
Breaking anonymity of some recent lightweight RFID authentication protocols

Wireless Networks

Abstract

Due to their impressive advantages, Radio Frequency IDentification (RFID) systems are ubiquitously found in various novel applications. These applications usually need quick and accurate authentication or identification. In many cases, it has been shown that if such systems are not properly designed, an adversary can cause security and privacy concerns for end-users. To deal with these concerns, considerable effort has been made, resulting in various RFID authentication protocols being proposed. In this study, we analyze three lightweight RFID authentication protocols proposed in Wireless Personal Communications (2014), Computers & Security (2015) and Wireless Networks (2016). We show that none of the studied protocols provides the desired security and privacy required by end-users. We present various security and privacy attacks, such as secret parameter reveal, impersonation, DoS, traceability, and forward traceability, against the studied protocols. Our attacks are mounted in the Ouafi–Phan RFID formal privacy model, which is a modified version of the well-known Juels–Weis privacy model.



Acknowledgements

The first two authors were supported by the Estonian Research Council grant (PRG49). The third author has been supported by the Iranian National Science Foundation (INSF) under contract No. 92027548 and the Sharif Industrial Relation Office (SIRO) under Grant No. G931223.

Author information


Corresponding author

Correspondence to Karim Baghery.


Cite this article

Baghery, K., Abdolmaleki, B., Khazaei, S. et al. Breaking anonymity of some recent lightweight RFID authentication protocols. Wireless Netw 25, 1235–1252 (2019). https://doi.org/10.1007/s11276-018-1717-0


  • DOI: https://doi.org/10.1007/s11276-018-1717-0
