RFID Security Issues - An Overview (Invited Paper)
Saravanan Sundaresan, Robin Doss and Wanlei Zhou
School of Information Technology, Deakin University, Australia
Email: [email protected]
Abstract—Radio Frequency Identification (RFID) is a technology that enables the non-contact, automatic and unique identification of objects using radio waves. Its use for commercial applications has recently become attractive with RFID technology seen as the replacement for the optical barcode system that is currently in widespread use. RFID has many advantages over the traditional barcode and these advantages have the potential to significantly increase the efficiency of decentralised business environments such as logistics and supply chain management. The large-scale implementation of RFID is curtailed mainly due to security/privacy issues. Security plays a significant role in areas of RFID such as mutual authentication, secure search and tag ownership/delegation to name a few. It is also quite challenging to implement security features in low-cost passive RFID tags which are highly resource constrained. Many of the schemes that claim to meet the necessary security requirements do not comply with the EPC Class-1 Gen-2 standards as these protocols use expensive hash operations or sophisticated encryption schemes that the passive tags cannot handle. In this article, we discuss the general security issues in RFID and also cover some of the key contributions made in these areas.
I. INTRODUCTION
The history of RFID can be traced back to World War II when several countries started using radar technology - discovered by the Scottish physicist Sir Robert Alexander Watson-Watt in 1935 - to warn of approaching planes while they were still miles away. Under Watson-Watt, the British developed the first active Identify Friend or Foe (IFF) system. UHF RFID got its boost in the late 1990s when low-cost tags were deployed on all products to track them through the supply chain [1]. The global RFID industry will be valued at 9.7 billion US dollars by 2013 with an annual growth rate at about 15 percent and the total volume of tags used worldwide was estimated to be 10.6 billion pieces by 2011 of which 80 percent were UHF passive tags [2]. The three key elements of an RFID system are the tags, readers and the backend server. Tags are physically attached to objects, readers (wired or mobile) are devices that recognize the presence of objects in their range and the server maintains all the crucial information about the IDs for the tags, readers, their secrets, information about the object attached to the tag and so on. There are three types of RFID tags - active tags, semi-active tags and passive tags [3], [4]. Active tags have their own battery to power their internal circuitry and transmission components. Semi-active tags also have their own power source which is used only for powering the internal circuitry but not for transmission. Passive tags have no internal battery to power themselves. They use the electromagnetic signal from the reader as the power source. This makes the passive tags highly cost-effective thereby enabling large-scale application.
A. Need for Security
It is noted in [5] that due to the privacy concerns arising from RFID usage, the Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN), Electronic Privacy Information Center (EPIC) and American Civil Liberties Union (ACLU) rally against the use of RFID technology especially in retail environments. One classic example for the security needs noted in [4] is when the location privacy of the tag holder should not be compromised. When an unauthorized reader obtains a constant reply from a tag, this information can be used to track the movements of the holder of the tag. For example, consider a tag attached to a passport. An unauthorized reader queries the tag and obtains a constant encrypted reply. Even though the contents cannot be deciphered by the adversary, it can compare tag replies at different locations and times. When the same tag reply is obtained in two different locations, the adversary can infer that the person holding the passport has been to those two locations. Thus the location privacy of this person is compromised. It is noted in [6] that the traceability problem is considered the biggest security challenge to general acceptability and wide-scale deployment of RFID technology. Thus, in order for it to be successful, RFID systems should be robust, safe and secure.
B. Security Challenges and Constraints
Passive tags are highly resource constrained and cannot perform hash operations or handle any complex encryption schemes. Hence meeting security requirements is one of the biggest challenges when developing protocols for passive tags. It is observed in [7] that if radio waves can pass through some materials they can also be blocked and interfered with. The problem is solved using blocker tags which are designed to transmit an interfering signal especially to confound the singulation process. But this strategy may be defeated if the reader does not follow the singulation protocol. Two main security issues are discussed in [8]. The first concerns the attacks that aim to wipe out the functioning of the system (DoS attack for example). The second category relates to privacy which includes both information leakage and also traceability. Avoine [8] argues that ensuring privacy in RFID without using any cryptographic functions would only be a pipedream. It is also noted that designing and analyzing RFID protocols remains a real challenge since no universal model has been defined. It is observed in [9] that passive tags can broadcast information when powered and queried by a reader without the tag owner being aware of this action. It is also stated that most passive tags can even transmit a static serial number in response to a reader’s query thus allowing tracking of the tags and in turn the individuals.
Proceedings of International Conference on Innovation in Electronics and Communication Engineering
20-21, July 2012, GNI Hyderabad
According to [10] Tag Killing is a concern for companies and customers. The aim is to cut out the functionality of the tags when deactivation is necessary (e.g. demand from the customer at the point-of-sale). This idea protects the customers when properly used by giving them the privacy they need but an adversary can use it maliciously to cause DoS attacks making the tag useless and inoperative. Lei and Cao (2007) cited in [10] solve the tag killing problem by adding complexity to the tag. The solution requires an additional PRNG and chip area for storing this random number. Also, the identifier is concatenated with the random number prior to hashing which causes the hash function to be run twice. This results in slowing down even the commonly performed tasks such as reading a tag and also increases the energy consumption of the tag thereby questioning the feasibility of the solution as pointed out by Trcek and Kovac (2008) and Feldhofer and Wolkerstorfer (2007) cited in [10].
According to [4], when searching for a particular tag, tags should only respond to authenticated readers. Also, the readers should only query authenticated tags. This creates a chicken-and-egg problem - since readers want to query authenticated tags but tags will only respond to authenticated readers.
Thus, given the resource constraints of passive tags, it is apparent that implementing security in such tags can be quite challenging. The rest of the paper is organized as follows. Section II discusses the required security properties in RFID. Sections III, IV, V discuss the existing literature and issues related to mutual authentication, secure search and tag ownership/delegation areas respectively. Section VI discusses the open research problems in RFID and Section VII concludes the paper.
II. REQUIRED SECURITY PROPERTIES IN RFID
The required security properties to achieve authentication and privacy in RFID systems can be summarized as follows [11], [12].
• Tag Anonymity (P1): The protocol should protect against information leakage that can lead to disclosure of a tag’s real identifier. This is important as otherwise an attacker may be able to clone a valid tag.
• Tag Location Privacy (P2): The protocol should ensure that the message contents are sufficiently randomized to ensure that they cannot be used to track the location(s) of the tags and thereby glean social information about the wearer of the tag.
• Forward Secrecy (P3): The protocol should ensure that on compromise of the internal secrets of the tag, its previous communications cannot be traced by the attacker. This requires that previous messages are not dependent on current resident data on the tag.
• Reader Anonymity (P4): The protocol should protect against information leakage that can lead to disclosure of a reader’s real identifier. This is important as otherwise an attacker may be able to clone a valid reader.
• Reader Location Privacy (P5): The protocol should ensure that the message contents are sufficiently randomized to ensure that they cannot be used to track the location(s) of the readers and thereby glean social information about the owner.
• Replay Attacks (A1): The protocol should be able to resist compromise by an attacker through the replay of messages that have been collected by an attacker during previous protocol sequences. This requires that protocol messages in each round of the protocol are unique.
• De-synchronization Attack (A2): The protocol should be able to recover from incomplete protocol sequences that can occur due to an attacker selectively blocking messages. Importantly, such blocking of messages by an attacker should not lead to de-synchronization between the tag and the server/reader.
• Server Impersonation (A3): The protocol should ensure that the server cannot be impersonated by an attacker. This requires that the tag/reader challenges a server to prove its legitimacy thereby achieving mutual authentication.
III. MUTUAL AUTHENTICATION
The need for security and privacy in RFID systems is well recognized and there has been a significant amount of work in this area [13], [12], [14]. However, the practical implementation of most schemes is limited by three main factors. Firstly, many schemes do not achieve conformance to EPC Class 1 Gen-2 standards and hence cannot be implemented on low cost tags which cannot support complex computation (such as hash functions). Secondly, schemes that are compliant to EPC Class 1 Gen-2 standards do not provide robust security in terms of authentication and privacy. Thirdly, most schemes assume that the channel between the back-end server and the reader is secure and hence they are not suitable in mobile/wireless reader environments where this assumption does not hold.
Early approaches to deal with the security problem in RFID systems include the use of shared secrets with the use of a pseudorandom function ensemble; hash chains to update a shared random identifier; monotonically increasing session hashes to prevent replay attacks; shared secrets and random nonces; monotonically increasing timestamps; and the use of XOR (exclusive OR), hash chains and a shared secret key between the reader and the back end server for reader tag authentication. Security flaws and protocol vulnerabilities have been identified in [15] in the schemes employing one or more of these techniques.
[16] identifies that the scheme proposed in Juels (2004) (a yoking proof based on keyed hash functions and message authentication code (MAC) functions for pharmaceutical applications) fails to provide tag anonymity and is not resistant to replay attacks and chosen plain-text attacks. [16] also identifies that the scheme proposed in Wong (2005) (hash-lock scheme) does not provide location privacy and is not resistant to replay and server impersonation attacks. Further, since both schemes require the implementation of hash functions on the tags they are not EPC Class-1 Gen-2 compliant.
In 2007, Chien et al. [17] proposed a mutual authentication protocol that achieves EPC Class-1 Gen-2 compliance and is based on random nonces and CRC calculations. However, it suffers from significant security drawbacks. Cryptanalysis of Chien’s scheme by Peris-Lopez et al. [18] shows that it cannot guarantee the unequivocal identification of tags, forward secrecy and location privacy of tags. It is also observed that it is not robust enough to resist tag impersonation and auto de-synchronization attacks. Lo et al. [19] proposed an improvement to Chien’s scheme but it still does not address the location privacy concern and can be compromised by collaborating readers [2]. Chen and Deng’s scheme [20] is based on CRC and PRNG functions and is suitable for implementation on EPC Class-1 Gen-2 tags. However, the use of CRC functions makes it possible for attackers to exploit the completely linear property of the CRC function [18] and Kapoor et al. [21] have recently shown that Chen and Deng’s scheme is vulnerable to impersonation attacks.
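The linearity of the CRC noted above can be checked directly. The Python below is an added example, not code from the paper or from any of the cited schemes; the CRC parameters (polynomial 0x1021, preset 0xFFFF, inverted output) and the sample byte strings are assumptions chosen for illustration. It shows that the CRC of a modified message follows from the observed CRC alone, which is why a CRC cannot serve as an authenticator, and that an HMAC does not behave this way.

```python
import hashlib
import hmac

POLY = 0x1021  # x^16 + x^12 + x^5 + 1 (assumed parameter set)


def crc16(data: bytes, init: int = 0xFFFF, xorout: int = 0xFFFF) -> int:
    """Bitwise CRC-16, most significant bit first."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ POLY) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc ^ xorout


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def predict_crc(observed_crc: int, delta: bytes) -> int:
    """CRC of (m XOR delta) derived from CRC(m) only.

    The preset and the output inversion contribute a constant that is the
    same for all messages of one length, so it cancels; what remains is the
    purely linear part, i.e. the CRC of delta with init=0 and xorout=0.
    """
    return observed_crc ^ crc16(delta, init=0, xorout=0)


def crc_is_malleable(message: bytes, delta: bytes) -> bool:
    """True if the predicted CRC equals the real CRC of the modified message."""
    real = crc16(xor_bytes(message, delta))
    return real == predict_crc(crc16(message), delta)


def hmac_is_malleable(key: bytes, message: bytes, delta: bytes) -> bool:
    """Same relation tested on HMAC-SHA-256; it does not hold."""
    def tag(m: bytes) -> bytes:
        return hmac.new(key, m, hashlib.sha256).digest()

    predicted = xor_bytes(tag(message), tag(delta))
    return hmac.compare_digest(tag(xor_bytes(message, delta)), predicted)


if __name__ == "__main__":
    msg = bytes.fromhex("3000e2001234")    # constructed sample message
    delta = bytes.fromhex("000000000001")  # constructed bit difference
    print("CRC relation holds: ", crc_is_malleable(msg, delta))
    print("HMAC relation holds:", hmac_is_malleable(b"k" * 16, msg, delta))
```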
In [22] Liu and Bailey have proposed the privacy and authentication protocol (PAP) specifically for a retail environment. It is based on a shared key between the reader and the tag, a privacy state and hash value computation by the tag and the reader. Variations of the protocol are proposed for check-out, in-store, out-store and return actions that are common in a retail environment. However, PAP fails to provide tag anonymity as the tag identifier is transmitted in the clear. The authors argue that this is acceptable since the protocol is designed specifically for a controlled environment. In addition, PAP fails to comply with EPC Class-1 Gen-2 standards. Further, vulnerability analysis of PAP by Nasser et al [23] shows that PAP suffers from traceability and impersonation attacks.
In [16], Chen et al. proposed the first mutual authentication scheme based on quadratic residues. The scheme was designed to achieve mutual authentication, tag privacy and resistance to replay and de-synchronization attacks. However, cryptanalysis of this scheme by Cao and Shen [24] shows that the scheme is vulnerable to tag impersonation attacks, replay attacks and tag location disclosure. Chen’s scheme was improved by Yeh and Wu [25] by having the tag generate an additional random number. Both Chen’s original quadratic residue based scheme and Yeh’s improved version require the tag to compute multiple hash functions. Hence both schemes are not suitable for EPC Class-1 Gen-2 tags.
IV. SECURE SEARCH
While there has been a significant amount of work done in the areas of RFID mutual authentication and tag ownership/delegation [11], [25], [22], [2], it is not the case for secure search. For the search to be secure, a tag should authenticate the reader before replying and the reader should also ensure that only legitimate tags receive the query which prevents an adversary from learning the content of the query. As noted in [4], the problem statement can be simply put as: readers want to query authenticated tags but tags will only respond to authenticated readers.
Huang and Shieh propose a Secret Search Protocol in [29] which solves the privacy problem by offering a search mechanism over encrypted data. The protocol conducts search directly on ciphertexts without the need to decrypt them which gives enhanced performance. Won et al [30] propose a search protocol utilizing AES-128 block cipher and timestamps without the need of a central database. The authors claim that the timestamp generated by a portable reader protects from illegal tag-tracking by an adversary. The protocol also protects a portable reader’s privacy even in an insecure channel by encrypting the Reader ID using AES-128 block-cipher. Both of these schemes by Huang et al. and Won et al. require tags to compute one-way hash functions or perform expensive encryptions such as AES-128 and hence are not compliant with the EPC C1G2 standard. Tan et al [31] propose a serverless secure search protocol considering the security for both the reader and the tag. A reader broadcasts h(f (ri, tj) nr) ⊕ idj , nr, ri. The tag uses its secret tj to obtain idj and if it matches with its own id then it sends back a response h(f (ri, tj) nt) nr) ⊕ idj , nt. However it is noted in [30] that Tan et al’s scheme does not completely solve the illegal tag tracking problem and also does not consider a reader holder’s privacy. Zuo [32] proposes a similar secure search protocol using a pseudo-random function with a seed and one-way hash function. The reader broadcasts F ki(idi ⊕ H (n1)) n1 F N ki (idi ⊕ H (n1)) n1 and the tag responds back with H (idi F ki(n1). The tag then updates its secret key ki. However, there are security issues with this scheme relating to reader compromise as noted in [4].
Kim et al [33] propose a serverless search protocol by providing the readers with unique access lists with a group of tags that they are authorized to search. In the search phase, the reader broadcasts the group id Gk, Si,k and random number nR. Tags receiving the search request check to see if they belong to the group. If so, and if the intended tag exists in the group it generates a random number nT and sends h(h(Si,k tj) nR nT) along with the random number. A vulnerability noted by the authors in their protocol is that the tags should send their group identity to a querying reader. Also, the tags reply to a search query for a specific group. Thus, a simple eavesdropping leads to knowing the group identity of the tags. We further note that broadcasting the group-ids and also the pseudonyms in the clear is not advisable since these two pieces of information are vital to providing security to the tags and the readers. Ahamed et al [34] propose a serverless forward secure, anonymous search protocol using a pseudorandom number generator $P(\cdot)$ that takes a seed as an argument and a function $M(\cdot)$ that generates the next pseudorandom number. The reader generates and broadcasts the random number $n^{k}_{desired}$ using $P(seed^{k}_{desired})$ to find the desired tag $T_{desired}$. Each tag receiving the random number compares it with its own $n^{k}_{i}$ and if there is a match, it knows that the query is for itself and also authenticates the reader since only a legitimate reader can know its seed. The tag replies with $n^{k+1}_{i}$ and updates its seed. After receiving the response the reader computes $n^{k+1}_{desired}$ and compares it with $n^{k+1}_{i}$ and if there is a match it can be sure that the tag is valid as only a legitimate tag can generate this.
Table I. COMPARISON OF SECURITY AND PRIVACY PROPERTIES (MUTUAL AUTHENTICATION)
Scheme P1 P2 P3 P4 P5 A1 A2 A3
Juels [26] No No § § No No
Wong et al. [27] No § § No No
Chien et al. [17] No No § § No No
Chen et al. [16] No § § No
Yeh et al [25] § §
Lo et al. [19] No § § No No
Yeh et al. [2] No No
Chen and Deng [20] No No § § No
Liu et al. [22] No No No § § No No
Cho et al. [28] No No
: Fully satisfied; §: partially satisfied under certain assumptions; : not applicable.
P1: Tag anonymity; P2: Tag location privacy; P3: Forward secrecy; P4: Reader privacy; P5: Reader location privacy; A1: Resistant to replay attacks; A2: Resistant to desynchronisation attacks; A3: Resistant to impersonation attacks.
Kulseng et al [35] propose a secure search protocol based on Physically Unclonable Functions (PUF) and Linear Feedback Shift Register (LFSR). The authors claim that their protocol requires not more than 1400 hardware gates to implement the security features which is well within the limits of low-cost passive RFID tags. LFSR is used to generate random numbers and PUF is used to authenticate the tags. The protocol addresses physical attacks and replay attacks. The protocol provides security from eavesdropping attacks since all secrets are XORed with some random numbers which are changed every round of the search. Also the implementation of the P function based on the PUF circuit can protect the tag from physical attacks. A probe on the wire of the PUF will change the resistance in the link that is being probed and therefore render the PUF to alter its behavior. Also, the P function is unclonable. If the content of the tag is somehow copied to another tag, the new tag will not be able to mimic the behavior of the original tag, because no two PUF circuits behave exactly the same. Replay attacks are also not possible since the greeting numbers are updated after each authentication/search. An improvement of the protocol is suggested by the authors to prevent de-synchronization attacks. Here, the reader and the tag do not share any secret key K. Instead, the tag stores the greeting numbers from the previous round and the currently expected greeting number. All tags maintain a predefined probability and decide whether to generate a fake response based on this probability to provide tag location privacy and prevent tracking attacks.
Now, we present our protocol proposed in [36] that is based on simple XOR and PRNG operations. A blind-factor ($\beta$) is used to hide the random numbers during all transmissions to provide additional security. The scheme is designed to conform with EPC C1G2 standards since we do not employ any encryption or hash functions while meeting the necessary security requirements. The protocol has two phases. In the first phase the backend server sets up all the tags and the readers with the necessary information such as IDs, private/shared secrets and so on. The second phase is where the search is conducted using the proposed protocol. The reader computes $M_1$ using $id_j$, the reader-tag shared secret $rts_j$ and the random number as $M_1 = id_j \oplus PRNG(rts_j \oplus rr)$. $M_2$ is computed as $M_2 = rr \oplus \beta$. The tags compute their own $\beta$, extract $rr$ from $M_2$, compute $x = id \oplus PRNG(rts \oplus rr)$ or $x = id \oplus PRNG(rts_{-1} \oplus rr)$, compare it with $M_1$ and, if there is a match, compute $M_3 = rts \oplus PRNG(id \oplus tr)$ or $M_3 = rts_{-1} \oplus PRNG(id \oplus tr)$ and $M_4 = tr \oplus \beta$ and send them back to the reader. The reader verifies the response to see if the tag is present.
Table II. COMPARISON OF SECURITY AND PRIVACY PROPERTIES (SECURE SEARCH)
Scheme P1 P2 P3 P4 P5 P6 A1 A2
Huang et al [29] No NA NA
Won et al [30] No NA
Tan et al [31] No No No
Zuo [32] NA NA
Kulseng et al [35] § NA
Kim et al [33] No No
Our Scheme
P1: Basic Privacy; P2: Mutual Authentication; P3: Tag Anonymity; P4: Reader Anonymity; P5: Tag Location Privacy; P6: Reader Location Privacy; A1: Replay Attack; A2: DoS/De-synchronization Attack; C1: EPC Class-1 Gen-2 Compliance
- Fully Satisfied; NA - Not Applicable; - Partially Satisfied; § - Fully Satisfied under certain assumptions
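A simulation of the search exchange M1 to M4 described above, as an added example that is not the authors' implementation from [36]. The 16-bit word size, the stand-in `prng` and the derivation of the blind factor in `blind` are assumptions, since the page does not specify them; all identifiers and secrets are constructed values.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

MASK = 0xFFFF  # assumed 16-bit words


def prng(seed: int) -> int:
    """Stand-in for PRNG(seed): a constant offset plus one 16-bit xorshift
    round. It is a bijection, so equal outputs imply equal seeds. It is not
    a secure generator and only makes the message flow executable."""
    x = (seed ^ 0xACE1) & MASK
    x ^= (x << 7) & MASK
    x ^= x >> 9
    x ^= (x << 8) & MASK
    return x


def blind(tag_id: int, rts: int) -> int:
    """Assumed derivation of the blind factor beta from shared values."""
    return prng(tag_id ^ rts)


def reader_query(id_j: int, rts_j: int, rr: Optional[int] = None) -> Tuple[int, int]:
    """Reader side: M1 = id_j XOR PRNG(rts_j XOR rr), M2 = rr XOR beta."""
    rr = secrets.randbelow(MASK + 1) if rr is None else rr
    return id_j ^ prng(rts_j ^ rr), rr ^ blind(id_j, rts_j)


@dataclass
class Tag:
    tag_id: int
    rts: int       # current reader-tag shared secret
    rts_prev: int  # previous secret, written rts-1 in the text

    def respond(self, m1: int, m2: int, tr: Optional[int] = None):
        """Return (M3, M4) if the query targets this tag, else None."""
        for secret in (self.rts, self.rts_prev):
            beta = blind(self.tag_id, secret)
            rr = m2 ^ beta                           # extract rr from M2
            if self.tag_id ^ prng(secret ^ rr) == m1:
                tr = secrets.randbelow(MASK + 1) if tr is None else tr
                return secret ^ prng(self.tag_id ^ tr), tr ^ beta
        return None                                  # stay silent


def reader_verify(id_j: int, rts_j: int, m3: int, m4: int) -> bool:
    """Reader side: recover tr from M4 and recompute M3."""
    tr = m4 ^ blind(id_j, rts_j)
    return m3 == rts_j ^ prng(id_j ^ tr)


if __name__ == "__main__":
    wanted = Tag(tag_id=0x1234, rts=0xBEEF, rts_prev=0x0F0F)
    bystander = Tag(tag_id=0x4321, rts=0xCAFE, rts_prev=0x1111)

    m1, m2 = reader_query(0x1234, 0xBEEF)
    print("bystander reply:", bystander.respond(m1, m2))
    reply = wanted.respond(m1, m2)
    print("wanted tag verified:", reader_verify(0x1234, 0xBEEF, *reply))

    # A reader whose database still holds the previous secret is served too.
    m1, m2 = reader_query(0x1234, 0x0F0F)
    reply = wanted.respond(m1, m2)
    print("stale reader verified:", reader_verify(0x1234, 0x0F0F, *reply))
```

Because the tag stays silent unless M1 matches one of its two stored secrets, a reader without the shared secret receives no reply at all.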
V. TAG OWNERSHIP
Lopez et al [37] and Cai et al [38] discuss the vulnerability in Song et al’s ownership transfer scheme. It is shown that the secret update protocol is vulnerable to de-synchronization attack by blocking the first message (r1, M1, M2) from reaching the tag. The adversary then forges a second message (r1, M 1, M 2) that will be accepted by the tag which results in the tag’s secret being updated to a value that the legitimate server does not know. Henceforth the legitimate server cannot access the tag resulting in de-synchronization. As a fix, it is suggested that M2 be modified from si(new) ⊕ (t i >> l/2) to si(new) ⊕ h(t i) on the server side. Then on the tag side, si ← M2 ⊕ (t i >> l/2) is revised to si ← M2 ⊕ h(t i). Song et al [39] provide a further revised version of the protocol in which M2 = f t(r1 r2) remains the same as in [38] and M3 is changed to s ⊕ f t(r2 r1). Zhou et al [40] propose a tag ownership transfer protocol which considers third party logistics (TPL) provider and the Trusted Third Party (TTP) and their roles in the ownership transfer in a distributed supply chain environment. The scheme uses two keys: one main key for the owner and a sub-key for the third-party logistics provider. The sequence of events is: 1) The current owner possesses or obtains from the TTP the main key K, to the item of interest; 2) The tag, current owner and the TPL provider (if any) obtain sub-key ki, for the item at the origin location; 3) The item is transported from the origin to the destination location; 4) The new owner obtains the main key from TTP; 5) The new owner, TPL provider and tag obtain the updated sub-key from the TTP. The owners have to have knowledge of both the main and sub-keys to communicate with the tag and the composite key is represented by K ⊕ ki. It is noted by the authors that the protocol: 1) does not guarantee forward secrecy since none of the messages are encrypted by any hash function and 2) does not protect from relay attacks (which is when an attacker simply relays messages between an honest reader and honest tag with or without the knowledge of the other party) due to the absence of cryptographic manipulations by the attacker.
Figure 1. Our Secure Search Protocol from [36]
Song et al discuss a RFID pseudonym protocol in [39] that uses a pre-computed lookup table for tag authentication resulting in O(1) work to identify and authenticate a tag as opposed to O(n) in some other protocols. The look-up table contains a number of entries (determined by the hash-chain length m) for each tag, one for each element of a tag-specific hash-chain. Elements from this hash-chain are used as tag identifiers. In the init phase the server S chooses $l$ (bit-length of tag identifier), $l_r$ (bit-length of a random string), $l_m$ (bit-length of integer m), e, f and g as keyed-hash functions and h a hash function. To build the look-up table, S chooses an l-bit string s and computes the key $k = h(s)$. S chooses a random l-bit string $x_0$ and computes the hash-chain $x_i = e_k(x_{i-1})$ for $1 \le i \le m$. Each value in the hash-chain is used as a one-time tag identifier. S stores s, k and the identifiers $x_0, x_1, \ldots, x_m$ as the entries for T in the look-up table. Following the tag authentication, the secret update takes place if x = xm where the secrets are updated from (s−1, k−1, s , k , x0, x1,...,xm) to (s ,k,s, k, x , x 1, x 2,...,x m).
Tag delegation is pretty straightforward. When S wants to delegate tag T to an entity, it transfers the secret k and the identifiers $x_0, x_1, \ldots, x_m$ to the entity via a secure channel. Then the entity can authenticate the tag a maximum of m times but cannot update the tag secrets since it does not know s. For the tag ownership transfer the secret update is accomplished as follows: Server S chooses new secret s, a random string r and an integer m . It then computes k = h(s) and M s = gk(x r) ⊕ (s k m) and sends r, M s to tag T. T computes (s k m) = M s ⊕ gk(x r). If h(s) = k, S is authenticated and T updates its secret from k to k and its counter c to m. T then computes M T = f k(r x) using the new secret k and sends M T to S. If M T = f k(r x), S now knows that T has received the new secret k , and updates secrets s and k for T to s and k respectively. S computes the hash-chain values, xi = ek(xi−1) for 1 ≤ i ≤ m, where x0 is set to x. Otherwise, S starts over again.
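The look-up table and the delegation step described above, as an added Python example that is not Song et al.'s code. HMAC-SHA-256 and SHA-256 truncated to 128 bits stand in for e and h, and the tag's stepping rule (advance the chain, emit the new value, stop after m identifiers) is an assumption; tag names are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

L_BYTES = 16  # assumed identifier length l = 128 bits


def h(s: bytes) -> bytes:
    """Stand-in for the hash function h."""
    return hashlib.sha256(s).digest()[:L_BYTES]


def e(k: bytes, x: bytes) -> bytes:
    """Stand-in for the keyed hash e_k."""
    return hmac.new(k, x, hashlib.sha256).digest()[:L_BYTES]


def hash_chain(k: bytes, x0: bytes, m: int) -> List[bytes]:
    """x_0, x_1, ..., x_m with x_i = e_k(x_{i-1})."""
    chain = [x0]
    for _ in range(m):
        chain.append(e(k, chain[-1]))
    return chain


class Tag:
    def __init__(self, k: bytes, x0: bytes, m: int):
        self.k, self.x, self.c = k, x0, m  # c counts remaining identifiers

    def next_identifier(self) -> Optional[bytes]:
        if self.c == 0:
            return None                    # chain exhausted, update needed
        self.x = e(self.k, self.x)
        self.c -= 1
        return self.x


class LookupTable:
    """identifier -> (tag name, chain index): one dict probe per lookup."""

    def __init__(self) -> None:
        self.entries: Dict[bytes, Tuple[str, int]] = {}

    def add(self, name: str, chain: List[bytes]) -> None:
        for i, x in enumerate(chain):
            self.entries[x] = (name, i)

    def find(self, x: bytes) -> Optional[Tuple[str, int]]:
        return self.entries.get(x)


class Delegate:
    """Receives k and the identifiers, but never the secret s."""

    def __init__(self, name: str, k: bytes, chain: List[bytes]):
        self.k = k
        self.table = LookupTable()
        self.table.add(name, chain)

    def identify(self, x: bytes) -> Optional[str]:
        hit = self.table.find(x)
        return None if hit is None else hit[0]


class Server:
    def __init__(self, m: int):
        self.m = m
        self.table = LookupTable()
        self.records: Dict[str, Tuple[bytes, bytes, List[bytes]]] = {}

    def enroll(self, name: str) -> Tag:
        s = secrets.token_bytes(L_BYTES)
        k = h(s)
        chain = hash_chain(k, secrets.token_bytes(L_BYTES), self.m)
        self.records[name] = (s, k, chain)
        self.table.add(name, chain)
        return Tag(k, chain[0], self.m)

    def identify(self, x: bytes) -> Optional[Tuple[str, bool]]:
        """Return (tag name, update_due); update is due when x equals x_m."""
        hit = self.table.find(x)
        if hit is None:
            return None
        name, index = hit
        return name, index == self.m

    def delegate(self, name: str) -> Delegate:
        _s, k, chain = self.records[name]  # s stays with the server
        return Delegate(name, k, chain)


if __name__ == "__main__":
    server = Server(m=4)
    tag = server.enroll("pallet-17")       # constructed tag name
    for _ in range(5):
        x = tag.next_identifier()
        print(x.hex() if x else None, server.identify(x) if x else "-")
```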
Fouladgar and Afifi [9] propose two privacy preserving schemes for ownership transfer based on hash functions and symmetric key cryptographic functions. As noted earlier the use of hash functions or keyed encryption functions is not in compliance with EPC Class-1 Gen-2 standards. Besides this, however, in both the schemes the update of the secret keys $K_U$ and $K_P$ is not protected against de-synchronization. An attacker can easily achieve DoS by blocking the final ACK message to the tag leading to the tag and the back-end database having different keys. The authors claim that this is an issue that is not inherent to the scheme but rather due to the nature of the wireless channel. However, no solution is proposed. One possible solution is to store previous key values in the database. Seo et al. [41] propose a scheme based on a Public Key Infrastructure (PKI) with the tag’s computation moved to a “proxy” that manages each tag and is within the backward channel range of each tag. In our opinion, the infrastructure overhead of the scheme and the notion of a “proxy” make the scheme impractical. Kapoor and Piramuthu [42] propose two schemes, one with a TTP and one without a TTP, to enable ownership transfer. The schemes are based on keyed hash and keyed encryption functions. The protocol with TTP suffers from de-synchronization as the tag updates its secret even before the new secret is given to the new owner by the TTP. This means that the attacker can cause de-synchronization by blocking any of the following messages. The non-TTP version also suffers from vulnerabilities that can lead to forward secrecy compromise and tag cloning attacks. In [43] a lightweight ownership transfer protocol that is based on physically unclonable functions (PUF) and linear feedback shift registers (LFSR) is proposed. The authors propose two protocols, one with a TTP and another without a TTP. However, on analysis both the protocols fail to provide the required security properties. As noted in [43] the protocol with TTP suffers from permanent de-synchronization when an attacker selectively blocks messages; while the protocol without a TTP is designed based on the assumption that an attacker is not able to eavesdrop on the transmission over the wireless channel. This is not a valid assumption as noted by Kapoor et al. [44].
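The blocked-ACK de-synchronization described above for key updates, and the suggested remedy of keeping previous key values in the database, can be compared side by side. This Python is an added example and not the message format of Fouladgar and Afifi's schemes: a single shared key, an HMAC challenge-response and a hash-based key update are stand-ins assumed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional


def answer(key: bytes, nonce: bytes) -> bytes:
    """Tag's reply to a challenge (stand-in for the scheme's keyed response)."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def next_key(key: bytes, nonce: bytes) -> bytes:
    """Stand-in key update applied by both sides after a successful session."""
    return hashlib.sha256(key + nonce).digest()


class Tag:
    def __init__(self, key: bytes):
        self.key = key

    def reply(self, nonce: bytes) -> bytes:
        return answer(self.key, nonce)

    def on_ack(self, nonce: bytes) -> None:
        # The tag only rolls its key forward when the final ACK arrives.
        self.key = next_key(self.key, nonce)


class Server:
    def __init__(self, key: bytes, keep_previous: bool):
        self.current = key
        self.previous: Optional[bytes] = None
        self.keep_previous = keep_previous

    def verify_and_update(self, nonce: bytes, reply: bytes) -> bool:
        candidates = [self.current]
        if self.keep_previous and self.previous is not None:
            candidates.append(self.previous)
        for key in candidates:
            if hmac.compare_digest(answer(key, nonce), reply):
                # Remember the key the tag demonstrably holds, then update.
                self.previous, self.current = key, next_key(key, nonce)
                return True
        return False


def session(server: Server, tag: Tag, ack_delivered: bool) -> bool:
    nonce = secrets.token_bytes(16)
    ok = server.verify_and_update(nonce, tag.reply(nonce))
    if ok and ack_delivered:
        tag.on_ack(nonce)
    return ok


def run_sessions(keep_previous: bool, acks: List[bool]) -> List[bool]:
    """Run one session per entry of acks; False means the ACK was blocked."""
    key = secrets.token_bytes(16)
    server, tag = Server(key, keep_previous), Tag(key)
    return [session(server, tag, delivered) for delivered in acks]


if __name__ == "__main__":
    pattern = [True, False, True, True]  # second ACK is blocked
    print("current key only:   ", run_sessions(False, pattern))
    print("previous key stored:", run_sessions(True, pattern))
```

With only the current key stored, every session after the blocked ACK fails; with the previous key retained, the server recognises the lagging tag and the pair re-synchronise on the next delivered ACK.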
VI. OPEN RESEARCH PROBLEMS
RFID security and privacy research is broadly categorized
into two areas [4]. The first is protocol based which emphasize
on designing protocols using lightweight primitives. The second
category is hardware based emphasizing on improving tag
hardware to provide additional security primitives like elliptic
curve cryptography. Several existing research problems in the
RFID arena are discussed below as given in [28]. Intended
or Meaningless Request: This type of attack is used in tag
location tracking and traffic analysis. Here an adversary trans-
mits intended or meaningless requests to a tag instead of
eavesdropping the communication. The weaknesses in some
Table IIICOMPARISON OF SECURITY AND PRIVACY PROPERTIES (TAG OWNERSHIP)
Scheme P1 P2 P3 P4 A1 A2 A3
Osaka et al. [45] No No No
Fouldagar and Afifi [9] No
Kulseng et al (withTTP). [43]
No
Kulseng et al (withoutTTP). [43]
No
Dimitriou [46] No No No NoSong and Mitchell [39] No No §Kapoor and Piramuthu(with TTP). [44]
§ § No
Kapoor and Piramuthu(without TTP). [44]
§ § No No
: Fully satisfied§: partially satisfied under certain assumptions.
protocols enables the adversary to anticipate the response
message of the tag that can be used to perform locationtracking. Acquisition of tag information with complexity equal
to the backend server: A hash based protocol generally has a
computational complexity of O(n) where n is the number of
tags and if the cost of an adversary to obtain the tag information
via brute-force attack is the same then the attack is considered
to be effective. Excessive growth of computational complexity
of backend server to recognize a tag: If tag identification by
the backend server has excessive computational complexity
then the efficiency of the overall system declines thereby
making the protocol unrealistic for realtime applications. Over
Dependency of response message of tag on random number:
Random numbers that are used in the operations are exposed
during the transmission. An adversary can use this to perform
a traffic analysis and brute-force attack.
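Two of the problems listed above, predictable responses to a repeated request and the O(n) backend search of hash based protocols, can be measured in a few lines. This is an added example and not a protocol from the paper or from [28]: the reply format, the function names and the sample tag population are assumptions, and HMAC-SHA256 stands in for the protocol's hash.

```python
import hashlib
import hmac
import os

def keyed_hash(key: bytes, challenge: bytes, nonce: bytes) -> bytes:
    # HMAC-SHA256 stands in for a protocol's hash function (assumption).
    return hmac.new(key, challenge + b"|" + nonce, hashlib.sha256).digest()

def tag_static(key: bytes, challenge: bytes):
    """Reply is a function of the reader's request only."""
    return b"", keyed_hash(key, challenge, b"")

def tag_randomized(key: bytes, challenge: bytes):
    """Reply also covers a fresh tag nonce, which is sent in the clear."""
    nonce = os.urandom(8)
    return nonce, keyed_hash(key, challenge, nonce)

def linkable(tag_fn, key: bytes) -> bool:
    """Send the same request twice; identical replies let sightings be linked."""
    request = b"\x00" * 16                    # constructed fixed request
    return tag_fn(key, request) == tag_fn(key, request)

def identify(db: dict, challenge: bytes, nonce: bytes, reply: bytes):
    """Backend lookup: one hash per enrolled tag until a match, O(n)."""
    hashes = 0
    for tag_id, key in db.items():
        hashes += 1
        if hmac.compare_digest(keyed_hash(key, challenge, nonce), reply):
            return tag_id, hashes
    return None, hashes

def build_db(n: int) -> dict:
    # Constructed sample population of n tags with random 128-bit keys.
    return {f"tag-{i:04d}": os.urandom(16) for i in range(n)}
```

The hash count returned by `identify` is the per-read cost a designer has to budget for, and it grows linearly with the number of enrolled tags; unrecognised replies always cost the full n hashes.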
VII. CONCLUSION
In this paper, we have discussed RFID and its role in our
everyday lives; the security/privacy threats posed by RFID and
how security plays a significant role in areas such as mutual
authentication, secure search and tag ownership/delegation; the
challenges in implementing security features in low-cost passive
RFID tags, which are highly resource constrained; and how many of
the schemes that claim to meet the necessary security
requirements do not comply with the EPC Class-1 Gen-2 standards due
to the use of expensive hash operations or sophisticated encryption
schemes that passive tags cannot handle.
Our future work involves the development of such C1G2
compliant protocols for passive tags in the area of ownership
transfer/delegation.
REFERENCES
[1] M. Roberti, “The history of rfid technology,” RFID Journal LLC. [Online]. Available: http://www.rfidjournal.com/article/view/1338
[2] T.-C. Yeh, Y.-J. Wang, T.-C. Kuo, and S.-S. Wang, “Securing RFID systems conforming to EPC Class 1 Generation 2 standard,” Expert Systems with Applications, vol. 37, no. 12, pp. 7678–7683, Dec. 2010.
[3] C. Lee, S. Park, K. Lee, and D. Won, “An Attack on an RFID Authentication Protocol Conforming to EPC Class 1 Generation 2 Standard,” International Conference on Hybrid Information Technology, pp. 488–495, 2011.
[4] C. Tan, B. Sheng, and Q. Li, “Secure and Serverless RFID Authentication and Search Protocols,” IEEE Transactions on Wireless Communications, vol. 7, no. 4, pp. 1400–1407, Apr. 2008.
[5] H. Pagey and K. A. Hua, “TagPay: A Payment Atomic RFID Ownership Transfer Protocol,” 2010 IEEE 12th Conference on Commerce and Enterprise Computing, pp. 196–203, Nov. 2010.
[6] C. H. Lim and T. Kwon, “Strong and Robust RFID Authentication Enabling Perfect Ownership Transfer,” International Conference on Information and Communications Security – ICICS’06, vol. 4307, pp. 1–20, 2006.
[7] L. Leinweber, F. G. Wolff, C. Papachristou, and F. L. Merat, “A minimal protocol with public key cryptography for identification and privacy in RFID tags,” 2009 International Symposium on Signals, Circuits and Systems, pp. 1–4, Jul. 2009.
[8] G. Avoine, “Adversarial Model for Radio Frequency Identification,” Cryptology ePrint Archive, Report 2005/049, 2005.
[9] S. Fouladgar and H. Afifi, “A Simple Privacy Protecting Scheme Enabling Delegation and Ownership Transfer for RFID Tags,” Journal of Communications, vol. 2, no. 6, pp. 6–13, Nov. 2007.
[10] P. Japinnen and H. Hamalainen, “Enhanced RFID security method with ownership transfer,” in Proc. of International Conference on Computational Intelligence and Security, 2008.
[11] H.-Y. Chien and C.-S. Laih, “ECC-based lightweight authentication protocol with untraceability for low-cost RFID,” Journal of Parallel and Distributed Computing, vol. 69, pp. 848–853, 2009.
[12] R. D. Pietro and R. Molva, “An optimal probabilistic solution for information confinement, privacy and security in RFID systems,” Journal of Network and Computer Applications, 2010.
[13] T. van Deursen and S. Radomirovic, “On a new formal proof for RFID Location Privacy,” Information Processing Letters, vol. 110, pp. 57–61, 2009.
[14] E. Choi, D. H. Lee, and J. I. Lim, “Anti-cloning protocol suitable for EPCglobal Class-1 Generation-2 RFID systems,” Computer Standards and Interfaces, vol. 31, pp. 1124–1130, 2009.
[15] S. Piramuthu, “Protocols for RFID tag/reader authentication,” Decision Support Systems, vol. 43, pp. 897–914, 2007.
[16] Y. Chen, J.-S. Chou, and H.-M. Sun, “A novel mutual authentication scheme based on quadratic residues for RFID systems,” Computer Networks, vol. 52, pp. 2373–2380, April 2008.
[17] H.-Y. Chien and C.-H. Chen, “Mutual Authentication Protocol for RFID conforming to EPC Class 1 Generation 2 Standards,” Computer Standards and Interfaces, vol. 29, no. 2, pp. 254–259, April 2007.
[18] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda, “Cryptanalysis of a novel authentication protocol conforming to epc-c1g2 standard,” Computer Standards and Interfaces, vol. 31, no. 2, pp. 372–380, 2009.
[19] N. Lo and K. Yeh, “An efficient mutual authentication scheme for EPCglobal Class-1 Generation-2 RFID systems,” in International Conference on Embedded and Ubiquitous Computing, 2007.
[20] C.-L. Chen and Y.-Y. Deng, “Conformation of EPC Class-1 Generation 2 standards RFID system with mutual authentication and privacy protection,” Engineering Applications of Artificial Intelligence, vol. 22, pp. 1284–1291, January 2009.
[21] G. Kapoor and S. Piramuthu, “Vulnerabilities in chen and deng’s rfid mutual authentication and privacy protection protocol,” Engineering Applications of Artificial Intelligence, vol. 24, no. 7, pp. 1300–1302, 2011.
[22] A. Liu and L. Bailey, “PAP: Privacy and authentication protocol for passive RFID tags,” Computer Communications, vol. 32, pp. 1194–1199, 2009.
[23] M. Nasser, P. Peris-Lopez, P. Rafie, and M. J. van der Lubbe, “Vulnerability analysis of pap for rfid tags,” ArXiv e-prints, August 2010.
[24] T. Cao and P. Shen, “Cryptanalysis of some RFID authentication protocols,” Journal of Communications, vol. 3, no. 7, pp. 20–27, December 2008.
[25] T.-C. Yeh, C.-H. Wu, and Y.-M. Tseng, “Improvement of the RFID authentication scheme based on quadratic residues,” Computer Communications, 2010.
[26] A. Juels, “Yoking-Proofs for RFID Tags,” in International Workshop on Pervasive Computing and Communication Security – PerSec 2004, 2004, pp. 138–143.
[27] K. Wong, P. Hui, and A. Chan, “Cryptography and authentication on RFID tags for apparels,” Computer in Industry, vol. 57, pp. 342–349, 2005.
[28] J.-S. Cho, S.-S. Yeo, and S. K. Kim, “Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value,” Computer Communications, vol. 34, no. 3, pp. 391–397, Mar. 2011.
[29] S.-I. Huang and S. Shieh, “Authentication and secret search mechanisms for RFID-aware wireless sensor networks,” Int. J. Security and Networks, vol. 5, no. 1, pp. 15–25, 2010.
[30] T. Y. Won, J. Y. Chun, and D. H. Lee, “Strong Authentication Protocol for Secure RFID Tag Search without Help of Central Database,” 2008 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, pp. 153–158, Dec. 2008.
[31] C. C. Tan, B. Sheng, and Q. Li, “Serverless Search and Authentication Protocols for RFID,” International Conference on Pervasive Computing and Communications – PerCom 2007, pp. 3–12, 2007.
[32] Y. Zuo, “Secure and private search protocols for RFID systems,” Information Systems Frontiers, vol. 12, no. 5, pp. 507–519, Aug. 2009.
[33] Z. Kim, J. Kim, K. Kim, I. Choi, and T. Shon, “Untraceable and Serverless RFID Authentication and Search Protocols,” 2011 IEEE Ninth International Symposium on Parallel and Distributed Processing with Applications Workshops, pp. 278–283, May 2011.
[34] S. I. Ahamed, F. Rahman, E. Hoque, F. Kawsar, and T. Nakajima, “S3PR: Secure Serverless Search Protocols for RFID,” 2008 International Conference on Information Security and Assurance (isa 2008), pp. 187–192, Apr. 2008.
[35] L. Kulseng, Z. Yu, Y. Wei, and Y. Guan, “Lightweight Secure Search Protocols for Low-cost RFID Systems,” 2009 29th IEEE International Conference on Distributed Computing Systems, pp. 40–48, Jun. 2009.
[36] S. Sundaresan, R. Doss, and W. Zhou, “A serverless ultra-lightweight secure search protocol for epc class-1 gen-2 uhf rfid tags,” 2012 International Conference on Computer and Information Sciences, to appear, 2012.
[37] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Tapiador, T. Li, and Y. Li, “Vulnerability analysis of RFID protocols for tag ownership transfer,” Computer Networks, vol. 54, no. 9, pp. 1502–1508, Jun. 2010.
[38] C. Shaoying, Y. Li, T. Li, and R. H. Deng, “Attacks and Improvements to an RFID Mutual Authentication Protocol and its Extensions,” Proceedings of the 2nd ACM Conference on Wireless Network Security – WiSec’09, pp. 51–58, 2009.
[39] B. Song and C. J. Mitchell, “Scalable RFID security protocols supporting tag ownership transfer,” Computer Communications, vol. 34, no. 4, pp. 556–566, Apr. 2011.
[40] W. Zhou, E. J. Yoon, and S. Piramuthu, “Varying Levels of RFID Tag Ownership in Supply Chains,” On the Move to Meaningful Internet Systems – OTM 2011, pp. 228–235, 2011.
[41] Y. Seo, T. Asano, H. Lee, and K. Kim, “A lightweight protocol enabling ownership transfer and granular data access of RFID tags,” the 2007 Symposium on Cryptography and Information Security Sasebo, pp. 23–26, 2007.
[42] G. Kapoor and S. Piramuthu, “Single RFID Tag Ownership Transfer Protocols,” IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, vol. 99, pp. 1–10, 2011.
[43] L. Kulseng, Z. Yu, Y. Wei, and Y. Guan, “Lightweight Mutual Authentication and Ownership Transfer for RFID Systems,” in INFOCOM 2010, 2010.
[44] G. Kapoor and S. Piramuthu, “Vulnerabilities in some recently proposed RFID ownership transfer protocols,” IEEE Communications Letters, vol. 14, no. 3, pp. 260–262, Mar. 2010.
[45] K. Osaka, T. Takagi, K. Yamazaki, and O. Takahashi, “An Efficient and Secure RFID Security Method with Ownership Transfer,” in 2006 International Conference on Computational Intelligence and Security. IEEE, Nov. 2006, pp. 1090–1095.
[46] T. Dimitriou, “RFIDDOT: RFID Delegation and Ownership Transfer made simple,” in SecureComm, 2008.
Proceedings of International Conference on Innovation in Electronics and Communication Engineering
20-21, July 2012, GNI Hyderabad