Abstract
In recent years, RFID (radio-frequency identification) systems have been widely used in many applications. One of the most important applications of this technology is the Internet of Things (IoT). Researchers have therefore proposed several authentication protocols for RFID-based IoT systems and have claimed that their protocols satisfy all the security requirements of these systems. However, RFID-based IoT systems use mobile readers, which can be compromised by the adversary. In such an attack, the adversary compromises a legitimate reader and obtains its secrets. Protocol designers must therefore consider the security of their proposals even in the reader-compromised scenario. In this paper, we consider the security of the ultra-lightweight RFID mutual authentication (ULRMAPC) protocol recently proposed by Fan et al. They claimed that their protocol could be applied in IoT systems and provides strong security. However, we show that their protocol is vulnerable to denial-of-service, reader and tag impersonation, and de-synchronization attacks. As a solution, we present a new authentication protocol, which is more secure than the ULRMAPC protocol and can also be employed in RFID-based IoT systems.
References
Akgün M, Uekae T, Caglayan MU (2014) Vulnerabilities of RFID security protocol based on chaotic maps. In: 2014 IEEE 22nd International Conference on Network Protocols. IEEE, pp 648–653
Alamr AA, Kausar F, Kim J (2016) A secure ECC-based RFID mutual authentication protocol for internet of things. J Supercomput 1–14. doi:10.1007/s11227-016-1861-1
An R, Feng H, Liu Q, Li L (2016) Three elliptic curve cryptography-based RFID authentication protocols for internet of things. In: International Conference on Broadband and Wireless Computing, Communication and Applications. Springer, pp 857–878
Avoine G, Lauradoux C, Martin T (2009) When compromised readers meet RFID. In: Information Security Applications. Springer, pp 36–50
Benssalah M, Djeddou M, Drouiche K (2014) Security enhancement of the authenticated RFID security mechanism based on chaotic maps. Secur Commun Netw 7(12):2356–2372
Chen CL, Jan JK, Chien CF (2010) Based on mobile RFID device to design a secure mutual authentication scheme for market application. In: 2010 International Conference on Broadband, Wireless Computing, Communication and Applications (BWCCA). IEEE, pp 423–428
Chen Y, Chou JS (2015) ECC-based untraceable authentication for large-scale active-tag RFID systems. Electron Commer Res 15(1):97–120
Cheng ZY, Liu Y, Chang CC, Chang SC (2013) Authenticated RFID security mechanism based on chaotic maps. Secur Commun Netw 6(2):247–256
Chien HY (2007) Sasi: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Trans Dependable Secure Comput 4(4):337–340
Dolev D, Yao A (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208
Erguler I (2015) A potential weakness in RFID-based internet-of-things systems. Pervasive Mob Comput 20:115–126
EPCglobal Inc. (2008) Class 1 Generation 2 UHF Air Interface protocol standard version 1.09. Available online at http://www.epcglobalinc.org/standardstechnology/specifications.html
Fan K, Ge N, Gong Y, Li H, Su R, Yang Y (2017) An ultra-lightweight RFID authentication scheme for mobile commerce. Peer-to-Peer Netw 10(2):368–376
Fan K, Gong Y, Liang C, Li H, Yang Y (2015) Lightweight and ultralightweight RFID mutual authentication protocol with cache in the reader for IoT in 5G. Secur Commun Netw 9(16):3095–3104
Finkenzeller K (2010) Fundamentals and applications in contactless smart cards, radio frequency identification and near-field communication. In: RFID Handbook, 3rd edn. Wiley, Hoboken, NJ, USA. doi:10.1002/9780470665121
Grasso J (2004) The EPCglobal network: overview of design, benefits, and security. EPCglobal Inc. Position Paper 24
Grossklags J, Good N (2007) Empirical studies on software notices to inform policy makers and usability designers. In: International Conference on Financial Cryptography and Data Security. Springer, pp 341–355
He D, Zeadally S (2015) An analysis of RFID authentication schemes for internet of things in healthcare environment using elliptic curve cryptography. IEEE Internet Things J 2(1):72–83
Juels A (2006) RFID security and privacy: a research survey. IEEE J Sel Areas Commun 24(2):381–394
Khattab A, Jeddi Z, Amini E, Bayoumi M (2017) RBS RFID security and the internet of things. In: RFID Security. Springer, pp 147–162
Lee JY, Lin WC, Huang YH (2014) A lightweight authentication protocol for internet of things. In: 2014 International Symposium on Next-Generation Electronics (ISNE). IEEE, pp 1–2
Lei H, Yong G, Na-Na L, Zeng-Yu C (2007) A security-provable authentication and key agreement protocol in RFID system. In: 2007 International Conference on Wireless Communications, Networking and Mobile Computing
Li CT, Lee CC, Weng CY, Chen CM (2017) Towards secure authenticating of cache in the reader for RFID-based IoT systems. Peer-to-Peer Networking and Applications, pp 1–11
Liu Z, Liu D, Li L, Lin H, Yong Z (2015) Implementation of a new RFID authentication protocol for EPC Gen2 standard. IEEE Sens J 15(2):1003–1011
Musa A, Dabo AAA (2016) A review of RFID in supply chain management: 2000–2015. Glob J Flex Syst Manag 17(2):189–228
Peris-Lopez P, Hernandez-Castro JC, Tapiador JM, Ribagorda A (2008) Advances in ultralightweight cryptography for low-cost RFID tags: Gossamer protocol. In: International Workshop on Information Security Applications. Springer, pp 56–68
Prodanoff ZG (2010) Optimal frame size analysis for framed slotted aloha based RFID networks. Comput Commun 33(5):648–653
Safkhani M, Bagheri N (2017) Passive secret disclosure attack on an ultralightweight authentication protocol for internet of things. J Supercomput 73(8):3579–3585
Shen H, Shen J, Khan MK, Lee JH (2016) Efficient RFID authentication using elliptic curve cryptography for the internet of things. Wirel Pers Commun 1–14. doi:10.1007/s11277-016-3739-1
Song B, Mitchell CJ (2008) RFID authentication protocol for low-cost tags. In: Proceedings of the first ACM conference on Wireless Network Security. ACM, pp 140–147
Tewari A, Gupta B (2017) Cryptanalysis of a novel ultra-lightweight mutual authentication protocol for IoT devices using RFID tags. J Supercomput 73(3):1085–1102
Wang KH, Chen CM, Fang W, Wu TY (2017) On the security of a new ultra-lightweight authentication protocol in IoT environment for RFID tags. J Supercomput 1–6. doi:10.1007/s11227-017-2105-8
Weinstein R (2005) RFID: a technical overview and its application to the enterprise. IT Prof 7(3):27–33
Yan T, Wen Q (2010) A secure mobile RFID architecture for the internet of things. In: 2010 IEEE International Conference on Information Theory and Information Security (ICITIS). IEEE, pp 616–619
Zhu W, Yu J, Wang T (2012) A security and privacy model for mobile RFID systems in the internet of things. In: 2012 IEEE 14th International Conference on Communication Technology (ICCT). IEEE, pp 726–732
Acknowledgements
We would like to thank the anonymous reviewers for their careful review and constructive suggestions.
About this article
Cite this article
Aghili, S.F., Ashouri-Talouki, M. & Mala, H. DoS, impersonation and de-synchronization attacks against an ultra-lightweight RFID mutual authentication protocol for IoT. J Supercomput 74, 509–525 (2018). https://doi.org/10.1007/s11227-017-2139-y
DOI: https://doi.org/10.1007/s11227-017-2139-y