the challenge for designing security mechanisms for RFID systems. We think the lightweight crypto algorithm and protocol are crucial for RFID security. And the WG family has guaranteed randomness properties and provides a wide spectrum of possible levels of trade-off between security and area and optimality in hardware implementation.

These are the references, so the WG material I took from those papers. All published. You can download them from our website. And we also did work on RFID security not using crypto, but using the physical layer security to secure the RFID [indiscernible], work using the frequency [indiscernible], and we also found some new attack where we use active eavesdropping, not passive. It's active. So in order to eavesdrop, you first need to send out something. So that's why we called it active. So those are the physical approach, not the crypto approach. And also, so that's our research supported by NSERC, also many companies, and also these are the different research activities conducted in the Communications Security Lab, so this is part of the Center for Applied Cryptographic Research in Waterloo. I think I will stop here now. I don't know how many minutes I should give the talk. But thank you. Any questions?

>>: So can the tags generate random numbers?

>> Guang Gong: Right now, no. Right now, so like we did one work that showed a random number generator for the EPC tag. So they cannot. They cannot currently.
But a lot of research that happens here is that you use a [indiscernible] random generator, but you do not have one. Because the [indiscernible] random number generator will come from the [indiscernible] physically [indiscernible] function. But that one is very, very expensive. So the EPC tag cannot do that. But how you can get the random [indiscernible], I believe that's very challenging.

>>: So does this cost one cent?

>> Guang Gong: Much more. Much more. So that's why I told them no, I cannot do it. You schedule basically ten percent of the resources for security; I believe that is too little. Too little. Ten percent of the resources. It should have at least 20 percent. So here we're talking about the entire system now. If your entire system cost is one, they should give security 20 percent. Otherwise, you cannot do it. That's what I think. I don't know what you're thinking. You're thinking you can do it with ten percent of the resources?

>>: Are there any other questions? Let's thank Guang.