Abstract
Given the value of imported counterfeit and pirated goods, the need for secure supply chain management is pertinent. Maleki et al. (HOST 2017) propose a new management scheme based on RFID tags (with 2–3K bits NVM) which, compared to other schemes, is competitive on several performance and security metrics. Its main idea is to have each RFID tag store its reader events in its own NVM while moving through the supply chain. In order to bind a tag’s identity to each event such that an adversary is not able to impersonate the tag’s identity on another duplicate tag, a function with a weak form of unforgeability is needed. In this paper, we formally define this security property, present three constructions (MULTIPLY-ADD, ADD-XOR, and S-Box-CBC) having this security property, and show how to bound the probability of successful impersonation in concrete parameter settings. Finally, we compare our constructions with the light-weight hash function PHOTON used by Maleki et al. in terms of security and circuit area needed. We conclude that our ADD-XOR and S-Box-CBC constructions have approximately \(1/4-1/3\) of PHOTON’s total circuit area (this also includes the control circuitry besides PHOTON) while maintaining an appropriate security level which takes care of economically motivated adversaries.
Notes
1. GE is a metric for comparing the size of hardware implementation regardless of the manufacturing technology.
2. [2] states 64 bits collision resistance, but this is incorrect.
References
OECD/EUIPO: Trade in counterfeit and pirated goods: mapping the economic impact. https://doi.org/10.1787/9789264252653-en
Maleki, H., Rahaeimehr, R., Jin, C., van Dijk, M.: New clone-detection approach for RFID-based supply chains. In: Hardware Oriented Security and Trust. IEEE (2017)
Shen, J., Choi, D., Moh, S., Chung, I.: A novel anonymous RFID authentication protocol providing strong privacy and security. In: Multimedia Information Networking and Security (MINES), pp. 584–588. IEEE (2010)
Ilic, A., Lehtonen, M., Michahelles, F., Fleisch, E.: Synchronized secrets approach for RFID-enabled anti-counterfeiting. In: Demo at Internet of Things Conference (2008)
Dimitriou, T.: A lightweight RFID protocol to protect against traceability and cloning attacks. In: Security and Privacy for Emerging Areas in Communications Networks, pp. 59–66. IEEE (2005)
Bu, K., Xu, M., Liu, X., Luo, J., Zhang, S.: Toward fast and deterministic clone detection for large anonymous RFID systems. In: Mobile Ad Hoc and Sensor Systems (MASS), pp. 416–424. IEEE (2014)
Hsu, C.-H., Wang, S., Zhang, D., Chu, H.-C., Lu, N.: Efficient identity authentication and encryption technique for high throughput RFID system. Secur. Commun. Netw. 9(15), 2581–2591 (2016)
Zanetti, D., Capkun, S., Juels, A.: Tailing RFID tags for clone detection. In: NDSS (2013)
Zanetti, D., Fellmann, L., Capkun, S., et al.: Privacy-preserving clone detection for RFID-enabled supply chains. In: RFID, pp. 37–44. IEEE (2010)
Kerschbaum, F., Oertel, N.: Privacy-preserving pattern matching for anomaly detection in RFID anti-counterfeiting. In: Ors Yalcin, S.B. (ed.) RFIDSec 2010. LNCS, vol. 6370, pp. 124–137. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16822-2_12
Koh, R., Schuster, E.W., Chackrabarti, I., Bellman, A.: Securing the pharmaceutical supply chain. White Paper, pp. 1–19. Auto-ID Labs. Massachusetts Institute of Technology (2003)
EPCglobal: EPC radio-frequency identity protocols generation-2 UHF RFID; specification for RFID air interface protocol for communications at 860 MHz-960 MHz. EPCglobal Inc., November 2013
Juels, A., Weis, S.A.: Authenticating pervasive devices with human protocols. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 293–308. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_18
Simmons, G.J.: Authentication theory/coding theory. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 411–431. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_32
van Dijk, M., Jin, C., Maleki, H., Nguyen, P.H., Rahaeimehr, R.: Weak-unforgeable tags for secure supply chain management. IACR Cryptology ePrint Archive: Report 2017/1221 (2017)
Dworkin, M.J.: Recommendation for block cipher modes of operation: the CMAC mode for authentication. Special Publication (NIST SP)-800-38B (2016)
Guo, J., Peyrin, T., Poschmann, A.: The PHOTON family of lightweight hash functions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 222–239. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_13
Maleki, H., Rahaeimehr, R., van Dijk, M.: SoK: RFID-based clone detection mechanisms for supply chains. In: Proceedings of the Workshop on Attacks and Solutions in Hardware Security (ASHES), pp. 33–41. ACM (2017)
Devadas, S., Suh, E., Paral, S., Sowell, R., Ziola, T., Khandelwal, V.: Design and implementation of PUF-based unclonable RFID ICs for anti-counterfeiting and security applications. In: RFID, pp. 58–64. IEEE (2008)
Tuyls, P., Batina, L.: RFID-tags for anti-counterfeiting. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 115–131. Springer, Heidelberg (2006). https://doi.org/10.1007/11605805_8
Ranasinghe, D., Engels, D., Cole, P.: Security and privacy: modest proposals for low-cost RFID systems. In: Auto-ID Labs Research Workshop (2004)
Tajik, S., et al.: Physical characterization of arbiter PUFs. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 493–509. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44709-3_27
Becker, G.T.: The gap between promise and reality: on the insecurity of XOR arbiter PUFs. In: Güneysu, T., Handschuh, H. (eds.) CHES 2015. LNCS, vol. 9293, pp. 535–555. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48324-4_27
Rührmair, U., Sehnke, F., Sölter, J., Dror, G., Devadas, S., Schmidhuber, J.: Modeling attacks on physical unclonable functions. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 237–249 (2010)
A NVM-Based RFID Scheme
The NVM-based scheme of Maleki et al. [2] implements the following steps:
- Initialization RFID tag: The NVM of the RFID tag is initialized with a sequence of keys \((k^1,k^2,\ldots , k^u)\) and a pointer \(p=1\). The back-end server stores the RFID identity ID together with the sequence of keys.
- Initialization Reader: Each RFID tag reader is initialized with its own key K. The back-end server stores the reader identity together with K.
- Reader Event: The RFID tag is read out by a reader of a supply chain partner:
  1. The RFID tag transmits its ID to the reader.
  2. The reader creates a message m which has the reader identity and time stamp of the event.
  3. The reader computes \(x=MAC_K(m, ID)\). This binds the reader to the event.
  4. The reader transmits (m, x) to the RFID tag.
  5. The RFID tag receives (m, x). This triggers the RFID tag to read a next key \(k^p\) from its NVM and to increment pointer p by 1. Key \(k^p\) is large enough in order to be split up into a first part \(k^{p,0}\) and a second part \(k^{p,1}\). The tag computes the pair \(y^p= (m\oplus k^{p,0}, F_{k^{p,1}}(x))\), where F is a software unclonable function. Since \(k^p\) is unique to the RFID tag, the use of function F binds the RFID tag to the event. The key part \(k^{p,0}\) serves as a one-time pad which prevents traceability.
  6. The RFID tag stores \(y^p\) at the spot where \(k^p\) was stored in NVM.
- Exit: When the tag exits the supply chain, its NVM is read out and communicated to the back-end server. I.e., the internal logic only allows NVM to be read out up to but not including the address pointed at by pointer p. This means that the back-end server receives ID together with \((y^1, \ldots , y^{p-1})\). The ID is used to look up the sequence of keys corresponding to the tag. For each y, this allows the server to first reconstruct the message m, second to extract the corresponding reader identity with key K from its database, third to compute the MAC value \(x=MAC_K(m,ID)\), fourth to evaluate F on x with the appropriate key, and finally to verify that this is part of y. If all checks pass, then the recorded reader events were not impersonated and they can be verified to correspond to a legitimate path through the supply chain. The server will invalidate the tag for future use in its database.
A detailed explanation, security analysis, and discussion of how to make the scheme reliable with respect to misreads and miswrites can be found in [2].
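The reader-event and exit steps above, traced end to end as an added example (not code from the paper or from [2]). HMAC-SHA256 for \(MAC_K\), a truncated HMAC standing in for F (it is not one of the paper's MULTIPLY-ADD, ADD-XOR or S-Box-CBC constructions), the byte sizes, the 4-byte reader identity at the start of m, and all names and sample values are assumptions.

```python
import hashlib, hmac, os

M_LEN, F_LEN = 16, 8  # assumed sizes: message m and output of F, in bytes

def mac(K, m, tag_id):            # x = MAC_K(m, ID); HMAC-SHA256 is an assumption
    return hmac.new(K, m + tag_id, hashlib.sha256).digest()

def F(k1, x):                     # stand-in for F, not one of the paper's constructions
    return hmac.new(k1, x, hashlib.sha256).digest()[:F_LEN]

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def new_keys(u):                  # u pairs (k^{p,0}, k^{p,1})
    return [(os.urandom(M_LEN), os.urandom(16)) for _ in range(u)]

class Tag:
    def __init__(self, tag_id, keys):
        self.id, self.nvm, self.p = tag_id, list(keys), 0  # p is 0-based here
    def reader_event(self, m, x):                          # steps 5 and 6
        k0, k1 = self.nvm[self.p]
        self.nvm[self.p] = (xor(m, k0), F(k1, x))          # y^p overwrites k^p
        self.p += 1
    def exit_readout(self):                                # unused keys stay hidden
        return self.id, self.nvm[:self.p]

def read(tag, reader_id, K, timestamp):                    # steps 1 to 4
    m = reader_id + timestamp.to_bytes(M_LEN - len(reader_id), "big")
    tag.reader_event(m, mac(K, m, tag.id))

def server_verify(tag_id, ys, tag_keys, reader_keys):
    path = []
    for (c, f), (k0, k1) in zip(ys, tag_keys):
        m = xor(c, k0)                                     # undo the one-time pad
        K = reader_keys.get(m[:4])                         # reader identity is m[:4]
        if K is None or not hmac.compare_digest(f, F(k1, mac(K, m, tag_id))):
            return None                                    # event not bound to this tag
        path.append(m[:4])
    return path

def demo():
    readers = {b"RDR1": os.urandom(16), b"RDR2": os.urandom(16)}  # constructed
    tag_id, keys = b"TAG-0001", new_keys(4)
    genuine, clone = Tag(tag_id, keys), Tag(tag_id, new_keys(4))  # clone lacks the keys
    for t in (genuine, clone):
        for ts, (rid, K) in enumerate(readers.items(), start=1000):
            read(t, rid, K, ts)
    return [server_verify(*t.exit_readout(), keys, readers) for t in (genuine, clone)]
```

`demo()` returns the verified reader path for the genuine tag and `None` for a duplicate tag that carries the same ID but not the tag's key sequence.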
A comparison of state-of-the-art schemes over a range of metrics can be found in [18]. Besides being unique in that, unlike any other scheme, the need for persistent online communication or local databases is avoided, the NVM-based scheme also compares well with the most competitive other schemes. The only dimension on which the NVM-based scheme scores negatively is its inability to resist physical attack (where a strong adversary attempts to circumvent the read and write interface in order to clone all the keys stored in NVM). We notice that even though the trace-based scheme [8] can withstand physical attacks, the scheme cannot distinguish between a fake and a legitimate tag, which possibly results in significant financial loss. Current PUF-based schemes [19,20,21] are not secure against physical attack because of recent machine learning modeling attacks [22,23,24]. However, as soon as improved PUF designs resist these modeling attacks, PUF-based schemes will resist physical attacks, as opposed to the NVM-based scheme. Inherent to current PUF-based schemes, they do need persistent online communication. Also, an improved PUF design will likely lead to a higher gate count than the 500–1000 GE for current PUF-based schemes, and this is where the NVM-based scheme performs better as well.
As a final note, Sect. 6 discusses several upper bounds on the collision resistance. Obviously, if the resistance is set to \(2^{-32}\) or \(2^{-64}\), then creating a cloned or fake RFID tag which successfully passes the supply chain becomes very unlikely. In fact too many counterfeit products labelled with fake RFID tags are needed in order to be successful and this makes such an attack economically infeasible. In the introduction we state “An adversary who can circumvent the interface circuitry by means of a physical attack is not considered.” Clearly, the weak link in the NVM-based scheme for high collision resistance will now be its lack of resistance against physical attack.
© 2018 International Financial Cryptography Association
van Dijk, M., Jin, C., Maleki, H., Ha Nguyen, P., Rahaeimehr, R. (2018). Weak-Unforgeable Tags for Secure Supply Chain Management. In: Meiklejohn, S., Sako, K. (eds) Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science(), vol 10957. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58387-6_5
DOI: https://doi.org/10.1007/978-3-662-58387-6_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-58386-9
Online ISBN: 978-3-662-58387-6
eBook Packages: Computer Science (R0)