Attacks and Improvements to an RFID Mutual Authentication Protocol

and its Extensions

Shaoying Cai1 Yingjiu Li1

Tieyan Li2 Robert H. Deng1

1Singapore Management University2Institute for Infocomm Research (I2R)

March 16-18, 2009, Zurich, Switzerland

Second ACM Conference on Wireless Network Security (WiSec ‘09)

OverallRFID Authentication Protocol for Low-Cost Tags B. Song and C. J. Mitchell (WiSec 08)

RFID Tag Ownership TransferB. Song (RFIDsec 08)

Tag impersonation attack

Server impersonation attack

De-synchronization attack

Song-Mitchell Protocol

Song’s Secret Update Protocol

Outline

• RFID Background

• Attacks and Improvements to

the Song–Mitchell Protocol

• Attacks and Improvements to

the Song’s Secret Update Protocol

• Conclusions

Radio Frequency Identification System

Components: Tag, Reader, Back-end database Characteristics: Wireless connection ( tag reader ) Limited capability of the tags

100 meters

Tag Reader

Attacker

Attacker Model: Active attacker

Backend Server

Privacy and Security Concerns of Mutual Authentication Protocol

• Tag information privacy• Tag location privacy• Resistance to server\tag impersonation attack• Resistance to replay attack• Resistance to de-synchronization attack• Forward and backward security

Privacy Concerns of Ownership Transfer

• New owner privacy

• Old owner privacy

• Authorization recovery

Song-Mitchell Mutual Authentication Protocol

ti = h(si)

Implicit tag authentication

Identification

Server authenticatio

nUpdate

Update

Server Impersonation Attackr1

M1 , M2

M3

M1 , M3

r1’

M1’, M2’

M3’

Em, you are valid.I’m

server

L1R3L1R3

R1L3R1L3

]'[M][M][M]'[M

]'[M][M][M]'[M

Result ?

Result of Server Impersonation Attack

r1

M1 , M2

TiSearch database,

Search…

Search….

But,

[(si,ti)new, (si,ti)old]

Server [t’]

Who are

you?

It’s me, Ti….I was

changed by Attacker.

Tag Impersonation Attack

r1

’M1’, M2’

r1

M1, M2

M3

Yeah, you are Ti.

I’m serve

r'M M

rr 'MM

22

11

'11

I’m tag Ti

Ti

Result ?

Vulnerability Analysis

baba :

>> :

S >> l/2 = [S]R || [S]L

Modified Song-Mitchell Protocol

)||( 212 rrfM it

)||( 112 tMrfM t

srhM )2(3

)( 23 rhMsi

Song's secret update protocol

ti ti’

De-Synchronization Attack

r1 , M1, M2

r2’, M3’

Ti

r1 , M1’ , M2’

Update Ti’s secret

to ti’

Ti

L1R2L1R2

R1L2R1L2

l 1

]'[M][M][M]'[M

]'[M][M][M]'[M

1} {0, 'M

R

Updates to ti’’

Modified Tag Update Protocol

)'()(2 inewi thsM

)'(2 ii thMs

Conclusions Song-Mitchell mutual authentication protocol

Tag secret update protocol

Server impersonation attack

Tag impersonation attack

De-synchronization attack

Discussion

F denotes a computationally complex function such as hash and keyed hash, and k is an integer between 1 and 2N

• Performance

• Formal Proof

Will be given in our future work.

Q & A?

Thank you!

Shaoying Cai:

sycai@smu.edu.sg