Thesis

More documents

Recommendations

Info

2. PRIVATE AUTHENTICATION Some years ago, Molnar and Wagner proposed an elegant approach to privacy protecting authentication [Molnar and Wagner, 2004] that is based on symmetric key cryptography while still ensuring short authentication delays. More precisely, the complexity of the authentication procedure in the Molnar-Wagner scheme is logarithmic in the number of potential provers, in contrast with the linear complexity of the naïve key search approach. The main idea of Molnar and Wagner is to use key-trees (see Figure 2.1 for illustration). A key-tree is a tree where a unique key is assigned to each edge. The leaves of the tree represent the potential provers, which is called members in the sequel. Each member possesses the keys assigned to the edges of the path starting from the root and ending in the leaf that corresponds to the given member. The verifier knows all keys in the tree. In order to authenticate itself, a member uses all of its keys, one after the other, starting from the first level of the tree and proceeding towards lower levels. The verifier first determines which first level key has been used. For this, it needs to search through the first level keys only. Once the first key is identified, the verifier continues by determining which second level key has been used. However, for this, it needs to search through those second level keys only that reside below the already identified first level key in the tree. This process is continued until all keys are identified, which at the end, identify the authenticating member. The key point is that the verifier can reduce the search space considerably each time a key is identified, because it should consider only the subtree below the recently identified key. k111 k11 k1 Figure 2.1: Illustration of a key-tree. There is a unique key assigned to each edge. Each leaf represents a member of the system that possesses the keys assigned to the edges of the path starting from the root and ending in the given leaf. For instance, the member that belongs to the leftmost leaf in the figure possesses the keys k1, k11, and k111. The problem of the above described tree-based approach is that upper level keys in the tree are used by many members, and therefore, if a member is compromised and its keys become known to the adversary, then the adversary gains partial knowledge of the key of other members too [Avoine et al., 2005]. This obviously reduces the privacy provided by the system to its members, since by observing the authentication of an uncompromised member, the adversary can recognize the usage of some compromised keys, and therefore its uncertainty regarding the identity of the authenticating member is reduced (it may be able to determine which subtree the member belongs to). One interesting observation is that the naïve, linear key search approach can be viewed as a special case of the key-tree based approach, where the key-tree has a single level and each member has a single key. Regarding the above described problem of compromised members, the naïve approach is in fact optimal, because compromising a member does not reveal any key information of other members. At the same time, as described above, the authentication delay is the worst in this case. On the other hand, in case of a binary key-tree, it can be observed that the compromise of a single member strongly 2 affects the privacy of the other members, while at the same time, the binary tree is very advantageous in terms of authentication delay. Thus, there seems to be a trade-off between the level of privacy provided by the system and the authentication delay, which depends on the parameters of the key-tree, but it is far from obvious to see how the optimal 2 The precise quantification of this effect is the topic of this chapter and will be presented later. 10
2.2. Resistance to single member compromise key-tree should look like. In this chapter, I address this problem, and I show how to find optimal key-trees. In this chapter, after finding the optimal key-tree, I go further and I present a novel symmetrickey private authentication scheme that provides a higher level of privacy and achieves better efficiency than the key-tree based approach. This approach is called the group based approach. More precisely, the complexity of the group based scheme for the reader can be set to be O(log N) (i.e., the same as in the key-tree based approach), while the complexity for the tags is always a constant (in contrast to O(log N) of the key-tree based approach). Hence, the group based scheme is better than the key-tree based scheme both in terms of privacy and efficiency, and therefore, it is a serious alternative to the key-tree based scheme to be considered by the RFID community. More precisely, the main contributions are the following: I propose a benchmark metric for measuring the resistance of the system to a single compromised member based on the concept of anonymity sets. To the best of my knowledge, anonymity sets have not been used in the context of private authentication yet. I prove that this simply defined metric is equivalent to a metric widely used in cryptography with a much more complex definition. The real contribution of the metric, is that its definition simplifies the usage of the metric without losing any details of the more complex metric. I introduce the idea of using different branching factors at different levels of the key-tree; the advantage is that the system’s resistance to single member compromise can be increased while still keeping the authentication delay short. To the best of my knowledge, key-trees with variable branching factors have not been proposed yet for private authentication. I present an algorithm for determining the optimal parameters of the key-tree, where optimal means that resistance to single member compromise is maximized, while the authentication delay is kept below a predefined threshold. In the general case, when any member can be compromised, I give a lower bound on the level of privacy provided by the system, and present some simulation results that show that this lower bound is quite sharp. This allows me to compare different systems based on their lower bounds. I introduce a group based approach, which is superior to the tree-based approach in many properties. In summary, I propose practically usable techniques for designers of RFID based authentication systems. The outline of the chapter is the following: in Section 2.2, I introduce my benchmark metric to measure the level of privacy provided by key-tree or group based authentication systems, and I illustrate, through an example, how this metric can be used to compare systems with different parameters. By the same token, I also show that key-trees with variable branching factors can be better than key-trees with a constant branching factor at every level. In Section 2.3, I formulate the problem of finding the best key-tree with respect to my benchmark metric as an optimization problem, and I present an algorithm that solves that optimization problem. In Section 2.4, I consider the general case, when any number of members can be compromised, and I derive a useful lower bound on the level of privacy provided by the system. After finding the optimal key-tree, I describe the operation of my group based scheme in Section 2.5, and I quantify the level of privacy that it provides in Section 2.6. I compare the group based scheme to the key-tree based approach in Section 2.7. Finally, in Section 2.8, I report on some related work, and in Section 2.9, I conclude the chapter. 2.2 Resistance to single member compromise There are different ways to measure the level of anonymity provided by a system [Diaz et al., 2002; Serjantov and Danezis, 2003]. Here the concept of anonymity sets [Chaum, 1988] is used. The 11
Page 1: Budapest University of Technology a
Page 5 and 6: Abstract Wireless networks are used
Page 7 and 8: Kivonat Vezeték nélküli hálóza
Page 9: Acknowledgement First of all, I wou
Page 12 and 13: CONTENTS 4 Anonymous Aggregator Ele
Page 15: List of Tables 2.1 Illustration of
Page 19 and 20: Chapter 1 Introduction In this diss
Page 21 and 22: 1.2. Introduction to Vehicular Ad H
Page 23 and 24: 1.3. Introduction to Wireless Senso
Page 25: 1.3. Introduction to Wireless Senso
Page 30 and 31: 2. PRIVATE AUTHENTICATION anonymity
Page 32 and 33: 2. PRIVATE AUTHENTICATION Obviously
Page 34 and 35: 2. PRIVATE AUTHENTICATION In order
Page 36 and 37: 2. PRIVATE AUTHENTICATION Proof. By
Page 38 and 39: 2. PRIVATE AUTHENTICATION 2.4 Analy
Page 40 and 41: 2. PRIVATE AUTHENTICATION For each
Page 42 and 43: 2. PRIVATE AUTHENTICATION Reader R
Page 44 and 45: 2. PRIVATE AUTHENTICATION P ( ( N
Page 46 and 47: 2. PRIVATE AUTHENTICATION Avoine et
Page 48 and 49: 3. LOCATION PRIVACY IN VANETS pseud
Page 50 and 51: 3. LOCATION PRIVACY IN VANETS Since
Page 52 and 53: 3. LOCATION PRIVACY IN VANETS This
Page 54 and 55: 3. LOCATION PRIVACY IN VANETS reach
Page 56 and 57: 3. LOCATION PRIVACY IN VANETS N5.1
Page 58 and 59: 3. LOCATION PRIVACY IN VANETS Succe
Page 60 and 61: 3. LOCATION PRIVACY IN VANETS Figur
Page 62 and 63: 3. LOCATION PRIVACY IN VANETS 3.7.2
Page 64 and 65: 3. LOCATION PRIVACY IN VANETS map,
Page 67 and 68: Chapter 4 Anonymous Aggregator Elec
Page 69 and 70: 4.2. System and attacker models res
Page 71 and 72: 4.3. Basic protocol The main differ
Page 73 and 74: Table 4.1: Estimated time of the bu
Page 75 and 76: Probability of being cluster aggreg
Page 77 and 78: − n∑ i=1 H = − n+1 ∑ 4.3. B
Page 79 and 80:
4.4. Advanced protocol Table 4.3: S
Page 81 and 82:
100 90 80 70 60 50 40 30 20 10 0 0
Page 83 and 84:
4.4. Advanced protocol If we consid
Page 85 and 86:
4.4.4 Query 4.4. Advanced protocol
Page 87 and 88:
L N D B NM < L N (4.5) A (4.7) (4.6
Page 89 and 90:
R ′ = R− N i=1 h(Q|ki) ÆÓ Å
Page 91:
4.7. Related publications systems w
Page 94 and 95:
5. APPLICATION OF NEW RESULTS an ap
Page 96 and 97:
6. CONCLUSION on this knowledge, sh
Page 99:
List of Acronyms CA Cluster Aggrega
Page 102 and 103:
LIST OF PUBLICATIONS [Holczer and B
Page 104 and 105:
BIBLIOGRAPHY [Beye and Veugen, 2011
Page 106 and 107:
BIBLIOGRAPHY [El Zarki et al., 2002
Page 108 and 109:
BIBLIOGRAPHY [Juels, 2005b] A. Juel
Page 110 and 111:
BIBLIOGRAPHY [Oliveira et al., 2008
Page 112:
BIBLIOGRAPHY [Wiedersheim et al., 2
show all

Thesis

Create successful ePaper yourself

Delete template?

Save as template?