RFID Ownership Transfer with Positive Secrecy Capacity Channels

Abstract

RFID ownership transfer protocols (OTPs) transfer tag ownership rights. Recently, there has been considerable interest in such protocols; however, guaranteeing privacy for symmetric-key settings without trusted third parties (TTPs) is a challenge still unresolved. In this paper, we address this issue and show that it can be solved by using channels with positive secrecy capacity. We implement these channels with noisy tags and provide practical values, thus proving that perfect secrecy is theoretically possible. We then define a communication model that captures spatiotemporal events and describe a first example of symmetric-key based OTP that: (i) is formally secure in the proposed communication model and (ii) achieves privacy with a noisy tag wiretap channel without TTPs.

1. Introduction

Radio frequency identification (RFID) is a widely-deployed technology for supply-chain and inventory management, retail operations and more generally automatic identification. Most of these applications need to be secured.

Ownership transfer protocols (OTPs) allow the secure transfer of tag ownership from a current owner to a new owner. Three different entities are present in an OTP: the tag $\mathcal{T}$ whose rights are being transferred, the current owner who has the initial control of $\mathcal{T}$ and the new owner who will take control of $\mathcal{T}$ when the protocol is completed. OTPs must incorporate security requirements that protect the privacy of both the new and the previous owner of the tag. For RFID applications privacy addresses anonymity that protects the identity of tags and untraceability that prevents interrogations (partial or completed) of a tag being linked. Formal definitions for secure ownership and ownership transfer are provided by van Deursen et al. [1], while several theoretical models have been proposed in the literature that address the privacy of RFID systems [2,3,4,5].

Several OTPs that address security issues have been proposed. However, preventing a previous owner from accessing the key(s) of a tag whose ownership was transferred is still an unsolved problem when symmetric-key techniques are used [6,7]. The current approach for privacy is to either employ a trusted third party (TTP) to break the trust link between a tag and its owner (e.g., [8,9]), or an isolated environment (ISE) (e.g., [10,11]) without any adversarial interference. The first approach is centralized and not appropriate when tags belong to different authorities/companies. In fact, the TTP can be considered as the real holder of the tag’s rights, while the different owners have simply delegated ownership. The second approach assumes a weak threat model and, as claimed in [7]: if such protection is adequate, then there is no need for security. Our main contributions in this paper are to:

(1)

Define a communication model for ownership transfer that addresses spatiotemporal connectivity (Section 3). Many OTPs do not specify the communication setup and assume channels that are impractical for RFID settings.

(2)

Provide a theoretical analysis of wiretaps with noisy tags (Section 4), show how these could be implemented and prove that perfect secrecy is achievable.

(3)

Present an OTP that is provably secure in this communication model and that uses a wiretap channel with noisy tags to achieve privacy (Section 5). This is the first example of symmetric-key-based OTP that does not require TTPs or an ISE. GNYlogic and strand spaces [12,13,14,15] are used in the Appendix A for the security analysis.

2. Background

2.1. Definition and Security Requirements

Tag ownership can be defined as the ability to identify and/or access the tag, which in turn usually implies knowledge of private keys stored on the tag. Ownership transfer protocols enable the transfer of ownership rights of a tag $\mathcal{T}$ from the current owner ${\mathit{Own}}_c$, or seller, to a new owner ${\mathit{Own}}_n$ or buyer. At the beginning of the OTP, the seller is the only entity that can identify and trace $\mathcal{T}$, while when the OTP is completed, $\mathcal{T}$ can only be identified and/or traced by the buyer. A TTP is usually deployed to manage this ownership transfer.

We next list some specific security requirements for OTPs:

Unlinkability or untraceability. An adversary that physically tracks tags can easily determine which executions are linked. This cannot be prevented. Unlinkability is related to the capability of linking interrogations after this physical tracking is temporarily interrupted. Different formal models can be found in the literature (e.g., [2,3,4]). Intuitively, a protocol guarantees unlinkability or privacy if no adversary can decide with advantage better than negligible whether two messages taken from different protocol executions belong to the same tag or not.

Privacy of ${\mathit{Own}}_n$ (backward secrecy): The current owner ${\mathit{Own}}_c$ cannot identify $\mathcal{T}$ once ownership rights are transferred to the new owner ${\mathit{Own}}_n$.

Privacy of ${\mathit{Own}}_c$ (forward secrecy): Once ownership rights of $\mathcal{T}$ are transferred to the new owner ${\mathit{Own}}_{\mathit{n}}$, past communications between $\mathcal{T}$ and previous owners cannot be traced by an adversary (or subsequent owners), even if the current private information stored on $\mathcal{T}$ is revealed (e.g., by physical attacks).

OTPs are sometimes designed [10,16,17] to provide extended capabilities such as: tag assurance, undeniable ownership transfer, current ownership proof, ownership delegation and authorized recovery.

2.2. Related Work

We only review the most relevant symmetric-key-based OTPs for RFID. Saito et al. [18] and Molnar et al. [16] presented in 2005 the first OTPs for RFID applications. Saito et al. proposed two protocols: one with and one without TTP. The security of the latter is based on the short range of the backward channel and assumes that it is hard for adversaries to eavesdrop on this channel. Molnar et al. proposed a scheme with TTP to manage tag keys by using a tree structure. Some vulnerabilities of this scheme are discussed in [19]. Soppera and Burbridge [20] modified Molnar et al.’s scheme by replacing the TTP with distributed local devices called RFID acceptor tags. Osaka et al. [21] used a kind of TTP with hash values to protect messages and a keyed encryption function for ownership transfer. Chen et al. [22] and Japinnen and Hamalainen [23] modified Osaka et al.’s scheme to prevent DoS attacks. Yoon and Yoo [24] also modified Osaka et al.’s scheme, by assuming that owners are able to change the tag’s key in an ISE. Their scheme had some vulnerabilities described in [25]. Dimitriou [26] proposed RFIDdot, an ownership transfer scheme based on random nonces and a keyed encryption function, making the assumption that key updates are performed in a private environment. More recently, Song and Mitchell [27,28] also assumed an ISE, but used keyed hash functions and one-time tag identifiers with hash chains. Kapoor and Piramuthu proposed two new schemes [7] based on a TTP and ISE respectively for the transfer of single tags, while a variant of these protocols for multiple tags has also been published [29]. Finally, several schemes have recently been proposed that comply with the EPCGen2 [30] standard for low-cost tags in the UHF band. These again assume TTPs or ISE and combine simple XOR operations, Cyclic Redundancy Codes (CRC16) and/or use the on-board PRNG as the security primitive (e.g., [9,31,32,33]). The security problems of some of these have been described recently [34].

Motivation: Comparison with Previous Works

As observed, the ownership transfer protocols proposed in the literature rely either on the use of TTPs or the assumption of an ISE. Typically, TTPs have a centralized management that may not be compatible with the distributed management of RFID systems. For example, the RFID parties (the owners) with possibly conflicting interests must trust the TTP that manages their tags. On the other hand, the assumption of ISEs where no adversary can interfere is an assumption of a weak adversary model: if such an environment were available, then no other security protection would be needed [7]. This paper proposes a key exchange protocol that addresses the new owner’s privacy concerns without resorting to either TTPs or an ISE.

The discussed protocols also use communication models that are sometimes impractical for real-life scenarios. To illustrate this, let us consider the two protocols proposed in [7]: one with TTP, the other without TTP (but with an ISE), whose flows are shown in Figure 1. In the first, Figure 1a, the TTP does not use a reader to communicate with tag $\mathcal{T}$, but communicates directly (Flows 1–2). This begs the question: if such a TTP were installed in the buyer’s or seller’s location, what trust issues would arise if the transferred goods belong to different authorities. In the second protocol, Figure 1b, $\mathcal{T}$ interacts first with the current owner (the seller, Flow 2) and then with the new owner (the buyer, Flows 3–6). However if something goes wrong (Flow 6 is not received correctly), then the process must be repeated from the beginning. This implies that the buyer and the seller must be available during the transaction, which restricts the possible transaction scenarios to one location (e.g., to a shop). In this paper, we define a communication model where tags can only communicate through readers. This leads to designs of protocols with, if deployed, centralized TTP infrastructures and, in contrast to the examples described above, that allow the seller and buyer to be in different physical locations.

3. A Communication Model for RFID Ownership Transfer

3.1. Entity Capabilities

High-level entities include RFID readers, servers and TTPs. In general, these are able to perform complex cryptographic operations, such as asymmetric encryption/decryption and digital signatures/verification.

RFID tags: In this paper, we are only concerned with UHF passive tags that operate in the far field [35], which are the most common for supply chain applications. These work at higher distances than tags with inductive coupling, but the delivered power is low; therefore, not too complex (lightweight) cryptographic tools should be used [36]. Low price is also a common requirement, and therefore, tamper-resistant shielding and on-board clocks cannot be usually assumed.

3.2. Communication Model

This is defined in terms of its channels with security features, such as privacy and integrity, and connectivity (availability).

3.2.1. Privacy/Integrity Channels

Between high-level entities (readers, servers or TTPs): These can be considered secure, since fully-fledged cryptographic techniques can be used.

Between readers and tags: By contrast, these are particularly vulnerable; they are wireless (the adversary can eavesdrop and block/modify/inject messages), and tags can only implement lightweight cryptographic mechanisms. Passive tags can only communicate with active entities that are physically close and provide them with energy: i.e., RFID readers.

3.2.2. Connectivity

Connectivity is a function of space and time. As far as we know, OTPs proposed in the literature do not discuss spatiotemporal connectivity issues, though several ( e.g., [7,9,17]) assume channels that allow high-level parties, including a TTP (e.g., [7]), to communicate with a tag $\mathcal{T}$ in real time during the execution of the OTP: for example, to restart the protocol if it fails. This implies that $\mathcal{T}$ must be physically close to the corresponding high-level parties during the execution of the protocol, which in many practical scenarios may not be the case. Suppose for example that a client purchases RFID-tagged items for tracking and counterfeit prevention via the Internet. The seller dispatches the items, and when these reach the destination, the client requests the transfer of ownership rights. In this case, ownership transfer takes place in a different location from the seller’s location, and a different connectivity model is needed, where the seller cannot communicate with the tags at this stage (likewise, buyers cannot communicate with tags at the beginning of the transaction). We also need a spatiotemporal TTP network infrastructure in which TTPs may have to communicate in real time (as in [7]). Figure 2 illustrates the differences between the traditional and the extended communication model.

Let $\mathcal{R}1$, $\mathcal{R}2$, TTP be the readers of ${\mathit{Own}}_c$, ${\mathit{Own}}_n$, TTP, $\mathcal{T}$ a tag, $a,b$ be OTP parties and $\exists \left(a\stackrel{t}{\leftrightarrow }b\right)$, $\exists \left(a\stackrel{t}{\iff }b\right)$ stand for “there exists a channel at time t between $a,b$”, “there exists a secure channel at time t between $a,b$”, respectively. When t is not indicated, continuous connectivity is assumed. We formally define the connectivity requirements of the OTP model by the relations:

• $\exists (\mathcal{R}1\iff \mathcal{R}2)\wedge \exists (\mathcal{R}1\iff \mathit{TTP})\wedge \exists (\mathcal{R}2\iff \mathit{TTP})$,
• $\left.\begin{array}{c}\exists \left(\mathcal{R}1\stackrel{t}{\leftrightarrow }\mathcal{T}\right)\mathrm{for}{t}_0\le t<t_1\\ \exists \left(\mathcal{R}2\stackrel{t}{\leftrightarrow }\mathcal{T}\right)\mathrm{for}{t}_2\le t<t_3\end{array}\right\}\mathrm{with}{\mathrm{t}}_1\le {\mathrm{t}}_2$.

Thus, a TTP, if deployed, can only communicate with tags $\mathcal{T}$ via readers $\mathcal{R}1$, $\mathcal{R}2$.

4. A Wiretap Channel with Positive Secrecy Capacity

To guarantee the privacy of a new owner ${\mathit{Own}}_n$ of a tag $\mathcal{T}$ and prevent the previous owner ${\mathit{Own}}_c$ from accessing $\mathcal{T}$, ${\mathit{Own}}_n$ and $\mathcal{T}$ must agree on a fresh key in the presence of ${\mathit{Own}}_c$: that is, with ${\mathit{Own}}_c$ a potential eavesdropper. Note that ${\mathit{Own}}_c$ has full knowledge of the private keys of $\mathcal{T}$. We shall show that by using Wyner’s wiretap channel [37] with noisy tags, we can achieve positive secrecy.

The fundamental property of the superposition of the wireless medium can be pitted against eavesdropping by using interference at the physical layer to degrade communication. Degrading is implemented via reader-controlled interferers called noisy tags. Noisy tags were first used by Juels et al. [38] to protect consumers from unwanted RFID scanning. Later, Castellucia and Avoine [39] used noisy tags for sharing secret keys, which however only addresses passive adversaries since authentication is not ensured. We shall assume that noisy tags do not present any special features, so any tag can become a noisy tag. If more sophisticated noisy tags are available, then implementations with better performance can obviously be achieved.

We use the following notation: $X,Y,N$ are random variables taking values $x,y,n$ in the alphabets $\mathcal{X},\mathcal{Y},\mathcal{N}$, respectively. Figure 3 depicts our model of a wiretap channel with input alphabets $\mathcal{X},{\mathcal{N}}_1,\dots ,{\mathcal{N}}_{n_T}$, output alphabet $\mathcal{Y}$ and transition probabilities $p\left(y\right|x,n_1,\dots ,n_{n_T})$.

Tag $\mathcal{T}$ transmits the message S (coded as X) to the new owner ${\mathit{Own}}_n$ (the intended receiver) with the help of $n_T$ noisy tags, in the presence of the current owner ${\mathit{Own}}_c$, who acts as a passive eavesdropper. The wiretap channel can be seen as a stochastic encoder of X with output alphabet $\mathcal{Y}$. The variable Y is input to the maximum a posteriori probability (MAP) estimators of ${\mathit{Own}}_n$ and ${\mathit{Own}}_c$, but while ${\mathit{Own}}_c$ only knows the value of Y, ${\mathit{Own}}_n$ also knows the values of the inputs $N_1,\dots ,N_{n_T}$. Thus, if we assume the wireless medium is noiseless, then the estimate $S=s$ of ${\mathit{Own}}_n$ is correct, while the estimate $\overline{S}=\overline{s}$ of ${\mathit{Own}}_c$ is degraded by the stochastic encoder. This degradation can be quantified by the conditional entropy $H\left(X\right|Y)$.

$$H\left(X\right|Y)=\sum _{j=0}^{\left|\mathcal{X}\right|-1}\sum _{k=0}^{\left|\mathcal{Y}\right|-1}-p(x_j,y_k)·{log}_{2}p\left(x_j\right|y_k)$$

(1)

The capacity of the eavesdropper channel (${\mathit{Own}}_c$’s) is defined as $C_{eav}=H\left(X\right)-H\left(X\right|Y)$. The secrecy capacity for the wiretap model is $C_s=C_{\mathit{main}}-C_{eav}$, where $C_{\mathit{main}}$ is the capacity of the main channel (${\mathit{Own}}_n$’s). In the noiseless case, we have $C_{\mathit{main}}=H\left(X\right)$, and therefore, the secrecy capacity coincides with the conditional entropy of the eavesdropper $C_s=H\left(X\right|Y)$, while the analysis of secrecy reduces to the eavesdropper’s channel. In general, the more degraded the wiretap channel, the higher the secrecy capacity. We assume for this analysis that the adversary cannot identify the source of each message via signal characteristics (fingerprints, level power, phase shifts, etc.). This implies that tags should be close and implement the same modulation alphabet; i.e., ${\mathcal{N}}_j=\mathcal{X}$, $1\le j\le n_T$. Possible implementation imperfections, such as delays, signal levels, frequency deviations, etc., should not reveal their origin; i.e., be insignificant or have sufficient randomness. Note that this assumption is implicit in the RFID literature in protocols that address privacy issues: traceability cannot be prevented if tags are physically identified. In this particular case, to prevent an adversary from identifying the target tag, we should guarantee that the tag is close enough to the noisy tags and that it does not present distinguishable imperfections; i.e., insignificant or significant, but changing in every execution. In practice, fortunately, although it is true that no two tags have identical signals, the differences are typically insignificant, making it hard to disambiguate them. As a consequence of the superposition property of the wireless channel, from a theoretical point of view, any modulation can be used (with initial calibration if required), but in practice, some modulations have better features than others. Figure 4 shows a simplified example that uses PPM (pulse position modulation). A bit is encoded by transmitting a pulse in one of two possible time slots. Synchronization between tags is helped by the fact that they share the same reference (reader’s) signal. Perfect synchronization is not necessary: tags may have different delays provided there is no pattern that can be exploited to identify a tag.

If noise and imperfection implementations are not considered, the security of the system relies exclusively on the stochastic encoder. For r-ary input alphabets $\mathcal{X}=\{x_0,x_1,...,x_{r-1}\}$, with $p\left(x_i\right)=1/r$, $0\le i\le r-1$, the output alphabet is $\mathcal{Y}={\left\{y_i\right\}}_{i=0}^{\left|\mathcal{Y}\right|-1}$, and the cardinality of $\mathcal{Y}$ (combinations with repetition of r elements taken $n_T+1$ at a time) and the transition probabilities can be computed as follows:

$$\left|\mathcal{Y}\right|=\left(\begin{array}{c}{n}_T+r\\ r-1\end{array}\right)=\left(\begin{array}{c}{n}_T+r\\ n_T+1\end{array}\right),$$

(2)

$$p\left(y_{m_0{m}_1...m_{r-1}}\right|x_i)=\frac{1}{r^{n_T}}\left(\begin{array}{c}{n}_T\\ m_0{m}_1...m_{r-1}\end{array}\right)$$

(3)

where $y_{m_0{m}_1...m_{r-1}}$ is the output symbol resulting from the combination of $m_0$ symbols $x_0$, $m_1$ symbols $x_1$, and so on, until $m_{r-1}$ symbols $x_{r-1}$, with $m_0+m_1+...+m_{r-1}=n_T$.

Particularizing for binary input alphabets ($r=2$), $\mathcal{X}=\{x_0,x_1\}$, with $p\left(x_0\right)=p\left(x_1\right)=0.5$ ($H\left(X\right)=1$), the output alphabet is $\mathcal{Y}={\left\{y_i\right\}}_{i=0}^{n_T+1}$, where $y_i$ is the combination of i symbols $x_0$ and $(n_T+1-i)$ symbols $x_1$. The transition probabilities $p\left(y_i\right|x_j)$ are given by:

$$p\left(y_i\right|x_0)=p\left(y_{N+1-i}\right|x_1)=2^{-n_T}\left(\genfrac{}{}{0pt}{}{n_T}{i}\right),i=0,\dots ,n_T+1.$$

(4)

${\mathit{Own}}_c$’s detector receives $y_i$ and applies the decoding specified by:

$$\begin{array}{cc}{n}_T\mathrm{even},\overline{s}=\hfill & \left\{\begin{array}{c}g\left(x_0\right)\mathrm{if}i<{\displaystyle \frac{n_T+1}{2}}\hfill \\ g\left(x_1\right)\mathrm{otherwise}\hfill \end{array}\right.\hfill \\ n_T\mathrm{odd},\overline{s}=\hfill & \left\{\begin{array}{c}g\left(x_0\right)\mathrm{if}i<{\displaystyle \frac{n_T+1}{2}}\hfill \\ g\left(x_1\right)\mathrm{if}i>{\displaystyle \frac{n_T+1}{2}}\hfill \\ \mathrm{otherwise},\mathrm{choose\; at\; random}g\left(x_0\right)\mathrm{or}g\left(x_1\right)\hfill \end{array}\right.\hfill \end{array}$$

(5)

with g the mapping function $g:X\to S$.

The error probability, defined as $p_e=Pr[\overline{s}\ne s]$, is computed as:

$$p_e=2^{-n_T}\left(\sum _{i=0}^{⌊\frac{n_T}{2}-1⌋}\left(\genfrac{}{}{0pt}{}{n_T}{i}\right)+\frac{1}{2}\left(\genfrac{}{}{0pt}{}{n_T}{\frac{n_T+1}{2}}\right)\right),$$

(6)

where the last summand is zero when $n_T$ is even. Figure 5 plots the secrecy capacity $C_s$ of the wiretap channel, the error probability and Fano’s bound, against the number of noisy tags. Secrecy increases sharply until $n_T\approx 5$; as $n_T\to \infty$, the equivocation of the eavesdropper approaches the unconditional source entropy, and we get perfect secrecy: ${lim}_{n_T\to \infty }H\left(X\right|Y^{\left(n_T\right)})=H\left(X\right)=1$. For $n_T=3$, the secrecy capacity $C_s=H\left(X\right|Y)=0.78$ offers a good compromise between features and ease of implementation. The capacity of ${\mathit{Own}}_c$’s channel is just $C_{eav}=0.22$ bits.

5. An Ownership Transfer Protocol

We next present an example of an OTP that: (i) works according to the communication model defined in Section 3.2 and (ii) uses a channel with positive secrecy capacity, implemented with noisy tags, to guarantee the privacy of the new owner.

The protocol addresses practical design features, such as (secure) singulation of tags and the interrogator-talks-first requirement (communication must be initiated by the reader), and guarantees that the information stored on the tag coincides with that provided to the new owner (tag assurance [17]). Note also that it complies with the restrictions in Section 3.1 regarding entities’ capabilities. That is, while RFID readers can implement fully-fledged cryptographic tools, RFID tags are restricted to a pseudorandom number generator (PRNG) and a cryptographic (one-way, collision-resistant) hash function $F:{\{0,1\}}^{\ast }\to {\{0,1\}}^n$. The number of inputs is, however, designed to be intentionally low so that it can be more easily adapted to other possible primitives. We assume that identifiers, random numbers and keys all have the same (bit) length n, which is the security parameter of the protocol. We introduce our notation.

$$\begin{array}{cc}\mathit{ID}\hfill & \text{identifying information of }\mathcal{T}.\hfill \\ {\mathit{Info}}_{\mathit{ID}}\hfill & \mathrm{hash\; of\; the\; manufacturer\; information}.\hfill \\ \mathcal{R}1,\mathcal{R}2\hfill & \text{readers of }{\mathit{Own}}_c\mathrm{ and }{\mathit{Own}}_n\mathrm{ respectively}.\hfill \\ \mathit{IDR}1,\mathit{IDR}2\hfill & \mathrm{identifiers\; for }\mathcal{R}1\mathrm{ and }\mathcal{R}2\mathrm{ respectively}.\hfill \\ s_1\hfill & \mathrm{key\; that }\mathcal{T}\mathrm{ shares\; with }\mathcal{R}1.\hfill \\ s_2\hfill & \mathrm{key\; that}\mathcal{T}\mathrm{ shares\; with }\mathcal{R}2.\hfill \\ \overline{s_2}\hfill & \mathrm{key\; that }\mathcal{T}\mathrm{ eventually\; shares\; with }\mathcal{R}2.\hfill \\ N_{\mathcal{T}},N_{\mathcal{T}}^{\prime }\hfill & \mathrm{random\; numbers\; generated\; by }\mathcal{T}.\hfill \\ N_{\mathcal{R}1}\hfill & \mathrm{random\; number\; generated\; by }\mathcal{R}1.\hfill \\ N_{\mathcal{R}2},N_{\mathcal{R}2}^{\prime }\hfill & \mathrm{random\; numbers\; generated\; by }\mathcal{R}2.\hfill \\ {\mathcal{T}}_t^{\ast }\hfill & \mathrm{the }t\mathrm{ noisy\; tag},\mathrm{with }1\le t\le n_T.\hfill \\ s_t^{\ast }\hfill & \mathrm{the\; key\; that\; the }{\mathcal{T}}_t^{\ast }\mathrm{ shares\; with }\mathcal{R}2.\hfill \end{array}$$

5.1. The Ownership Transfer Protocol, Figure 6

Initialization

1.

Initially, each owner knows for each tag $\mathit{ID}$ its information and private key $s_1$. Likewise, each tag stores, along with its identifier $\mathit{ID}$ and ${\mathit{Info}}_{\mathit{ID}}$, the identifier of its owner $\mathit{IDR}1$ and the private key. $\mathcal{R}1,\mathcal{R}2$ agree to transfer ownership of tag $\mathcal{T}$ with identifier $\mathit{ID}$. $\mathcal{R}1$ sends (secure channel) $\mathcal{R}2$ manufacturer information about the tag (${\mathit{Info}}_{\mathit{ID}}$ when hashed).

$$\mathcal{R}1\Rightarrow \mathcal{R}2:\mathit{ID},\mathrm{manufacturer\; information}$$

Setup for Ownership Transfer

2.

$\mathcal{R}1$ regularly broadcasts $Query$ messages to detect the presence of tags.

$$\mathcal{R}1\to \mathrm{tags}:Query$$

3.

When $\mathcal{T}$ receives a $Query$ (presumably because it is within the range of $\mathcal{R}1$), it selects a random nonce $N_{\mathcal{T}}$ and sends:

$$\mathcal{T}\to \mathcal{R}1:F(N_{\mathcal{T}},s_1),N_{\mathcal{T}}$$

4.

$\mathcal{R}1$ searches for a pair $(ID,s)$ in its database to get a match. If there is no match, then the process is repeated from Step 2. Otherwise, $\mathcal{T}$ is singulated: $\mathcal{R}1$ selects a random nonce $N_{\mathcal{R}1}$ and a request OTR and sends:

$$\mathcal{R}1\to \mathcal{T}:\mathit{OTR},\mathit{IDR}1,\mathit{IDR}2,F(s_1,N_{\mathcal{T}}),N_{\mathcal{R}1}$$

5.

$\mathcal{T}$ checks $F(s_1,N_{\mathcal{T}})$ to authenticate $\mathcal{R}1$. $\mathcal{T}$ does not reply if there is no match. Otherwise, it computes $s^{\prime }=F(N_{\mathcal{T}},N_{\mathcal{R}1},s_1)$, saves $[\mathit{IDR}2$, $s^{\prime }]$, until the protocol completes or a new command from $\mathcal{R}1$ is received and replies with:

$$\mathcal{T}\to \mathcal{R}1:F(N_{\mathcal{R}1},s_1)$$

6.

If this message is not received correctly by $\mathcal{R}1$ after a period of time, the protocol is repeated from Step 2 ($\mathcal{T}$ will replace the stored values $\mathit{IDR}2,s^{\prime }$). Otherwise, $\mathcal{R}1$ computes $s^{\prime }=F(N_{\mathcal{T}},N_{\mathcal{R}1},s_1)$ and confirms (secure channel) to $\mathcal{R}2$ that $\mathcal{T}$ is ready to be transferred:

$$\mathcal{R}1\Rightarrow \mathcal{R}2:\mathit{ID}\mathrm{is}\mathrm{ready},s^{\prime }$$

Ownership Transfer

7.

If $\mathcal{R}2$ receives $\mathcal{R}1$’s confirmation, then it is ready to take ownership of $\mathcal{T}$. $\mathcal{R}2$ computes $s_2=F(s^{\prime },{\mathit{Info}}_{\mathit{ID}})$ and broadcasts regularly $Query$ messages.

$$\mathcal{R}2\to \mathrm{tags}:Query$$

8.

When $\mathcal{T}$ receives a $Query$, it selects a random nonce $N_{\mathcal{T}}^{\prime }$ and sends:

$$\mathcal{T}\to \mathcal{R}2:F(N_{\mathcal{T}}^{\prime },s_2),N_{\mathcal{T}}^{\prime }$$

9.

If $\mathcal{T}$ is singulated, then $\mathcal{R}2$ selects a fresh random number $N_{\mathcal{R}2}$ and sends:

$$\mathcal{R}2\to \mathcal{T}:F(s_2,N_{\mathcal{T}}^{\prime }),N_{\mathcal{R}2}$$

10.

$\mathcal{T}$ checks this message for $s_2$, and if not correct, for $s_1$ (and waits for new commands). It does not reply if this is not correct. If $\mathcal{R}2$ is authenticated, $\mathcal{T}$ updates the stored values $(\mathit{IDR}1,s_1)$ to $(\mathit{IDR}2,s_2)$. These values determine tag ownership. $\mathcal{T}$ acknowledges this by sending:

$$\mathcal{T}\to \mathcal{R}2:F(N_{\mathcal{R}2},s_2)$$

11.

If the received message is not correct, the protocol is repeated from Step 7. Otherwise, $\mathcal{R}2$ executes the key update protocol in Section 5.2 to prevent $\mathcal{R}1$ from accessing $\mathcal{T}$.

5.1.1. Analysis

In the Appendix A, we shall use GNY logic [12], which extends the Burrows–Abadi–Needham (BAN) logic (overcoming some of its problems [13,14]), to show the consistency of the assumptions with respect to the source message, as well as the beliefs of the sender and receiver of messages. Principals can only advance their beliefs and increase their possessions based on the physical content of the messages they receive. We use strand spaces [15] to show correctness by excluding vulnerabilities based on the structure of the protocol. Strand spaces use free encryption algebra to detect faults that exploit relations in this algebra. Below, we discuss the most important security properties informally.

1

Untraceable singulation: Replies to $Query$’s (Step 2, Step 7) have the same format and include a nonce selected by the tag. This prevents tag tracing, since messages look random to anyone who does not know the secret key.

2

The privacy of ${\mathit{Own}}_c$ is guaranteed because the key $s_1$ remains unknown to the new owner ${\mathit{Own}}_n$. Indeed, if ${\mathit{Own}}_n$ can compute $s_1$ given the values: $s^{\prime }$, $N_{\mathcal{T}}$ and $N_{\mathcal{R}1}$, then ${\mathit{Own}}_n$ can also find the F-preimage of $s^{\prime }$, which contradicts the assumption that F is one-way.

3

Forward secrecy: Suppose the adversary succeeds in getting the new key $s_2$ of a tag. The privacy of the prior communications is guaranteed, as in the previous case, because to get $s_1$ from $s_2$, one has to invert F.

4

The privacy of ${\mathit{Own}}_n$ is achieved by using the key update protocol in Section 5.2.

5

Tag assurance: ${\mathit{Info}}_{\mathit{ID}}$ is the hash of manufacturer information about the tag. The collision resistance of hash functions prevents the adversary from finding another message (pre-image) ${\mathit{Info}}_{\mathit{ID}}^{\prime }$ with the same hash to forge the information given by the manufacturer. The use of ${\mathit{Info}}_{\mathit{ID}}$ to compute $s_2$ guarantees that the information provided by ${\mathit{Own}}_c$ to ${\mathit{Own}}_n$ matches with the information stored by $\mathcal{T}$. Note, however, that cloned tags and corruptible memories are beyond this security feature (cf. [17]).

5.2. A Key Update Protocol, Figure 7

The parties are: the reader $\mathcal{R}2$, tag $\mathcal{T}$ and $n_T$ noisy tags ${\mathcal{T}}_t^{\ast }$, $1\le t\le n_T$. $\mathcal{R}2$ shares with $\mathcal{T}$ a private key $s_2$ and with each ${\mathcal{T}}_t^{\ast }$ a private key $s_t^{\ast }$. In this protocol, $\mathcal{T}$ updates privately the key $s_2$ with a fresh key ${\overline{s}}_2$.

1

$\mathcal{R}2$ broadcasts a key change request (KCR) with a random nonce $N_{\mathcal{R}2}^{\prime }$.

$$\mathcal{R}2\to \mathcal{T},{\left\{{\mathcal{T}}_t^{\ast }\right\}}_{t=1}^{n_T}:\mathit{KCR},N_{\mathcal{R}2}^{\prime }$$

2

Upon receiving this, $\mathcal{T}$ and ${\mathcal{T}}_t^{\ast }$ generate bitstrings S and $S_t^{\ast }$ of length $n/C_s$ and broadcast these simultaneously (as specified in Section 4): S is a random number, and $S_t^{\ast }=F^{\ast }(N_{\mathcal{R}2}^{\prime },s_t^{\ast })$, where $F^{\ast }$ is a cryptographic hash function of length $n/C_s$. Note that $F^{\ast }$ could be built from F; for example, for $C_s=0.5$, $F^{\ast }(A,B)=F(A,B)\left|\right|F(A+1,B)$, where $\left|\right|$ denotes concatenation.

$$\mathcal{T},{\left\{{\mathcal{T}}_t^{\ast }\right\}}_{t=1}^{n_T}\to \mathcal{R}2:S\mathrm{and}{\left\{S_t^{\ast }\right\}}_{t=1}^{n_T}$$

3

$\mathcal{R}2$ receives the added signals of S and ${\left\{S_t^{\ast }\right\}}_{t=1}^{n_T}$, extracts S, computes ${\overline{s}}_2=F(N_{\mathcal{R}2}^{\prime },S,s_2)$ and broadcasts $F(S,{\overline{s}}_2)$.

$$\mathcal{R}2\to \mathcal{T},{\left\{{\mathcal{T}}_t^{\ast }\right\}}_{t=1}^{n_T}:F(S,{\overline{s}}_2)$$

4

$\mathcal{T}$ computes ${\overline{s}}_2=F(N_{\mathcal{R}2}^{\prime },S,s_2)$ and checks that the message from $\mathcal{R}2$ is correct. If so, $\mathcal{T}$ updates its private key $s_2$ to ${\overline{s}}_2$.

$$\mathcal{T}\to \mathcal{R}2:F(N_{\mathcal{R}2}^{\prime },{\overline{s}}_2)$$

5

$\mathcal{R}2$ checks the received message. If correct, the key update protocol (KUP) is completed, and $\mathcal{R}2$ informs $\mathcal{R}1$. Otherwise, $\mathcal{R}2$ sends a new $Query$ and checks if $\mathcal{T}$ has updated its key. If not, the KUP is repeated.

$$\mathcal{R}2\Rightarrow \mathcal{R}1:\mathrm{Ownership}\mathrm{is}\mathrm{transferred}.$$

5.3. Analysis

Attacks by external adversaries on the KUP can target privacy (traceability) or availability (de-synchronization). These are prevented by the wiretap channel with positive secrecy and a cryptographic hash function that authenticates messages. More specifically:

Traceability: $\mathcal{T}$ remains untraceable because the exchanged messages look random to anyone who does not know $s_2$.

De-synchronization: The adversary cannot compute $F(N_{\mathcal{R}2}^{\prime },{\overline{s}}_s)$ or $F(S,{\overline{s}}_2)$, that are required by parties to update their keys, without knowing $s_2$.

The protection extends to threats from past and future owners of $\mathcal{T}$. For example, even if $\mathcal{R}1$ knows $s_1$ and can get $s_2$, $\mathcal{R}1$ does not know the keys $s_t^{\ast }$ of the noisy tags and, therefore, cannot filter out $S_t^{\ast }$ to get S and compute ${\overline{s}}_2$. In particular, $\mathcal{R}1$ knows $C_{eav}·n/C_s=(1-C_s)·n/C_s$ bits of S, but the remaining n bits remain unknown. Thus, once the KUP is completed, $\mathcal{R}1$ has no control over the tag $\mathcal{T}$ and cannot trace it.

6. Conclusions

Cryptographic protection is usually handled at the application layer and cannot exploit signal features at the physical layer, which restricts its scope. We have shown in this paper that backward privacy of an OTP can be guaranteed with the use of channels with positive secrecy capacity. The implementation of such channels with noisy tags has been analyzed and the value $n_T=3$, for which the capacity of the eavesdropper’s channel is only $C_{eav}=0.22$ bits, provides a good compromise between performances and the ease of implementation. We also defined a communication model for RFID ownership transfer that captures spatiotemporal requirements. Protocols defined in this model can be applied to a wider range of practical scenarios. Finally, we have presented the first example of a symmetric-key OTP that does not require a TTP or ISE and formally proved that it is correct and secure in this model.