Cryptanalysis of a novel authentication protocol conforming to EPC-C1G2 standard

https://doi.org/10.1016/j.csi.2008.05.012

Abstract

In 2006, the standard EPC Class-1 Generation-2 (EPC-C1G2) was ratified both by EPCglobal and ISO. This standard can be considered as a “universal” specification for low-cost RFID tags. Although it represents a great advance for the consolidation of RFID technology, it does not pay due attention to security and, as expected, its security level is very low. In 2007, Chien et al. published a mutual authentication protocol conforming to EPC-C1G2 which tried to correct all its security shortcomings. In this article, we point out various major security flaws in Chien et al.'s proposal. We show that none of the authentication protocol objectives are met. Unequivocal identification of tagged items is not guaranteed because of possible birthday attacks. Furthermore, an attacker can impersonate not only legitimate tags, but also the back-end database. The protocol does not provide forward security either. Location privacy is easily jeopardized by a straightforward tracking attack. Finally, we show how a successful auto-desynchronization (DoS attack) can be accomplished in the back-end database despite the security measures taken against it.

Introduction

RFID technology today is employed in a great number of applications. However, security aspects do not play an important role in the introduction of this promising technology. We should have learned from past errors such as those related to Bluetooth or WiFi technology. However, the security level offered by commercial solutions is very low (e.g. Texas Instruments DST tags [4], Philips Mifare cards [14]). The two main problems related to RFID technology are privacy and tracking:

Privacy: Tag content, which may include sensitive information, is revealed when insecure tags are interrogated by readers. Tags and readers should be authenticated to correct this problem. However, readers are frequently not authenticated, and tags usually answer in a completely transparent way.

Tracking: A problem closely related to privacy is tracking, or violations of location privacy. Even if access to tag content were only allowed to authorized readers, protection against tracking still might not be guaranteed. The answer provided by tags is usually a constant value (i.e. a static identifier). Under this assumption, an attacker will be able to establish an association between tags and their owners. Additionally, we can relax our conditions and assume that tags only contain product codes rather than a unique identifier. In spite of this, Weis et al. claim that tracking will still be possible by using an assembly of tags (a constellation) [29].

In addition to the previous threats, there are some other aspects that must be considered: eavesdropping, physical attacks, counterfeiting, active attacks, denial of service, etc. For more depth on all these matters we recommend reading [12], [21], [22], which provide surveys of the most important advances in RFID technology.

Each time a new protocol is defined, the class of tag for which the proposed protocol is appropriate should also be specified. In general terms, a tag contains a microchip with some computational and storage capabilities, and a coupling element, such as an antenna coil for communication. Tags can be classified according to two main criteria:

The type of memory: The memory element serves as writable and non-writable data storage. Tags can be programmed to be read-only, write-once read-many, or fully rewritable. Depending on the kind of tag, tag programming can take place at the manufacturing level or at the application level.

The source of power: A tag can obtain power from the signal received from the reader, or it can have its own internal power source. The way the tag gets its power generally defines the category of the tag:

1. Passive tags do not have an internal source of power. They harvest their power from the electromagnetic waves sent out by the reader. This kind of tag is restricted in its read/write range, as it relies on RF electromagnetic energy from the reader for both power and communication.
2. Semi-passive tags use a battery to run the microchip's circuitry but communicate by harvesting power from the reader signal.
3. Active tags possess a power source that is used to run the microchip's circuitry and to broadcast a signal to the reader.

Another relevant parameter is tag price, in which we mainly distinguish between high-cost and low-cost RFID tags. We note that depending on the class of tag, the security level that can be supported will also be different. For example, the security level of a tag used in e-passports should not be the same as that of a low-cost tag employed in the supply chain (e.g. tags compliant with the EPC Class-1 Generation-2 specification). To clarify the kind of systems we refer to as low-cost/high-cost RFID tags, Table 1 summarizes their specifications, which reflect current commercial RFID tags.

Motivation

RFID is a relatively heterogeneous technology with a significant number of connected standards. As in [21], standards can be classified according to five main categories: contactless integrated circuit cards, RFID in animals, item management, near field communication (NFC) and EPC. Fig. 1 summarizes the most important of those. Within these standards, one of the most relevant is the EPCglobal Class-1 Gen-2 RFID specification (EPC-C1G2) [8]. It was adopted in 2004, and eighteen months later was

Related work

The vast majority of designs for security protocols for RFID either do not conform to the EPC-C1G2 [6], [7], [10], [11], [25], [31] specification or they suffer from major security flaws. In this section, we briefly present some recent attempts to raise the security level of low-cost RFID tags, whilst still conforming to EPC-C1G2.

In [13], Juels shows that EPC tags are vulnerable to elementary cloning and counterfeiting attacks. The proposals he makes for solving these problems, while resistant

Chien et al. protocol

In [5], Chien et al. propose a mutual authentication protocol for improving the security performance of EPC-C1G2. Their scheme consists of two phases: an initialization phase and authentication phase.

Cyclic Redundancy Codes — CRCs

A Cyclic Redundancy Code (CRC) is a checksum algorithm that can be used to detect transmission errors (typically one or two bit flips, or bursts) in a very efficient way. CRCs operate by interpreting the input binary sequence as the coefficients of a polynomial, dividing it by a fixed polynomial, and taking the remainder, whose binary representation is the CRC value.

CRCs are completely linear, so they shouldn't be used in cryptographic applications as they cannot detect
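
The polynomial-division view and the linearity described in this section, as an added example that is not from the paper: a bitwise CRC-16 compared with HMAC-SHA256 under the same XOR test. The polynomial (0x1021), the presets, the key and the 96-bit sample values are assumptions chosen for illustration.

```python
import hashlib
import hmac

POLY = 0x1021  # x^16 + x^12 + x^5 + 1 (assumed for illustration)


def crc16(data: bytes, init: int = 0x0000) -> int:
    """Remainder of data(x) * x^16 modulo POLY over GF(2), MSB first."""
    reg = init
    for byte in data:
        reg ^= byte << 8
        for _ in range(8):
            # Shift one bit out; subtract (XOR) the divisor when the top bit was set.
            reg = ((reg << 1) ^ POLY if reg & 0x8000 else reg << 1) & 0xFFFF
    return reg


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("the XOR relations hold for equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_linear(a: bytes, b: bytes) -> bool:
    """Zero preset: crc(a XOR b) == crc(a) XOR crc(b)."""
    return crc16(xor_bytes(a, b)) == crc16(a) ^ crc16(b)


def crc_is_affine(a: bytes, b: bytes, c: bytes, init: int = 0xFFFF) -> bool:
    """Non-zero preset: the preset term cancels over an odd number of inputs."""
    lhs = crc16(xor_bytes(xor_bytes(a, b), c), init)
    return lhs == crc16(a, init) ^ crc16(b, init) ^ crc16(c, init)


def hmac_is_linear(key: bytes, a: bytes, b: bytes) -> bool:
    """Same test against a keyed MAC (HMAC-SHA256), which should fail it."""
    tag = lambda m: hmac.new(key, m, hashlib.sha256).digest()
    return tag(xor_bytes(a, b)) == xor_bytes(tag(a), tag(b))


# Constructed 96-bit sample values, not taken from the paper.
A = bytes.fromhex("3000112233445566778899aa")
B = bytes.fromhex("0f0e0d0c0b0a090807060504")
C = bytes.fromhex("a5a5a5a55a5a5a5a00ff00ff")

if __name__ == "__main__":
    print("CRC linear (preset 0x0000):", crc_is_linear(A, B))
    print("CRC affine (preset 0xFFFF):", crc_is_affine(A, B, C))
    print("HMAC-SHA256 linear:", hmac_is_linear(b"constructed-key", A, B))
```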

Vulnerabilities of Chien's protocol

In this section we will analyze the most important vulnerabilities in Chien et al.'s protocol.

Conclusions

Due to the security faults both of EPC-C1G2 and of the previous proposals conforming to this standard, in 2007 Chien et al. proposed a new mutual authentication protocol that tried to solve these problems. After briefly presenting the Chien scheme, the security of his protocol was analyzed, showing some important security failures: non-unequivocal-identification, identity impersonation (both of tags and, importantly, the back-end database), non-forward security, tracking, and

Pedro Peris-Lopez is Assistant Professor at the Computer Science Department of Carlos III University of Madrid. He has an M.Sc. in Telecommunications Engineering. His research interests are in the field of protocol design, authentication, privacy, lightweight cryptography, cryptanalysis, etc. Nowadays, his research is focused on Radio Frequency Identification Systems (RFID). In these fields, he has published a great number of papers in specialized journals and conference proceedings.

References (31)

  • Hung-Yu Chien et al.
  • S. Piramuthu, Protocols for RFID tag/reader authentication, Decis. Support Syst. (2007)
  • Philips and Texas Instruments join forces to accelerate EPC Gen-2 RFID deployment (2005)
  • Anarchriz, CRC and how to reverse it (1999)
  • D. Bailey et al., Shoehorning security into the EPC standard (2006)
  • S. Bono et al., Security analysis of a cryptographically-enabled device
  • E.Y. Choi et al., Efficient RFID authentication protocol for ubiquitous computing environment
  • T. Dimitriou, A lightweight RFID protocol to protect against traceability and cloning attacks
  • Class-1 Generation-2 UHF air interface protocol standard version 1.0.9: “Gen 2” (January 2005)
  • EPC Generation-1 tag data standards version 1.1 (May 2005)
  • J. Ha et al., Low-cost and strong-security RFID authentication protocol
  • D. Henrici et al., Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers
  • A. Juels, RFID security and privacy: a research survey. Manuscript (September 2005)
  • A. Juels, Strengthening EPC tags against cloning. Manuscript (March 2005)
  • N. Karten and H. Plötz. Mifare little security, despite obscurity....

Julio C. Hernandez-Castro is Associate Professor at the Computer Science Department of Carlos III University of Madrid. He has a B.Sc. in Mathematics, an M.Sc. in Coding Theory and Network Security, and a Ph.D. in Computer Science. His interests are mainly focused on cryptology, network security, steganography and evolutionary computation. He loves chess and dreams of becoming, one day, a professional chess player. He also loves Recreational Mathematics and has published some fun articles in journals specialized in this area.

Juan M. Estevez-Tapiador is Associate Professor at the Computer Science Department of Carlos III University of Madrid. He holds an M.Sc. in Computer Science from the University of Granada (2000), where he obtained the Best Student Academic Award, and a Ph.D. in Computer Science (2004) from the same university. His research is focused on cryptology and information security. In these fields, he has published around 40 papers in specialized journals and conference proceedings. He is a member of the program committee of several conferences related to information security and serves as regular referee for various journals.

Arturo Ribagorda is Full Professor at Carlos III University of Madrid, where he is also the Head of the Cryptography and Information Security Group and currently acts as the Director of the Computer Science Department. He has an M.Sc. in Telecommunications Engineering and a Ph.D. in Computer Science. He is one of the pioneers of computer security in Spain, having more than 25 years of research and development experience in this field. He has authored 4 books and more than 100 articles in several areas of information security. Additionally, he is a member of the program committee of several conferences related to cryptography and information security.