Cryptanalysis of a novel authentication protocol conforming to EPC-C1G2 standard
Introduction
RFID technology today is employed in a great number of applications. However, security aspects do not play an important role in the introduction of this promising technology. We should have learned from past errors such as those related to Bluetooth or WiFi technology. However, the security level offered by commercial solutions is very low (e.g. Texas Instruments DST tags [4], Philips Mifare cards [14]). The two main problems related to RFID technology are privacy and tracking:
Privacy: Tag content, which may include sensitive information, is revealed when insecure tags are interrogated by readers. Tags and readers should be authenticated to correct this problem. However, readers are frequently not authenticated, and tags usually answer in a completely transparent way.
Tracking: A problem closely related to privacy is tracking, or violations of location privacy. Even if access to tag content were only allowed to authorized readers, protection against tracking still might not be guaranteed. The answer provided by tags is usually a constant value (i.e. a static identifier). Under this assumption, an attacker will be able to establish an association between tags and their owners. Additionally, we can relax our conditions and assume that tags only contain product codes rather than a unique identifier. In spite of this, Weis et al. claim that tracking will still be possible by using an assembly of tags (a constellation) [29].
In addition to the previous threats, there are some other aspects that must be considered: eavesdropping, physical attacks, counterfeiting, active attacks, denial of service, etc. For more depth on all these matters we recommend reading [12], [21], [22], which provide surveys of the most important advances in RFID technology.
Each time a new protocol is defined, the class of tag for which the proposed protocol is appropriate should also be specified. In general terms, a tag contains a microchip with some computational and storage capabilities, and a coupling element, such as an antenna coil for communication. Tags can be classified according to two main criteria:
The type of memory: The memory element serves as writable and non-writable data storage. Tags can be programmed to be read-only, write-once read-many, or fully rewritable. Depending on the kind of tag, tag programming can take place at the manufacturing level or at the application level.
The source of power: A tag can obtain power from the signal received from the reader, or it can have its own internal power source. The way the tag gets its power generally defines the category of the tag:
1. Passive tags do not have an internal source of power. They harvest their power from the reader that sends out electromagnetic waves. These kinds of tags are restricted in their read/write range as they rely on RF electromagnetic energy from the reader for both power and communication.
2. Semi-passive tags use a battery to run the microchip's circuitry but communicate by harvesting power from the reader signal.
3. Active tags possess a power source that is used to run the microchip's circuitry and to broadcast a signal to the reader.
Another relevant parameter is tag price, in which we mainly distinguish between high-cost and low-cost RFID tags. We note that depending on the class of tag, the security level that can be supported will also be different. For example, the security level of a tag used in e-passports should not be the same as that of a low-cost tag employed in the supply chain (e.g. tags compliant with the EPC Class-1 Generation-2 specification). To clarify the kind of systems we refer to as low-cost/high-cost RFID tags, Table 1 summarizes their specifications, these being relevant to current commercial RFID tags.
Section snippets
Motivation
RFID is a relatively heterogeneous technology with a significant number of connected standards. As in [21], standards can be classified according to five main categories: contactless integrated circuit cards, RFID in animals, item management, near field communication (NFC) and EPC. Fig. 1 summarizes the most important of those. Within these standards, one of the most relevant is the EPCglobal Class-1 Gen-2 RFID specification (EPC-C1G2) [8]. It was adopted in 2004, and eighteen months later was
Related work
The vast majority of designs for security protocols for RFID either do not conform to the EPC-C1G2 [6], [7], [10], [11], [25], [31] specification or they suffer from major security flaws. In this section, we briefly present some recent attempts to raise the security level of low-cost RFID tags, whilst still conforming to EPC-C1G2.
In [13], Juels shows that EPC tags are vulnerable to elementary cloning and counterfeiting attacks. The proposals he makes for solving these problems, while resistant
Chien et al. protocol
In [5], Chien et al. propose a mutual authentication protocol for improving the security performance of EPC-C1G2. Their scheme consists of two phases: an initialization phase and authentication phase.
Cyclic Redundancy Codes — CRCs
A Cyclic Redundancy Code (CRC) is a checksum algorithm that can be used to detect transmission errors (typically one or two bit flips, or bursts) in a very efficient way. CRCs operate by interpreting an input binary sequence as the coefficients of a polynomial, which is divided by a fixed, predetermined polynomial to obtain a remainder; the binary expression of that remainder constitutes the CRC value.
CRCs are completely linear, so they shouldn't be used in cryptographic applications as they cannot detect
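The linearity noted above can be checked directly. The following is an added example, not code from the paper: a bitwise CRC-16 built on polynomial division, plus a helper showing that the CRC of a modified message follows from the original CRC alone. The generator 0x1021, the preset and final-XOR values, and the sample byte strings are assumptions chosen for illustration.

```python
POLY = 0x1021  # x^16 + x^12 + x^5 + 1 (CCITT generator; assumed for this example)


def crc16(data: bytes, init: int = 0x0000, xorout: int = 0x0000) -> int:
    """Remainder of data(x) * x^16 divided by POLY over GF(2), MSB first."""
    reg = init
    for byte in data:
        reg ^= byte << 8
        for _ in range(8):
            if reg & 0x8000:
                reg = ((reg << 1) ^ POLY) & 0xFFFF  # subtract (XOR) the divisor
            else:
                reg = (reg << 1) & 0xFFFF
    return reg ^ xorout


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc_after_xor(known_crc: int, delta: bytes, **params) -> int:
    """CRC of (m XOR delta), derived from CRC(m) only; m itself is never used.

    With a zero preset the CRC is linear: crc(a ^ b) == crc(a) ^ crc(b).
    A non-zero preset or final XOR makes it affine, so the CRC of the
    all-zero string of the same length cancels the constant term.
    """
    zero = bytes(len(delta))
    return known_crc ^ crc16(delta, **params) ^ crc16(zero, **params)


def demo() -> bool:
    # Constructed sample values, not taken from any real tag.
    secret = bytes.fromhex("3000112233445566778899aa")
    delta = bytes.fromhex("0000000000000000000000ff")
    params = {"init": 0xFFFF, "xorout": 0xFFFF}
    predicted = crc_after_xor(crc16(secret, **params), delta, **params)
    return predicted == crc16(xor_bytes(secret, delta), **params)


if __name__ == "__main__":
    print("CRC of modified message predicted without the message:", demo())
```

Because the prediction needs no secret, a CRC gives no integrity or authenticity guarantee against deliberate modification, only against random transmission errors.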
Vulnerabilities of Chien's protocol
In this section we will analyze the most important vulnerabilities in Chien et al.'s protocol.
Conclusions
Due to the security faults both of EPC-C1G2 and of the previous proposals conforming to this standard, in 2007 Chien et al. proposed a new mutual authentication protocol that tried to solve these problems. After briefly presenting the Chien scheme, the security of his protocol was analyzed, showing some important security failures: non-unequivocal-identification, identity impersonation (both of tags and, importantly, the back-end database), non-forward security, tracking, and
References (31)
- et al., Protocols for RFID tag/reader authentication, Decis. Support Syst. (2007)
- Philips and Texas Instruments join forces to accelerate EPC Gen-2 RFID deployment (2005)
- CRC and how to reverse it (1999)
- et al., Shoehorning security into the EPC standard (2006)
- et al., Security analysis of a cryptographically-enabled device
- et al., Efficient RFID authentication protocol for ubiquitous computing environment
- A lightweight RFID protocol to protect against traceability and cloning attacks
- Class-1 Generation-2 UHF air interface protocol standard version 1.0.9: "Gen 2" (January 2005)
- EPC Generation-1 tag data standards version 1.1 (May 2005)
- Low-cost and strong-security RFID authentication protocol
- Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers
- RFID security and privacy: a research survey. Manuscript
- Strengthening EPC tags against cloning. Manuscript
Pedro Peris-Lopez is Assistant Professor at the Computer Science Department of Carlos III University of Madrid. He has an M.Sc. in Telecommunications Engineering. His research interests are in the field of protocol design, authentication, privacy, lightweight cryptography, cryptanalysis, etc. Nowadays, his research is focused on Radio Frequency Identification Systems (RFID). In these fields, he has published a great number of papers in specialized journals and conference proceedings.
Julio C. Hernandez-Castro is Associate Professor at the Computer Science Department of Carlos III University of Madrid. He has a B.Sc. in Mathematics, an M.Sc. in Coding Theory and Network Security, and a Ph.D. in Computer Science. His interests are mainly focused on cryptology, network security, steganography and evolutionary computation. He loves chess and dreams of becoming, one day, a professional chess player. He also loves Recreational Mathematics and has published some fun articles in journals specialized in this area.
Juan M. Estevez-Tapiador is Associate Professor at the Computer Science Department of Carlos III University of Madrid. He holds an M.Sc. in Computer Science from the University of Granada (2000), where he obtained the Best Student Academic Award, and a Ph.D. in Computer Science (2004) from the same university. His research is focused on cryptology and information security. In these fields, he has published around 40 papers in specialized journals and conference proceedings. He is a member of the program committee of several conferences related to information security and serves as a regular referee for various journals.
Arturo Ribagorda is Full Professor at Carlos III University of Madrid, where he is also the Head of the Cryptography and Information Security Group and currently acts as the Director of the Computer Science Department. He has an M.Sc. in Telecommunications Engineering and a Ph.D. in Computer Science. He is one of the pioneers of computer security in Spain, having more than 25 years of research and development experience in this field. He has authored 4 books and more than 100 articles in several areas of information security. Additionally, he is a member of the program committee of several conferences related to cryptography and information security.