FIG. 1 shows an RF identification system comprising an RF label reader 101 that can communicate by radio with a plurality of RF labels 102. An RF label generally consists of a paper or plastic support, an integrated circuit and an antenna. Such RF labels are activated on reception of an activation signal sent by the RF label reader Such RF identification systems can work with low-frequency signals or with high-frequency signals.
In such RF identification systems, an identifier that is unique in the system is associated with each RF label. The reader is then in a position to identify a label on the basis of information sent from said label and as a function of a list of identifiers of the RF labels 102 of the system.
For such an RF identification system to be reliable, each of the identifiers 102 of the RF system must be kept secret between the reader and the respective RF labels. Now, in such a system, the identifier of a label is exchanged between the label and the reader. The reliability of such identification systems then relies in particular on the means of protecting the respective identifiers of the RF labels during certain of these exchanges between the label reader and the RF labels.
Accordingly, to prevent another entity from being able to usurp the identifier associated with a label of the system and then defraud this kind of RF identification system, these exchanges of data may be encrypted.
After being activated by an activation RF signal, an RF label is able to communicate with the RF label reader in accordance with various communication protocols available to the person skilled in the art. For example, an HB (standing for ‘Hopper, Blum’) protocol enables such communication between a reader and an RF label. According to this protocol, a secret identifier x is known only by the reader and by the RF label. FIG. 2 shows communication between the reader and the RF label in accordance with the HB protocol.
Note that in the examples described hereinafter, the numbers ai and x used are binary numbers of k bits, k being an integer.
According to the HB protocol, the reader identifies the label by repeating N times a step of encryption of the identifier of the label concerned. During an encryption step of this kind, step i, where i is an integer from 1 to N, the reader sends a message 103 to the RF label indicating a random number ai in the set denoted {0, 1}k of the binary numbers of k bits. The RF label then encrypts its secret identifier using the random number as sent by the reader.
To carry out this kind of encryption, the label generates a random number vi and obtains a value of the identifier encrypted in accordance with the following equation:zi=ai·x⊕vi  (1)wherein vi is generated so that it is part of the set {0, 1}, with a determined probability η that vi is equal to 1.
Note that the symbol ‘⊕’ indicates an ‘exclusive-OR’ operation and that the symbol ″ indicates an ‘exclusive-OR’ operation on the various results of the ‘AND’ operations effected bit by bit on the two numbers ai and x.
This step is therefore repeated N times. Consequently, the RF label reader receives N values zi for each of which the values of the random number ai and the random number vi vary.
The RF label reader knows the determined probability value η characterizing the generation of the random number vi. Consequently, from the N values zi of the encrypted identifier received in the messages 104 and on the basis of the list of secret identifiers associated with the respective RF labels of the system and the N first and second random numbers, the RF label reader is in a position to determine the secret identifier x of the label concerned, on verifying that the equation (1) is false at most a number of times corresponding to η.N.
However, an active attack on this kind of HB protocol is able to determine the secret identifier x associated with the label concerned. In fact, if an entity inserts itself between the label reader and the RF label, so as to supply to the RF label the same number in place of the random numbers ai supplied by the reader, that entity is in a position to determine the information on x.
A communication protocol denoted HB+ for an RF identification system offers protection against this kind of active attack by introducing an additional random value during the encryption of the secret identifier of the RF label FIG. 3 shows this kind of HB+ protocol, based on repetition of an encryption step, only one step i being represented.
According to this HB+ protocol, a secret identifier of the label concerned, known to the leader and to said label, is denoted (x, y), where x and y are binary numbers of k bits. In each of the steps i described above, the label sends the RF label leader a message 201 containing a first random number bi. On reception of this first random number bi, the RF label reader sends the label a message 202 containing a second random number ai Then, on the basis of the first and second random numbers, the RF label sends the label leader a message 203 that indicates a value of its encrypted secret identifier that satisfies the following equation:zi=ai·x⊕bi·y⊕vi  (2)wherein vi is in the set {0,1}, with a determined probability η that vi is equal to 1, said probability η being known to the reader and to the RF label.
During the N repetitions of this encryption step, the label supplies to the label reader N values zi of the encrypted secret identifier.
Communication under this kind of HB+ protocol is undoubtedly better protected against certain attacks than communication under the HB protocol. However, an active attack wherein an entity inserts itself between the reader and the RF label and, during sending of the message 201, sends a message 202 modified to replace the second random number ai, generated by the reader, with a number ai′ satisfying the following equation:ai′=ai⊕δ  (3)wherein δ is a number on k bits, which has a constant value throughout the N repetitions of the encryption step, step i.
In this case, the message 203 transmits a number zi satisfying the following equation:zi=ai′·x⊕bi·y⊕vi=(ai⊕δ)·x⊕bi·y⊕vi  (4)
In this kind of, context, if the reader is in a position to identify the label, it is deduced, with a high probability, that δx is equal to 0. In the contrary situation, it is deduced that δ·x is equal to 1. Accordingly, as a function of whether it is impossible or possible for the reader to identify the RF label, the information on the secret identifier x can be deduced. This kind of deductive method can then be transposed to the numbers bi and y.
There is therefore an active attack that can discover the secret identifier (x,y) of the RF label during communication between the reader and the label under the HB+ protocol. This kind of attack is described in the document ‘An active attack against HB+’ by Henri Gilbert, Matthew Robshaw and Herveé Sibert.
The present invention aims to improve the protection of communication in an RF identification system against attacks seeking to discover the secret identifiers of the RF labels.