Weaknesses in Two Recent Lightweight RFID Authentication Protocols

The design of secure authentication solutions for low-cost RFID tags is still an open and quite challenging problem, though many algorithms have been published lately. In this paper, we analyze two recent proposals in this research area. First, Mitra's scheme is scrutinized, revealing its vulnerability to cloning and traceability attacks, which are among the security objectives pursued in the protocol definition [1]. Later, we show how the protocol is vulnerable against a full disclosure attack after eavesdropping a small number of sessions. Then, we analyze a new EPC-friendly scheme conforming to EPC Class-1 Generation-2 specification (ISO/IEC 180006-C), introduced by Qingling and Yiju [2]. This proposal attempts to correct many of the well known security shortcomings of the standard, and even includes a BAN logic based formal security proof. However, notwithstanding this formal security analysis, we show that Qingling et al.'s protocol offers roughly the same security as the standard they try to improve, is vulnerable to tag and reader impersonation attacks, and allows tag traceability.

[1]  Hung-Yu Chien,et al.  Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards , 2007, Comput. Stand. Interfaces.

[2]  Damith C. Ranasinghe,et al.  Networked RFID Systems and Lightweight Cryptography , 2008 .

[3]  Raphael C.-W. Phan,et al.  Cryptanalysis of a New Ultralightweight RFID Authentication Protocol—SASI , 2009, IEEE Transactions on Dependable and Secure Computing.

[4]  Kwangjo Kim,et al.  Mutual Authentication Protocol for Low-cost RFID , 2005, CRYPTO 2005.

[5]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[6]  HanDaewan,et al.  Vulnerability of an RFID authentication protocol conforming to EPC Class 1 Generation 2 Standards , 2009 .

[7]  Tieyan Li,et al.  Addressing the Weakness in a Lightweight RFID Tag-Reader Mutual Authentication Scheme , 2007, IEEE GLOBECOM 2007 - IEEE Global Telecommunications Conference.

[8]  Mala Mitra,et al.  Privacy for RFID Systems to Prevent Tracking and Cloning , 2008 .

[9]  Dong Hoon Lee,et al.  Efficient RFID Authentication Protocol for Ubiquitous Computing Environment , 2005, EUC Workshops.

[10]  Juan E. Tapiador,et al.  Advances in Ultralightweight Cryptography for Low-Cost RFID Tags: Gossamer Protocol , 2009, WISA.

[11]  Ari Juels,et al.  Defining Strong Privacy for RFID , 2007, Fifth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PerComW'07).

[12]  Colin Boyd,et al.  Advances in Cryptology - ASIACRYPT 2001 , 2001 .

[13]  Daesung Kwon,et al.  Vulnerability of an RFID authentication protocol conforming to EPC Class 1 Generation 2 Standards , 2009, Comput. Stand. Interfaces.

[14]  Paul Müller,et al.  Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers , 2004, IEEE Annual Conference on Pervasive Computing and Communications Workshops, 2004. Proceedings of the Second.

[15]  Zhan Yiju,et al.  A Minimalist Mutual Authentication Protocol for RFID System & BAN Logic Analysis , 2008, 2008 ISECS International Colloquium on Computing, Communication, Control, and Management.

[16]  R. Goodstein,et al.  An introduction to the theory of numbers , 1961 .

[17]  Juan E. Tapiador,et al.  Cryptanalysis of a novel authentication protocol conforming to EPC-C1G2 standard , 2009, Comput. Stand. Interfaces.

[18]  Damith C. Ranasinghe Lightweight cryptography for low cost RFID , 2008 .

[19]  Koutarou Suzuki,et al.  Cryptographic Approach to “Privacy-Friendly” Tags , 2003 .

[20]  Hung-Yu Chien,et al.  SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity , 2007, IEEE Transactions on Dependable and Secure Computing.

[21]  E. Wright,et al.  An Introduction to the Theory of Numbers , 1939 .

[22]  Ronald L. Rivest,et al.  Security and Privacy Aspects of Low-Cost Radio Frequency Identification Systems , 2003, SPC.

[23]  Manuel Blum,et al.  Secure Human Identification Protocols , 2001, ASIACRYPT.

[24]  Ari Juels,et al.  Authenticating Pervasive Devices with Human Protocols , 2005, CRYPTO.

[25]  Dong Hoon Lee,et al.  Efficient Authentication for Low-Cost RFID Systems , 2005, ICCSA.