As Radio Frequency Identification (RFID) technology spreads rapidly into practical applications and the cost of RFID tags continues to fall, RFID research and real-world development have drawn growing attention from industry, government and academia, and enterprises and consumers alike are eagerly awaiting new killer applications. However, as RFID applications permeate people's daily lives, the accompanying system security threats and personal privacy risks lurk quietly around us. In view of this, this dissertation proposes new designs for the information access and authentication mechanisms of RFID systems, aiming to provide both system security and individual privacy protection for RFID applications.

For the backend communication of RFID systems (between the reader owner and the backend server), this dissertation provides six secure access and authentication mechanisms of differing natures. The first authentication mechanism takes elliptic curve cryptosystems as its core design and focuses on the privacy leakage and behaviour tracking problems of the reader user; in the protocol a legitimate pseudonym replaces the identity of the entity, achieving anonymous communication. The second authentication mechanism takes a low-entropy but easily memorised password as the basis of the key material and derives the required session key through a mutual authentication procedure; the security of that key rests on the discrete logarithm problem underlying Diffie-Hellman. In recent years, owing to the high security, widespread adoption and technical practicality of smart cards, smart-card authentication systems have been applied extensively to secure network transmission and to daily life. To strengthen the backend communication of RFID systems, this dissertation proposes two smart-card-based authentication systems. First, for better system performance, we use hash functions and simple bit-level operations to design a lightweight authentication mechanism, which achieves adequate and robust system security. Second, the other scheme adopts a dynamic identity mechanism to protect the privacy of remote users; according to the security and performance analyses presented, this method is well suited to protecting the backend communication of RFID applications and services. Finally, for completeness of the solution, this dissertation examines the feasibility of access control design for two major system models in today's network applications, the multi-server transmission architecture and mobile commerce, and designs a secure authentication mechanism for each of these two architectures.

For the frontend communication of RFID systems (between the reader and the tags), this dissertation proposes four secure access and authentication mechanisms of differing natures. Constrained by the low cost of tags, we first design two authentication protocols for the frontend channel built on a low-cost hash function whose security and computational efficiency were established in [180]; these two methods adopt key auto-update, key redundancy design and process-oriented design respectively to guarantee forward security and resistance to de-synchronization attacks, and the security and performance analyses presented confirm their practicality. Recently, the RFID security community has shifted its research focus to the design of "lightweight and secure" authentication mechanisms, a concept that uses computationally efficient security modules to build secure communication between the reader and the tags. Accordingly, this dissertation proposes an information access control mechanism that conforms to the EPCglobal standard [47], intended as a sound reference for current practice. In addition, we design an ultralightweight authentication mechanism that uses only bit-level operations, so its computational efficiency is well suited to low-cost RFID tags. Driven by particular practical application needs of RFID technology, this dissertation proposes two tag coexistence proof mechanisms; the proofs they generate provide evidence that tags coexisted in a given RFID application, thereby reducing disputes in goods transactions and commodity exchange. Finally, this dissertation proposes a formal attack model for analysing existing RFID authentication protocols and identifies a contradiction between key redundancy design and key independent update.

The design of secure authentication protocols for Radio Frequency IDentification (RFID) systems has been extensively studied in recent years in view of the awareness of individual privacy and the requirement of robust system security. Most previous work assumes that the communication channel between the RFID reader and the backend server is secure and concentrates only on the authentication process between the tags and the reader. However, the future communication environment for RFID systems will be entirely wireless and inherently insecure. Meanwhile, a variety of security threats, privacy violation problems and a heavy computation workload in the authentication process still exist in the RFID system environment. Without novel authentication protocols, securing an RFID system is harder than before. In this dissertation, twelve mechanisms are introduced to support the complex RFID environment of the future and to provide a more efficient and secure authentication process. In addition, we propose a formal analysis model to investigate the security of existing RFID authentication protocols.

The first part of this dissertation presents six authentication protocols which intend to secure the backend communication channel between the reader and the server in RFID systems against major security threats and user privacy disclosure. First, a mutual authentication scheme based on elliptic curve cryptosystems is proposed to defend against the privacy disclosure threat to the RFID reader and its owner. To the best of our knowledge, our scheme is the first RFID authentication protocol to handle the reader owner's privacy with a mutual agreement property. Second, in order to secure the legitimacy of the accessing reader, we introduce three remote user authentication schemes in sequence. The first of these three proposals is password based and can be used to secure the communication between the reader and the server within a hostile network. The other two schemes are built on the use of smart cards. For system efficiency, a lightweight authentication mechanism is introduced first; it adopts only a one-way hash function and the exclusive-or operation to provide system security as well as computational efficiency. A dynamic ID based version is then derived to eliminate the reader owner's privacy threat and to protect his/her authentication trajectories. This proposal is proved secure under the collision resistance of the hash function. Finally, in consideration of important and practical application scenarios in which RFID technology may be deployed in the future, two authentication schemes for multi-server architecture and mobile commerce are developed to support remote user authentication with access capability on multiple servers and in mobile commerce transactions.

To secure the forward communication channel between the reader and the tags, four protocols are proposed to fit the different needs of RFID systems. Because of the restricted computation ability and limited memory space of a low-cost RFID tag, it is very difficult to implement a traditional, complicated but secure authentication cryptosystem on it. For this reason, two computation-efficient mechanisms with robust access control are proposed in which a low-cost hash function [180] is adopted as the underlying security operation module. The corresponding robustness and performance analyses show the practicality of these two schemes. As lightweight cryptosystem modules have been developed by the research community in recent years, the design of lightweight authentication schemes for RFID systems is viewed as a must in the future. Following this trend, we introduce two authentication protocols, one compatible with the EPCglobal Class 1 Generation 2 standard and the other built from ultralightweight computing operators. These two protocols are extremely computation-efficient and suitable for very low-cost tags. In an RFID-tagged world, a mechanism that proves that a group of objects with their corresponding RFID tags appeared at the same time and in the same place can be very useful in various application scenarios. Two coexistence proof protocols are proposed to produce robust evidence of the coexistence of multiple RFID tags. This evidence can be used to settle controversies over tagged merchandise delivery. Finally, we study a general attack on current RFID authentication protocols. Our findings show that most existing RFID authentication protocols cannot provide forward/backward security and resist de-synchronization attacks simultaneously.
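The frontend-channel paragraph above mentions key auto-update and key redundancy as the means of obtaining forward security and resistance to de-synchronization, and the closing finding is that existing protocols struggle to provide both at once. The following toy model, written for this page as an illustration and not taken from the dissertation or any of its protocols, makes that tension concrete: a tag and a backend server share one key, authenticate with nothing but a one-way hash, and roll the key after each run. The server's `keep_previous` flag is the key-redundancy design (the server also retains the key from before its last update); the message layout, the class names `Tag` and `Server`, the helper `run_session`, the nonce sizes and the use of SHA-256 in place of a low-cost tag hash are all assumptions made for the example.

```python
"""Toy model of hash-based RFID mutual authentication with key auto-update.

Added illustration for this page; not the dissertation's protocols. The
message format, names and parameters below are assumptions of this example.
"""
import hashlib
import hmac
import os


def H(*parts: bytes) -> bytes:
    """One-way hash, the only primitive the tag needs (SHA-256 stands in for
    the low-cost hash a real tag would use)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.digest()


class Tag:
    """Low-cost tag: holds one shared key and replaces it after a good run."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = b""

    def respond(self, reader_nonce: bytes):
        self.nonce = os.urandom(8)
        return self.nonce, H(self.key, reader_nonce, self.nonce)

    def finish(self, reader_nonce: bytes, confirmation: bytes) -> bool:
        expected = H(self.key, self.nonce, reader_nonce, b"server")
        if not hmac.compare_digest(expected, confirmation):
            return False
        self.key = H(self.key, reader_nonce, self.nonce, b"update")  # key auto-update
        return True


class Server:
    """Backend database. keep_previous=True is the key-redundancy design: the
    key from before the last update is retained so a tag that never saw the
    final message (and therefore did not update) is still recognised."""

    def __init__(self, keep_previous: bool):
        self.keep_previous = keep_previous
        self.db = {}  # tag_id -> [current_key, previous_key or None]

    def enroll(self, tag_id: bytes, key: bytes) -> None:
        self.db[tag_id] = [key, None]

    def authenticate(self, reader_nonce: bytes, tag_nonce: bytes, tag_mac: bytes):
        for tag_id, (cur, prev) in self.db.items():
            for cand in (cur, prev):
                if cand is None:
                    continue
                if hmac.compare_digest(H(cand, reader_nonce, tag_nonce), tag_mac):
                    confirmation = H(cand, tag_nonce, reader_nonce, b"server")
                    new_key = H(cand, reader_nonce, tag_nonce, b"update")
                    self.db[tag_id] = [new_key, cand if self.keep_previous else None]
                    return tag_id, confirmation
        return None, None


def run_session(server: Server, tag: Tag, drop_last_message: bool = False):
    """One protocol run. Returns (server_accepted, tag_accepted, transcript)."""
    reader_nonce = os.urandom(8)
    tag_nonce, tag_mac = tag.respond(reader_nonce)
    tag_id, confirmation = server.authenticate(reader_nonce, tag_nonce, tag_mac)
    transcript = (reader_nonce, tag_nonce, tag_mac)
    if tag_id is None:
        return False, False, transcript
    if drop_last_message:  # adversary blocks server -> tag: server rolls, tag does not
        return True, False, transcript
    return True, tag.finish(reader_nonce, confirmation), transcript


def links_to_stored_key(server: Server, tag_id: bytes, transcript) -> bool:
    """Forward-security check: can a party that later reads the server's
    current state verify an old transcript and so trace the tag's past?"""
    reader_nonce, tag_nonce, tag_mac = transcript
    return any(k is not None and hmac.compare_digest(H(k, reader_nonce, tag_nonce), tag_mac)
               for k in server.db[tag_id])


def scenario(keep_previous: bool) -> dict:
    key = os.urandom(16)
    tag, server = Tag(key), Server(keep_previous)
    server.enroll(b"tag-1", key)
    s1, t1, _ = run_session(server, tag)                            # normal run
    _, _, tr2 = run_session(server, tag, drop_last_message=True)    # de-sync attempt
    linkable = links_to_stored_key(server, b"tag-1", tr2)           # state read after the attack
    s3, t3, _ = run_session(server, tag)                            # does the tag recover?
    return {"first_run_ok": s1 and t1,
            "recovered_after_desync": s3 and t3,
            "old_session_linkable": linkable}
```

With `keep_previous=True` the tag survives the dropped final message, but the very key kept for that recovery is the one that verifies the previous session's transcript, so anyone who later reads the server state can link that session to the tag; with `keep_previous=False` the old transcript is unlinkable but the tag is permanently de-synchronized. This is only the generic trade-off in a simplified model; the dissertation's formal attack model and the specific protocols it examines are not reproduced here.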

Contents
Chinese Abstract
Abstract
Acknowledgements
Contents
List of Figures
List of Tables
Chapter 1 Introduction
  1.1 Background & Motivation
  1.2 RFID System Model
  1.3 Notations
  1.4 Outline of this Dissertation
Chapter 2 Authentication on Backend Channel
  2.1 General Solutions
    2.1.1 An Elliptic Curve Cryptosystems (ECC) Based Mutual Agreement Protocol
    2.1.2 A Three-party Password based Authenticated Key Exchange Protocol
  2.2 SmartCard based Solutions
    2.2.1 An Efficient Remote User Authentication Scheme with Smart Cards
    2.2.2 A Dynamic ID based Remote User Authentication Protocol with Smart Cards
  2.3 Solutions for Specific Environment
    2.3.1 A Remote User Authentication Scheme for Multi-server Environment
    2.3.2 A Novel Authentication Scheme for Mobile Commerce Transactions
Chapter 3 Authentication on Frontend Channel
  3.1 General Solutions
    3.1.1 Mutual RFID Authentication Scheme for Resource-constrained Tags
    3.1.2 Novel RFID Authentication Scheme for Security Enhancement
  3.2 Lightweight Solutions
    3.2.1 An Efficient Mutual Authentication Scheme for EPCglobal Class-1 Generation-2 RFID System
    3.2.2 An Efficient Ultralightweight Authentication Protocol for RFID Systems
  3.3 Investigations for Specific Purposes
    3.3.1 Anonymous Coexistence Proofs for RFID Tags
    3.3.2 New Findings on existing RFID Authentication Schemes against De-synchronization Attack
Chapter 4 Conclusion and Future Work
Bibliography

