Security of an RFID Protocol for Supply Chains

We report on the security claims of an RFID authentication protocol by Li and Ding, which was specifically designed for use in supply chains. We show how the protocol's vulnerabilities can be used to track products, relate incoming and outgoing products, and extort supply chain partners. Starting from a discussion of the relevant security requirements for RFID protocols in supply chains, we proceed to illustrate several shortcomings in the protocol with respect to mutual authentication, unlinkability, and desynchronization resistance. We investigate the use of the XOR operator in the protocol, suggest possible improvements, and point out flaws in the proofs of the security claims.
