Cryptanalysis of the Cho et al. Protocol: A Hash-Based RFID Tag Mutual Authentication Protocol

Journal of Computational and Applied Mathematics

Radio frequency identification (RFID) systems need secure protocols to provide confidentiality, privacy protection, mutual authentication, etc. These protocols should resist active and passive attacks such as forgery, traceability, replay and de-synchronization attacks. Cho et al. recently proposed a hash-based mutual authentication protocol (Cho et al., 2012) and claimed that their scheme addresses all privacy (Juels, 2006) and forgery concerns (Dimitriou, 2005; Yang et al., 2005) linked to RFID technology. However, we show in the following that the protocol fails to bear out many of the authors' security claims, which renders the protocol useless. More precisely, we present the following attacks on this protocol:

1. De-synchronization attack: the success probability of the attack is 1 while the attack complexity is one run of the protocol.
2. Tag impersonation attack: the success probability of the attack is 1/4 for two runs of the protocol.
3. Reader impersonation attack: the success probability of the attack is 1/8 for two runs of the protocol.

We also show an additional and more general attack, which is still possible when the conditions needed for the ones above do not hold, and which highlights the poor design of the group ID ($RID_i^t$). Additionally, we show how all the above-mentioned attacks are applicable against another protocol, highly reminiscent of that of Cho et al. (2012) and designed in Cho et al. (2011), and also against an enhanced version of the Cho et al. protocol proposed by Kim (2012). Finally, we conclude by showing how slight modifications to the original protocol can prevent the aforementioned security faults.

[1] Raphael C.-W. Phan, et al. Cryptanalysis of a New Ultralightweight RFID Authentication Protocol—SASI, 2009, IEEE Transactions on Dependable and Secure Computing.

[2] Masoumeh Safkhani, et al. Cryptanalysis of Cho et al.'s Protocol, A Hash-Based Mutual Authentication Protocol for RFID Systems, 2011, IACR Cryptol. ePrint Arch.

[3] Ari Juels, et al. RFID security and privacy: a research survey, 2006, IEEE Journal on Selected Areas in Communications.

[4] Yu-Yi Chen, et al. The design of RFID access control protocol using the strategy of indefinite-index and challenge-response, 2011, Comput. Commun.

[5] Kwangjo Kim, et al. Defending RFID authentication protocols against DoS attacks, 2011, Comput. Commun.

[6] Hung-Yu Chien, et al. SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity, 2007, IEEE Transactions on Dependable and Secure Computing.

[7] Tao Chen, et al. Intelligent fault prediction system based on internet of things, 2012, Comput. Math. Appl.

[8] Tai-hoon Kim, et al. Computer Applications for Security, Control and System Engineering, 2012, Communications in Computer and Information Science.

[9] Zhuzhong Qian, et al. ACSP: A Novel Security Protocol against Counting Attack for UHF RFID Systems, 2011, 2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing.

[10] Elisa Bertino, et al. Security Analysis of the SASI Protocol, 2009, IEEE Transactions on Dependable and Secure Computing.

[11] Juan E. Tapiador, et al. Cryptanalysis of the SASI Ultralightweight RFID Authentication Protocol with Modular Rotations, 2008, ArXiv.

[12] Jean Arlat, et al. IEEE Transactions on Dependable and Secure Computing, 2006.

[13] Samar K. Mukhopadhyay, et al. A review of RFID technology and its managerial applications in different industries, 2012.

[14] Young-Sik Jeong, et al. Consideration on the brute-force attack cost and retrieval cost: A hash-based radio-frequency identification (RFID) tag mutual authentication protocol, 2015, Comput. Math. Appl.

[15] Robert H. Deng, et al. Vulnerability Analysis of EMAP-An Efficient RFID Mutual Authentication Protocol, 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[16] Sang-Soo Yeo, et al. Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value, 2011, Comput. Commun.

[17] Peng Xu, et al. Practical Frameworks For h-Out-Of-n Oblivious Transfer With Security Against Covert and Malicious Adversaries, 2011, IACR Cryptol. ePrint Arch.

[18] Chien-Hung Wu, et al. Improvement of the RFID authentication scheme based on quadratic residues, 2011, Comput. Commun.

[19] Fu Chun-chang. Hash-based RFID mutual authentication protocol, 2012.

[20] Kwangjo Kim, et al. Mutual Authentication Protocol for Low-cost RFID, 2005, CRYPTO 2005.

[21] Wen-Tsai Sung, et al. Data fusion of multi-sensor for IOT precise measurement based on improved PSO algorithms, 2012, Comput. Math. Appl.

[22] Hyunsung Kim. Enhanced Hash-Based RFID Mutual Authentication Protocol, 2012.

[23] Yong Guan, et al. Lightweight Mutual Authentication and Ownership Transfer for RFID Systems, 2010, 2010 Proceedings IEEE INFOCOM.

[24] Bo Sheng, et al. Secure and Serverless RFID Authentication and Search Protocols, 2008, IEEE Transactions on Wireless Communications.

[25] Tassos Dimitriou, et al. A Lightweight RFID Protocol to protect against Traceability and Cloning attacks, 2005, First International Conference on Security and Privacy for Emerging Areas in Communications Networks (SECURECOMM'05).

[26] M. Bárász. Passive Attack Against the M2AP Mutual Authentication Protocol for RFID Tags, 2007.