Neural Applied to Management Protocol with Mutual Authentication in RFID Systems

Macêdo Firmino, Gláucio B. Brandão, Ana M. G. Guerreiro
Department of Computer Engineering and Automation, Federal University of Rio Grande do Norte, Natal, Brazil

Ricardo A. de M. Valentim
Federal Institute of Rio Grande do Norte, Natal, Brazil

Copyright © 2009 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved.

Abstract

RFID (Radio Frequency Identification) is an emerging technology for automatic identification and tracking, used to provide increased efficiency and decrease operating costs in industry and the supply chain. However, existing international standards do not include security specifications, which has resulted in the appearance of security threats. Many efforts have been made in this area. However, the key management protocols proposed are unsafe or impractical for most RFID systems. This paper presents a novel approach to a key management protocol with mutual authentication for RFID systems. This protocol is an extension for RFID systems of the protocol proposed by Kinzel and Kanter [6], adding to the original protocol a mutual authentication and the definition of frames. Through simulations it was possible to observe that the security level of the proposed protocol is a function only of the computational resources of the entities in the RFID system.

1 Introduction

RFID is a technology for storing, reading, writing and managing remote identification data using electromagnetic fields. RFID systems are composed of electronic devices formed, basically, by an integrated circuit (for signal demodulation and modulation, storage and information processing) and an antenna for signal reception and transmission. These systems comprise tags and readers. A tag is responsible for the storage of identification data. It can be incorporated in products, animals or people. A reader is responsible for getting tag data and making it available in a graphical interface or in data processing systems. Additionally, there is usually a back-end database that collects information related to the physically tagged objects.

RFID systems are subject to privacy and security threats. Privacy threats occur because tags respond to reader interrogation without alerting their owner. Unfortunately, this lets unauthorized readers scan tag data, generating two attacks: sniffing and clandestine tracking. A sniffing attack is when unauthorized readers intercept RFID data. Unrestricted access to tag data can have serious implications if this data reveals the user's personal information. Attackers can record a tag's unique responses, which can be associated with a person's information and can be used in a clandestine tracking attack [9].

Spoofing and replay attacks are examples of security threats. A spoofing attack is when attackers mimic authentic RFID tags by writing appropriately formatted data on blank RFID tags. Tag cloning is another kind of spoofing attack, which produces unauthorized copies of legitimate RFID tags. A replay attack is when devices intercept and retransmit RFID queries [9].

Cryptography with dynamic keys and authentication can solve these threats. However, existing protocols do not include cryptographic authentication and key management mechanisms. Nowadays, there are a number of challenges in designing efficient new security mechanisms for RFID systems. First, data transferred over the air could be subject to eavesdropping if the transaction is unencrypted. Second, the demand for low cost tags results in limited resources, such as computing capabilities, storage space and electric power supply.

There are two types of cryptography: secret-key (or symmetric) cryptography and public-key (or asymmetric) cryptography. Secret-key cryptography requires fewer computational resources [11]. For this reason secret-key ciphers are more suitable for embedded systems such as RFID systems. There are efficient and appropriate secret-key ciphers for RFID [2] [5]. However, key management is one problem in these systems. In secret-key systems, to make the system safe, each reader/tag pair should share a different secret key. The reader then needs to keep all these different keys for all tags. Moreover, the fact that this key is specific to each tag leads to a paradox. The tag should inform the reader of an identifier, so that the reader can get the key. Privacy in this case is unachievable, because attackers may also obtain this identifier and use it in clandestine tracking or replay attacks. On the other hand, if the reader does not know the tag, it cannot find the encryption key.

In the work of Avoine and Castelluccia [1], a key exchange protocol is presented. This protocol is based on the use of special tags called noisy tags. These tags generate noise on the public channel between the reader and the queried tag, such that an eavesdropper cannot differentiate the messages sent by the queried tag from the ones sent by the noisy tag, but the reader can subtract the noise and recover the signal. This solution requires inserting a new component in the system, as well as procedures to ensure that attackers do not find the noise. Moreover, if the noise is constant this approach does not prevent replay attacks and clandestine tracking. If the system uses dynamic noise, the management is extremely complex.

Jeng et al. [4] proposed a novel protocol for the distribution of keys based on a generic binary tree. The components exchange an index for a data structure that contains secret keys. The problem with this approach is the difficulty of management when it is used with dynamic keys. Lei et al. [7] proposed a new protocol for authentication with distribution of keys, using an authentication identifier for each tag, shared keys, the XOR function and a hash. However, this technique does not use dynamic keys.

Kinzel and Kanter [6] showed that two neural networks can be trained mutually until their weights become identical. This synchronization ability of neural networks can be used in key management protocols. Wallner and Volkmer [12] investigated a hardware solution using this neural structure for the establishment of keys and as a cipher algorithm in RFID. But the authors did not create any key management and authentication protocol, which could lead to security threats.

In this paper we propose a new key management protocol with mutual authentication for RFID systems. This protocol is an extension of the protocol proposed by Kinzel and Kanter [6], adding to the original protocol a mutual authentication and the definition of frames.

The remainder of the paper is structured as follows. Section 2 explains the architecture of the neural network used in the key management protocol. The learning process and the simulation results, necessary to evaluate the neural network performance, can be found there, too. The new key management protocol is presented in section 3. Finally, section 4 presents the conclusions and future works.

2 Neural Cryptography

An artificial neural network (ANN) is formed by a parallel distributed processor made up of simple processing units, called neurons. ANNs have the function of storing experimental knowledge acquired from their environment through a learning process [3].

The manner in which the neurons of a neural network are structured, called the architecture, is linked with the learning algorithm used to train the network. There is one type of architecture, called multilayer feedforward, where the neurons are organized in several layers. This architecture is composed of an input layer responsible for providing data, one or more hidden layers that are used to extract high-order statistics, and the output layer that constitutes the overall response of the network. Kinzel and Kanter [6] defined an architecture for multilayer feedforward neural networks called the tree parity machine, shown in Figure 1. The use of this neural network in the process of generating the key is called neural cryptography.

Figure 1. The tree parity machine architecture.

Kinzel and Kanter [6] showed how two tree parity machines can produce a common secret key by exchanging bits over a public channel. For this, consider two partner tree parity machines (A and B) that are trained on an identical input vector and on the output of their partner. At the end of the synchronization process, the synaptic weights of the two networks are identical.

At each instant of time they receive common inputs and exchange their outputs. Using discrete weights and inputs, the learning rule leads to synchronization in a finite number of steps, and the networks stay synchronized although they change in
time.

The hidden layer consists of $k$ neurons. Each one has $n$ inputs. All input values are binary,

$$x_{i,j} \in \{-1, 1\}, \tag{1}$$

and the weights, which define the mapping from input to output, are discrete numbers between $-l$ and $+l$,

$$w_{i,j} \in \{-l, -l+1, \ldots, l\}, \tag{2}$$

where the index $i = 1, \ldots, k$ denotes the $i$-th hidden unit and $j = 1, \ldots, n$ the elements of the input vector. The number of weights is

$$N_w = kn. \tag{3}$$

The output ($\sigma_i$) of the $i$-th hidden unit is defined as

$$\sigma_i = \operatorname{sgn}\left(\sum_{j=1}^{n} w_{i,j}\, x_j\right), \tag{4}$$

where

$$\operatorname{sgn}(\zeta) = \begin{cases} 1 & \text{if } \zeta \geq 0 \\ -1 & \text{otherwise.} \end{cases} \tag{5}$$

Then the total output $\tau$ of a tree parity machine is given by the product of the hidden neurons,

$$\tau = \prod_{i=1}^{k} \sigma_i. \tag{6}$$

In the training process, both partners A and B initialize their weight vectors with random numbers. At each time step, a public input vector is generated and the bits $\tau^A$ and $\tau^B$ are exchanged over the public channel. Only if the output bits are identical, $\tau^A = \tau^B$, can the weights be updated. In this case, only a hidden neuron whose output $\sigma_i$ is identical to $\tau$ updates its weights, using the learning rule:

$$w_{i,j} = g(w_{i,j} + x_j), \tag{7}$$

where:

$$g(\zeta) = \begin{cases} \operatorname{sgn}(\zeta)\, l & \text{if } |\zeta| > l \\ \zeta & \text{otherwise.} \end{cases} \tag{8}$$

The synchronization is due to the existence of the absorbing boundaries $-l$ and $l$. If any weight is out of the range $[-l, l]$, the weight is replaced by the limit value $\pm l$ through the function $g(\zeta)$. After some time the two partners are synchronized, $W^A = W^B$, and the training is stopped. Then the common weights can be used as a key to encrypt secret messages. Algorithm 1 summarizes the learning process.

Algorithm 1. Neural cryptography learning process
    The network weights are initialized randomly;
    repeat
        Inputs are generated;
        The networks' outputs are calculated;
        The networks' outputs are exchanged;
        if outputs of both networks are equal then
            The weights of hidden neurons that have $\sigma_i = \tau$ are modified using the learning rule;
        end if
    until the weights are synchronized

Various attacks on protocols based on the synchronization of tree parity machines were analyzed in Mislovaty et al. [8] and Ruttor [10]. The protocol was shown to be secure against them. Furthermore, Ruttor [10] shows that $k = 3$ is the optimal choice for the cryptographic application of neural synchronization. Thus the partners can achieve any desired level of security by changing $l$. The system is secure when $l \to \infty$ [10]. In practice, any desired level of security can be reached by just increasing $l$.

Computational simulations were performed to evaluate the neural network performance. For this, Algorithm 1 was implemented in the C programming language with the GCC compiler.

The average synchronization times with respect to the variable $l$ are shown in Figure 2. In the graph, we can observe that an increase in the safety level (i.e., an increase in the variable $l$) implies an exponential increase in the iterations needed for synchronization.

Figure 2. Average synchronization time as a function of $l$ for $k = 3$ and $n = 32$, obtained in 1000 runs.

While the parameter $l$ directly influences the safety level, the variable $n$ determines the number of generated keys. Figure 3 shows the relationship between the average
synchronization times as a function of $n$ in 1000 samples. The graph shows that an increase in $n$ (i.e., a larger number of generated keys) implies a small increase in the average time needed to obtain synchronization.

Figure 3. Average synchronization time as a function of $n$ for $k = 3$ and $l = 5$, found from 1000 runs.

Based on the data (Figures 2 and 3), and depending on the level of security and the computational resources of the system, the use of neural networks in RFID systems may not be the best solution. An increase in the security level results in an increase in the iterations needed for synchronization, making this protocol slow. Depending on the restrictions of the system, this solution can be adopted.

3 Key Management Protocol with Mutual Authentication

The proposed security protocol is for RFID systems with the following features: tag access is restricted to authorized readers, tags have read/write memory, reader and tag have the same random number generator (based on seeds), and a symmetric encryption algorithm is used. The encryption algorithm can be DES (Data Encryption Standard), 3-DES or AES (Advanced Encryption Standard). The choice of encryption algorithm is related to processing and memory capacity.

The following protocols can be used in conjunction with the access protocols, physical interfaces, CRC (Cyclic Redundancy Check) and data format described in ISO or EPCglobal standards.

The key management protocol defines the messages and data necessary for cryptographic key management with authentication in RFID systems. Both tag and reader use one tree parity machine with the same structure. The parameters $k$, $l$ and $n$ are public.

The tree parity machine used has three neurons in the hidden layer; each neuron has 32 inputs and a weight limit equal to ±127, which results in the generation of 96 weights. Each weight is represented with 8 bits, where the MSB (Most Significant Bit) represents the sign:

$$\mathrm{MSB} = \begin{cases} 1 & \text{if } w_{i,j} < 1 \\ 0 & \text{otherwise,} \end{cases} \tag{9}$$

and the other 7 bits represent the absolute value of the weight. In the synchronization process, the neural network creates a set of 768 bits (6 groups of 128 bits).

To use the proposed protocol it was necessary to create control frames; these frames are shown in Figure 4. Table 1 shows the frames and their respective command codes.

Figure 4. Frames used by security protocol: (a) SYNC, (b) FIN SYNC, (c) ACK SYNC – NACK SYNC and (d) AUTH.

Table 1. Frames and their command codes used in the proposed security protocol.

Frame        Command Code
SYNC         0000
ACK SYNC     0001
NACK SYNC    0010
FIN SYNC     0011
AUTH         0100
Reserved     0101 – 1111

The operation of the protocol is divided into two phases: key generation and authentication. The key generation phase is shown in Figure 5. It begins with the assignment of random values to the weights. The input vector ($X$) is created by the reader at each step, through a seed of 128 bits. The reader uses the frame ACK SYNC to notify the tag of: the seed value ($S$), its output ($\tau^R$), an encrypted sequence of bits
($E_k(ST)$) and an identifier (ID). The encrypted sequence is obtained by encrypting a known variable, called ST. This is necessary for the synchronization test. The identifier has the function of informing the reader and the tag whether the message is a recent message. The variable ID starts at zero and is incremented every time the reader sends a synchronization frame.

Figure 5. Messages used by the proposed security protocol in the key generation phase.

After sending the frame SYNC, the reader triggers a timer and waits for a response from the tag. If the tag does not respond within a certain time limit and the number of attempts has not exceeded a certain value, the reader restarts the synchronization process.

When the tag receives the frame SYNC, it should perform an integrity test. If the messages are received as sent (with no duplication, insertion, modification, reordering, or replay), the tag performs the synchronization test. This test is accomplished through the following steps: the tag uses its first 128 weights as the key to decrypt the $E_k(ST)$ that was received from the reader. If the result is equal to the ST variable previously stored in its memory, the networks are synchronized. Finally, the tag should randomly choose one of the six positions of the weight vector to create a key. Subsequently, it should notify the reader that synchronization was obtained and which IV (Index Vector) of weights will be used to generate the key. The tag should send the frame FIN SYNC to alert the reader.

If the decryption algorithm does not generate the expected result, the tag should use the seed ($S$) in its pseudo-random number generator to create the network inputs ($X$). With this input vector the tag computes its output ($\tau^T$). If the network output is equal to the reader output ($\tau^T = \tau^R$), then the tag should adjust its weights. At the end of the weight update, the tag should notify the reader that the outputs are the same. The tag uses the frame ACK SYNC to notify the reader, with the same ID value received from the reader. If the tag and reader outputs are different, the tag should not adjust its weights and should inform the reader of its output. The tag sends the message NACK SYNC to notify the reader, with the same ID value.

If the reader receives ACK SYNC it should update its weights. The reader will create a new synchronization frame until it receives the frame FIN ACK from the tag. When the reader receives the frame FIN ACK, it must extract the keys of the neural network according to the Index Vector informed by the tag.

At the end of the synchronization, both networks provide the same key for encryption. However, the process of generating keys alone does not guarantee information security. Therefore, any attacker can also synchronize with an authorized device, because the protocol is public knowledge. Thus, to ensure that only authorized entities have access to information, an authentication service is necessary.

The function of the authentication service is to assure the recipient that the message is from the source that it claims to be from [11]. There are several authentication methods, differentiated mainly by the use of secret keys or public keys. Unlike encryption algorithms, in public-key authentication user A sends its message encrypted with A's private key. The recipient of the message uses the public key to verify the message, thus ensuring that only the owner of the private key could have encrypted the message [11]. In secret-key authentication both entities must have a common secret code. In this paper two secret codes are used, called TAK (Tag Authentication Key) and RAK (Reader Authentication Key), as shown in Figure 6.

Figure 6. Messages used by the proposed security protocol in the authentication phase.

The authentication starts with both tree parity machines synchronized. The reader uses the neural network weights as the key to encrypt the variable RAK. The reader sends an authentication frame (AUTH) to the tag. If the tag does not respond within a certain time limit, the reader increases the number of attempts. If this number does not exceed a threshold, the reader sends the AUTH frame again. Otherwise, the reader finalizes the authentication phase.

The tag should decrypt the key field when the AUTH frame is received. If the result is equal to the tag's RAK, the tag learns that the synchronized device is authorized. After that, the tag must be authenticated. For this, the tag should use the neural network weights to encrypt its Tag Authentication Key variable and send it to the reader. The reader receives the AUTH frame, decrypts the key field and verifies the tag authentication. If the received key is valid the tag is certified, finishing the authentication phase.

In the data transmission phase, the reader can continue to
generate random seeds, to feed the artificial neural network, and get different keys for each frame transmitted.

4 Conclusions and Future Works

RFID technology can be applied in many fields, such as access control, equipment tracking, the supply chain, passenger luggage identification, asset management and automated payment, but these applications may result in security and privacy risks. Due to the lack of international standards for security in RFID systems, many researchers have proposed solutions to these security and privacy risks. However, existing key management protocols are insecure or impractical. This paper presents a new approach to securing RFID systems, in which we proposed a new protocol for key management with mutual authentication.

This new protocol uses the neural cryptography technique. This technique uses one neural network, called the tree parity machine, in the process of generating cryptographic keys. Neural cryptography is used because of the existence of its safety analysis in the literature [8] [10]. The contribution of this paper is an extension for RFID systems of the protocol proposed by Kinzel and Kanter [6], adding to the original protocol a mutual authentication and the definition of frames.

Computational simulations showed that the security of neural cryptography is a function only of computational resources. If there is a large capacity of memory and processing, it is possible to create large keys that are difficult to break. Therefore, depending on the level of security and the computational resources, this solution can be adopted.

Future work will consist of power estimations, temporal analysis, adapting our protocol to provide key exchanges in systems with multiple tags, and building a proof-of-concept implementation using an FPGA (Field Programmable Gate Array).

References

[1] G. Avoine and C. Castelluccia. Noisy Tags: A Pretty Good Key Exchange Protocol for RFID Tags. volume 3928, pages 289–299. Springer-Verlag, 2006.
[2] M. Feldhofer, S. Dominikus, and J. Wolkerstorfer. Strong Authentication for RFID Systems Using the AES Algorithm. pages 357–370. 2004.
[3] S. Haykin. Neural Networks: A Comprehensive Foundation. Macmillan, New York, 1994.
[4] A. Jeng, L.-C. Chang, and S.-H. Chen. A Low Cost Key Agreement Protocol Based on Binary Tree for EPCglobal Class 1 Generation 2 RFID Protocol. IEICE Transactions, 91-D(5):1408–1415, 2008.
[5] A. Juels. Minimalist Cryptography for Low-Cost RFID Tags. pages 149–164. 2005.
[6] W. Kinzel and I. Kanter. Neural cryptography. In Proc. of the 9th International Conference on Neural Information Processing, pages 18–22, 2002.
[7] H. Lei, G. Yong, L. Na-Na, and C. Zeng-Yu. A Security-Provable Authentication and Key Agreement Protocol in RFID System. IEEE - WiCom, pages 2078–2080, 2007.
[8] R. Mislovaty, Y. Perchenok, I. Kanter, and W. Kinzel. A secure key-exchange protocol with an absence of injective functions, 2002.
[9] M. Rieback, B. Crispo, and A. Tanenbaum. The Evolution of RFID Security. IEEE Pervasive Computing, 5(1):62–69, 2006.
[10] A. Ruttor. Neural Synchronization and Cryptography, 2007.
[11] W. Stallings. Cryptography and Network Security (4th Edition). Prentice Hall, November 2005.
[12] M. Volkmer and S. Wallner. Lightweight key exchange and based solely on tree parity machines, 2005.
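
The learning process of Section 2 (Algorithm 1, equations (4) to (8)) and the key grouping of Section 3 (equation (9), six 128-bit groups selected by the Index Vector), as a C simulation added to this page; it is not the authors' program. Assumptions: inputs are indexed x_{i,j} as in equation (1), a xorshift32 generator stands in for the shared seeded generator, weight equality is compared directly instead of through the E_k(ST) test, and all function names are illustrative.

```c
#include <stdint.h>
#include <string.h>

#define K 3          /* hidden neurons (k) */
#define N 32         /* inputs per hidden neuron (n) */
#define NW (K * N)   /* Eq. (3): 96 weights */
typedef struct { int l, tau, sigma[K], w[NW]; } tpm_t;

/* xorshift32: reproducible stand-in for the shared seeded generator; not a CSPRNG. */
static uint32_t rng_next(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s;
}

/* Eq. (2): random initial weights in [-l, l]. */
void tpm_init(tpm_t *m, int l, uint32_t *seed) {
    m->l = l;
    for (int q = 0; q < NW; q++)
        m->w[q] = (int)(rng_next(seed) % (uint32_t)(2 * l + 1)) - l;
}

/* Eq. (4)-(6): sigma_i = sgn(sum_j w_ij * x_ij), sgn(0) = 1; tau = product of sigma_i. */
int tpm_output(tpm_t *m, const int *x) {
    m->tau = 1;
    for (int i = 0; i < K; i++) {
        int h = 0;
        for (int j = 0; j < N; j++) h += m->w[i * N + j] * x[i * N + j];
        m->sigma[i] = (h >= 0) ? 1 : -1;
        m->tau *= m->sigma[i];
    }
    return m->tau;
}

/* Eq. (7)-(8): only units with sigma_i == tau move; g() clips at the bounds -l, +l. */
void tpm_update(tpm_t *m, const int *x) {
    for (int q = 0; q < NW; q++) {
        if (m->sigma[q / N] != m->tau) continue;
        int z = m->w[q] + x[q];
        m->w[q] = z > m->l ? m->l : (z < -m->l ? -m->l : z);
    }
}

/* Algorithm 1 between reader r and tag t: returns steps used, or -1 on timeout. */
long tpm_sync(tpm_t *r, tpm_t *t, uint32_t *input_seed, long max_steps) {
    int x[NW];
    for (long step = 1; step <= max_steps; step++) {
        for (int q = 0; q < NW; q++)
            x[q] = ((rng_next(input_seed) >> 16) & 1u) ? 1 : -1;
        if (tpm_output(r, x) == tpm_output(t, x)) { tpm_update(r, x); tpm_update(t, x); }
        if (memcmp(r->w, t->w, sizeof r->w) == 0) return step;  /* simulation shortcut */
    }
    return -1;
}

/* Key group iv (0..5): 16 weights, one byte each; MSB as in Eq. (9), 7-bit magnitude. */
void tpm_key(const tpm_t *m, int iv, uint8_t key[16]) {
    for (int b = 0; b < 16; b++) {
        int w = m->w[iv * 16 + b];
        key[b] = (uint8_t)((w < 1 ? 0x80 : 0x00) | ((w < 0 ? -w : w) & 0x7F));
    }
}

/* Constructed run: 1 if reader and tag derive the same 128-bit key for group iv. */
int demo_keys_match(int l, int iv) {
    uint32_t sr = 0x01234567u, st = 0x89abcdefu, sx = 0x2468ace1u; /* arbitrary seeds */
    tpm_t r, t; uint8_t kr[16], kt[16];
    tpm_init(&r, l, &sr); tpm_init(&t, l, &st);
    if (tpm_sync(&r, &t, &sx, 1000000L) < 0) return 0;
    tpm_key(&r, iv, kr); tpm_key(&t, iv, kt);
    return memcmp(kr, kt, 16) == 0;
}

int main(void) { return demo_keys_match(4, 2) ? 0 : 1; }
```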
