Avoine [4] proposes an adversarial model suited to RFID environments, and the security and privacy of the proposed schemes are studied using this model. The notation introduced below follows that model and is used to prove that the protocols meet the following security requirements: a) Existential-UNT-QSE, meaning an adversary is never able to track a tag by interacting with the tag and the reader or by eavesdropping on their communications; and b) Forward-UNT-QSER, meaning that even an adversary who physically compromises a tag and reveals its internal secrets is unable to trace its past communications. The choice of this privacy model is motivated by the flexibility of Avoine's model and by the drawbacks of more recent models, such as those proposed by Vaudenay [157] and Hermans [64], as noted in [31].
Avoine's model defines the notions of existential and universal untraceability, models access to the communication channels through a set of oracles, and gives a formal analysis of protocols in terms of traceability. The model observes that an adversary has most to gain from the communication channel between the reader and the tag, and from the contents of the tag's memory. This channel is subdivided into three as shown in Figure 3.1: the forward channel (reader → tag), the backward channel (tag → reader) and the memory channel (the memory of the tag). An adversary is assumed to be able to read the memory channel only once; this limit on access to the memory channel is closely tied to the notion of forward untraceability.
Figure 3.1: Information Channels of an RFID System [4]
Means of an Adversary - Every security proof requires a formalised adversarial model, and that model consists of the means of an adversary $\hat{A}$ and its goals. Means are represented by oracles; the tag is denoted by $T$, the reader by $R$ and a protocol by $P$. The reader and the tag can run several instances of $P$. Tag instances are denoted by $\pi_T^i$ and reader instances by $\pi_R^j$, where $i, j = 1..n$ and $n$ is the number of instances of $P$. In the oracles below, the forward channel carries messages from the reader to the tag, and the backward channel carries messages from the tag to the reader.
• Query (Q) $(\pi_T^i, m_1, m_3)$ - This query models $\hat{A}$ sending a request $m_1$ to $T$ through the forward channel and, after receiving its answer, subsequently sending $m_3$.
• Send (S) $(\pi_R^j, m_2)$ - This query models $\hat{A}$ sending the message $m_2$ to $R$ through the backward channel.
• Execute (E) $(\pi_T^i, \pi_R^j)$ - This query models $\hat{A}$ running an instance of $P$ between $T$ and $R$ and obtaining the messages exchanged in both the forward and backward channels.
• Execute* (E*) $(\pi_T^i, \pi_R^j)$ - This query models $\hat{A}$ running an instance of $P$ between $T$ and $R$ and obtaining the messages exchanged in the forward channel only.
• Reveal (R) $(\pi_T^i)$ - This query models $\hat{A}$ obtaining the content of $T$'s memory channel. It can be used only once, and afterwards Query (Q), Send (S), Execute (E) and Execute* (E*) can no longer be used.
A protocol that resists an attack A when the adversary $\hat{A}$ has access to the oracles in $\hat{O} \subset \{Q, S, E, E^*, R\}$ is denoted A-$\hat{O}$. The result of an application of an oracle is denoted by $\omega_i(T)$, so that $\omega_i(T) \in \{\mathrm{Query}(\pi_T^i, *), \mathrm{Execute}(\pi_T^i, *), \mathrm{Execute}^*(\pi_T^i, *), \mathrm{Reveal}(\pi_T^i)\}$.
Goals of an Adversary - The notion of untraceability (UNT) is introduced and is characterized by two fundamental points.
• An interaction is defined as a set of executions on the same tag during a period in which the adversary is in a position to physically identify it. It is written $\Omega_I(T) = \{\omega_i(T) \mid i \in I\} \cup \{\mathrm{Send}(\pi_R^i, *) \mid i \in J\}$, where $J \subset \aleph$. By definition, the length of an interaction $\Omega_I(T)$ is $|I|$, where $I$ is a sub-interval of $\aleph$.
• An adversary in a position to trace a tag can do it in a temporary way or in a definitive way. These cases lead to the notions of Existential and Universal untraceability.
After having interacted with a target $T$ and possibly some readers, thus obtaining an interaction $\Omega_I(T)$ whose length is less than a given parameter $l_{ref}$, an adversary $\hat{A}$ needs to find the target among two tags $T_1$ and $T_2$. $\hat{A}$ can query both tags and obtain two interactions, $\Omega_{I_1}(T_1)$ and $\Omega_{I_2}(T_2)$, whose lengths are less than a given length $l_{chal}$. The manner in which $I_1$ and $I_2$ are defined differentiates existential and universal traceability: if there exist $I_1$ and $I_2$ for which $\hat{A}$ succeeds, it is existential traceability; if the adversary wins for all $I_1$ and $I_2$, it is universal traceability.
Existential Untraceability - Parameters: $l_{ref}$, $l_{chal}$, $\hat{O}$
1. $\hat{A}$ requests the Challenger, thus receiving the target $T$.
2. $\hat{A}$ chooses $I$ and calls Oracle$(T, I, \hat{O})$ where $|I| \le l_{ref}$, then receives $\Omega_I(T)$.
3. $\hat{A}$ requests the Challenger, thus receiving her challenge $T_1$ and $T_2$.
4. $\hat{A}$ chooses $I_1$ and $I_2$ so that $|I_1| \le l_{chal}$, $|I_2| \le l_{chal}$ and $(I_1 \cup I_2) \cap I = \emptyset$.
5. $\hat{A}$ calls Oracle$(T_1, I_1, \hat{O})$ and Oracle$(T_2, I_2, \hat{O})$, and then receives $\Omega_{I_1}(T_1)$ and $\Omega_{I_2}(T_2)$.
6. $\hat{A}$ decides which of $T_1$ or $T_2$ is $T$, then outputs her guess $T'$.
Universal Untraceability - Parameters: $l_{ref}$, $l_{chal}$, $\hat{O}$
1. $\hat{A}$ requests the Challenger, thus receiving the target $T$.
2. $\hat{A}$ chooses $I$ and calls Oracle$(T, I, \hat{O})$ where $|I| \le l_{ref}$, then receives $\Omega_I(T)$.
3. $\hat{A}$ requests the Challenger, thus receiving her challenge $T_1$, $T_2$, $I_1$ and $I_2$.
4. $I_1$ and $I_2$ are chosen so that $|I_1| \le l_{chal}$, $|I_2| \le l_{chal}$ and $(I_1 \cup I_2) \cap I = \emptyset$.
5. $\hat{A}$ calls Oracle$(T_1, I_1, \hat{O})$ and Oracle$(T_2, I_2, \hat{O})$, then receives $\Omega_{I_1}(T_1)$ and $\Omega_{I_2}(T_2)$.
6. $\hat{A}$ decides which of $T_1$ or $T_2$ is $T$, then outputs her guess $T'$.
As seen above, the difference between the two lies in step 3: in the former the adversary chooses $I_1$ and $I_2$, whereas in the latter the challenger provides them. It is useful to restrict the choice of $I_1$ and $I_2$ made by the adversary (existential) or by the challenger (universal) so that $I \le I_1, I_2$ (resp. $I > I_1, I_2$), denoted Existential+ (resp. Existential−) and Universal+ (resp. Universal−). Universal− is particularly relevant when the oracle R is used, and it captures the notion of forward privacy, referred to as Forward-UNT. The advantage of $\hat{A}$ against a protocol $P$ is given by $\mathrm{Adv}^{UNT}_P(\hat{A}) = 2\Pr(T' = T) - 1$, where the probability space is over all the random tags. If $\hat{A}$'s advantage is negligible for the parameters $l_{ref}$, $l_{chal}$ and $\hat{O}$, $P$ is said to be UNT-$\hat{O}$.
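The untraceability experiment above can be exercised mechanically. The following Python is an added example, not the thesis' own code nor its proposed schemes: it runs the Existential-UNT game with Execute (E) oracle access only (the UNT-E case), using a linking adversary that matches backward-channel messages against the reference interaction, and estimates $\mathrm{Adv}^{UNT}_P(\hat{A}) = 2\Pr(T' = T) - 1$ for two constructed toy tags, one answering with a static identifier and one answering with a fresh nonce and a keyed hash.

```python
import hashlib
import hmac
import random

# Constructed toy tags (not the thesis' schemes): a tag maps the forward-channel message m1 to its reply m2.
def make_static_tag(rng):
    """Tag that answers every reader query with a fixed identifier."""
    ident = rng.randbytes(16)
    return lambda m1: ident

def make_randomised_tag(rng):
    """Tag that answers with a fresh nonce and a keyed hash over (m1, nonce)."""
    key = rng.randbytes(16)
    def respond(m1):
        nonce = rng.randbytes(8)
        return nonce + hmac.new(key, m1 + nonce, hashlib.sha256).digest()
    return respond

def execute(tag, rng):
    """Execute oracle E: run one instance of P and return both channels."""
    m1 = rng.randbytes(8)   # forward channel (reader -> tag): reader nonce
    m2 = tag(m1)            # backward channel (tag -> reader)
    return (m1, m2)

def linking_adversary(omega_ref, omega_1, omega_2, rng):
    """Guess 1 or 2: the challenge tag whose replies repeat one seen in Omega_I."""
    seen = {m2 for _, m2 in omega_ref}
    if any(m2 in seen for _, m2 in omega_1):
        return 1
    if any(m2 in seen for _, m2 in omega_2):
        return 2
    return rng.choice((1, 2))   # no link found: random guess

def existential_unt_e_game(make_tag, adversary, l_ref, l_chal, trials, seed=0):
    """Run the Existential-UNT-E experiment `trials` times; return 2*Pr(T' = T) - 1."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        target = make_tag(rng)                                    # step 1
        omega_ref = [execute(target, rng) for _ in range(l_ref)]  # step 2
        # steps 3-5: the challenger hands out T1, T2 in random order; the
        # adversary picks I1, I2 disjoint from I and queries both tags
        answer = rng.choice((1, 2))
        t1, t2 = (target, make_tag(rng)) if answer == 1 else (make_tag(rng), target)
        omega_1 = [execute(t1, rng) for _ in range(l_chal)]
        omega_2 = [execute(t2, rng) for _ in range(l_chal)]
        wins += adversary(omega_ref, omega_1, omega_2, rng) == answer  # step 6
    return 2 * wins / trials - 1
```

Calling `existential_unt_e_game(make_static_tag, linking_adversary, 3, 3, 200)` returns an advantage of 1.0 (the static tag is always traced), while the randomised tag yields an advantage near 0 because no backward-channel message ever repeats.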
Implications and Separations - The goals Existential-UNT, Forward-UNT and Universal-UNT of an adversary can be combined with its means $\hat{O} \subset \{Q, S, E, E^*, R\}$.
The relations called implication and separation are defined as follows. $A \rightarrow B$: a proof that if protocol $P$ meets the security notion A then $P$ also meets the security notion B. $A \nrightarrow B$: a protocol that provably meets the security notion A but provably does not meet the security notion B. For the goals, the relations are: Existential-UNT → Forward-UNT → Universal-UNT.
The relationships between the means of the adversary are UNT-E → UNT-E* but UNT-E* ↛ UNT-E. Moreover, for all distinct $A, B \in \{Q, S, E, R\}$, UNT-A ↛ UNT-B. However, QS → E and E ↛ QS. The implication comes from the fact that an adversary with access to the Q and S oracles can simulate E by relaying messages between the tag and the reader (a man-in-the-middle); the separation comes from the fact that an adversary using the E oracle is passive and therefore cannot modify messages as Q and S allow. Another important implication is: for all $\hat{O}, \hat{O}' \subset \{Q, S, E, E^*, R\}$, $\hat{O}' \subset \hat{O} \Rightarrow$ (UNT-$\hat{O}$ → UNT-$\hat{O}'$). If an adversary is not able to track a tag with a set of oracles $\hat{O}$, then it cannot succeed with a smaller set of oracles. Thus the focus is only on UNT-E, UNT-Q, UNT-QSE and UNT-QSER, with UNT-QSER → UNT-QSE → UNT-E and UNT-QSE → UNT-Q.
It is clear that a protocol should be both UNT-Q and UNT-E, meaning an adversary should not be able to track a tag simply by querying it or by eavesdropping on the channels.
In practice, a protocol must be Existential-UNT-QSE and Forward-UNT-QSER. This means an adversary is never capable of tracking a tag when he can interact with both the target tag and the readers, or when he can eavesdrop executions between the tag and readers. Also, obtaining the content of a tag by tampering with it does not allow the adversary to track its past. In this thesis, it is shown that the proposed schemes are both Existential-UNT-QSE and Forward-UNT-QSER.
3.3 Summary
This chapter started with a discussion on the methods used in the design of the protocols that target passive tags to facilitate large-scale implementations. Highlights were then presented as to how the protocols meet EPC C1G2 compliance while meeting the security requirements of RFID. The discussion then focused on the industry accepted formal analysis models that are applied to the proposed protocols to prove the security and privacy claims. The first of the two grouping proof protocols is presented in the next chapter.
Chapter 4
Grouping Proof - Protocol I
In this chapter, a Grouping Proof protocol is proposed based on simple XOR and 128-bit PRNG operations. An overview of the unique design requirements of grouping proofs is presented first, followed by the motivation for the work and a summary of the contributions. The workings of the protocol are then described at length, followed by a detailed security analysis using the formal analysis models described in Chapter 3. A discussion of how the proposed protocol meets the design requirements of grouping proofs is then presented, followed by a simulation study that shows the performance of the proposed protocol in a simulated environment. Finally, the chapter concludes with the recommended parameter settings for the proposed scheme.