RFID Authentication Mini-Project report
Written by Roi Tzaig & Moria Damri
Introduction and theory
RFID – Radio Frequency Identification is a technology for tagging using radio waves.
A RFID tag is a small electronic device, supplemented with an
antenna that can transmit and receive data. The RFID
technology is designed for unique identification of different
kinds of objects.
RFID systems usually contain three parts:
1. Tag – a microchip that can send and receive data
(messages).
2. Verifier – interfacing with the Tag, the Verifier can
read/write data and sends messages to access the Tags data.
3. Data base – a small amount of memory that uses as a data base that can be
changed.
Limitations of RFID systems
Limits of RFID systems are very important. These systems were designed to be low
cost in order to enable mass production. Broadcast range is limited to a few meters,
therefore the Tag and the Verifier must be sufficiently close Due to their small size
the RFID systems have a limited computational power, and limited memory.
Hence, we can conclude that a "heavy" encryption algorithm can not be used by RFID
systems. There for we need a simple, low cost encryption protocol that is based on
hardware efficiency that will be embedded in the RFID existing systems.
The goal of this project is to show the efficiency and empirically prove the
theoretic claims upon the protocols AP1 Ungeleralized/Generalized,
AP 2 Ungeleralized/Generalized and AP 2 written by professor Shlomi Dolev
Typical scenario
Let us think of a typical scenario, in which an alarm car uses RFID system to
communicate between the remote control (the Tag) and the car alarm system (the
Verifier), farther more a thief (an Adversary) may or may not listen to the
communications.
The scenario is as follows:
The Tag (remote control) sends an encrypted request to the Verifier (car) to
open the car. The car processes and decrypts the request and composed an answer, if
the request is genuine then "Open" message is sent back. If it is not, a "DoNotOpen"
message is sent. The thief may or may not listen to the communications, and based on
them compose a false message that will be sent to the car in order to get an "Open"
message back.
The adversary model
The adversary has a few basic assumptions:
1. The adversary is weaker than the one in standard cryptography.
2. The adversary is Byzantine, it tries to harm the system as well as break in it.
3. One out of n consecutive communications the adversary does not listen.
Si The adversary does not listen
i 1  i  n 
S1 , Si 1 ,Si+1 , Sn The adversary listen
4. (Generalizing 3) k out of n consecutive communications the adversary does
not listen.
Every n consecutive communications are atomic, meaning, the adversary cannot
modify part of the communication in a session.
AP1 Ungeneralized Protocol
(Adversary does not listen to one out of n consecutive communications)
Protocol for RFID Tag Ungeneralized
Protocol for RFID Verifier Ungeneralized
1: Initialization:
2: Create int array ARV [1..n]
3: int i := 1;
4: Upon user request
5:
keyentry = n − (i − 1) mod n
6:
Create new random array LRV
7:
Send s = (ARV [keyentry], LRV)
8:
to Verifier
9:
If Open received
10:
Call Updating procedure
11: End user request
1: Initialization:
2: Create int array ARV [1..n]
3: int i := 1;
4: Upon reception of key message
5:
keyentry = n − (i − 1) mod n
6:
s = (X,LRV)
7:
if X = ARV [keyentry]
8:
Send Open and
9:
Call Updating procedure
10:
else Send DoNotOpen
11: End of key message reception
u1: Updating procedure
u2: ARV [keyentry] = 0
u3: for j =1 to n
u4:
ARV [j] = ARV [j] xor LRV [j]
u1: Updating procedure
u2: ARV [keyentry] = 0
u3: for j = 1 to n
u4:
ARV [j] = ARV [j] xor LRV [j]
Overview:
The vector ARV stands for accumulated random vector and it is known to both the
Tag and the Verifier. The integer i marks the current request index and keyentry is
calculated in such a way that it is a legal index of ARV entry and with every
increment of i it is incremented as well with modulo n.
When the Tag sends a request, it composes a message form the current ARV entry
(ARV[keyentry]) concatenated with a pseudo random generated vector called LRV.
When the Verifier gets the message, it checks if the ARV[keyentry] in the message is
the same as its ARV[keyentry]. If so then an "Open" message is sent to the Tag and a
xor update is preformed on ARV using LRV (update procedure) to both the Tag and
the Verifier. If the ARV[keyentry] in the message is not the same as its
ARV[keyentry] the "DoNotOpen" message is sent and neither the Tag nor the Verifier
updates its ARV.
 Message length is n  1 which is O  n  , so for an entire session (n consecutive
communication) O  n 2  bytes will be transferred.
AP1 Generalized Protocol
(Adversary does not listen to k out of n consecutive communications)
Protocol for RFID Tag
Protocol for RFID Verifier
1: Initialization:
2: Create int array ARV [1..n]
3: int i := 1;
4: Upon user request
5: keyentry = n − (i − 1) mod n
6: Select random 2Log(n) indices
1: Initialization:
2: Create int array ARV [1..n]
3: int i := 1;
4: Upon reception of key message
5: keyentry = n − (i − 1) mod n
6: s = (X, Indices, reducedLRV)
7: if X = ARV [keyentry]
8:
Send Open and
9:
Call Updating procedure
10: else Send DoNotOpen
11: End of key message reception
7: Build reducedLRV form indices
8: Send s = (ARV[keyentry],
Indices, reducedLRV) to Verifier
9: If Open received
10:
Call Updating procedure
11: End user request
u1: Updating procedure
u2: ARV [keyentry] = 0
u3: for j =1 to 2Log(n)
u4:
ARV [reducedLRV[j]] =
ARV [reducedLRV[j]] xor LRV[j]
u1: Updating procedure
u2: ARV [keyentry] = 0
u3: for j =1 to 2Log(n)
u4:
ARV[reducedLRV[j]] =
ARV[reducedLRV[j]] xor LRV[j]
Overview:
Much like in AP1 Ungeneralized protocol this protocol has an ARV vector, i index
and keyentry that function the as before. The LRV vector is replaced by reducedLRV
and Indices which are both vectors with 2 log n entries.
In every request, the Tag randomly selects 2 log n indices of ARVs entries and stores
them in Indices vector, then builds the vector reducedLRV by randomly selecting
2 log n numbers. The tag then composes a message from ARV[Keyentry]
concatenated with Indices and reducedLRV and sets it to the Verifier.
When the Verifier get the message it checks if the ARV[keyentry] in the message is
genuine and if so update only the ARV entries that was selected by the Tag.
 Message length is 2 log n  1 which is O  log n  , so for an entire session (n
consecutive communication) O  n log n  bytes will be transferred.
What is the probability that all ARVs entries will be xored?
 The probability that a certain entry will be xored is equal to the probability that a
2 log n
n
certain entry will be selected, which is
 The probability that the a certain entry will not be selected is 1 
2 log n
n
 The probability that the a certain entry will not be selected for n consecutive
 2 log n 
communications is 1 

n 

n
 Limiting the above probability gives
 2 log n 
2log n
p  1 
 elog n
 e
n 

n


2
 n 2 
1
n2

p
1
n2
 Therefore the probability that at least one entry out of n will not be selected during
n consecutive communications is
1

n2

1
1 1
 n 2 
2
n
n
n
n times
 First conclusion: the probability that all n entries of ARV will be selected, and
therefore xored, is 1 
1
n
 Second conclusion: When increasing n, the probability for full refresh is
increasing.
Results
The following graphs present the result and curve fitting of the amount of full xor
coverage of ARV out of 100 sessions for 2, 4 and 6 bit. The curve fit is for the
B

function y  100  A   , which is the probability function as shown at the beginning
n

where A and B are parameters.
Amount of sessions with full coverage out of 100
number length is 6 bit
100
90
80
70
Data: Data1_bit6
Model: RFID
Chi^2 = 74.16455
A
1.11929
B
1.01851
60
±0.04837
±0.21341
50
40
2
4
6
8
10
12
n
Result summary
Length of
number
A value
A error
B value
B error
6
1.11929
0.04837
1.01851
0.21341
Summary and conclusions
1. Form the result, we can see that the values of A and B are much closed to
the theoretic ones 1.
2. The theoretic value of B, 1, is within the error range in all the experiments.
3. The theoretic value of A, 1, is not within the in error range in all the
experiments, however they are much closed.
4. So, it safe to conclude that the probability for full xor coverage is as
developed before P  1 
1
.
n
5. We can easily see form the graphs that even at n  3 there is a good
coverage, and a better in n  4 (no less the 95% and an average of
97.666%). For larger n 's there isn't any significant improvement.
AP2 Ungeneralized Protocol
Protocol for RFID Tag Ungeneralized
Initialization:
Create int vector array ARV [1..n]
int i := 1; seed := 0
int vector arrays keywords
Protocol for RFID Verifier
Initialization:
Create int vector array ARV [1..n]
int i := 1; seed := 0
int vector arrays keywords
Upon user request:
Create new random array LRV
keyentry = n − (i − 1)mod n
X[keyentry] = ARV [keyentry]
Create pseudo-random sequence
prs of length m from
seed = X[keyentry] xor seed
Y = (LRV ||keyword) xor prs
Send Y to Verifier
If Open received
Call Updating procedure
End user request
Upon key message Y reception
keyentry = n − (i − 1)mod n
Create pseudo-random sequence
prs of length m from
seed = X[keyentry] xor seed
Z = Y xor prs
if Z[(n + 1)..m] belong to keywords
Send Open and
Call Updating procedure
else
Send DoNotOpen
End of key message reception
Updating procedure
ARV[keyentry] = 0
for j = 1 to n
ARV[j] = ARV[j] xor LRV[j]
Updating procedure
ARV[keyentry] = 0
for j = 1 to n
ARV[j] = ARV[j] xor LRV[j[
Overview:
The vector ARV stands for accumulated random vector and it is known to both the
Tag and the Verifier. The integer i marks the current request index and the integer
seed is use for the generation of the prs, the initial seed value is initialized to zero.
The keyentry is calculated in such a way that it is a legal index of ARV entry and with
every increment of i it is incremented as well with modulo n.
When the Tag sends a request, it first create a pseudo random generated vector prs of
length m = n * l +k where k is the keyword length and l is the length in bits of each
ARV vector entry. The current ARV entry (ARV[keyentry]) xor with the old seed is
used as a seed for the generation of the pseudo random sequence prs. The old seed is
updated, (seed=ARV[keyentry] xor seed).
The Tag creates a new vector Y that should be send to the verifier. Y is equal to the
xor of the vector prs with the pseudo random generated vector called LRV
concatenated with the keyword. Y=prs xor (LRV||keyword). Y is then send to the
Verifier.
Because we assume that both the Tag and the Verifier know how to produce the prs
vector, when the Verifier gets the message, he can decrypt the it by calculating Y xor
prs (which is equal to LRV||keyword) and checks if the suffix of the string
(Y xor prs)[n+1..m], is equal to keyword. If yes the Verifier return the message
'Open' to the Tag, else he return the message 'DoNotOpen'.
If the authentication successes, the updating procedure is called, and an update is
preformed on the ARV vector using the LRV vector, in both, the Tag and the Verifier
sides.
The computational security of the AP2 protocol is provided by the random seed
generation in each session.
AP2 Protocol - Resistance against Intruder-in the Middle-Attack
This protocol is an upgrade of previously discussed protocol AP 2 . This protocol can
cope with an intruder in the middle of an attack (IIMA). The Intruder is able to
capture the message, sent by the tag to the verifier, and modify it. Moreover, it should
be stated that such an attack can drive the protocols AP1 and AP 2 to a deadlock!
We relax the assumption about the atomicity of each communication session. In order
to deal with IIMA the message is added with redundant bits and watermark bits while
no cryptographic hash function is used.
The protocol AP 2 - like in AP 2 the encryption key is derived from the basic vector
ARV (ARV[keyentry]). The seed X splits into four independent seeds X 1 , X 2 , X 3
and X 4 which will be used to create pseudo-random sequences.

c1 is used to create the sequence that encapsulates LRV.

c2 is used to create the sequence that encapsulates the redundant bits.

c3 is used to create the sequence that encapsulates the watermark bits.

c3 is used to create a permutation of the message bits -  X 4 .
The message is constructed as follows:

Y   X 4  LRV j || keyword   c1 sequence || r1 ,
, rq   c2 sequence ||  w1 ,
wv 

Let's explain the different parts of the message:
 LRV j || keyword  is generated as in AP 2 , a concatenation of pseudo-random vector
with a keyword. The LRV has n entries each have l bits and the keyword is of length
k . So the total length of this part is m  nl  k , as is c1 sequence so the xor of the
last two also gives m bits.
 r1 ,
, rq  is a sequence of q redundant bits generated as follows: looking at
 LRV j || keyword  as a log  m  dimensions hyper-cube, where every redundant bit
has the value of a parity check on one of the hyper-cube rows/columns.
Dimensions
Visualization
q – number of
parity checks
Calcuation
1
1
 2
4
2
 4
4
12
3
 8
 12
Parity
check
1
1
0
1
Parity checks
2
Parity
checks
3
2
3
1
2
Let us denote the number of dimensions as d  log  m , According to the above table
we get q  d 
 m
d
d 1
 d m
d 1
d
 log  m  
log  m 
m
log  m  1
.
Another way to get q is by considering the hyper-cube as a d dimensions array where
in order to calculate the parity bits we only need a one "running-index" and d 1
"fixed-indices". If the length of every row/column is 2 (indexed 0 or 1) then we have
1
i
d
0 /1
x
0 /1
fixed index
running -index
fixed index
We have d options to select the running-index and 2 options to select the index for
every row, moreover there are d 1 such entries in the array. So, in total, we have
q  d 2
d 1
 d 2
d

d 1
d
 log  m   m
A simpler expression is q 
log  m  1
log  m 
, which is the same as above expression.
1
m log m thus we see that q  O  m log m  .
2
The c2 sequence is of length q as well, and so is their xor result.
The last part is watermark bits  w1 ,
wv  with length of v .
Finally, the permutation generated by x4 seed does not add or remove bits. Thus the
total length of the message is Y  m  q  v .
What is the probability for adversarial success?
 The probability that the adversary will corrupt a watermark while changing the
bits of the original message is  
v
t
 The probability that the adversary will corrupt a bit from the original message
is 1   .
 In order to successfully change the part of the original message, the adversary
has to corrupt at least dmin bits, where dmin is the minimal humming distance
and is equal to log  m   1 .
 From the second and third observations we get that in order for the adversary
to successes, he must change at least dmin bits of the original message.
 So the probability for adversarial success is PA  1   
The above probability can manipulate as follows PA  1   
1      2log1  

log  m 
 1    mlog1  , thus for
1
1
1
3
, PA 
and for   , PA 
.
2m
4m0.415
2
4
d min
d min
.
 1   
log  m  1

Results
The following graphs present the result and curve fitting of the probability for
 A
adversarial success. The curve fit is for the function y 
A log2  B 
, which is the
m
B
probability function as developed above.
The empirical porobability for adversarial success, with alpha = 1/4
0.30
Probability upper bound
Empirical Probability
0.25
Data: Data1_UpperBound.,Data1_P.a.0.25
Model: RFID2
Chi^2 = 0.0001
A
2.97074
±1.73866
B
3.99292
±2.41715
Probability
0.20
0.15
0.10
0.05
0
100
200
300
400
m [bits], the length of the message
500
600
The empirical porobability for adversarial success, with alpha = 1/2
0.035
Probability upper bound
Empirical Probability
0.030
Data: Data1_UpBound.0.5
Model: RFID2
Chi^2 = 9.2925E-7
A
0.9941 ±1.1072
B
1.9963 ±2.28614
Probability
0.025
0.020
0.015
0.010
0.005
0.000
0
100
200
300
400
500
600
m [bits], the length of the message
Result summary

A value
A error
Expected
value
B value
B error
Expected
value
1
4
2.97074
1.73866
3
3.99292
2.41715
4
1
2
0.9941
1.1072
1
1.9963
2.28614
2
Summary and conclusions
1. Form the result, it is clear that PA is bounded by 1   
satisfies the relation PA  1   
d min
d min
, and therefore
.
2. Form the result, we can see that the A and B for both   1 and   1 are
4
2
in the range of the expected value, A  3, B  4 and A  1, B  2
respectively.
3. Therefore we may conclude that the expression for adversarial success is
PA  1   
d min
or as developed above PA  1    m
log 1 
changes dmin bits.
4. The error for   1 is greater then the error of   1 .
4
2
, when the adversary