foreign-australia-hydconf

Proceedings of International Conference on Innovation in Electronics and Communication Engineering, 20-21, July 2012, GNI Hyderabad


RFID Security Issues - An Overview (Invited Paper)

Saravanan Sundaresan, Robin Doss and Wanlei Zhou
School of Information Technology, Deakin University, Australia

Email: [email protected]

Abstract—Radio Frequency Identification (RFID) is a technology that enables the non-contact, automatic and unique identification of objects using radio waves. Its use for commercial applications has recently become attractive with RFID technology seen as the replacement for the optical barcode system that is currently in widespread use. RFID has many advantages over the traditional barcode and these advantages have the potential to significantly increase the efficiency of decentralised business environments such as logistics and supply chain management. The large-scale implementation of RFID is curtailed mainly due to security/privacy issues. Security plays a significant role in areas of RFID such as mutual authentication, secure search and tag ownership/delegation to name a few. It is also quite challenging to implement security features in low-cost passive RFID tags which are highly resource constrained. Many of the schemes that claim to meet the necessary security requirements do not comply with the EPC Class-1 Gen-2 standards as these protocols use expensive hash operations or sophisticated encryption schemes that the passive tags cannot handle. In this article, we discuss the general security issues in RFID and also cover some of the key contributions made in these areas.

I. INTRODUCTION

The history of RFID can be traced back to World War II when several countries started using radar technology - that was discovered by a Scottish Physicist Sir Robert Alexander Watson-Watt in 1935 - to warn of approaching planes while they were still miles away. It was under Watson-Watt that the British developed the first active Identify Friend or Foe (IFF) system. UHF RFID got its boost in the late 1990s when low-cost tags were deployed on all products to track them through the supply chain [1]. The global RFID industry will be valued at 9.7 billion US dollars by 2013 with an annual growth rate at about 15 percent and the total volume of tags used worldwide was estimated to be 10.6 billion pieces by 2011 of which 80 percent were UHF passive tags [2]. The three key elements of an RFID system are the tags, readers and the backend server. Tags are physically attached to objects, readers (wired or mobile) are devices that recognize the presence of objects in their range, and the server maintains all the crucial information about the IDs for the tags, readers, their secrets, information about the object attached to the tag and so on. There are three types of RFID tags - active tags, semi-active tags and passive tags [3], [4]. Active tags have their own battery to power their internal circuitry and transmission components. Semi-active tags also have their own power source, which is used only for powering the internal circuitry but not for transmission. Passive tags have no internal battery to power themselves. They use the electromagnetic signal from the reader as the power source. This makes passive tags highly cost-effective, thereby enabling large-scale application.

 A. Need for Security

It is noted in [5] that due to the privacy concerns arising from RFID usage, the Consumers Against Supermarket Privacy Invasion and Numbering - CASPIAN, Electronic Privacy Information Center (EPIC) and American Civil Liberties Union (ACLU) rally against the use of RFID technology especially in retail environments. One classic example for the security needs noted in [4] is when the location privacy of the tag holder should not be compromised. When an unauthorized reader obtains a constant reply from a tag, this information can be used to track the movements of the holder of the tag. For example, consider a tag attached to a passport. An unauthorized reader queries the tag and obtains a constant encrypted reply. Even though the contents cannot be deciphered by the adversary, it can compare tag replies at different locations and times. When the same tag reply is obtained in two different locations, the adversary can infer that the person holding the passport has been to those two locations. Thus the location privacy of this person is compromised. It is noted in [6] that the traceability problem is considered the biggest security challenge to general acceptability and wide-scale deployment of RFID technology. Thus, in order for it to be successful, RFID systems should be robust, safe and secure.

 B. Security Challenges and Constraints

Passive tags are highly resource constrained and cannot perform hash operations or handle any complex encryption schemes. Hence meeting security requirements is one of the biggest challenges when developing protocols for passive tags. It is observed in [7] that if radio waves can pass through some materials they can also be blocked and interfered with. The problem is solved using blocker tags which are designed to transmit an interfering signal especially to confound the singulation process. But this strategy may be defeated if the reader does not follow the singulation protocol. Two main security issues are discussed in [8]. The first concerns the attacks that aim to wipe out the functioning of the system (a DoS attack, for example). The second category relates to privacy, which includes both information leakage and traceability. Avoine [8] argues that ensuring privacy in RFID without using any cryptographic functions would only be a pipedream. It is also noted that designing and analyzing RFID protocols remains a real challenge since no universal model has been defined. It is observed in [9] that passive tags can broadcast information when powered and queried by a reader without the tag owner being aware of this action. It is also stated that most passive tags can even transmit a static serial number in response to a reader's query, thus allowing tracking of the tags and in turn the individuals.

According to [10], Tag Killing is a concern for companies and customers. The aim is to cut out the functionality of the tags when deactivation is necessary (e.g., demand from the customer at the point-of-sale). This idea protects the customers when properly used by giving them the privacy they need, but an adversary can use it maliciously to cause DoS attacks, making the tag useless and inoperative. Lei and Cao (2007) cited in [10] solve the tag killing problem by adding complexity to the tag. The solution requires an additional PRNG and chip area for storing this random number. Also, the identifier is concatenated with the random number prior to hashing, which causes the hash function to be run twice. This slows down even commonly performed tasks such as reading a tag and also increases the energy consumption of the tag, thereby calling into question the feasibility of the solution, as pointed out by Trcek and Kovac (2008) and Feldhofer and Wolkerstorfer (2007) cited in [10].

According to [4], when searching for a particular tag, tags should only respond to authenticated readers. Also, the readers should only query authenticated tags. This creates a chicken-and-egg problem - since readers want to query authenticated tags but tags will only respond to authenticated readers.

Thus, given the resource constraints of passive tags, it is apparent that implementing security in such tags can be quite challenging. The rest of the paper is organized as follows. Section II discusses the required security properties in RFID. Sections III, IV, V discuss the existing literature and issues related to mutual authentication, secure search and tag ownership/delegation areas respectively. Section VI discusses the open research problems in RFID and Section VII concludes the paper.

II. REQUIRED SECURITY PROPERTIES IN RFID

The required security properties to achieve authentication and privacy in RFID systems can be summarized as follows [11], [12].

• Tag Anonymity (P1): The protocol should protect against information leakage that can lead to disclosure of a tag's real identifier. This is important as otherwise an attacker may be able to clone a valid tag.

• Tag Location Privacy (P2): The protocol should ensure that the message contents are sufficiently randomized to ensure that they cannot be used to track the location(s) of the tags and thereby glean social information about the wearer of the tag.

• Forward Secrecy (P3): The protocol should ensure that on compromise of the internal secrets of the tag, its previous communications cannot be traced by the attacker. This requires that previous messages are not dependent on current resident data on the tag.

• Reader Anonymity (P4): The protocol should protect against information leakage that can lead to disclosure of a reader's real identifier. This is important as otherwise an attacker may be able to clone a valid reader.

• Reader Location Privacy (P5): The protocol should ensure that the message contents are sufficiently randomized to ensure that they cannot be used to track the location(s) of the readers and thereby glean social information about the owner.

• Replay Attacks (A1): The protocol should be able to resist compromise by an attacker through the replay of messages that have been collected by an attacker during previous protocol sequences. This requires that protocol messages in each round of the protocol are unique.

• De-synchronization Attack (A2): The protocol should be able to recover from incomplete protocol sequences that can occur due to an attacker selectively blocking messages. Importantly, such blocking of messages by an attacker should not lead to de-synchronization between the tag and the server/reader.

• Server Impersonation (A3): The protocol should ensure that the server cannot be impersonated by an attacker. This requires that the tag/reader challenges a server to prove its legitimacy, thereby achieving mutual authentication.

III. MUTUAL AUTHENTICATION

The need for security and privacy in RFID systems is well recognized and there has been a significant amount of work in this area [13], [12], [14]. However, the practical implementation of most schemes is limited by three main factors. Firstly, many schemes do not achieve conformance to EPC Class 1 Gen-2 standards and hence cannot be implemented on low cost tags which cannot support complex computation (such as hash functions). Secondly, schemes that are compliant to EPC Class 1 Gen-2 standards do not provide robust security in terms of authentication and privacy. Thirdly, most schemes assume that the channel between the back-end server and the reader is secure and hence they are not suitable in mobile/wireless reader environments where this assumption does not hold.

Early approaches to deal with the security problem in RFID systems include the use of shared secrets with the use of a pseudorandom function ensemble; hash chains to update a shared random identifier; monotonically increasing session hashes to prevent replay attacks; shared secrets and random nonces; monotonically increasing timestamps; and the use of XOR (exclusive OR), hash chains and a shared secret key between the reader and the back end server for reader tag authentication. Security flaws and protocol vulnerabilities have been identified in [15] in the schemes employing one or more of these techniques.

[16] identifies that the scheme proposed in Juels (2004) (a Yoking proof based on keyed hash functions and message authentication code (MAC) functions for pharmaceutical applications) fails to provide tag anonymity and is not resistant to replay attacks and chosen plain-text attacks. [16] also identifies that the scheme proposed in Wong (2005) (hash-lock scheme) does not provide location privacy and is not resistant to replay and server impersonation attacks. Further, since both schemes require the implementation of hash functions on the tags, they are not EPC Class-1 Gen-2 compliant.

In 2007, Chien et al. [17] proposed a mutual authentication protocol that achieves EPC Class-1 Gen-2 compliance and is based on random nonces and CRC calculations. However, it suffers from significant security drawbacks. Cryptanalysis of Chien's scheme by Peris-Lopez et al. [18] shows that it cannot guarantee the unequivocal identification of tags, forward secrecy and location privacy of tags. It is also observed that it is not robust enough to resist tag impersonation and auto de-synchronization attacks. Lo et al. [19] proposed an improvement to Chien's scheme but it still does not address the location privacy concern and can be compromised by collaborating readers [2]. Chen and Deng's scheme [20] is based on CRC and PRNG functions and is suitable for implementation on EPC Class-1 Gen-2 tags. However, the use of CRC functions makes it possible for attackers to exploit the completely linear property of the CRC function [18], and Kapoor et al. [21] have recently shown that Chen and Deng's scheme is vulnerable to impersonation attacks.
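The linearity noted above is why a CRC cannot stand in for a keyed integrity check: the CRC of a changed message follows from public values alone. The added sketch below (not code from the paper or the cited schemes) checks that relation for the CRC-16 parameters used by EPC Gen-2 and contrasts it with a truncated HMAC, which passive tags cannot run and which serves only as a reference point; the sample messages and key are constructed.

```python
import hashlib
import hmac


def crc16_epc(data: bytes) -> int:
    """CRC-16, poly 0x1021, preset 0xFFFF, output inverted (EPC Gen-2 CRC-16)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc ^ 0xFFFF


def keyed_mac32(data: bytes, key: bytes = b"constructed-demo-key") -> int:
    """Reference point only: HMAC-SHA256 truncated to 32 bits."""
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def is_affine_on(check, m: bytes, d: bytes) -> bool:
    """True if check(m XOR d) == check(m) XOR check(d) XOR check(00..0).

    When this holds for every m and d, anyone can compute the checksum of a
    modified message without knowing any secret.
    """
    zero = bytes(len(m))
    return check(xor_bytes(m, d)) == check(m) ^ check(d) ^ check(zero)


def affine_hits(check, pairs) -> int:
    """Number of (message, mask) pairs on which the affine relation holds."""
    return sum(is_affine_on(check, m, d) for m, d in pairs)


# Constructed sample data: 12-byte words and arbitrary bit masks.
PAIRS = [
    (bytes([i * 7 % 256] * 12), bytes([(i * 31 + j) % 256 for j in range(12)]))
    for i in range(1, 33)
]

if __name__ == "__main__":
    print("CRC-16 :", affine_hits(crc16_epc, PAIRS), "of", len(PAIRS))
    print("HMAC-32:", affine_hits(keyed_mac32, PAIRS), "of", len(PAIRS))
```
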

In [22] Liu and Bailey have proposed the privacy and authentication protocol (PAP) specifically for a retail environment. It is based on a shared key between the reader and the tag, a privacy state and hash value computation by the tag and the reader. Variations of the protocol are proposed for check-out, in-store, out-store and return actions that are common in a retail environment. However, PAP fails to provide tag anonymity as the tag identifier is transmitted in the clear. The authors argue that this is acceptable since the protocol is designed specifically for a controlled environment. In addition, PAP fails to comply with EPC Class-1 Gen-2 standards. Further, vulnerability analysis of PAP by Nasser et al [23] shows that PAP suffers from traceability and impersonation attacks.

In [16], Chen et al. proposed the first mutual authentication scheme based on quadratic residues. The scheme was designed to achieve mutual authentication, tag privacy and resistance to replay and de-synchronization attacks. However, cryptanalysis of this scheme by Cao and Shen [24] shows that the scheme is vulnerable to tag impersonation attacks, replay attacks and tag location disclosure. Chen's scheme was improved by Yeh and Wu [25] by having the tag generate an additional random number. Both Chen's original quadratic residue based scheme and Yeh's improved version require the tag to compute multiple hash functions. Hence both schemes are not suitable for EPC Class-1 Gen-2 tags.

IV. SECURE SEARCH

While there has been a significant amount of work done in the areas of RFID mutual authentication and tag ownership/delegation [11], [25], [22], [2], it is not the case for secure search. For the search to be secure, a tag should authenticate the reader before replying and the reader should also ensure that only legitimate tags receive the query, which prevents an adversary from learning the content of the query. As noted in [4], the problem statement can be simply put as: readers want to query authenticated tags but tags will only respond to authenticated readers.

Huang and Shieh propose a Secret Search Protocol in [29] which solves the privacy problem by offering a search mechanism over encrypted data. The protocol conducts search directly on ciphertexts without the need to decrypt them, which gives enhanced performance. Won et al [30] propose a search protocol utilizing the AES-128 block cipher and timestamps without the need of a central database. The authors claim that the timestamp generated by a portable reader protects from illegal tag-tracking by an adversary. The protocol also protects a portable reader's privacy even in an insecure channel by encrypting the Reader ID using the AES-128 block cipher. Both of these schemes by Huang et al. and Won et al. require tags to compute one-way hash functions or perform expensive encryptions such as AES-128 and hence are not compliant with the EPC C1G2 standard. Tan et al [31] propose a serverless secure search protocol considering the security for both the reader and the tag. A reader broadcasts $h(f(r_i, t_j)\ n_r) \oplus id_j$, $n_r$, $r_i$. The tag uses its secret $t_j$ to obtain $id_j$ and if it matches its own id then it sends back a response $h(f(r_i, t_j)\ n_t)\ n_r) \oplus id_j$, $n_t$. However, it is noted in [30] that Tan et al's scheme does not completely solve the illegal tag tracking problem and also does not consider a reader holder's privacy. Zuo [32] proposes a similar secure search protocol using a pseudo-random function with a seed and one-way hash function. The reader broadcasts F ki(idi ⊕ H (n1)) n1 F N ki (idi ⊕ H (n1)) n1 and the tag responds back with $H(id_i\ F_{k_i}(n_1)$. The tag then updates its secret key $k_i$. However, there are security issues with this scheme relating to reader compromise as noted in [4].

Kim et al [33] propose a serverless search protocol by providing the readers with unique access lists with a group of tags that they are authorized to search. In the search phase, the reader broadcasts the group id $G_k$, $S_{i,k}$ and random number $n_R$. Tags receiving the search request check to see if they belong to the group. If so, and if the intended tag exists in the group, it generates a random number $n_T$ and sends $h(h(S_{i,k}\ t_j)\ n_R\ n_T)$ along with the random number. A vulnerability noted by the authors in their protocol is that the tags should send their group identity to a querying reader. Also, the tags reply to a search query for a specific group. Thus, simple eavesdropping leads to knowing the group identity of the tags. We further note that broadcasting the group ids and also the pseudonyms in the clear is not advisable since these two pieces of information are vital to providing security to the tags and the readers. Ahamed et al [34] propose a serverless forward secure, anonymous search protocol using a pseudorandom number generator $P(\cdot)$ that takes a seed as an argument and a function $M(\cdot)$ that generates the next pseudorandom number. The reader generates and broadcasts the random number $n^k_{desired}$ using $P(seed^k_{desired})$ to find out the desired tag $T_{desired}$. A tag receiving the random number compares it with its own $n^k_i$ and if there is a match, it knows that the query is for itself and also authenticates the reader since only a legitimate reader can know its seed. The tag replies with $n^{k+1}_i$ and updates its seed. After receiving the response the reader computes $n^{k+1}_{desired}$ and compares it with $n^{k+1}_i$, and if there is a match it can be sure that the tag is valid as only a legitimate tag can generate this.

Table I. COMPARISON OF SECURITY AND PRIVACY PROPERTIES (MUTUAL AUTHENTICATION)

Scheme P1 P2 P3 P4 P5 A1 A2 A3
Juels [26] No No § § No No
Wong et al. [27] No § § No No
Chien et al. [17] No No § § No No
Chen et al. [16] No § § No
Yeh et al [25] § §
Lo et al. [19] No § § No No
Yeh et al. [2] No No
Chen and Deng [20] No No § § No
Liu et al. [22] No No No § § No No
Cho et al. [28] No No

: Fully satisfied; §: partially satisfied under certain assumptions; : not applicable.
P1: Tag anonymity; P2: Tag location privacy; P3: Forward secrecy; P4: Reader privacy; P5: Reader location privacy; A1: Resistant to replay attacks; A2: Resistant to desynchronisation attacks; A3: Resistant to impersonation attacks.

Kulseng et al [35] propose a secure search protocol based on Physically Unclonable Functions (PUF) and Linear Feedback Shift Register (LFSR). The authors claim that their protocol requires not more than 1400 hardware gates to implement the security features, which is well within the limits of low-cost passive RFID tags. LFSR is used to generate random numbers and PUF is used to authenticate the tags. The protocol addresses physical attacks and replay attacks. The protocol provides security from eavesdropping attacks since all secrets are XORed with some random numbers which are changed every round of the search. Also, the implementation of the $P$ function based on the PUF circuit can protect the tag from physical attacks. A probe on the wire of the PUF will change the resistance in the link that is being probed and therefore cause the PUF to alter its behavior. Also, the $P$ function is unclonable. If the content of the tag is somehow copied to another tag, the new tag will not be able to mimic the behavior of the original tag, because no two PUF circuits behave exactly the same. Replay attacks are also not possible since the greeting numbers are updated after each authentication/search. An improvement of the protocol is suggested by the authors to prevent de-synchronization attacks. Here, the reader and the tag do not share any secret key $K$. Instead, the tag stores the greeting numbers from the previous round and the currently expected greeting number. All tags maintain a predefined probability and decide whether to generate a fake response based on this probability to provide tag location privacy and prevent tracking attacks.

Now, we present our protocol proposed in [36] that is based on simple XOR and PRNG operations. A blind-factor ($\beta$) is used to hide the random numbers during all transmissions to provide additional security. The scheme is designed to conform with EPC C1G2 standards since we do not employ any encryption or hash functions while meeting the necessary security requirements. The protocol has two phases. In the first phase the backend server sets up all the tags and the readers with the necessary information such as IDs, private/shared secrets and so on. The second phase is where the search is conducted using the proposed protocol. The reader computes $M_1$ using $id_j$, the reader-tag shared secret $rts_j$ and the random number as $M_1 = id_j \oplus PRNG(rts_j \oplus r_r)$. $M_2$ is computed as $M_2 = r_r \oplus \beta$. Each tag computes its own $\beta$, extracts $r_r$ from $M_2$, computes $x = id \oplus PRNG(rts \oplus r_r)$ or $x = id \oplus PRNG(rts_{-1} \oplus r_r)$, compares it with $M_1$ and, if there is a match, computes $M_3 = rts \oplus PRNG(id \oplus t_r)$ (or) $M_3 = rts_{-1} \oplus PRNG(id \oplus t_r)$ and $M_4 = t_r \oplus \beta$ and sends it back to the reader. The reader verifies the response to see if the tag is present.

Table II. COMPARISON OF SECURITY AND PRIVACY PROPERTIES (SECURE SEARCH)

Scheme P1 P2 P3 P4 P5 P6 A1 A2
Huang et al [29] No NA NA
Won et al [30] No NA
Tan et al [31] No No No
Zuo [32] NA NA
Kulseng et al [35] § NA
Kim et al [33] No No
Our Scheme

P1: Basic Privacy; P2: Mutual Authentication; P3: Tag Anonymity; P4: Reader Anonymity; P5: Tag Location Privacy; P6: Reader Location Privacy; A1: Replay Attack; A2: DoS/De-synchronization Attack; C1: EPC Class-1 Gen-2 Compliance.
- Fully Satisfied; NA - Not Applicable; - Partially Satisfied; § - Fully Satisfied under certain assumptions
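The search round described above, written out for both sides as an added example; it is not the authors' code from [36]. Assumptions: 32-bit values, a one-step xorshift mixer standing in for the tag's PRNG, a blind factor derived from the tag id (the page does not say how β is computed), and hypothetical class and function names.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

WORD = 0xFFFFFFFF  # assumption: 32-bit values; the page fixes no word size


def prng(seed: int) -> int:
    """Stand-in PRNG (one xorshift32 step); the paper's generator is not given."""
    x = (seed & WORD) or 0x9E3779B9      # xorshift maps 0 to 0, so avoid it
    x ^= (x << 13) & WORD
    x ^= x >> 17
    x ^= (x << 5) & WORD
    return x


def blind(tag_id: int) -> int:
    """Assumption: the blind factor beta is derived from the secret tag id."""
    return prng(tag_id ^ 0x5BD1E995)


@dataclass
class Tag:
    id: int
    rts: int        # current reader-tag shared secret
    rts_prev: int   # rts_{-1}, the previous value of that secret

    def respond(self, m1: int, m2: int, tr: Optional[int] = None):
        """Return (M3, M4) if the query targets this tag, else None (silence)."""
        beta = blind(self.id)
        rr = m2 ^ beta                            # extract r_r from M2
        for secret in (self.rts, self.rts_prev):  # accept current or previous
            if self.id ^ prng(secret ^ rr) == m1:
                tr = secrets.randbits(32) if tr is None else tr
                return secret ^ prng(self.id ^ tr), tr ^ beta
        return None


@dataclass
class ReaderRecord:
    id: int    # id_j of the tag being searched for
    rts: int   # rts_j as the reader knows it


def reader_query(rec: ReaderRecord, rr: Optional[int] = None):
    """Build (M1, M2) for the wanted tag with a fresh reader nonce r_r."""
    rr = secrets.randbits(32) if rr is None else rr
    return rec.id ^ prng(rec.rts ^ rr), rr ^ blind(rec.id)


def reader_verify(rec: ReaderRecord, reply) -> bool:
    """Recover t_r from M4 and check M3 against the reader's copy of rts."""
    m3, m4 = reply
    tr = m4 ^ blind(rec.id)
    return m3 == rec.rts ^ prng(rec.id ^ tr)


def search(rec: ReaderRecord, tags, rr: Optional[int] = None) -> dict:
    """Run one search round over every tag in range; return the transcript."""
    m1, m2 = reader_query(rec, rr)
    replies = [r for r in (t.respond(m1, m2) for t in tags) if r is not None]
    found = any(reader_verify(rec, r) for r in replies)
    return {"query": (m1, m2), "replies": replies, "found": found}


if __name__ == "__main__":
    # Constructed tag population.
    population = [Tag(0xA001, 0x11112222, 0x33334444),
                  Tag(0xA002, 0x55556666, 0x77778888)]
    for _ in range(2):  # two rounds for the same tag give unrelated transcripts
        print(search(ReaderRecord(0xA002, 0x55556666), population))
```

A reader whose record is one update behind (holding what the tag stores as rts₋₁) still gets a verifiable reply, which is the resynchronisation case the two alternative formulas for x and M3 cover.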

Figure 1. Our Secure Search Protocol from [36]

V. TAG OWNERSHIP

Lopez et al [37] and Cai et al [38] discuss the vulnerability in Song et al's ownership transfer scheme. It is shown that the secret update protocol is vulnerable to a de-synchronization attack by blocking the first message $(r_1, M_1, M_2)$ from reaching the tag. The adversary then forges a second message $(r_1, M_1, M_2)$ that will be accepted by the tag, which results in the tag's secret being updated to a value that the legitimate server does not know. Henceforth the legitimate server cannot access the tag, resulting in de-synchronization. As a fix, it is suggested that $M_2$ be modified from $s_i(new) \oplus (t_i \gg l/2)$ to $s_i(new) \oplus h(t_i)$ on the server side. Then on the tag side, $s_i \leftarrow M_2 \oplus (t_i \gg l/2)$ is revised to $s_i \leftarrow M_2 \oplus h(t_i)$. Song et al [39] provide a further revised version of the protocol in which $M_2 = f_t(r_1\ r_2)$ remains the same as in [38] and $M_3$ is changed to $s \oplus f_t(r_2\ r_1)$.

Zhou et al [40] propose a tag ownership transfer protocol which considers the third party logistics (TPL) provider and the Trusted Third Party (TTP) and their roles in the ownership transfer in a distributed supply chain environment. The scheme uses two keys: one main key for the owner and a sub-key for the third-party logistics provider. The sequence of events is: 1) The current owner possesses or obtains from the TTP the main key $K$ to the item of interest; 2) The tag, current owner and the TPL provider (if any) obtain the sub-key $k_i$ for the item at the origin location; 3) The item is transported from the origin to the destination location; 4) The new owner obtains the main key from the TTP; 5) The new owner, TPL provider and tag obtain the updated sub-key from the TTP. The owners have to have knowledge of both the main and sub-keys to communicate with the tag and the composite key is represented by $K \oplus k_i$. It is noted by the authors that the protocol: 1) does not guarantee forward secrecy since none of the messages are encrypted by any hash function and 2) does not protect from relay attacks (which is when an attacker simply relays messages between an honest reader and honest tag with or without the knowledge of the other party) due to the absence of cryptographic manipulations by the attacker.

Song et al. discuss an RFID pseudonym protocol in [39] that uses a pre-computed lookup table for tag authentication, resulting in O(1) work to identify and authenticate a tag as opposed to O(n) in some other protocols. The look-up table contains a number of entries (determined by the hash-chain length m) for each tag, one for each element of a tag-specific hash-chain. Elements from this hash-chain are used as tag identifiers. In the init phase the server S chooses $l$ (bit-length of tag identifier), $l_r$ (bit-length of a random string), $l_m$ (bit-length of integer m), e, f and g as keyed-hash functions and h a hash function. To build the look-up table, S chooses an l-bit string s and computes the key k = h(s). S chooses a random l-bit string $x_0$ and computes the hash-chain $x_i = e_k(x_{i-1})$ for $1 \le i \le m$. Each value in the hash-chain is used as a one-time tag identifier. S stores s, k and the identifiers $x_0, x_1, \ldots, x_m$ as the entries for T in the look-up table. Following the tag authentication, the secret update takes place if $x = x_m$, where the secrets are updated from $(s_{-1}, k_{-1}, s, k, x_0, x_1, \ldots, x_m)$ to $(s, k, s', k', x, x'_1, x'_2, \ldots, x'_m)$. Tag delegation is pretty straightforward. When S wants to delegate tag T to an entity, it transfers the secret k and the identifiers $x_0, x_1, \ldots, x_m$ to the entity via a secure channel. Then the entity can authenticate the tag a maximum of m times but cannot update the tag secrets since it does not know s. For the tag ownership transfer the secret update is accomplished as follows: Server S chooses a new secret $s'$, a random string r and an integer $m'$. It then computes $k' = h(s')$ and $M_s = g_k(x \| r) \oplus (s \| k' \| m')$ and sends r, $M_s$ to tag T. T computes $(s \| k' \| m') = M_s \oplus g_k(x \| r)$. If h(s) = k, S is authenticated and T updates its secret from k to $k'$ and its counter c to $m'$. T then computes $M_T = f_{k'}(r \| x)$ using the new secret $k'$ and sends $M_T$ to S. If $M_T = f_{k'}(r \| x)$, S now knows that T has received the new secret $k'$, and updates secrets s and k for T to $s'$ and $k'$ respectively. S computes the hash-chain values $x_i = e_{k'}(x_{i-1})$ for $1 \le i \le m'$, where $x_0$ is set to x. Otherwise, S starts over again.
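The look-up table and the secret update described above, written out as an added Python example; it is not code from this paper or from [39]. It assumes BLAKE2b as a stand-in for h and for the keyed hashes e, f and g, a tag that releases one chain element per session, and that the s carried in M_s is the tag's current secret (so a delegate holding only k fails the check h(s) = k); all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

L = 16                                      # identifier length l in bytes (assumed size)

def h(s):                                   # hash function h (BLAKE2b stand-in)
    return hashlib.blake2b(s, digest_size=L).digest()

def kh(label, k, data, n=L):                # keyed hashes e, f, g (BLAKE2b stand-ins)
    return hashlib.blake2b(data, digest_size=n, key=k, person=label).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def make_ms(k, x, r, s, k_new, m_new):      # M_s = g_k(x || r) XOR (s || k' || m')
    return xor(kh(b"g", k, x + r, 2 * L + 2), s + k_new + m_new.to_bytes(2, "big"))

class Tag:
    def __init__(self, k, x, c):
        self.k, self.x, self.c = k, x, c

    def emit(self):                         # assumed: one chain element per session
        x = self.x
        if self.c > 0:
            self.x, self.c = kh(b"e", self.k, x), self.c - 1
        return x

    def update(self, r, ms):                # tag side of the secret update
        plain = xor(ms, kh(b"g", self.k, self.x + r, 2 * L + 2))
        s, k_new, m_new = plain[:L], plain[L:2 * L], int.from_bytes(plain[2 * L:], "big")
        if not hmac.compare_digest(h(s), self.k):
            return None                     # sender does not know s: keep old state
        self.k, self.c = k_new, m_new
        return kh(b"f", k_new, r + self.x)  # M_T, computed with the new key

class Server:
    def __init__(self):
        self.table, self.rec = {}, {}       # x_i -> (tag id, i); tag id -> (s, k)

    def build(self, tid, s, x0, m):         # (re)build one tag's chain; returns tag state
        self.table = {x: v for x, v in self.table.items() if v[0] != tid}
        k, x = h(s), x0
        for i in range(m + 1):              # x_0 .. x_m, each a one-time identifier
            self.table[x] = (tid, i)
            x = kh(b"e", k, x)
        self.rec[tid] = (s, k)
        return Tag(k, x0, m)

    def identify(self, x):
        return self.table.get(x)            # one lookup, independent of tag count

    def transfer(self, tid, tag, x, m_new):
        s, k = self.rec[tid]
        s_new, r = secrets.token_bytes(L), secrets.token_bytes(L)
        k_new = h(s_new)
        mt = tag.update(r, make_ms(k, x, r, s, k_new, m_new))
        if mt is None or not hmac.compare_digest(mt, kh(b"f", k_new, r + x)):
            return False                    # no valid M_T: S starts over
        self.build(tid, s_new, x, m_new)    # new chain with x_0 = x
        return True
```

An index of m returned by `identify` is the point at which the text says the secret update takes place.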

Fouladgar and Afifi [9] propose two privacy-preserving schemes for ownership transfer based on hash functions and symmetric key cryptographic functions. As noted earlier, the use of hash functions or keyed encryption functions is not in compliance with EPC Class-1 Gen-2 standards. Besides this, however, in both schemes the update of the secret keys $K_U$ and $K_P$ is not protected against de-synchronization. An attacker can easily achieve DoS by blocking the final ACK message to the tag, leading to the tag and the back-end database having different keys. The authors claim that this is an issue that is not inherent to the scheme but rather due to the nature of the wireless channel. However, no solution is proposed. One possible solution is to store previous key values in the database. Seo et al. [41] propose a scheme based on a Public Key Infrastructure (PKI) with the tag’s computation moved to a “proxy” that manages each tag and is within the backward channel range of each tag. In our opinion, the infrastructure overhead of the scheme and the notion of a “proxy” make the scheme impractical. Kapoor and Piramuthu [42] propose two schemes, one with a TTP and one without a TTP, to enable ownership transfer. The schemes are based on keyed hash and keyed encryption functions. The protocol with TTP suffers from de-synchronization as the tag updates its secret even before the new secret is given to the new owner by the TTP. This means that the attacker can cause de-synchronization by blocking any of the following messages. The non-TTP version also suffers from vulnerabilities that can lead to forward secrecy compromise and tag cloning attacks. In [43] a lightweight ownership transfer protocol that is based on physically unclonable functions (PUF) and linear feedback shift registers (LFSR) is proposed. The authors propose two protocols, one with a TTP and another without a TTP. However, on analysis both protocols fail to provide the required security properties. As noted in [43] the protocol with TTP suffers from permanent de-synchronization when an attacker selectively blocks messages, while the protocol without a TTP is designed based on the assumption that an attacker is not able to eavesdrop on the transmission over the wireless channel. This is not a valid assumption as noted by Kapoor et al. [44].
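A simplified model of the lost final ACK and of the remedy suggested above (keeping the previous key in the database), added here as an example. It is not the scheme of [9]: the HMAC-based key update, the message labels and all names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class Tag:
    def __init__(self, key):
        self.key = key

    def respond(self, r):
        return mac(self.key, b"auth" + r)

    def on_ack(self, r, ack):
        new = mac(self.key, b"update" + r)
        if hmac.compare_digest(ack, mac(new, b"ack" + r)):
            self.key = new                  # tag commits only after a valid ACK

class Database:
    def __init__(self, key, keep_previous):
        self.cur, self.prev, self.keep_previous = key, None, keep_previous

    def session(self, tag, ack_delivered=True):
        r = secrets.token_bytes(16)
        resp = tag.respond(r)
        candidates = [self.cur]
        if self.keep_previous and self.prev is not None:
            candidates.append(self.prev)    # also accept the key from before the last update
        base = next((k for k in candidates
                     if hmac.compare_digest(resp, mac(k, b"auth" + r))), None)
        if base is None:
            return False                    # tag no longer recognised
        new = mac(base, b"update" + r)      # derive the next key from the key the tag proved
        self.prev, self.cur = base, new
        if ack_delivered:
            tag.on_ack(r, mac(new, b"ack" + r))
        return True

def run(keep_previous):
    k0 = secrets.token_bytes(16)            # constructed sample key
    tag, db = Tag(k0), Database(k0, keep_previous)
    results = [db.session(tag),                       # normal session
               db.session(tag, ack_delivered=False),  # final ACK never reaches the tag
               db.session(tag)]                       # next legitimate read
    return results, tag.key == db.cur
```

Because the database always advances from the key the tag actually proved, the tag stays reachable after any number of consecutive lost ACKs.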

VI. OPEN RESEARCH PROBLEMS

RFID security and privacy research is broadly categorized into two areas [4]. The first is protocol based, which emphasizes designing protocols using lightweight primitives. The second category is hardware based, emphasizing improvements to tag hardware to provide additional security primitives like elliptic curve cryptography. Several existing research problems in the RFID arena are discussed below as given in [28].

Intended or Meaningless Request: This type of attack is used in tag location tracking and traffic analysis. Here an adversary transmits intended or meaningless requests to a tag instead of eavesdropping on the communication. The weaknesses in some protocols enable the adversary to anticipate the response message of the tag, which can be used to perform location tracking.

Acquisition of tag information with complexity equal to the backend server: A hash based protocol generally has a computational complexity of O(n), where n is the number of tags, and if the cost to an adversary of obtaining the tag information via brute-force attack is the same then the attack is considered to be effective.

Excessive growth of computational complexity of backend server to recognize a tag: If tag identification by the backend server has excessive computational complexity then the efficiency of the overall system declines, thereby making the protocol unrealistic for real-time applications.

Over Dependency of response message of tag on random number: Random numbers that are used in the operations are exposed during the transmission. An adversary can use this to perform traffic analysis and a brute-force attack.

Table III
COMPARISON OF SECURITY AND PRIVACY PROPERTIES (TAG OWNERSHIP)

Scheme P1 P2 P3 P4 A1 A2 A3

Osaka et al. [45] No No No

Fouladgar and Afifi [9] No

Kulseng et al. (with TTP) [43] No

Kulseng et al. (without TTP) [43] No

Dimitriou [46] No No No No

Song and Mitchell [39] No No §

Kapoor and Piramuthu (with TTP) [44] § § No

Kapoor and Piramuthu (without TTP) [44] § § No No

: Fully satisfied; §: partially satisfied under certain assumptions.

VII. CONCLUSION

In this paper, we have discussed RFID and its role in our everyday lives; the security/privacy threats posed by RFID and how security plays a significant role in areas such as mutual authentication, secure search and tag ownership/delegation; the challenges in implementing security features in low-cost passive RFID tags, which are highly resource constrained; and how many of the schemes that claim to meet the necessary security requirements do not comply with the EPC Class-1 Gen-2 standards due to the use of expensive hash operations or sophisticated encryption schemes that passive tags cannot handle.

Our future work involves the development of such C1G2

compliant protocols for passive tags in the area of ownership

transfer/delegation.

REFERENCES

[1] M. Roberti, “The history of rfid technology,” RFID Journal LLC. [Online]. Available: http://www.rfidjournal.com/article/view/1338

[2] T.-C. Yeh, Y.-J. Wang, T.-C. Kuo, and S.-S. Wang, “Securing RFID systems conforming to EPC Class 1 Generation 2 standard,” Expert Systems with Applications, vol. 37, no. 12, pp. 7678–7683, Dec. 2010.

[3] C. Lee, S. Park, K. Lee, and D. Won, “An Attack on an RFID Authentication Protocol Conforming to EPC Class 1 Generation 2 Standard,” International Conference on Hybrid Information Technology, pp. 488–495, 2011.


[4] C. Tan, B. Sheng, and Q. Li, “Secure and Serverless RFID Authentication and Search Protocols,” IEEE Transactions on Wireless Communications, vol. 7, no. 4, pp. 1400–1407, Apr. 2008.

[5] H. Pagey and K. A. Hua, “TagPay: A Payment Atomic RFID Ownership Transfer Protocol,” 2010 IEEE 12th Conference on Commerce and Enterprise Computing, pp. 196–203, Nov. 2010.

[6] C. H. Lim and T. Kwon, “Strong and Robust RFID Authentication Enabling Perfect Ownership Transfer,” International Conference on Information and Communications Security – ICICS’06, vol. 4307, pp. 1–20, 2006.

[7] L. Leinweber, F. G. Wolff, C. Papachristou, and F. L. Merat, “A minimal protocol with public key cryptography for identification and privacy in RFID tags,” 2009 International Symposium on Signals, Circuits and Systems, pp. 1–4, Jul. 2009.

[8] G. Avoine, “Adversarial Model for Radio Frequency Identification,” Cryptology ePrint Archive, Report 2005/049, 2005.

[9] S. Fouladgar and H. Afifi, “A Simple Privacy Protecting Scheme Enabling Delegation and Ownership Transfer for RFID Tags,” Journal of Communications, vol. 2, no. 6, pp. 6–13, Nov. 2007.

[10] P. Japinnen and H. Hamalainen, “Enhanced RFID security method with ownership transfer,” in Proc. of International Conference on Computational Intelligence and Security, 2008.

[11] H.-Y. Chien and C.-S. Laih, “ECC-based lightweight authentication protocol with untraceability for low-cost RFID,” Journal of Parallel and Distributed Computing, vol. 69, pp. 848–853, 2009.

[12] R. D. Pietro and R. Molva, “An optimal probabilistic solution for information confinement, privacy and security in RFID systems,” Journal of Network and Computer Applications, 2010.

[13] T. van Deursen and S. Radomirovic, “On a new formal proof for RFID Location Privacy,” Information Processing Letters, vol. 110, pp. 57–61, 2009.

[14] E. Choi, D. H. Lee, and J. I. Lim, “Anti-cloning protocol suitable for EPCglobal Class-1 Generation-2 RFID systems,” Computer Standards and Interfaces, vol. 31, pp. 1124–1130, 2009.

[15] S. Piramuthu, “Protocols for RFID tag/reader authentication,” Decision Support Systems, vol. 43, pp. 897–914, 2007.

[16] Y. Chen, J.-S. Chou, and H.-M. Sun, “A novel mutual authentication scheme based on quadratic residues for RFID systems,” Computer Networks, vol. 52, pp. 2373–2380, April 2008.

[17] H.-Y. Chien and C.-H. Chen, “Mutual Authentication Protocol for RFID conforming to EPC Class 1 Generation 2 Standards,” Computer Standards and Interfaces, vol. 29, no. 2, pp. 254–259, April 2007.

[18] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda, “Cryptanalysis of a novel authentication protocol conforming to epc-c1g2 standard,” Computer Standards and Interfaces, vol. 31, no. 2, pp. 372–380, 2009.

[19] N. Lo and K. Yeh, “An efficient mutual authentication scheme for EPCglobal Class-1 Generation-2 RFID systems,” in International Conference on Embedded and Ubiquitous Computing, 2007.

[20] C.-L. Chen and Y.-Y. Deng, “Conformation of EPC Class-1 Generation 2 standards RFID system with mutual authentication and privacy protection,” Engineering Applications of Artificial Intelligence, vol. 22, pp. 1284–1291, January 2009.

[21] G. Kapoor and S. Piramuthu, “Vulnerabilities in chen and deng’s rfid mutual authentication and privacy protection protocol,” Engineering Applications of Artificial Intelligence, vol. 24, no. 7, pp. 1300–1302, 2011.

[22] A. Liu and L. Bailey, “PAP: Privacy and authentication protocol for passive RFID tags,” Computer Communications, vol. 32, pp. 1194–1199, 2009.

[23] M. Nasser, P. Peris-Lopez, P. Rafie, and M. J. van der Lubbe, “Vulnerability analysis of pap for rfid tags,” ArXiv e-prints, August 2010.

[24] T. Cao and P. Shen, “Cryptanalysis of some RFID authentication protocols,” Journal of Communications, vol. 3, no. 7, pp. 20–27, December 2008.

[25] T.-C. Yeh, C.-H. Wu, and Y.-M. Tseng, “Improvement of the RFID authentication scheme based on quadratic residues,” Computer Communications, 2010.

[26] A. Juels, “Yoking-Proofs for RFID Tags,” in International Workshop on Pervasive Computing and Communication Security – PerSec 2004, 2004, pp. 138–143.

[27] K. Wong, P. Hui, and A. Chan, “Cryptography and authentication on RFID tags for apparels,” Computer in Industry, vol. 57, pp. 342–349, 2005.

[28] J.-S. Cho, S.-S. Yeo, and S. K. Kim, “Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value,” Computer Communications, vol. 34, no. 3, pp. 391–397, Mar. 2011.

[29] S.-I. Huang and S. Shieh, “Authentication and secret search mechanisms for RFID-aware wireless sensor networks,” Int. J. Security and Networks, vol. 5, no. 1, pp. 15–25, 2010.

[30] T. Y. Won, J. Y. Chun, and D. H. Lee, “Strong Authentication Protocol for Secure RFID Tag Search without Help of Central Database,” 2008 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, pp. 153–158, Dec. 2008.

[31] C. C. Tan, B. Sheng, and Q. Li, “Serverless Search and Authentication Protocols for RFID,” International Conference on Pervasive Computing and Communications – PerCom 2007, pp. 3–12, 2007.

[32] Y. Zuo, “Secure and private search protocols for RFID systems,” Information Systems Frontiers, vol. 12, no. 5, pp. 507–519, Aug. 2009.

[33] Z. Kim, J. Kim, K. Kim, I. Choi, and T. Shon, “Untraceable and Serverless RFID Authentication and Search Protocols,” 2011 IEEE Ninth International Symposium on Parallel and Distributed Processing with Applications Workshops, pp. 278–283, May 2011.

[34] S. I. Ahamed, F. Rahman, E. Hoque, F. Kawsar, and T. Nakajima, “S3PR: Secure Serverless Search Protocols for RFID,” 2008 International Conference on Information Security and Assurance (isa 2008), pp. 187–192, Apr. 2008.

[35] L. Kulseng, Z. Yu, Y. Wei, and Y. Guan, “Lightweight Secure Search Protocols for Low-cost RFID Systems,” 2009 29th IEEE International Conference on Distributed Computing Systems, pp. 40–48, Jun. 2009.

[36] S. Sundaresan, R. Doss, and W. Zhou, “A serverless ultra-lightweight secure search protocol for epc class-1 gen-2 uhf rfid tags,” 2012 International Conference on Computer and Information Sciences, To appear, 2012.

[37] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Tapiador, T. Li, and Y. Li, “Vulnerability analysis of RFID protocols for tag ownership transfer,” Computer Networks, vol. 54, no. 9, pp. 1502–1508, Jun. 2010.

[38] C. Shaoying, Y. Li, T. Li, and R. H. Deng, “Attacks and Improvements to an RFID Mutual Authentication Protocol and its Extensions,” Proceedings of the 2nd ACM Conference on Wireless Network Security – WiSec’09, pp. 51–58, 2009.

[39] B. Song and C. J. Mitchell, “Scalable RFID security protocols supporting tag ownership transfer,” Computer Communications, vol. 34, no. 4, pp. 556–566, Apr. 2011.

[40] W. Zhou, E. J. Yoon, and S. Piramuthu, “Varying Levels of RFID Tag Ownership in Supply Chains,” On the Move to Meaningful Internet Systems – OTM 2011, pp. 228–235, 2011.

[41] Y. Seo, T. Asano, H. Lee, and K. Kim, “A lightweight protocol enabling ownership transfer and granular data access of RFID tags,” the 2007 Symposium on Cryptography and Information Security Sasebo, pp. 23–26, 2007.

[42] G. Kapoor and S. Piramuthu, “Single RFID Tag Ownership Transfer Protocols,” IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, vol. 99, pp. 1–10, 2011.

[43] L. Kulseng, Z. Yu, Y. Wei, and Y. Guan, “Lightweight Mutual Authentication and Ownership Transfer for RFID Systems,” in INFOCOM 2010, 2010.

[44] G. Kapoor and S. Piramuthu, “Vulnerabilities in some recently proposed RFID ownership transfer protocols,” IEEE Communications Letters, vol. 14, no. 3, pp. 260–262, Mar. 2010.

[45] K. Osaka, T. Takagi, K. Yamazaki, and O. Takahashi, “An Efficient and Secure RFID Security Method with Ownership Transfer,” in 2006 International Conference on Computational Intelligence and Security. IEEE, Nov. 2006, pp. 1090–1095.

[46] T. Dimitriou, “RFIDDOT: RFID Delegation and Ownership Transfer made simple,” in SecureComm, 2008.

Proceedings of International Conference on Innovation in Electronics and Communication Engineering

20-21, July 2012, GNI Hyderabad