Security models and most distance-bounding schemes designed so far are static, i.e., the secret key in use is never updated. The scenario considered by [13] features a single reader and a single tag. However, a crucial topic in RFID authentication is privacy, as formalized by Vaudenay [32]. Adversaries against privacy can corrupt tags and learn the secret keys; in this scenario, key updates ensure better privacy. In this paper we extend distance-bounding security to include key updates, and show a compiler that preserves mafia, distance, and impersonation security, and turns a narrow-weak private distance-bounding protocol into a narrow-destructive private distance-bounding protocol as in [32]. We discuss why it is much harder to attain terrorist fraud resistance, for both stateless and stateful scenarios. We optimize our compiler for cases where (i) the underlying distance-bounding protocol does not have reader authentication; (ii) impersonation security is achieved (by using a pseudorandom function) before the distance-bounding phase; or (iii) the prover ends by sending a MAC of the transcript. We also use our compiler on the enhanced construction in [13].
Category / Keywords: secret-key cryptography / stateful distance bounding, denial of service, privacy, RFID
Date: received 26 Mar 2012, last revised 4 Apr 2012
Contact author: cristina onete at gmail com
Note: Updated version/constructions. More efficient compiler.
Version: 20120404:142348
Short URL: ia.cr/2012/165