| dc.description.abstracteng | This dissertation tackles the problem of user privacy and security of transactions in the authentication protocols of the technology of Radio-frequency identification (RFID).
Radio-frequency identification is ubiquitously used for automatic identification of objects over the distance. Numerous applications include access control using contactless ID cards, contactless payments in the public transportation, payments using contactless credit cards, toll payments, etc. To identify an item, RFID tags are used. In several other applications, mostly for automatic checkout and fraud control, tags are embedded into books, clothes, packs of medicines, goods. Such a widespread of the technology caused that almost everyone carry an item with an RFID tag inside.
However, many users do not realize that those small chips can reveal valuable privacy information about them or break the security of the information system. From the privacy side, RFID-enabled objects make their owners vulnerable to illegal tracing. This is mainly possible due to eavesdropping and unauthorized querying, which allows attackers to monitor transactions and link them to objects and places. The current state-of-art suggests considering an assumption that attackers can compromise a tag, read its internal state, and use information stored on the tag's memory to link the tag with its previous and future transactions. Moreover, an insecure channel allows attackers to learn, what object one is carrying, thus breaking anonymity. From the security side, RFID communications are vulnerable to replay and desynchronization attacks. In the former attack, an adversary targets to reuse the tag's response in order to impersonate it and illegally obtain the benefits. In the latter attack, the adversary targets to desynchronize identification records between a tag and a valid server so that a valid tag cannot be identified anymore.
Existing RFID authentication protocols demonstrate a lot of progress covering the above-mentioned issues. However, they still suffer from limitations and are vulnerable to certain security and privacy attacks. Moreover, due to their complexity, most of the schemes do not conform to the EPC Class-1 Gen-2 (C1G2) Standard and thus cannot be implemented on passive low-cost RFID tags.
In this dissertation, we aim to comply with the EPC C1G2 Standard and present a minimalist RFID Authentication protocol based on the Rabin scheme. Through the detailed security and privacy analysis, we show that the presented scheme overcomes the flaws of the previous works, provides anonymity, location privacy, achieves both backward and forward untraceability, and is secure against impersonation and desynchronization attacks. The proposed protocol also supports ownership transfer that can be performed over the insecure environment for tags. The performance comparison shows that our scheme outperforms the existing works in the amount of communication rounds, calculations on tags and on the server, and achieves the complexity for database loading of O(1) in the worst case. The use of lightweight functions makes the scheme efficient, scalable, and feasible for implementation on simple low-cost tags. To the best of our knowledge, this is the first lightweight protocol that provides forward and backward untraceability at the same time, and is robust against security and privacy attacks generally considered in RFID systems. | de |