JID:IPL
AID:5427 /SCO
[m3G; v1.175; Prn:11/05/2016; 17:13] P.1 (1-5)
Information Processing Letters ••• (••••) •••–•••
Contents lists available at ScienceDirect
Information Processing Letters www.elsevier.com/locate/ipl
Security analysis of an RFID tag search protocol

Hoda Jannati a,∗, Behnam Bahrak b

a School of Computer Science, Institute for Research in Fundamental Sciences (IPM), Tehran, Iran
b Department of Electrical and Computer Engineering, University of Tehran, Tehran, Iran
Article info

Article history: Received 26 May 2015; received in revised form 24 February 2016; accepted 3 May 2016; available online xxxx. Communicated by L. Viganò.

Keywords: Tag search protocol; RFID security; Impersonation attack; De-synchronization attack; Location privacy; Analysis of algorithms
Abstract

Over the past decade, tag search protocols have been proposed so that an RFID reader can efficiently locate a specific RFID tag among a large group of tags. For instance, in a warehouse holding thousands of packages, each with an RFID tag attached, staff may find specific packages using a reader that runs a tag search protocol. Although tag search protocols promise convenience, most of them threaten the privacy of RFID tags in one way or another: an attacker may impersonate a tag in order to substitute another tag for it, or may learn the identity of a tag in order to track it. Recently, Sundaresan et al. proposed an RFID tag search protocol based only on 128-bit pseudo-random number generators and exclusive-or operations, both of which are easily implemented on low-cost passive RFID tags compliant with the EPCglobal Class-1 Gen-2 standard, even at large scale. They claim that their protocol offers anonymity, location privacy and forward secrecy for the reader and the tag, and resists de-synchronization, replay and impersonation attacks. In this paper, we analyze the security of their tag search protocol and show that it is vulnerable to de-synchronization and impersonation attacks and cannot provide location privacy for the tag.

© 2016 Elsevier B.V. All rights reserved.
1. Introduction

Radio Frequency Identification (RFID) is a wireless technology for automatically identifying electronic tags physically attached to objects by means of an RFID reader [1]. RFID systems are now widely employed in supply chain management, pharmacy management, library collection management, electronic payment systems, automatic toll collection, proximity cards, hospital patient care, container search within seaports and many other applications [2]. In all such applications, a process by which the RFID reader authenticates RFID tags is necessary to ensure the validity of the tags that appear in the reader's vicinity [3,4].
∗ Corresponding author.
E-mail addresses: [email protected] (H. Jannati), [email protected] (B. Bahrak).
http://dx.doi.org/10.1016/j.ipl.2016.05.001
0020-0190/© 2016 Elsevier B.V. All rights reserved.
In addition to authentication, an RFID reader must also be able to efficiently find a specific tag among a large group of tags. In RFID authentication protocols, however, the reader queries only one tag per session, so authentication cannot serve this purpose efficiently: the reader would have to check each item separately, which becomes slow or impractical as the number of tags grows [5]. Many tag search protocols have been proposed to solve this problem efficiently [5–10]. In these protocols, the reader broadcasts a query for a specific tag with a known identity in its field of operation; if the tag is in the reader's vicinity, it replies. Existing tag search protocols have been examined from various viewpoints, such as resistance to impersonation, de-synchronization and replay attacks, anonymity, location privacy, and computational cost. However, not all tag search schemes achieve these security and privacy requirements [11–13]. For instance, Piramuthu [12] showed that Zuo's search protocol [6] is vulnerable to a de-synchronization attack, and Safkhani et al. [13] showed that the Tan et al. search protocol [5] is vulnerable to ID disclosure and traceability attacks. Furthermore, secure tag search protocols are costly in terms of resources and power consumption: they rely on hash functions, which require 8000 to 10000 two-input NAND gate equivalents (GEs) to implement, and so cannot run on low-cost devices that have at most 2000 GEs available for security functions. To this end, Sundaresan et al. proposed an efficient RFID tag search protocol that needs very limited computational resources and is claimed to preserve the security requirements of both the tag and the reader [14]. Their protocol relies only on 128-bit pseudo-random number generators and exclusive-or operations, both of which are easily implemented on low-cost passive RFID tags that comply with the Electronic Product Code Class 1 Generation 2 (EPC-C1G2) standard [15], even in large-scale deployments [16]. Sundaresan et al. claim that their protocol resists de-synchronization, replay and impersonation attacks and preserves anonymity, location privacy and forward secrecy for the reader and the tag.

In this letter, we analyze the security of the tag search protocol proposed by Sundaresan et al. and show that it has serious security vulnerabilities in hostile environments. In particular, an adversary can de-synchronize a tag from the reader and can impersonate both the tag and the reader with a high probability of success. Moreover, we show that the protocol cannot provide location privacy for the RFID tags.

Table 1. Notation used to formulate the Sundaresan et al. tag search protocol.

S, R, T_j: the server, a reader and the jth tag
TID_j: the unique identity of T_j
(ts)_j: secret key of T_j
rts_j: shared secret key between T_j and R
rts_j^{-1}: the previous value of rts_j
id_j: the pre-computed hash of TID_j and (ts)_j, id_j = H(TID_j, (ts)_j)
ctrmax_j: the number of searches allowed for T_j
ctr_j: the current counter value of T_j
tr: the pseudo-random number generated by the tag in the current session
rr: the pseudo-random number generated by the reader in the current session
(rr^{-1})_j: the pseudo-random number generated by R in the last successful session of searching for T_j
⊕: the bitwise exclusive-or operation
H(.): a one-way hash function
PRNG(w): a pseudo-random number generator with seed w
PRNG^m(.): the function PRNG(.) composed with itself m times
The rest of this paper is organized as follows. Section 2 briefly reviews the tag search protocol proposed by Sundaresan et al., Section 3 discusses the vulnerabilities of this protocol, and Section 4 concludes the paper.

2. Review of the Sundaresan et al. tag search protocol

There are three types of players in the protocol proposed by Sundaresan et al. [14]:
1. a server S;
2. a set of readers;
3. a set of tags.

Each tag T_j has a unique identity TID_j, two secret keys (ts)_j and rts_j, a maximum number of allowed searches ctrmax_j and a current counter value ctr_j, all of which are shared with the server S. After authenticating a reader R, the server S supplies R over a secure channel with the information for the X tags that R is permitted to search. R thus obtains id_j = H(TID_j, (ts)_j) (where H(.) is a one-way hash function), rts_j, ctrmax_j and ctr_j for each of the X tags T_j. At the end of each successful session between the reader R and the tag T_j, both parties update rts_j and ctr_j. To prevent de-synchronization, the tag also keeps a backup of the previous value of rts_j as rts_j^{-1}. Moreover, to prevent replay attacks, T_j stores (rr^{-1})_j, the pseudo-random number sent by the reader R in the last successful session. Table 1 lists the notation used for this protocol, and Fig. 1 shows the interaction between the reader R and a tag T_k in the Sundaresan et al. protocol.
1. The reader R first checks that ctr_j < ctrmax_j. If this fails, the protocol aborts and the reader returns to the server to renew its search permission. Otherwise, R generates a pseudo-random number rr and computes M_1 = id_j ⊕ PRNG(rts_j ⊕ rr) and M_2 = rr ⊕ rts_j ⊕ id_j. It then broadcasts (M_1, M_2) as the query for the tag T_j to all tags in its field of operation.

2. On receiving M_1 and M_2 from the reader, each tag T_k whose current counter value ctr_k is smaller than its maximum ctrmax_k computes β = rts_k ⊕ id_k and performs two checks: that id_k = M_1 ⊕ PRNG(rts_k ⊕ M_2 ⊕ β), and that the reader's random number recovered as M_2 ⊕ β differs from the stored (rr^{-1})_k (so that a replayed query is rejected). If both checks pass, T_k concludes that the query is addressed to itself, i.e., that T_k is the tag T_j. It then generates a pseudo-random number tr, computes M_3 = rts_k ⊕ PRNG(id_k ⊕ tr) and M_4 = tr ⊕ rts_k ⊕ id_k, and sends (M_3, M_4) as its reply to the reader R. Afterwards, T_k sets rts_k^{-1} to rts_k and rts_k to PRNG(rts_k), increments ctr_k by 1, and sets (rr^{-1})_k to M_2 ⊕ rts_k ⊕ id_k, computed with the rts_k used in the checks, i.e., to the reader's random number rr. If either check fails, T_k repeats the two checks using rts_k^{-1} in place of rts_k; on success it replies as above but does not update rts_k. If the checks fail again, T_k replies, with probability λ, with two random numbers as M_3 and M_4, in order to provide location privacy for the tag.

3. On receiving M_3 and M_4 from the tags, the reader R verifies them by checking whether rts_j = M_3 ⊕ PRNG(id_j ⊕ M_4 ⊕ β), where β = rts_j ⊕ id_j. If so, R knows that the tag T_j is present and the search has succeeded; it then updates rts_j to PRNG(rts_j) and increments ctr_j by 1. Otherwise, R concludes that T_j is not present and aborts the protocol.

Fig. 1. Sundaresan et al. tag search protocol [14].

Reader R (id_j, rts_j, ctr_j, ctrmax_j):
    If ctr_j < ctrmax_j:
        Select a pseudo-random number rr
        Compute β = rts_j ⊕ id_j
        Compute M_1 = id_j ⊕ PRNG(rts_j ⊕ rr)
        Compute M_2 = rr ⊕ β
    Else
        Renew the search access permission
    End

    R → T_k: M_1, M_2

Tag T_k (id_k, rts_k, rts_k^{-1}, ctr_k, ctrmax_k, (rr^{-1})_k):
    If ctr_k ≥ ctrmax_k:
        Do not respond and abort the protocol
    End
    If ctr_k < ctrmax_k and id_k = M_1 ⊕ PRNG(rts_k ⊕ M_2 ⊕ β) and (rr^{-1})_k ≠ M_2 ⊕ β, where β = rts_k ⊕ id_k:
        Select a pseudo-random number tr
        Compute M_3 = rts_k ⊕ PRNG(id_k ⊕ tr)
        Compute M_4 = tr ⊕ rts_k ⊕ id_k
        Update rts_k^{-1}: rts_k → rts_k^{-1}
        Update rts_k: PRNG(rts_k) → rts_k
        Update ctr_k: ctr_k + 1 → ctr_k
        Update (rr^{-1})_k: M_2 ⊕ rts_k ⊕ id_k → (rr^{-1})_k
    Elseif ctr_k < ctrmax_k and id_k = M_1 ⊕ PRNG(rts_k^{-1} ⊕ M_2 ⊕ β) and (rr^{-1})_k ≠ M_2 ⊕ β, where β = rts_k^{-1} ⊕ id_k:
        Select a pseudo-random number tr
        Compute M_3 = rts_k^{-1} ⊕ PRNG(id_k ⊕ tr)
        Compute M_4 = tr ⊕ rts_k^{-1} ⊕ id_k
        Update ctr_k: ctr_k + 1 → ctr_k
        Update (rr^{-1})_k: M_2 ⊕ rts_k^{-1} ⊕ id_k → (rr^{-1})_k
    Else
        Reply with probability λ with two random numbers as M_3 and M_4
    End

    T_k → R: M_3, M_4

Reader R:
    If rts_j = M_3 ⊕ PRNG(id_j ⊕ M_4 ⊕ β):
        Tag T_j is present
        Update rts_j: PRNG(rts_j) → rts_j
        Update ctr_j: ctr_j + 1 → ctr_j
    Else
        Tag T_j is not present
    End

3. Security vulnerabilities of the Sundaresan et al. tag search protocol

The authors of [14] claim that their tag search protocol resists de-synchronization and impersonation attacks and provides location privacy for RFID tags. In this section we show that the protocol preserves none of these properties and that an adversary can mount several attacks against it with a high probability of success. We first prove a property of the Sundaresan et al. protocol that an attacker can exploit, and then describe the weaknesses of the protocol.

Theorem 1. In the Sundaresan et al. tag search protocol, a valid query of the reader R in one session remains a valid query in all later sessions. In other words, the reader's query is vulnerable to a replay attack.

Proof. As noted above, the query (M_1, M_2) of the reader is valid in the zth session of searching for the tag T_j if it satisfies the following two properties:
1. the random number selected by the reader in this session must not equal the random number of the previous successful session of searching for T_j;
2. M_1 and M_2 must be verified using the identity and the secret key of T_j in this session.

Let (M_1 = id_j ⊕ PRNG(rts_j ⊕ rr), M_2 = rr ⊕ rts_j ⊕ id_j) be the valid query of the reader R in the qth session of searching for the tag T_j. We assume that, after receiving the valid query in the qth session, the tag T_j in the zth
session (z > q) has updated its secret key rts_j at most m times; since the query in the qth session is valid, m ≥ 1. Moreover, T_j stores the random number selected by the reader in the previous successful session as (rr^{-1})_j. To verify the first property of the query (M_1, M_2) in the zth session, T_j recovers the reader's random number as M_2 ⊕ β, where β = PRNG^m(rts_j) ⊕ id_j, so that M_2 ⊕ β = M_2 ⊕ PRNG^m(rts_j) ⊕ id_j, and checks whether this value equals (rr^{-1})_j. When m = 1, (rr^{-1})_j equals rr = M_2 ⊕ rts_j ⊕ id_j, and when m > 1, (rr^{-1})_j is a random value. Therefore, for m ≥ 1, M_2 ⊕ β equals (rr^{-1})_j with probability $(1/2)^l$, where l is the bit length of rr. In the Sundaresan et al. protocol l = 128, so this probability is negligible; in other words, (M_1, M_2) satisfies the first property with probability almost one. To check the second property of the query (M_1, M_2) in the zth session, T_j tests whether $\phi = M_1 \oplus \mathrm{PRNG}(\mathrm{PRNG}^m(rts_j) \oplus M_2 \oplus \beta)$ equals id_j. By (1), this value is exactly id_j, so (M_1, M_2) satisfies the second property with probability 1.

$$
\begin{aligned}
\phi &= M_1 \oplus \mathrm{PRNG}\big(\mathrm{PRNG}^m(rts_j) \oplus M_2 \oplus \beta\big) \\
&= M_1 \oplus \mathrm{PRNG}\big(\mathrm{PRNG}^m(rts_j) \oplus rr \oplus rts_j \oplus id_j \oplus \mathrm{PRNG}^m(rts_j) \oplus id_j\big) \\
&= M_1 \oplus \mathrm{PRNG}(rts_j \oplus rr) \\
&= id_j \oplus \mathrm{PRNG}(rts_j \oplus rr) \oplus \mathrm{PRNG}(rts_j \oplus rr) \\
&= id_j .
\end{aligned} \qquad (1)
$$

Consequently, the reader's query for the tag T_j in the qth session is also valid in the zth session, for all z > q, with probability $1 - (1/2)^{128}$, even though T_j has updated its secret key rts_j m ≥ 1 times in between. □

3.1. De-synchronization attack

In this section we describe a de-synchronization attack on the Sundaresan et al. tag search protocol. An attacker A eavesdrops on a successful session between a reader and a tag and stores the query sent by the reader. Let the intercepted session be the qth successful session between the reader R and the tag T_j, and assume that A has stored the reader's query (M_1, M_2), which was computed using rts_j. After this session, both R and T_j update their state and are synchronized in state S(1) = PRNG(rts_j). We also assume that T_j is still in the reader's field of operation. Now the attacker broadcasts the reader's query from the qth session, (M_1, M_2), again. By Theorem 1, T_j cannot detect the repeated query and accepts it as a valid query from R. Thus T_j advances its state to S(2) = PRNG(PRNG(rts_j)) while R remains in state S(1) = PRNG(rts_j). Whenever the reader subsequently searches for T_j, it sends a query for T_j computed in state S(1). However, according to
Theorem 1, T_j accepts the reader's query as valid and responds to it using state S(2). Since R is in state S(1), it rejects T_j as an invalid tag. More precisely, the tag answers the reader's query with M_3 = PRNG(PRNG(rts_j)) ⊕ PRNG(id_j ⊕ tr) and M_4 = tr ⊕ PRNG(PRNG(rts_j)) ⊕ id_j. The reader checks whether PRNG(rts_j) equals M_3 ⊕ PRNG(id_j ⊕ M_4 ⊕ β), where β = PRNG(rts_j) ⊕ id_j; these two values are not equal, so the check fails and the adversary has succeeded in de-synchronizing the tag T_j from the reader. By Theorem 1, the probability of a successful de-synchronization attack is 1 − (1/2)^128, which is very close to 1.

3.2. Inference attack against tag location privacy

In each session of the Sundaresan et al. tag search protocol, besides the searched tag, some of the other tags in the reader's vicinity act as noise tags and answer the reader's query with random bits in order to provide tag location privacy. The authors therefore claim that an attacker cannot infer which tag is addressed by the reader's query. However, by Theorem 1, an attacker can broadcast the reader's query for one tag several times, each time obtaining the set of tags that respond to it. By repeating the query several times while the searched tag remains in the reader's field of operation, and intersecting the sets obtained, the attacker can narrow the set of candidate tags considerably. Thus the protocol cannot preserve location privacy for the tags.

Let t denote the number of tags in the reader's vicinity. In the Sundaresan et al. protocol, a tag that is not addressed by the reader's query responds to it with probability λ. We define E_i as the event that such a noise tag T_i responds to all of the queries the attacker makes in order to find the tag addressed by the reader.
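The following Python simulation is an added example for this letter; it is not code from Sundaresan et al. [14] nor from the present authors. It models the exchange of Section 2 with a Tag and a Reader and then runs, over that model, the replay of Theorem 1, the de-synchronization attack of Section 3.1, the intersection attack described above, and the response harvesting that Section 3.3 uses for impersonation. Its assumptions, none of which are fixed by the page: the 128-bit PRNG is instantiated as truncated SHA-256; the counters ctr and ctrmax are omitted because they play no role in the attacks; (rr^{-1})_k is initialised to all zeros and is stored as the rr recovered with the key used in the checks, which is the reading taken in the proof of Theorem 1; the anti-replay check is the inequality (rr^{-1})_k ≠ M_2 ⊕ β; and every id, key and nonce is a random 128-bit value generated for the simulation. The function and class names (Tag, Reader, replay_accepted, desync_attack, impersonation_attack, intersection_attack) are the example's own.

```python
import hashlib, math, os, random

L = 16  # every value is 128 bits, as in the Sundaresan et al. protocol

def prng(x: bytes) -> bytes:
    # Assumption: the paper's 128-bit PRNG is modelled by truncated SHA-256 (any fixed 128-bit function would do).
    return hashlib.sha256(b"prng|" + x).digest()[:L]

def xor(*parts: bytes) -> bytes:
    out = bytes(L)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

class Tag:
    # T_k holding (id_k, rts_k, rts_k^{-1}, (rr^{-1})_k); ctr/ctrmax are omitted, they do not affect the attacks.
    def __init__(self, id_, rts, lam=0.0):
        self.id, self.rts, self.rts_prev = id_, rts, None
        self.rr_prev = bytes(L)  # assumption: (rr^{-1})_k is all zeros before any successful session
        self.lam = lam           # probability of answering with random bits when the query is not for this tag

    def query(self, M1, M2):
        # Step 2 of the protocol: try the current key first, then the backup key.
        for idx, key in enumerate(k for k in (self.rts, self.rts_prev) if k is not None):
            beta = xor(key, self.id)
            rr = xor(M2, beta)  # the reader's random number as the tag recovers it
            if xor(M1, prng(xor(key, M2, beta))) == self.id and rr != self.rr_prev:
                tr = os.urandom(L)
                M3, M4 = xor(key, prng(xor(self.id, tr))), xor(tr, key, self.id)
                if idx == 0:  # the key advances only when the current key matched
                    self.rts_prev, self.rts = self.rts, prng(self.rts)
                self.rr_prev = rr
                return M3, M4
        if random.random() < self.lam:  # noise reply meant to give location privacy
            return os.urandom(L), os.urandom(L)
        return None

class Reader:
    def __init__(self, id_, rts):
        self.id, self.rts = id_, rts

    def make_query(self):
        # Step 1: (M_1, M_2) = (id_j xor PRNG(rts_j xor rr), rr xor rts_j xor id_j)
        rr = os.urandom(L)
        return xor(self.id, prng(xor(self.rts, rr))), xor(rr, self.rts, self.id)

    def verify(self, resp):
        # Step 3: accept iff rts_j = M_3 xor PRNG(id_j xor M_4 xor beta), beta = rts_j xor id_j; rr plays no role.
        if resp is None:
            return False
        M3, M4 = resp
        if xor(M3, prng(xor(self.id, M4, self.rts, self.id))) != self.rts:
            return False
        self.rts = prng(self.rts)
        return True

def fresh_pair(lam=0.0):
    id_, rts = os.urandom(L), os.urandom(L)  # constructed identity and shared key for one tag
    return Reader(id_, rts), Tag(id_, rts, lam)

def replay_accepted(n_updates=3):
    # Theorem 1: a recorded query is still accepted after the tag has advanced its key n_updates times.
    reader, tag = fresh_pair()
    q = reader.make_query()
    ok = reader.verify(tag.query(*q))  # the eavesdropped successful session q
    return ok and all(tag.query(*q) is not None for _ in range(n_updates))

def desync_attack():
    # Section 3.1: one replay moves the tag to S(2) while the reader stays at S(1).
    reader, tag = fresh_pair()
    q = reader.make_query()
    reader.verify(tag.query(*q))
    tag.query(*q)  # the attacker replays q
    return reader.verify(tag.query(*reader.make_query()))  # False: the reader rejects the genuine tag

def impersonation_attack(rounds=3):
    # Section 3.3: every replay of q harvests a response under the key the reader currently holds.
    reader, tag = fresh_pair()
    q = reader.make_query()
    reader.verify(tag.query(*q))
    accepted = []
    for _ in range(rounds):
        harvested = tag.query(*q)  # the tag answers with its current key and moves one step ahead
        reader.make_query()        # the reader searches; the genuine tag need not be present
        accepted.append(reader.verify(harvested))
    return all(accepted)

def intersection_attack(n_noise=50, lam=0.5, delta=0.01):
    # Section 3.2: replay the query N times and keep only tags that answered every time (needs 0 < lam < 1).
    reader, target = fresh_pair(lam)
    tags = [target] + [Tag(os.urandom(L), os.urandom(L), lam) for _ in range(n_noise)]
    N = math.ceil((math.log(delta) - math.log(n_noise)) / math.log(lam))  # t - 1 = n_noise, union bound
    q = reader.make_query()
    candidates = set(range(n_noise + 1))
    for _ in range(N):
        candidates &= {i for i, tg in enumerate(tags) if tg.query(*q) is not None}
    return candidates, N  # {0} except with probability at most delta
```

replay_accepted(3) returns True, desync_attack() returns False (the honest search fails after a single replay), impersonation_attack(3) returns True, and intersection_attack(50, 0.5, 0.01) returns N = 13 together with a candidate set that is {0} except with probability at most 0.01. The reader's verify() shows why the attacks work: it never looks at rr, and the tag's query() accepts any (M_1, M_2) for which the PRNG^m terms cancel, exactly as in equation (1).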
If the attacker repeats the reader's query N times, then clearly $\Pr(E_i) = \lambda^N$. Without loss of generality, assume that the searched tag is T_1 and that T_2, …, T_t are the noise tags; we assume that T_1, T_2, …, T_t remain in the reader's field of operation throughout the N repetitions of the reader's query. Suppose the attacker wants to limit the probability of the attack failing to δ, i.e., $\Pr(E_2 \cup E_3 \cup \cdots \cup E_t) \le \delta$. By the union bound,

$$
\Pr(E_2 \cup E_3 \cup \cdots \cup E_t) \le \sum_{i=2}^{t} \Pr(E_i) = (t-1)\lambda^N .
$$

Thus, to bound the failure probability by δ, the attacker needs to repeat the reader's query

$$
N = \frac{\log(\delta) - \log(t-1)}{\log(\lambda)}
$$

times.

3.3. Impersonation attack

By Theorem 1, it is clear that impersonating the reader in the Sundaresan et al. protocol is possible. In more detail, if an adversary has access to the
reader's query for one tag in one session, it can convince the tag that it is a valid reader in all later sessions. Moreover, assuming the attacker knows which tag the reader's query is for, it can repeat this query several times to obtain different verifiable responses from the tag under successively updated secret keys (because, by Theorem 1, the reader's query is still verified even after the tag's secret key has been updated). The attacker can repeat this procedure for queries addressing other tags. Hence, whenever the reader queries a tag, the attacker can reply to the reader with a verifiable response on the tag's behalf. Therefore, the protocol is vulnerable to impersonation attacks and cannot provide mutual authentication.

4. Conclusion

We showed that the tag search protocol proposed by Sundaresan et al. [14] is vulnerable to de-synchronization and impersonation attacks, and that it cannot provide location privacy for tags that remain within the reader's field of operation. The main cause of these vulnerabilities is a weakness in the way the reader generates its queries. Specifically:
– the updated secret key of the tag has no effect on the verification of the query's correctness;
– the tag's response to the reader's query is computed independently of the parameters of the query;
– the protocol uses a fixed (not updated) seed in the PRNG function of M_1.
To make the protocol resilient to the above attacks, we suggest making more effective use of the secret key that is updated in each query and binding the random number used by the reader in its query into the tag's response. Improving the protocol and analyzing its security are left as topics for future research.

References

[1] R. Want, An introduction to RFID technology, IEEE Pervasive Comput. 5 (1) (2006) 25–33.
[2] S.B. Miles, S.E. Sarma, J.R. Williams, RFID Technology and Applications, Cambridge University Press, Cambridge, United Kingdom, 2008.
[3] H. Jannati, A. Falahati, Cryptanalysis and enhancement of a secure group ownership transfer protocol for RFID tags, in: C.K. Georgiadis, H. Jahankhani, E. Pimenidis, R. Bashroush, A. Al-Memrat (Eds.), Global Security, Safety and Sustainability & e-Democracy, in: Lect. Notes Inst. Comput. Sci., Soc. Inform. Telecommun. Eng., vol. 99, Springer, Heidelberg, 2011, pp. 186–193.
[4] Z. Ahmadian, M. Salmasizadeh, M.R. Aref, Desynchronization attack on RAPP ultralightweight authentication protocol, Inf. Process. Lett. 113 (7) (2013) 205–209.
[5] C.C. Tan, B. Sheng, Q. Li, Secure and serverless RFID authentication and search protocols, IEEE Trans. Wirel. Commun. 7 (4) (2008) 1400–1407.
[6] Y. Zuo, Secure and private search protocols for RFID systems, Inf. Syst. Front. 12 (5) (2009) 507–519.
[7] Y.K. Lee, L. Batina, D. Singelee, I. Verbauwhede, Low-cost untraceable authentication protocols for RFID, in: Proceedings of the Third ACM Conference on Wireless Network Security, WiSec'10, 2010, pp. 55–64.
[8] M.E. Hoque, F. Rahman, S.I. Ahamed, J.I. Park, Enhancing privacy and security of RFID system with serverless authentication and search protocols in pervasive environments, Wirel. Pers. Commun. 55 (1) (2010) 65–79.
[9] Y. Zhang, M. Li, Fast tag searching protocol for large-scale RFID systems, IEEE/ACM Trans. Netw. 21 (3) (2013) 924–934.
[10] M. Chen, W. Luo, Z. Mo, S. Chen, Y. Fang, An efficient tag search protocol in large-scale RFID systems, in: Proceedings of the Twenty-Second IEEE International Conference on Computer Communications, INFOCOM'13, Turin, Italy, 2013, pp. 899–907.
[11] Z. Kim, J. Kim, K. Kim, I. Choi, T. Shon, Untraceable and serverless RFID authentication and search protocols, in: Proceedings of the Ninth IEEE International Symposium on Parallel and Distributed Processing with Applications Workshops, ISPAW'11, Busan, South Korea, 2011, pp. 278–283.
[12] S. Piramuthu, Vulnerabilities of RFID protocols proposed in ISF, Inf. Syst. Front. 14 (3) (2012) 647–651.
[13] M. Safkhani, P.P. Lopez, N. Bagheri, M. Naderi, J.C.H. Castro, On the security of Tan et al. serverless RFID authentication and search protocols, in: J.H. Hoepman, I. Verbauwhede (Eds.), Radio Frequency Identification, Security and Privacy Issues, in: Lect. Notes Comput. Sci., vol. 7739, Springer, Heidelberg, 2013, pp. 1–19.
[14] S. Sundaresan, R. Doss, S. Piramuthu, W. Zhou, Secure tag search in RFID systems using mobile readers, IEEE Trans. Dependable Secure Comput. 12 (2) (2015) 230–242.
[15] EPCglobal, EPC radio-frequency identity protocols Class-1 Gen-2 UHF RFID protocol for communications at 860 MHz–960 MHz, online, http://www.epcglobalinc.org/standards/uhfc1g2, 2013.
[16] H. Lee, D. Hong, The tag authentication scheme using self-shrinking generator on RFID system, World Acad. Sci., Eng. Technol. 18 (2006) 52–57.