Addressing Flaws in RFID Authentication Protocols

The development of RFID systems in sensitive applications like e-passport, e-health, credit cards, and personal devices, makes it necessary to consider the related security and privacy issues in great detail. Among other security characteristic of an RFID authentication protocol, untraceability and synchronization are the most important attributes. The former is strongly related to the privacy of tags and their holders, while the latter has a significant role in the security and availability parameters. In this paper, we investigate three RFID authentication protocols proposed by Duc and Kim, Song and Mitchell, and Cho, Yeo and Kim in terms of privacy and security. We analyze the protocol proposed by Duc and Kim and present desynchronization and traceability attacks. By initiating traceability, backward traceability and desynchronization attacks, we show that the protocol proposed by Song and Mitchell lacks location privacy and availability. In addition, we study the weaknesses in Cho et al.'s protocol and address its defects by applying desynchronization, traceability and backward traceability attacks. We also propose revisions to secure the Cho et al.'s protocol against the cited attacks.

[1]  Stefanos Gritzalis,et al.  Security analysis of the song-mitchell authentication protocol for low-cost RFID tags , 2009, IEEE Communications Letters.

[2]  Sjouke Mauw,et al.  Untraceability of RFID Protocols , 2008, WISTP.

[3]  Gene Tsudik,et al.  Universally Composable RFID Identification and Authentication Protocols , 2009, TSEC.

[4]  Ari Juels,et al.  Defining Strong Privacy for RFID , 2007, PerCom Workshops.

[5]  Yi Mu,et al.  New Privacy Results on Synchronized RFID Authentication Protocols against Tag Tracing , 2009, ESORICS.

[6]  Ari Juels,et al.  Strengthening EPC tags against cloning , 2005, WiSe '05.

[7]  Chris J. Mitchell,et al.  RFID authentication protocol for low-cost tags , 2008, WiSec '08.

[8]  Jiang Wu,et al.  Privacy Analysis of Forward and Backward Untraceable RFID Authentication Schemes , 2011, Wirel. Pers. Commun..

[9]  JaeCheol Ha,et al.  A New Formal Proof Model for RFID Location Privacy , 2008, ESORICS.

[10]  日本規格協会 情報技術 : 情報セキュリティ管理実施基準 : 国際規格 : ISO/IEC 17799 = Information technology : code of practice for infromation security management : international standard : ISO/IEC 17799 , 2000 .

[11]  Martín Abadi,et al.  Code-Carrying Authorization , 2008, ESORICS.

[12]  Philippe Oechslin,et al.  Reducing Time Complexity in RFID Systems , 2005, Selected Areas in Cryptography.

[13]  Gildas Avoine Cryptography in radio frequency identification and fair exchange protocols , 2005 .

[14]  Tassos Dimitriou,et al.  A Lightweight RFID Protocol to protect against Traceability and Cloning attacks , 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[15]  Aggelos Kiayias,et al.  Polynomial Reconstruction Based Cryptography , 2001, Selected Areas in Cryptography.

[16]  Sasa Radomirovic,et al.  Algebraic Attacks on RFID Protocols , 2009, WISTP.

[17]  Chris J. Mitchell,et al.  Scalable RFID security protocols supporting tag ownership transfer , 2011, Comput. Commun..

[18]  Robert H. Deng,et al.  RFID privacy: relation between two notions, minimal condition, and efficient construction , 2009, CCS.

[19]  Gene Tsudik,et al.  YA-TRAP: yet another trivial RFID authentication protocol , 2006, Fourth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOMW'06).

[20]  Gildas Avoine Adversarial Model for Radio Frequency Identification , 2005, IACR Cryptol. ePrint Arch..

[21]  Raphael C.-W. Phan,et al.  Traceable Privacy of Recent Provably-Secure RFID Protocols , 2008, ACNS.

[22]  Yunlei Zhao,et al.  A New Framework for RFID Privacy , 2010, ESORICS.

[23]  Serge Vaudenay,et al.  On Privacy Models for RFID , 2007, ASIACRYPT.

[24]  Juan E. Tapiador,et al.  Vulnerability analysis of RFID protocols for tag ownership transfer , 2010, Comput. Networks.

[25]  Peng Ning,et al.  Computer Security - ESORICS 2009, 14th European Symposium on Research in Computer Security, Saint-Malo, France, September 21-23, 2009. Proceedings , 2009, ESORICS.

[26]  Kil-Hyun Nam,et al.  Information Security and Cryptology - ICISC 2007, 10th International Conference, Seoul, Korea, November 29-30, 2007, Proceedings , 2007, ICISC.

[27]  Patel,et al.  Information Security: Theory and Practice , 2008 .

[28]  Ted Taekyoung Kwon,et al.  Strong and Robust RFID Authentication Enabling Perfect Ownership Transfer , 2006, ICICS.

[29]  Kaoru Kurosawa,et al.  Advances in Cryptology - ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2-6, 2007, Proceedings , 2007, International Conference on the Theory and Application of Cryptology and Information Security.

[30]  Sang-Soo Yeo,et al.  Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value , 2011, Comput. Commun..

[31]  Robert H. Deng,et al.  Security Analysis on a Family of Ultra-lightweight RFID Authentication Protocols , 2008, J. Softw..

[32]  Sasa Radomirovic,et al.  Attacks on RFID Protocols , 2008, IACR Cryptol. ePrint Arch..

[33]  Robert H. Deng,et al.  Vulnerability Analysis of EMAP-An Efficient RFID Mutual Authentication Protocol , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[34]  Jerry Banks,et al.  RFID Applied , 2007 .

[35]  Kwangjo Kim,et al.  Defending RFID authentication protocols against DoS attacks , 2011, Comput. Commun..

[36]  Juan E. Tapiador,et al.  Cryptanalysis of the David-Prasad RFID Ultralightweight Authentication Protocol , 2010, RFIDSec.

[37]  Jianying Zhou,et al.  Information and Communications Security , 2013, Lecture Notes in Computer Science.

[38]  Mike Burmester,et al.  Universally composable and forward-secure RFID authentication and authenticated key exchange , 2007, ASIACCS '07.

[39]  Philippe Oechslin,et al.  RFID Traceability: A Multilayer Problem , 2005, Financial Cryptography.

[40]  Aikaterini Mitrokotsa,et al.  Classifying RFID attacks and defenses , 2010, Inf. Syst. Frontiers.

[41]  Chris J. Mitchell,et al.  Scalable RFID Pseudonym Protocol , 2009, 2009 Third International Conference on Network and System Security.

[42]  Basel Alomair,et al.  Passive Attacks on a Class of Authentication Protocols for RFID , 2007, ICISC.

[43]  Bart Preneel,et al.  Computer Security - ESORICS 2010, 15th European Symposium on Research in Computer Security, Athens, Greece, September 20-22, 2010. Proceedings , 2010, ESORICS.

[44]  Matthew J. B. Robshaw,et al.  An Active Attack Against HB +-A Provably Secure Lightweight Authentication Protocol , 2022 .

[45]  Joseph Bonneau,et al.  What's in a Name? , 2020, Financial Cryptography.

[46]  Ors Yalcin,et al.  Radio Frequency Identification: Security and Privacy Issues - 6th International Workshop, RFIDSec 2010, Istanbul, Turkey, June 8-9, 2010, Revised Selected Papers , 2010, RFIDSec.

[47]  Raphael C.-W. Phan,et al.  Privacy of Recent RFID Authentication Protocols , 2008, ISPEC.