Security Issues in Ultralightweight RFID Authentication Protocols

Abstract

Ultralightweight RFID authentication protocols have attracted much attention from both fields of science and industry in recent years due to their high efficiencies and extensive applicability. However, many studies have shown that the published ultralightweight protocols are vulnerable to various kinds of malicious attacks, which generally are empirical analysis based and protocol dependent. A general and comprehensive study of these security issues is still absent. To supplement theory study in this area, this paper propose general attack models of three most serious attacks: de-synchronization attack, replay attack and full disclosure attack, for ultralightweight RFID protocols. To formalize the de-synchronization attack, we define an artificial function named FindIndex to analyze the ability of an ultralightweight RFID protocol to keep its data integrity. The proposed de-synchronization attack can break synchronization between RFID tag and database of most ultralightweight protocols with considerable success rates. Our replay attack demonstrates the uselessness of all existing redundancy mechanisms used to solve problems caused by losing final messages. That means all the protocols adopting redundancy mechanisms that store old secrets in one side or both sides cannot resist the proposed replay attack. Furthermore, we develop full-disclosure attacks for T-function based and rotation based RFID protocols, respectively. The described full-disclosure attacks are quite effective and can reveal some or all secrets in RFID tags. Our study shows the most common design flaws in those RFID protocols so that researchers are still faced with challenges to develop a secure ultralightweight RFID protocol.

Appendix

For simplicity, we only present the steps to reveal the LSBs of secrets in protocols.

1.1 Breaking M²AP

Taking into consideration of the n-th, (n + 1)-th and (n + 2)-th consecutive protocol sessions of M²AP, Linear equations are obtained:

$$ \begin{aligned} & [A]_{0}^{(n)} = [IDS]_{0}^{(n)} \oplus [K1]_{0}^{(n)} \oplus [n1]_{0}^{(n)} , \\ & [C]_{0}^{(n)} = [IDS]_{0}^{(n)} \oplus [K3]_{0}^{(n)} \oplus [n2]_{0}^{(n)} , \\ & [E]_{0}^{(n)} = [IDS]_{0}^{(n)} \oplus [ID]_{0} \oplus [n1]_{0}^{(n)} { ,} \\ & [IDS]_{0}^{(n + 1)} = [IDS]_{0}^{(n)} \oplus [ID]_{0} \oplus [n1]_{0}^{(n)} \, \oplus [n2]_{0}^{(n)} { ,} \\ & [C]_{0}^{(n)} = [IDS]_{0}^{(n + 1)} \oplus [K1]_{0}^{(n)} \oplus [K3]_{0}^{(n)} \oplus [n1]_{0}^{(n)} \oplus [ID]_{0} \oplus [n2]_{0}^{(n + 1)} , \\ & [E]_{0}^{(n)} = [IDS]_{0}^{(n + 1)} \oplus [ID]_{0} \oplus [n1]_{0}^{(n + 1)} { ,} \\ & [IDS]_{0}^{(n + 2)} = [IDS]_{0}^{(n + 1)} \oplus [ID]_{0} \oplus [n1]_{0}^{(n + 1)} \, \oplus [n2]_{0}^{(n + 1)} \, .\\ \end{aligned} $$

(81)

The matrix representation is

$$ M \cdot \left( {\begin{array}{*{20}c} {[K1]_{0}^{(n)} } & {[K3]_{0}^{(n)} } & {[n1]_{0}^{(n)} } & {[n2]_{0}^{(n)} } & {[n1]_{0}^{(n + 1)} } & {[n2]_{0}^{(n + 1)} } & {[ID]_{0} } \\ \end{array} } \right)^{\text{T}} = V, $$

(82)

where

$$ M = \left( {\begin{array}{*{20}c} 1 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 1 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 1 \\ 0 & 0 & 1 & 1 & 0 & 0 & 1 \\ 1 & 1 & 1 & 0 & 0 & 1 & 1 \\ 0 & 0 & 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 0 & 0 & 1 & 1 & 1 \\ \end{array} } \right)\quad {\text{and}}\quad V{ = }\left( {\begin{array}{*{20}c} {[A]_{0}^{(n)} \oplus [K1]_{0}^{(n)} \oplus [n1]_{0}^{(n)} } \\ {[C]_{0}^{(n)} \oplus [IDS]_{0}^{(n)} } \\ {[E]_{0}^{(n)} \oplus [IDS]_{0}^{(n)} \, } \\ {[IDS]_{0}^{(n + 1)} \oplus [IDS]_{0}^{(n)} \, } \\ {[C]_{0}^{(n)} \oplus [IDS]_{0}^{(n + 1)} } \\ {[E]_{0}^{(n)} \oplus [IDS]_{0}^{(n + 1)} \, } \\ {[IDS]_{0}^{(n + 2)} \oplus [IDS]_{0}^{(n + 1)} \, } \\ \end{array} } \right). $$

(83)

M is nonsingular and Equation has unique solution. Therefore, we can conclude that using data in three consecutive protocol sessions, an attacker can compute K1, K3 and ID in a tag of M²AP.

1.2 Breaking EMAP

Strictly speaking, EMAP is not a T-function based ultralightweight RFID protocol because parity function is used in it. However, our attack is still applied to EMAP since most operators used in it are T-functions. Note that all operators used in EMAP will not cause any carry bit, and we can directly create equations for any bit.

An attacker first sends Wait([IDS] ⁽ⁿ⁾ _i  = 0) query, and then have

$$ \begin{aligned} & [A]_{i}^{(n)} = [K1]_{i}^{(n)} \oplus [n1]_{i}^{(n)} , \\ & [B]_{i}^{(n)} = [K2]_{i}^{(n)} \oplus [n1]_{i}^{(n)} , \\ & [C]_{i}^{(n)} = [K3]_{i}^{(n)} \oplus [n2]_{i}^{(n)} , \\ & [D]_{i}^{(n)} = [n2]_{i}^{(n)} , \\ & [IDS]_{i}^{(n + 1)} = [n2]_{i}^{(n)} \oplus [K1]_{i}^{(n)} . \\ \end{aligned} $$

(84)

The matrix representation is

$$ M \cdot \left( {\begin{array}{*{20}c} {[K1]_{i}^{(n)} } & {[K2]_{i}^{(n)} } & {[K3]_{i}^{(n)} } & {[n1]_{i}^{(n)} } & {[n2]_{i}^{(n)} } \\ \end{array} } \right)^{\text{T}} = V, $$

(85)

where

$$ M = \left( {\begin{array}{*{20}c} 1 & 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 1 & 0 \\ 0 & 0 & 1 & 0 & 1 \\ 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 1 \\ \end{array} } \right)\quad {\text{and}}\quad V{ = }\left( {\begin{array}{*{20}c} {[A]_{i}^{(n)} } \\ {[B]_{i}^{(n)} } \\ {[C]_{i}^{(n)} } \\ {[D]_{i}^{(n)} } \\ {[IDS]_{i}^{(n + 1)} } \\ \end{array} } \right). $$

(86)

Obviously, M is nonsingular and we can compute secrets K1, K2, K3 and two random numbers n1 and n2 in the n-th protocol session. It is obvious that we can use the same method to compute those secrets in (n + 1)-th protocol session if an attacker sends Wait([IDS] ⁽ⁿ⁾ _i  = 0 and [IDS] ⁽ⁿ⁺¹⁾ _i  = 0) query.

From the updating formulas, it is easy to know that

$$ ID = (K1^{(n)} \oplus K1^{(n + 1)} \oplus n2^{(n)} )(0:47)||(K2^{(n)} \oplus K2^{(n + 1)} \oplus n2^{(n)} )(48:95). $$

(87)

So we can fully compromise all secrets in EMAP.