[go: up one dir, main page]

CN102693438A - Privacy protection radio frequency identification password protocol method and system - Google Patents

Privacy protection radio frequency identification password protocol method and system Download PDF

Info

Publication number
CN102693438A
CN102693438A CN2012101130041A CN201210113004A CN102693438A CN 102693438 A CN102693438 A CN 102693438A CN 2012101130041 A CN2012101130041 A CN 2012101130041A CN 201210113004 A CN201210113004 A CN 201210113004A CN 102693438 A CN102693438 A CN 102693438A
Authority
CN
China
Prior art keywords
tag
pseudonym
value
label
counter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2012101130041A
Other languages
Chinese (zh)
Other versions
CN102693438B (en
Inventor
王良民
茅冬梅
熊书明
罗斌
毛启容
单田华
赵俊杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu University
Original Assignee
Jiangsu University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Jiangsu University filed Critical Jiangsu University
Priority to CN201210113004.1A priority Critical patent/CN102693438B/en
Publication of CN102693438A publication Critical patent/CN102693438A/en
Application granted granted Critical
Publication of CN102693438B publication Critical patent/CN102693438B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Storage Device Security (AREA)

Abstract

本发明公开了一种隐私保护无线射频识别密码协议方法,包括:读写器产生随机数r1;标签产生随机数r2并计算h(Ψi x,c)以及a,连同c一同发给读写器;读写器根据c值查找h(Ψi x,c),根据h(Ψi x,c)获取标签假名Ψi x及密钥ki;计算a’,判断a’是否等于a,如果是则计算ki’,更新ki为ki’,Ψi,x为Ψi x-1,计算b和d,将b和d发送给标签;标签计算ki’、b’,判断b’是否等于b,如果是,计算更新标签假名为Ψi x-1、密钥为ki’,计数器值c增1。本发明能解决现有技术中隐私保护无线射频识别密码协议无法有效保护隐私的问题。

Figure 201210113004

The invention discloses a privacy protection radio frequency identification cryptographic protocol method, comprising: a reader generates a random number r 1 ; a tag generates a random number r 2 and calculates h(Ψ i , x , c) and a, and sends them together with c To the reader; the reader looks up h(Ψ i , x ,c) according to the value of c, and obtains the tag pseudonym Ψ i , x and key k i according to h(Ψ i , x , c); calculates a' and judges Is a' equal to a, if yes, calculate ki ', update ki to ki ', Ψ i, x is Ψ i , x-1 , calculate b and d, send b and d to the label; the label calculates k i ', b', judge whether b' is equal to b, if yes, calculate The pseudonym of the updated label is Ψ i , x-1 , the key is k i ', and the counter value c is incremented by 1. The invention can solve the problem that the privacy protection radio frequency identification encryption protocol in the prior art cannot effectively protect the privacy.

Figure 201210113004

Description

一种隐私保护无线射频识别密码协议方法及系统A privacy protection radio frequency identification cryptographic protocol method and system

技术领域 technical field

本发明涉及无线射频识别领域,特别涉及一种隐私保护无线射频识别密码协议方法及系统。The invention relates to the field of radio frequency identification, in particular to a privacy protection radio frequency identification cryptographic protocol method and system.

背景技术 Background technique

现有技术中,无线射频识别(RFID,Radio Frequency Identification)是众多自动识别技术的一种,其基本原理是利用射频信号和空间耦合(电感或电磁耦合)传输特性,实现对被识别物体的自动识别。基于RFID众多的优点,已经得到十分广泛的应用并且受到越来越多的关注。例如,在供应链中引入RFID技术,能够提高供应链的可视性,改善供应链的操作效率,为整个供应链提供高效的实时的信息,有效地预防偷盗、遗失和假冒的发生。In the prior art, radio frequency identification (RFID, Radio Frequency Identification) is one of many automatic identification technologies. Its basic principle is to use the transmission characteristics of radio frequency signals and space coupling (inductive or electromagnetic coupling) to realize automatic identification of identified objects. identify. Based on the many advantages of RFID, it has been widely used and attracted more and more attention. For example, the introduction of RFID technology in the supply chain can improve the visibility of the supply chain, improve the operational efficiency of the supply chain, provide efficient real-time information for the entire supply chain, and effectively prevent theft, loss and counterfeiting.

根据一般的供应链流程,一个供应链上有多个节点企业。每个基于RFID供应链的节点企业都控制着一组RFID读写器以及后端数据库。当物流到达时,供应链节点企业首先利用RFID读写器收集标签中包含的产品标记,然后通过搜寻后端数据库得到详细的产品信息,如果需要的话,还会更新标签的标记。系统模型如图1所示,其中,RFID系统主要分为两大部分,一个是读写器(Reader)与后端数据库(Backend Database)之间的部分,另一部分是标签(Tag)与读写器之间的部分。读写器和后端数据库具有较强的存储和计算能力,一般认为,读写器和后端数据库可以看作一个整体,可以假设它们之间的通信信道是安全的。According to the general supply chain process, there are multiple node enterprises in a supply chain. Each node enterprise based on RFID supply chain controls a group of RFID readers and back-end database. When the logistics arrives, the supply chain node enterprise first uses the RFID reader to collect the product marks contained in the label, and then obtains detailed product information by searching the back-end database, and updates the label mark if necessary. The system model is shown in Figure 1. Among them, the RFID system is mainly divided into two parts, one is the part between the reader (Reader) and the back-end database (Backend Database), and the other is the part between the tag (Tag) and the read-write between the parts. The reader and the back-end database have strong storage and computing capabilities. It is generally believed that the reader and the back-end database can be regarded as a whole, and the communication channel between them can be assumed to be safe.

在供应链系统中,带有标签的货物是成批处理的,读写器的处理量很大,因而对性能要求最高。如果读写器处理标签的速度很慢,则供应链的价值将不能很好的体现。因此,在供应链中识别一个标签的代价不能因为标签数量的增大而明显增大,即应该具备可扩展性要求。同时,在供应链中,由于人们不能感知射频信号的非法读取,隐私受到更多的关注。我们认为RFID系统中的隐私问题主要就是两类:一是电子标签信息的泄露;二是通过电子标签所发出的信息,攻击者可以对电子标签进行恶意跟踪。In the supply chain system, the goods with tags are processed in batches, and the processing volume of the reader is very large, so the performance requirements are the highest. If the reader is slow to process tags, the value of the supply chain will not be well reflected. Therefore, the cost of identifying a tag in the supply chain cannot increase significantly due to the increase in the number of tags, that is, it should have scalability requirements. At the same time, in the supply chain, privacy is more concerned because people cannot perceive the illegal reading of RF signals. We believe that there are two main types of privacy issues in RFID systems: one is the leakage of electronic tag information; the other is that attackers can maliciously track electronic tags through the information sent by electronic tags.

当前,实现RFID隐私保护所采用的方法主要有三大类:物理方法、密码机制以及二者的结合。采用密码机制进行智能标签的加密与认证,是研究者们更为关注的方法。近几年,为了保护RFID系统的安全与隐私,众多密码协议已经被提出,尽管协议的内容各不相同,但是他们可以根据认证标签的时间复杂度划分为三类:线性时间复杂度、对数级时间复杂度和常数级时间复杂度的协议。三类协议的优缺点比较见表1所示。由表一可见,只有常数级时间复杂度的协议能够满足供应链的需求。At present, the methods used to realize RFID privacy protection mainly fall into three categories: physical methods, cryptographic mechanisms, and a combination of the two. Using cryptographic mechanisms to encrypt and authenticate smart tags is a method that researchers are more concerned about. In recent years, in order to protect the security and privacy of RFID systems, many cryptographic protocols have been proposed. Although the contents of the protocols are different, they can be divided into three categories according to the time complexity of the authentication tag: linear time complexity, logarithmic A protocol with level time complexity and constant level time complexity. The advantages and disadvantages of the three types of protocols are compared in Table 1. It can be seen from Table 1 that only protocols with constant-level time complexity can meet the needs of the supply chain.

表一Table I

Figure BDA0000154243480000021
Figure BDA0000154243480000021

在实现本发明的过程中,发明人发现现有技术中的密码协议主要由常数级时间复杂度的协议组成,主要包括以下三种代表性的方法,各有优缺点,具体如下:In the process of realizing the present invention, the inventors found that the cryptographic protocols in the prior art are mainly composed of protocols with constant-level time complexity, mainly including the following three representative methods, each with advantages and disadvantages, as follows:

第一种方案是一种被称为LAST的方案,该方案是基于弱隐私模型提出来的挑战-响应机制,它声称能够保护用户的隐私并且具有较高的查询效率。其协议流程如图2所示。该协议的执行过程包括:The first scheme is a scheme called LAST, which is a challenge-response mechanism based on a weak privacy model, which claims to protect user privacy and has high query efficiency. The protocol flow is shown in Figure 2. The implementation process of the agreement includes:

1)读写器生成随机数r1,连同认证请求Request,发送给标签;1) The reader generates a random number r1, and sends it to the tag together with the authentication request Request;

2)标签生成随机数r2,计算V=H(r1,r2,ki),然后发送信息U=(r2,Indexi,V)给读写器。2) The tag generates a random number r2, calculates V=H(r1, r2, ki), and then sends information U=(r2, Indexi, V) to the reader.

3)读写器将(r1,U)转发给后端数据库。后端数据库查找Indexi,如果不存在,则输出false;否则根据(Ti,Indexi,ki)得到ki并计算V’=H(r1,r2,ki),如果V’≠V,则输出false;否则读写器认证标签的身份为Ti,并计算Indexi’=H(r1,r2,Indexi,ki),ki’=H(r1,r2,ki),更新数据库中的(Ti,Indexi,ki)为(Ti,Indexi’,ki’)。然后发送σ=H(r1,r2,ki’)给读写器。3) The reader forwards (r1, U) to the backend database. The back-end database searches Indexi, if it does not exist, then output false; otherwise, get ki according to (Ti, Indexi, ki) and calculate V'=H(r1, r2, ki), if V'≠V, output false; otherwise The identity of the reader authentication tag is Ti, and calculate Indexi'=H(r1, r2, Indexi, ki), ki'=H(r1, r2, ki), update (Ti, Indexi, ki) in the database as (Ti, Index i', ki'). Then send σ=H(r1, r2, ki') to the reader.

4)读写器发送σ给标签。标签首先计算ki’=H(r1,r2,ki)和σ’=H(r1,r2,ki’),如果σ=σ’,则标签更新(Indexi,ki)为(Indexi’,ki’);否则保持不变。4) The reader sends σ to the tag. The label first calculates ki'=H(r1,r2,ki) and σ'=H(r1,r2,ki'), if σ=σ', the label updates (Indexi,ki) to (Indexi',ki') ; otherwise remain unchanged.

在该技术中,虽然协议通过比对读写器返回的信息来验证读写器的身份,但是,读写器更新后的密钥信息即是标签上一步发送给读写器的信息,因此攻击者可以通过标签发送的信息来伪造合法读写器的返回信息,因此它没能真正认证读写器,同时标签下一次的密钥也被攻击者获知,因此也不能满足不可跟踪性及抵抗去同步攻击。In this technology, although the protocol verifies the identity of the reader by comparing the information returned by the reader, the updated key information of the reader is the information sent to the reader by the tag in the previous step, so the attack The attacker can forge the return information of the legal reader through the information sent by the tag, so it cannot really authenticate the reader, and the next key of the tag is also known by the attacker, so it cannot satisfy the untraceability and anti-resistance. Synchronous attack.

第二种方案是EA方案,EA方案的协议流程图如图3所示。该协议的执行过程如下:The second scheme is the EA scheme, and the protocol flowchart of the EA scheme is shown in FIG. 3 . The implementation of the protocol is as follows:

1)读写器生成随机数r1,并把它作为认证请求发送给标签;1) The reader generates a random number r1 and sends it to the tag as an authentication request;

2)标签生成另一个随机数r2,计算

Figure BDA0000154243480000031
M2=h(yi||r1||r2),然后发送{r2,M1,M2}给读写器。2) The label generates another random number r2, and calculates
Figure BDA0000154243480000031
M2=h(yi||r1||r2), and then send {r2, M1, M2} to the reader.

3)读写器将{r1,r2,M1,M2}转发给后端数据库。3) The reader forwards {r1, r2, M1, M2} to the backend database.

4)后端数据库计算并且搜索存储在数据库中的x和xold。如果匹配,则数据库使用表中相应的yi并检查M2是否等于h(yi||r1||r2)。如果相等,则数据库认证了标签Ti,否则发送错误信息给读写器来终止会话。读写器计算新的密钥

Figure BDA0000154243480000033
Figure BDA0000154243480000034
后端数据库计算
Figure BDA0000154243480000035
发送M3给读写器并且设置xold←xi,xi←xi*,yold←yi,yi←yi*。4) Back-end database calculation And search for x and xold stored in the database. If it matches, the database uses the corresponding yi in the table and checks if M2 is equal to h(yi||r1||r2). If they are equal, the database authenticates the tag Ti, otherwise an error message is sent to the reader to terminate the session. The reader calculates a new key
Figure BDA0000154243480000033
Figure BDA0000154243480000034
Back-end database computing
Figure BDA0000154243480000035
Send M3 to the reader and set xold←xi, xi←xi*, yold←yi, yi←yi*.

5)读写器把M3转发给标签。5) The reader forwards M3 to the tag.

6)标签检查M3是否等于

Figure BDA0000154243480000036
如果相等,则标签认证了读写器且设置xi*=M3,新密钥
Figure BDA0000154243480000037
并且xi←xi*,yi←yi*。否则xi,yi保持不变。6) The tag checks if M3 is equal to
Figure BDA0000154243480000036
If equal, the tag authenticated the reader and sets xi*=M3, the new key
Figure BDA0000154243480000037
And xi←xi*, yi←yi*. Otherwise xi, yi remain unchanged.

该方案中,为了缩短识别标签的时间,使识别标签的时间复杂度从线性变为常数级,所有标签共用一个密钥,因此,只要捕获一个标签,其他标签的密钥信息也就被攻击者知道,因此该协议也不能满足不可跟踪性。In this scheme, in order to shorten the time for identifying tags and change the time complexity of identifying tags from linear to constant level, all tags share a key. Therefore, as long as one tag is captured, the key information of other tags will also be captured by the attacker. Know, so this protocol also cannot satisfy untraceability.

第三种方案是ACJR方案,该方案中每个标签都有一个内部计数器c,并且预先存储一个秘密假名Ψ和一个密钥k。在一次成功的会话后,假名和密钥进行更新。然而,在每次认证失败后,计数器值增1。具体流程图如图4所示。该协议的执行过程如下:The third scheme is the ACJR scheme, in which each tag has an internal counter c, and a secret pseudonym Ψ and a key k are stored in advance. After a successful session, the pseudonym and key are updated. However, the counter value is incremented by 1 after each authentication failure. The specific flow chart is shown in Figure 4. The implementation of the protocol is as follows:

1)读写器生成随机数r,并把它作为认证请求发送给标签;1) The reader generates a random number r and sends it to the tag as an authentication request;

2)接收到r后,标签计算h(Ψ,c)和a=h(0,Ψ,c,k,r),然户计数器值加1。2) After receiving r, the tag calculates h(Ψ, c) and a=h(0, Ψ, c, k, r), and then adds 1 to the counter value.

3)根据h(Ψ,c),读写器访问后端数据库以识别标签,并获得标签的信息,包括假名Ψ,密钥k,以及新的假名Ψ’,根据a读写器认证标签。一旦标签被认证之后,读写器回复

Figure BDA0000154243480000038
Figure BDA0000154243480000039
和h(2Ψ’,k,a)。3) According to h(Ψ, c), the reader accesses the back-end database to identify the tag, and obtains the tag information, including pseudonym Ψ, key k, and new pseudonym Ψ', and authenticates the tag according to a. Once the tag is authenticated, the reader replies
Figure BDA0000154243480000038
Figure BDA0000154243480000039
and h(2Ψ', k, a).

4)通过标签提取出它新的假名Ψ’。通过h(2,Ψ’,k,a),标签认证读写器并且核实了收到的Ψ’。如果读写器被认证,标签把它的计数器归0并更新它的密钥k’=h(k)和假名Ψ’。否则协议终止。4) pass The label extracts its new pseudonym Ψ'. By h(2, Ψ', k, a), the tag authenticates the reader and verifies the received Ψ'. If the reader is authenticated, the tag resets its counter to 0 and updates its key k'=h(k) and pseudonym Ψ'. Otherwise the agreement is terminated.

该方案中,后端数据库还是需要根据标签返回的哈希值来识别标签的身份,但是它通过采用三层哈希表的数据结构,把识别标签的时间降为常数级。但是在该方案中,标签的假名与计数器的所有可能值都进行哈希,假名每次更新后还得重新计算新的假名与计数器的所有可能值的哈希值,所以后端数据库的计算量是相当大的。另外在该方案中,标签只要收到请求就增加计数器中c的值,为了能够抵抗去同步攻击,当c达到最大后,计数器重置为0,这样就引起了问题,攻击者可以根据前后相同的值来跟踪标签。In this solution, the back-end database still needs to identify the identity of the tag according to the hash value returned by the tag, but it reduces the time to identify the tag to a constant level by using a three-layer hash table data structure. However, in this scheme, the pseudonym of the label and all possible values of the counter are hashed, and the hash value of the new pseudonym and all possible values of the counter must be recalculated after each update of the pseudonym, so the calculation amount of the back-end database is quite large. In addition, in this scheme, as long as the tag receives a request, it increases the value of c in the counter. In order to resist desynchronization attacks, when c reaches the maximum value, the counter is reset to 0, which causes problems. Attackers can use the same value to track tags.

因而,现有技术中的采用密码机制进行智能标签的加密与认证来实现RFID隐私保护的方案中,均存在能被攻击者利用的漏洞,无法有效实现RFID隐私保护。Therefore, there are loopholes that can be exploited by attackers in the schemes in the prior art that implement RFID privacy protection by encrypting and authenticating smart tags using a cryptographic mechanism, and cannot effectively implement RFID privacy protection.

发明内容 Contents of the invention

为了解决现有技术中隐私保护无线射频识别密码协议存在可能被攻击者利用的漏洞,无法有效保护隐私的问题,本发明实施例提供了一种隐私保护无线射频识别密码协议方法及系统。所述技术方案如下:In order to solve the problem that the privacy protection radio frequency identification cryptographic protocol in the prior art has loopholes that may be exploited by attackers and cannot effectively protect privacy, the embodiment of the present invention provides a privacy protection radio frequency identification cryptographic protocol method and system. Described technical scheme is as follows:

一种隐私保护无线射频识别密码协议方法,该方法包括:A privacy protection radio frequency identification cryptographic protocol method, the method comprising:

读写器向标签发出认证请求,产生随机数r1并发送给标签;The reader sends an authentication request to the tag, generates a random number r 1 and sends it to the tag;

标签产生随机数r2并计算h(Ψi,x,c)以及a=h(r1,r2,ki)的值,连同c一同发给读写器;其中,所述Ψi,x为标签假名,c为计数器的值,ki为标签对应的密钥;The tag generates a random number r 2 and calculates the value of h(Ψ i, x , c) and a=h(r 1 , r 2 , k i ), and sends it to the reader along with c; wherein, the Ψ i, x is the pseudonym of the tag, c is the value of the counter, and k i is the key corresponding to the tag;

读写器根据c值在后端数据库中查找h(Ψi,x,c),如果后端数据库中不存在h(Ψi,x,c),则终止协议,流程结束;否则,根据查找到的h(Ψi,x,c)获取对应的标签假名Ψi,x及密钥kiThe reader looks up h(Ψ i, x , c) in the back-end database according to the value of c, if h(Ψ i, x , c) does not exist in the back-end database, the protocol is terminated, and the process ends; otherwise, according to the search Get h(Ψ i, x , c) to get the corresponding tag pseudonym Ψ i, x and key k i ;

计算a’=h(r1,r2,ki),并判断a’是否等于a,如果否则终止协议,流程结束;否则,计算k’i=h(r1,r2,Ψi,x,ki),更新ki为k’i,Ψi,x为Ψi,x-1,计算b=h(r1,r2,k’i)和

Figure BDA0000154243480000041
将b和d发送给标签;其中,所述Ψi,x=h(Ψi,x-1);Calculate a'=h(r 1 , r 2 , k i ), and judge whether a' is equal to a, if not, terminate the agreement and the process ends; otherwise, calculate k' i =h(r 1 , r 2 , Ψ i, x , k i ), update ki as k' i , Ψ i , x as Ψ i, x-1 , calculate b=h(r 1 , r 2 , k' i ) and
Figure BDA0000154243480000041
Send b and d to the tag; wherein, the Ψ i, x = h(Ψ i, x-1 );

标签计算k’i=h(r1,r2,Ψi,x,ki)、b’=h(r1,r2,k’i),判断b’是否等于b,如果否,则终止协议,流程结束;否则,计算

Figure BDA0000154243480000042
更新标签假名Ψi,x为Ψi,x-1、密钥ki为k’i,同时计数器值c增1。Label calculation k' i = h(r 1 , r 2 , Ψ i, x , ki ), b' = h(r 1 , r 2 , k' i ), judge whether b' is equal to b, if not, then Terminate the agreement, the process ends; otherwise, calculate
Figure BDA0000154243480000042
Update the label pseudonym Ψ i , x to Ψ i , x-1 , key k i to k' i , and increase the counter value c by 1.

该方法还包括:The method also includes:

设定隐私保护系统中一共有n个标签,i每个标签的编号,其中1≤i≤n;Set a total of n tags in the privacy protection system, and the number of each tag i, where 1≤i≤n;

后端数据库为每个标签选择一个随机数Ψi,0,预先计算Ψi,1=h(Ψi,0),Ψi,2=h(Ψi,1),...,Ψi,m-1=h(Ψi,m-2);The backend database selects a random number Ψ i,0 for each label, and precomputes Ψ i ,1 = h(Ψ i,0 ), Ψ i,2 =h(Ψ i,1 ),...,Ψ i , m-1 = h(Ψ i, m-2 );

后端数据库保存每个标签的Ψi,x,这些值将按逆序依次分配给标签作为其假名。The backend database saves Ψ i,x for each tag, and these values will be assigned to tags in reverse order as their pseudonyms.

该方法还包括:The method also includes:

每个标签都有一个内部计数器,计数器的值为c,其中,0≤c≤m-1;Each label has an internal counter, and the value of the counter is c, where 0≤c≤m-1;

后端数据库预先计算标签假名与计数器的值c的哈希值h(Ψi,x,c);The back-end database pre-calculates the hash value h(Ψ i, x , c) of the tag pseudonym and the value c of the counter;

在认证标签时,标签假名从哈希链的最后一个值开始,计数器的值从0开始,其中,x+c=m-1,即需要计算的哈希值分别为:h(Ψi,0,m-1),h(Ψi,1,m-2),...,h(Ψi,x,m-1-x),...,h(Ψi,m-1,0)。When authenticating a tag, the pseudonym of the tag starts from the last value of the hash chain, and the value of the counter starts from 0, where x+c=m-1, that is, the hash values to be calculated are: h(Ψ i, 0 , m-1), h(Ψ i, 1 , m-2), ..., h(Ψ i, x , m-1-x), ..., h(Ψ i, m-1 , 0 ).

该方法还包括:The method also includes:

用计数器的值c作为索引,并对同一c值不同标签的h(Ψi,x,c)按大小进行排序,由此产生一张链表并保存在后端数据库;在查询标签对应的h(Ψi,x,c)时,对同一c值不同标签的h(Ψi,x,c)采用二分法查找。Use the value c of the counter as an index, and sort h(Ψ i, x , c) with the same c value and different labels according to size, thereby generating a linked list and saving it in the back-end database; when querying the label corresponding to h( Ψ i, x , c), use binary search for h(Ψ i, x , c) with the same c value and different labels.

该方法还包括:The method also includes:

每个标签的所有假名都对应相同的密钥及其它信息,当假名更新时,更新后的假名所指的标签密钥才更新,而先前的假名所指向标签密钥不改变。All pseudonyms of each label correspond to the same key and other information. When the pseudonym is updated, the key of the label pointed to by the updated pseudonym is updated, while the key of the label pointed to by the previous pseudonym remains unchanged.

该方法还包括:The method also includes:

当计数器的值c达到最大m-1时,后端数据库为标签选取另一随机数,产生另一哈希链作为标签下一轮的假名Ψi,x,同时c重置为0;When the value c of the counter reaches the maximum m-1, the backend database selects another random number for the tag, generates another hash chain as the pseudonym Ψ i, x for the next round of the tag, and resets c to 0;

后端数据库再预先计算标签假名与计数器值的哈希值h(Ψ’i,x,c)。The back-end database pre-calculates the hash value h(Ψ' i, x , c) of the tag pseudonym and the counter value.

该方法还包括:The method also includes:

每个标签中存储它当前的假名Ψi,x、计数器的值c以及密钥ki,其中1≤i≤n;Each tag stores its current pseudonym Ψ i, x , counter value c and key k i , where 1≤i≤n;

初始时c=0,标签假名为Ψi,m-1Initially, c=0, and the pseudonym of the label is Ψ i,m-1 .

一种隐私保护无线射频识别密码协议系统,该系统包括读写器和标签,其中,A privacy protection radio frequency identification cryptographic protocol system, the system includes a reader and a tag, wherein,

所述读写器,用于向标签发出认证请求,产生随机数r1并发送给标签;根据c值在后端数据库中查找h(Ψi,x,c);根据查找到的h(Ψi,x,c)获取对应的标签假名Ψi,x及密钥ki;计算a’=h(r1,r2,ki),并判断a’是否等于a;计算k’i=h(r1,r2,Ψi,x,ki),更新ki为k’i,Ψi,x为Ψi,x-1,计算b=h(r1,r2,k’i)和将b和d发送给标签;The reader is used to send an authentication request to the tag, generate a random number r 1 and send it to the tag; look up h(Ψ i, x , c) in the back-end database according to the c value; according to the found h(Ψ i, x , c) Obtain the corresponding tag pseudonym Ψ i, x and key k i ; calculate a'=h(r 1 , r 2 , k i ), and judge whether a' is equal to a; calculate k' i = h(r 1 , r 2 , Ψ i, x , k i ), update ki to k' i , Ψ i, x to Ψ i, x-1 , calculate b=h(r 1 , r 2 , k' i ) and send b and d to the label;

所述标签,用于产生随机数r2并计算h(Ψi,x,c)以及a=h(r1,r2,ki)的值,连同c一同发给读写器;计算k’i=h(r1,r2,Ψi,x,ki)、b’=h(r1,r2,k’i),判断b’是否等于b;计算

Figure BDA0000154243480000052
更新标签假名Ψi,x为Ψi,x-1、密钥ki为k’i,同时计数器值c增1。The tag is used to generate a random number r 2 and calculate the value of h(Ψ i, x , c) and a=h(r 1 , r 2 , k i ), and send it to the reader along with c; calculate k ' i =h(r 1 , r 2 , Ψ i, x , ki ) , b'=h(r 1 , r 2 , k' i ), judge whether b' is equal to b; calculate
Figure BDA0000154243480000052
Update the label pseudonym Ψ i , x to Ψ i , x-1 , key k i to k' i , and increase the counter value c by 1.

所述读写器进一步包括认证单元、第一随机数单元、后端数据库、第一判断单元和第一计算单元,其中,The reader/writer further includes an authentication unit, a first random number unit, a backend database, a first judgment unit and a first calculation unit, wherein,

所述认证单元,用于向标签发出认证请求;The authentication unit is configured to send an authentication request to the tag;

所述第一随机数单元,用于产生随机数r1The first random number unit is used to generate a random number r 1 ;

所述后端数据库,用于存储和查询标签的假名、密钥、随机数以及计数器信息;The back-end database is used to store and query tag pseudonyms, keys, random numbers and counter information;

所述第一判断单元,用于判断后端数据库中是否存在h(Ψi,x,c);判断a’是否等于a;The first judging unit is used to judge whether h(Ψ i, x , c) exists in the back-end database; judge whether a' is equal to a;

所述第一计算单元,用于计算a’=h(r1,r2,ki)、k’i=h(r1,r2,Ψi,x,ki)、b=h(r1,r2,k’i)和 d = Ψ i , x ⊕ Ψ i , x - 1 . The first calculation unit is used to calculate a'=h(r 1 , r 2 , ki ), k' i =h(r 1 , r 2 , Ψ i, x , ki ), b=h( r 1 , r 2 , k' i ) and d = Ψ i , x ⊕ Ψ i , x - 1 .

所述标签进一步包括第二随机数单元、第二计算单元、计数器单元、假名密钥单元和第二判断单元,其中,The tag further includes a second random number unit, a second calculation unit, a counter unit, a pseudonym key unit and a second judging unit, wherein,

所述第二随机数单元,用于产生随机数r2The second random number unit is used to generate a random number r 2 ;

所述第二计算单元,用于计算h(Ψi,x,c)、a=h(r1,r2,ki)、k’i=h(r1,r2,Ψi,x,ki)和b’=h(r1,r2,k’i);The second calculation unit is used to calculate h(Ψ i, x , c), a=h(r 1 , r 2 , k i ), k' i =h(r 1 , r 2 , Ψ i, x , k i ) and b'=h(r 1 , r 2 , k' i );

所述计数器单元,用于产生和更新计数器的值c;The counter unit is used to generate and update the value c of the counter;

所述假名密钥单元,用于存储和更新标签的假名和密钥;The pseudonym key unit is used to store and update the pseudonym and key of the tag;

所述第二判断单元,用于判断b’是否等于b。The second judging unit is used to judge whether b' is equal to b.

本发明实施例提供的技术方案带来的有益效果是:The beneficial effects brought by the technical solution provided by the embodiments of the present invention are:

通过读写器与标签分别产生不同的随机数,标签根据自身的假名、计数器的值以及两个随机数经过哈希函数加密传送,读写器在后端数据库中查找相应的标签假名对应的信息并核对相关信息是否准确,读写器经过计算更新标签密钥和假名,并经过哈希函数加密传送给标签,标签验证后更新自身的假名和密钥,并更新计数器的值。本发明实施例提供的方案,标签的密钥每次都由哈希函数加密传送,且每次都由不同的随机数r1,r2对哈希函数进行混淆,每个标签的密钥信息都没有关联,攻击者很难得到标签的密钥信息,因而确保了信息安全。同时,标签的假名和密钥信息每次都以不同的值传送,因此即使攻击者对两个标签连续不断的发送请求,他也不能区别两个标签。每个标签只需要存储3个秘密信息,标签假名其实只与计数器的一个值进行哈希,都大大的提高了运算的效率。因而,本发明实施例提供的方案极大的提高了密码协议的安全性和快捷性,可以有效实现RFID隐私保护。Different random numbers are generated by the reader and the tag respectively, and the tag is encrypted and transmitted according to its own pseudonym, the value of the counter and two random numbers through a hash function, and the reader searches the back-end database for information corresponding to the corresponding tag pseudonym And check whether the relevant information is accurate, the reader updates the tag key and pseudonym through calculation, and encrypts and sends it to the tag through the hash function. After the tag is verified, it updates its own pseudonym and key, and updates the value of the counter. In the solution provided by the embodiment of the present invention, the key of the label is encrypted and transmitted by the hash function every time, and the hash function is confused by different random numbers r 1 and r 2 each time, and the key information of each label There is no correlation, and it is difficult for an attacker to obtain the key information of the tag, thus ensuring information security. At the same time, the tag's pseudonym and key information are transmitted with different values each time, so even if the attacker sends requests to the two tags continuously, he cannot distinguish the two tags. Each label only needs to store 3 secret information, and the pseudonym of the label is actually only hashed with a value of the counter, which greatly improves the efficiency of the operation. Therefore, the solution provided by the embodiment of the present invention greatly improves the security and quickness of the cryptographic protocol, and can effectively realize RFID privacy protection.

附图说明 Description of drawings

为了更清楚地说明本发明实施例中的技术方案,下面将对实施例描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings that need to be used in the description of the embodiments will be briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention. For those skilled in the art, other drawings can also be obtained based on these drawings without creative effort.

图1是现有技术中的隐私保护系统模型示意图;FIG. 1 is a schematic diagram of a privacy protection system model in the prior art;

图2是现有技术中LAST方案协议流程图;Fig. 2 is a flow chart of the LAST scheme protocol in the prior art;

图3是现有技术中EA方案协议流程图;Fig. 3 is the flow chart of EA scheme protocol in the prior art;

图4是现有技术中ACJR方案协议流程图;Fig. 4 is the ACJR scheme protocol flowchart in the prior art;

图5是本发明实施例1提供的隐私保护无线射频识别密码协议方法原理流程图;Fig. 5 is a flowchart of the principles of the privacy protection radio frequency identification cryptographic protocol method provided by Embodiment 1 of the present invention;

图6是本发明实施例中标签假名分配示意图;Fig. 6 is a schematic diagram of label pseudonym allocation in the embodiment of the present invention;

图7是本发明实施例2提供的密码协议方案流程示意图;FIG. 7 is a schematic flow diagram of a cryptographic protocol scheme provided by Embodiment 2 of the present invention;

图8是本发明实施例3提供的密码协议方案流程示意图;FIG. 8 is a schematic flow diagram of a cryptographic protocol scheme provided by Embodiment 3 of the present invention;

图9是本发明实施例5提供的读写器结构示意图;FIG. 9 is a schematic structural diagram of the reader/writer provided by Embodiment 5 of the present invention;

图10是本发明实施例6提供的标签结构示意图。Fig. 10 is a schematic diagram of the label structure provided by Embodiment 6 of the present invention.

具体实施方式 Detailed ways

为使本发明的目的、技术方案和优点更加清楚,下面将结合附图对本发明实施方式作进一步地详细描述。In order to make the object, technical solution and advantages of the present invention clearer, the implementation manner of the present invention will be further described in detail below in conjunction with the accompanying drawings.

针对隐私保护RFID系统,本发明实施例设计了一个只需要执行异或和哈希操作的轻量级协议LSP,它的识别效率为O(1),满足供应链可扩展性需求,同时LSP协议能够很好的同时满足保密性、不可跟踪性、前向安全、认证读写器等四项隐私保护需求,并且能够抵抗去同步攻击。For the privacy protection RFID system, the embodiment of the present invention designs a lightweight protocol LSP that only needs to perform XOR and hash operations. Its recognition efficiency is O(1), which meets the scalability requirements of the supply chain. At the same time, the LSP protocol It can well meet the four privacy protection requirements of confidentiality, untraceability, forward security, and authenticated readers at the same time, and can resist desynchronization attacks.

为了防止背景技术中所述的现有技术一中所存在问题的出现,使攻击者不能通过标签所发送的信息来推断标签的秘密信息,在本方案中,我们严格注意读写器更新的标签密钥、假名信息以及读写器发送的信息与攻击者所能获得的标签发送的信息绝不相同,这样也杜绝了攻击者假冒读写器的情况发生。In order to prevent the problems existing in the prior art 1 described in the background technology, so that the attacker cannot infer the secret information of the tag through the information sent by the tag, in this solution, we strictly pay attention to the tag updated by the reader The key, pseudonym information, and the information sent by the reader are not the same as the information sent by the tag obtained by the attacker, which also prevents the attacker from counterfeiting the reader.

为了防止背景技术中所述的现有技术二中所存在问题的出现,本方案中所有标签没有共用一个密钥,但是我们识别标签的时间还是常数级。In order to prevent the problems existing in the second prior art described in the background art, all tags in this solution do not share a key, but the time for us to identify tags is still at a constant level.

为了防止去同步攻击,本方案在计数器的值达到最大时同样重置为0,但是与背景技术中所述的现有技术三所不同的是,在c重置为0时,后端数据库为标签选取另一随机数,产生另一哈希链作为标签下一轮的假名,即计数器与假名的哈希值与上一轮是不同的。In order to prevent desynchronization attacks, this solution also resets the value of the counter to 0 when the value of the counter reaches the maximum, but the difference from the prior art 3 described in the background technology is that when c is reset to 0, the backend database is The tag selects another random number and generates another hash chain as the pseudonym of the next round of the tag, that is, the hash value of the counter and pseudonym is different from the previous round.

本方案的标签假名其实只与计数器的一个值进行哈希,在本轮假名用完后才重新计算,这样大大减轻了后端数据库的计算量。In this solution, the label pseudonym is actually only hashed with a value of the counter, and it is recalculated after the current round of pseudonym is used up, which greatly reduces the calculation amount of the back-end database.

本发明实施例中,以供应链环境下的隐私保护密码协议为例,说明本发明实施例的原理和方案,实际上,本发明实施例提供的方案,可以应用于各种隐私保护的环境下,而不仅仅限制于供应链环境下。In the embodiments of the present invention, the principles and solutions of the embodiments of the present invention are described by taking the privacy protection encryption protocol in the supply chain environment as an example. In fact, the solutions provided by the embodiments of the present invention can be applied in various privacy protection environments , not limited to the supply chain environment.

实施例1Example 1

如图5所示,本发明实施例1提供一种隐私保护无线射频识别密码协议方法,具体包括以下步骤:As shown in Figure 5, Embodiment 1 of the present invention provides a privacy-protecting radio frequency identification cryptographic protocol method, which specifically includes the following steps:

步骤10,读写器向标签发出认证请求,产生随机数r1并发送给标签。Step 10, the reader sends an authentication request to the tag, generates a random number r 1 and sends it to the tag.

本发明实施例所指的读写器,其实包括了后端数据库,实际应用中,读写器与后端数据库并不相同,而是需要通过通信链路连接。由于连接的通信链路可以认为是安全的,因而为了叙述简便,本发明实施例中忽略了读写器与后端数据库的连接安全问题,将二者看作一个整体。The reader-writer referred to in the embodiment of the present invention actually includes a back-end database. In practical applications, the reader-writer and the back-end database are not the same, but need to be connected through a communication link. Since the connected communication link can be considered safe, for the sake of simplicity of description, the embodiment of the present invention ignores the problem of connection security between the reader-writer and the back-end database, and regards the two as a whole.

读写器向标签发出认证请求的时候,需要自身产生一个随机数r1,并将该随机数发送给标签。When the reader sends an authentication request to the tag, it needs to generate a random number r 1 by itself, and send the random number to the tag.

步骤20,标签产生随机数r2并计算h(Ψi,x,c)以及a=h(r1,r2,ki)的值,连同c一同发给读写器。Step 20, the tag generates a random number r 2 and calculates the value of h(Ψ i, x , c) and a=h(r 1 , r 2 , ki ) , and sends it to the reader along with c.

标签接收到认证请求后,产生随机数r2,根据自身的假名Ψi,x和计数器的值c进行哈希函数计算,得到哈希值。标签进一步结合自身的密钥ki、以及两个随机数r1,r2经过哈希计算得到a,a将用于后续的认证计算。After the tag receives the authentication request, it generates a random number r 2 , performs hash function calculation according to its own pseudonym Ψ i, x and the value c of the counter, and obtains the hash value. The tag further combines its own key ki and two random numbers r 1 and r 2 to obtain a through hash calculation, and a will be used for subsequent authentication calculations.

实际上,本发明实施例的设计原理中,首先假设隐私保护系统中一共有n个标签,其中1≤i≤n,i为每个标签的编号。后端数据库为每个标签选择一个随机数Ψi,0,预先计算Ψi,1=h(Ψi,0),Ψi,2=h(Ψi,1),...,Ψi,m-1=h(Ψi,m-2)。后端数据库保存每个标签的Ψi,x,这些值将按逆序依次分配给标签作为其假名,具体如图6所示。In fact, in the design principle of the embodiment of the present invention, it is first assumed that there are n tags in the privacy protection system, where 1≤i≤n, and i is the number of each tag. The backend database selects a random number Ψ i,0 for each label, and precomputes Ψ i ,1 = h(Ψ i,0 ), Ψ i,2 =h(Ψ i,1 ),...,Ψ i , m-1 = h(Ψ i, m-2 ). The back-end database saves the Ψ i,x of each tag, and these values will be assigned to the tags in reverse order as their pseudonyms, as shown in Figure 6.

同时,每个标签都有一个内部计数器,其中0≤c≤m-1。后端数据库预先计算标签假名与计数器的值c的哈希值h(Ψi,x,c)。这样能够大大缩短识别标签时间。因为在认证标签时,标签假名从哈希链的最后一个值开始,而计数器的值从0开始,因此这里x+c=m-1,即h(Ψi,0,m-1),h(Ψi,1,m-2),…,h(Ψi,x,m-1-x),…,h(Ψi,m-1,0)。后端数据库结构如下表2所示。Meanwhile, each tag has an internal counter where 0≤c≤m-1. The back-end database pre-calculates the hash value h(Ψ i, x , c) of the tag pseudonym and the value c of the counter. This can greatly reduce the time to identify tags. Because when authenticating a tag, the tag pseudonym starts from the last value of the hash chain, and the value of the counter starts from 0, so here x+c=m-1, namely h(Ψ i, 0 , m-1), h (Ψi ,1 ,m-2),...,h(Ψi ,x ,m-1-x),...,h(Ψi ,m-1,0 ). The backend database structure is shown in Table 2 below.

表二Table II

  h(Ψ1,0,m-1)h(Ψ 1 , 0 , m-1)   h(Ψi,0,m-1)h(Ψi ,0 ,m-1)   h(Ψn,0,m-1)h(Ψn ,0 ,m-1)   h(Ψ1,1,m-2)h(Ψ 1 , 1 , m-2)   h(Ψi,1,m-2)h(Ψi ,1 ,m-2)   h(Ψn,1,m-2)h(Ψn ,1 ,m-2)   … ...   … ...   … ...   h(Ψ1,m-1,0)h(Ψ 1, m-1 , 0)   h(Ψi,m-1,0)h(Ψi , m-1 , 0)   h(Ψn,m-1,0)h(Ψn , m-1 , 0)

为了更加加快识别标签的速度,我们把计数器的值c作为索引,并对同一c值不同标签的h(Ψi,x,c)按大小进行排序,由此产生一张链表,如图6所示。随后对同一c值不同标签的h(Ψi,x,c)采用二分法查找,这样可以进一步加快了识别标签的速度。In order to speed up the identification of labels, we use the value c of the counter as an index, and sort h(Ψ i, x , c) of different labels with the same c value according to the size, thus generating a linked list, as shown in Figure 6 Show. Then use binary search for h(Ψ i, x , c) of different labels with the same c value, which can further speed up the identification of labels.

这里需要说明的是,一开始,每个标签的所有假名都对应相同的密钥及其它信息,当假名更新时,更新后的假名所指的标签密钥才更新,而先前的假名所指向标签密钥不改变。What needs to be explained here is that at the beginning, all pseudonyms of each label correspond to the same key and other information. When the pseudonym is updated, the key of the label pointed to by the updated pseudonym is updated, while the previous pseudonym The key does not change.

当计数器的值c达到最大m-1时,后端数据库为标签选取另一随机数,产生另一哈希链作为标签下一轮的假名Ψ’i,x,同时c重置为0。后端数据库再预先计算标签假名与计数器值的哈希值h(Ψ’i,x,c),其他步骤同上。When the value c of the counter reaches the maximum m-1, the backend database selects another random number for the label, and generates another hash chain as the pseudonym Ψ' i, x for the next round of the label, and c is reset to 0 at the same time. The back-end database pre-calculates the hash value h(Ψ' i, x , c) of the tag pseudonym and the counter value, and the other steps are the same as above.

每个标签Ti中存储它当前的假名Ψi,x,计数器的值c以及密钥ki,其中1≤i≤n。初始时c=0,标签假名为Ψi,m-1Each tag T i stores its current pseudonym Ψ i, x , counter value c and key ki , where 1≤i≤n. Initially, c=0, and the pseudonym of the label is Ψ i,m-1 .

步骤30,读写器根据c值在后端数据库中查找h(Ψi,x,c),如果后端数据库中不存在h(Ψi,x,c),则终止协议,流程结束;否则,根据查找到的h(Ψi,x,c)获取对应的标签假名Ψi,x及密钥kiStep 30, the reader searches for h(Ψ i, x , c) in the back-end database according to the value of c, if h(Ψ i, x , c) does not exist in the back-end database, the protocol is terminated, and the process ends; otherwise , obtain the corresponding tag pseudonym Ψ i, x and key k i according to the searched h(Ψ i, x , c).

读写器接收到标签发送的内容后,根据接收到的c值在后端数据库中查找h(Ψi,x,c)。实际上,后端数据库中包括所有标签的假名、相应的哈希值、密钥以及对应的计数器的值,这里,根据接收到的c值可以在后端数据库中查找,看是否能找到。如果能找到,说明该接收到的标签信息是正确的,没有受到攻击,否则,后端数据库中没有该标签的信息,则很可能是受到了攻击,因而,需要终止协议,流程结束。After the reader receives the content sent by the tag, it looks up h(Ψ i, x , c) in the back-end database according to the received c value. In fact, the back-end database includes the pseudonyms of all tags, corresponding hash values, keys, and corresponding counter values. Here, according to the received c value, you can search in the back-end database to see if you can find it. If it can be found, it means that the received tag information is correct and has not been attacked. Otherwise, if there is no information about the tag in the backend database, it is likely to be attacked. Therefore, the protocol needs to be terminated and the process ends.

如果可以查找到相同的c值,进一步读写器根据查找到的h(Ψi,x,c)获取对应的标签假名Ψi,x及密钥ki。这里,就是从后端数据库中找到该标签的相应信息,以备后续的比较和认证使用。If the same value of c can be found, the reader further obtains the corresponding tag pseudonym Ψ i, x and key k i according to the found h(Ψ i, x , c). Here, the corresponding information of the tag is found from the back-end database for subsequent comparison and authentication.

步骤40,计算a’=h(r1,r2,ki),并判断a’是否等于a,如果否则终止协议,流程结束;否则,计算k’i=h(r1,r2,Ψi,x,ki),更新ki为k’i,Ψi,x为Ψi,x-1,计算b=h(r1,r2,k’i)和

Figure BDA0000154243480000091
将b和d发送给标签;其中,所述Ψi,x=h(Ψi,x-1)。Step 40, calculate a'=h(r 1 , r 2 , k i ), and judge whether a' is equal to a, if not, terminate the agreement and the process ends; otherwise, calculate k' i =h(r 1 , r 2 , Ψ i, x , k i ), update ki to k' i , Ψ i, x to Ψ i, x-1 , calculate b=h(r 1 , r 2 , k' i ) and
Figure BDA0000154243480000091
Send b and d to the tag; where, the Ψ i,x =h(Ψ i,x-1 ).

读写器根据查找到的标签的信息,进一步计算a’=h(r1,r2,ki),将这个a’与接收到的标签发送的a相比较,判断是否相等。如果相等,说明信息无误,否则,说明接收到的标签的信息已经被更改过或者发生了错误,很可能是受到了攻击,因而,需要终止协议,流程结束。The reader/writer further calculates a'=h(r 1 , r 2 , ki ) according to the found tag information, and compares this a' with the a sent by the received tag to determine whether they are equal. If they are equal, it means that the information is correct; otherwise, it means that the information of the received tag has been changed or an error has occurred, and it is likely to be attacked. Therefore, the protocol needs to be terminated and the process ends.

读写器继续计算k’i=h(r1,r2,Ψi,x,ki),也就是根据后端数据库中存储的Ψi,x,ki以及接收到的标签发送的r1,r2经过哈希算法得到k’i,然后更新ki为k’i,Ψi,x为Ψi,x-1The reader continues to calculate k' i = h(r 1 , r 2 , Ψ i, x , ki ), that is, according to the Ψ i, x , ki stored in the back-end database and the r sent by the received tag 1 , r 2 get k' i through the hash algorithm, and then update k i to k' i , Ψ i, x to Ψ i, x-1 .

计算b=h(r1,r2,k’i)和

Figure BDA0000154243480000092
将k’i、Ψi,x-1、b和d发送给标签。Compute b=h(r 1 , r 2 , k' i ) and
Figure BDA0000154243480000092
Send k' i , Ψ i , x-1 , b and d to the label.

步骤50,标签计算k’i=h(r1,r2,Ψi,x,ki)、b’=h(r1,r2,k’i),判断b’是否等于b,如果否,则终止协议,流程结束;否则,计算

Figure BDA0000154243480000093
更新标签假名Ψi,x为Ψi,x-1、密钥ki为k’i,同时计数器值c增1。Step 50, the label calculates k' i = h(r 1 , r 2 , Ψ i, x , k i ), b' = h(r 1 , r 2 , k' i ), and judges whether b' is equal to b, if If not, the agreement is terminated and the process ends; otherwise, the calculation
Figure BDA0000154243480000093
Update the label pseudonym Ψ i , x to Ψ i , x-1 , key k i to k' i , and increase the counter value c by 1.

标签在收到读写器发来的信息后,根据自身存储的r1,r2,Ψi,x,ki计算k’i=h(r1,r2,Ψi,x,ki),并计算b’=h(r1,r2,k’i)。然后,将b’与接收到的b相比较,看是否相等。如果相等,说明接收到的信息无误,否则,说明接收到的信息出现错误,可能受到了攻击,需要终止协议,流程结束。After receiving the information sent by the reader, the tag calculates k' i = h( r 1 , r 2 , Ψ i, x , ki ), and calculate b'=h(r 1 , r 2 , k' i ). Then, b' is compared with the received b to see if they are equal. If they are equal, it means that the received information is correct, otherwise, it means that the received information is wrong and may be attacked, the protocol needs to be terminated, and the process ends.

进一步,继续计算

Figure BDA0000154243480000101
然后更新标签假名Ψi,x为Ψi,x-1、密钥ki为k’i,同时计数器值c增1。Further, continue to calculate
Figure BDA0000154243480000101
Then update the label pseudonym Ψ i , x to Ψ i , x-1 , key k i to k' i , and increase the counter value c by 1.

这时,一个完整的密码协议过程就完成了。整个过程与现有的密码协议相比,有着以下几方面的特点:At this time, a complete cryptographic protocol process is completed. Compared with the existing cryptographic protocols, the whole process has the following characteristics:

保密性:在本发明实施例提供的协议中,标签的密钥每次都由哈希函数加密传送,且每次都由不同的随机数r1,r2对哈希函数进行混淆。由哈希函数的不可逆性,攻击者很难知道标签的密钥信息。同时,本协议中,每个标签的密钥信息都没有关联,因此,即使俘获了一个标签,攻击者也很难知道其他标签的信息。另外在成功认证标签后,标签的密钥信息还要进行更新。因此,标签的物品信息不会被非法读写器获知,满足了保密性。Confidentiality: In the protocol provided by the embodiment of the present invention, the key of the tag is encrypted and transmitted by the hash function each time, and the hash function is confused by different random numbers r 1 and r 2 each time. Due to the irreversibility of the hash function, it is difficult for an attacker to know the key information of the tag. At the same time, in this protocol, the key information of each tag is not associated, so even if a tag is captured, it is difficult for an attacker to know the information of other tags. In addition, after the tag is successfully authenticated, the key information of the tag needs to be updated. Therefore, the item information of the tag will not be known by the illegal reader, which satisfies the confidentiality.

不可跟踪性:在本发明实施例提供的协议中,标签的假名和密钥信息每次都以不同的值传送,因此即使攻击者对两个标签连续不断的发送请求,他也不能区别两个标签。所以攻击者不能根据标签的应答信息来跟踪标签,获得标签的位置信息。Untraceability: In the protocol provided by the embodiment of the present invention, the tag’s pseudonym and key information are transmitted with different values each time, so even if the attacker continuously sends requests to the two tags, he cannot distinguish between the two tags. Label. Therefore, the attacker cannot track the tag according to the response information of the tag and obtain the location information of the tag.

前向安全:假设攻击者知道了标签的当前密钥k’i,根据哈希函数的不可逆性,他也不能通过k’i=h(r1,r2,Ψi,x,ki)来获得标签的先前密钥ki。因此,攻击者永远无法将标签的现有状态与以前的状态联系起来。Forward security: Assuming that the attacker knows the current key k' i of the tag, according to the irreversibility of the hash function, he cannot pass k' i =h(r 1 , r 2 , Ψ i, x , k i ) to get the previous key ki of the tag. Therefore, an attacker can never link the label's existing state with its previous state.

认证读写器:标签在检查过b’=b的情况下,才会更新他的信息。由哈希函数的不可逆性,只有知道ki’才能计算出h(r1,r2,ki’),而只有知道Ψi,x及ki才能计算出ki’=h(r1,r2,Ψi,x,ki)。因为只有合法读写器才能知道Ψi,x及ki,因此标签认证了读写器。Authentication reader: the tag will update its information only after checking b'=b. Due to the irreversibility of the hash function, h(r 1 , r 2 , ki ') can only be calculated by knowing ki ', and ki '=h(r 1 can only be calculated by knowing Ψ i, x and ki , r 2 , Ψ i, x , k i ). Since only legitimate readers can know Ψ i , x and ki , the tag authenticates the reader.

在本发明实施例提供的协议中,每个标签只需要存储3个秘密信息,和同类协议相比没有增加额外的负担,但是和现存的其他识别时间不是常数级的众多的协议相比,标签的存储优势却是相当明显的。而后端数据库的存储量为O(mn),假设n=106,m=106,后端数据库所需的内存也不会超过12TB,随着电路制造工艺的不断提升,这也是很容易实现的。在该协议中最基本的操作是哈希函数,每一次认证,标签只需要进行4次哈希运算,读写器只需要3次哈希函数。和同类协议相比,LSP协议并没有增加标签的计算量,读写器的计算量也和其他同类协议相当。同时后端数据库识别标签的时间复杂度为O(1),满足隐私保护系统的可扩展性要求。In the protocol provided by the embodiment of the present invention, each tag only needs to store 3 secret information, and there is no additional burden compared with similar protocols, but compared with other existing protocols whose identification time is not constant, the tag The storage advantage is quite obvious. The storage capacity of the back-end database is O(mn). Assuming n=10 6 and m=10 6 , the memory required by the back-end database will not exceed 12TB. With the continuous improvement of the circuit manufacturing process, this is also very easy to achieve of. The most basic operation in this protocol is the hash function. For each authentication, the tag only needs to perform 4 hash operations, and the reader only needs 3 hash functions. Compared with similar protocols, the LSP protocol does not increase the calculation amount of the tag, and the calculation amount of the reader is also equivalent to other similar protocols. At the same time, the time complexity of identifying tags in the back-end database is O(1), which meets the scalability requirements of the privacy protection system.

在其他方案中,标签的假名与计数器的所有可能值都进行哈希,假名每次更新后还得重新计算新的假名与计数器的所有可能值的哈希值,所以后端数据库的计算量是相当大的。本方案的标签假名其实只与计数器的一个值进行哈希,在本轮假名用完后才重新计算,这样大大减轻了后端数据库的计算量。In other schemes, all possible values of the tag’s pseudonym and the counter are hashed, and the hash value of the new pseudonym and all possible values of the counter must be recalculated after each update, so the calculation amount of the back-end database is quite large. In this solution, the label pseudonym is actually only hashed with a value of the counter, and it is recalculated after the current round of pseudonym is used up, which greatly reduces the calculation amount of the back-end database.

实施例2Example 2

如图7所示,本发明实施例2提供的方案中,读写器向标签发出认证请求,产生随机数r1并发送给标签。标签产生随机数r2并计算h(Ψi,x,c)以及a=h(r1,r2,ki)的值,将这些值连同计数器的值c一同发给读写器。读写器在接受到标签发送的信息后,首先根据c值查找出h(Ψi,x,c),如果不存在则终止协议,否则得到标签相应的假名Ψi,x及密钥ki。计算a’=h(r1,r2,ki)是否与a相等,如果不相等则终止协议,否则计算k’i=h(r1,r2,Ψi,x,ki),更新ki为k’i、Ψi,x为Ψi,x-1。计算b=h(r1,r2,k’i)和

Figure BDA0000154243480000111
并发送给标签。标签在接收到信息后,首先计算k’i=h(r1,r2,Ψi,x,ki)、b’=h(r1,r2,k’i),如果b’≠b,则终止协议,否则计算
Figure BDA0000154243480000112
更新假名Ψi,x为Ψi,x-1、密钥ki为k’i,同时计数器值c增1。As shown in FIG. 7 , in the solution provided by Embodiment 2 of the present invention, the reader/writer sends an authentication request to the tag, generates a random number r 1 and sends it to the tag. The tag generates a random number r 2 and calculates the values of h(Ψ i, x , c) and a=h(r 1 , r 2 , ki ) , and sends these values together with the value c of the counter to the reader. After receiving the information sent by the tag, the reader first finds out h(Ψ i, x , c) according to the value of c, and if it does not exist, the protocol is terminated; otherwise, the pseudonym Ψ i, x and key k i corresponding to the tag are obtained . Calculate whether a'=h(r 1 , r 2 , k i ) is equal to a, if not, terminate the protocol, otherwise calculate k' i =h(r 1 , r 2 , Ψ i, x , k i ), Update ki to k' i , Ψ i , and x to Ψ i, x-1 . Compute b=h(r 1 , r 2 , k' i ) and
Figure BDA0000154243480000111
and sent to the label. After the tag receives the information, it first calculates k'i=h(r 1 , r 2 , Ψ i, x , k i ), b'=h(r 1 , r 2 , k' i ), if b'≠ b, then terminate the agreement, otherwise calculate
Figure BDA0000154243480000112
Update pseudonym Ψ i , x is Ψ i , x-1 , key k i is k' i , and counter value c is incremented by 1.

实施例3Example 3

如图8所示,本发明实施例3提供的方案中,在成功完成一轮协议后第17步才对计数器的值做出改变。这样的好处是可以预防计数器值重置后与先前的值相同而引起的跟踪攻击。本方案中,采用反向哈希链给标签更新假名,这样由于后端数据库预先知道了标签的假名,标签假名可以只需与计数器的一个值进行哈希,在本轮假名用完后才重新计算,这样大大减轻了后端数据库的计算量。另外即使攻击者知道了标签当前的假名,他也不能知道标签下一次的假名。在第6步中,计数器的值c作为索引,并对同一c值不同标签的h(Ψi,x,c)按大小进行排序,由此产生一张链表。随后对同一c值不同标签的h(Ψi,x,c)采用二分法查找,这样可以进一步加快了识别标签的速度。在第10步中,当假名更新时,更新后的假名所指的标签密钥才更新,而先前的假名所指向标签密钥不改变。这样即使后端数据库更新完标签的假名以及密钥后,由于其它原因,标签自己却没有更新信息,我们的方案还是可以抵抗去同步攻击。因为假设标签没有接收到协议的第三步,即没有成功更新标签信息。那么在标签中存储的仍然是前一次的秘密信息(Ψi,x,c,ki),而在后端数据库中已经更新为(Ψi,x-1,c+1,ki‘)。在下一次运行协议时,标签产生随机数r2并计算h(Ψi,x,c)以及a=h(r1,r2,ki)的值,将这些值连同计数器的值c一同发给读写器。读写器接收到这些信息后,仍能从后端数据库中根据c值查找出h(Ψi,x,c),得到相应的假名Ψi,x,因为标签的所有假名都存储在后端数据库中。又因为前一次协议中假名更新时,只有新的假名才更新它所对应的密钥,因此仍能得到标签密钥ki。从以上分析可以看出,即使标签没有成功更新秘密信息,读写器和标签之间也不会出现去同步的问题。反过来,因为标签在成功认证读写器后才更新标签的状态,因此也不会出现标签更新了信息而后端数据库没有更新的状况。综上所述,我们的协议能够很好的抵抗去同步攻击。As shown in FIG. 8 , in the solution provided by Embodiment 3 of the present invention, the value of the counter is changed in step 17 only after a round of protocol is successfully completed. The advantage of this is that it can prevent tracking attacks caused by resetting the counter value to be the same as the previous value. In this solution, the reverse hash chain is used to update the pseudonym of the label, so that since the back-end database knows the pseudonym of the label in advance, the pseudonym of the label can only be hashed with a value of the counter, and it will be restarted after the pseudonym of the current round is used up. Calculation, which greatly reduces the calculation amount of the back-end database. In addition, even if the attacker knows the current pseudonym of the tag, he cannot know the next pseudonym of the tag. In step 6, the value c of the counter is used as an index, and h(Ψ i, x , c) with the same c value and different labels are sorted by size, thereby generating a linked list. Then use binary search for h(Ψ i, x , c) of different labels with the same c value, which can further speed up the identification of labels. In step 10, when the pseudonym is updated, the tag key pointed to by the updated pseudonym is updated, while the tag key pointed to by the previous pseudonym remains unchanged. In this way, even after the back-end database updates the pseudonym and key of the tag, the tag itself does not update the information due to other reasons, our scheme can still resist the desynchronization attack. Because it is assumed that the tag has not received the third step of the protocol, that is, the tag information has not been successfully updated. Then what is stored in the label is still the previous secret information (Ψ i, x , c, k i ), but it has been updated to (Ψ i, x-1 , c+1, k i ') in the back-end database . In the next run of the protocol, the tag generates a random number r 2 and calculates the values of h(Ψ i, x , c) and a=h(r 1 , r 2 , ki ) , and sends these values together with the value c of the counter to the reader. After receiving the information, the reader can still find out h(Ψ i, x , c) from the back-end database according to the value of c, and get the corresponding pseudonym Ψ i, x , because all the pseudonyms of the tag are stored in the back-end in the database. And because when the pseudonym is updated in the previous agreement, only the new pseudonym will update its corresponding key, so the label key k i can still be obtained. From the above analysis, it can be seen that even if the tag does not successfully update the secret information, there will be no desynchronization problem between the reader and the tag. Conversely, since the tag only updates the status of the tag after successfully authenticating the reader, there will be no situation where the tag has updated its information but the back-end database has not. In summary, our protocol can resist desynchronization attacks very well.

实施例4Example 4

本发明实施例4提供一种隐私保护无线射频识别密码协议系统,包括读写器100和标签200,其中,Embodiment 4 of the present invention provides a privacy protection radio frequency identification cryptographic protocol system, including a reader 100 and a tag 200, wherein,

读写器100,用于向标签200发出认证请求,产生随机数r1并发送给标签200;根据c值在后端数据库中查找h(Ψi,x,c);根据查找到的h(Ψi,x,c)获取对应的标签假名Ψi,x及密钥ki;计算a’=h(r1,r2,ki),并判断a’是否等于a;计算k’i=h(r1,r2,Ψi,x,ki),更新ki为k’i,Ψi,x为Ψi,x-1,计算b=h(r1,r2,k’i)和

Figure BDA0000154243480000121
将b和d发送给标签200。The reader 100 is used to send an authentication request to the tag 200, generate a random number r 1 and send it to the tag 200; look up h(Ψ i, x , c) in the back-end database according to the value of c; according to the found h( Ψ i, x , c) Obtain the corresponding tag pseudonym Ψ i, x and key k i ; calculate a'=h(r 1 , r 2 , k i ), and judge whether a' is equal to a; calculate k' i = h(r 1 , r 2 , Ψ i, x , k i ), update ki to k' i , Ψ i, x to Ψ i, x-1 , calculate b=h(r 1 , r 2 , k ' i ) and
Figure BDA0000154243480000121
Send b and d to tag 200 .

标签200,用于产生随机数r2并计算h(Ψi,x,c)以及a=h(r1,r2,ki)的值,连同c一同发给读写器100;计算k’i=h(r1,r2,Ψi,x,ki)、b’=h(r1,r2,k’i),判断b’是否等于b;计算

Figure BDA0000154243480000122
更新标签假名Ψi,x为Ψi,x-1、密钥ki为k’i,同时计数器值c增1。The tag 200 is used to generate a random number r 2 and calculate the value of h(Ψ i, x , c) and a=h(r 1 , r 2 , k i ), and send it to the reader 100 together with c; calculate k ' i =h(r 1 , r 2 , Ψ i, x , ki ) , b'=h(r 1 , r 2 , k' i ), judge whether b' is equal to b; calculate
Figure BDA0000154243480000122
Update the label pseudonym Ψ i , x to Ψ i , x-1 , key k i to k' i , and increase the counter value c by 1.

实施例5Example 5

如图9所示,本发明实施例5提供的读写器100进一步包括认证单元101、第一随机数单元102、后端数据库103、第一判断单元104和第一计算单元105,其中,As shown in FIG. 9 , the reader/writer 100 provided by Embodiment 5 of the present invention further includes an authentication unit 101, a first random number unit 102, a backend database 103, a first judging unit 104, and a first computing unit 105, wherein,

认证单元101,用于向标签200发出认证请求;An authentication unit 101, configured to send an authentication request to the tag 200;

第一随机数单元102,用于产生随机数r1A first random number unit 102, configured to generate a random number r 1 ;

后端数据库103,用于存储和查询标签200的假名、密钥、随机数以及计数器信息;The back-end database 103 is used to store and query the pseudonym, key, random number and counter information of the tag 200;

第一判断单元104,用于判断后端数据库103中是否存在h(Ψi,x,c);判断a’是否等于a;The first judging unit 104 is used to judge whether h(ψi , x , c) exists in the back-end database 103; judge whether a' is equal to a;

第一计算单元105,用于计算a’=h(r1,r2,ki)、k’i=h(r1,r2,Ψi,x,ki)、b=h(r1,r2,k’i)和 The first calculation unit 105 is used to calculate a'=h(r 1 , r 2 , ki ), k' i =h(r 1 , r 2 , Ψ i, x , ki ), b=h(r 1 , r 2 , k' i ) and

实施例6Example 6

如图10所示,本发明实施例6提供的标签200进一步包括第二随机数单元201、第二计算单元202、计数器单元203、假名密钥单元204和第二判断单元205,其中,As shown in Figure 10, the tag 200 provided by Embodiment 6 of the present invention further includes a second random number unit 201, a second calculation unit 202, a counter unit 203, a pseudonym key unit 204, and a second judging unit 205, wherein,

第二随机数单元201,用于产生随机数r2The second random number unit 201 is used to generate a random number r 2 ;

第二计算单元202,用于计算h(Ψi,x,c)、a=h(r1,r2,ki)、k’i=h(r1,r2,Ψi,x,ki)和b’=h(r1,r2,k’i);The second calculation unit 202 is used to calculate h(Ψ i, x , c), a=h(r 1 , r 2 , k i ), k' i =h(r 1 , r 2 , Ψ i, x , k i ) and b'=h(r 1 , r 2 , k' i );

计数器单元203,用于产生和更新计数器的值c;The counter unit 203 is used to generate and update the value c of the counter;

假名密钥单元204,用于存储和更新标签200的假名和密钥;Pseudonym key unit 204, for storing and updating the pseudonym and key of tag 200;

第二判断单元205,用于判断b’是否等于b。The second judging unit 205 is used to judge whether b' is equal to b.

综上所述,本发明各个实施例提供的方案,通过读写器与标签分别产生不同的随机数,标签根据自身的假名、计数器的值以及两个随机数经过哈希函数加密传送,读写器在后端数据库中查找相应的标签假名对应的信息并核对相关信息是否准确,读写器经过计算更新标签密钥和假名,并经过哈希函数加密传送给标签,标签验证后更新自身的假名和密钥,并更新计数器的值。本发明实施例提供的方案,标签的密钥每次都由哈希函数加密传送,且每次都由不同的随机数r1,r2对哈希函数进行混淆,每个标签的密钥信息都没有关联,攻击者很难得到标签的密钥信息,因而确保了信息安全。同时,标签的假名和密钥信息每次都以不同的值传送,因此即使攻击者对两个标签连续不断的发送请求,他也不能区别两个标签。每个标签只需要存储3个秘密信息,标签假名其实只与计数器的一个值进行哈希,都大大的提高了运算的效率。因而,本发明实施例提供的方案极大的提高了密码协议的安全性和快捷性,可以有效实现RFID隐私保护。To sum up, in the solutions provided by the various embodiments of the present invention, different random numbers are generated by the reader-writer and the tag respectively, and the tag transmits the encryption according to its own pseudonym, the value of the counter, and two random numbers through a hash function, and reads and writes The reader searches the back-end database for the information corresponding to the tag pseudonym and checks whether the relevant information is accurate. The reader updates the tag key and pseudonym after calculation, and encrypts and transmits it to the tag through the hash function. After the tag is verified, it updates its own pseudonym and key, and update the value of the counter. In the solution provided by the embodiment of the present invention, the key of the label is encrypted and transmitted by the hash function every time, and the hash function is confused by different random numbers r 1 and r 2 each time, and the key information of each label There is no correlation, and it is difficult for an attacker to obtain the key information of the tag, thus ensuring information security. At the same time, the tag's pseudonym and key information are transmitted with different values each time, so even if the attacker sends requests to the two tags continuously, he cannot distinguish the two tags. Each label only needs to store 3 secret information, and the pseudonym of the label is actually only hashed with a value of the counter, which greatly improves the efficiency of the operation. Therefore, the solution provided by the embodiment of the present invention greatly improves the security and quickness of the cryptographic protocol, and can effectively realize RFID privacy protection.

本领域普通技术人员可以理解实现上述实施例的全部或部分步骤可以通过硬件来完成,也可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,上述提到的存储介质可以是只读存储器,磁盘或光盘等。Those of ordinary skill in the art can understand that all or part of the steps for implementing the above embodiments can be completed by hardware, and can also be completed by instructing related hardware through a program. The program can be stored in a computer-readable storage medium. The above-mentioned The storage medium mentioned may be a read-only memory, a magnetic disk or an optical disk, and the like.

以上所述仅为本发明的较佳实施例,并不用以限制本发明,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included in the protection of the present invention. within range.

Claims (10)

1.一种隐私保护无线射频识别密码协议方法,其特征在于,该方法包括:1. A privacy protection radio frequency identification cryptographic protocol method, is characterized in that the method comprises: 读写器向标签发出认证请求,产生随机数r1并发送给标签;The reader sends an authentication request to the tag, generates a random number r 1 and sends it to the tag; 标签产生随机数r2并计算h(Ψi,x,c)以及a=h(r1,r2,ki)的值,连同c一同发给读写器;其中,所述Ψi,x为标签假名,c为计数器的值,ki为标签对应的密钥;The tag generates a random number r 2 and calculates the value of h(Ψ i, x , c) and a=h(r 1 , r 2 , k i ), and sends it to the reader along with c; wherein, the Ψ i, x is the pseudonym of the tag, c is the value of the counter, and k i is the key corresponding to the tag; 读写器根据c值在后端数据库中查找h(Ψi,x,c),如果后端数据库中不存在h(Ψi,x,c),则终止协议,流程结束;否则,根据查找到的h(Ψi,x,c)获取对应的标签假名Ψi,x及密钥kiThe reader looks up h(Ψ i, x , c) in the back-end database according to the value of c, if h(Ψ i, x , c) does not exist in the back-end database, the protocol is terminated, and the process ends; otherwise, according to the search Get h(Ψ i, x , c) to get the corresponding tag pseudonym Ψ i, x and key k i ; 计算a’=h(r1,r2,ki),并判断a’是否等于a,如果否则终止协议,流程结束;否则,计算k’i=h(r1,r2,Ψi,x,ki),更新ki为k’i,Ψi,x为Ψi,x-1,计算b=h(r1,r2,k’i)和
Figure FDA0000154243470000011
将b和d发送给标签;其中,所述Ψi,x=h(Ψi,x-1);Calculate a'=h(r 1 , r 2 , k i ), and judge whether a' is equal to a, if not, terminate the agreement and the process ends; otherwise, calculate k' i =h(r 1 , r 2 , Ψ i, x , k i ), update ki as k' i , Ψ i , x as Ψ i, x-1 , calculate b=h(r 1 , r 2 , k' i ) and
Figure FDA0000154243470000011
Send b and d to the tag; wherein, the Ψ i, x = h(Ψ i, x-1 ); 标签计算k’i=h(r1,r2,Ψi,x,ki)、b’=h(r1,r2,k’i),判断b’是否等于b,如果否,则终止协议,流程结束;否则,计算
Figure FDA0000154243470000012
更新标签假名Ψi,x为Ψi,x-1、密钥ki为k’i,同时计数器值c增1。Label calculation k' i = h(r 1 , r 2 , Ψ i, x , ki ), b' = h(r 1 , r 2 , k' i ), judge whether b' is equal to b, if not, then Terminate the agreement, the process ends; otherwise, calculate
Figure FDA0000154243470000012
Update the label pseudonym Ψ i , x to Ψ i , x-1 , key k i to k' i , and increase the counter value c by 1. 2.如权利要求1所述的方法,其特征在于,该方法还包括:2. The method of claim 1, further comprising: 设定隐私保护系统中一共有n个标签,i每个标签的编号,其中1≤i≤n;Set a total of n tags in the privacy protection system, and the number of each tag i, where 1≤i≤n; 后端数据库为每个标签选择一个随机数Ψi,0,预先计算Ψi,1=h(Ψi,0),Ψi,2=h(Ψi,1),...,Ψi,m-1=h(Ψi,m-2);The backend database selects a random number Ψ i,0 for each label, and precomputes Ψ i ,1 = h(Ψ i,0 ), Ψ i,2 =h(Ψ i,1 ),...,Ψ i , m-1 = h(Ψ i, m-2 ); 后端数据库保存每个标签的Ψi,x,这些值将按逆序依次分配给标签作为其假名。The backend database saves Ψ i,x for each tag, and these values will be assigned to tags in reverse order as their pseudonyms. 3.如权利要求1所述的方法,其特征在于,该方法还包括:3. The method of claim 1, further comprising: 每个标签都有一个内部计数器,计数器的值为c,其中,0≤c≤m-1;Each label has an internal counter, and the value of the counter is c, where 0≤c≤m-1; 后端数据库预先计算标签假名与计数器的值c的哈希值h(Ψi,x,c);The back-end database pre-calculates the hash value h(Ψ i, x , c) of the tag pseudonym and the value c of the counter; 在认证标签时,标签假名从哈希链的最后一个值开始,计数器的值从0开始,其中,x+c=m-1,即需要计算的哈希值分别为:h(Ψi,0,m-1),h(Ψi,1,m-2),...,h(Ψi,x,m-1-x),...,h(Ψi,m-1,0)。When authenticating a tag, the pseudonym of the tag starts from the last value of the hash chain, and the value of the counter starts from 0, where x+c=m-1, that is, the hash values to be calculated are: h(Ψ i, 0 , m-1), h(Ψ i, 1 , m-2), ..., h(Ψ i, x , m-1-x), ..., h(Ψ i, m-1 , 0 ). 4.如权利要求3所述的方法,其特征在于,该方法还包括:4. The method of claim 3, further comprising: 用计数器的值c作为索引,并对同一c值不同标签的h(Ψi,x,c)按大小进行排序,由此产生一张链表并保存在后端数据库;在查询标签对应的h(Ψi,x,c)时,对同一c值不同标签的h(Ψi,x,c)采用二分法查找。Use the value c of the counter as an index, and sort h(Ψ i, x , c) with the same c value and different labels according to size, thereby generating a linked list and saving it in the back-end database; when querying the label corresponding to h( Ψ i, x , c), use binary search for h(Ψ i, x , c) with the same c value and different labels. 5.如权利要求1所述的方法,其特征在于,该方法还包括:5. The method of claim 1, further comprising: 每个标签的所有假名都对应相同的密钥及其它信息,当假名更新时,更新后的假名所指的标签密钥才更新,而先前的假名所指向标签密钥不改变。All the pseudonyms of each label correspond to the same key and other information. When the pseudonym is updated, the key of the label pointed to by the updated pseudonym is updated, while the key of the label pointed to by the previous pseudonym remains unchanged. 6.如权利要求1所述的方法,其特征在于,该方法还包括:6. The method of claim 1, further comprising: 当计数器的值c达到最大m-1时,后端数据库为标签选取另一随机数,产生另一哈希链作为标签下一轮的假名Ψ’i,x,同时c重置为0;When the value c of the counter reaches the maximum m-1, the backend database selects another random number for the label, and generates another hash chain as the pseudonym Ψ' i, x for the next round of the label, and c is reset to 0; 后端数据库再预先计算标签假名与计数器值的哈希值h(Ψ’i,x,c)。The back-end database pre-calculates the hash value h(Ψ' i, x , c) of the tag pseudonym and the counter value. 7.如权利要求1所述的方法,其特征在于,该方法还包括:7. The method of claim 1, further comprising: 每个标签中存储它当前的假名Ψi,x、计数器的值c以及密钥ki,其中1≤i≤n;Each tag stores its current pseudonym Ψ i, x , counter value c and key k i , where 1≤i≤n; 初始时c=0,标签假名为Ψi,m-1Initially, c=0, and the pseudonym of the label is Ψ i,m-1 . 8.一种隐私保护无线射频识别密码协议系统,其特征在于,该系统包括读写器和标签,其中,8. A privacy-protecting radio frequency identification cryptographic protocol system, characterized in that the system includes a reader-writer and a tag, wherein, 所述读写器,用于向标签发出认证请求,产生随机数r1并发送给标签;根据c值在后端数据库中查找h(Ψi,x,c);根据查找到的h(Ψi,x,c)获取对应的标签假名Ψi,x及密钥ki;计算a’=h(r1,r2,ki),并判断a’是否等于a;计算k’i=h(r1,r2,Ψi,x,ki),更新ki为k’i,Ψi,x为Ψi,x-1,计算b=h(r1,r2,k’i)和将b和d发送给标签;The reader is used to send an authentication request to the tag, generate a random number r 1 and send it to the tag; look up h(Ψ i, x , c) in the back-end database according to the c value; according to the found h(Ψ i, x , c) Obtain the corresponding tag pseudonym Ψ i, x and key k i ; calculate a'=h(r 1 , r 2 , k i ), and judge whether a' is equal to a; calculate k' i = h(r 1 , r 2 , Ψ i, x , k i ), update ki to k' i , Ψ i, x to Ψ i, x-1 , calculate b=h(r 1 , r 2 , k' i ) and send b and d to the label; 所述标签,用于产生随机数r2并计算h(Ψi,x,c)以及a=h(r1,r2,ki)的值,连同c一同发给读写器;计算k’i=h(r1,r2,Ψi,x,ki)、b’=h(r1,r2,k’i),判断b’是否等于b;计算
Figure FDA0000154243470000022
更新标签假名Ψi,x为Ψi,x-1、密钥ki为k’i,同时计数器值c增1。The tag is used to generate a random number r 2 and calculate the value of h(Ψ i, x , c) and a=h(r 1 , r 2 , k i ), and send it to the reader along with c; calculate k ' i =h(r 1 , r 2 , Ψ i, x , ki ) , b'=h(r 1 , r 2 , k' i ), judge whether b' is equal to b; calculate
Figure FDA0000154243470000022
Update the label pseudonym Ψ i , x to Ψ i , x-1 , key k i to k' i , and increase the counter value c by 1. 9.如权利要求8所述的系统,其特征在于,所述读写器进一步包括认证单元、第一随机数单元、后端数据库、第一判断单元和第一计算单元,其中,9. The system according to claim 8, wherein the reader/writer further comprises an authentication unit, a first random number unit, a backend database, a first judgment unit and a first calculation unit, wherein, 所述认证单元,用于向标签发出认证请求;The authentication unit is configured to send an authentication request to the label; 所述第一随机数单元,用于产生随机数r1The first random number unit is used to generate a random number r 1 ; 所述后端数据库,用于存储和查询标签的假名、密钥、随机数以及计数器信息;The back-end database is used to store and query tag pseudonyms, keys, random numbers and counter information; 所述第一判断单元,用于判断后端数据库中是否存在h(Ψi,x,c);判断a’是否等于a;The first judging unit is used to judge whether h(Ψ i, x , c) exists in the back-end database; judge whether a' is equal to a; 所述第一计算单元,用于计算a’=h(r1,r2,ki)、k’i=h(r1,r2,Ψi,x,ki)、b=h(r1,r2,k’i)和 d = Ψ i , x ⊕ Ψ i , x - 1 . The first calculation unit is used to calculate a'=h(r 1 , r 2 , ki ), k' i =h(r 1 , r 2 , Ψ i, x , ki ), b=h( r 1 , r 2 , k' i ) and d = Ψ i , x ⊕ Ψ i , x - 1 . 10.如权利要求8或9所述的系统,其特征在于,所述标签进一步包括第二随机数单元、第二计算单元、计数器单元、假名密钥单元和第二判断单元,其中,10. The system according to claim 8 or 9, wherein the tag further comprises a second random number unit, a second computing unit, a counter unit, a pseudonym key unit and a second judging unit, wherein, 所述第二随机数单元,用于产生随机数r2The second random number unit is used to generate a random number r 2 ; 所述第二计算单元,用于计算h(Ψi,x,c)、a=h(r1,r2,ki)、k’i=h(r1,r2,Ψi,x,ki)和b’=h(r1,r2,k’i);The second calculation unit is used to calculate h(Ψ i, x , c), a=h(r 1 , r 2 , k i ), k' i =h(r 1 , r 2 , Ψ i, x , k i ) and b'=h(r 1 , r 2 , k' i ); 所述计数器单元,用于产生和更新计数器的值c;The counter unit is used to generate and update the value c of the counter; 所述假名密钥单元,用于存储和更新标签的假名和密钥;The pseudonym key unit is used to store and update the pseudonym and key of the tag; 所述第二判断单元,用于判断b’是否等于b。The second judging unit is used to judge whether b' is equal to b.
CN201210113004.1A 2012-04-17 2012-04-17 Privacy protection radio frequency identification password protocol method and system Expired - Fee Related CN102693438B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210113004.1A CN102693438B (en) 2012-04-17 2012-04-17 Privacy protection radio frequency identification password protocol method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210113004.1A CN102693438B (en) 2012-04-17 2012-04-17 Privacy protection radio frequency identification password protocol method and system

Publications (2)

Publication Number Publication Date
CN102693438A true CN102693438A (en) 2012-09-26
CN102693438B CN102693438B (en) 2014-12-17

Family

ID=46858852

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210113004.1A Expired - Fee Related CN102693438B (en) 2012-04-17 2012-04-17 Privacy protection radio frequency identification password protocol method and system

Country Status (1)

Country Link
CN (1) CN102693438B (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618995A (en) * 2013-12-04 2014-03-05 西安电子科技大学 Position privacy protection method based on dynamic pseudonyms
CN106534171A (en) * 2016-12-02 2017-03-22 全球能源互联网研究院 Security authentication method and device, and terminal
CN106603228A (en) * 2016-12-21 2017-04-26 广东工业大学 RFID key wireless generation method based on Rabin encryption
CN107294957A (en) * 2017-05-26 2017-10-24 华南师范大学 A kind of method of the search RF tag of highly effective and safe
CN109800831A (en) * 2018-12-21 2019-05-24 天津科技大学 A kind of crash protection method based on RFID food tracing
CN109861809A (en) * 2019-02-20 2019-06-07 中国电子科技集团公司第三十研究所 A Practical Randomized Encryption and Decryption Method for Packets
CN115169373A (en) * 2022-07-11 2022-10-11 中国科学院高能物理研究所 A low-cost RFID tag authentication method and system
CN118153599A (en) * 2024-02-21 2024-06-07 江苏稻源科技集团有限公司 High-frequency anti-counterfeiting method and system based on UID reading counting

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645138A (en) * 2009-09-14 2010-02-10 西安交通大学 Radio frequency identification (RFID) privacy authenticating method
CN102158494A (en) * 2011-04-18 2011-08-17 电子科技大学 Low-cost radio frequency identification (RFID) security authentication protocol capable of shielding illegal reader-writer
CN102394753A (en) * 2011-11-01 2012-03-28 西安电子科技大学 RFID (Radio Frequency Identification Device) mutual authentication method based on secret key and cache mechanism

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101645138A (en) * 2009-09-14 2010-02-10 西安交通大学 Radio frequency identification (RFID) privacy authenticating method
CN102158494A (en) * 2011-04-18 2011-08-17 电子科技大学 Low-cost radio frequency identification (RFID) security authentication protocol capable of shielding illegal reader-writer
CN102394753A (en) * 2011-11-01 2012-03-28 西安电子科技大学 RFID (Radio Frequency Identification Device) mutual authentication method based on secret key and cache mechanism

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王琼等: "基于EPC物联网的公安数据通信安全认证协议研究", 《信息网络安全》 *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103618995B (en) * 2013-12-04 2017-01-18 西安电子科技大学 Position privacy protection method based on dynamic pseudonyms
CN103618995A (en) * 2013-12-04 2014-03-05 西安电子科技大学 Position privacy protection method based on dynamic pseudonyms
CN106534171A (en) * 2016-12-02 2017-03-22 全球能源互联网研究院 Security authentication method and device, and terminal
CN106534171B (en) * 2016-12-02 2020-03-10 全球能源互联网研究院有限公司 Security authentication method, device and terminal
CN106603228A (en) * 2016-12-21 2017-04-26 广东工业大学 RFID key wireless generation method based on Rabin encryption
CN107294957B (en) * 2017-05-26 2019-10-01 华南师范大学 A method for searching radio frequency tags
CN107294957A (en) * 2017-05-26 2017-10-24 华南师范大学 A kind of method of the search RF tag of highly effective and safe
CN109800831B (en) * 2018-12-21 2022-01-28 天津科技大学 Collision prevention method based on RFID food tracing
CN109800831A (en) * 2018-12-21 2019-05-24 天津科技大学 A kind of crash protection method based on RFID food tracing
CN109861809A (en) * 2019-02-20 2019-06-07 中国电子科技集团公司第三十研究所 A Practical Randomized Encryption and Decryption Method for Packets
CN109861809B (en) * 2019-02-20 2022-03-18 中国电子科技集团公司第三十研究所 Practical grouping random encryption and decryption method
CN115169373A (en) * 2022-07-11 2022-10-11 中国科学院高能物理研究所 A low-cost RFID tag authentication method and system
CN118153599A (en) * 2024-02-21 2024-06-07 江苏稻源科技集团有限公司 High-frequency anti-counterfeiting method and system based on UID reading counting

Also Published As

Publication number Publication date
CN102693438B (en) 2014-12-17

Similar Documents

Publication Publication Date Title
Sidorov et al. Ultralightweight mutual authentication RFID protocol for blockchain enabled supply chains
CN102693438B (en) Privacy protection radio frequency identification password protocol method and system
CN103020671B (en) A kind of radio frequency identification mutual authentication method based on hash function
CN108092774B (en) A bidirectional security authentication method for RFID system based on elliptic curve cryptography
CN104702604B (en) Mutual authentication method based on simple logic encryption and timestamp
CN101645138B (en) A radio frequency identification privacy authentication method
Jung et al. HRP: A HMAC-based RFID mutual authentication protocol using PUF
CN103699920A (en) Radio frequency identification two-way authentication method based on ellipse curve
CN106845304A (en) A kind of method and system for realizing reader and smart-tag authentication in rfid system
CN102497264A (en) RFID security authentication method based on EPC C-1G-2 standard
CN108304902A (en) A kind of mobile RFID system mutual authentication method of extra lightweight
Chen et al. An ownership transfer scheme using mobile RFIDs
CN110190965A (en) An RFID Group Tag Authentication Protocol Based on Hash Function
CN103532718A (en) Authentication method and authentication system
Zhou et al. A lightweight anti-desynchronization RFID authentication protocol
CN107040363B (en) Method and system for lightweight RFID ownership transfer based on chaotic encryption
CN108566385A (en) The mutual authentication method of efficient secret protection based on cloud
CN110650019A (en) RFID authentication method and system based on PUF and security sketch
Gui et al. A new authentication RFID protocol with ownership transfer
Huang et al. An ultralightweight mutual authentication protocol for EPC C1G2 RFID tags
Song et al. Scalable RFID pseudonym protocol
Shen et al. An Anti-counterfeit Complete RFID Tag Grouping Proof Generation Protocol.
Liu An efficient RFID authentication protocol for low-cost tags
KR20090005834A (en) Low cost RFID authentication protocol method suitable for distributed environment
KR100605138B1 (en) Authorization method in radio frequency identification system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20141217

Termination date: 20160417

CF01 Termination of patent right due to non-payment of annual fee