
4.3 Security Analysis

4.3.2 Privacy Properties

Here, the privacy properties of the proposed scheme are studied using Avoine's adversarial model [4] by applying the oracles Query (Q) $(\pi_T^i, m_1, m_3)$, Send (S) $(\pi_R^j, m_2)$ and the further oracles used below; for details about the adversarial model, please refer to Section 3.2.2.

Table 4.6: GNY Logic - Security Correctness Goals (table not reproduced here)

Theorem 1: The proposed grouping proof protocol P is Existential-UNT-QSE.

Proof: Consider that an adversary has access to the Q-oracle such that $\omega_i(T_1) \in \{\mathrm{Query}(\pi_{T_1}^i, *)\}$ and $\omega_i(T_2) \in \{\mathrm{Query}(\pi_{T_2}^i, *)\}$. For any protocol interaction $I_i$ whose length is $\leq P_{chal}$, based on the output $m_2 = \{M_1, \beta_1, Y_1, R_c\}$ of the Q-oracle, $M_1$ is guaranteed to be unlinkable, since $M_1 = \mathrm{PRNG}(T_{id} \oplus T_s \oplus VT_s \oplus RT_s) \oplus \mathrm{PRNG}(TS_r \oplus TS_c \oplus T1_r)$, where $T1_r$ is a freshly generated pseudo-random number (hidden during transmission), $T_s$ is the tag secret, $RT_s$ and $VT_s$ are updated after each run, and the XOR of $T_{id}$, $T_s$, $VT_s$ and $RT_s$ is further randomized by the PRNG function (as is the XOR of $TS_r$, $TS_c$ and $T1_r$). By a similar argument, $Y_1$ is also unlinkable, since $Y_1 = G_{id} \oplus \mathrm{PRNG}(TG_s \oplus V_r) \oplus \mathrm{PRNG}(RT_s \oplus R_r)$, where $V_r$ and $R_r$ are freshly generated pseudo-random numbers (hidden during transmission), $RT_s$ is updated after each run, and $TG_s$ is a shared secret. The same principle applies to $\beta_1$ and $R_c$. As seen, $T_{id}$ and $R_{id}$ are never sent during the communication; they are well enciphered in the messages. $R_{id}$ cannot be obtained from $\delta_1$, $\delta_2$, $R_1$ without the knowledge of $RT_s$ and $R_r$. $T_{id}$ cannot be obtained from $V1_1$, $\mu_1$, $TS_v$, $M_1$, $\beta_1$ without the knowledge of $T_s$ and of $RT_s$, $R_r$, $VT_s$, $V_r$, $T1_r$, which change during each protocol run. Thus, the protocol guarantees tag/reader anonymity and tag/reader location privacy. In the forward channel, an adversary cannot impersonate the reader without the knowledge of $RT_s$ and $R_r$, which serve as challenges to the tag so it can authenticate the reader. If the verification $R_{id} = R_1 \oplus \mathrm{PRNG}(TS_v \oplus TS_c \oplus R_r)$ is successful, the tag confirms that the reader is legitimate, since only an entity with the knowledge of $RT_s$ and $R_r$ can compute a valid $R_1$. In a similar fashion, in the backward channel, the tag challenges the reader by using $RT_s$ and $R_r$ in $R_c$. The reader confirms that the tag is legitimate, since only an entity with the knowledge of $RT_s$ and $R_r$ can compute a valid $R_c$. Hence, the protocol is resistant to both tag and reader impersonation attacks. Therefore, with the Q-oracle, the advantage of the adversary is negligible, as the adversary does not learn any useful information. Hence the protocol is Existential-UNT-Q.

Table 4.7: GNY Logic - Security Correctness Proof (columns: No, Proof Notation, GNY Postulate; table body not reproduced here)

Now, consider that the adversary has access to the QS-oracle such that $\omega_i(T_1) \in \{\mathrm{Query}(\pi_{T_1}^i, *), \mathrm{Send}(\pi_{T_1}^i, m_{12})\}$ and $\omega_i(T_2) \in \{\mathrm{Query}(\pi_{T_2}^i, *), \mathrm{Send}(\pi_{T_2}^i, m_{22})\}$, where $m_2 = \{M_1, \beta_1, Y_1, R_c\}$. The adversary, on sending $m_2$ as a response to the reader, does not receive anything back from the reader. Hence the adversary is not presented with any additional advantage. Thus the protocol is Existential-UNT-QS.

Finally, consider the adversary having access to the QSE-oracle such that $\omega_i(T_1) \in \{\mathrm{Query}(\pi_{T_1}^i, *), \mathrm{Send}(\pi_{T_1}^i, m_2), \mathrm{Execute}(\pi_{T_1}^i, \pi_R^j)\}$ and $\omega_i(T_2) \in \{\mathrm{Query}(\pi_{T_2}^i, *), \mathrm{Send}(\pi_{T_2}^i, m_2), \mathrm{Execute}(\pi_{T_2}^i, \pi_R^j)\}$. The use of $RT_s$, $T_s$, $VT_s$, $V_r$ and of $R_r$, $T1_r$ (both hidden during transmission), together with the further randomization of the XOR operation, guarantees that the messages are unique each time the protocol is run. Also, since $VT_s$ is pre-computed during the initialization step, it is different for each round. Hence neither the current nor the previous $VT_s$ can be reused several times, and if the attacker replayed the previously captured messages, the protocol would fail in the tag ID verification step due to a mismatch in $VT_s$. If the adversary were to replay the reader's message from the previous round, the tag would know that the messages are not fresh when it extracts the pseudo-random number $R_r$ and checks whether $R_r = R_r^{-1}$ (the value received in the previous round). If they are the same, the tag does not respond and the protocol aborts. An attacker cannot mount this attack using messages from earlier rounds either, since $R_{id}$ is matched only using $RT_s$ or $RT_s^n$, and everything else will fail. Thus, by eavesdropping on multiple instances of the protocol, the adversary gains no advantage through the QSE-oracle, and the protocol is resistant to replay attacks. Thus the protocol is Existential-UNT-QSE, which is the strongest security requirement when the attacker cannot tamper with the tag.

Theorem 2: The proposed grouping proof protocol P is Forward-UNT-QSER.

Proof: In addition to the QSE-oracles, consider that the adversary also has access to the R-oracle such that $\omega_i(T_1) \in \{\mathrm{Query}(\pi_{T_1}^i, *), \mathrm{Send}(\pi_{T_1}^i, m_2), \mathrm{Execute}(\pi_{T_1}^i$ constant. Hence, by using them, if the adversary can link with previous communications of the tag, then the protocol is not Forward-UNT-QSER. It is now shown that, though the tag stores the current and previous values of the secret $VT_s$, an adversary still cannot trace the previous communications of the tag. The messages $M_1$, $\beta_1$, $Y_1$ and $R_c$ are computed using a freshly generated pseudo-random number $T1_r$, which is not resident data on the tag. In order to obtain $T1_r$ from $\beta_1$, the adversary would have to know $RT_s$ from the previous run, which is also not resident data on the tag: the tag stores only the current $RT_s$, which is updated after each protocol run. Hence, without these two unknowns, the attacker cannot decipher any of the contents of $M_1$, $\beta_1$, $Y_1$ and $R_c$. The freshness guarantees that the messages are unique each time, and the further randomization of the XOR operation in all these messages provides additional security.

Hence, an adversary cannot trace the previous communications of the tag using the current resident data on the tag.

Now, assume that an adversary executes the R-oracle on the reader and obtains $\{R_{id}, RV_s\}$ and $\{G_{id}, TS_r, TS_v, V1_{1..m}, V2, \mu_{1..m}, RT_{s,1..m}, RT^n_{s,1..m}\}$. It is important to note that $G_{id}$ and $R_{id}$ are already in a pre-computed encrypted form using $S_1$ and $S_3$ respectively, which are known only to the verifier. $RV_s$ is used only during the initialization phase and not during the protocol run. $R_{id}$ is well enciphered in $\delta_1$, $\delta_2$ and $R_1$ using $RT_s$ and $R_r$, where both $RT_s$ and $R_r$ change for every protocol run and are not sent in the clear. Also, $R_r$ is not resident data on the reader. $V1_{1..m}$ contains $T_{id,1..m}$, which cannot be deciphered without knowing $T_s$, $VT_s$ and $V_r$, none of which is resident data in the reader. Also, $VT_s$ and $V_r$ change for every protocol run and are not sent in the clear. Hence, without the knowledge of these secrets/pseudo-random numbers, an attacker cannot decipher the tag ID from $V1_{1..m}$. Similarly, the tag ID is well protected in $\mu_{1..m}$ using $VT_s$ and $V_r$. $G_{id}$ is not sent directly during the protocol run and is well protected in $V2$ using $TG_s$ and $V_r$; neither is resident data in the reader, and $V_r$ changes for every protocol run.

The unencrypted timestamp $TS_r$ acts as a scheduler for the reader so it can start the protocol run at appropriate times, and it is not transmitted during the protocol run. $TS_v$ contains the timestamp $TS_r$ but is well protected using $VT_s$ and $V_r$. $RT_{s,1..m}$ and $RT^n_{s,1..m}$ are different for each tag and are also updated after each protocol run. Hence, all the information stored in the reader is well protected, and an adversary cannot use it to decipher any information about any of the tags or to trace the previous communications of the reader using the current resident data on the reader. Note: the same principles apply if the attacker were to capture these messages by eavesdropping on the forward channel when the reader sends them to the tags (instead of executing the R-oracle on the reader).

Therefore the advantage presented to the adversary by using the R-oracle on the tag or the reader is negligible and the protocol is Forward-UNT-QSER.

Theorem 3: The proposed grouping proof protocol P is resistant to desynchronization attacks.

Proof: An adversary can cause a Denial of Service (DoS) attack by desynchronizing $RT_s$ between the reader and the tags through blocking certain messages. Consider that the adversary has access to the QS-oracle such that $\omega_i(T_1) \in \{\mathrm{Query}(\pi_{T_1}^i, *), \mathrm{Send}(\pi_{T_1}^i, m_{12})\}$, where $m_2 = \{M_1, \beta_1, Y_1, R_c\}$. The adversary, on blocking $m_2$ from reaching the reader, would cause the tag to update its secret $RT_s$ while the reader would not, desynchronizing the keys. When the protocol is run the next time, the tag would first use $\delta_1$ to authenticate the reader, which would not result in a match since the keys are different. This would prompt the tag to authenticate the reader using $\delta_2$, which would result in a match. In the last step, the tag updates the secret $RT_s$ only if the match was made using $\delta_1$. If the reader did not receive $m_2$, it retries the step using the same $RT_s$, $RT_s^n$ in $\delta_1$, $\delta_2$. When the reader receives the response from the tag, it updates the secret on its end, thereby resynchronizing the key. Therefore, by blocking $m_2$, the adversary cannot cause a DoS attack. Finally, if a protocol run were to abort halfway for any reason, some tags would have updated $RT_s$ but not all.

The proposed protocol is resilient to incomplete runs. If the reader had to restart the same run, the tags that had already updated $RT_s$ will not update again, because now the ID will be matched using $RT_s^n$. Only the tags that missed the run will perform this update. The same principle is applied to the secret $VT_s$ to prevent desynchronization between the server and the tag. Also, from Theorem 1, it is seen that the protocol achieves the strongest security requirement of Existential-UNT-QSE, which proves that an attacker cannot successfully complete a protocol run. Using these principles, both DoS and desynchronization attacks are completely prevented.
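The dual-key recovery rule of Theorem 3 (try $\delta_1$, then $\delta_2$; update $RT_s$ only on a $\delta_1$ match) and the $R_r = R_r^{-1}$ replay check of Theorem 1 can be exercised in a small simulation. The following is an added example, not the thesis's own code or protocol specification. It assumes 16-byte values, SHA-256 truncated to 16 bytes as the PRNG, $RT_s^n = \mathrm{PRNG}(RT_s)$ as the key-update rule, and a concrete form for $\delta_k$ as the pair $c_k = R_r \oplus \mathrm{PRNG}(K_k \oplus R_{id})$, $d_k = R_{id} \oplus \mathrm{PRNG}(K_k \oplus R_r)$ with $K_1 = RT_s$ and $K_2 = RT_s^n$; none of these four choices appears on the page, only the ordering and update rule do.

```python
import hashlib

SIZE = 16


def xor(*parts):
    """Bytewise XOR of any number of SIZE-byte strings."""
    out = bytearray(SIZE)
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def prng(x):
    """Stand-in PRNG (assumption): SHA-256 truncated to SIZE bytes."""
    return hashlib.sha256(x).digest()[:SIZE]


def next_key(k):
    """Assumed key-update rule RT_s^n = PRNG(RT_s); the thesis's rule is not on this page."""
    return prng(k)


class Tag:
    def __init__(self, rid, rts):
        self.rid = rid
        self.rts = rts          # the tag keeps only the current RT_s
        self.prev_rr = None     # R_r^{-1}: the reader challenge seen in the previous round

    def receive_forward(self, deltas):
        """Authenticate the reader: try delta_1, then delta_2.
        Returns R_r on success (applying the update rule), None if the tag aborts."""
        for k, (c, d) in enumerate(deltas, start=1):
            rr = xor(c, prng(xor(self.rts, self.rid)))        # recover R_r (assumed encoding)
            if xor(d, prng(xor(self.rts, rr))) != self.rid:   # R_id check fails under this key
                continue
            if rr == self.prev_rr:          # R_r = R_r^{-1}: replayed reader message, abort
                return None
            if k == 1:                      # matched via delta_1: advance RT_s
                self.rts = next_key(self.rts)
            self.prev_rr = rr               # matched via delta_2: RT_s stays as it is
            return rr
        return None                         # neither delta matched: reader rejected


class Reader:
    def __init__(self, rid, rts):
        self.rid = rid
        self.rts = rts                  # RT_s, used in delta_1
        self.rts_n = next_key(rts)      # RT_s^n, used in delta_2

    def forward(self, rr):
        """delta_1 and delta_2 as (c_k, d_k) pairs under RT_s and RT_s^n (assumed form)."""
        return [(xor(rr, prng(xor(k, self.rid))), xor(self.rid, prng(xor(k, rr))))
                for k in (self.rts, self.rts_n)]

    def receive_backward(self):
        """m_2 arrived: the reader advances its key pair."""
        self.rts, self.rts_n = self.rts_n, next_key(self.rts_n)


def run(reader, tag, forward_msg, block_m2=False):
    """One round: 'ok', 'aborted' (tag rejected the reader) or 'blocked' (m_2 dropped)."""
    if tag.receive_forward(forward_msg) is None:
        return "aborted"
    if block_m2:
        return "blocked"        # reader never sees m_2 and keeps (RT_s, RT_s^n)
    reader.receive_backward()
    return "ok"


def in_sync(reader, tag):
    return tag.rts == reader.rts


def scenario():
    """Blocked m_2, recovery via delta_2, replay of the recorded reader message, normal round."""
    rid, k0 = b"reader-id-000000", b"initial-RTs-0000"     # constructed sample values
    reader, tag = Reader(rid, k0), Tag(rid, k0)
    challenge = lambda n: prng(n.to_bytes(SIZE, "big"))      # constructed per-round R_r
    log = []
    log.append((run(reader, tag, reader.forward(challenge(1)), block_m2=True), in_sync(reader, tag)))
    captured = reader.forward(challenge(2))                  # the retry, as an eavesdropper records it
    log.append((run(reader, tag, captured), in_sync(reader, tag)))
    log.append((run(reader, tag, captured), in_sync(reader, tag)))
    log.append((run(reader, tag, reader.forward(challenge(3))), in_sync(reader, tag)))
    return log


if __name__ == "__main__":
    for outcome, synced in scenario():
        print(outcome, "in sync" if synced else "desynchronized")
```

The second round is the interesting one: the tag, already holding the advanced key, fails the $\delta_1$ check, passes $\delta_2$, and deliberately does not advance again, so the reader's own update brings both sides back to the same $RT_s$; the same path is what lets a tag that already updated during an aborted run accept the restarted run without a second update. The third round re-delivers the recorded message and is refused because the recovered $R_r$ equals the stored $R_r^{-1}$.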

Theorem 4: The proposed grouping proof protocol P is resistant to active-attacks.

Proof: Consider that the adversary has access to the QS-oracle such that $\omega_i(T_1) \in \{\mathrm{Query}(\pi_{T_1}^i, m_{11}), \mathrm{Send}(\pi_{T_1}^i, m_{12})\}$. Assume that the adversary, with the ability to modify messages, changes the Q-oracle message $m_{11}$ to $m_{11}'$ by introducing some random value $\gamma$ into one or more of the messages in $m_{11} = \{V1_1, V2, \mu_1, R_1, \delta_1, \delta_2, TS_v, TS_c\}$ (e.g., $V1_1 \leftarrow V1_1 \oplus \gamma$).

When the tag receives $m_{11}'$, it will not be able to authenticate the reader when it verifies whether $R_{id} = R_1 \oplus \mathrm{PRNG}(TS_v \oplus TS_c \oplus R_r)$ using its stored $R_{id}$ and $RT_s$. A valid reader ID will not be returned if the attacker modifies even one of the messages in $\{R_1, \delta_1, \delta_2, TS_c, TS_v\}$. In a similar fashion, a valid group ID/tag ID will not be returned if the attacker modifies even one of the messages in $\{V1_1, V2, \mu_1\}$ when the tag verifies whether $G_{id} = V2 \oplus \mathrm{PRNG}(TG_s \oplus V_r)$ and $T_{id} = V1_1 \oplus T_s \oplus \mathrm{PRNG}(VT_s \oplus V_r)$, using its stored IDs and secrets. The protocol aborts in either case. Thus, the integrity of all incoming messages is verified by the tag, and an attacker cannot successfully run the protocol by modifying the messages of the Q-oracle in the forward channel. In the backward channel, assume the attacker modifies $m_{12} = \{M_1, \beta_1, Y_1, R_c\}$ to $m_{12}'$. The reader verifies the integrity of the incoming messages using its own reader ID and the $R_r$ that was sent to the tag. If the attacker tampers with even one of the messages $\{M_1, \beta_1, Y_1, R_c\}$, a valid $R_{id}$ will not be returned when the reader verifies whether $R_{id} = R_c \oplus \mathrm{PRNG}(M_1 \oplus \beta_1 \oplus Y_1 \oplus RT_s \oplus R_r)$. These checks are performed by each entity every time a message is received during the entire protocol run. Hence the attacker cannot successfully run the protocol by modifying the messages of the QS-oracle. An adversary with access to the QSE-oracle gains nothing by repeatedly executing multiple instances of the protocol and tampering with the messages each time. Thus, the protocol is completely resistant to active attacks.
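The two verification equations quoted in this proof, $R_{id} = R_1 \oplus \mathrm{PRNG}(TS_v \oplus TS_c \oplus R_r)$ at the tag and $R_{id} = R_c \oplus \mathrm{PRNG}(M_1 \oplus \beta_1 \oplus Y_1 \oplus RT_s \oplus R_r)$ at the reader, can be checked against single-field tampering directly. The following is an added example, not the thesis's own code: $M_1$ and $Y_1$ are built exactly as given in the proof of Theorem 1, $R_1$ and $R_c$ are built so that the two equations above hold, and the assumptions are 16-byte values, SHA-256 truncated to 16 bytes as the PRNG, fixed sample secrets derived from their names, and $\beta_1$ as an opaque constructed value, since its construction does not appear on this page.

```python
import hashlib

SIZE = 16


def xor(*parts):
    """Bytewise XOR of any number of SIZE-byte strings."""
    out = bytearray(SIZE)
    for p in parts:
        for i, b in enumerate(p):
            out[i] ^= b
    return bytes(out)


def prng(x):
    """Stand-in PRNG (assumption): SHA-256 truncated to SIZE bytes."""
    return hashlib.sha256(x).digest()[:SIZE]


def build_r1(rid, ts_v, ts_c, rr):
    """Reader side: R_1 chosen so that R_id = R_1 XOR PRNG(TS_v XOR TS_c XOR R_r)."""
    return xor(rid, prng(xor(ts_v, ts_c, rr)))


def tag_verifies_reader(rid, r1, ts_v, ts_c, rr):
    """Tag-side check from Theorem 4 (forward channel)."""
    return xor(r1, prng(xor(ts_v, ts_c, rr))) == rid


def build_m2(s):
    """Tag side: M_1 and Y_1 per Theorem 1, beta_1 as a placeholder, and R_c binding all three."""
    m1 = xor(prng(xor(s["tid"], s["ts"], s["vts"], s["rts"])),
             prng(xor(s["tsr"], s["tsc"], s["t1r"])))
    y1 = xor(s["gid"], prng(xor(s["tgs"], s["vr"])), prng(xor(s["rts"], s["rr"])))
    beta1 = s["beta1"]      # placeholder: beta_1's construction is not given on this page
    rc = xor(s["rid"], prng(xor(m1, beta1, y1, s["rts"], s["rr"])))
    return {"M1": m1, "beta1": beta1, "Y1": y1, "Rc": rc}


def reader_verifies_tag(rid, m2, rts, rr):
    """Reader-side check from Theorem 4 (backward channel)."""
    return xor(m2["Rc"], prng(xor(m2["M1"], m2["beta1"], m2["Y1"], rts, rr))) == rid


def flip_bit(value, bit):
    """The adversary's gamma, applied as a single flipped bit."""
    b = bytearray(value)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def tamper_survey(s):
    """Flip one bit in each field of m_2 in turn, at several positions, and return the
    fields whose modification the reader still accepts (expected: none)."""
    m2 = build_m2(s)
    accepted = set()
    for field in m2:
        for bit in range(0, SIZE * 8, 37):
            tampered = dict(m2, **{field: flip_bit(m2[field], bit)})
            if reader_verifies_tag(s["rid"], tampered, s["rts"], s["rr"]):
                accepted.add(field)
    return accepted


def sample_secrets():
    """Constructed, fixed sample values (derived from their names) so the run is deterministic."""
    names = ["tid", "ts", "vts", "rts", "tsr", "tsc", "tsv", "t1r",
             "gid", "tgs", "vr", "rr", "rid", "beta1"]
    return {n: prng(n.encode()) for n in names}


def demo():
    """Returns (tag accepts genuine R_1, tag accepts tampered R_1, tag accepts tampered TS_v,
    reader accepts genuine m_2, fields of m_2 that survive tampering)."""
    s = sample_secrets()
    r1 = build_r1(s["rid"], s["tsv"], s["tsc"], s["rr"])
    genuine_fwd = tag_verifies_reader(s["rid"], r1, s["tsv"], s["tsc"], s["rr"])
    tampered_r1 = tag_verifies_reader(s["rid"], flip_bit(r1, 5), s["tsv"], s["tsc"], s["rr"])
    tampered_tsv = tag_verifies_reader(s["rid"], r1, flip_bit(s["tsv"], 0), s["tsc"], s["rr"])
    genuine_bwd = reader_verifies_tag(s["rid"], build_m2(s), s["rts"], s["rr"])
    return genuine_fwd, tampered_r1, tampered_tsv, genuine_bwd, tamper_survey(s)


if __name__ == "__main__":
    print(demo())   # (True, False, False, True, set())
```

Because $R_c$ is computed over the XOR of $M_1$, $\beta_1$ and $Y_1$ before the PRNG is applied, any change to one of those fields changes the PRNG input and therefore the recovered $R_{id}$; a change to $R_c$ itself shifts the recovered value directly. The survey makes that property visible without relying on the exact form of $\beta_1$.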