Neural Cryptography Applied to Key Management Protocol with Mutual Authentication in RFID Systems Macedo Firmino, Gl´aucio B. Brandao, Ana M. G. Guerreiro Department of Computer Engineering and Automation Federal University of Rio Grande do Norte Natal, Brazil [email protected], [email protected], [email protected] Ricardo A. de M. Valentim Federal Institute of Rio Grande do Norte Natal, Brazil [email protected] Abstract sponsible to get tags data and make it available in grapHical interface or data processing systems. Additionally, there RFID (Radio Frequency Identication) is an emerging is usually a back-end database that collects information re- technology, for automatic identication and tracking, to lated to the pHysically tagged objects. provide increased efciency and decrease operating costs in RFID systems are subject to privacy and secure tHreats. industry and supply chain. However, existing international Privacy tHreats occur because tags respond to reader inter- standards not include security specications, which resulted rogation without alerting their owner. Unfortunately, this in appearance of security threats. Many efforts have Been lets unauthorized readers scan tags data, generating two done in this area. However, the key management protocols attacks: snifng and clandestine tracking. Snifng attack proposed are unsafe or impractical for most RFID systems. is when unauthorized readers intercept RFID data. Unre- This paper presents a novel approach of a key management stricted access to tags data can Have serious implications if protocol with mutual authentication for RFID systems. This this data reveal users personal information. Attackers can protocol is an extension of RFID systems for the protocol record tags unique responses, which can be associated witH proposed by Kinzel and Kanter [6], adding to the origi- persons information, and can be use to clandestine tracking nal protocol: a mutual authentication and the denition of attack [9]. frames. Through simulations it was possible to oBserve that Spoong and replay attack are examples of secure the security level of the proposed protocol is a function only threats. Spoong attack is when attackers mimics authen- of the computational resources of the entities in the RFID tic RFID tags by writing appropriately formatted data on system. blank RFID tags. Tag cloning is another kind of spoong attack, which produces unautHorized copies of legitimate RFID tags. WHile, replay attack is when devices intercept 1Introduction and retransmit RFID queries [9]. CryptograpHy witH dynamic keys and autHentication can RFID is a tecHnology for storing, reading, writing and solve these threats. However, eXisting protocols do not managing remote identication data using electromagnetic include cryptograpHic authentication and key management elds. RFID systems are composed by electronic devices mechanisms. Nowadays, there are a number of challenges formed, basically, by an integrated circuit (for signal de- in designing efcient new security mechanisms for RFID modulation and modulation, storage and information pro- systems. First, data transferred over tHe air could be subject cessing) and antenna for signal reception and transmission. to eavesdropping if the transaction is unencrypted. Second, These systems comprise of tags and readers. A tag is re- the demand for low cost tags result in limited resources, sponsible for storage of identication data. It can be in- such as, computing capabilities, storage space and electric corporated in products, animals or people. A reader is re- power supply. Copyright © 2009 by the Institute of Electrical and Electronics Engineers, Inc. All rights reserved. There are two types of cryptography: secret-key cryp- The remainder of the paper is structured as follows. In tograpHy (or symmetric) and public-key cryptograpHy (or section 2 tHe arcHitecture of neural network used in key asymmetric). The secret-key cryptography require less management protocol is explained. The learning process computational resources [11]. By this reason the secret-key and simulations results, necessary to evaluate of neural net- are more suitable for embedded systems such as RFID sys- work performance, can be found tHere, too. THe new key tems. THere are efcient and appropriate secret-key ciphers management protocol is presented in section 3. Finally, sec- for RFID [2] [5]. However, key management is one prob- tion 4 presents the conclusions and future works. lem in tHese systems. In secret-key systems, to make the system safe, eacH pair reader/tag should share a different 2NeuralCryptography secret key. THen, reader needs to keep all tHese different keys for all tags. Moreover, tHe fact tHat tHis key is specic An articial neural network (ANN) is formed by a par- for each tag leads to a paradox. The tag should inform to the allel distributed processor made up of simple processing reader an identier, so the reader can get the encryption key. units, called neurons. The ANNs have a function of stor- The privacy in this case is unachievable, because attackers ing eXperimental knowledge acquired in its environment may also obtain this identier, and use in clandestine track- througH a learning process [3]. ing or replay attacks. On the other Hand, if the reader does The manner which the neurons of a neural network are not know the tag, it cannot nd tHe encryption key. structured, called architecture, is linked with the learning In the work of Avoine and Castelluccia [1], a key eX- algoritHm used to train tHe network. There is one type of change protocol is presented. The usage of tHis protocol is architecture, called multilayer feedforward, where tHe neu- based on the use of special tags called noisy tag. These tags rons are organized in several layers. This architecture is generate noise on tHe public channel between tHe reader and composed of an input layer responsible to provide data, one the queried tag, sucH that an eavesdropper cannot differenti- or more hidden layers that are used to eXtract high-order ate the messages sent by the queried tag from the ones sent statistics and the output layer tHat constitutes tHe overall re- by tHe noisy tag, but the reader could subtract tHe noise and sponse of tHe network. Kinzel and Kanter [6] dened an ar- recover tHe signal. In this solution is necessary to insert a chitecture for multilayer feedforward neural network called new component in tHe system and procedures to ensure tHat tree parity macHine, sHown in Figure 1. THe use of this neu- attackers do not nd tHe noise. Moreover, if tHe noise is ral network in the process of generating the key is called constant tHis approach does not prevent replay attacks and neural cryptography. clandestine tracking. If tHe system uses dynamic noises, tHe management is eXtremely compleX. Jeng et al. [4] proposed a novel protocol for tHe distribu- tion of keys based on generic binary tree. THe components excHangeindex for a data structuretHat contains secret keys. The problem with this approach is the difculty in manage- ment wHen used witH dynamic keys. Lei et al. [7] proposed anewprotocolforautHenticationwitHdistributionofkeys, using: autHentication identier for each tag, sHared keys, function XOR and Hash. However, tHis technique does not use dynamic keys. Figure 1. The tree parity machine architec- Kinzel and Kanter [6] sHowed that two neural networks ture. could be trained mutually until their weigHts become iden- tical. THis syncHronization ability of neural networks can be used in key management protocols. Wallner and Volk- Kinzel and Kanter [6] sHowed how two tree parity ma- mer [12] investigated a solution in Hardware using tHis neu- chines can produce a common secret key by exchanging bits ral structure in establishment of keys and cipHer algorithm over a public cHannel. For tHis, consider two partners tree in RFID. But authors did not create any key management parity machines (A and B), that are trained, received iden- and autHentication protocol, which could lead to security tical input vector and the output of their partner. At the end threats. of synchronization process, tHe synaptic weights of the two In tHis paper we propose a new key management proto- networks are identical. col with mutual authentication for RFID systems. This pro- In each instant of time they receive common inputs and tocol is an eXtension for the protocol proposed by Kinzel excHange tHeir outputs. Using discrete weigHts and inputs, and Kanter [6], adding to tHe original protocol: a mutual the learning rule leads to syncHronization in a nite num- authentication and the denition of frames. ber of steps and stay synchronized although tHey change in 2 time. Algorithm 1 Neural cryptograpHy learning process The Hidden layer consists of k neurons. Each one has n 1: The network weights are initialized randomly; inputs. All input values are binary, 2: repeat 3: Inputs are generated; xi,j ∈{−1, 1}, (1) 4: The networks output are calculated; 5: The networks output are exchanged; and the weights, wHicH denes the mapping from input to 6: if outputs of botH networks are equal then output, are discrete numbers between −l and +l, 7: The weights of Hidden neurons tHat have σi = τ are modied using the learning rule; w l, l ,...,l , (2) i,j ∈{− − +1 } 8: end if where tHe indeX i =1,...,kdenotes tHe i-tH Hidden unit and 9: until the weigHts are syncHronized j =1,...,nthe elements of input vector. The number of weights is Various attacks on key eXcHange protocol based on syn- Nw = kn. (3) chronization of tree parity machine were analyzed in Mis- lovaty et al. [8] and Ruttor [10]. The protocol was sHown to The output (σi)oftHei-tH Hidden unit is the dene, be secure against them. Furthermore, Ruttor [10] shows tHat k =3is the optimal cHoice for cryptograpHic application of n neural synchronization. Thus tHe partners can archive any σi = sgn # wi,j xj , (4) desired level of security by changing l.THesystemisse- j=1 cure when l →∞[10].