Extending an RFID Security and Privacy Model by Considering Forward Untraceability

There are numerous works on the privacy and security problems of RFID systems. However, many of them have failed due to the lack of a formal security proof. In the literature, there are a few formal models that consider forward untraceability. At ASIACRYPT 2007, Vaudenay presented a new security and privacy model for RFID that combines earlier models into a more understandable one. In this paper, we revisit Vaudenay's model and modify it by considering the notion of forward untraceability. Our modification considers all message flows between the RFID reader and tags before and after the compromise of a tag's secrets. We analyze some RFID schemes claiming to provide forward untraceability and resistance to server impersonation. For each scheme, we exhibit attacks in which a strong adversary can trace the future interactions of the tag and impersonate the valid server to the tag. Further, we show that a previously proposed attack claiming to violate forward untraceability of an existing RFID scheme does not violate forward untraceability.
