Practical attacks on a mutual authentication scheme under the EPC Class-1 Generation-2 standard

doi:10.1016/j.comcom.2009.03.010

Computer Communications

Volume 32, Issues 7–10, 28 May 2009, Pages 1185-1193

https://doi.org/10.1016/j.comcom.2009.03.010 Get rights and content

Abstract

The EPC Class-1 Generation-2 RFID standard provides little security, as has been shown in previous works such as [S. Karthikeyan, M. Nesterenko, RFID security without extensive cryptography, in: Proceedings of the 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks, 2005, pp. 63–67; D.N. Duc, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal Gen-2 RFID tag against traceability and cloning, in: The 2006 Symposium on Cryptography and Information Security, 2006; H.Y. Chien, C.H. Chen, Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards, Computer Standards & Interfaces 29 (2007) 254–259; P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, A. Ribagorda, Cryptanalysis of a novel authentication protocol conforming to EPC-C1G2 standard, in: Proceedings of Int’l Conference on RFID Security (RFIDSec)’07, Jul 2007; T.L. Lim, T. Li, Addressing the weakness in a lightweight RFID tag-reader mutual authentication scheme, in Proceedings of the IEEE Int’l Global Telecommunications Conference (GLOBECOM) 2007, Nov 2007, pp. 59–63]. In particular, the security of an RFID tag’s access and kill passwords is almost non-existent. Konidala and Kim recently proposed a new mutual authentication scheme [D.M. Konidala, Z. Kim, K. Kim, A simple and cost-effective RFID tag-reader mutual authentication scheme, in: Proceedings of Int’l Conference on RFID Security (RFIDSec)’07, Jul 2007, pp. 141–152] – an improved version of their first attempt [D.M. Konidala, K. Kim, RFID tag-reader mutual authentication scheme utilizing tag’s access password, Auto-ID Labs White Paper WP-HARDWARE-033, Jan 2007] – in which a tag’s access and kill passwords are used for authentication. In this paper, we show that the new scheme continues to present serious security flaws. The 16 least significant bits of the access password can be obtained with probability $2^{- 2}$ , and the 16 most significant bits with a probability greater than $2^{- 5}$ . Finally, we show how an attacker can recover the entire kill password with probability $2^{- 2}$ .

Introduction

EPCglobal is an organization that develops standards for the electronic product code (EPC), as well as an RFID framework (the EPCglobal Architecture Framework [9]) that supports the use of EPC. Among the few standards that have been developed by EPCglobal is the EPC Class-1 Gen-2 standard (EPC-C1G2 for short) [10] that specifies the RFID communications protocol for ultra-high frequency (UHF) communication between 860 and 960 MHz. The standard specifies that a compliant RFID tag should contain two 32-bit secrets – the access password and the kill password. The access password is used to authenticate readers that wish to access information stored on the tag and controls access to the information. The kill password is used to disable the tag permanently. Once a tag has been ‘killed’, it is rendered in silence thereafter.

EPC-C1G2 standard additionally specifies a simple scheme that allows a tag to authenticate a reader. This attempts to protect the access password by using a simple form of masking prior to transmission. However, a passive eavesdropper monitoring the messages exchanged between reader and tag can acquire this sensitive information by simply computing an XOR operation [11]. Konidala and Kim exposed this weakness and proposed tag-reader mutual authentication scheme (TRMA) to protect the access password [8]. Unfortunately, their scheme was soon found to be vulnerable to a number of attacks that could reveal the access password [5]. Konidala and Kim therefore proposed a new improved scheme (TRMA⁺) in [7], which they claimed to be secure. However, under close scrutiny, we have found that there are still weaknesses in the scheme. We show how practical attacks can effectively disclose both the access and the kill passwords. This paper highlights the need for designers of security schemes to conduct stringent cryptanalysis in order to be sure that their schemes provide the necessary resilience to attacks.

Other approaches to RFID authentication that conform to the EPC-C1G2 standard have been proposed previously. An efficient tag identification and reader authentication protocol based on the use of XORs and matrix operations was proposed in [1]. Duc et al. proposed a tag-to-backend database authentication protocol in [2], which uses a 16-bit pseudo-random number generator (PRNG), cyclic redundancy checksum (CRC) and XOR operations. Chien and Chen examined both protocols and pointed out particular security flaws [3]. Correspondingly, they proposed a new scheme similar to that of Duc et al., but this later came under attack by Peris-Lopez et al. [4].

Section snippets

The original TRMA scheme and its extension

For completeness and coherence we will first provide with a brief description of the original TRMA scheme and its extended version TRMA⁺.

Access password disclosure on TRMA⁺

In this section we describe how an attacker may succeed in recovering the 32-bit access password for a tag in the TRMA⁺ scheme.

Kill password disclosure on TRMA⁺

In this section, we describe how an attacker can succeed in recovering the 32-bit kill password for a tag in the TRMA⁺ scheme. We present two different approaches towards this objective. First, we assume that the attacker has no information (i.e. APWD, KPWD) about the target tag (see Section 4.1). Second, we assume that the attacker knows the 8 least significant bits of the access password (see Section 4.2).

Conclusion

In this paper, we have shown the existence of significant security flaws in a lightweight mutual authentication scheme¹ conforming to the EPC-C1G2 standard. The protocol uses the access and kill passwords defined in the specification, which are shared between legitimate entities (tags and readers). The authors suggested the use of a pad generation (see Section 2.3) function

Acknowledgement

We are grateful to Tong-Lee Lim for helpful comments and invaluable help.

References (10)

H.Y. Chien et al.
Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards
Computer Standards & Interfaces
(2007)
S. Karthikeyan, M. Nesterenko, RFID security without extensive cryptography, in: Proceedings of the 3rd ACM Workshop on...
D.N. Duc, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal Gen-2 RFID tag against traceability and cloning, in:...
P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, A. Ribagorda. Cryptanalysis of a novel authentication...
T.L. Lim, T. Li, Addressing the weakness in a lightweight RFID tag-reader mutual authentication scheme, in: Proceedings...

There are more references available in the full text version of this article.

Cited by (16)

On the security of RFID anti-counting security protocol (ACSP)
2014, Journal of Computational and Applied Mathematics
Citation Excerpt :
Designing secure authentication protocols for low-cost RFID tags has received the attention of a lot of researchers, though many protocols have been published lately [1–19]. However, most of them have not satisfied the claimed security goals [20–25]. The security of an RFID protocol can be analyzed in several directions.
Recently Qian et al. (2012) [26] have proposed a new attack for RFID systems, called counting attack, where the attacker just aims to estimate the number of tagged objects instead of steal the tags’ private information. They have stated that most of the existing RFID mutual authentication protocols are vulnerable to this attack. To defend against counting attack, they proposed a novel Anti-Counting Security Protocol called ACSP. The designers of ACSP have claimed that their protocol is resistant against counting attack and also the other known RFID security threats. However in this paper we present the following efficient attacks against this protocol:
- •
  Two tag impersonation attack: the success probability of each attack is “1” while the complexity is at most three runs of the protocol.
- •
  Two single tag de-synchronization attacks, the success probability of both attacks is “1” while the complexity is at most two runs of the protocol.
- •
  Group of tags de-synchronization attack: this attack, which can de-synchronize all tags in the range at once, has a success probability of “1” while its complexity is one run of the protocol.
- •
  Traceability attack: the adversary’s advantage in this attack is almost the maximum of possible advantages for an adversary in the same model, i.e., $\frac{1}{2}$ . The complexity of this attack is three runs of the protocol.
To counteract such flaws, we improve the ACSP protocol by applying some modifications so that it provides the desired security.
Authentication protocol conforming to EPC class-1 Gen-2 standard
2017, 2016 International Conference on Advanced Communication Systems and Information Security, ACOSIS 2016 - Proceedings
A secure privacy and authentication protocol for passive RFID tags
2017, International Journal of Mobile Communications
Keep all mobile users′ whereabouts secure: a radio frequency identification protocol anti-tracking in 5G
2016, International Journal of Communication Systems
Security Analysis and Strengthening of an RFID Lightweight Authentication Protocol Suitable for VANETs
2015, Wireless Personal Communications
Lightweight anti-desynchronization RFID mutual authentication protocol
2015, Zhongnan Daxue Xuebao (Ziran Kexue Ban)/Journal of Central South University (Science and Technology)

View all citing articles on Scopus

View full text