Providing Resistance against Server Information Leakage in RFID Systems

RFID (Radio Frequency IDentification) technology is widely used in daily life, for example in access control, electronic passports, contactless credit cards, transportation, and animal tracking. However, this technology can cause various security and privacy problems, e.g., traceability of the tag owner, malicious eavesdropping on tags, and cloning of tags. To thwart these problems, a wide variety of authentication protocols have been proposed in the literature. All of these protocols assume that the server is secure and does not leak any information about the system. In this paper, we propose a novel attack on RFID systems, namely the Server Information Leakage (SIL) attack. In this attack, an adversary illegally captures information from the server and sends this information to the reader in order to impersonate the tag. To the best of our knowledge, none of the existing protocols resists this new attack. We also propose an RFID authentication protocol that provides resistance against the SIL attack and other known attacks.
