2014 7th International Symposium on Telecommunications (IST'2014)

Attacks and Improvements on Two New-Found RFID Authentication Protocols

Behzad Abdolmaleki, ISSL Lab., Sharif University of Technology, Tehran, Iran, [email protected]
Karim Baghery, ISSL Lab., Sharif University of Technology, Tehran, Iran, [email protected]
Bahareh Akhbari, EE dept., K. N. Toosi University of Technology, Tehran, Iran, [email protected]
Mohammad Reza Aref, ISSL Lab., EE dept., Sharif University of Technology, Tehran, Iran, [email protected]
Abstract—In recent years, in order to provide secure communication between Radio Frequency Identification (RFID) users, different RFID authentication protocols have been proposed. In this paper, we investigate weaknesses of two new-found RFID authentication protocols proposed by Shi et al. and Liu et al. in 2014. The Ouafi-Phan privacy model is used for the privacy analysis. We show that these two protocols have some weaknesses and cannot provide the security and the privacy of RFID users. Furthermore, two improved protocols are proposed that eliminate the existing weaknesses of Shi et al.'s and Liu et al.'s protocols.

Index Terms—RFID authentication protocols, security and privacy, CRC, NTRU, public-key, Hash function.

I. INTRODUCTION

Nowadays, Radio Frequency Identification (RFID) technology is used in many applications such as retail and civil marketing, health care and the defense industry [1]. Furthermore, RFID technology is becoming an important part of Internet of Things (IoT) systems, the next generation of the internet. The IoT allows physical things and people to be connected anyplace and anytime via any service [2]. Generally, RFID systems consist of a tag, a reader and a back-end server. A tag can make a wireless connection with a back-end server via a reader. The secret values and some needed data of the tags are stored in the back-end server. The back-end server can also perform some logical processing: it receives data from the readers and, after some certification and authentication processes, provides access to the data [3]. Due to the nature of wireless communication, data transmitted between the tag and the reader can be eavesdropped. In order to provide the security of communications and the privacy of RFID users, the investigation of RFID authentication protocols has received more attention recently [3-9]. On the other hand, it has been shown that using public-key cryptography in RFID authentication protocols can improve the security of protocols significantly [10-11].

Recently, Shi et al. proposed a Number Theory Research Unit (NTRU) based RFID mutual authentication protocol [7]. NTRU is a lightweight public-key cryptosystem that can be used for data encryption and decryption [7]. They used encryption and decryption functions to increase the security and the privacy of their protocol. They claimed that their protocol is strong and is secure against different attacks. In this paper, we show that their protocol is not secure and has some weaknesses. Specifically, we show that their protocol suffers from back-end server/reader impersonation, traceability, backward traceability and forward traceability attacks. In [8], Liu et al. proposed a new hash-based RFID cryptographic protocol. They used hash function encryption, a binary search algorithm and a cyclic redundancy check code to increase the security of their protocol. Liu et al. claimed that the security and the privacy of their protocol are complete and that their protocol is resistant against different attacks. In this paper, we show that the security and privacy of Liu et al.'s protocol have some weaknesses, namely back-end server impersonation, tag impersonation, Denial-of-Service (DoS), traceability and backward traceability attacks. In order to investigate the privacy of these two protocols we use the privacy model of Ouafi and Phan presented in [12]. Then, in order to increase the performance of the investigated protocols, we propose improved versions of Shi et al.'s and Liu et al.'s protocols in which all the mentioned weaknesses are eliminated.

The rest of this paper is organized as follows: Section II describes the privacy model of Ouafi and Phan. Shi et al.'s protocol and its security and privacy analysis are provided in Section III. In Section IV, Liu et al.'s protocol and its weaknesses are given. Our improvements on Shi et al.'s protocol and Liu et al.'s protocol are presented in Section V. Also in Section V, the security and privacy of the proposed protocols are compared with those of the investigated protocols. Finally, the paper is concluded in Section VI.

II. OUAFI AND PHAN PRIVACY MODEL

In [12], Ouafi and Phan presented a privacy model to evaluate RFID protocols. In this section, we briefly describe the Ouafi and Phan privacy model, since we use this model to analyze the privacy of Shi et al.'s and Liu et al.'s protocols. In the Ouafi and Phan privacy model, the attacker $\mathcal{A}$ can eavesdrop all channels between tags and readers and also it can
This work was partially supported by Iran NSF (INSF) under grant number 92.32575.
978-1-4799-5359-2/14/$31.00 ©2014 IEEE 895
Fig. 1. The Shi et al.’s protocol [7].
attack them actively or passively. In addition, the attacker $\mathcal{A}$ is allowed to run the following queries:

Execute query $(R, T, i)$: Passive attacks take place in this query. In other words, the attacker can eavesdrop all messages transmitted between the tag $T$ and the reader $R$ in the $i$-th session. As a result, the attacker obtains all data exchanged between the tag $T$ and the reader $R$.

Send query $(U, V, m, i)$: This query models active attacks on RFID systems. In this query, the attacker $\mathcal{A}$ is allowed to impersonate a reader $U$ in the $i$-th session and forward a message $m$ to a tag $V$. In addition, the attacker $\mathcal{A}$ is allowed to alter or block the message $m$ exchanged between the tag and the reader. Note that $U$ and $V$ are members of the sets of readers and tags, respectively.

Corrupt query $(T, K')$: In this query, the attacker $\mathcal{A}$ is allowed to access the secret keys of the tag. In fact, the attacker $\mathcal{A}$ has physical access to the tag's stored data. In addition, the attacker $\mathcal{A}$ can set the secret key to $K'$.

Test query $(T_0, T_1, i)$: When this query is executed in a particular session $i$, after the $i$-th session completes, a random bit $b \in \{0,1\}$ is generated by the challenger and $T_b \in \{T_0, T_1\}$ is delivered to the attacker. The attacker succeeds if he/she guesses the bit $b$ correctly.

Untraceability privacy (UPriv): Untraceability privacy is defined by a game $G$ played between an attacker $\mathcal{A}$ and a set of tag and reader instances. In other words, the attacker $\mathcal{A}$ plays the game $G$ using collected instances of the reader and the tag. The game $G$ is played using the above queries as follows [12].

Learning phase: The attacker $\mathcal{A}$ is allowed to send any of the Execute, Send and Corrupt queries and to interact with the reader $R$ and with randomly chosen tags $T_0$, $T_1$.

Challenge phase: The attacker $\mathcal{A}$ selects two tags $T_0$, $T_1$ and forwards a Test query $(T_0, T_1, i)$ to the challenger. After that, the challenger selects $b \in \{0,1\}$ randomly and the attacker $\mathcal{A}$ examines the tag $T_b \in \{T_0, T_1\}$ using Execute and Send queries.

Guess phase: Eventually, the attacker $\mathcal{A}$ finishes the game $G$ and outputs a bit $b' \in \{0,1\}$ as a guess of $b$. The success of the attacker $\mathcal{A}$ in the game $G$, and consequently the breaking of the notion of UPriv, is quantified via $\mathcal{A}$'s advantage in recognizing whether it received $T_0$ or $T_1$, denoted by $\mathrm{Adv}^{UPriv}_{\mathcal{A}}(k)$, where $k$ is the security parameter:

$$\mathrm{Adv}^{UPriv}_{\mathcal{A}}(k) = \left|\Pr(b' = b) - \Pr(\text{random coin flip})\right| = \left|\Pr(b' = b) - \tfrac{1}{2}\right|,$$

where $0 \le \mathrm{Adv}^{UPriv}_{\mathcal{A}}(k) \le \tfrac{1}{2}$. Note that if $\mathrm{Adv}^{UPriv}_{\mathcal{A}}(k) \ll \varepsilon(k)$, the protocol is traceable only with negligible probability. Now, using the privacy model of Ouafi and Phan, the privacy of Shi et al.'s and Liu et al.'s protocols is investigated.

III. WEAKNESSES OF SHI ET AL.'S PROTOCOL

In this section, we investigate the security and the privacy of Shi et al.'s protocol and point out that their protocol is not secure against reader impersonation, traceability, backward traceability and forward traceability attacks. To this aim, we first introduce Shi et al.'s protocol proposed in [7].

A. Shi et al.'s Protocol

In [7], Shi et al. proposed an RFID mutual authentication protocol based on a lightweight public-key cryptosystem. This protocol consists of three stages that are shown in Fig. 1. Table I shows the notations used in this paper.

TABLE I. THE NOTATIONS

Not.       Description
ID         The unique identification of a tag
S_i        The secret value (Liu et al.'s protocol)
k_pu       The public key of NTRU
k_pr       The private key of NTRU
E( )       The encryption function of NTRU
D( )       The decryption function of NTRU
R_r        A pseudorandom number generated by a reader
R_t        A pseudorandom number generated by a tag
PRNG( )    A pseudorandom number generator
H(.)       Hash function
A ⊕ B      Message A is XORed with message B
B. Reader/Back-end Server Impersonation

In this subsection, we show that Shi et al.'s protocol is vulnerable to a reader/back-end server impersonation attack, in which the attacker tries to forge a legitimate reader/back-end server. The attack is performed in two phases as follows.

Learning phase: In this phase, the attacker acts as an eavesdropper. After one successful run, he/she saves the data exchanged between the target tag and the reader/back-end server, including $R_r$, $m_0 = E_{k_{pu}}(ID \oplus R_r \oplus R_t)$, $m_1 = (m_0, R_t, R_r)$ and $m_3 = E_{k_{pu}}(ID \oplus R_r \oplus R_t) \oplus H(ID) \oplus R_r$. Then he/she computes $\theta = m_0 \oplus m_3 \oplus R_r$.

Attack phase: The attacker acts as a forged reader/back-end server and performs the following steps:
1) The forged reader starts a new session with the target tag by sending a random number $R'_r$.
2) The tag computes $m'_0 = E_{k_{pu}}(ID \oplus R'_r \oplus R'_t)$ and sends $m'_1 = (m'_0, R'_t, R'_r)$ to the forged reader/back-end server.
3) The forged reader uses the received $m'_1$ to compute $m'_3 = m'_0 \oplus \theta \oplus R'_r$ and sends it to the target tag.
4) In order to authenticate the reader, the target tag computes $m'_4 = m'_3 \oplus H(ID) \oplus R'_r$ and, if $m'_4 = m'_0$, accepts the reader as verified.

As a result, the target tag authenticates the forged reader as a legitimate reader.

Proof: According to the structure of Shi et al.'s protocol, the following equations can be written:

$$\begin{aligned}
m'_4 &= m'_3 \oplus H(ID) \oplus R'_r \\
&= m'_0 \oplus \theta \oplus R'_r \oplus H(ID) \oplus R'_r \\
&= m'_0 \oplus m_0 \oplus m_3 \oplus R_r \oplus R'_r \oplus H(ID) \oplus R'_r \\
&= m'_0 \oplus m_0 \oplus E_{k_{pu}}(ID \oplus R_r \oplus R_t) \oplus H(ID) \oplus R_r \oplus R_r \oplus H(ID) \\
&= m'_0 \oplus E_{k_{pu}}(ID \oplus R_r \oplus R_t) \oplus E_{k_{pu}}(ID \oplus R_r \oplus R_t) \oplus H(ID) \oplus R_r \oplus R_r \oplus H(ID) \\
&= m'_0 \oplus H(ID) \oplus H(ID) = m'_0 .
\end{aligned}$$

C. Traceability Attack

In this subsection, we show that although the NTRU encryption function $E_{k_{pu}}(\cdot)$ is used in Shi et al.'s protocol, the attacker can track the target tag. According to Shi et al.'s protocol, the tag's identification number $ID$ is fixed in all rounds. Using this fact, an attacker can trace the target tag as follows.

Learning phase: In round $i$, the attacker $\mathcal{A}$ sends an Execute query $(R, T_0, i)$ and obtains the data exchanged between the tag and the reader, including $m^{T_0}_{0,i}$, $R^{T_0}_{r,i}$ and $m^{T_0}_{3,i}$. Then he/she computes $\alpha = m^{T_0}_{0,i} \oplus R_{r,i} \oplus m^{T_0}_{3,i}$.

Challenge phase: The attacker $\mathcal{A}$ selects two fresh tags $T_0$ and $T_1$ for the test and sends a Test query $(T_0, T_1, i+1)$. According to the randomly chosen bit $b \in \{0,1\}$, the attacker is given a tag $T_b \in \{T_0, T_1\}$. After that, the attacker $\mathcal{A}$ sends an Execute query $(R, T_b, i+1)$ and obtains $m^{T_b}_{0,i+1}$, $R_{r,i+1}$ and $m^{T_b}_{3,i+1}$.

Guess phase: Eventually, the attacker $\mathcal{A}$ stops the game $G$ and outputs a bit $b' \in \{0,1\}$ as a guess of the bit $b$ as follows:

$$b' = \begin{cases} 0 & \text{if } m^{T_b}_{0,i+1} \oplus R_{r,i+1} \oplus m^{T_b}_{3,i+1} = \alpha \\ 1 & \text{otherwise} \end{cases}$$

As a result, it can be written:

$$\mathrm{Adv}^{UPriv}_{\mathcal{A}}(k) = \left|\Pr(b' = b) - \Pr(\text{random coin flip})\right| = \left|\Pr(b' = b) - \tfrac{1}{2}\right| = \left|1 - \tfrac{1}{2}\right| = \tfrac{1}{2} \gg \varepsilon$$

Proof: Since the tag's identification number $ID$ is fixed in all rounds, the following equations can be written. If $T_b = T_0$:

$$m^{T_b}_{0,i+1} \oplus R_{r,i+1} \oplus m^{T_b}_{3,i+1} = E_{k_{pu}}(ID \oplus R_{r,i+1} \oplus R_{t,i+1}) \oplus R_{r,i+1} \oplus E_{k_{pu}}(ID \oplus R_{r,i+1} \oplus R_{t,i+1}) \oplus H(ID) \oplus R_{r,i+1} = H(ID) = \alpha$$

D. Backward and Forward Traceability Attacks

According to Shi et al.'s protocol, the tag's identification number $ID$ is fixed in all rounds. Using this fact, an attacker can perform a backward traceability attack as follows.

Learning phase: In round $i$, the attacker $\mathcal{A}$ sends a Corrupt query $(T_0, K')$, obtains $ID^{T_0}_i$ and computes $\psi = H(ID^{T_0}_i)$.

Challenge phase: The attacker $\mathcal{A}$ selects two fresh tags $T_0$ and $T_1$ for the test and sends a Test query $(T_0, T_1, i+1)$. According to the randomly chosen bit $b \in \{0,1\}$, the attacker is given a tag $T_b \in \{T_0, T_1\}$. After that, the attacker $\mathcal{A}$ sends an Execute query $(R, T_b, i-1)$, obtains $m^{T_b}_{0,i-1}$, $R_{r,i-1}$ and $m^{T_b}_{3,i-1}$, and computes $\zeta = m^{T_b}_{0,i-1} \oplus R_{r,i-1} \oplus m^{T_b}_{3,i-1}$.

Guess phase: Eventually, the attacker $\mathcal{A}$ stops the game $G$ and outputs a bit $b' \in \{0,1\}$ as a guess of the bit $b$ as follows:

$$b' = \begin{cases} 0 & \text{if } \zeta = \psi \\ 1 & \text{otherwise} \end{cases}$$

As a result, it can be written:

$$\mathrm{Adv}^{UPriv}_{\mathcal{A}}(k) = \left|\Pr(b' = b) - \Pr(\text{random coin flip})\right| = \left|\Pr(b' = b) - \tfrac{1}{2}\right| = \left|1 - \tfrac{1}{2}\right| = \tfrac{1}{2} \gg \varepsilon$$

Proof: Since $ID$ is fixed in all rounds (i.e., $ID^{T_0}_i = ID^{T_0}_{i-1}$), the following equations can be written. If $T_b = T_0$:

$$\begin{aligned}
\zeta &= m^{T_b}_{0,i-1} \oplus R_{r,i-1} \oplus m^{T_b}_{3,i-1} \\
&= E_{k_{pu}}(ID^{T_b}_{i-1} \oplus R_{r,i-1} \oplus R_{t,i-1}) \oplus R_{r,i-1} \oplus E_{k_{pu}}(ID^{T_b}_{i-1} \oplus R_{r,i-1} \oplus R_{t,i-1}) \oplus H(ID^{T_b}_{i-1}) \oplus R_{r,i-1} \\
&= H(ID^{T_b}_{i-1}) = H(ID^{T_0}_i) = \psi
\end{aligned}$$
Fig. 2. The Liu et al.’s protocol [8].
Note that because the tag's identification number $ID$ is fixed in all rounds, the attacker can perform a forward traceability attack on Shi et al.'s protocol with steps similar to those of the backward traceability attack. Because of space constraints, we do not report the forward traceability attack here.

IV. WEAKNESSES OF LIU ET AL.'S PROTOCOL

In this section we show that the security and the privacy of Liu et al.'s protocol have some problems: it suffers from back-end server impersonation, tag impersonation, DoS, traceability and forward traceability attacks. To this aim, the structure of their protocol is given first.

A. Liu et al.'s Protocol

Recently, Liu et al. proposed a hash-based authentication protocol for RFID systems [8]. Liu et al.'s protocol consists of nine steps that are shown in Fig. 2. The notations used in their protocol are given in Table I.

B. Back-End Server Impersonation

In this subsection, it is shown that an attacker can impersonate a legitimate back-end server in Liu et al.'s protocol. This attack is performed as follows:
1) The attacker starts a session with a tag and sends the information query and $R = 0$ to the target tag.
2) The target tag responds with $MetaID = H(S_1)$ to the attacker.
3) Using the received $MetaID$, the attacker computes $MetaID' = H(MetaID)$ and sends it to the target tag.
4) In order to authenticate the back-end server, the target tag computes $S'_1 = H(S_1)$ and checks whether $H(S'_1) = MetaID'$.
5) Since $MetaID' = H(H(S_1))$, the target tag authenticates the attacker as a legitimate back-end server.

C. Tag Impersonation

In this attack, the attacker tries to impersonate a legitimate tag in order to receive responses from the reader. It is shown that an attacker can perform this attack on Liu et al.'s protocol in two phases as follows.

Learning phase: First, the attacker sends the information query and $R = 0$ to the target tag and receives $MetaID = H(S_1)$. Then the attacker sets a new variable $S_{att} = MetaID = H(S_1)$.

Attack phase: The attacker waits until a successful run between the target tag and the back-end server happens. After one successful run of the protocol, the target tag and the back-end server update their secret value to $S'_1 = H(S_1)$. Now, the attacker performs the following steps:
Step 1) The attacker starts a new session with the reader. When the reader sends a new random number $R'$, the attacker responds to the reader with $MetaID'_{att} = H(S_{att} \oplus R')$.
Step 2) The reader sends $MetaID'_{att}$ to the back-end server.
Step 3) Since $S'_1 = H(S_1)$ and $S_{att} = MetaID = H(S_1)$, the back-end server authenticates the attacker as a legitimate tag.

D. DoS Attack

One of the main problems of Liu et al.'s protocol is the updating procedure in the tag and the back-end server. In this subsection we show that an attacker can perform a DoS attack on Liu et al.'s protocol with three different strategies.

1) DoS Attack A: In order to perform this attack, after the first seven steps of Liu et al.'s protocol have run, when the reader wants to send its message to the tag, the attacker intercepts the message transmitted to the tag and stops the protocol. As a result, the back-end server updates its secret value to $S'_1 = H(S_1)$ but the tag does not update its secret value. Hence, in the next session of the protocol, the back-end server cannot authenticate the tag.

2) DoS Attack B: After the back-end server/reader impersonation attack presented in Section IV.B, the tag updates its secret value to $S'_1 = H(S_1)$ but the back-end server does not update its secret value. As a result, the back-end server and the tag become desynchronized, and in the next session the back-end server and the tag cannot recognize each other.

3) DoS Attack C:
After the tag impersonation attack presented in Section IV.C, the back-end server updates its secret value to $S'_1 = H(S_1)$, but the tag does not update its secret value. Consequently the tag and the back-end server are desynchronized in the next sessions.

E. Traceability Attack

In Liu et al.'s protocol, the authors claimed that the attacker cannot trace the tag's location. However, we show that an attacker can perform a traceability attack and trace the target tag. This attack is carried out in the Ouafi and Phan privacy model as follows.

Learning phase: In round $i$, the attacker $\mathcal{A}$ sends an Execute query $(R, T_0, i)$ to the tag by sending the information query with $R = 0$, and obtains $MetaID^{T_0}_i$, which is equal to $H(S^{T_0}_{1,i})$.

Challenge phase: The attacker $\mathcal{A}$ selects two fresh tags $T_0$ and $T_1$ for the test and sends a Test query $(T_0, T_1, i+1)$. According to the randomly chosen bit $b \in \{0,1\}$, the attacker is given a tag $T_b \in \{T_0, T_1\}$. After that, the attacker $\mathcal{A}$ sends an Execute query $(R, T_b, i+1)$ by sending $R = 0$, and obtains $MetaID^{T_b}_{i+1}$.

Guess phase: Eventually, the attacker $\mathcal{A}$ stops the game $G$ and outputs a bit $b' \in \{0,1\}$ as a guess of the bit $b$ as follows:

$$b' = \begin{cases} 0 & \text{if } MetaID^{T_b}_{i+1} = MetaID^{T_0}_i \\ 1 & \text{otherwise} \end{cases}$$

As a result, it can be written:

$$\mathrm{Adv}^{UPriv}_{\mathcal{A}}(k) = \left|\Pr(b' = b) - \Pr(\text{random coin flip})\right| = \left|\Pr(b' = b) - \tfrac{1}{2}\right| = \left|1 - \tfrac{1}{2}\right| = \tfrac{1}{2} \gg \varepsilon$$

Proof: After an unsuccessful challenge between the attacker and the tag, the tag does not update $S_1$. As a result, the tag uses the same value in both the Learning and the Challenge phases.

F. Forward Traceability Attack

In this subsection, it is shown that Liu et al.'s protocol is not secure against forward traceability either, and an attacker can track a target tag as follows.

Learning phase: In the $i$-th round, the attacker $\mathcal{A}$ sends a Corrupt query $(T_0, K')$ and obtains $S^{T_0}_{1,i}$ from the tag $T_0$. Now the attacker can compute $S^{T_0}_{1,i+2}$ of session $i+2$ by applying the hash function twice to $S^{T_0}_{1,i}$.

Challenge phase: The attacker $\mathcal{A}$ selects two fresh tags $T_0$ and $T_1$ for the test and sends a Test query $(T_0, T_1, i)$. According to the randomly chosen bit $b \in \{0,1\}$, the attacker is given a tag $T_b \in \{T_0, T_1\}$. After that, in round $i+2$, the attacker $\mathcal{A}$ sends an Execute query $(R, T_b, i+2)$ by sending $R$ and obtains $MetaID^{T_b}_{i+2}$.

Guess phase: The attacker $\mathcal{A}$ stops the game $G$ and outputs a bit $b' \in \{0,1\}$ as a guess of the bit $b$. In order to guess $b'$, the attacker $\mathcal{A}$ computes $MetaID_{att} = H\big(H(H(S^{T_0}_{1,i})) \oplus R\big)$ and then outputs $b'$ as follows:

$$b' = \begin{cases} 0 & \text{if } MetaID^{T_b}_{i+2} = MetaID_{att} \\ 1 & \text{otherwise} \end{cases}$$

As a result, it can be written:

$$\mathrm{Adv}^{UPriv}_{\mathcal{A}}(k) = \left|\Pr(b' = b) - \Pr(\text{random coin flip})\right| = \left|\Pr(b' = b) - \tfrac{1}{2}\right| = \left|1 - \tfrac{1}{2}\right| = \tfrac{1}{2} \gg \varepsilon$$

Proof: According to the updating procedure of Liu et al.'s protocol, the following equations can be written. If $T_b = T_0$:

$$MetaID^{T_b}_{i+2} = H(S^{T_b}_{1,i+2} \oplus R) = H(S^{T_0}_{1,i+2} \oplus R) = H\big(H(H(S^{T_0}_{1,i})) \oplus R\big) = MetaID_{att}$$

V. IMPROVED PROTOCOLS

In order to increase the performance of the investigated protocols, some improvements on Shi et al.'s and Liu et al.'s protocols are presented.

A. Improvements on Shi et al.'s Protocol

In Shi et al.'s protocol there are two major problems in the computation of $m_1$ and $m_3$ that cause the security and privacy problems of their protocol. In order to increase the security and the privacy of Shi et al.'s protocol we apply the following changes:

$$\begin{aligned}
n_0 &= E_{k_{pu}}(H(ID) \oplus R_t) \\
m_1^{new} &= (m_0, n_0, R_r) \\
m_3^{new} &= E_{k_{pu}}(ID \oplus R_r \oplus R_t) \oplus H(ID) \oplus R_t
\end{aligned}$$

where $n_0$ is a new variable that is generated from the values available in the tag. Furthermore, some changes are applied to the authentication procedure of the back-end server, as shown in Fig. 3.

Fig. 3 (message flow, reconstructed from the figure text):
Database/Reader holds $(ID, H(ID), K_{pr})$; Tag holds $(ID, H(ID), K_{pu})$.
(1) Reader → Tag: $Query \parallel (R_r)$.
Tag: generate $R_t$ randomly; $m_0 = E_{k_{pu}}(ID \oplus R_r \oplus R_t)$; $n_0 = E_{k_{pu}}(H(ID) \oplus R_t)$; $m_1^{new} = (m_0, n_0, R_r)$.
(2) Tag → Reader: $m_1^{new}$.
Database/Reader: $R_t = D_{k_{pr}}(E_{k_{pu}}(H(ID) \oplus R_t)) \oplus H(ID)$; $ID' = D_{k_{pr}}(E_{k_{pu}}(ID \oplus R_r \oplus R_t)) \oplus R_r \oplus R_t$; search the database and if $ID' = ID$ the tag is legitimate; $m_3^{new} = E_{k_{pu}}(ID \oplus R_r \oplus R_t) \oplus H(ID) \oplus R_t$.
(3) Reader → Tag: $m_3^{new}$.
Tag: $m_4 = m_3^{new} \oplus H(ID) \oplus R_t$; if $m_4 = m_0$ the reader is legitimate.
Fig. 3. Improved version of Shi et al.’s protocol.
Fig. 4 (message flow, reconstructed from the figure text):
Database holds $(MetaID_i, ID_i, S_{old}, S_{new})$; Tag holds $(MetaID_1, ID_1, S_1)$.
(1) Database → Reader: $R$; Reader → Tag: $Query, R$.
Tag: generate $R_t$ randomly; $MetaID = H(S_1 \oplus R)$; $M = R_t \oplus S_1$.
(2) Tag → Reader → Database: $MetaID, M$.
Database: CRC_8 verify of $MetaID$; binary search for $S_X$, $X \in \{old, new\}$, and $ID_i$ such that $H(S_1 \oplus R) = H(S_X \oplus R)$; $R_t = M \oplus S_X$; after successful authentication update $S'_{new} = H(S_X \oplus H(R_t))$, $S'_{old} = S_X$, and compute $MetaID' = H(S'_{new} \oplus R)$.
(3) Database → Reader → Tag: $MetaID'$.
Tag: $S'_1 = H(S_1 \oplus H(R_t))$; verify $MetaID' \stackrel{?}{=} H(S'_1 \oplus R)$.
Fig. 4. Improved version of Liu et al.’s protocol.
B. Improvements on Liu et al.'s Protocol

In the previous section, it was shown that the security and the privacy of Liu et al.'s protocol have some problems. In this subsection an improved version of Liu et al.'s protocol is proposed that eliminates all the attacks mentioned in Section IV. In order to prevent the DoS attack, both the new and the old secret values are stored in the back-end server. In order to resolve the privacy concern of Liu et al.'s protocol, we change the updating procedure of their protocol. Furthermore, the impersonation attacks (tag and reader) on Liu et al.'s protocol are eliminated by using a new message, denoted $M$ in the improved protocol. Fig. 4 shows the improved version of Liu et al.'s protocol. In Table II, the security and the privacy of the proposed protocols are compared with those of the analyzed RFID authentication protocols. As can be seen, the proposed protocols are more resistant against the different attacks.

TABLE II.
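The following is an added, runnable model of the improved Liu et al. protocol of Fig. 4 (example code written for this page, not the authors' implementation): SHA-256 stands in for H(.), the CRC_8 check and binary search are replaced by a linear scan over the database, and it is assumed that the tag adopts S1' only after MetaID' verifies. It shows the point of keeping S_old and S_new: a run whose final message is blocked (DoS Attack A) leaves the tag one step behind, yet the next run still authenticates; a replayed (MetaID, M) pair under a fresh R is rejected.

```python
# Added example (not the paper's code): a model of the improved Liu et al. protocol
# of Fig. 4. SHA-256 stands in for H(.); the CRC_8 check and binary search are
# replaced by a linear scan (simplification). Assumption: the tag stores S1' only
# after verifying MetaID'; the database keeps S_old and S_new so that a run cut
# off before MetaID' reaches the tag does not desynchronise the two sides.
import hashlib
import os

def H(data: bytes) -> bytes:
    """H(.) of Table I, instantiated with SHA-256."""
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    """A ⊕ B of Table I on equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))

class Tag:
    """Tag side of Fig. 4: holds (ID, S1) and the per-session random R_t."""
    def __init__(self, tag_id: bytes, s1: bytes):
        self.tag_id, self.s1, self.rt = tag_id, s1, None

    def respond(self, r: bytes):
        """Answer (Query, R) with MetaID = H(S1 ⊕ R) and M = R_t ⊕ S1."""
        self.rt = os.urandom(32)
        return H(xor(self.s1, r)), xor(self.rt, self.s1)

    def verify(self, metaid_prime: bytes, r: bytes) -> bool:
        """Check MetaID' == H(S1' ⊕ R), S1' = H(S1 ⊕ H(R_t)); adopt S1' on success."""
        if self.rt is None:
            return False
        s1_new = H(xor(self.s1, H(self.rt)))
        if metaid_prime != H(xor(s1_new, r)):
            return False
        self.s1, self.rt = s1_new, None
        return True

class Database:
    """Back-end side of Fig. 4: (S_old, S_new) per registered tag ID."""
    def __init__(self):
        self.records = {}

    def register(self, tag_id: bytes, s1: bytes):
        self.records[tag_id] = {"old": s1, "new": s1}

    def authenticate(self, r: bytes, metaid: bytes, m: bytes):
        """Find S_X in {S_old, S_new} with H(S_X ⊕ R) == MetaID, recover R_t = M ⊕ S_X,
        set (S_new', S_old') = (H(S_X ⊕ H(R_t)), S_X) and return (ID, MetaID')."""
        for tag_id, rec in self.records.items():
            for sx in (rec["old"], rec["new"]):
                if H(xor(sx, r)) == metaid:
                    rt = xor(m, sx)
                    rec["new"], rec["old"] = H(xor(sx, H(rt))), sx
                    return tag_id, H(xor(rec["new"], r))
        return None  # no record matches: reject

def run_session(db: Database, tag: Tag, deliver_last: bool = True) -> bool:
    """One run over the air; deliver_last=False models MetaID' being blocked."""
    r = os.urandom(32)                 # reader's challenge R
    metaid, m = tag.respond(r)
    result = db.authenticate(r, metaid, m)
    if result is None or not deliver_last:
        return False
    return tag.verify(result[1], r)

def replay_rejected(db: Database, tag: Tag) -> bool:
    """A captured (MetaID, M) pair replayed under a fresh R is not accepted."""
    r = os.urandom(32)
    metaid, m = tag.respond(r)
    db.authenticate(r, metaid, m)
    return db.authenticate(os.urandom(32), metaid, m) is None

def demo():
    """Constructed scenario: normal run, blocked MetaID', recovery, replay."""
    s1 = os.urandom(32)
    tag, db = Tag(b"tag-0001", s1), Database()
    db.register(b"tag-0001", s1)
    first = run_session(db, tag)                            # completes
    interrupted = run_session(db, tag, deliver_last=False)  # DB moved on, tag did not
    recovered = run_session(db, tag)                        # DB matches via S_old
    return first, interrupted, recovered, replay_rejected(db, tag)
```

Calling `demo()` returns `(True, False, True, True)`: the interrupted run fails on the tag side, but the following run succeeds because the database still holds S_old.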
ANALYSIS OF THE PROPOSED PROTOCOLS

[Table II: rows Shi et al. [7], Liu et al. [8], Improved Shi et al., Improved Liu et al.; columns Reader Impersonation, Tag Impersonation, DoS Attack, Traceability Attack, Backward Traceability, Forward Traceability; legend ✓: Secure, ×: Insecure. The per-cell marks did not survive extraction; the attacks found against each original protocol are those listed in Sections III and IV.]

REFERENCES

[1] "HF Application," Ankaref. [Online]. Available: http://ankaref.com/en/content/hf-applications/252. [Accessed 15 May 2014].
[2] S. Maharjan, "RFID and IOT: An overview," Simula Research Laboratory, University of Oslo, 2010.
[3] B. Song and C. J. Mitchell, "Scalable RFID security protocols supporting tag ownership transfer," Comp. Comm., vol. 34, pp. 556-566, 2011.
[4] Z. Sohrabi-Bonab, M. Alagheband, and M. R. Aref, "Traceability analysis of quadratic residue-based RFID authentication protocols," in 11th Annual Int. Conf. on Privacy, Security and Trust (PST), Tarragona, 2013.
[5] A. Mohammadali, Z. Ahmadian, and M. R. Aref, "Analysis and improvement of the securing RFID systems conforming to EPC Class 1 Generation 2 standard," IACR Cryptology ePrint Archive, vol. 66, pp. 1-9, 2013.
[6] M. R. Alagheband and M. R. Aref, "Unified privacy analysis of new-found RFID authentication protocols," Security and Comm. Networks, vol. 6, no. 8, pp. 999-1009, 2013.
[7] Z. Shi, Y. Xia, and Ch. Yu, "A strong RFID mutual authentication protocol based on a lightweight public-key cryptosystem," TELKOMNIKA Indonesian Journal of Electrical Engineering, vol. 12, no. 3, pp. 2320-2326, 2014.
[8] N. Liu, Y. Yin, X. Wu, and L. Ye, "RFID cryptographic protocol based on cyclic redundancy check for high efficiency," Journal of Sensors & Transducers, vol. 168, no. 4, pp. 197-202, 2014.
[9] M. H. Habibi, M. Gardeshi, and M. R. Alagheband, "Attacks and improvements to a new RFID authentication protocol," in Proceedings of the 3rd Workshop on RFID Security: RFIDsec Asia, 2011.
[10] R. I. Paise and S. Vaudenay, "Mutual authentication in RFID: security and privacy," in Proceedings of the 2008 ACM Symposium on Information, Comp. and Comm. Security, 2008.
[11] S. V. Kaya, E. Savaş, A. Levi, and Ö. Erçetin, "Public key cryptography based privacy preserving multi-context RFID infrastructure," Ad Hoc Networks, vol. 7, no. 1, pp. 136-152, 2009.
[12] K. Ouafi and R. C.-W. Phan, "Privacy of recent RFID authentication protocols," in 4th Int. Conf. on Information Security Practice and Experience (ISPEC), Springer, 2008.
VI. CONCLUSION

In this study, the security and the privacy of two recently proposed RFID mutual authentication protocols, by Shi et al. and Liu et al., have been studied. Their authors claimed that the protocols are safe against different attacks and provide user privacy. However, in this paper we have shown that Shi et al.'s protocol suffers from back-end server/reader impersonation, traceability, backward traceability and forward traceability attacks, and that Liu et al.'s protocol is not secure against back-end server impersonation, tag impersonation, DoS, traceability and forward traceability attacks. Then, in order to improve the performance of the analyzed protocols, a more effective version of each one has been proposed that eliminates the mentioned attacks.