PhD Dissertation Defense

A Study on Cryptographic Protocols for RFID Tags

PhD candidate: Dang Nguyen Duc
Advisor: Prof. Kwangjo Kim
Information and Communications Engineering, KAIST
1st December, 2009
Cryptography and Information Security Lab @ KAIST

Contents

I. Introduction
  1.1. Overview
  1.2. What is RFID?
  1.3. RFID: Security Threats & Requirements
  1.4. Cryptographic Primitives
  1.5. What Do Cryptographers Do?
II. HB*: Lightweight Authentication Protocol Secure Against MIM
  2.1. LPN Problem
  2.2. HB Protocol
  2.3. HB+ Protocol
  2.4. Man-in-the-middle Attack on HB+
  2.5. HB* Protocol
III. Preventing DoS Attacks in RFID Authentication Protocols
  3.1. Privacy vs Performance
  3.2. OSK Protocol
  3.3. O-FRAP and O-RAP Protocols
  3.4. DoS Attack on O-FRAP and O-RAP
  3.5. O-FRAP+ and O-RAP+ Protocols
IV. Scalable Grouping-Proof Protocol for RFID Tag
  5.1. Previous Grouping-Proof Protocols
  5.2. Scalability Issues of Previous Protocols
  5.3. Security Definition
  5.4. Scalable Construction from (n, n)-Secret Sharing
V. Conclusion
VI. Future Work
Publications

I. Introduction – Overview

• The contribution of this thesis is three-fold:
  – HB*: a lightweight authentication protocol
    • Secure against man-in-the-middle attack.
  – Defending some RFID authentication protocols against DoS attack
    • Two-phase Authentication
  – Grouping-proof protocol for RFID tags
    • Scalability issues of previous protocols
    • Proper security definition
    • A scalable construction based on (n, n)-secret sharing

I. Introduction – What is RFID? (1/2)

[Figure: tags T1, T2, …, Ti, …, Tn in range of a Reader that is connected to a Backend Database]

RFID – Radio Frequency Identification

Each RFID tag emits a unique number (EPC) that serves as the identity of the tagged item, whose information is stored in the back-end database.

I. Introduction – What is RFID? (2/2)

A typical application of RFID: automatic supply chain management.

A typical RFID tag costs about 5 cents.

I. Introduction – RFID Security Threats (1/3)

[Figure: a Malicious Reader scanning tags T1, T2, …, Ti, …, Tn]

Malicious readers scan legitimate tags to collect EPC numbers in order to make cloned tags.

Cloned tags can be placed on counterfeit items (goods, passports, driving licenses, etc.).

I. Introduction – RFID Security Threats (2/3)

(Figure credit: Ari Juels)

Privacy invasion #1: malicious readers can scan tagged items carried by end-users.

Privacy invasion #1: malicious readers can use the unique EPC to track a user's movements / build preferences.

I. Introduction – RFID Security Threats (3/3)

[Figure: legitimate tags and cloned tags all answering a Reader that is connected to a Backend Database]

Large-scale deployment of legitimate and cloned tags can overwhelm/abuse the server's computational resources.

I. Introduction – RFID Security Requirements

• A secure RFID system should provide:
  – Mutual authentication between tag and reader
    • Prevent EPC harvesting & cloned tags
  – Privacy protection of end-users
    • No tracking possible
  – Resistance against DoS
    • Filter out unwanted data as early as possible
  – Key Exchange
    • Share a session key to securely transmit data (EPC) between tag and reader

We need to integrate cryptographic protocols into RFID (especially between tag and reader).

I. Introduction – Cryptographic Primitives (1/4)

• All of the security threats to RFID are well-studied issues in cryptography. Why new?
  – The computational capability of an RFID tag is extremely limited.
  – Public-key cryptography and block ciphers are beyond the capacity of low-cost tags (passive tags).
  – Pseudo-random number generators, pseudo-random functions and hash functions (lightweight primitives) are our main tools.

I. Introduction – Cryptographic Primitives (2/4)

• Cryptographic hash function h(.):
  – Compression: h : {0, 1}* {0, 1}^n, n = 128 or more.
  – Pre-image resistance: Given h(x), hard to find x
  – Second pre-image resistance: Given x1, hard to find x2 such that h(x1) = h(x2)
  – Collision resistance: Hard to find any pair (x1, x2) such that h(x1) = h(x2)
• Practical cryptographic hash functions
  – SHA-1, MD5 (soon to be replaced by SHA-3)
  – Most hash functions are easy to implement on low-cost hardware

I. Introduction – Cryptographic Primitives (3/4)

• Pseudorandom Number Generator (PRNG):
  – Random expansion: from a random seed to a longer random string
    PRNG : {0, 1}^n {0, 1}^(n+m)
  – Lightweight implementation by using LFSR or block ciphers.
• Pseudorandom function (PRF)
  – No random seed needed: take anything and output a random string
    PRF : {0, 1}* {0, 1}^n
  – Lightweight implementation by using PRNG, block ciphers, etc.

I. Introduction – Cryptographic Primitives (4/4)

• Message Authentication Code (MAC):
  – Requires a secret key shared between sender and receiver:
    MAC : K M
  – Origin of a message can be verified: compute the MAC and compare it with the received one
  – Lightweight implementation
    • Adding a secret key to a hash function (HMAC)

(Figure credit: Wikipedia)

I. Introduction – Cryptographer’s Job (1/2)

• Two jobs of a cryptographer:
  – Designing secure systems.
  – Verifying security properties of claimed-to-be-secure systems.
• Verification of security properties: “Scheme A is secure”
  – We need to define what we mean by “secure” (security definition)
  – We need to quantify “secure” (security analysis)

I. Introduction – Cryptographer’s Job (2/2)

• Provable Security and Reductionism:
  – Hard to measure “security quantity” directly
    • Reducing breaking security to doing something else that is believed to be hard

[Figure: two reduction chains. First: “Breaking Security of A”, “Polynomial-time Reduction”, “Solving Hard Problem”. Second: “Breaking Security of A”, “Polynomial-time Reduction”, “Breaking Security of B”]

I. Introduction – Authentication Protocol

• Authentication
  – Process of verifying an object’s identity
• Authentication factors
  – Something the object knows: pre-shared secret
  – Something the object has: digital certificate

[Figure: Challenge-response Authentication Protocol between Prover and Verifier, with messages “Random challenge” and “Response”]

I. Introduction – Notation

II. HB* Protocol – LPN Problem (1/2)

• Binary inner-product between two k-bit values a and x:
  B(a, x) = a x = (a_0 x_0) (a_1 x_1) … (a_(k-1) x_(k-1))
  – Very easy to implement on low-cost hardware
  – 4-bit buffer memory is sufficient
• Is it useful for cryptography?
• Maybe; it has been used to construct a (theoretical) PRNG (hard-core bit)
• For more cryptographic applications, where is the hard problem?

II. HB* Protocol – LPN Problem (2/2)

• LPN (Learning Parity with Noise) problem:
  • Well-known problem in machine learning

[Figure: a hidden value x and samples a x, a2 x, a3 x, …, an x, shown as noise-free data and as noisy data]

LPN: Compute x from noisy sampled data?
NP-Complete problem: best algorithm takes 2^O(k/log k)
LPN problem implies pseudo-randomness: (a, B(a, x) v) appears as a (k+1)-bit random string

II. HB* Protocol – HB Protocol (1/2)

• HB Human Authentication Protocol:
  – Secure against a passive adversary, i.e., one that only eavesdrops on the communication channel between Human and Computer.

[Protocol diagram]
H (k-bit secret x, ): {0, 1 | Prob[ = 1] = }; z = (a x)
C (k-bit secret x, , ): a R {0, 1}^k; check if z = a x
Messages: a, z

Repeat the above step q times (possibly concurrently). Accept only if C receives about q incorrect responses from H.

A collection of (a, z) forms an instance of the LPN problem.

HB suffers from the so-called incompleteness problem, as the criterion “about q incorrect responses” is not well defined.

II. HB* Protocol – HB Protocol (2/2)

• Is HB suitable for RFID Tags?
  – No, the secret key is leaked if C is malicious (not a problem if H is a human, but it is for an autonomous device).
[Protocol diagram]
Tag (k-bit secret x, ): i {0, 1 | Prob[ = 1] = }
Malicious Reader: a = a1 = a2 = … = ak
Tag's responses z1, z2, …, zk: z1 = (a x) 1, z2 = (a x) 2, …, zk = (a x) k

As there are more correct responses than incorrect ones, C’ can easily obtain the error-free equation a x = z.

II. HB* Protocol – HB+ Protocol

• HB+ by Juels and Weis
  – Secure against active adversaries, i.e., the adversary can pretend to be a reader.

[Protocol diagram]
Tag (k-bit secret x and y, ): b R {0, 1}^k; {0, 1 | Prob[ = 1] = }; z = (a x) (b y)
Reader (k-bit secret x and y; ): a R {0, 1}^k; verify z = (a x) (b y)
Messages: b, a, z

Repeat the above step q times (possibly concurrently). Accept only if about q responses of Tag are incorrect.

HB+ also has the incompleteness problem.

II. HB* Protocol – GRS MIM Attack on HB+

• HB+ is insecure against man-in-the-middle attack

[Protocol diagram]
Tag (k-bit secret x, y; ): b R {0, 1}^k; {0, 1 | Prob[ = 1] = }; z’ = (a’ x) (b y)
Reader (k-bit secret x, y): a R {0, 1}^k; check if z’ = (a x) (b y)
Messages: b, a, a’ = a , z’

If authentication succeeds, it is likely that (a’ x) (b y) = (a x) (b y) , but (a’ x) = (a ) x = (a x) ( x), therefore x = 0. Otherwise, x = 1.

If the attacker uses k linearly independent ’s, it can calculate x using Gaussian elimination.

II. HB* Protocol – HB* Protocol (1/4)

• The HB protocol family is one of the most interesting protocol families for low-cost devices
  – Very efficient (no hash, no block cipher)
  – Security is based on a well-studied hard problem (LPN problem)
• In this thesis, I propose HB*
  • A variant of HB+ secure against MIM attack.
  • Can be used to exchange a session key.
  • 2-round (challenge-response) instead of 3-round in the case of HB+
  • Twice the size of secret keys.

II. HB* Protocol – HB* Protocol (1/4)

• Why the man-in-the-middle attack works on HB+
  – Binary inner-product is linear
  – x is always associated with challenge a (and y with b) for no particular reason.
• My approach to prevent the GRS MIM attack:
  • Secretly swap the roles of x and y when computing the response z.
  • Introduce two new secret keys r and t to decide how the response z should be (secretly) computed and verified.

II. HB* Protocol – HB* Protocol (2/4)

[Protocol diagram]
Tag (k-bit secret x, y, r, t):
  b R {0, 1}^k; ’ R {0, 1}
  w’ = (b t) ’
  If ’ = (a r) w: z = (a x) (b y)
  Otherwise: z = (b x) (a y)
Reader (k-bit secret x, y, r, t):
  a R {0, 1}^k; R {0, 1}
  w = (a r)
  If = (b t) w’: check if z = (a x) (b y)
  Otherwise: check if z = (a y) (b x)
Messages: a, w; b, w’, z

Repeat the above step q times. Accept only if all responses from Tag are correct.

No noise is applied to z.

II. HB* Protocol – HB* Protocol (3/4)

• HB* is secure against the generalized GRS man-in-the-middle attack if secret keys are chosen carefully
• Observe that, under the assumption that LPN is hard:
  – Tag and Reader securely exchange two bits via (b, w’) and (a, w)
  – Furthermore, (b, w) and (a, w’) come from a single entity, and are therefore inherently secure against man-in-the-middle attack
  – The original GRS attack does not work, since the attacker does not know which secret key (x or y) is associated with a.
• Observe that the attacker can only learn useful information about bits of x and y by modifying bits at the same position of a and b:
  • The attacker learns useful information only when x_i = y_i = r_i = t_i = 0.
  • We can prevent the attack by choosing secret keys so that the above case is avoided.

II. HB* Protocol – HB* Protocol (4/4)

• Comparison

HB* can be used as an implicit key exchange protocol such that in each round the tag and reader share 1 secret bit ( ’).

III. RFID and DoS Attack – Privacy vs Performance

• No privacy protection (Class-1 Gen-2 Spec) – except kill tags
  • Tag always backscatters its unique EPC number
  • Good for performance: easy to look up the tag in the DB
• Privacy protection (many protocols, not HB+ and HB*):
  • Tag backscatters a different EPC (pseudonym) for every session.
  • Bad for performance: how to look up the tag if the EPC always changes?
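The HB* round from the "HB* Protocol (2/4)" slide, together with the key-selection condition from slide (3/4), as an added Python example (not code from the thesis). It assumes the operators lost from the slide text are the binary inner product and XOR; the names `gamma` and `gamma_p` for the two secretly exchanged selector bits, and the value of `K`, are this example's own.

```python
import random
import secrets

K = 32                      # bit length of each secret (constructed; slides say "k-bit")
MASK = (1 << K) - 1

def dot(u, v):
    """Binary inner product of two K-bit values held as ints (assumed operator)."""
    return bin(u & v).count("1") & 1

def no_weak_position(keys):
    """True if no bit position has x_i = y_i = r_i = t_i = 0 (slide 3/4)."""
    x, y, r, t = keys
    return (x | y | r | t) == MASK

def keygen(rng):
    """Rejection-sample four K-bit secrets x, y, r, t that avoid the weak case."""
    while True:
        keys = tuple(rng.getrandbits(K) for _ in range(4))
        if no_weak_position(keys):
            return keys

def reader_challenge(keys, rng):
    _, _, r, _ = keys
    a, gamma = rng.getrandbits(K), rng.getrandbits(1)
    return a, dot(a, r) ^ gamma, gamma        # (a, w) is sent; gamma stays local

def tag_respond(keys, a, w, rng):
    x, y, r, t = keys
    b, gamma_p = rng.getrandbits(K), rng.getrandbits(1)
    w_p = dot(b, t) ^ gamma_p
    if gamma_p == (dot(a, r) ^ w):            # tag recovers the reader's bit
        z = dot(a, x) ^ dot(b, y)
    else:                                     # roles of x and y secretly swapped
        z = dot(b, x) ^ dot(a, y)
    return b, w_p, z                          # no noise is applied to z

def reader_verify(keys, a, gamma, b, w_p, z):
    x, y, _, t = keys
    if gamma == (dot(b, t) ^ w_p):            # reader recovers the tag's bit
        return z == (dot(a, x) ^ dot(b, y))
    return z == (dot(a, y) ^ dot(b, x))

def authenticate(tag_keys, reader_keys, q=64, rng=None):
    """Run q rounds; accept only if every response from the tag is correct."""
    rng = rng or secrets.SystemRandom()
    for _ in range(q):
        a, w, gamma = reader_challenge(reader_keys, rng)
        b, w_p, z = tag_respond(tag_keys, a, w, rng)
        if not reader_verify(reader_keys, a, gamma, b, w_p, z):
            return False
    return True

if __name__ == "__main__":
    rng = random.Random(2009)                 # fixed seed only to make the demo repeatable
    keys = keygen(rng)
    wrong = (keys[0] ^ 1,) + keys[1:]         # tag whose x differs in one bit
    print("genuine tag accepted:  ", authenticate(keys, keys, rng=rng))
    print("wrong-key tag accepted:", authenticate(wrong, keys, rng=rng))
```

Because z carries no noise, a tag holding a wrong key passes each round with probability 1/2, so the all-correct rule over q rounds is what rejects it.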
III. RFID and DoS Attack – OSK Protocol

• OSK Protocol
  • Authentication Token = Hash(Current EPC)
  • Next EPC = Hash(Current EPC)
  • Server scans through the whole DB to identify a tag

III. RFID and DoS Attack – O-FRAP and O-RAP (1/4)

• Optimistic Behavior:
  – Performance is optimal if there is no attack.
• Anonymity:
  – Tag should use a randomly chosen pseudonym for each authentication session. The pseudonym is used to index the tag database (the index is updated regularly)
• Forward-security:
  – Refreshing the secret key after every successful authentication session.
  – But this often leads to de-synchronization of the secret
    • Attacker can block/alter the message so that only either tag or reader authenticates successfully.

III. RFID and DoS Attack – O-FRAP and O-RAP (2/4)

• How to defeat the de-synchronization attack?
  – Server keeps track of two versions of the secret for each Tag: {K_old, K_current}
  – In an authentication session, if Tag uses K_current:
      K_old = K_current
      K_current = K_new
  – If Tag uses K_old, then preserve K_old and let K_current = K_new
• Why don’t we update K_old = K_current?
  – Because an attacker can prevent the tag from updating its key for two successive sessions to cause de-synchronization.

III. RFID and DoS Attack – O-FRAP and O-RAP (3/4)

O-FRAP Protocol

Prev_j = (Secret Key, Pseudonym) of Tag T_j in the previous session
Cur_j = (Secret Key, Pseudonym) of Tag T_j in the current session

III. RFID and DoS Attack – O-FRAP and O-RAP (4/4)

O-RAP Protocol (O-FRAP without updating the secret key: no forward security)

III. RFID and DoS Attack – DoS Attack on O-RAP

• Attacker can cause the Server to search its whole database by sending any invalid pseudonym

III. RFID and DoS Attack – O-RAP+ and O-FRAP+ (1/4)

• Key idea: Two-phase authentication
  – Reader authenticates the tag’s pseudonym first
    • We can use a fixed key to do this.
    • The tag can also use this key to verify the server first and update its secret key and pseudonym (no more de-synchronization)
    • Only tags that pass this first round of verification are passed on to the server.
  – Tags authenticated in the first round are then identified again at the back-end server

III. RFID and DoS Attack – O-RAP+ and O-FRAP+ (2/4)

O-RAP+ Protocol (O-FRAP+ without key updating)

III. RFID and DoS Attack – O-RAP+ and O-FRAP+ (3/4)

• Reducing O-FRAP+ and O-RAP+ to a 3-round protocol:
  – O-FRAP+ can be a 3-round protocol:
    • Tag initiates the protocol first (sending tsys), but this is usually not the case in practice.
  – Indeed, the first message by the server is usually a broadcast message; any tag in range will respond with tsys
    • Once a tag is isolated, the reader can send rsys to start an authentication session.
    • Therefore, O-FRAP+ and O-RAP+ are essentially a 3-round protocol.

III. RFID and DoS Attack – O-RAP+ and O-FRAP+ (4/4)

• Security:
  – O-FRAP+ and O-RAP+ are at least as secure as O-FRAP and O-RAP
• Comparison

IV. Grouping-Proof Protocol – Previous Protocols (1/6)

• Grouping-proof protocols for RFID tags:
  – Generate a proof that multiple tags are present at the time of scanning.
  – For example, tags attached to different parts of a car should stay together.
• Previous protocols:
  – Yoking-Proof and variants
  – Timestamp-based Yoking-Proof
  – Saitoh-Sakurai’s Grouping-Proof

IV. Grouping-Proof Protocol – Previous Protocols (2/6)

• Yoking-Proof:

[Protocol diagram: Verifier, Reader, Tag T1, Tag T2]
Tag T1: choose r1 at random; m1 = MAC_K1[r2]
Tag T2: choose r2 at random; m2 = MAC_K2[r1]
Messages:
  (1) “left proof”
  (2) T1, r1
  (3) “right proof”, r1
  (4) T2, r2, m2
  (4) r2
  (5) m1
  (6) P
P = (T1, r1, m1, T2, r2, m2)

IV. Grouping-Proof Protocol – Previous Protocols (3/6)

• Timestamp-based Yoking-Proof

[Protocol diagram: Verifier, Reader, Tag T1, Tag T2]
Tag T1: choose r1 at random; m1 = MAC_K1[TS, r2]
Tag T2: choose r2 at random; m2 = MAC_K2[TS, r1]
Messages:
  (1) TS
  (2) TS
  (3) T1, r1
  (4) TS, r1
  (5) T2, r2, m2
  (6) r2
  (7) m1
  (8) P
P = (TS, T1, r1, m1, T2, r2, m2)
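Returning to the {K_old, K_current} rule on the "O-FRAP and O-RAP (2/4)" slide of section III, an added Python example (not the protocol authors' code) runs the same blocked-confirmation sequence against that rule and against the always-shift variant the slide rejects. Deriving K_new by hashing the key the tag used, HMAC standing in for the tag's token, and the names `Tag`, `ServerEntry` and `run_sessions` are assumptions of this example.

```python
import hashlib
import hmac

def next_key(k):
    """Assumed update K_new = H(K_used); the slides do not give the function."""
    return hashlib.sha256(b"key-update" + k).digest()

def respond(k, nonce):
    """Tag's authentication token for one session (HMAC stands in for the PRF)."""
    return hmac.new(k, nonce, hashlib.sha256).digest()

class Tag:
    def __init__(self, k):
        self.k = k

    def on_confirmation(self):
        # Runs only when the server's final message actually reaches the tag.
        self.k = next_key(self.k)

class ServerEntry:
    """Per-tag record {K_old, K_current} kept by the server."""
    def __init__(self, k, always_shift=False):
        self.k_old, self.k_cur = None, k
        self.always_shift = always_shift      # True = the variant the slide rejects

    def _matches(self, k, nonce, token):
        return k is not None and hmac.compare_digest(respond(k, nonce), token)

    def authenticate(self, nonce, token):
        if self._matches(self.k_cur, nonce, token):
            # Tag used K_current: K_old = K_current, K_current = K_new
            self.k_old, self.k_cur = self.k_cur, next_key(self.k_cur)
            return True
        if self._matches(self.k_old, nonce, token):
            # Tag used K_old: preserve K_old, only K_current moves.
            k_new = next_key(self.k_old)
            if self.always_shift:
                self.k_old = self.k_cur       # overwrites the key the tag still holds
            self.k_cur = k_new
            return True
        return False

def run_sessions(blocked, always_shift=False):
    """blocked[i] is True when the confirmation of session i never reaches the tag."""
    k0 = hashlib.sha256(b"constructed initial tag key").digest()
    tag, server = Tag(k0), ServerEntry(k0, always_shift)
    outcomes = []
    for i, is_blocked in enumerate(blocked):
        nonce = i.to_bytes(4, "big")          # constructed per-session challenge
        ok = server.authenticate(nonce, respond(tag.k, nonce))
        outcomes.append(ok)
        if ok and not is_blocked:
            tag.on_confirmation()
    return outcomes

if __name__ == "__main__":
    print("two-slot rule:", run_sessions([True, True, False, False]))
    print("always shift: ", run_sessions([True, True, False], always_shift=True))
```

With the slide's rule the tag is still recognised after two blocked confirmations and resynchronises on the next complete session; with the always-shift variant the third session fails because the server no longer holds the tag's key.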
IV. Grouping-Proof Protocol – Previous Protocols (4/6)

• Piramuthu’s protocol

[Protocol diagram: Verifier, Reader, Tag T1, Tag T2]
Reader: choose r at random
Tag T1: choose r1 at random; m1 = MAC_K1[r1, m2]
Tag T2: choose r2 at random; m2 = MAC_K2[r, r1]
Messages:
  (1) r
  (2) T1, r1
  (3) r, r1
  (4) T2, r2, m2
  (5) m2
  (6) m1
  (7) P
P = (r, r1, r2, T1, m1, T2, m2)

IV. Grouping-Proof Protocol – Previous Protocols (5/6)

• Lin et al.’s protocol

[Protocol diagram: Online Verifier, Reader, Tag T1, Tag T2]
Tag T1: m1 = MAC_K1[S]
Tag T2: m2 = MAC_K2[S, m1]
Messages:
  (1) S = SK_x[r, TS]
  (2) S
  (3) T1, m1
  (4) S, m1
  (5) T2, m2
  (6) P
P = (S, T1, m1, T2, m2)

IV. Grouping-Proof Protocol – Previous Protocols (6/6)

• Saitoh-Sakurai’s Protocol

[Protocol diagram: Verifier, Reader, Tag Ti, Pallet Tag]
Tag Ti: mi = MAC_Ki[TS]
Pallet Tag: m1 … mn; CP = SK_K[TS, m1, …, mn]
Messages:
  (1) TS
  (2) TS
  (3) mi
  (4) TS
  (5) Ti, mi
  (6) P
P = (TS, CP)

IV. Grouping-Proof Protocol – Security Issue

• No security model for multiple-tag scanning protocols so far.
  – No security proof for previous protocols.
• Mafia Fraud Attack (Distance fraud)

[Figure: Tag T1, Tag T2, Attacker and Reader, with arrows labelled Challenge, Response, Relayed Challenge and Relayed Response, and the communication range of the reader marked]

IV. Grouping-Proof Protocol – Scalability Issue

• Poor Scalability:
  – Reader has to relay messages from one tag to another one.
  – If there are n tags, a reader needs to relay at least n(n-1) messages.
  – Saitoh’s grouping-proof protocol requires an additional entity (pallet tag), and the reader needs to relay n messages to the pallet tag.

IV. Grouping-Proof Protocol – Security Definition (1/2)

• The goal of the adversary:
  – Inject/replace/remove a tag into/from a valid proof, although the tag is not actually in the communication range of the reader.
• An adversary is active:
  – Access to both tag and reader oracles.
• Reader can be malicious:
  – But it is trusted to execute the protocol correctly.
  – Malicious readers may try to replace a tag in a proof with a different one before reporting the proof to the verifier.

IV. Grouping-Proof Protocol – Security Definition (2/2)

• Experiment for adding a tag into a valid proof:
  – Setup.
  – Adversary queries tag and reader oracles.
  – Adversary can corrupt the reader after a protocol session is terminated.
  – Challenge: n tags (T1, T2, …, Tn) and the corresponding valid co-existence proof .
  – Adversary outputs (T*, *) such that T* is not among (T1, T2, …, Tn) and * is a valid co-existence proof of n+1 tags (T*, T1, T2, …, Tn)
    • Adversary can add one tag to the original proof, but the tag is not in the communication range of the reader.

A grouping-proof protocol is said to be secure if the success probability of the adversary in the above experiment is negligible.

IV. Grouping-Proof Protocol – Proposed Protocol (1/5)

• (n, n)-secret sharing scheme: a dealer splits a secret x into n shared secrets:
  – x can only be recovered if all n shared secrets are provided.
• Applying to grouping-proof:
  – Each tag signs a shared secret (not other tags’ random numbers, to avoid relaying).
  – If the shared secrets can be used to recover a random challenge chosen by the verifier, then the proof is verified.
• A trivial (n, n) secret sharing scheme:
  – A dealer chooses (n-1) random numbers for the first (n-1) shared secrets, y1, y2, …, y_(n-1).
  – The last shared secret y_n = x y1 y2 … y_(n-1).

IV. Grouping-Proof Protocol – Proposed Protocol (2/5)

[Protocol diagram: Verifier, Reader, Tags T1, T2, …, Ti, Ti+1, Ti+2, …, Tn]
Verifier: x at random
Messages between Verifier and Reader: x, P
Reader: pick y0, y1, y2, … and y_(n-1) at random. Compute y_n = y0 y1 y2 … y_(n-1)
Messages between Reader and each Tag Ti: x, yi and Ti, mi
Tag Ti (for T1, T2, …, Tn): mi = MAC_Ki[x, yi]
P = (y0, T1, y1, m1, …, Tn, yn, mn)

Verifier accepts proof P if:
  – MAC is verified
  – x can be reconstructed from y0, y1, y2, …, yn

IV. Grouping-Proof Protocol – Proposed Protocol (3/5)

• No scalability problem.
  – Reader does not relay any messages
  – Verifier maintains a time-to-live on x (instead of sending a timestamp to the reader)
• Comparison

IV. Grouping-Proof Protocol – Proposed Protocol (4/5)

Theorem: Let be the success probability of an adversary attacking the MAC scheme, be the success probability of an adversary attacking the proposed protocol, and l be the bit length of x. We have:

= O( + 2^(-l/2))

  – If the MAC scheme is secure and l is long enough, our proposed grouping-proof scheme is secure.

IV. Grouping-Proof Protocol – Proposed Protocol (5/5)

Proof: distinguish three types of adversary:
  – Type-I adversary: replaces a tag in a valid proof with another tag.
  – Type-II adversary: removes a tag from a valid proof.
  – Type-III adversary: adds a tag to a valid proof.

For the Type-I adversary, let (T*, y*, m*) be the target tag; there are two cases:
  – y* has not been queried to the tag oracle: MAC forger.
  – y* has been queried to the tag oracle: bounded by the birthday paradox w.r.t. the bit length of x, l.

V. Conclusion

• RFID faces serious security threats:
  – Tag cloning.
  – Privacy invasion.
  – DoS attacks.
• I propose three new cryptographic protocols to counter these threats:
  – HB*: lightweight authentication protocol secure against MIM.
  – Two-phase authentication to counter DoS attacks (applied to O-FRAP and O-RAP).
  – Scalable grouping-proof protocol with sound security treatment.

VI. Future Work

• Sound security model for RFID protocols
  – Current models (Vaudenay’s, UC-based) treat reader and server as one entity.
  – Real-world security depends heavily on how much you trust the reader.
  – The reader has to be treated as an indispensable entity in an RFID system, even in a security analysis.
• Impossibility of certain cryptographic tasks for RFID:
  – Grouping-proof protocols with an offline server?
  – Robust interactive key updating?
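The grouping proof built from (n, n)-secret sharing in section IV ("Proposed Protocol (1/5)" and "(2/5)"), as an added Python example (not code from the thesis). It assumes HMAC-SHA256 as the MAC, 16-byte values, and that the reader chooses y_n so that the XOR of y_0 … y_n equals x, following the trivial scheme on slide (1/5); the verifier's time-to-live on x is left out, and all function names are this example's own.

```python
import hashlib
import hmac
import secrets
from functools import reduce

L = 16  # byte length of x and of every share (constructed value)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def tag_mac(key, x, y):
    """Tag T_i's answer m_i = MAC_Ki[x, y_i]."""
    return hmac.new(key, x + y, hashlib.sha256).digest()

def make_group(n):
    """Constructed test group: the verifier's key table and one responder per tag."""
    keys = {f"T{i}": secrets.token_bytes(16) for i in range(1, n + 1)}
    tags = [(tid, lambda x, y, k=k: tag_mac(k, x, y)) for tid, k in keys.items()]
    return keys, tags

def reader_collect(x, tags):
    """Reader side: one (x, y_i) query per tag, nothing relayed between tags."""
    shares = [secrets.token_bytes(L) for _ in tags]      # y_0 .. y_(n-1)
    shares.append(reduce(xor, shares, x))                # y_n closes the XOR to x
    entries = [(tid, y, respond(x, y))
               for (tid, respond), y in zip(tags, shares[1:])]
    return {"y0": shares[0], "entries": entries}         # P = (y0, T1, y1, m1, ...)

def verifier_accepts(x, proof, keys):
    """Accept only if every MAC verifies and y_0 .. y_n reconstruct x."""
    acc, seen = proof["y0"], set()
    for tid, y, m in proof["entries"]:
        key = keys.get(tid)
        if key is None or tid in seen or len(y) != L:    # sanity checks added here
            return False
        if not hmac.compare_digest(m, tag_mac(key, x, y)):
            return False
        seen.add(tid)
        acc = xor(acc, y)
    return hmac.compare_digest(acc, x)

def without_last_tag(proof):
    """Proof with one tag's entry removed (the Type-II case of slide 5/5)."""
    return {"y0": proof["y0"], "entries": proof["entries"][:-1]}

def with_first_tag_renamed(proof, new_id):
    """Proof whose first entry is relabelled as another tag (the Type-I case)."""
    _, y, m = proof["entries"][0]
    return {"y0": proof["y0"], "entries": [(new_id, y, m)] + proof["entries"][1:]}

if __name__ == "__main__":
    keys, tags = make_group(4)
    keys["T9"] = secrets.token_bytes(16)                 # a tag that was not scanned
    x = secrets.token_bytes(L)                           # verifier's random challenge
    proof = reader_collect(x, tags)
    print("valid proof:     ", verifier_accepts(x, proof, keys))
    print("tag removed:     ", verifier_accepts(x, without_last_tag(proof), keys))
    print("tag replaced:    ", verifier_accepts(x, with_first_tag_renamed(proof, "T9"), keys))
    print("stale challenge: ", verifier_accepts(secrets.token_bytes(L), proof, keys))
```

Removing an entry is caught by the share reconstruction, while replacing a tag or replaying a proof under a different x is caught by the MAC check, which mirrors the two conditions the verifier applies on slide (2/5).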
Publications (1/3)

I. Whitepaper

(1) “Enhancing Security of Class I Generation 2 RFID against Traceability and Cloning”, Dang Nguyen Duc, Hyunrok Lee, and Kwangjo Kim, In Auto-ID Lab Whitepaper Series: Networked RFID Systems and Lightweight Cryptography, Springer Berlin Heidelberg, ISBN 978-3-540-71640-2, pp. 269-277, Nov. 08, 2007.
(2) “Toward Designing Provably Secure Cryptographic Protocols for RFID Tags”, Dang Nguyen Duc, Hyunrok Lee, and Kwangjo Kim, Auto-ID Lab Whitepaper Series, Available at http://www.autoidlabs.org/rssdetail/dir/article/1/322/.

II. Journal

(1) “On the Security of RFID Group Scanning Protocols”, Dang Nguyen Duc and Kwangjo Kim, IEICE Transaction on Information and Communications Systems, Vol. E93-D, No. 3, Mar. 2010.
(2) “Defending RFID Authentication Protocols against DoS Attacks”, Dang Nguyen Duc and Kwangjo Kim, Elsevier’s Journal of Computer Communications (Under Review).
(3) “Security Analysis of A Remote User Authentication Protocol by Liao and Wang”, Dang Nguyen Duc and Kwangjo Kim, Elsevier’s Journal of Computer Standards & Interfaces (Under Review).
(4) “A Secure Lightweight Authentication Protocol Based on Hard Learning Problem”, Dang Nguyen Duc and Kwangjo Kim, Elsevier’s Journal of Computer Standards & Interfaces (Under Review).

Publications (2/3)

II. International Conferences

(1) [SCI-E] "A Forward-Secure Blind Signature Scheme Based on the Strong RSA Assumption", Dang Nguyen Duc, Jung-Hee Cheon, and Kwangjo Kim, In Proc. of ICICS’03, Springer-Verlag LNCS 2836, pp.11-21, Oct.10~13, 2003.
(2) “A New Provably Secure Transitive Signature Scheme”, Dang Nguyen Duc, Zeen Kim and Kwangjo Kim, In the Proceedings of SCIS’05, Jan.25~28, 2005.
(3) “A New Transitive Signature Scheme based on RSA-based Security Assumptions”, Dang Nguyen Duc, Kyusuk Han, Zeen Kim, and Kwangjo Kim, In Proc. of ACNS’05 (Industrial and Short Papers Track), pp.165-175, Jun. 10, 2005.
(4) “Enhancing Security of EPCglobal Gen-2 RFID Tag against Traceability and Cloning”, Dang Nguyen Duc, Jaemin Park, Hyunrok Lee, and Kwangjo Kim, In the Proceedings of SCIS’06, Abstract pp.97, Jan. 17~20, 2006.
(5) “Human Authentication Protocol for Distributed Computing Environment”, Dang Nguyen Duc, and Kwangjo Kim, In the Pre-Proceedings of WISA’06, pp.367-372, Aug. 28-30, 2006.
(6) “A Capability-based Privacy-preserving Scheme for Pervasive Computing Environments”, Divyan M. Konidala, Dang Nguyen Duc, Dong-man Lee and Kwangjo Kim, In Proc. of IEEE PerSec’05, pp.136-140, Mar. 8~12, 2005.
(7) “Securing HB+ against GRS Man-in-the-Middle Attack”, Dang Nguyen Duc, and Kwangjo Kim, In the Proceedings of SCIS’07, Abstracts pp.123, Jan. 23-26, 2007.

Publications (3/3)

II. International Conferences

(8) “How to Exchange Secret on Low-cost Devices”, Dang Nguyen Duc, and Kwangjo Kim, In the Proceedings of TriSAI’08, 2008.
(8) “Security and User Privacy for Mobile-RFID Applications in Public Zone”, Divyan M. Konidala, Dang Nguyen Duc, and Kwangjo Kim, In the Proceedings of TriSAI’08, 2008.
(9) “Open Issues in RFID Security”, Dang Nguyen Duc, Divyan M. Konidala, Hyunrok Lee and Kwangjo Kim, RFID Security and Cryptography 2009 (Invited Paper).
(10) “Grouping-Proof Protocol for RFID Tags: Security Definition and Scalable Construction”, Dang Nguyen Duc and Kwangjo Kim, ACM AsiaCCS’2010 (Under Review).

III. Domestic Conferences

(1) “A Lightweight Key Agreement Protocol Based on LPN Problem”, Dang Nguyen Duc and Kwangjo Kim, In Proc. of CISC-W'07, Vol.17, no.2, pp.709-712, 2007.
(2) “Secure HB+ against Man-in-the-middle Attacks”, Dang Nguyen Duc, and Kwangjo Kim, 2006년도 정보보호학회 동계학술대회, pp. 265-272, 2006.
(3) “2 세대 EPCglobal RFID 규격의 보안 취약성 검토 및 개선 방안 연구”, 박재민, Dang Nguyen Duc, Vo Duc Liem, 서영준, 김광조, 2005년도 충청지부 학술대회 논문집, pp.207~220, 2005.
(4) “A Simple Secure Communication Protocol for RFID Devices”, Dang Nguyen Duc, 박재민, 이현록, 김광조, 2005년 한국정보보호학회 동계정보보호학술대회 논문집, pp.254-259, 2005.

THE END

Thank you!