5.1.- Factores a considerar durante la selección del recubrimiento para el casco

Once the setup phase is complete, the connection to the verifier is not needed anymore.

The reader can function independently since it is equipped with all the necessary in-formation to gather grouping proofs whenever required. This makes the verifier totally

4.2. THE PROPOSED PROTOCOL 65

Table 4.3: Sample Dataset Stored in a Reader

GID T S_r T S_v V 1_1..m V 2 μ_1..m RT_s1..m RT_sⁿ

1..m

G_id1 T S_r1 T S_v1 .. .. .. .. ..

G_id1 T Sr₂ T Sv₂ .. .. .. .. ..

G_id1 T S_r3 T S_v3 .. .. .. .. ..

.. .. .. .. .. .. .. ..

.. .. .. .. .. .. .. ..

G_id1 T S_rn T S_vn .. .. .. .. ..

Gid₂ T Sr₁ T Sv₁ .. .. .. .. ..

G_id2 T S_r2 T S_v2 .. .. .. .. ..

.. .. .. .. .. .. .. ..

.. .. .. .. .. .. .. ..

G_idp T Sr₁ T Sv₁ .. .. .. .. ..

G_idp T S_r2 T S_v2 .. .. .. .. ..

.. .. .. .. .. .. .. ..

offline. As noted earlier, the collection phase has two parts. The details are presented below.

PART 1: Here, the reader collects partial-proofs from each tag for all m tags and is composed of 4 steps. Steps 1 and 2 are depicted in Figure 4.2, and Steps 3 and 4 are depicted in Figure 4.3.

Step 1: Reader computes its challenge, gets the current timestamp from T T S, and sends it along with the pre-computed server challenge to tag 1. This step is described below.

• Reader generates a fresh pseudo-random number Rr and computes δ1 = P RN G(

R_id⊕ RTs)⊕ Rr, δ2 = P RN G(R_id⊕ RTsⁿ)⊕ Rr.

• The pre-computed verifier messages V 1₁, V 2, μ₁, T Sv are randomized using Rr. As seen in the initialization phase, these messages are sufficiently randomized by the verifier and they would be significantly different for each tag and for each run.

But, if a protocol run was interrupted for some reason and the reader had to rerun it, it will use these same pre-computed messages for that run. But, as they are randomized again using the freshly generated R_r, an attacker won’t be able to distinguish the messages, even if they were sent again for the same run.

• The reader then requests a timestamp from the T T S. The T T S gets the current timestamp CT S, encrypts it using the secret key k_tv as T S_c= E_ktv(CT S). It then sends T S_c to the reader. As soon as T T S sends the first timestamp, it marks the beginning of the protocol run.

• The reader then computes R1 = Rid⊕ P RNG(T Sv⊕ T Sc⊕ Rr)

• It sends V 11, V 2, μ₁, R1, δ1, δ2, T Sv and T Sc to tag 1.

Step 2: Tag 1 validates the incoming messages, authenticates the reader, computes its partial-proof and sends it back to the reader. This step is described below.

Reader Step 1 Generate R_r for Tag 1; Using RT_s, RT_sⁿ of Tag 1 Compute:

δ1 = P RN G(Rid⊕ RTs)⊕ Rr; δ2 = P RN G(Rid⊕ RTsⁿ)⊕ Rr; V 1₁ = V 1₁⊕ Rr; V 2 = V 2⊕ Rr;

μ₁= μ₁⊕ Rr; T Sv = T Sv⊕ Rr;

Get T S_c from TTS (Marks the beginning of the protocol run) R1 = Rid⊕ P RNG(T Sv⊕ T Sc⊕ Rr)

Send V 1₁, V 2, μ₁, R1, δ1, δ2, T S_v, T S_c to Tag 1

Tag 1 Step 2

Extract: P RN G(R_id⊕ RTs)⊕ δ1 → Rr

If (Rid= R1⊕ P RNG(T Sv⊕ T Sc⊕ Rr)) Reader Authenticated

Message Integrity of R1, δ1, T Sv and T Sc Verified else

Use δ2 to extract R_r and try again. If unsuccessful, abort.

If R_r= R⁻¹_r then abort; else R_r⁻¹← Rr

Extract: V 1₁⊕ Rr→ V 1₁; V 2⊕ Rr→ V 2;

Extract: μ₁⊕ Rr→ μ1; T S_v⊕ Rr→ T Sv

Extract: Tid⊕ V Ts⊕ μ1→ Vr

If (G_id = V 2⊕ P RNG(T Gs⊕ Vr) and Tid = V 1₁⊕ Ts⊕ P RNG(V Ts⊕ Vr))

Group ID and Tag ID Authenticated

Message Integrity of V 1₁, V 2 and μ₁ Verified else

Use V T_s^ to extract Vr and try again. If unsuccessful, abort.

(Use V Ts or V T_s^ from here based on the match) Extract: P RN G(Tid⊕ V Ts)⊕ Vr⊕ T Sv → T Sr

Generate T 1_r

M 1 = P RN G(Tid⊕ Ts⊕ V Ts⊕ RTs)⊕ P RNG(T Sr⊕ T Sc⊕ T 1r) β1 = T 1_r⊕ P RNG(Tid⊕ V Ts⊕ RTs)

Y 1 = G_id⊕ P RNG(T Gs⊕ Vr)⊕ P RNG(RTs⊕ Rr) R_c= R_id⊕ P RNG(M1 ⊕ β1 ⊕ Y 1 ⊕ RTs⊕ Rr) If Tid matched using V Tsthen:

V T_s^ ← V Ts; V T_s← P RNG(V Ts);

If Rid matched using δ1 then RTs← P RNG(RTs) Send M 1, β1, Y 1, R_c to Reader

Figure 4.2: Proposed Offline Grouping Proof Protocol - Step 1 & Step 2

• Using stored {Rid, RT_s}, Rris extracted from δ1 as P RN G(R_id⊕RTs)⊕δ1 → Rr.

• Then, using Rr and other stored/received values, the tag verifies if R_id = R1⊕ P RN G(T Sv⊕T Sc⊕Rr). If successful, it authenticates the reader and also confirms the message integrity of R1, δ1, T S_v, T S_c. Otherwise, the above two steps are repeated using δ2. If either one results in a successful match for R_id, the protocol proceeds, otherwise it aborts.

4.2. THE PROPOSED PROTOCOL 67

• The tag then checks if Rr = R⁻¹_r . If yes, it does not respond and the protocol aborts. This is to make sure that an attacker is not replaying the message from the previous run. This attack cannot be attempted using the messages from the runs before that, since the R_id is matched only using RTs or RT_sⁿ and everything else will fail. Messages from a genuine reader will always be fresh since R_r is freshly generated every time. If it is not a replayed message, the tag updates R_r⁻¹ as R⁻¹_r ← Rr.

• The original pre-computed messages of the verifier are extracted by xor-ing Rr1

with V 1₁, V 2, μ₁, T Sv.

• The tag then extracts Vr from μ₁ as T_id⊕ V Ts⊕ μ1→ Vr.

• Now, the tag verifies if (Gid = V 2⊕ P RNG(T Gs⊕ Vr) and T_id = V 1₁ ⊕ Ts⊕ P RN G(V Ts⊕Vr)). If the verification fails, it uses V T_s^ and repeats the operation.

If either one results in a G_id, T_id match, it confirms that the messages are for this tag and also confirms the message integrity of V 1₁, V 2, μ₁. Otherwise the protocol aborts. Depending on whether V Ts or V T_s^ resulted in a match, the tag will use that when it continues the operation.

• The tag then extracts the Timestamp T Sras P RN G(Tid⊕V Ts)⊕Vr⊕T Sv→ T Sr.

• It then generates a pseudo-random number T 1r and computes M 1, β1, Y 1, R_c as:

– M 1 = P RN G(T_id⊕ Ts⊕ V Ts⊕ RTs)⊕ P RNG(T Sr⊕ T Sc⊕ T 1r) – β1 = T 1_r⊕ P RNG(Tid⊕ V Ts⊕ RTs)

– Y 1 = Gid⊕ P RNG(T Gs⊕ Vr)⊕ P RNG(RTs⊕ Rr) – R_c = R_id⊕ P RNG(M1 ⊕ β1 ⊕ Y 1 ⊕ RTs⊕ Rr)

• Finally, tag 1 updates V Ts^ ← V Ts and V Ts ← P RNG(V Ts). This is done only if T_id was matched using V T_s. If V T_s^ was used, this update is not performed. It also updates RT_s as RT_s ← P RNG(RTs) if R_id was matched using δ1.

• Finally, tag 1 sends M1, β1, Y 1 and Rc to the reader.

Step 3: Here, the reader validates the response from tag 1, computes the reader challenge, gets the current timestamp from T T S and sends them to tag 2 along with the pre-computed server challenge and the partial-proof from the first tag.

• Using the stored Rid, RT_s and the received values, the reader verifies if R_id = R_c ⊕ P RNG(M1 ⊕ β1 ⊕ Y 1 ⊕ RTs⊕ Rr). If successful, it authenticates the tag and also confirms the integrity of the messages M 1, β1, Y 1. Otherwise, the above step is repeated using RT_sⁿ. If either one results in a successful match for R_id, the protocol proceeds, otherwise it aborts.

• Using RTs or RT_sⁿ, the reader extracts Y 1 as Y 1 = Y 1⊕ P RNG(RTs ⊕ Rr).

This ensures that the tag group information is kept intact. Tag 2 will use Y 1 to authenticate tag group and also to ensure that its predecessor is from the same group.

• The reader then updates RTs← RTsⁿ and RT_sⁿ← P RNG(RTsⁿ).

Reader Step 3 If R_id= R_c⊕ P RNG(M1 ⊕ β1 ⊕ Y 1 ⊕ RTs⊕ Rr)

Tag Authenticated

Message Integrity of M 1, β1, Y 1 and R_c Verified else

Use RT_sⁿ above and try again. If unsuccessful, abort.

Y 1 = Y 1⊕ P RNG(RTs⊕ Rr) (Or use RT_sⁿ, based on match) RT_s← RTsⁿ; RT_sⁿ← P RNG(RTsⁿ);

Generate R_r for Tag 2; Using RT_s, RT_sⁿ of Tag 2 Compute:

δ1 = P RN G(R_id⊕ RTs)⊕ Rr; δ2 = P RN G(R_id⊕ RTsⁿ)⊕ Rr; V 1₂= V 1₂⊕ Rr; μ₂= μ₂⊕ Rr;

Get T S_cfrom TTS

R1 = R_id⊕ P RNG(M1 ⊕ T Sc⊕ Rr)

Send V 1₂, μ₂, M 1, Y 1, R1, δ1, δ2, T S_cto Tag 2

Tag 2 Step 4

Extract: P RN G(R_id⊕ RTs)⊕ δ1 → Rr

If (R_id= R1⊕ P RNG(M1 ⊕ T Sc⊕ Rr)) Reader Authenticated

Message Integrity of M 1, R1, δ1 and T S_c Verified else

Use δ2 to extract R_r and try again. If unsuccessful, abort.

If R_r= R_r⁻¹then abort; else R⁻¹_r ← Rr

Extract: V 1₂⊕ Rr → V 1₂; μ₂⊕ Rr → μ₂;

Extract T_id⊕ V Ts⊕ μ₂→ Vr

If (G_id= Y 1⊕ P RNG(T Gs⊕ Vr) and T_id= V 1₂⊕ Ts⊕ P RNG(V Ts⊕ Vr))

Group ID and Tag ID Authenticated

Message Integrity of V 1₂, Y 1 and μ₂Verified else

Use V T_s^ to extract V_r and try again. If unsuccessful, abort.

(Use V T_s or V T_s^ from here based on the match) Generate T 2_r

M 2 = P RN G(T_id⊕ Ts⊕ V Ts⊕ RTs)⊕ P RNG(M1 ⊕ T Sc⊕ T 2r) β2 = T 2_r⊕ P RNG(Tid⊕ V Ts⊕ RTs)

Y 2 = G_id⊕ P RNG(T Gs⊕ Vr)⊕ P RNG(RTs⊕ Rr) R_c= R_id⊕ P RNG(M2 ⊕ β2 ⊕ Y 2 ⊕ RTs⊕ Rr)

If T_id matched using V T_s then:

V T_s^ ← V Ts; V T_s← P RNG(V Ts);

If R_id matched using δ1 then RT_s← P RNG(RTs) Send M 2, β2, Y 2, R_c to Reader

Figure 4.3: Proposed Offline Grouping Proof Protocol - Step 3 & Step 4

• For the next tag, the reader generates a fresh Rr. This is done for each tag to prevent tag impersonation attacks. Then, using RT_s, RT_sⁿof tag 2, the reader per-forms similar operations as in Step 1. Finally, it sends V 1₂, μ₂, M 1, Y 1, R1, δ1, δ2 and T Sc to tag 2.

4.2. THE PROPOSED PROTOCOL 69

Step 4: Tag 2 validates the incoming messages, authenticates the reader, computes its partial-proof using the partial-proof from tag 1 and sends it back to the reader. As the operations are similar to tag 1, only the minor variations are pointed out below.

• Reader authentication and message integrity check is accomplished using M1 by verifying if R_id= R1⊕ P RNG(M1 ⊕ T Sc⊕ Rr).

• To verify group, tag 2 uses Y 1 instead of V 2, as in: if (Gid= Y 1⊕P RNG(T Gs⊕Vr) and T_id= V 1₂⊕ Ts⊕ P RNG(V Ts⊕ Vr)). This way, tag 2 ensures that the other participant belongs to the same group.

• After generating a pseudo-random number T 2r, it computes M 2 = P RN G(T_id⊕ Ts⊕ V Ts⊕ RTs)⊕ P RNG(M1 ⊕ T Sc⊕ T 2r). Note that M 2 uses M 1 of tag 1, thereby satisfying the dependency property.

• Tag 2 then updates V Ts, RT_susing the same principles described in Step 2. Finally, it sends M 2, β2, Y 2 and Rc to the reader.

The same procedure is repeated for the remaining tags, with the m^th tag taking inputs V 1_m, μ_m, M (m−1), Y (m−1), R1, δ, T Sc. After receiving the messages from the last tag M_m, β_m, Y_m and R_c, the reader gets the final timestamp T S_c from TTS which marks the end of the protocol run.

PART 2: The reader compiles all the partial-proofs to form the grouping proof and encrypts them. The proof is sent to the verifier either immediately or when more proofs have been generated at a later time.

• The reader compiles the proof P as P = {Gid, R_id, (M 1, β1, R_r, RT_s, RT_sⁿ, T S_c, R_c), (M 2, β2, Rr, RTs, RT_sⁿ, T Sc, Rc), ...(Mm, βm, Rr, RTs, RT_sⁿ, T Sc, Rc).

• The proof P is then encrypted as Ek_rv(P ) using the secret key k_rv that it shares with the verifier.

In document Patología estructural y del casco : métodos de protección, inspección, mantenimiento y reparación (página 61-66)