ComputerNetworks54(2010)2744–2755 ContentslistsavailableatScienceDirect Computer Networks journal homepage: www.elsevier.com/locate/comnet REACT: An RFID-based privacy-preserving children tracking scheme for large amusement parks Xiaodong Lina, Rongxing Lub, Davis Kwana, Xuemin (Sherman) Shenb,* aFacultyofBusinessandInformationTechnology,UniversityofOntarioInstituteofTechnology,Oshawa,Ontario,CanadaL1H7K4 bDepartmentofElectricalandComputerEngineering,UniversityofWaterloo,Waterloo,Ontario,CanadaN2L3G1 a r t i c l e i n f o a b s t r a c t Articlehistory: In this paper, we propose an RFID-based privacy-preserving children tracking (REACT) Received15December2009 schemeforhelpinglocatemissingchildreninlargeamusementparksandotherpublicven- Receivedinrevisedform22April2010 ues.TheschemeischaracterizedbythecooperationamongRFIDreaders,storagenodes Accepted9May2010 andcontrolcenter,whicharestrategicallydeployedacrosstheamusementpark,aswell Availableonline20May2010 asemployeesandvisitorsinthepark.WhenapassiveRFIDtag,physicallyattachedona ResponsibleEditor:J.Misic child,approachesanRFIDreader,thereaderwillprocessthetaginformation.Thereader then forwards the information to a storage node through a pocket switched network Keywords: formed by employees and visitors in the park. When locating a lost child is requested, RFID the system isable to track the missing child by querying the tag information stored in Childrentracking Privacypreserving the storage nodes. Detailed security analysis shows that the proposed REACT scheme Pocketswitchednetwork achieveschild’sidentityprivacy,unlinkablelocationprivacyandforwardsecurity.Inaddi- tion, extensive simulations demonstrate that as more visitors participate in the pocket switched network, the performance of our proposed REACT scheme increases which directlyimprovestheefficiencyforthelocatinglostchildren. (cid:2)2010ElsevierB.V.Allrightsreserved. 1.Introduction er an area greater than one squared kilometer, e.g., the Canada’swonderland[2]. Oneofthegreatestfearsofparentsis,withoutadoubt, Onatypicaldayduringthehighseason,theremaybe losing sight of their children. Each year approximately tensofthousandsofvisitorsinthepark.Findingonesingle 65,000childrenarereportedmissinginCanada[1],leading childfromthiscrowdissometimesnexttoimpossible,like topeoplesufferingindifferentwayssuchasanguishand findinganeedleinahaystack.Itisnotunusualthatguest franticness of parents and the potential loss of children servicesatamusementparksconstantlyhavelonglineups lives. A fraction of these cases occur when the children and are busy trying to help anxious parents locate their areinpublicvenuessuchasshoppingmalls,playgrounds lostchildren.Ittakesatleastacoupleofhoursonaverage and amusement parks. In the worst case scenario, these tolocateachildintheparkandintheworstcase,theymay missing children are never reunited with their parents. neverbefoundastheyhavealreadyleftthepark.Thisisa Locatingachildinanamusementparkcanbeaverydiffi- majorsafetyissuethatisimportanttoboththeparkoper- culttask.Forexample,largeamusementparksusuallycov- ators and visitors. Unfortunately, there are currently no systemsinplacetoaidinthetrackingofmissingchildren inpublicvenues.Mostsearchesformissingchildrencases areperformedbyreviewingrecordedsecuritysurveillance * Correspondingauthor. tapesandrequestingthehelpofbystandersandwitnesses. E-mailaddresses:[email protected](X.Lin),[email protected]. Although there have been some success with this ap- ca (R. Lu), [email protected] (D. Kwan), [email protected] (Xuemin(Sherman)Shen). proach, any further methods to increase the success rate 1389-1286/$-seefrontmatter(cid:2)2010ElsevierB.V.Allrightsreserved. doi:10.1016/j.comnet.2010.05.005 X.Linetal./ComputerNetworks54(2010)2744–2755 2745 should be welcomed by the general public. Nowadays environment. In summary, the main contributions of this there are many existing location technologies (e.g., GPS, paperarethreefold. Satellite),whichcanbeusedtokeeptrackofthelocation ofachild.However,withthesetechnologies,thechildren (cid:2) Firstly, we study a hierarchical network framework beingtrackedmustcarryaGPSreceiverorcellularphone. composing of RFID readers, storage nodes and central GPS receivers and cellular phones are moderately sized control center to efficiently monitor a large-scale electronic devices that require extra care and protection amusement park, and propose an RFID-based children to prevent damage to the components. As a result, these tracking (REACT) scheme, where the tag information devices become very inconvenient to the children when can be forwarded from RFID readers to the storage playinginanamusementpark,especiallyduringwater-re- nodes with a pocket switched network [6] formed by latedactivities.Anotherapproachtopersonneltrackingis park employees and visitors who carry the wireless toimplantaspecialchipintoaperson,sothattheperson communication devices in the amusement park. With canbetrackedthroughcommunicationbetweenthechip theREACTscheme,thelocationofalostchildwithan and a satellite. However, it is extremely expensive to attached passive RFID tag can be effectively identified implement for the purpose of tracking in an amusement in a large amusement park. To the best of our knowl- park setting and requires a chip to be permanently im- edge, the proposed REACT scheme is the first RFID- plantedintothechildren.Thus,itishighlydesiredtohave based solution to effectively track children in a large- cost effective and efficient personnel tracking systems in scaleamusementpark. placetoprotectchildreninpublicvenues. (cid:2) Secondly, to prevent a privacy-curious attacker from Recently,RFIDtechnology[3–5]hasbeenemergingasa being able to track and/or control children in a large promising method for the purpose of identification and amusementpark,thechild’sprivacy(inparticular,iden- tracking using radio waves due to its low cost and broad tity privacy and unlinkablelocationprivacy [7–11]) in applicability. In this paper, we present a new RFID-based the proposed REACT scheme are concealed. Even privacy-preserving children tracking (REACT) scheme, though an attacker obtains the current position of a which utilizes RFID tags placed on children, for example, child,itstillcannotinferthepastlocationsofthechild, integratedtoawristbandwhichiswornbyachild,andwill alsoknownasforwardsecurity. track their movements throughout the park as they pass (cid:2) Thirdly,wedevelopacustomsimulatortodemonstrate throughthevariouscheckpointsequippedwithRFIDread- the effectiveness of the proposed REACT scheme. The ers. The data (also called tag information) collected from more visitors participating in the pocket switched net- these checkpoints will be relayed back to storage nodes work, the more quickly the proposed REACT scheme wirelessly where queries can be performed by the park can identify the locations of lost children in a large operators to locate a child in the park at the request of amusementpark. theparent.AlthoughtheproposedREACTschemewillbe based on an amusement park setting, the system should Theremainderofthispaperisorganizedasfollows.In beportabletofitanypublicvenue. Section2,weintroducethesystemmodel,communication However, there are several challenges facing RFID- model and design goal. Then, we present the REACT based personnel tracking system for amusement parks. scheme in Section 3, followed by the security analysis Firstly,withthelargephysicalareathatmustbecovered, and performance evaluation in Sections 4 and 5, respec- there will be a large number of RFID readers scattered tively.WealsoreviewsomerelatedworkinSection6.Fi- aroundtheparkinordertoeffectivelymonitortheentire nally,wedrawourconclusionsinSection7. park due to the limited coverage of RFID radio. It will be infeasible and inefficient to provide consistent network connections to all RFID readers with the backbone net- 2.Systemmodel,communicationmodelanddesigngoal work,wherestoragenodesarelocated,overawirelessor wiredlink.Whilesomereadersmayhaveconsistentcom- In this section, we formulate the system model, the municationlinkswiththebackbonenetwork,themajority communicationmodel,aswellasidentifythedesigngoal. of the readers have to relay information between them- selves and the storage nodes through the help of other 2.1.Systemmodel communicationdevicescarriedbyparkemployeesandvis- itors(orpatrons).Secondly,securityandprivacypreserva- WeconsideraheterogenousRFID-basedchildrentrack- tion is of importance to the success of such a tracking ingsystem,whichconsistsofacontrolcenter(CC),asmall system. It is crucial to prevent any adversary from being numberofresource-richstoragenodesS¼fs ;s ;...gand 1 2 able to track and/or control children, which could pose a large number of RFID readers R¼fr ;r ;...g, in a large 1 2 security threats to the general public and lead to child amusementpark,i.e.,Canada’sWonderland[2],asshown abduction. Finally, it is well known that RFID devices, in inFig.1. particular, RFID tags, lack computation, storage, energy, andcommunicationcapacitiesnecessaryformostcrypto- (cid:2) Controlcenter(CC):TheCCisatrustableandpowerful graphicschemesadoptedbymostofsecurityandprivacy entity and is usually located at the amusement park preservation protocols. As a result, it is critical to design entrance, for example, guest services room. The CC is an efficient and effective secure and privacy-preserving responsible for the management of the storage nodes protocol between a tag and a reader suitable for an RFID and RFID readers as well as the registration of chil- 2746 X.Linetal./ComputerNetworks54(2010)2744–2755 CC Storage node RFID reader Reliable Opportunistic Entrance Fig.1. Networkmodelunderconsiderationinalargeamusementpark. dren-carryingRFIDtags.Later,whenparentslosetheir setofedges.Ifthedistancejs (cid:3)sjislessthanorequalto i j childrenintheamusementpark,theCCcanhelpthem thetransmissionrangeR,e =1.Otherwise,e =0.Because ij ij queryandlocatethepreviousandcurrentpositionsof thestoragenodesS¼fs ;s ;...garewelldeployedinthe 1 2 the specific children via the deployed storage nodes amusementpark,itisreasonabletoassumethatG=(S,E) andRFIDreaders. isaconnectedgraph.Then,basedontheDijkstrashortest (cid:2) StoragenodesS:Storagenodeswiththeirhigh-storage- path algorithm [12], each storage node s 2S can find its i capacity play a vital role for the RFID-based children shortestreliablepathtotheCC. trackingsystem.Storagenodesareusuallydeployedat theintersectionsintheamusementpark.Themaintask 2.2.2.CommunicationbetweenstoragenodeandRFIDreaders ofthesestoragenodesisto(i)storethedatareportedby The RFID readers are usually deployed at on-demand theRFIDreadersand(ii)answerqueriesfromthepar- spots.WhenanRFIDreaderisveryclosetotheintersection entsatthecontrolcenter. in the amusement park, it could directly communicate (cid:2) RFID readers R: A large number of RFID readers are withthenearbystoragenode.However,iftheRFIDreader deployedatdifferentlocationsintheamusementpark. isfarawayfromthestoragenode,thecommunicationbe- EachRFIDreaderconsistsofanradiofrequencytrans- comesopportunistic.Inspecific,theRFIDreaderreportsthe mitter and receiver. Once a passive RFID tag attached taginformationbyapocketswitchednetwork[6],asshown on a child is within range of an RFID reader, the RFID in Fig. 2, where the pocket nodes (including the park’s reader can read the tag information. Because the RFID employeesandvisitors)carryingwirelessdevicesintheir readeris not rich in storage, it willperiodicallyreport pocketspullthecollectedtaginformationfromRFIDread- thecollectedtaginformationtothestoragenodes. ersandpushthemtothestoragenodesintheirtravelpath. 2.2.Communicationmodel 2.2.3.CommunicationbetweenRFIDreaderandtags Assume that the RFID tags attached to the children in 2.2.1.CommunicationbetweenCCandstoragenodes the amusement park are inexpensive passive tags, which We assume both the CC, denoted as s , and storage are powered by the signal of an interrogating reader. 0 nodesS¼fs ;s ;...gareequippedwithwirelesscommu- Therefore, the communication between the RFID readers 1 2 nicationdevices,e.g.,WiFiorcellularsystem.Atthesame andtagsonlyworkwithinshortranges.i.e.,afewmeters. time,thecommunicationsamong{s ,s ,s ,...}arebidirec- 0 1 2 tional, i.e., two nodes within their wireless transmission 2.3.Designgoal range R may communicate with each other. Therefore, if astoragenodes isclosetotheCCs ,itcandirectlycontact Before describing the design goal for the RFID-based i 0 with the CC. However, if a storage node is far from the childrentrackingsystem,wemakethefollowingassump- transmission range of the CC, it should resort to other tions in our system. First, all devices in the amusement nodes to establish a route and then communicate with park,includingthecontrolcenter,storagenodesandRFID theCC.Formally,thecommunicationbetweentheCCand readers, are in fixed positions. Once they are deployed in storagesnodescanberepresentedasanundirectedgraph theamusementpark,theirpositionscannotbeeasilydis- G=(S,E),whereS={s ,s ,s ,...} andE={e js,s 2S} isthe placed. In our system, we assume that the control center 0 1 2 ij i j X.Linetal./ComputerNetworks54(2010)2744–2755 2747 RFID Push tag reader Pull tag information Storage information Node Collect tag information Pocket switched network Fig.2. Pocketswitchednetworkinlargeamusementparks. is fully trustable, storage nodes are not compromised, Because a passive tag is typically inexpensive, it doesn’t while the RFID readers could be faked by some attackers containabatteryitself[3].Instead,thepowerissupplied used for collecting tag information. Concretely, we con- by the RFID reader. For example,whenradio wavesfrom sideraprivacy-curiousattackerinthethreatmodelasfol- anRFIDreaderareencounteredbyapassivetag,thecoiled lows: A privacy-curious attacker is a party that doesn’t antennawithinthetagformsamagneticfield,wherethe kidnap children at the amusement park, yet attempts to tag can draw the power and energize the circuits in the learnandtracethepositioninformationofaspecificchild. chip, and then use the energy to send the information specifically,torevealthelocationprivacyofachild,theat- storedonthetagtotheRFIDreader. tackercouldusefakeRFIDreaderstolinkthepositionsof The chip embedded in the tag is less complex, which thechild.Notethatanattackercanalsoperformadenial cannotsupportneitheratimer,arandomnumbergenera- ofservice(DoS)attacksuchthatalegitimateRFIDreader tor(RNG)[13]norhigh-costcryptographicalgorithms[14]. fails to read the normal RFID tags in a large amusement The only cryptographic algorithm that a passive tag can park. However, the DoS attack cannot compromise the supportistheLinearFeedbackShiftRegister(LFSR)based location privacy of child. Thus, how to defend against hash function [15], where the generation of hash is only DoSattacksarebeyondthescopeofthispaper. based on multiplications with random binary matrixes. Toresisttheprivacy-curiousattacker,ourdesigngoalin LetH:{0,1}m?{0,1}n,wheren<m,beanefficientkeyed thispaperistodevelopanRFID-basedprivacy-preserving LFSR based hash function, which can map any input childrentrackingsystemwhichcanachievethefollowing M=(M ,M ,...,M ) into a shorter hash value H(K;M)= 1 2 m requirements: (h ,h ,...,h )withakeyK={k ,k ,...,k }.LFSRbasedhash 1 2 n 1 2 n function is simple but keeps most of the strength of the (cid:2) R-1:Onceachildislostinalargeamusementpark,the Carter–Wegman hash family [16]. See the Appendix for proposed tracking system should be able to help the thedetailedLFSRbasedhashconstruction.Formally,ase- parenteffectivelylocatethepositionofthechild. cure hash function is called e-balanced if 8Me –0;h, the (cid:2) R-2: The proposed tracking system should also have probability Pr½HðMeÞ¼h(cid:4)6e. As proved in [15], we know abilitytoconcealthechild’sprivacyfromaprivacy-curi- the LFSR based hash function H: {0,1}m?{0,1}n is e-bal- ous attacker,even after theattacker has eavesdropped ance for e6 m . When n¼64; m¼128; e6 1, which 2n(cid:3)1 256 and collected many tag information using bogus RFID showsthatLFSRbasedhashfunctionachievesgoodsecu- readers. rity/cost ratio and can be securely applied in RFID-based (cid:2) R-3: TheRFID tags attachedon the childrenshouldbe childrentrackingsystem. very low cost such that parents are willing to accept thechildrentrackingserviceinalargeamusementpark. 3.2.DetailedprocedureoftheREACTscheme 3.ProposedRFID-basedprivacy-preservingchildren 3.2.1.Systeminitialization trackingscheme Basedonthesystemrequirements,thefollowingsteps are performed by the control center to bootstrap the Inthissection,wepresentourRFID-basedprivacy-pre- system: serving children tracking (REACT) scheme, which mainly Step1(Initializesystemparameters):LetGandG betwo T consistsofthefollowingparts:systeminitialization,child cyclicgroupsoflargeprimeorderq.SupposeGandG are T registration, privacy-preserving location information col- lection, opportunistic location information aggregation, and child location query. Before introducing our scheme, Antenna we first review the architecture of the low cost passive Chip RFID tag, which guides what security techniques can be • keys chosenandimplementedinthechildrentrackingsystem. • H(.) 3.1.PassiveRFIDtag’sarchitecture battery no timer RNG ThearchitectureofapassiveRFIDtagisshowninFig.3, whichincludesacoiledantennaandalesscomplexchip. Fig.3. ArchitectureofapassiveRFIDtagunderconsideration. 2748 X.Linetal./ComputerNetworks54(2010)2744–2755 equipped with a pairing, i.e., a non-degenerated and effi- cientlycomputablebilinearmape:G(cid:5)G!G suchthat T eðga;gbÞ¼eðg ;g Þab2G for all a;b2Z(cid:6) and any 1 2 1 2 T q ðg ;g Þ2G(cid:5)G[17].LetgbethegeneratorofG,thecontrol 1 2 centerchoosesarandoms2Z(cid:6)asthemasterkey,andcom- q putesthepublickeyP =gs.Inaddition,threesecurecrypto- cc graphic hash functions H , H , H are chosen, where 0 1 H :f0;1g(cid:6)!G; H :f0;1g(cid:6)!Z(cid:6) and H: {0,1}128? 0 1 q {0,1}64beaLSRFbasedhashfunctionconstructedfroman irreducible LFSR hash polynomial with degree 64 over GF(2), i.e., fðxÞ¼x64þP63c (cid:7)xi, for c 2{0,1}. In the end, i¼0 i i the control center sets the system parameters as params¼fG;G ;q;g;e;P ;H ;H ;H;fðxÞg. T cc 0 1 Step 2 (Deploy storage nodes): The control center pre- loads each storage node si2S¼fs1;s2;...g with Fig.4. Privacypreservinglocationinformationcollection. params¼fG;G ;q;g;e;P ;H ;H ;H;fðxÞg and a private T cc 0 1 key sk =H (s)s, where s is the identity of the ith storage istersimultaneously,instead,onlyonechildcanregisterat i 0 i i node,anddeployss atacriticalpointinthelargeamuse- onetime. i mentpark,forexample,anintersection.Becauseanytwo neighboringstoragenodess and s canderivetheirstatic 3.2.3.Privacypreservinglocationinformationcollection i j shared key k =H (e(sk,H (s)))=H (e(sk,H (s))), the Whenachildc attachedwithanRFIDtagpassesbyan ij 1 i 0 j 1 j 0 i i node-to-node authentication is achieved [17]. Sequen- RFID reader at some location L, where the length of the j tially, the authenticated transmission from any storage identifierL is64bits,inthelargeamusementparkattime j nodetothecontrolcenterisguaranteedaswell. slotT .AsshowninFig.4,theRFIDreadercandetectitand k Step3(DeployRFIDreaders):Thecontrolcenteralsode- read the tag information by performing the following ployseachRFIDreaderr 2R¼fr ;r ;...gatcriticalloca- interactivequeryprotocol. i 1 2 tions L in the large amusement park, then preloads the i reader r with params¼fG;G ;q;g;e;P ;H ;H ;H;fðxÞg Step1: TheRFIDreaderfirstgainsthecurrent64-bittime- i T cc 0 1 and a location-aware private key lk =H (L)s. Later, when stamp t0, then formats the time & location t0kL j 0 i c c j theRFIDreaderisreadytoreportthecollectedtaginfor- into 128 bits information, and finally sends t0kL c j mation,itcanusethelocation-awarekeylk tosignloca- totheRFIDtag. j tion-basedsignatureforauthentication. Step2: Upon receiving t0kL, the RFID tag first checks c j whethert0 (cid:3)t >0.Ifitistrue,theRFIDtaguses c c 3.2.2.Childregistration the key K available at time slot T to compute k k Assumethattheamusementparkopensattimet and t¼HðK ;t0kLÞ(cid:8)t;h¼HðK ;t kLÞ,andreturnsh, s k c j c k c j closesattimet everyday,andthecontrolcenterdivides t to the RFID reader. Otherwise, the RFID tag e the period t (cid:3)t into l time slots T ,T ,...,T, where each doesn’trespondthecurrentRFIDreader’squery. e s 1 2 l T 2{0,1}128. When parents decide to choose the children Step3: After receiving the returned values h, t, the RFID i tracking service for their child c in the large amusement readerformatstherecordt0kLkhktandtemporar- i c j parkatslotTaduringtheirvisittothepark,theyfirstmake ilystoresit.Notethat,eachrecordhereisonly256 aregistrationatthecontrolcenter.Then,thecontrolcenter bits. executesthefollowingsteps: 3.2.4.Opportunistictaginformationaggregation Step1: The control center assigns a 64-bit key Because the RFID reader is not rich in storage, each K ¼ðki;ki;...;ki Þ for each time slot T, where readerr atlocationL willperiodicallyreportthetaginfor- i 1 2 64 i j j Ta6Ti6Tl. Because the passive RFID tag is low- mation to the storage nodes in a batch manner. The de- storage and in order to achieve forward security, tailedstepsareexecutedasfollows. the key K ¼ðkiþ1;kiþ1;...;kiþ1Þ in slot T is iþ1 1 2 64 i+1 derived from K ¼ðki;ki;...;ki Þ in slot T by Step1: The RFID reader first aggregates several collected i 1 2 64 i applying the LSRF based hash function H, i.e., taginformationintoonerecordrec,andthenuses j K =H(K;T). thelocation-awarekeysk =H (L)stomakeasig- i+1 i i j 0 j Step2: The control center initializes a new passive RFID nature [18] on rec as r =(a,b), where j j j j tag and preloads the tag with the key Ka in slot aj¼H0ðLjÞr;bj¼skrjþH1ðrecj;ajÞ with some random Ta,theLSFRbasedhashfunctionH,andthecurrent numberr2Z(cid:6)q. timestampt. Step2: IftheRFIDreaderisclosetotheintersectionand c Step3: Thecontrolcenterattachesthetagonthechildc withinthetransmissionrangeofonenearbystor- i inareliableway.Insuchaway,thetagwon’teas- age node, the RFID reader will directly send ilydropwhenthechildisplaying. (rec,r) to the storage node. If the RFID reader is j j far away from the some storage nodes, it will Notethat,forthereasonofsecurity,thecontrolcenter resort to the pocket switched network formed by doesn’tdealwiththescenariowhenmultiplechildrenreg- selected visitors to carry the information (rec,r) j j X.Linetal./ComputerNetworks54(2010)2744–2755 2749 tothestoragenodesinanopportunisticmanner,as the secure channels have been established showninFig.5.Inordertoenhancethereliability amongstthecontrolcenterandallstoragenodes, in opportunistic transmission, Multi-Copy Multi- thequerywith(K,T)wouldn’tbedisclosed. s s Destination (MCMD) policy is adopted, in which Step2: After receiving (K,T), each storage node s 2S s s i multicopiesof(rec,r)willbecarriedbydifferent first computes the key set K¼fK ;K ;...;Kg j j s sþ1 l visitorstomultistoragenodes. with the LFSR based hash function H such that Itisworthnotingthatonlyacertainpercentageof K =H(K;T) where T 6T <T. Then, the storage i+1 i i s i l visitors are willing to register their own wireless node s invokes the Algorithm 1 to get the pri- i devices tohelp carry and forward aggregated tag vacy-preservingtrackingrecordsD0. information. However, it is mandatory for each park employee to carry a wireless device to help Algorithm1:PrivacyPreservingTrackingQuery withtaginformationforwarding. 1:ProcedurePrivacyPreservingTrackingQuery Step3: Whenastoragenodereceivesacopyof(rec,r),it first uses the location L to verify the locjatijon- Input:K¼fKs;Ksþ1;...;Klgandcollectedtag based signature r by chjecking eðg;bÞ¼? eðP ;a(cid:7) informationD¼ft0ckLjkhktjt0c2½Ts;Tl(cid:4):g H0ðLjÞH1ðrecj;ajÞÞ. If itj holds, the tag infojrmatiocnc inj 2: OusteptuDt:0D¼0null rec isauthenticatedandwillbestoredinthestor- j 3: foreachrecordðt0kLkhktÞ2D agenode;otherwise,recjwillberejected.Thecor- c j rectnessisshownasfollows: 4: ift0c2timeslotTi; whereTs6Ti6Tl 5: computetc¼HðKi;t0ckLjÞ(cid:8)t eðg;bÞ¼e(cid:2)g;skrþH1ðrecj;ajÞ(cid:3) 6: ifh==H(Ki,tckLj) j j 7: setD0¼D0[fðt0kLkhktÞg (cid:2) (cid:3) c j ¼e g;H ðLÞsðrþH1ðrecj;ajÞÞ 8: endif 0 j (cid:2) (cid:3) 9: endif ¼e gs;H0ðLjÞrþH1ðrecj;ajÞ 10: endfor ¼e(cid:2)P ;a (cid:7)H ðLÞH1ðrecj;ajÞ(cid:3): ð1Þ 11: returnD0 cc j 0 j 12:endProcedure Batch verification. When several records (re- c ,r ),...,(rec ,r ) from different locations (L ,...,L ) ar- 1 1 n n 1 n rive at the storage node simultaneously, the following Step3: Each storage node returns its records D0 to the batch verification is adopted to improve the verification controlcenterviaapredefinedshortestpath.Since efficiency, i.e., eðg;Qni¼1biÞ¼eðPcc;Qni¼1ai(cid:7)H0ðLiÞH1ðreci;aiÞÞ. the MCMD policy is adopted in the opportunistic Thecorrectnessofthebatchsignatureverificationcanbe tag information aggregation, the redundant derived from Eq. (1), and werefer readers to [19] for the recordsmayproduceinsomedownstreamnodes efficiencyandsecurityanalysis. when being forwarded to the control center. Therefore, before further forwarding the records, 3.2.5.Childlocationquery each downstream node should aggregate those Whenparentscannotfindtheirchildc fromtimeslot recordscomingfromitsupstreamnodestoelimi- i T, they can report to the park authority and request the natetheredundancy. s controlcentertohelplocatethechild.Then,thechildloca- Step4: After receiving all records related to the specific tionqueryisexecutedinthefollowingsteps. childc,thecontrolcentercanconstructthetracking i information,asshowninFig.6.Inaddition,because Step1: LetK bethekeyofthepassiveRFIDtagattached achildusuallystaysatsomeamusementspotfor s on the child c at time slot T. The control center sometime,thecurrentpositionofthechildcanbe i s firstbroadcaststheK toallstoragenodes.Because identifiedbasedonthesetrackinformation. s (rec,δ) (rec,δ) (rec,δ) Opportunistic with the help of visitors Storage node RFID reader Reliable Opportunistic Fig.5. OpportunistictaginformationaggregationinMCMDpolicy. 2750 X.Linetal./ComputerNetworks54(2010)2744–2755 t1 t2 ti-1 ti information t0ckLjkhkt. However, even though no RNG and timer are implemented in the passive RFID tag L1 L2 Li-1 Li (duetoitscostlimitation),theRFIDtagcanstillresist h1 h2 hi-1 hi this kind of attack. Because each tag stores the last- t0 t1 ti-2 ti-1 access timestamp tc, once a timestamp t0cð<tcÞ is Ts Tl replayed,thejudgeconditiont0c(cid:3)tc>0cannotpassin manyRFIDtags.Thus,theprivacy-curiousattackerhas Fig.6. Trackinginformationreconstructedatcontrolcenter. no idea to link a tag information with a specific child, andthelocation-linkprivacyisachieved. Correctness. Because of the one-wayness of the LSFR (cid:2) Forwardsecurity.Forwardsecuritymeans,eventhough basedhashfunction,onlytheauthenticRFIDtagattached anRFIDtagiscompromisedattimeslotTs,theattacker, onthechildcicancomputetherealhashvalue.Thus,the withthekeyKsatTs, cannottrackthelocationsinthe storagenodesScanidentifyitoncegrantedwiththecor- pasttimeslots(<Ts).Inthefollowing,weformallyprove respondingkey.Sinceaprevioustimestampt canbecom- thatthepassiveRFIDtagcanachievetheforwardsecu- c puted from each tag current information t0kLkhkt, the rity.Beforeproceedingwiththeproof,wefirstformal- c j child’strackinginformationcanbeplottedbasedonsuch ize the forward security model by the challenge- linkability.Notethatthetrackinginformationiscondition- responsegamebelow. allyrevealed.WithoutknowingthekeyK ,t cannotbede- k c rivedfromt¼HðK ;t0kLÞ(cid:8)t andh=H(K ,tkL). k c j c k c j 4.Securityanalysis ForwardSecurityGame. In the game,the interaction betweenanattackerAandthepassiveRFIDtagsonly Inthissection,weanalyzethesecurityoftheproposed occurs via oracle queries, which model the attacker RFID-basedprivacy-preservingchildrentrackingscheme. capabilities in the real RFID attack scenarios. During Followingthesystemmodeldiscussedearlier,weknow thegame,theattackmayquerydifferentRFIDtagsat thattheweakestpartintheRFID-basedtrackingsystemis any given time slot Ts. Let Tsi denote the instance i of thepassiveRFIDtag.Accordingtotheprinciplethatsecu- apassiveRFIDtagatTsandletbbeabitchosenuni- rity relies essentially on the strength of the weakest link formly at random. The query types available to the [20], the privacy preservation in RFID-based system de- attackerareasfollows: pendsprimarilyonthesecurityofpassiveRFIDtag.Because thepassiveRFIDtagislessexpensiveand,atthesametime, (cid:2) Execute ðTs;Ts;...;TsÞ: This query models the pri- 1 2 n supports less complexity cryptographic algorithms than vacy-curious attacker A passively eavesdrops on otherhigh-trustabledevices,theperfectsecurityinthepas- honest executions among the RFID tags Ts;...;Ts 1 n siveRFIDtagdoesnotexistandwouldprobablybeineffec- andRFIDreaders.Itreturnsthetaginformationthat tiveandprohibitivelyexpensiveifitdoesexist.Therefore,a wereexchangedduringanhonestexecution. reasonablemetrictomeasuretheprivacypreservationpro- (cid:2) SendðTsi;t0ckLjÞ:Thisquerymodelsanactiveattack, videdbythepassiveRFIDtagistheprivacy/costratio(PCR). in which the privacy-curious attacker A actively GivensomePCR,theprivacythatneedstobeprotectedisin uses an illegal RFID reader to obtain the tag infor- directproportiontothecostsassociatedwithprivacypres- mation that an RFID tag Ts would generate upon i ervation.Thus,forlowcostpassiveRFIDtag,theprovided receiptofthequeryt0ckLj. privacyisobviouslylimited.Becausethelargeamusement (cid:2) CorruptðTsÞ:Thisquerymodelstheprivacy-curious i parkisnotashostileasotherscenarios,weonlyfocuson attackerAobtainsthekeyKsbycompromisingTsi. theprivacypreservationagainstaprivacy-curiousattacker (cid:2) Test ðTs(cid:3)1;Is(cid:3)1;Is(cid:3)1Þ: This query tries to capture the i 0 1 intheamusementpark.Specifically,thefollowingsecurity attacker’sabilitytolinkataginformationofthecor- requirementscanbeachieved. rupted instance i in time slot Ts(cid:3)1. The challenger runs the follows steps: (1) Flip a coin and get (cid:2) Identityprivacy:Duringthechildregistrationphase,itis b2{0,1};(2)SetIs(cid:3)1 betherealtaginformationof b thecontrolcenterthatrandomlychoosesakeyKafora instance i, and Is1(cid:3)(cid:3)1b be a tag information of other specificchildc,andnooneelsecanlinkakeytothereal instance–i;(3)SendIs(cid:3)1;Is(cid:3)1totheprivacy-curious i 0 1 child’sidentity,i.e.,Ka;ci.Therefore,theidentitypri- attacker A; (4) Obtain the guessing bit b0 returned vacy is ensured, even when a privacy-curious attacker fromA. obtainsthekeybycompromisingthepassiveRFIDtag attachedonthechild. Wedenotetheadvantageoftheprivacy-curiousat- (cid:2) Unlinkable location privacy: Given two tag information tackerAastheprobabilitythatAcorrectlyguessesthe t kL kh kt and t kL kh kt. Because of the one-wayness valueofb;morepreciselywedefineAdvðAÞ¼2Pr½b¼ 1 1 1 2 2 2 b0(cid:4)(cid:3)1,wheretheprobabilityspaceisoveralltheran- of the LSFR based hash functionH(), a privacy-curious domcoinsoftheattackerandalltheoracles.TheRFID attacker cannot extract the keys from h and h , and 1 2 tagissaidtobeforwardsecurityifA’sadvantageisneg- thus cannot judge whether or not they are produced ligibleinthesecurityparameters. bythesameRFIDtag.Aprivacy-curiousattackercould replay an RFID query with t0kL once it obtains a tag c j X.Linetal./ComputerNetworks54(2010)2744–2755 2751 Theorem 1 (Forward security). The passive RFID tag can inJavatodemonstratetheperformanceoftheopportunis- achieve the forward security provided that the LSFR hash tictaginformationaggregation. function H: {0,1}128?{0,1}64 is one-day securein the RFID tag, where one-day secure means that the inverting of the 5.1.Simulationsetup hashHcannotbesuccessfulinone-day.1 Bystatistics,alargeramusementparkcouldaveragely Proof. TheresultcomesfromthefactthattheattackerA attract 1000 children everyday. To model such a large cannot invert the LSFR based hash function. More pre- amusementpark,24storagenodeswithpropertransmis- cisely, suppose that, after a huge number of Execute and sion radius are first deployed in a restricted Send queries and obtaining the key K by CorruptðTsÞ in 1200(cid:5)1200m2 area to establish a connected network s i time slot T, the attacker A can win the above forward with the control center, as shown in Fig. 1. Assume that s security game with a non-negligible advantage there are total n=150 amusement spots (attractions) in AdvðAÞ¼e.Thatis,theattackerAcandistinguishavalid thearea,and150RFIDreadersareuniformlydeployedin tag information t0kLkhkt at time slot T , where thesespots.Inaddition,anumberofpocketdevicescarried c j s(cid:3)1 t0 2T . By observing t¼HðK ;t0kLÞ(cid:8)t;h¼HðK ; bythevisitors,whichformthepocketswitchednetwork, c s(cid:3)1 s(cid:3)1 c j c s(cid:3)1 tkLÞ, we know that the attacker A can correctly guess arealsoramblinginthelargeamusementpark.Concretely, c j b=b0 by only two ways: (1) directly guessing b with 1/2 thedetailedparametersettingsusedinthesimulationsare probability, denoted as the event E ; (2) obtaining the summarized in Table 1. In order to achieve more stable 1 key K from K, where K =H(K ,T ), denoted as the simulationresults,weseta60-minwarm-uptimeduring s(cid:3)1 s s s(cid:3)1 s(cid:3)1 event E . Then, Pr½b¼b0(cid:4)¼Pr½E (cid:4)þPr½E (cid:4)¼1þPr½E (cid:4). By whichresultsarenotcollected.Wealsovarythenumber combini2ng the definition AdvðA1Þ¼e¼22Pr½b2¼b0(cid:4)(cid:3)21 in ofreplicatedtaginformationfrom1to3tocheckthereli- thegame,wehavePr½E (cid:4)¼e.Becauseeisanon-negligible abilityinMCMDpolicy. advantage, then Pr½E (cid:4)¼2 e s2hows that the attacker A can Mobilitymodel.Inthepocketswitchednetwork,theper- invert the LSFR base2d ha2sh with another non-negligible formance of networking applications is highly contingent probability,butitcontradictswiththeLSFRhashfunction uponthemobilityofpocketdeviceholders.Aspocketde- H()isone-daysecureintheRFIDtag.Therefore,thepassive vices are mostly carried by the adult visitors in the large RFIDtagcanachievetheforwardsecurity. h amusement park, modeling the mobility patterns of visi- tors(includingchildren)canachievearelativelyaccurate Note.DuetothelowcostofthepassiveRFIDtag,anat- performanceevaluation.Letstatest bewhenavisitoren- tacker A could use the close time t to query the passive 0 e RFIDtag.Then,anyquerywithnormaltimestampt0,where ters/exitstheamusementpark,andstidenotesthatthevis- t0 <t ,willberejected,asshowninFig.4.Thisisocnekind itorhasvisitediamusementspotsintheamusementpark. c e Ifthe visitorjustenters theamusementpark,he/shewill ofDoSattacks.Asdiscussedintheearlierattackmodel,the gotoanunvisitedspotwiththeprobabilityp=1.Ifthevis- DoSattacksarenotconsideredinthecurrentsystem.Nev- itor has visited i spots, he/she goes to an unvisited spot ertheless,ifweincreasethecostofthepassiveRFIDtagby with the probability p=q, and rambles in visited spots adding a timer, this kind of DoS attack can be easily re- sistedbycheckingthevalidityofthecurrenttimestampt0. with1(cid:3)q.Afterhavingvisitedallspots,thevisitorleaves c the amusement park with the probability p=q. On aver- age,thevisitorwillstayateachamusementspotwithT . 5.Performanceevaluation avg However, if some event is trigged, e.g., the amusement parkclosuretimeapproachingortourist’semergencecall Inthissection,weevaluatetheperformanceofthepro- incoming with the probability 0.01, the visitor directly posedREACTscheme.BecausetheprimarygoaloftheRE- leaves the amusement park with the probability 1. Fig. 7 ACTschemeistohelpparentsidentifythelocationoftheir showssuchvisitormobilitymodel. lostchildrenasquicklyaspossible,thehighreliabilityand low latency are desirable. Recall that the tag information aggregation is based on pocket switched network, thus Table1 SimulationSettings. theopportunisticaggregationbecomesthedominantfac- tor affecting the reliability and the latency of the whole Parameter Setting scheme.(Notethat,thecommunicationsbetweenthecon- Simulationarea 1200m(cid:5)1200m trolcenterandstoragenodesarereliableasdiscussedear- Simulationwarm-uptime 60min lier,whichthusdonotincurhighlatencyinthesystem.)In Simulationdurationtime 120min Storagenodes’snumber 24 thefollowing,takingthedeliveryratio(definedasthefrac- Storagenode’stransmissionrange 200m tion of tag information that are correctly delivered from RFIDreaders’number 150 theRFIDreaderstosomestoragenodeswithinagiventime RFIDreader’stransmissionrange 50m period)anddeliverylatency(definedasthetimebetween Children’snumber 1000 Child’svelocity 1.8–2.0m/s when a tag information is collected at some RFID reader TransmissionrangeofRFIDtags 5m and when it is aggregated at some storage node) as the NumberofpocketdevicesNp [20,40,...,200] performance metrics, we use our custom simulator built Pocketdevice’stransmissionrange 80 m Pocketdevice’svelocity 1.0–2.0m/s 1 Ifthe64-bithashlengthisnotenoughtoachievetheone-daysecure, ANvuem.bstearyoinfgretpimliceaaotfetaacghinspfoo.tNTcavg [[110,2,2,30],30]min thehashlengthcanbeadaptivelyextended. 2752 X.Linetal./ComputerNetworks54(2010)2744–2755 Inthefollowing,wesettheparameterqas0.85±0.08, becarried from RFID readers to storage nodes withmore andsimulatethepocketswitchednetworkbasedtaginfor- chances, when large numbers of pocket devices are in- mationaggregationwithdifferentparametersN ,T and volved in the opportunistic tag information aggregation. p avg N.Thedurationforeachsimulationis120min,andallre- Inaddition,withthedecreaseoftheaveragestayingtime c sultsareaveragedover10runs. T ,thedeliveryratiocanbeimprovedaswell.Comparing avg allsubfigures(a)–(c),wecanalsovalidatethedeliveryratio 5.2.Simulationresults isimprovedwhentheNcincreases. Wefurtherevaluatetheeffectofthenumberofpocket Fig. 8 presents the delivery ratio versus the number of devicesNpontheaveragedelay,withresultsillustratedin pocket devices carried by the visitors N , under different Fig. 9. From the figure, we can see that, with (1) the in- p TavgandNc.Ineachsubfigure,itisobservedthatthedeliv- creaseofNp;(2)theincreaseofNc;or(3)thedecreaseof eryratioimproveswiththeincreaseofthenumberofpock- Tavg, the average delay will be reduced. However, in real etdevicesN .Themorethepocketdevices,thebetterthe amusementparkscenarios,thecondition(3)isimpractical p delivery ratio. The reason is that the tag information can to decrease Tavg. Therefore,by (1) encouragingmore visi- Enter/Exit 1-ρ 1-ρ 1-ρ p=1 ρ ρ st0 st1 st2 stn ρ p=1 Fig.7. Visitormobilitymodelconsideredinthelargeamusementpark. 1 TTTaaavvvggg=== 123000 mmmiiinnnuuuttteeesss 1 TTTaaavvvggg=== 123000 mmmiiinnnuuuttteeesss 1 TTTaaavvvggg=== 123000 mmmiiinnnuuuttteeesss 0.95 0.95 0.95 0.9 0.9 0.9 Delivery ratio0.08.58 Delivery ratio00.8.85 Delivery ratio00.8.58 0.75 0.75 0.75 0.7 0.7 0.7 0.65 0.65 0.65 20 40 60 80 100 120 140 160 180 200 20 40 60 80 100 120 140 160 180 200 20 40 60 80 100 120 140 160 180 200 Np Np Np (a) Nc=1 (b) Nc=2 (c) Nc=3 Fig.8. Deliveryratioversusvaryingnumberofpocketdevices. 30 30 30 minutes)2205 TTTaaavvvggg=== 123000 mmmiiinnnuuuttteeesss minutes)2205 TTTaaavvvggg=== 123000 mmmiiinnnuuuttteeesss minutes)2205 TTTaaavvvggg=== 123000 mmmiiinnnuuuttteeesss Delay (15 Delay (15 Delay (15 Average 150 Average 105 Average 150 0 0 0 20 40 60 80 100 120 140 160 180 200 20 40 60 80 100 120 140 160 180 200 20 40 60 80 100 120 140 160 180 200 Np Np Np (a) Nc=1 (b) Nc=2 (c) Nc=3 Fig.9. Averagedelayversusvaryingnumberofpocketdevices. X.Linetal./ComputerNetworks54(2010)2744–2755 2753 torsactasthepocketnodesplus(2)MCMDpolicy,thelost vacy-preserving children tracking scheme based on RFID child can be quickly located by the proposed REACT technology.Theproposedscheme,namedREACT,ischar- scheme.Nowadays,missingchildrenisaveryseriousissue acterizedbythecooperationamongRFIDreaders,storage facing our society. Various public campaigns can be nodesandcontrolcenteraswellastheemployeesandvis- launched to create awareness of missing children issues. itorsoftheparksinalargeamusementpark,andusingthe Asaresult,webelievethatmoreandmorepublicarewill- pocketswitchednetworkformedbythevisitorstoforward ing to serve as the pocket nodes during their visit to the thechildren,stag information fromRFID readers tosome parkandthusmaketheproposedschemeverysuccessful. storagenodesforcontrolcenter’squery.Bysecurityanaly- sis,theproposedREACTschemeachieveschildren’siden- tity privacy, unlinkable location privacy and forward 6.Relatedwork security. In addition, through extensive simulations we demonstrate the proposed REACT scheme can quickly lo- RFID-based personnel tracking is a major application cate the lost children’s position, when more visitors are andhasattractedalotofinterestinrecentyears.Several willing to patriciate in the pocket switched network in a efficient RFID-based personnel tracking schemes closely largeamusementpark. relatedtotheproposedREACTschemehavebeenproposed [21–25].However,thepersonnel’sprivacy-preservingdur- ing the tracking and positioning is not welladdressed. In Acknowledgement [21], Zhang et al. propose a general algorithm for RFID- based tracking and locating the persons in underground TheresearchisfinanciallysupportedbytheNaturalSci- mine environments to help with management of mines ences and Engineering Research Council of Canada and avoid enormous losses. However, due to the unique (NSERC). featuresofundergroundminescenarios,thealgorithmjust investigatestheoptimaldeploymentofRFIDreaders,and AppendixA leaves the person’s privacy issues unconsidered. In [22], Huangetal.proposeapsychiatricpatienttrackingsystem In the appendix, we will show how to construct LFSR basedonRFIDtechnology.Inthesystem,thecollaboration based hash function H: {0,1}m?{0,1}n, where n is the among field generators, RFID readers and tags accom- security parameter indicating the hash length, and m de- plishestherequiredfunctionsinusingRFIDinpsychiatric notesthelengthoftheinputmessageM=(M ,M ,...,M ). 1 2 m patienttracking.Specifically,thefieldgeneratorconstantly Letf(x)beanirreducibleLFSRhashpolynomialwithde- broadcastsignalswithinits transmission range.Whenan gree n over GF(2), i.e., fðxÞ¼xnþPn(cid:3)1c (cid:7)xi, where i¼0 i RFIDtagattachedonthepatientreceivesthetriggersignal, c 2{0,1}.LetK=(k ,k ,...,k )2{0,1}nbeakey,andsetit i 1 2 n itrespondstoareaderwiththeidentifierofthefieldgen- as theinitial state of LFSRhash. Then,LFSR outputsa se- erator.Thus,thelocationofthepatientassociatedwiththe quence (k ,k ,...,k ,k ,..., k ) with total n+m(cid:3)1 1 2 n n+1 n+m(cid:3)1 tagcanbeapproximatelyestimated.However,thesystem bits,andthesequenceisusedtoconstructaToeplitzMa- onlyaimstoimprovethetrackingreliability,thepatient’s trixas privacy is also not addressed. In [23], Satoh presents a frameworkforprovidingdynamicallydeployablesettings. 0kn knþ1 ... knþm(cid:3)11 UsingRFID-basedtrackingsystem,theframeworkcande- B .. .. .. C B . . ... . C tdercetsstehsetpheeopselec’usriltoycaatinodn.pArilvthaocyugihsstuhees,frtahmeyewaorerkvaedry- TM¼BB@k2 k3 ... kmþ1 CCA: sketchy. We have noticed that several detailed privacy- k1 k2 ... km preserving RFID authentication schemes have been pro- In the end, the hash value H(K;M)=(h ,h ,...,h ) on posed,yettheprivacyisonlydiscussedatalgorithm-level 1 2 n messageM=(M ,M ,...,M )canbecalculatedas [26]. In [24,25], RFID-based children tracking has been 1 2 m studied, however the children privacy-preserving is not 0M 1 astprcdrahedcDserkemeiisrsntvesgiiennddcigen.tviinafsretolesamrramgnets-RhsoFecfIaDbale-obbtoahavrseeaealdg,woparorniritvdkha,mdctyi-hs-lceepuvrseepslsreeaosrnpvdtoihnsseegydscpthreRiimvlEdaA-rclCeyenT-- [email protected]¼TM(cid:7)[email protected]: M vel. In addition, since neither timer nor RNG is required, m the architecture of the passive RFID tag employed in the Because of its simple construction, LFSR based hash REACTschemeismuchsimplerandlessexpensive,which functionissuitableforthelesscomplexhardwareimple- attractsparentstoacceptthechildrentrackingserviceina mentationinlowcostpassiveRFIDtag. largeamusementpark. References 7.Conclusions [1] Missing Children Society of Canada, Website, <http://www.mcsc. ca/>. Tohelpparentsidentifythelocationsoftheirlostchil- [2] Canada’s Wonderland, Website, <http://www.canadaswonderland. dreninlargeamusementparks,wehavepresentedapri- com/>.
Description: