On Ultralightweight RFID Authentication Protocols

A recent research trend, motivated by the massive deployment of RFID technology, looks at cryptographic protocols for securing communication between entities in which some of the parties have very limited computing capabilities. In this paper, we focus our attention on SASI, a new RFID authentication protocol, designed for providing Strong Authentication and Strong Integrity. SASI is a good representative of a family of RFID authentication protocols, referred to as Ultralightweight RFID authentication protocols. These protocols, suitable for passive Tags with limited computational power and storage, involve simple bitwise operations such as and, or, exclusive or, modular addition, and cyclic shift operations. They are efficient, fit the hardware constraints, and can be seen as an example of the above research trend. However, the main concern is the real security of these protocols, which are often supported only by apparently reasonable and intuitive arguments. The contribution we provide with this work is the following: we start by showing some weaknesses in the SASI protocol, and then, we describe how such weaknesses, through a sequence of simple steps, can be used to compute in an efficient way all secret data used for the authentication process. Specifically, we describe three attacks: 1) a desynchronization attack, through which an adversary can break the synchronization between the RFID Reader and the Tag; 2) an identity disclosure attack, through which an adversary can compute the identity of the Tag; and 3) a full disclosure attack, which enables an adversary to retrieve all secret data stored in the Tag. Then, we present some experimental results, obtained by running several tests on an implementation of the protocol, in order to evaluate the performance of the proposed attacks, which confirm that the attacks are effective and efficient. It comes out that an active adversary by interacting with a Tag more or less three hundred times, makes the authentication protocol completely useless. Finally, we close the paper with some observations. The cryptoanalysis of SASI gets some new light on the ultralightweight approach, and can also serve as a warning to researchers working on the field and tempted to apply these techniques. Indeed, the results of this work, rise serious questions regarding the limits of the ultralightweight family of protocols, and on the benefits of these ad hoc protocol design strategies and informal security analysis.

[1]  Simson L. Garfinkel,et al.  RFID privacy: an overview of problems and proposed solutions , 2005, IEEE Security & Privacy Magazine.

[2]  Manuel Blum,et al.  Secure Human Identification Protocols , 2001, ASIACRYPT.

[3]  Robert H. Deng,et al.  Vulnerability Analysis of EMAP-An Efficient RFID Mutual Authentication Protocol , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[4]  Gildas Avoine Adversarial Model for Radio Frequency Identification , 2005, IACR Cryptol. ePrint Arch..

[5]  Juan E. Tapiador,et al.  Cryptanalysis of the SASI Ultralightweight RFID Authentication Protocol with Modular Rotations , 2008, ArXiv.

[6]  Hung-Yu Chien,et al.  SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity , 2007, IEEE Transactions on Dependable and Secure Computing.

[7]  Yi Mu,et al.  RFID Privacy Models Revisited , 2008, ESORICS.

[8]  Serge Vaudenay,et al.  Mutual authentication in RFID: security and privacy , 2008, ASIACCS '08.

[9]  Serge Vaudenay,et al.  On the Security of HB# against a Man-in-the-Middle Attack , 2008, ASIACRYPT.

[10]  Yannick Seurin,et al.  Good Variants of HB+ Are Hard to Find , 2008, Financial Cryptography.

[11]  李南逸,et al.  Mutual authentication protocol for low cost RFID tags , 2012 .

[12]  Serge Vaudenay,et al.  Smashing SQUASH-0 , 2009, EUROCRYPT.

[13]  Raphael C.-W. Phan,et al.  Cryptanalysis of a New Ultralightweight RFID Authentication Protocol—SASI , 2009, IEEE Transactions on Dependable and Secure Computing.

[14]  Juan E. Tapiador,et al.  M2AP: A Minimalist Mutual-Authentication Protocol for Low-Cost RFID Tags , 2006, UIC.

[15]  Mike Burmester,et al.  Provably Secure Ubiquitous Systems: Universally Composable RFID Authentication Protocols , 2006, 2006 Securecomm and Workshops.

[16]  Adi Shamir SQUASH - A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags , 2008, FSE.

[17]  Hung-Min Sun,et al.  On the Security of Chien's Ultralightweight RFID Authentication Protocol , 2011, IEEE Transactions on Dependable and Secure Computing.

[18]  Juan E. Tapiador,et al.  Advances in Ultralightweight Cryptography for Low-Cost RFID Tags: Gossamer Protocol , 2009, WISA.

[19]  Ari Juels,et al.  Defining Strong Privacy for RFID , 2007, Fifth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PerComW'07).

[20]  Sasa Radomirovic,et al.  On a new formal proof model for RFID location privacy , 2009, Inf. Process. Lett..

[21]  Hung-Yu Chien,et al.  Security of ultra-lightweight RFID authentication protocols and its improvements , 2007, OPSR.

[22]  Tieyan Li,et al.  Security Analysis of Two Ultra-Lightweight RFID Authentication Protocols , 2007, SEC.

[23]  Ari Juels The Vision of Secure RFID , 2007 .

[24]  Matthew J. B. Robshaw,et al.  An Active Attack Against HB +-A Provably Secure Lightweight Authentication Protocol , 2022 .

[25]  Serge Vaudenay,et al.  On Privacy Models for RFID , 2007, ASIACRYPT.

[26]  Elisa Bertino,et al.  Security Analysis of the SASI Protocol , 2009, IEEE Transactions on Dependable and Secure Computing.

[27]  Juan E. Tapiador,et al.  EMAP: An Efficient Mutual-Authentication Protocol for Low-Cost RFID Tags , 2006, OTM Workshops.

[28]  Pedro Peris-López,et al.  LMAP : A Real Lightweight Mutual Authentication Protocol for Low-cost RFID tags , 2006 .

[29]  Eli Biham,et al.  Differential cryptanalysis of DES-like cryptosystems , 1990, Journal of Cryptology.

[30]  Ivan Damgård,et al.  RFID Security: Tradeoffs between Security and Efficiency , 2008, CT-RSA.

[31]  Ari Juels,et al.  Authenticating Pervasive Devices with Human Protocols , 2005, CRYPTO.

[32]  Yannick Seurin,et al.  HB#: Increasing the Security and Efficiency of HB+ , 2008, EUROCRYPT.