Cryptography Reference
In-Depth Information
5 On the Traceability of the UCS-RFID
In the previous section, we presented a probabilistic key recovery attack against
the UCS-RFID protocol. We mentioned that according to Figure 3, we need
to have about 90 runs of the protocol to be almost sure that our found keys
are correct. But with less number of protocol run outputs, we still can apply
an attack against the traceability of the protocol. In this section, we formally
investigate the untraceability of the UCS-RFID based on the formal description
in [12].
5.1 Adversarial Model
According to [12], the means that are accessible to an attacker are the following:
We denote a tag and a reader in i th run of the protocol by
T i and
R i , respectively.
- Query( T i ,m 1 ,m 3 ): This query models the attacker
sending a message m 1
to the tag and sending the m 3 after receiving the response.
- Send( R i ,m 2 ): This query models the attacker
A
A
sending a message m 2 to
the Reader and being acknowledged.
- Execute( T i ,R i ): This query models the attacker
executing a run of protocol
between the Tag and Reader to obtain the exchanged messages.
- Reveal( T i ): This query models the attacker
A
A
obtaining the information on
the Tag's memory.
A Passive Adversary ,
A P , is capable of eavesdropping all communications be-
tween a tag and a reader and accesses only to the Execute( T i ,
R i ): .
5.2 Attacking Untraceability
The result of application of an oracle for a passive attack
on
atag T in the run i is denoted by w i ( T ). Thus, a set of I protocol run outputs,
Ω I ( T ), is:
Ω I ( T )=
O P ⊆{
Execute ( . )
}
N ;( N denotes the total set of protocol runs).
The formal description of attacking scenario against untraceability of a protocol
is as following:
1. A P requests the Challenger to give her a target T .
2.
{
w i ( T )
|
i
I
}
; I
A P chooses I and calls Oracle ( T,I,
O P )where
|
I
|≤
l ref
receives Ω I ( T ).
3.
A P requests the Challenger thus receiving her challenge T 1 , T 2 , I 1 and I 2
4.
A P calls Oracle ( T 1 ,I 1 ,
O P ), Oracle ( T 2 ,I 2 ,
O P ) then receives Ω I 1 ( T 1 ), Ω I 2 ( T 2 ).
5.
A P decides which of T 1 or T 2 is T , then outputs her guess T ´.
For a security parameter, k ,if Adv UNT
A P
( k )=2 Pr ( T ´= T )
1 > then we
can say that the protocol is traceable.
For UCS-RFID case, as Figure 3 implies, an adversary
A P needs only to access
to about 40 and 65 consecutive runs of theprotocoltobeabletodetermine n ( j )
with a probability of more than 0.5 (e.g. 0.6) for k =128 and 256 respectively and
then according to section 4.3, she will be able to recover the keys of subsequent
 
Search WWH ::




Custom Search