CN105847009A - RFID bidirectional authentication method meeting requirement on backward security - Google Patents

Abstract

The invention discloses a RFID bidirectional authentication method meeting a requirement on backward security. The method comprises the steps that a reader generates a random number R1 and a random number R2 of which the lengths are both L bits, works out an A value and a B value according to identifiers ID_L and ID_R, and sends the A and B values together with an authentication request command to a label; the label works out R1_T and R2_T according to the A and B values, establishes a label authenticity authentication formula by using a key KEY_T, R1_T and R2_T, works out a label authenticity authentication value C_T, and transfers the C_T value to a reader-writer; and the reader-writer puts a self-stored KEY and the generated R1 and R2 into the label authenticity authentication formula for authenticating the authenticity of the label. If the label is legal, the reader-writer works out a reader-writer authenticity authentication value D by using the current KEY and the generated random number R2, transfers the D value to the label, and updates the key. After receiving the D value transferred from the reader-writer, the label authenticates the authenticity of the reader-writer. If the legality of the reader-writer is authenticated, the label updates the self-stored key.

Description

A kind of RFID mutual authentication method meeting backward security

Technical field

The present invention relates to RF identification research field, particularly to label and read write line in a kind of rfid system it Between meet the RFID mutual authentication method of backward security.

Background technology

Radio RF recognition technology (radio frequency identification, RFID) is that one utilizes radio frequency Signal realizes the transmission of contactless information, and passes through the technology that transmitted information reaches the purpose of identification. Owing to RFID technique is to utilize wireless radio frequency channel to exchange data, therefore it is highly susceptible to external environment condition Interference and the malicious attack of assailant.If the personal information deposited in RFID label tag or business intelligence Illegally obtained Deng by the assailant of malice, huge loss can be brought to user.

For overcoming the problems referred to above, research worker proposes many authentication protocols based on PRNG, This quasi-protocol can realize security and privacy protection；It is also proposed some based on bit arithmetic and HASH letter simultaneously The lightweight RFID authentication protocol of number, but all there is potential safety hazard in these agreements or authentication efficiency is low etc. Problem.Such as, the certificate scheme that Godor G et al. proposes can not resist desynchronization attack, and assailant is permissible By playback message, make read write line and label key between the two inconsistent, thus destroy between the two Subsequent authentication (Godor G, Imre S.Hash-based mutual authentication protocol for low-cost RFID systems[C]//Proc of the 18th EUNICE Conf on Information and Communications Technologies.Berlin:Springer,2012:76-87.)；Miyaji A et al. proposes Certificate scheme its essence is a search protocol, can not calculate a bidirectional identification protocol (Miyaji A, Rahman M S.KIMAP:Key-insulated mutual authentication protocol for RFID[J]. Int Journal of Automated Identification Technology,2011,3(2):61-74.)；Mamun M The certificate scheme that SI et al. proposes can not resist active attack, and assailant, by constantly inquiring label, divides The return information of analysis label, it is possible to derive all key informations (the Mamun M S deposited in label completely I,Miyaji A,Rahman M S.A secure and private RFID authentication protocol under SLPN problem[C]//Proc of the 6th Int Conf on Network and System Security. Berlin:Springer,2012:476-489.)；The certificate scheme that Alomair B et al. proposes is not provided that backward Personal secrets (Alomair B, Cuellar J, Poovendran R.Scalable RFID systems:A privacy-preserving protocol with constant time identification[J].IEEE Trans on Parallel and Distributed Systems,2012,23(8):1-10.)；Du Zongyin et al. is according to genetic algorithm Relevant knowledge proposes intersection bit arithmetic, and combines XOR, Rot computing and propose CURAP agreement, but Being that CURAP is excessively simple in terms of computing, safety shows slightly not enough, and this agreement is complete in each certification simultaneously After one-tenth, label and the renewal process of read write line key between the two are excessively complicated and amount of calculation is relatively large (shuts out Zong Yin, Zhang Guoan, Yuan Honglin. ultralight amount RFID authentication protocol [J] based on intersection bit arithmetic. computer section Learn, 2013,40 (11): 35-37.)；The scheme that Wang Shaohui et al. proposes can not be resisted Brute Force and be attacked, because R1 and r2 uses plaintext transmission, and therefore assailant is easy to obtain r1 and r2, uses the method for exhaustion to derive The key information deposited in outgoing label (Wang Shaohui, Liu Sujuan, Chen Danwei. meet the expansible of backward privacy RFID mutual authentication schemes [J]. Journal of Computer Research and Development, 2013,50 (6): 1276-1284.).Based on above Narration, design one safety bidirectional identification protocol there is important Research Significance and practical value.

Summary of the invention

It is an object of the invention to overcome the shortcoming of prior art with not enough, it is provided that a kind of to meet backward security RFID mutual authentication method, this method solves in current rfid system certification between label and read write line and deposits In the problem of safety defect, there is safety height, authentication efficiency height, the advantage of label low cost.

The purpose of the present invention is realized by following technical scheme: a kind of RFID meeting backward security is two-way to be recognized Card method, including step:

(1) unique identifier of the label of read write line reading storage inside, is divided into two parts, is designated as ID_L, ID_R, length is L position；Read write line generates two length and is the random number R 1 and R2 of L position； Read write line utilizes ID_L and R1 to carry out XOR to obtain A, utilize ID_R and R2 to carry out XOR and obtain To B, then A, B and certification request command are sent to label in the lump；

(2), after label receives read write line transmission next A, B and certification request command, self is first taken out ID_LT and ID_RT stored, then carries out XOR by ID_LT and the A received and obtains R1_T, ID_RT and the B received is carried out XOR and obtains R2_T, then according to label self storage close Key KEY_T and calculated R1_T, R2_T set up a label authenticity verification formula, calculate To label authenticity verification value C_T；Finally, C_T value is passed to read write line；

(3) read write line is after receiving the information that label transmission comes, and self is stored by first read write line The random number R 1 and R2 of key KEY and generation substitutes into above-mentioned label authenticity verification formula, is tested Card value C, if C with C_T is unequal, then care label is to forge, and certification terminates at once；If phase Deng, then perform step (4)；

(4) random number R 2 of read write line current key KEY and generation is set up a read write line true and false and is tested Card formula, is calculated read write line authenticity verification value D, D value is passed to label；Read write line is according to default Key updating formula more new key；

(5) label is after receiving the D that read write line transmits, the key KEY_T self deposited and meter The R2_T that obtains substitutes into above-mentioned read write line authenticity verification formula, is verified value D_T, if D and D_T is unequal, then explanation read write line is to forge, and certification terminates at once；If equal, then label according to The key updating formula preset updates the key self deposited.

Preferably, in described step (2), the computing formula of label authenticity verification value C_T is as follows:

C_T=[(KEY_T&R2_T&R1_T)²mod M]_L；

Wherein, KEY_T represents the key that label self stores, []_LTake the front L position of operation result；& represents With computing, M represents modulus, M=2^L-1；

In like manner, the computing formula of validation value C is as follows:

C=[(KEY&R2&R1)²mod M]_L。

Further, in described step (3), the key KEY of read write line self storage is divided into two kinds, A kind of is current key K_new, another kind be history used key K_old, K_old be a number Group；After receiving the C_T value that label transmits, read write line first obtains first according to K_new, R1 and R2 Validation value C`, and C` with C_T is compared,

If the two is equal, then makes KEY be equal to K_new, perform step (4)；

If the two is unequal, obtaining the second validation value C`` further according to K_old, R1 and R2, C`` is a number Group, compares value all of in C`` with C_T, if the most unequal, care label is to forge, and recognizes Card terminates at once, if one of them value C``_i in C`` is equal with C_T, then makes KEY be equal to and this Key K_old_i corresponding for C``_i, performs step (4).

Preferably, in step (4), the computing formula of read write line authenticity verification value D is as follows:

D=[KEY²mod M]_L&R2；

Wherein, []_LTake the front L position of operation result；& represents and computing, and M represents modulus, M=2^L-1；

In like manner, the computing formula of validation value D_T is as follows:

D_T=[KEY_T²mod M]_L&R2_T。

Preferably, in step (4), the formula of read write line more new key is:

KEY_new=[KEY²mod M]_L；

Wherein, []_LTake the front L position of operation result；M represents modulus, M=2^L-1；

In like manner, in step (5), the formula of the key that tag update self is deposited is:

KEY_T_new=[KEY_T²mod M]_L。

The RFID mutual authentication method of the present invention has the advantage that and beneficial effect:

(1) method of the Hash computing encrypted transmission that the present invention discards tradition, uses and has ad eundem safety Modular arithmetic encryption method the information of transmission is encrypted, thus reduce tab end and the computing of read write line end Amount, makes the inventive method can reach the rank of lightweight；

(2) present invention abandons tab end and produces the way of random number, selects to be produced random number by read write line end, Thus reduce the target of label cost；

(3) present invention makes full use of the letter of the unique identifier ID of label shared between label and read write line Breath, reduces the introducing of information and deposits, the identifier ID of label being divided into ID_L and ID_R two parts and enters Row encrypted transmission, as the authority of two-way authentication, thus reduces the carrying cost of tab end；

(4) all of information that between label of the present invention and read write line, mutual authentication process is transmitted be all through Transmit again after encryption, safer compared with traditional transmission means, simultaneously in the information of transmitting procedure The most plural variable is unknown for assailant, thus thoroughly avoids assailant and adopt Potential safety hazard with method of exhaustion breaking cryptographic keys.

Accompanying drawing explanation

Fig. 1 is the schematic flow sheet of method described in the present embodiment.

Fig. 2 is each parameter transmittance process schematic diagram in the present embodiment mutual authentication process.

Detailed description of the invention

Below in conjunction with embodiment and accompanying drawing, the present invention is described in further detail, but the embodiment party of the present invention Formula is not limited to this.

Embodiment 1

See Fig. 1,2, first provide the implication of each symbol related in method described in the present embodiment:

R: read write line；

T: label；

KEY: the key (a length of L position) shared between read write line and label；

The unique identifier (a length of 2L position) of ID: label；

The left-half (the L position on the left side) of ID_L: tag ID；

The right half part (the L position on the right) of ID_R: tag ID；

The shared key (a length of L position) of K_new: this certification；

The shared key (a length of L position) of K_old: history certification several times；

The length of L: key；

M: modulus, M=2^L-1；

Two randoms number (length is all L position) that R1 and R2: read write line produces；

: XOR；

&: with computing.

Carried out the biography of information between read write line and back-end data base by wire transmission mode in rfid system Defeated, it is considered that transmission between the two is safe, therefore regard back-end data base and read write line as one Overall.Two-way authentication detailed process between read write line and label as it is shown in figure 1, in its verification process each Parameter transmittance process sees Fig. 2, in fig. 2, and A=ID_L R1；B=ID_R R2；C= [(KEY&R2&R1)²mod M]_L, represent the front L position taking operation result；D=[KEY²mod M]_L &R2, represents the front L position first taking [] operation result, carries out and computing with R2.

Verification process in conjunction with Fig. 1,2 pairs of the present embodiment is described as follows:

1. read write line reads the unique identifier of label of storage inside, is divided into two parts, be designated as ID_L, ID_R, length is L position.Read write line generates two length and is the random number R 1 and R2 of L position.

Read write line utilizes ID_L and R1 to carry out XOR to obtain A, i.e. A=ID_L R1, then profit Carry out XOR with ID_R and R2 and obtain B, i.e. B=ID_R R2.

Finally A, B and certification request command Query are sent to label in the lump.

2., after label receives the information that read write line transmission comes, the Information ID _ LT self stored first is taken out And ID_RT, if read write line and label are not forgery, then ID_LT and ID_RT should wait respectively In ID_L, ID_R.

Then ID_LT and the A received is carried out XOR and obtain R1_T, i.e. R1_T=ID_L A, ID_RT and the B received is carried out XOR and obtains R2_T, i.e. R2_T=ID_R B.If Read write line and label are not forgery, then R1_T and R2_T should be respectively equal in read write line generation R1、R2。

Then label sets up one according to the key KEY_T self stored, calculated R1_T, R2_T Label authenticity verification formula, calculating label authenticity verification value C_T:

C_T=[(KEY_T&R2_T&R1_T)²mod M]_L；

Wherein, KEY_T represents the key that label self stores, []_LTake the front L position of operation result；& represents With computing, M represents modulus, M=2^L-1；

Finally, C_T value is passed to read write line.

3. after read write line receives the information that label transmission comes, the key that first self is stored by read write line R1 and R2 of KEY and generation substitutes into above-mentioned label authenticity verification formula, is verified value C:

C=[(KEY&R2&R1)²mod M]_L；

If C with C_T is unequal, then showing that label is to forge, certification terminates at once；If it is equal, Then continue below step.

4. the random number R 2 of read write line current key KEY and generation sets up a read write line authenticity verification Formula, is calculated read write line authenticity verification value D:

D=[KEY²mod M]_L&R2；

D value is passed to label；Read write line is according to default key updating formula KEY_new=[KEY²mod M]_L, more new key.

5. label is after receiving the D that read write line transmits, the key KEY_T self deposited and calculating The R2_T that obtains substitutes into above-mentioned read write line authenticity verification formula, is verified value D_T:

D_T=[KEY_T²mod M]_L&R2_T。

If D with D_T is unequal, then showing that read write line is to forge, certification terminates at once；If it is equal, Then label is according to default key updating formula KEY_T_new=[KEY_T²mod M]_L, update self The key deposited.If read write line and label are not forgery, then the key after tag update Key KEY_new after KEY_T_new should update with read write line is identical.

In actual applications, it is possible to label is not updated in verification process several times above, if Only with the up-to-date key of read write line as certification key, then this kind of label just can not get certification, for understanding Certainly this problem, 3. can improve step, and the process of improvement is as follows:

(3-1) the key KEY that read write line self stores being divided into two kinds, a kind of is current key K_new, Another kind be history used key K_old, K_old be an array, it is used that the inside includes that history is adopted All keys or part of key.

(3-2) after receiving the C_T value that label transmits, read write line is first according to K_new, R1 and R2 Obtain the first validation value C`:

C`=[(K_new&R2&R1)²mod M]_L

(3-3) judge that C` with C_T is the most equal, if equal, perform step (3-4)；Otherwise, perform Step (3-5).

(3-4) make KEY be equal to K_new, perform step 4..

(3-5) the second validation value C`` is obtained according to K_old, R1 and R2:

C``=[(K_old&R2&R1)²mod M]_L

Here C`` is an array, if all of value is the most unequal with C_T in this array, then mark is described Label are to forge, and certification terminates at once.If there being C``_i with C_T equal, then make KEY be equal to 4. key K_old_i corresponding for this C``_i, perform step.

The BAN logical form fractional analysis of authentication protocol is given below, is proved by BAN formalization analysis The safety of mutual authentication method and correctness, it was demonstrated that process is as follows: (for the change of word segment above, Have also been made certain change below, please audit, the formula trouble amendment referred here to)

First the idealized model of agreement is given:

Message 1. R → T:Query, A, B

Message 2. T → R:C_T

Message 3. R → T:D

The original hypothesis of agreement be given below:

P1:R believes R and T shared key value KEY.

P2:T-phase letter R and T shared key value KEY_T, KEY with KEY_T is equal.

P3:R believes that R and T shares identifier ID _ L.

P4:It is equal that T-phase letter R and T shares identifier ID _ LT, ID_LT and ID_L.

P5:R believes that R and T shares identifier ID _ R.

P6:It is equal that T-phase letter R and T shares identifier ID _ RT, ID_RT and ID_R.

P7:R | ≡ # (R1), R believe the freshness of random number R 1.

P8:T | ≡ # (R1), the freshness of T-phase letter random number R 1.

P9:R | ≡ # (R2), R believe the freshness of random number R 2.

P10:T | ≡ # (R2), the freshness of T-phase letter random number R 2.

P11:The T-phase letter R jurisdiction to A.

P12:The T-phase letter R jurisdiction to B.

P13:R believes the T jurisdiction to C_T.

P14:The T-phase letter R jurisdiction to D.

Security Target:

G1:T | ≡ A, T-phase letter A.G2:T | ≡ B, T-phase letter B.

G3:R | ≡ C, R believe C_T.G4:T | ≡ D, T-phase letter D.

Analysis ratiocination:

1. obtained by message(T once received message A), and by original hypothesis P1 and message implication method ThenIf (main body P believes shared key K of main body P and Q, and P once received and uses K Ciphertext X of encryption, then P believes message X that main body Q sends over), obtain

By assuming P7, P9 and message freshness ruleIf (part for a message is fresh , the most whole message is also fresh), obtain T | ≡ # (A).By derivedT | ≡ # (A) and with Machine number checking rule| ≡ T | the ≡ A that obtains R.

| ≡ T | ≡ A, initial state assumption P11 and administration rule by RT can be obtained | ≡ A.Therefore, mesh Mark G1 must demonstrate,prove.

Using above-mentioned condition and rule, proving by the same methods obtains G2, G3 and G4.Here is omitted.

Above-described embodiment is the present invention preferably embodiment, but embodiments of the present invention are not by above-mentioned reality Execute the restriction of example, the change made under other any spirit without departing from the present invention and principle, modification, Substitute, combine, simplify, all should be the substitute mode of equivalence, within being included in protection scope of the present invention.

Claims (5)

1. the RFID mutual authentication method meeting backward security, it is characterised in that include step:

(1) unique identifier of the label of read write line reading storage inside, is divided into two parts, is designated as ID_L, ID_R, length is L position；Read write line generates two length and is the random number R 1 and R2 of L position； Read write line utilizes ID_L and R1 to carry out XOR to obtain A, utilize ID_R and R2 to carry out XOR and obtain To B, then A, B and certification request command are sent to label in the lump；

(2), after label receives read write line transmission next A, B and certification request command, self is first taken out ID_LT and ID_RT stored, then carries out XOR by ID_LT and the A received and obtains R1_T, ID_RT and the B received is carried out XOR and obtains R2_T, then according to label self storage close Key KEY_T and calculated R1_T, R2_T set up a label authenticity verification formula, calculate To label authenticity verification value C_T；Finally, C_T value is passed to read write line；

(3) read write line is after receiving the information that label transmission comes, and self is stored by first read write line The random number R 1 and R2 of key KEY and generation substitutes into above-mentioned label authenticity verification formula, is tested Card value C, if C with C_T is unequal, then care label is to forge, and certification terminates at once；If phase Deng, then perform step (4)；

(4) random number R 2 of read write line current key KEY and generation is set up a read write line true and false and is tested Card formula, is calculated read write line authenticity verification value D, D value is passed to label；Read write line is according to default Key updating formula more new key；

(5) label is after receiving the D that read write line transmits, the key KEY_T self deposited and meter The R2_T that obtains substitutes into above-mentioned read write line authenticity verification formula, is verified value D_T, if D and D_T is unequal, then explanation read write line is to forge, and certification terminates at once；If equal, then label according to The key updating formula preset updates the key self deposited.

RFID mutual authentication method the most according to claim 1, it is characterised in that described step (2) The computing formula of middle label authenticity verification value C_T is as follows:

C_T=[(KEY_T&R2_T&R1_T)²mod M]_L；

Wherein, KEY_T represents the key that label self stores, []_LTake the front L position of operation result；& represents With computing, M represents modulus, M=2^L-1；

In like manner, the computing formula of validation value C is as follows:

C=[(KEY&R2&R1)²mod M]_L。

RFID mutual authentication method the most according to claim 2, it is characterised in that described step (3) In, the key KEY of read write line self storage is divided into two kinds, and a kind of is current key K_new, another Kind be history used key K_old, K_old be an array；Receiving the C_T value that label transmits After, read write line first obtains the first validation value C` according to K_new, R1 and R2, and is carried out by C` with C_T Relatively,

If the two is equal, then makes KEY be equal to K_new, perform step (4)；

If the two is unequal, obtaining the second validation value C`` further according to K_old, R1 and R2, C`` is a number Group, compares value all of in C`` with C_T, if the most unequal, care label is to forge, and recognizes Card terminates at once, if one of them value C``_i in C`` is equal with C_T, then makes KEY be equal to and this Key K_old_i corresponding for C``_i, performs step (4).

RFID mutual authentication method the most according to claim 1, it is characterised in that in step (4) The computing formula of read write line authenticity verification value D is as follows:

D=[KEY²mod M]_L& R2；

Wherein, []_LTake the front L position of operation result；& represents and computing, and M represents modulus, M=2^L-1；

In like manner, the computing formula of validation value D_T is as follows:

D_T=[KEY_T²mod M]_L&R2_T。

RFID mutual authentication method the most according to claim 1, it is characterised in that in step (4), The formula of read write line more new key is:

KEY_new=[KEY²mod M]_L；

Wherein, []_LTake the front L position of operation result；M represents modulus, M=2^L-1；

In like manner, in step (5), the formula of the key that tag update self is deposited is:

KEY_T_new=[KEY_T²mod M]_L。