Page 1: A Study on Cryptographic Protocols for RFID Tags

PhD candidate: Dang Nguyen Duc
Advisor: Prof. Kwangjo Kim

PhD Dissertation Defense

Information and Communications Engineering, KAIST

1st December, 2009
Cryptography and Information Security Lab @ KAIST

Page 2: Contents

I. Introduction
  1.1. Overview
  1.2. What is RFID?
  1.3. RFID: Security Threats & Requirements
  1.4. Cryptographic Primitives
  1.5. What Do Cryptographers Do?
II. HB*: Lightweight Authentication Protocol Secure Against MIM
  2.1. LPN Problem
  2.2. HB Protocol
  2.3. HB+ Protocol
  2.4. Man-in-the-middle Attack on HB+
  2.5. HB* Protocol
III. Preventing DoS Attacks in RFID Authentication Protocols
  3.1. Privacy vs Performance
  3.2. OSK Protocol
  3.3. O-FRAP and O-RAP Protocols
  3.4. DoS Attack on O-FRAP and O-RAP
  3.5. O-FRAP+ and O-RAP+ Protocols
IV. Scalable Grouping-Proof Protocol for RFID Tags
  4.1. Previous Grouping-Proof Protocols
  4.2. Scalability Issues of Previous Protocols
  4.3. Security Definition
  4.4. Scalable Construction from (n, n)-Secret Sharing
V. Conclusion
VI. Future Work
Publications

Page 3: I. Introduction – Overview

• The contribution of this thesis is three-fold:
  – HB*: a lightweight authentication protocol
    • Secure against man-in-the-middle attack.
  – Defending some RFID authentication protocols against DoS attack
    • Two-phase authentication
  – Grouping-proof protocol for RFID tags
    • Scalability issues of previous protocols
    • Proper security definition
    • A scalable construction based on (n, n)-secret sharing

Page 4: I. Introduction – What is RFID? (1/2)

RFID – Radio Frequency Identification

[Figure: tags T1, T2, …, Ti, …, Tn in range of a Reader, which is connected to a Backend Database]

Each RFID tag emits a unique number (EPC) serving as the identity of the tagged item, whose information is stored in the back-end database.

Page 5: I. Introduction – What is RFID? (2/2)

A typical application of RFID: automatic supply chain management

A typical RFID tag costs about 5 cents

Page 6: I. Introduction – RFID Security Threats (1/3)

[Figure: tags T1, T2, …, Ti, …, Tn being scanned by a Malicious Reader]

Malicious readers scan legitimate tags to collect EPC numbers and make cloned tags.

Cloned tags can be placed on counterfeit items (goods, passports, driving licenses, etc.)

Page 7: I. Introduction – RFID Security Threats (2/3)

Privacy invasion #1: malicious readers can scan tagged items carried by end-users.

Privacy invasion #2: malicious readers can use the unique EPC to track a user's movements / build a profile of preferences.

@ Ari Juels

Page 8: I. Introduction – RFID Security Threats (3/3)

[Figure: a Reader connected to the Backend Database, surrounded by legitimate tags (T1, T2, …, Tn) and many cloned copies of the same tags (T3, T4, …); legend: cloned tag / legitimate tag]

Large-scale deployment of legitimate and cloned tags can overwhelm/abuse the server's computational resources.

Page 9: I. Introduction – RFID Security Requirements

• A secure RFID system should provide:
  – Mutual authentication between tag and reader
    • Prevent EPC harvesting and cloned tags
  – Privacy protection of end-users
    • No tracking possible
  – Resistance against DoS
    • Filter out unwanted data as early as possible
  – Key exchange
    • Share a session key to securely transmit data (EPC) between tag and reader

We need to integrate cryptographic protocols into RFID (especially between tag and reader).

Page 10: I. Introduction – Cryptographic Primitives (1/4)

• All security threats to RFID are well-studied issues in cryptography. Why anything new?
  – The computational functionality of an RFID tag is extremely limited.
  – Public-key cryptography and block ciphers are beyond the capacity of low-cost (passive) tags.
  – Pseudo-random number generators, pseudorandom functions and hash functions (lightweight primitives) are our main tools.

Page 11: I. Introduction – Cryptographic Primitives (2/4)

• Cryptographic hash function h(·):
  – Compression: h : {0, 1}* → {0, 1}^n, n = 128 or more.
  – Pre-image resistance: given h(x), it is hard to find x.
  – Second pre-image resistance: given x1, it is hard to find x2 ≠ x1 such that h(x1) = h(x2).
  – Collision resistance: it is hard to find any pair (x1, x2), x1 ≠ x2, such that h(x1) = h(x2).
• Practical cryptographic hash functions
  – SHA-1, MD5 (soon to be replaced by SHA-3; MD5 collisions are already practical, so neither should be relied on for collision resistance)
  – Most hash functions are easy to implement on low-cost hardware

Page 12: I. Introduction – Cryptographic Primitives (3/4)

• Pseudorandom number generator (PRNG):
  – Random expansion: from a short random seed to a longer pseudorandom string
    PRNG : {0, 1}^n → {0, 1}^{n+m}
  – Lightweight implementation using an LFSR or a block cipher (an LFSR on its own is linear and therefore predictable from its output; it must be combined with a nonlinear function).
• Pseudorandom function (PRF):
  – Keyed function that maps any input to a pseudorandom string; no per-call seed is needed
    PRF_K : {0, 1}* → {0, 1}^n
  – Lightweight implementation using a PRNG, a block cipher, etc.

Page 13: I. Introduction – Cryptographic Primitives (4/4)

• Message Authentication Code (MAC):
  – Requires a secret key shared between sender and receiver:
    MAC : K × M → {0, 1}^n
  – Origin of a message can be verified: recompute the MAC and compare it with the received one
  – Lightweight implementation
    • Adding a secret key to a hash function (HMAC)

@ Wikipedia

Page 14: I. Introduction – Cryptographer's Job (1/2)

• Two jobs of a cryptographer:
  – Designing secure systems.
  – Verifying the security properties of systems claimed to be secure.
• Verification of security properties: "Scheme A is secure"
  – We need to define what we mean by "secure" (security definition).
  – We need to quantify "secure" (security analysis).

Page 15: I. Introduction – Cryptographer's Job (2/2)

• Provable security and reductionism:
  – It is hard to measure a "security quantity" directly.
  • Reduce breaking the security of the scheme to doing something else that is believed to be hard.

[Figure: "Breaking security of A" ⟹ (polynomial-time reduction) "Solving hard problem"; "Breaking security of A" ⟹ (polynomial-time reduction) "Breaking security of B"]

Page 16: I. Introduction – Authentication Protocol

• Authentication
  – Process of verifying an object's identity
• Authentication factors
  – Something the object knows: pre-shared secret
  – Something the object has: digital certificate

Challenge-response authentication protocol:
  Verifier → Prover: random challenge
  Prover → Verifier: response

Page 17: I. Introduction – Notation

Page 18: II. HB* Protocol – LPN Problem (1/2)

• Binary inner product between two k-bit values a and x:
  B(a, x) = a ⊙ x = (a_0 ∧ x_0) ⊕ (a_1 ∧ x_1) ⊕ … ⊕ (a_{k-1} ∧ x_{k-1})
  – Very easy to implement on low-cost hardware
  – A 4-bit buffer memory is sufficient
• Is it useful for cryptography?
  • Maybe: it has been used to construct (theoretical) PRNGs (hard-core bit).
  • For more cryptographic applications, where is the hard problem?

Page 19: II. HB* Protocol – LPN Problem (2/2)

• LPN (Learning Parity with Noise) problem:
  • Well-known problem in machine learning

[Figure: hidden value x; noise-free data a_1 ⊙ x, a_2 ⊙ x, …, a_n ⊙ x versus noisy data a_i ⊙ x ⊕ ν_i]

LPN: compute x from the noisy sampled data?

NP-complete problem: the best known algorithm takes 2^{O(k / log k)}.

The LPN problem implies pseudo-randomness: (a, B(a, x) ⊕ ν) appears as a (k+1)-bit random string.

Page 20: II. HB* Protocol – HB Protocol (1/2)

• HB human authentication protocol:
  – Secure against a passive adversary, i.e., one that only eavesdrops on the communication channel between Human and Computer.

H (k-bit secret x, η)    C (k-bit secret x, η, q)

  C: a ←R {0, 1}^k
  C → H: a
  H: z = (a ⊙ x) ⊕ ν, where ν ∈ {0, 1 | Prob[ν = 1] = η}
  H → C: z
  C: check if z = a ⊙ x

Repeat the above step q times (possibly concurrently). Accept only if C receives about ηq incorrect responses from H. A collection of (a, z) pairs forms an instance of the LPN problem.

HB suffers from the so-called incompleteness problem, as the criterion "about ηq incorrect responses" is not well defined.

Page 21: II. HB* Protocol – HB Protocol (2/2)

• Is HB suitable for RFID tags?
  – No: the secret key is leaked if C is malicious (no problem if H is a human, but a problem for an autonomous device).

Tag (k-bit secret x, η)    Malicious Reader C'

  C' → Tag: a = a_1 = a_2 = … = a_k (the same challenge, k times)
  Tag → C': z_1 = (a ⊙ x) ⊕ ν_1, z_2 = (a ⊙ x) ⊕ ν_2, …, z_k = (a ⊙ x) ⊕ ν_k
  where ν_i ∈ {0, 1 | Prob[ν_i = 1] = η}

As there are more correct responses than incorrect ones, C' can easily obtain the error-free equation a ⊙ x = z by majority vote; with k linearly independent a's it recovers x.

Page 22: II. HB* Protocol – HB+ Protocol

• HB+ by Juels and Weis
  – Secure against active adversaries, i.e., an adversary that can pretend to be a reader.

Tag (k-bit secrets x and y, η)    Reader (k-bit secrets x and y, η)

  Tag: b ←R {0, 1}^k
  Tag → Reader: b
  Reader: a ←R {0, 1}^k
  Reader → Tag: a
  Tag: z = (a ⊙ x) ⊕ (b ⊙ y) ⊕ ν, where ν ∈ {0, 1 | Prob[ν = 1] = η}
  Tag → Reader: z
  Reader: verify z = (a ⊙ x) ⊕ (b ⊙ y)

Repeat the above step q times (possibly concurrently). Accept only if about ηq responses of the Tag are incorrect.

HB+ also has the incompleteness problem.

Page 23: II. HB* Protocol – GRS MIM Attack on HB+

• HB+ is insecure against a man-in-the-middle attack.

Tag (k-bit secrets x, y; η)    Reader (k-bit secrets x, y)

  Tag → Reader: b ←R {0, 1}^k
  Reader → Tag: a ←R {0, 1}^k; the attacker replaces it with a' = a ⊕ δ (the same δ in every round of the session)
  Tag: z' = (a' ⊙ x) ⊕ (b ⊙ y) ⊕ ν, where ν ∈ {0, 1 | Prob[ν = 1] = η}
  Tag → Reader: z'
  Reader: check if z' = (a ⊙ x) ⊕ (b ⊙ y)
  ……

If authentication succeeds, it is likely that (a' ⊙ x) ⊕ (b ⊙ y) = (a ⊙ x) ⊕ (b ⊙ y); but a' ⊙ x = (a ⊕ δ) ⊙ x = (a ⊙ x) ⊕ (δ ⊙ x), therefore δ ⊙ x = 0.

Otherwise, δ ⊙ x = 1.

Using k linearly independent δ's, the attacker can calculate x by Gaussian elimination.
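The LPN sampling of slides 18–19, the HB+ exchange of slide 22 and the GRS attack of this slide, as an added example written for this page (it is not code from the dissertation). The key length k, noise rate η, round count q and the acceptance threshold are illustrative assumptions; the attacker XORs one δ into every challenge of a session and reads δ ⊙ x off the accept/reject outcome, then solves for x over GF(2).

```python
"""HB+ over GF(2) and the GRS man-in-the-middle attack (added example).

k, eta, q and THRESHOLD are assumptions for the demo, not values from the
dissertation. Messages follow slides 22-23: Tag -> Reader: b, Reader -> Tag: a,
Tag -> Reader: z = (a.x) xor (b.y) xor noise.
"""
import random

K = 32                          # key length k (assumption)
ETA = 0.125                     # noise rate eta (assumption)
Q = 256                         # rounds per authentication (assumption)
THRESHOLD = int(2 * ETA * Q)    # accept if at most this many rounds are wrong (assumption)


def inner(a: int, x: int) -> int:
    """Binary inner product B(a, x): XOR of (a_i AND x_i) over all bit positions."""
    return bin(a & x).count("1") & 1


class Tag:
    """HB+ prover holding k-bit secrets x, y; each answer is flipped with probability eta."""

    def __init__(self, x: int, y: int, rng: random.Random):
        self.x, self.y, self.rng = x, y, rng

    def commit(self) -> int:
        self.b = self.rng.getrandbits(K)          # blinding vector b, sent first
        return self.b

    def respond(self, a: int) -> int:
        noise = 1 if self.rng.random() < ETA else 0
        return inner(a, self.x) ^ inner(self.b, self.y) ^ noise


class Reader:
    """HB+ verifier. `tamper`, if given, models a MIM that rewrites the challenge a."""

    def __init__(self, x: int, y: int, rng: random.Random):
        self.x, self.y, self.rng = x, y, rng

    def authenticate(self, tag: Tag, tamper=None) -> bool:
        wrong = 0
        for _ in range(Q):
            b = tag.commit()
            a = self.rng.getrandbits(K)
            z = tag.respond(tamper(a) if tamper else a)   # tag sees a' = a xor delta
            if z != inner(a, self.x) ^ inner(b, self.y):  # reader checks against its own a
                wrong += 1
        return wrong <= THRESHOLD


def solve_gf2(rows, k: int = K):
    """Solve delta_j . x = bit_j over GF(2). rows: list of (delta, bit).
    Returns x, or None if the deltas do not span GF(2)^k (add more rows)."""
    eqs = [(d << 1) | b for d, b in rows]      # bit 0 of each row holds the right-hand side
    pivots = []
    for col in range(k - 1, -1, -1):
        mask = 1 << (col + 1)
        piv = next((e for e in eqs if e & mask), None)
        if piv is None:
            return None
        eqs.remove(piv)
        eqs = [e ^ piv if e & mask else e for e in eqs]
        pivots = [p ^ piv if p & mask else p for p in pivots]
        pivots.append(piv)
    x = 0                                       # fully reduced: one delta bit per pivot row
    for p in pivots:
        if p & 1:
            x |= p >> 1
    return x


def grs_attack(reader: Reader, tag: Tag, rng: random.Random) -> int:
    """Recover x: per session XOR a random delta into a; acceptance means delta . x = 0."""
    rows = []
    while True:
        delta = rng.getrandbits(K)
        accepted = reader.authenticate(tag, tamper=lambda a, d=delta: a ^ d)
        rows.append((delta, 0 if accepted else 1))
        if len(rows) >= K:
            x = solve_gf2(rows)
            if x is not None:
                return x


def demo(seed: int = 7):
    """Returns (honest session accepted, GRS recovered the exact x)."""
    rng = random.Random(seed)
    x, y = rng.getrandbits(K), rng.getrandbits(K)
    tag, reader = Tag(x, y, rng), Reader(x, y, rng)
    honest = reader.authenticate(tag)
    return honest, grs_attack(reader, tag, rng) == x


if __name__ == "__main__":
    print(demo())   # (True, True)
```

The attacker never needs to pass authentication itself: each tampered session is an oracle query for one linear equation in x, and with the threshold the reader uses here a δ with δ ⊙ x = 1 turns roughly 1 − η of the rounds wrong, so accept/reject is unambiguous.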

Page 24: II. HB* Protocol – HB* Protocol (1/4)

• The HB protocol family is one of the most interesting for low-cost devices
  – Very efficient (no hash, no block cipher)
  – Security is based on a well-studied hard problem (LPN)
• In this thesis, I propose HB*
  • A variant of HB+ secure against the MIM attack.
  • Can be used to exchange a session key.
  • 2-round (challenge-response) instead of 3-round as in HB+.
  • Twice the size of secret keys.

Page 25: II. HB* Protocol – HB* Protocol (1/4)

• Why the man-in-the-middle attack works on HB+
  – The binary inner product is linear.
  – x is always associated with challenge a (and y with b), for no particular reason.
• My approach to prevent the GRS MIM attack:
  • Secretly swap the roles of x and y when computing the response z.
  • Introduce two new secret keys r and t to decide how the response z should be (secretly) computed and verified.

Page 26: II. HB* Protocol – HB* Protocol (2/4)

Tag (k-bit secrets x, y, r, t)    Reader (k-bit secrets x, y, r, t)

  Reader: a ←R {0, 1}^k, ν ←R {0, 1}; w = (a ⊙ r) ⊕ ν
  Reader → Tag: a, w
  Tag: b ←R {0, 1}^k, ν' ←R {0, 1}; w' = (b ⊙ t) ⊕ ν'
       If ν' = (a ⊙ r) ⊕ w: z = (a ⊙ x) ⊕ (b ⊙ y)
       Otherwise: z = (b ⊙ x) ⊕ (a ⊙ y)
  Tag → Reader: b, w', z
  Reader: If ν = (b ⊙ t) ⊕ w': check if z = (a ⊙ x) ⊕ (b ⊙ y)
          Otherwise: check if z = (a ⊙ y) ⊕ (b ⊙ x)

Repeat the above step q times. Accept only if all responses from the Tag are correct.

No noise is applied to z.

Page 27: II. HB* Protocol – HB* Protocol (3/4)

• HB* is secure against the generalized GRS man-in-the-middle attack if the secret keys are chosen carefully.
• Observe that, under the assumption that LPN is hard:
  – Tag and Reader securely exchange two bits (ν and ν') via (a, w) and (b, w').
  – Furthermore, (a, w) and (b, w') each come from a single entity, and are therefore inherently secure against a man-in-the-middle attack.
  – The original GRS attack does not work, since the attacker does not know which secret key (x or y) is associated with a.
• Observe that the attacker can only learn useful information about bits of x and y by modifying bits at the same position i of a and b:
  • The attacker learns useful information only when x_i = y_i = r_i = t_i = 0.
  • We can prevent the attack by choosing secret keys so that the above case is avoided.

Page 28: II. HB* Protocol – HB* Protocol (4/4)

• Comparison

HB* can be used as an implicit key exchange protocol such that in each round the tag and reader share one secret bit (ν').
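The two-round HB* exchange of slide 26, the per-round shared bit ν' of this slide, and the single-position leak condition of slide 27, as an added example written for this page (not the dissertation's own code). k and q are assumptions, and the secrets are drawn at random so that the key-choice rule of slide 27 is deliberately not applied: the probe below then lands exactly on the positions where x_i = y_i = r_i = 0 (t only matters when b is modified too, which this probe does not do).

```python
"""HB* two-round exchange (slide 26) with a GRS-style single-bit probe (added example).

K and Q are assumptions. Reader -> Tag: (a, w); Tag -> Reader: (b, w', z);
no noise is applied to z, so every round of an honest session must verify.
"""
import random

K = 32    # key length (assumption)
Q = 64    # rounds per session (assumption)


def inner(a: int, x: int) -> int:
    """Binary inner product over GF(2)."""
    return bin(a & x).count("1") & 1


class Party:
    """Shared state of both sides: secrets x, y, r, t and an RNG."""

    def __init__(self, x, y, r, t, rng):
        self.x, self.y, self.r, self.t, self.rng = x, y, r, t, rng


class HBStarReader(Party):
    def challenge(self):
        self.a = self.rng.getrandbits(K)
        self.nu = self.rng.getrandbits(1)
        return self.a, inner(self.a, self.r) ^ self.nu      # w hides nu under a.r

    def verify(self, b, w_p, z):
        nu_p = inner(b, self.t) ^ w_p                         # recover the tag's bit nu'
        if nu_p == self.nu:
            expected = inner(self.a, self.x) ^ inner(b, self.y)
        else:
            expected = inner(self.a, self.y) ^ inner(b, self.x)
        return z == expected, nu_p


class HBStarTag(Party):
    def respond(self, a, w):
        nu = inner(a, self.r) ^ w                             # recover the reader's bit nu
        b = self.rng.getrandbits(K)
        nu_p = self.rng.getrandbits(1)
        w_p = inner(b, self.t) ^ nu_p
        if nu_p == nu:                                        # roles of x and y chosen secretly
            z = inner(a, self.x) ^ inner(b, self.y)
        else:
            z = inner(b, self.x) ^ inner(a, self.y)
        self.last_nu_p = nu_p                                 # kept locally for key agreement
        return b, w_p, z


def session(reader, tag, tamper=None):
    """Run q rounds. Returns (accepted, reader's nu' bits, tag's nu' bits)."""
    reader_bits, tag_bits = [], []
    for _ in range(Q):
        a, w = reader.challenge()
        if tamper is not None:
            a = tamper(a)                                     # MIM rewrites a only
        b, w_p, z = tag.respond(a, w)
        ok, nu_p = reader.verify(b, w_p, z)
        if not ok:
            return False, reader_bits, tag_bits               # accept only if all rounds verify
        reader_bits.append(nu_p)
        tag_bits.append(tag.last_nu_p)
    return True, reader_bits, tag_bits


def single_bit_probe(reader, tag, i: int) -> bool:
    """GRS-style probe: flip bit i of every a. True if the session still passes."""
    return session(reader, tag, tamper=lambda a: a ^ (1 << i))[0]


def demo(seed: int = 11):
    """(honest accepted, both sides agree on the nu' key bits,
        probe passes exactly where x_i = y_i = r_i = 0)."""
    rng = random.Random(seed)
    x, y, r, t = (rng.getrandbits(K) for _ in range(4))
    reader, tag = HBStarReader(x, y, r, t, rng), HBStarTag(x, y, r, t, rng)
    ok, reader_bits, tag_bits = session(reader, tag)
    passing = [i for i in range(K) if single_bit_probe(reader, tag, i)]
    silent = [i for i in range(K) if not ((x | y | r) >> i & 1)]
    return ok, reader_bits == tag_bits, passing == silent


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

A flipped bit a_i that hits r_i = 1 corrupts the tag's view of ν, so the two sides disagree on which check to apply and the session fails; if r_i = 0 it fails as soon as a round exercises a branch in which x_i or y_i is 1. Only x_i = y_i = r_i = 0 lets the session pass, which is the single-bit case slide 27 tells the key generator to avoid.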

Page 29: III. RFID and DoS Attack – Privacy vs Performance

• No privacy protection (Class-1 Gen-2 spec), except killing tags:
  • The tag always backscatters its unique EPC number.
  • Good for performance: easy to look up the tag in the DB.
• Privacy protection (many protocols, but not HB+ and HB*):
  • The tag backscatters a different EPC (pseudonym) in every session.
  • Bad for performance: how to look up the tag if the EPC always changes?

Page 30: III. RFID and DoS Attack – OSK Protocol

• OSK protocol
  • Authentication token = Hash(current EPC)
  • Next EPC = Hash(current EPC)
  • The server scans through the whole DB to identify a tag.

Page 31: III. RFID and DoS Attack – O-FRAP and O-RAP (1/4)

• Optimistic behavior:
  – Performance is optimal if there is no attack.
• Anonymity:
  – The tag should use a randomly chosen pseudonym for each authentication session. The pseudonym is used to index the tag database (the index is updated regularly).
• Forward security:
  – Refresh the secret key after every successful authentication session.
  – But this often leads to de-synchronization of the secret:
    • An attacker can block/alter a message so that only one of the tag and the reader authenticates successfully.

Page 32: III. RFID and DoS Attack – O-FRAP and O-RAP (2/4)

• How to defeat the de-synchronization attack?
  – The server keeps track of two versions of the secret for each tag: {Kold, Kcurrent}
  – In an authentication session, if the tag uses Kcurrent: Kold = Kcurrent, Kcurrent = Knew
  – If the tag uses Kold: preserve Kold and let Kcurrent = Knew
• Why don't we update Kold = Kcurrent in the second case as well?
  – Because an attacker can prevent the tag from updating its key for two successive sessions to cause de-synchronization.
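The two-version key store and its update rule, as an added example written for this page (not the dissertation's O-FRAP code). The message layout is an assumption: the tag answers a server nonce with v = PRF_K(r_sys, r_tag, "T"), the server confirms with c = PRF_K(r_sys, r_tag, "S"), and each side derives K_new = PRF_K(r_sys, r_tag, "U") only after seeing the other side's value, so an attacker who drops c leaves the tag on its old key. The flawed rule the slide warns against can be switched on to show the resulting de-synchronization.

```python
"""Server-side {Kold, Kcurrent} key versioning against de-synchronization (added example).

Message layout (assumption): Tag -> Server: r_tag, v = PRF_K(r_sys|r_tag|"T");
Server -> Tag: c = PRF_K(r_sys|r_tag|"S"); both then set K = PRF_K(r_sys|r_tag|"U").
PRF is instantiated with HMAC-SHA256 for the demo.
"""
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Tag:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, r_sys: bytes):
        self.r_sys, self.r_tag = r_sys, os.urandom(8)
        return self.r_tag, prf(self.key, r_sys, self.r_tag, b"T")

    def finish(self, c: bytes) -> bool:
        """Update the key only after the server has proven knowledge of it."""
        if not hmac.compare_digest(c, prf(self.key, self.r_sys, self.r_tag, b"S")):
            return False
        self.key = prf(self.key, self.r_sys, self.r_tag, b"U")
        return True


class Server:
    def __init__(self, key: bytes, preserve_old_on_fallback: bool = True):
        self.k_old, self.k_cur = key, key
        self.preserve = preserve_old_on_fallback   # False reproduces the flawed rule

    def verify(self, r_sys: bytes, r_tag: bytes, v: bytes):
        """Try Kcurrent, then Kold; apply the slide-32 update rule; return confirmation or None."""
        for idx, k in enumerate((self.k_cur, self.k_old)):
            if hmac.compare_digest(v, prf(k, r_sys, r_tag, b"T")):
                used_current = idx == 0
                k_new = prf(k, r_sys, r_tag, b"U")
                if used_current or not self.preserve:
                    self.k_old = self.k_cur          # shift the window forward
                # tag used Kold and the correct rule applies: Kold is preserved
                self.k_cur = k_new
                return prf(k, r_sys, r_tag, b"S")
        return None


def run_session(server: Server, tag: Tag, block_confirm: bool = False):
    """One authentication; returns (server accepted, tag updated its key)."""
    r_sys = os.urandom(8)
    r_tag, v = tag.respond(r_sys)
    c = server.verify(r_sys, r_tag, v)
    if c is None:
        return False, False
    if block_confirm:                                # attacker drops the last message
        return True, False
    return True, tag.finish(c)


def desync_trial(preserve_old: bool) -> list:
    """Normal, two blocked sessions, then two normal ones: does the server keep accepting?"""
    key = os.urandom(16)
    server, tag = Server(key, preserve_old), Tag(key)
    pattern = [False, True, True, False, False]      # True = confirmation blocked
    return [run_session(server, tag, block)[0] for block in pattern]


if __name__ == "__main__":
    print(desync_trial(True))    # [True, True, True, True, True]
    print(desync_trial(False))   # [True, True, True, False, False]
```

With the flawed rule, the second blocked session makes the server overwrite Kold with a key the tag never received, so the tag's key matches neither version afterwards; with the rule on the slide, the tag's key survives as Kold for as long as the attacker keeps blocking, and the next unblocked session resynchronizes both sides.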

Page 33: III. RFID and DoS Attack – O-FRAP and O-RAP (3/4)

O-FRAP Protocol

Prev_j = (secret key, pseudonym) of tag T_j in the previous session
Cur_j = (secret key, pseudonym) of tag T_j in the current session

Page 34: III. RFID and DoS Attack – O-FRAP and O-RAP (4/4)

O-RAP Protocol (O-FRAP without updating the secret key: no forward security)

Page 35: III. RFID and DoS Attack – DoS Attack on O-RAP

• An attacker can cause the server to search its whole database by sending any invalid pseudonym.

Page 36: III. RFID and DoS Attack – O-RAP+ and O-FRAP+ (1/4)

• Key idea: two-phase authentication
  – The reader authenticates the tag's pseudonym first.
    • A fixed key can be used for this.
    • The tag can also use this key to verify the server first, and only then update its secret key and pseudonym (no more de-synchronization).
    • Only tags that pass this first round of verification are passed on to the server.
  – Tags authenticated in the first round are then identified again at the back-end server.
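The reader-side filter of the two-phase idea, measured against the whole-database search of slide 35, as an added example written for this page (it is not the O-RAP+ construction itself). The message format is an assumption: the tag answers the reader nonce r_sys with (pseudonym, r_tag, τ, v), where τ is a PRF under a fixed key Kfix shared by legitimate tags and readers and v is a PRF under the tag's own key; pseudonym refresh is omitted. Server work is counted in PRF evaluations.

```python
"""Two-phase gate in front of an O-RAP-style server (added example).

Assumed message: Tag -> Reader: pseudonym, r_tag, tau, v with
tau = PRF_Kfix(pseudonym|r_sys|r_tag) (checked by the reader) and
v = PRF_Ktag(pseudonym|r_sys|r_tag) (checked by the server). On an index miss the
server tries every key in its database, which is the DoS of slide 35.
"""
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Tag:
    def __init__(self, tid: str, key: bytes, pseudonym: bytes, k_fix: bytes):
        self.tid, self.key, self.pseudonym, self.k_fix = tid, key, pseudonym, k_fix

    def respond(self, r_sys: bytes):
        r_tag = os.urandom(8)
        tau = prf(self.k_fix, self.pseudonym, r_sys, r_tag)   # phase 1, reader checks
        v = prf(self.key, self.pseudonym, r_sys, r_tag)       # phase 2, server checks
        return self.pseudonym, r_tag, tau, v


class Server:
    def __init__(self, records):                 # records: list of (tid, key, pseudonym)
        self.records = records
        self.index = {p: (tid, k) for tid, k, p in records}
        self.prf_calls = 0

    def identify(self, r_sys, pseudonym, r_tag, v):
        hit = self.index.get(pseudonym)
        # index hit: one candidate; miss: O-RAP behaviour, try every key in the database
        candidates = [hit] if hit else [(tid, k) for tid, k, _ in self.records]
        for tid, key in candidates:
            self.prf_calls += 1
            if hmac.compare_digest(v, prf(key, pseudonym, r_sys, r_tag)):
                return tid
        return None


class Reader:
    def __init__(self, server: Server, k_fix: bytes, two_phase: bool):
        self.server, self.k_fix, self.two_phase = server, k_fix, two_phase
        self.dropped = 0

    def session(self, responder):
        r_sys = os.urandom(8)
        pseudonym, r_tag, tau, v = responder(r_sys)
        if self.two_phase and not hmac.compare_digest(
                tau, prf(self.k_fix, pseudonym, r_sys, r_tag)):
            self.dropped += 1
            return None                          # never reaches the back end
        return self.server.identify(r_sys, pseudonym, r_tag, v)


def bogus_tag(r_sys: bytes):
    """Attacker's message (constructed): random pseudonym and random tags."""
    return os.urandom(16), os.urandom(8), os.urandom(32), os.urandom(32)


def flood(n_tags: int, n_bogus: int, two_phase: bool):
    """Returns (server PRF evaluations, legitimate tag identified, messages dropped at reader)."""
    k_fix = os.urandom(16)
    tags = [Tag(f"T{i}", os.urandom(16), os.urandom(16), k_fix) for i in range(n_tags)]
    server = Server([(t.tid, t.key, t.pseudonym) for t in tags])
    reader = Reader(server, k_fix, two_phase)
    for _ in range(n_bogus):
        reader.session(bogus_tag)
    legit = reader.session(tags[0].respond) == tags[0].tid
    return server.prf_calls, legit, reader.dropped


if __name__ == "__main__":
    print(flood(50, 20, two_phase=False))   # (1001, True, 0): 20 x 50 scans + 1 lookup
    print(flood(50, 20, two_phase=True))    # (1, True, 20): only the real tag reaches the server
```

The gate moves the cost of junk from an O(|DB|) server scan per message to one PRF per message at the reader. Note the caveat for a shared fixed key: extracting it from any one tag lets an attacker pass the gate again and revive the flooding, but not impersonate a specific tag, because phase two still checks the per-tag key.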

Page 37: III. RFID and DoS Attack – O-RAP+ and O-FRAP+ (2/4)

O-RAP+ Protocol (O-FRAP+ without key updating)

Page 38: III. RFID and DoS Attack – O-RAP+ and O-FRAP+ (3/4)

• Reducing O-FRAP+ and O-RAP+ to 3-round protocols:
  – O-FRAP+ can be a 3-round protocol:
    • The tag initiates the protocol (sending t_sys), but this is usually not the case in practice.
  – Indeed, the first message from the server is usually a broadcast message; any tag in range will respond with t_sys.
    • Once a tag is isolated, the reader can send r_sys to start an authentication session.
    • Therefore, O-FRAP+ and O-RAP+ are essentially 3-round protocols.

Page 39: III. RFID and DoS Attack – O-RAP+ and O-FRAP+ (4/4)

• Security:
  – O-FRAP+ and O-RAP+ are at least as secure as O-FRAP and O-RAP, respectively.
• Comparison

Page 40: IV. Grouping-Proof Protocol – Previous Protocols (1/6)

• Grouping-proof protocols for RFID tags:
  – Generate a proof that multiple tags are present at the time of scanning.
  – For example, tags attached to different parts of a car should stay together.
• Previous protocols:
  – Yoking-Proof and variants
  – Timestamp-based Yoking-Proof
  – Saitoh-Sakurai's Grouping-Proof

Page 41: IV. Grouping-Proof Protocol – Previous Protocols (2/6)

• Yoking-Proof:
  (1) Reader → T1: "left proof"
  (2) T1 → Reader: T1, r1 (T1 chooses r1 at random)
  (3) Reader → T2: "right proof", r1
  (4) T2 → Reader: T2, r2, m2, where m2 = MAC_K2[r1] (T2 chooses r2 at random); Reader → T1: r2
  (5) T1 → Reader: m1 = MAC_K1[r2]
  (6) Reader → Verifier: P = (T1, r1, m1, T2, r2, m2)

Page 42: IV. Grouping-Proof Protocol – Previous Protocols (3/6)

• Timestamp-based Yoking-Proof:
  (1) Verifier → Reader: TS
  (2) Reader → T1: TS
  (3) T1 → Reader: T1, r1 (T1 chooses r1 at random)
  (4) Reader → T2: TS, r1
  (5) T2 → Reader: T2, r2, m2, where m2 = MAC_K2[TS, r1] (T2 chooses r2 at random)
  (6) Reader → T1: r2
  (7) T1 → Reader: m1 = MAC_K1[TS, r2]
  (8) Reader → Verifier: P = (TS, T1, r1, m1, T2, r2, m2)

Page 43: IV. Grouping-Proof Protocol – Previous Protocols (4/6)

• Piramuthu's protocol:
  Reader chooses r at random.
  (1) Reader → T1: r
  (2) T1 → Reader: T1, r1 (T1 chooses r1 at random)
  (3) Reader → T2: r, r1
  (4) T2 → Reader: T2, r2, m2, where m2 = MAC_K2[r, r1] (T2 chooses r2 at random)
  (5) Reader → T1: m2
  (6) T1 → Reader: m1 = MAC_K1[r1, m2]
  (7) Reader → Verifier: P = (r, r1, r2, T1, m1, T2, m2)

Page 44: IV. Grouping-Proof Protocol – Previous Protocols (5/6)

• Lin et al.'s protocol:
  (1) Online Verifier → Reader: S = SK_x[r, TS]
  (2) Reader → T1: S
  (3) T1 → Reader: T1, m1, where m1 = MAC_K1[S]
  (4) Reader → T2: S, m1
  (5) T2 → Reader: T2, m2, where m2 = MAC_K2[S, m1]
  (6) Reader → Online Verifier: P = (S, T1, m1, T2, m2)

Page 45: IV. Grouping-Proof Protocol – Previous Protocols (6/6)

• Saitoh-Sakurai's protocol:
  (1) Verifier → Reader: TS
  (2) Reader → Ti (for each tag i = 1, …, n): TS
  (3) Ti → Reader: mi = MAC_Ki[TS]
  (4) Reader → Pallet Tag: TS
  (5) Reader → Pallet Tag: Ti, mi (for i = 1, …, n); Pallet Tag computes CP = SK_K[TS, m1, …, mn]
  (6) Reader → Verifier: P = (TS, CP)

Page 46: IV. Grouping-Proof Protocol – Security Issue

• No security model for multiple-tag scanning protocols so far.
  – No security proof for the previous protocols.
• Mafia fraud attack (distance fraud):

[Figure: the Reader exchanges challenge/response with tag T1 inside its communication range; an Attacker inside the range relays the Reader's challenge to tag T2, which is outside the range, and relays T2's response back to the Reader]

Page 47: IV. Grouping-Proof Protocol – Scalability Issue

• Poor scalability:
  – The reader has to relay messages from one tag to another.
  – If there are n tags, the reader needs to relay at least n(n-1) messages.
  – Saitoh's grouping-proof protocol requires an additional entity (the pallet tag), and the reader needs to relay n messages to the pallet tag.

Page 48: IV. Grouping-Proof Protocol – Security Definition (1/2)

• The goal of the adversary:
  – Inject/replace/remove a tag into/from a valid proof, where the tag is not actually in the communication range of the reader.
• The adversary is active:
  – Access to both the tag and the reader oracle.
• The reader can be malicious:
  – But it is trusted to execute the protocol correctly.
  – A malicious reader may try to replace a tag in a proof with a different one before reporting the proof to the verifier.

Page 49: IV. Grouping-Proof Protocol – Security Definition (2/2)

• Experiment for adding a tag to a valid proof:
  – Setup.
  – The adversary queries the tag and reader oracles.
  – The adversary can corrupt the reader after a protocol session has terminated.
  – Challenge: n tags (T1, T2, …, Tn) and the corresponding valid co-existence proof P.
  – The adversary outputs (T*, P*) such that T* is not among (T1, T2, …, Tn) and P* is a valid co-existence proof of the n+1 tags (T*, T1, T2, …, Tn).
• The adversary can add one tag to the original proof, but that tag is not in the communication range of the reader.

A grouping-proof protocol is said to be secure if the success probability of the adversary in the above experiment is negligible.

Page 50: IV. Grouping-Proof Protocol – Proposed Protocol (1/5)

• (n, n)-secret sharing scheme: a dealer splits a secret x into n shares:
  – x can only be recovered if all n shares are provided.
• Applying it to grouping proofs:
  – Each tag signs a share (not the other tags' random numbers, to avoid relaying).
  – If the shares can be used to recover a random challenge chosen by the verifier, then the proof is verified.
• A trivial (n, n) secret sharing scheme:
  – The dealer chooses (n-1) random numbers as the first (n-1) shares y1, y2, …, y_{n-1}.
  – The last share is y_n = x ⊕ y1 ⊕ y2 ⊕ … ⊕ y_{n-1}.

Page 51: IV. Grouping-Proof Protocol – Proposed Protocol (2/5)

  Verifier: choose x at random
  Verifier → Reader: x
  Reader: pick y0, y1, y2, …, y_{n-1} at random; compute y_n = x ⊕ y0 ⊕ y1 ⊕ y2 ⊕ … ⊕ y_{n-1}
  For each tag Ti (i = 1, …, n):
    Reader → Ti: x, y_i
    Ti: m_i = MAC_Ki[x, y_i]
    Ti → Reader: Ti, m_i
  Reader → Verifier: P = (y0, T1, y1, m1, …, Tn, yn, mn)

The Verifier accepts proof P if every MAC m_i verifies and x can be reconstructed from y0, y1, y2, …, yn.

Page 52: IV. Grouping-Proof Protocol – Proposed Protocol (3/5)

• No scalability problem.
  – The reader does not relay any messages.
  – The verifier maintains a time-to-live on x (instead of sending a timestamp to the reader).
• Comparison
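The proposed protocol of slides 50–52 end to end, as an added example written for this page (not the dissertation's code): the reader splits x with the trivial (n, n) XOR scheme, each tag MACs only its own share, and the verifier checks every MAC, reconstructs x, and enforces a time-to-live on x. The MAC (HMAC-SHA256 truncated to 8 bytes), the 64-bit x, and the TTL modelled as a counter of verification rounds are assumptions. The demo also runs the three adversary types of slide 54 against one session.

```python
"""Grouping proof from (n, n) XOR secret sharing (slides 50-52), added example.

Assumptions: MAC = HMAC-SHA256 truncated to MAC_LEN bytes; x and the shares are
L bytes; the verifier's time-to-live on x counts verification rounds.
"""
import hashlib
import hmac
import os

L = 8          # bytes of x and of each share (l = 64 bits, assumption)
MAC_LEN = 8    # truncated MAC length (assumption)


def mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()[:MAC_LEN]


def xor_all(*blocks: bytes) -> bytes:
    out = bytearray(L)
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


class Tag:
    def __init__(self, tid: str, key: bytes):
        self.tid, self.key = tid, key

    def sign_share(self, x: bytes, y: bytes):
        return self.tid, y, mac(self.key, x, y)           # m_i = MAC_Ki[x, y_i]


class Verifier:
    def __init__(self, keys: dict):
        self.keys = keys                                    # tid -> K_i
        self.outstanding = {}                               # x -> remaining TTL

    def challenge(self, ttl: int = 3) -> bytes:
        x = os.urandom(L)
        self.outstanding[x] = ttl
        return x

    def tick(self):
        """One verification round elapses; expire challenges whose TTL reached 0."""
        for x in list(self.outstanding):
            self.outstanding[x] -= 1
            if self.outstanding[x] <= 0:
                del self.outstanding[x]

    def verify(self, x: bytes, y0: bytes, entries) -> bool:
        if x not in self.outstanding:                       # expired, replayed or never issued
            return False
        shares = [y0]
        for tid, y, m in entries:
            key = self.keys.get(tid)
            if key is None or not hmac.compare_digest(m, mac(key, x, y)):
                return False                                # unknown tag or wrong x / share
            shares.append(y)
        if xor_all(*shares) != x:                           # a share is missing or altered
            return False
        del self.outstanding[x]                             # x is single-use
        return True


def reader_collect(x: bytes, tags):
    """Reader: pick y0..y_{n-1}, set y_n = x xor y0 xor ... xor y_{n-1}, hand y_i to tag i."""
    n = len(tags)
    ys = [os.urandom(L) for _ in range(n)]                  # y0 .. y_{n-1}
    ys.append(xor_all(x, *ys))                              # y_n
    entries = [tag.sign_share(x, ys[i + 1]) for i, tag in enumerate(tags)]
    return ys[0], entries                                   # P = (y0, T1, y1, m1, ..., Tn, yn, mn)


def demo() -> dict:
    keys = {f"T{i}": os.urandom(16) for i in range(1, 5)}
    tags = [Tag(t, k) for t, k in keys.items()]
    ver = Verifier(keys)
    # Earlier session with T4 alone, recorded by the attacker (constructed scenario)
    x_prev = ver.challenge()
    y0_prev, prev = reader_collect(x_prev, tags[3:])
    stolen = prev[0]                                        # (T4, y*, m*) bound to x_prev
    ver.verify(x_prev, y0_prev, prev)
    # Current session: T1, T2, T3 really in range
    x = ver.challenge()
    y0, entries = reader_collect(x, tags[:3])
    results = {
        "add_absent_tag": ver.verify(x, y0, entries + [stolen]),     # Type-III
        "replace_tag": ver.verify(x, y0, [stolen] + entries[1:]),    # Type-I
        "drop_tag": ver.verify(x, y0, entries[:2]),                  # Type-II
        "honest": ver.verify(x, y0, entries),
        "replay": ver.verify(x, y0, entries),
    }
    x_late = ver.challenge(ttl=1)
    y0_late, late = reader_collect(x_late, tags[:2])
    ver.tick()                                              # TTL expires before the proof arrives
    results["expired"] = ver.verify(x_late, y0_late, late)
    return results


if __name__ == "__main__":
    print(demo())   # only "honest" is True
```

Adding or replacing with a recorded (T*, y*, m*) fails because m* was computed under a different x, which is exactly the case the proof of slide 54 bounds by the birthday paradox on l; dropping a tag leaves the XOR of the remaining shares equal to x ⊕ y_i instead of x.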

Page 53: IV. Grouping-Proof Protocol – Proposed Protocol (4/5)

Theorem: Let ε_mac be the success probability of an adversary attacking the MAC scheme, ε the success probability of an adversary attacking the proposed protocol, and l the bit length of x. We have:

  ε = O(ε_mac + 2^{-l/2})

– If the MAC scheme is secure and l is long enough, the proposed grouping-proof scheme is secure.

Page 54: IV. Grouping-Proof Protocol – Proposed Protocol (5/5)

Proof: distinguish three types of adversary:
  – Type-I adversary: replaces a tag in a valid proof with another tag.
  – Type-II adversary: removes a tag from a valid proof.
  – Type-III adversary: adds a tag to a valid proof.
For a Type-I adversary, let (T*, y*, m*) be the target tag; there are two cases:
  – y* has not been queried to the tag oracle: the adversary is a MAC forger.
  – y* has been queried to the tag oracle: bounded by the birthday paradox with respect to the bit length l of x.

Page 55: V. Conclusion

• RFID faces serious security threats:
  – Tag cloning.
  – Privacy invasion.
  – DoS attacks.
• I propose three new cryptographic protocols to counter these threats:
  – HB*: lightweight authentication protocol secure against MIM.
  – Two-phase authentication to counter DoS attacks (applied to O-FRAP and O-RAP).
  – Scalable grouping-proof protocol with sound security treatment.

Page 56: VI. Future Work

• Sound security model for RFID protocols
  – Current models (Vaudenay's, UC-based) treat reader and server as one entity.
  – Real-world security depends heavily on how much you trust the reader.
  – The reader has to be treated as an indispensable entity in an RFID system, even in a security analysis.
• Impossibility of certain cryptographic tasks for RFID:
  – Grouping-proof protocols with an offline server?
  – Robust interactive key updating?

Page 57: Publications (1/3)

I. Whitepapers
(1) "Enhancing Security of Class I Generation 2 RFID against Traceability and Cloning", Dang Nguyen Duc, Hyunrok Lee, and Kwangjo Kim, In Auto-ID Lab Whitepaper Series: Networked RFID Systems and Lightweight Cryptography, Springer Berlin Heidelberg, ISBN 978-3-540-71640-2, pp. 269-277, Nov. 08, 2007.
(2) "Toward Designing Provably Secure Cryptographic Protocols for RFID Tags", Dang Nguyen Duc, Hyunrok Lee, and Kwangjo Kim, Auto-ID Lab Whitepaper Series, available at http://www.autoidlabs.org/rssdetail/dir/article/1/322/.

II. Journals
(3) "On the Security of RFID Group Scanning Protocols", Dang Nguyen Duc and Kwangjo Kim, IEICE Transactions on Information and Systems, Vol. E93-D, No. 3, Mar. 2010.
(4) "Defending RFID Authentication Protocols against DoS Attacks", Dang Nguyen Duc and Kwangjo Kim, Elsevier's Journal of Computer Communications (under review).
(5) "Security Analysis of A Remote User Authentication Protocol by Liao and Wang", Dang Nguyen Duc and Kwangjo Kim, Elsevier's Journal of Computer Standards & Interfaces (under review).
(6) "A Secure Lightweight Authentication Protocol Based on Hard Learning Problem", Dang Nguyen Duc and Kwangjo Kim, Elsevier's Journal of Computer Standards & Interfaces (under review).

Page 58: Publications (2/3)

III. International Conferences
(1) [SCI-E] "A Forward-Secure Blind Signature Scheme Based on the Strong RSA Assumption", Dang Nguyen Duc, Jung-Hee Cheon, and Kwangjo Kim, In Proc. of ICICS'03, Springer-Verlag LNCS 2836, pp. 11-21, Oct. 10~13, 2003.
(2) "A New Provably Secure Transitive Signature Scheme", Dang Nguyen Duc, Zeen Kim and Kwangjo Kim, In the Proceedings of SCIS'05, Jan. 25~28, 2005.
(3) "A New Transitive Signature Scheme based on RSA-based Security Assumptions", Dang Nguyen Duc, Kyusuk Han, Zeen Kim, and Kwangjo Kim, In Proc. of ACNS'05 (Industrial and Short-Papers Track), pp. 165-175, Jun. 10, 2005.
(4) "Enhancing Security of EPCglobal Gen-2 RFID Tag against Traceability and Cloning", Dang Nguyen Duc, Jaemin Park, Hyunrok Lee, and Kwangjo Kim, In the Proceedings of SCIS'06, Abstract p. 97, Jan. 17~20, 2006.
(5) "Human Authentication Protocol for Distributed Computing Environment", Dang Nguyen Duc and Kwangjo Kim, In the Pre-Proceedings of WISA'06, pp. 367-372, Aug. 28-30, 2006.
(6) "A Capability-based Privacy-preserving Scheme for Pervasive Computing Environments", Divyan M. Konidala, Dang Nguyen Duc, Dong-man Lee and Kwangjo Kim, In Proc. of IEEE PerSec'05, pp. 136-140, Mar. 8~12, 2005.
(7) "Securing HB+ against GRS Man-in-the-Middle Attack", Dang Nguyen Duc and Kwangjo Kim, In the Proceedings of SCIS'07, Abstracts p. 123, Jan. 23-26, 2007.

Page 59: Publications (3/3)

III. International Conferences (continued)
(8) "How to Exchange Secret on Low-cost Devices", Dang Nguyen Duc and Kwangjo Kim, In the Proceedings of TriSAI'08, 2008.
(8) "Security and User Privacy for Mobile-RFID Applications in Public Zone", Divyan M. Konidala, Dang Nguyen Duc, and Kwangjo Kim, In the Proceedings of TriSAI'08, 2008.
(9) "Open Issues in RFID Security", Dang Nguyen Duc, Divyan M. Konidala, Hyunrok Lee and Kwangjo Kim, RFID Security and Cryptography 2009 (invited paper).
(10) "Grouping-Proof Protocol for RFID Tags: Security Definition and Scalable Construction", Dang Nguyen Duc and Kwangjo Kim, ACM AsiaCCS'2010 (under review).

IV. Domestic Conferences
(1) "A Lightweight Key Agreement Protocol Based on LPN Problem", Dang Nguyen Duc and Kwangjo Kim, In Proc. of CISC-W'07, Vol. 17, No. 2, pp. 709-712, 2007.
(2) "Secure HB+ against Man-in-the-middle Attacks", Dang Nguyen Duc and Kwangjo Kim, Proceedings of the 2006 KIISC Winter Conference, pp. 265-272, 2006.
(3) "A Study on Security Vulnerabilities of the 2nd-Generation EPCglobal RFID Specification and Their Improvement" (in Korean), Jaemin Park, Dang Nguyen Duc, Vo Duc Liem, Youngjoon Seo, and Kwangjo Kim, Proceedings of the 2005 KIISC Chungcheong Branch Conference, pp. 207~220, 2005.
(4) "A Simple Secure Communication Protocol for RFID Devices", Dang Nguyen Duc, Jaemin Park, Hyunrok Lee, and Kwangjo Kim, Proceedings of the 2005 KIISC Winter Conference on Information Security, pp. 254-259, 2005.

Page 60: THE END

Thank you!