Computer Communications 34 (2011) 337–341
Improvement of the RFID authentication scheme based on quadratic residues

Tzu-Chang Yeh a,*, Chien-Hung Wu a, Yuh-Min Tseng b
a Department of Information Management, Minghsin University of Science and Technology, Hsin Feng, Hsinchu 30401, Taiwan
b Department of Mathematics, National Changhua University of Education, Jin-De Campus, Chang-Hua City 50007, Taiwan

Article history: Available online 26 May 2010
Keywords: RFID; Security; Privacy; Authentication

Abstract
RFID, with its capability of remote automatic identification, is taking the place of barcodes and becoming the new generation of electronic tags. However, information transmitted through the air is vulnerable to eavesdropping, interception, or modification due to its radio transmission nature; the prevalence of RFID has greatly increased security and privacy concerns. In 2008, Chen et al. proposed an RFID authentication scheme which can enhance security and privacy by using hash functions and quadratic residues. However, their scheme was found to be vulnerable to impersonation attacks. This study further demonstrates that their scheme does not provide location privacy and suffers from replay attacks. An improved scheme is also proposed which can prevent possible attacks and be applied in environments requiring a high level of security. © 2010 Elsevier B.V. All rights reserved.
* Corresponding author. Tel.: +886 3 5593142x3430; fax: +886 3 5267672. E-mail address: [email protected] (T.-C. Yeh).
0140-3664/$ - see front matter © 2010 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2010.05.011

1. Introduction

RFID (Radio Frequency Identification) is a kind of contactless automatic identification system [1–3] which consists of tags, tag readers, and a backend server. A reader accesses the information contained within a tag via radio transmission. With the accessed information as an index, the reader can retrieve the corresponding record from the database of the backend server. Owing to the radio transmission nature of RFID, the information transmitted through the air can easily be eavesdropped on, intercepted, or modified. As the use of RFID increases, many security and privacy issues are being raised. The following threats are of the most concern [4–8].

Secrecy: The data kept in the tag is illegally accessed.
Location privacy: Communications between the tag and the reader/server can be used to trace the tag or the person holding the tag.
Forward secrecy: If the data kept in the tag is compromised by attackers later on, the tag's past communications can be identified and traced from the historical transaction records.
Replay attack: Adversaries can intercept transmitted information and resend it illegally in an attempt to deceive a legitimate device and pass the authentication.
DoS (Denial of Service) attack: Adversaries can disable the system by sending excessive data or simply shielding the RFID device to keep it from operating. Moreover, they can intercept the transmitted information so that the tag and the server are unable to update their shared secret data synchronously, in which case the following authentications and accesses fail.
Impersonation attack: Attackers can masquerade as the reader or the tag to pass the authentication by falsifying data and thereby gain illegal advantages.

As its cost declines, RFID is anticipated to be widely used in our daily life. Adversaries may use illegal readers to trace tags or their holders. Therefore, location privacy will become a major topic of RFID in the near future. Many RFID security mechanisms for location privacy protection have been proposed in recent years. By the method used, those mechanisms can be categorized into the following two types:

Pseudonym [9,10]: A series of pseudonyms is pre-shared by the server and the tag. For each tag reading, the tag sends a new pseudonym to the reader to avoid being traced. However, this method needs a large memory space to store the pseudonyms, and the pseudonyms need to be updated once they have all been used.
Shared secret update [4,5,11–15]: At the end of each tag reading, the server and the tag update the shared secret synchronously. Therefore, a different shared secret will be used for each tag reading. However, if the information transmitted through the air is intercepted, modified, lost, or replayed, the server and the tag will be unable to update their shared secret synchronously. That causes a DoS attack.

In 2008, Chen et al. [4] proposed a novel RFID authentication scheme based on quadratic residues to enhance location privacy
protection. However, Cao and Shen [16] found that the proposed scheme is vulnerable to impersonation attacks. This study further demonstrates that their scheme does not provide location privacy and suffers from replay attacks. Therefore, we propose an improvement based on Chen et al.’s RFID authentication scheme. A security analysis has been given to demonstrate that the improved scheme can withstand the above-mentioned threats and can, therefore, be applied in environments requiring a high level of security. The rest of this paper is organized as follows: Section 2 briefly reviews Chen et al.’s scheme. Section 3 presents the security weaknesses of Chen et al.’s scheme. Section 4 presents the improved scheme. Section 5 shows the security analysis of the improved scheme. Finally, a conclusion is given in Section 6.
2. Review of Chen et al.'s scheme

This section briefly reviews Chen et al.'s scheme, which assumes that the communication between the server and the tag reader is based on an authenticated channel whose confidentiality is ensured. Their scheme consists of two phases: an initialization phase and an authentication phase. The following notations are used throughout this paper:

n: The product of two large primes, p and q.
s: A random number generated by the reader.
h(.): The one-way hash function.
PRNG: Pseudo-Random Number Generator.
TID: The tag identifier.
h(TID): The hash value of the tag identifier, which is used as a database index.
r: The current authentication key shared between the tag and the server.
rold: The old authentication key stored in the server.
A → B: A sends a message to B.

2.1. Initialization phase

The backend server first generates two large secret primes p and q, and computes the public value n = pq. Without loss of generality, for a tag, the server generates a random number r and stores ⟨TID, h(TID), r⟩ into the tag memory. Meanwhile, the server stores ⟨TID, h(TID), r, rold⟩ into its database, where rold = r at the beginning.

2.2. Authentication phase

The authentication phase of Chen et al.'s scheme is depicted in Fig. 1. The interactions between a tag, a tag reader and the server are described as follows.

Step 1: Reader → Tag
The reader generates a random number s and then sends it with a hello message to the tag.

Step 2: Tag → Reader
After receiving s and the hello message, the tag computes x = h(TID) ⊕ r ⊕ s, X = x² mod n, and R = r² mod n, and then sends ⟨X, R, h(x), h(r)⟩ as a response to the reader.

Step 3: Reader → Server
After receiving the tag response, the reader forwards this response together with s to the server.

Step 4: Server → Reader
After receiving ⟨X, R, h(x), h(r), s⟩, the server solves X = x² mod n and R = r² mod n by using the Chinese Remainder Theorem with p and q to obtain four roots (x1, x2, x3, x4) and (r1, r2, r3, r4), respectively. Then, it compares h(xi) with h(x) and h(ri) with h(r), for i = 1 to 4, to find the correct values of x and r. Next, the server computes x ⊕ r ⊕ s to get h(TID), which is used as an index to find the corresponding tag record in the server. If no matching record is found, the session is aborted. After that, the resulting r is checked. If it is not equal to r or rold stored in the corresponding tag record, the session is also aborted.
(i) If the resulting r is identical to r in the corresponding tag record, the server computes h(xack) = h(TID ⊕ r), sends it to the reader, and updates the tag record by replacing rold with r, and r with PRNG(r).
(ii) If the resulting r is identical to rold in the corresponding tag record, the server computes h(xack) = h(TID ⊕ rold) and sends it to the reader. Neither r nor rold stored in the server will be updated.

Step 5: Reader → Tag
After receiving h(xack), the reader forwards it to the tag. The tag then verifies whether the received h(xack) is equal to h(TID ⊕ r) computed by itself. If it holds, the tag updates r with PRNG(r).

Fig. 1. Chen et al.'s scheme.

3. Weaknesses of Chen et al.'s scheme

Cao and Shen [16] found that Chen et al.'s RFID authentication scheme is vulnerable to impersonation attacks. This study further demonstrates that their scheme does not provide location privacy and suffers from replay attacks. These threats result from the fact that the tag does not generate any random number for each tag reading, and are as follows:

Tag impersonation attack: In Chen et al.'s scheme, only the server generates a random number s for each session. The tag impersonation attack can be performed as follows. Attackers can record R and h(r) in Step 2 of a legal reading, send malicious queries to cheat the tag out of its responses three times, and then derive the secret value h(TID) ⊕ r. After that, attackers can impersonate the tag by using the secret value h(TID) ⊕ r and the recorded R and h(r). For the detailed attack steps, refer to [16].
Location privacy: If the data transmitted in Step 5 is intercepted or modified, r and rold stored in the server will have been updated while the tag's resident r will not. In Step 2 of the next tag reading, R and h(r), coming out from the tag, will keep the old values. Attackers can thus trace the tag or the person holding the tag by R and h(r).
Replay attack: The server's authentication token, h(xack), is a function of TID and r. However, TID is a fixed value, and r will not be updated if the data transmitted in Step 5 is intercepted or modified. Therefore, attackers can intercept the data transmitted in Step 5 and then replay the intercepted token h(xack) in the next tag reading to impersonate the server and pass the tag's authentication.

4. The improved scheme

To avoid the security threats mentioned above, the tag is allowed to generate a random number t for each tag reading to protect the data in Steps 2 and 4. The following presents the improved scheme. The initialization phase is the same as that of Chen et al.'s scheme. The authentication phase is depicted in Fig. 2. The detailed steps of the authentication phase are presented as follows.

Step 1: Reader → Tag
The reader generates a random number s and then sends it with a hello message to the tag.

Step 2: Tag → Reader
After receiving s and the hello message, the tag generates a random number t; computes x = h(TID) ⊕ r ⊕ s ⊕ t, y = r ⊕ t, X = x² mod n, R = (r² mod n) ⊕ t, and T = t² mod n; and sends ⟨X, R, T, h(x), h(y), h(t)⟩ as a response to the reader.

Step 3: Reader → Server
After receiving the tag response, the reader forwards this response together with s to the server.
Fig. 2. The improved scheme.
Step 4: Server → Reader
After receiving ⟨X, R, T, h(x), h(y), h(t), s⟩, the server solves X = x² mod n and T = t² mod n by using the Chinese Remainder Theorem with p and q to obtain four roots (x1, x2, x3, x4) and (t1, t2, t3, t4), respectively. Then, it compares h(xi) with h(x) and h(ti) with h(t), for i = 1 to 4, to determine the unique values of x and t. Next, the server computes R ⊕ t = (r² mod n) and then solves it by using the Chinese Remainder Theorem with p and q to obtain four roots (r1, r2, r3, r4). Then, it compares h(ri ⊕ t) with h(y), for i = 1 to 4, to determine the unique value of r. After that, the server computes x ⊕ r ⊕ s ⊕ t to obtain h(TID) and uses h(TID) as an index to find the tag record in the server. If no matching record is found, the session is aborted. Then, the resulting r is checked. If it is not equal to the value of r or rold stored in the corresponding tag record, the session is also aborted.
(i) If the resulting r is identical to r in the corresponding tag record, the server computes h(xack) = h(TID ⊕ t ⊕ r), sends it to the reader and updates the tag record by replacing rold with r, and r with PRNG(r).
(ii) If the resulting r is identical to rold in the corresponding tag record, the server computes h(xack) = h(TID ⊕ t ⊕ rold) and sends it to the reader. Neither r nor rold stored in the server will be updated.

Step 5: Reader → Tag
After receiving h(xack), the reader forwards it to the tag. The tag then verifies whether the received h(xack) is equal to h(TID ⊕ t ⊕ r) computed by itself. If it holds, the tag updates r with PRNG(r).
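As an added worked example (not code from the paper), one reading of the improved scheme with toy-size parameters: the tag's Step 2 response, the server's Step 4 root recovery and r/rold check, and the tag's Step 5 verification, including the resynchronization path when a Step 5 acknowledgement is lost. It assumes Blum primes p ≡ q ≡ 3 (mod 4), so that square roots modulo p and q are a^((p+1)/4), a 20-bit truncation of SHA-256 as h(.), and a hash chain as PRNG; the function names and sample values are this example's own.

```python
import hashlib
import secrets

P, Q = 1019, 1087   # constructed toy Blum primes (p, q = 3 mod 4); a real n is ~1024 bits
N = P * Q
K = 20              # bit length of TID, r, s, t; 2**K < N so every value is a valid root


def h(v: int) -> int:
    """One-way hash h(.), here SHA-256 truncated to K bits (toy assumption)."""
    d = hashlib.sha256(v.to_bytes(8, "big")).digest()
    return int.from_bytes(d, "big") & ((1 << K) - 1)


def prng(r: int) -> int:
    """PRNG(r) key update, assumed here to be a hash chain over r."""
    return h(r ^ 0xA5A5A5)


def sqrt_mod_n(a: int) -> list:
    """Server side: the four square roots of a mod n via CRT, using p and q."""
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)
    inv_q, inv_p = pow(Q, -1, P), pow(P, -1, Q)
    return sorted({(sp * Q * inv_q + sq * P * inv_p) % N
                   for sp in (rp, P - rp) for sq in (rq, Q - rq)})


def tag_response(tid: int, r: int, s: int, t: int) -> dict:
    """Step 2: the tag's nonce t blinds x, y and r^2 mod n, so replies differ per reading."""
    x, y = h(tid) ^ r ^ s ^ t, r ^ t
    return {"X": x * x % N, "R": (r * r % N) ^ t, "T": t * t % N,
            "hx": h(x), "hy": h(y), "ht": h(t)}


def server_verify(msg: dict, s: int, db: dict):
    """Step 4: recover x, t, then r; index by h(TID); accept r or r_old; return h(xack)."""
    x = next((c for c in sqrt_mod_n(msg["X"]) if h(c) == msg["hx"]), None)
    t = next((c for c in sqrt_mod_n(msg["T"]) if h(c) == msg["ht"]), None)
    if x is None or t is None:
        return None
    r = next((c for c in sqrt_mod_n(msg["R"] ^ t) if h(c ^ t) == msg["hy"]), None)
    rec = db.get(x ^ r ^ s ^ t) if r is not None else None   # index = h(TID)
    if rec is None:
        return None
    if r == rec["r"]:                      # case (i): in sync, roll the key
        rec["r_old"], rec["r"] = rec["r"], prng(rec["r"])
    elif r != rec["r_old"]:                # neither current nor old key: abort
        return None
    return h(rec["tid"] ^ t ^ r)           # case (ii) leaves r and r_old unchanged


def run_session(tid: int, tag_r: int, db: dict, s=None, t=None):
    """One reading from the tag's view: (ack accepted, tag key after Step 5)."""
    s = secrets.randbits(K) if s is None else s
    t = secrets.randbits(K) if t is None else t
    ack = server_verify(tag_response(tid, tag_r, s, t), s, db)
    if ack == h(tid ^ t ^ tag_r):          # Step 5: compare with h(TID xor t xor r)
        return True, prng(tag_r)
    return False, tag_r
```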
5. Security analysis of the improved scheme
Secrecy: The data transmitted between the server and the tag is well protected, so the tag's resident data ⟨TID, h(TID), r⟩ cannot be retrieved from the communications. Only the legal server with p and q can solve for the correct x, r, and t by using the Chinese Remainder Theorem. Even if an attacker could solve for x, r, and t, he still could not obtain TID due to the one-way property of the hash function (x = h(TID) ⊕ r ⊕ s ⊕ t in Step 2 and h(xack) = h(TID ⊕ t ⊕ r) in Step 4). Secrecy will, thus, be ensured.
Location privacy: In Chen et al.'s scheme, because the tag does not generate any random number for each tag reading, the response coming out from the tag, R and h(r), can be used to trace the tag or the person holding the tag. In the proposed scheme, a random number t generated by the tag is added for each tag reading to make the response unpredictable. Even if the data transmitted in Step 5 is intercepted or modified, the attacker still could not trace the tag or the person holding the tag. Location privacy will, thus, be achieved.
Forward secrecy: The data transmitted between the server and the tag is well protected, so the tag's resident data ⟨TID, h(TID), r⟩ cannot be retrieved from the communications. Even if the data kept in the tag is compromised by the attacker, he still could not trace back any of its previous communications. Moreover, the tag's resident r is updated after each successful tag reading. Let the tag's current resident authentication key be ri and the previous one be ri−1. If the tag is compromised and ri is thus obtained, the attacker still could not use ri to derive ri−1 or to trace the tag's previous communications. Random numbers s and t are generated by the reader and the tag, respectively, for each tag reading. Since s, t, and r are different for each tag reading, the communications are independent of each other. Attackers will not be able to find the tag's previous communications using the knowledge of the compromised triple ⟨TID, h(TID), r⟩.
Replay attack: In Chen et al.'s scheme, only the reader generates a random number s for each tag reading. In the proposed scheme, a random number t generated by the tag is added to make the server's authentication token h(xack) different for each tag reading. Even if the data transmitted in Step 5 is intercepted or modified, attackers still could not replay the intercepted token h(xack) in the next tag reading to impersonate the server and pass the tag's authentication.
DoS attack: The server always keeps the old value of the tag's authentication key (rold). If the data transmitted in Step 5 is intercepted or modified, r and rold stored in the server will have been updated while the tag's resident r will not. The tag's resident r can still match rold in the server and pass the server's authentication. The DoS attack caused by a desynchronized update of the shared secret will thus be prevented.
Impersonation attack: The server and the tag authenticate each other with the shared secrets TID and r. Only the legal server with p and q can solve for the correct x, r, and t by using the Chinese Remainder Theorem. Only the legal server with the correct TID can compute the correct h(xack) to pass the tag's authentication. To avoid the tag impersonation attack encountered in Chen et al.'s scheme, this study adds the random number t generated by the tag for each tag reading to make the response in Step 2 unpredictable and different for each tag reading. Thus, attackers will not be able to derive the secret from the response of the tag and then impersonate the tag to pass the server's authentication.

6. Conclusion

RFID is widely used in our daily life; however, information transmitted through the air is vulnerable to eavesdropping, interception, or modification.
That threatens the security and privacy of individuals and organizations, and has been a hindrance to the development of RFID. Recently, Chen et al. proposed a scheme which enhances security and privacy by using hash functions and quadratic residues. This study demonstrates the weaknesses of Chen et al.'s scheme. An improved scheme is also proposed to avoid the problems mentioned above and, thus, can be applied in environments requiring a high level of security.

Acknowledgment

This research is partially supported by the National Science Council, Taiwan, ROC, under contract No. NSC 96-2416-H-159-001. The authors gratefully acknowledge the anonymous reviewers for their valuable comments.

References

[1] AIM web site. Available from:
[2] A.X. Liu, L.A. Bailey, PAP: a privacy and authentication protocol for passive RFID tags, Computer Communications 32 (7–10) (2009) 1194–1199.
[3] M.R. Rieback, B. Crispo, A.S. Tanenbaum, The evolution of RFID security, IEEE Pervasive Computing 5 (1) (2006) 62–69.
[4] Y. Chen, J.S. Chou, H.M. Sun, A novel mutual-authentication scheme based on quadratic residues for RFID systems, Computer Networks 52 (12) (2008) 2373–2380.
[5] H.Y. Chien, C.H. Chen, Mutual-authentication protocol for RFID conforming to EPC class 1 generation 2 standards, Computer Standards & Interfaces 29 (2) (2007) 254–259.
[6] S.Y. Kang, D.G. Lee, I.Y. Lee, A study on secure RFID mutual-authentication scheme in pervasive computing environment, Computer Communications 31 (18) (2008) 4248–4254.
[7] C.M. Roberts, Radio frequency identification (RFID), Computers & Security 25 (1) (2006) 18–26.
[8] P. Rotter, A framework for assessing RFID system security and privacy risks, IEEE Pervasive Computing 7 (2) (2008) 70–77.
[9] A. Juels, Minimalist cryptography for low-cost RFID tags, LNCS 3352 (2004) 149–164.
[10] E.K. Ryu, T. Takagi, A hybrid approach for privacy-preserving RFID tags, Computer Standards & Interfaces 31 (4) (2009) 812–815.
[11] P. Peris-Lopez, J.C. Hernandez-Castro, M.J. Estevez-Tapiador, A. Ribagorda, M2AP: a minimalist mutual-authentication protocol for low-cost RFID tags, LNCS 4159 (2006) 912–923.
[12] P. Peris-Lopez, J.C. Hernandez-Castro, M.J. Estevez-Tapiador, A. Ribagorda, EMAP: an efficient mutual-authentication protocol for low-cost RFID tags, LNCS 4277 (2006) 352–361.
[13] N.W. Lo, K.H. Yeh, An efficient mutual-authentication scheme for EPCglobal class-1 generation-2 RFID system, LNCS 4809 (2007) 43–56.
[14] H.Y. Chien, SASI: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity, IEEE Transactions on Dependable and Secure Computing 4 (4) (2007) 337–340.
[15] C.L. Chen, Y.Y. Deng, Conformation of EPC class 1 generation 2 standards RFID system with mutual-authentication and privacy protection, Engineering Applications of Artificial Intelligence 22 (8) (2009) 1284–1291.
[16] T. Cao, P. Shen, Cryptanalysis of some RFID authentication protocols, Journal of Communications 3 (7) (2008) 20–27.