Wireless Pers Commun
DOI 10.1007/s11277-013-1552-7

Simulation-Based Traceability Analysis of RFID Authentication Protocols

Mahdi R. Alagheband · Mohammad R. Aref

© Springer Science+Business Media New York 2013

Abstract Nowadays low-cost RFID systems have moved from obscurity into mainstream applications, which causes growing security and privacy concerns. Lightweight cryptographic primitives and authentication protocols are indispensable requirements for these devices to become pervasive. In recent years, there has been an increasing interest in the intuitive analysis of RFID protocols. This approach has recently been challenged by formal privacy models. This paper investigates how to analyse and solve privacy problems in a formal model. First, we highlight some vague drawbacks, especially in forward and backward traceability analysis, and extend it in the simulation-based privacy model family. Then, the privacy weaknesses of three newly proposed RFID authentication protocols are analysed in formal privacy models and three improved protocols are proposed to prevent the aforementioned attacks.

Keywords RFID systems · Privacy models · Authentication protocol · Traceability

1 Introduction

The use of radio frequency identification (RFID) systems commenced in World War II, when the identify friend or foe (IFF) system was deployed [1]. An RFID system usually consists of a large number of passive tags, readers, and one back-end server. RFID technology generally provides short-distance wireless communication between the readers and the tags in varied applications such as biometric passports, enhanced driver licenses, pass checking in supply chains, ticketing in public transportation, anti-theft cars, e-health, etc. [2–4].

M. R. Alagheband (B)
Department of Electrical Engineering, Shahre Rey Branch, Islamic Azad University, Tehran, Iran
e-mail: [email protected]

M. R. Aref
Information Systems and Security (ISSL) Laboratory, Electrical Engineering Department, Sharif University of Technology, Tehran, Iran
e-mail: [email protected]

123

M. R. Alagheband, M. R. Aref

Table 1 List of notations

Notation     Description
PRNG         Pseudo random number generator
E_k(.)       Encryptor with the key k
D_k(.)       Decryptor with the key k
H(.)         The one-way hash function
H_k(.)       The keyed hash function with the key k
a ⊕ b        XOR operation of a and b
a‖b          Concatenation of a and b
n            The product of two large primes, p and q
T_r and T_s  Current timestamp at the reader or tag
⊞            Modulo 2^16 addition operator
T            The tag
R            The reader
A            An adversary
ID           The tag identifier
K            Shared secret key between tag and reader
r and s      Random numbers
n′           The length of the key table
IV           Initial vector of symmetric ciphers
RS           Internal state of register
N            The number of RFID tags in a system

Although RFID systems are now one of the most popular technologies, they suffer from intrinsic restrictions on memory and computation capabilities. RFID is susceptible to tracing, replay attacks, counterfeiting, denial of service, and physical tampering (reverse engineering of tags) [5]. It is undeniable that a secure and private RFID authentication protocol is essential to prevent these attacks.

Using strong cryptographic elements such as standard block ciphers, hash functions, and public key cryptography schemes is not acceptable on such tags. Therefore, to provide security and privacy, RFID authentication protocols are inevitably designed from lightweight cryptographic elements such as bitwise operations, pseudo random number generators, lightweight symmetric ciphers and hash functions [6–10]. Many RFID authentication protocols are compliant with electronic product code (EPC) standards [11,12], which constrain protocols to apply only cyclic redundancy checks (CRCs) and pseudo random number generators (PRNGs) on RFID tags. For the sake of simplicity, the notations used throughout this paper are presented in Table 1.

On the other hand, many proposed RFID authentication protocols have been analysed via ad hoc methods, but not all of their drawbacks have been discovered. Hence, there is no doubt that we require a formal method to discover the privacy and security drawbacks, particularly information leakage and traceability, in lightweight RFID authentication protocols [13].

In recent years, there has been an increasing amount of literature on RFID privacy models. In 2005, Avoine et al. [14–16] introduced the first privacy model based on the untraceability notion for RFID protocols. Avoine's model is only able to consider 3-flow RFID protocols and therefore cannot highlight possible privacy attacks in all protocols. Afterwards, Lim and Kwon [17] extended Avoine's approach to introduce a formal definition of forward and backward untraceability. Moreover, Juels and Weis [18] proposed another privacy model based on indistinguishability of the tags. In 2008, Ouafi and Phan [19,20] published papers in which a more practical and understandable version of Juels's model was described.

An RFID privacy model based on zero-knowledge was introduced by Deng et al. [21]. Although they claimed that the zero-knowledge based model is stronger compared to the Juels–Weis and Ouafi–Phan models, in 2012 Moriyama et al. [22] proved that these models have equivalent ability in privacy analysis.

In ASIACRYPT 2007, Vaudenay proposed the first simulation-based model that not only allows the adversary to create fake tags, but also classifies the adversary's ability into 2 × 4 categories [23,24]. Although there is an ambiguous relationship between Vaudenay's model and the forward/backward traceability notion, regarding some points in Sect. 2.6, Vaudenay's model is still almost the most complete model. These points impose no functionality changes on Vaudenay's model. Thus, in the following, we analyse some newly proposed RFID protocols based on the Vaudenay formal privacy model.

The rest of this paper is organized as follows: Sect. 2 elaborates Vaudenay's privacy model and its pros and cons. Although Vaudenay's model contains worthwhile and unique features, we highlight some vague drawbacks, especially in forward and backward traceability analysis, and extend it. Then, three recently proposed protocols in [25–27] are analysed and modified via nine theorems in Sects. 3, 4 and 5, respectively. We compare the protocols with the improved versions and evaluate their performance in Sect. 6. Finally, the conclusion is presented in Sect. 7.

2 Privacy Models

Privacy models are utilized to consider possible vulnerabilities of RFID via some queries to the oracles. In this section, we review the existing simulation-based privacy models.

Vaudenay's model is one of the most complete and powerful models so far. Since the tags are not tamper-proof, the powerful malicious adversary of Vaudenay's model can eavesdrop on and interfere with all the communications, corrupt all the tags, and reveal both the related keys and initial states. However, strongly private authentication protocols prevent the adversary from tag tracing, identification, information leakage, and linking tags. Only in this model can every tag be free or drawn and the adversary's identity for a tag be temporary; also, the adversary can create fake tags. In this section, after giving basic definitions and assumptions, the Vaudenay simulation-based model is criticized. The mentioned weaknesses only alter the pre-assumptions of Vaudenay's model, particularly in forward/backward traceability analysis, and practically do not impose any change on the model. Therefore, the original Vaudenay model with revised assumptions is applied for analysis in the next sections.

2.1 Basic Definitions

An RFID system comprises numerous tags and a few readers. T is a passive, battery-less transponder with a few distinctive keys and an ID. Tamper resistance of RFID tags is very uncertain and questionable. Hence, the rewritable memory of tags is not tamper-resistant and is vulnerable to corruption by A. RFID tags are only able to perform lightweight cryptographic primitives. T and R communicate via an insecure RF interface. T can only operate inside R's communication field. R is a device with some transceivers that has a secure connection to the back-end server. R's first task is to authenticate legitimate tags for mutual interaction. The reader has the keys and the identity of every T in its database.

Definition 1 (RFID framework) Every RFID system performs the following algorithms [23,28]:

• SetupReader(1^k) generates all the essential system parameters, including public/private key pairs depending on the security parameter k, for a secure connection with the server.
• SetupTag(ID) is utilized to generate the tag secret key K_T and initial state S via the system parameters. The created K_T and S should be stored in R's database as well.
• Protocol is a polynomial-time, consecutive, and interactive message exchange between T and R governing the authentication process.

2.2 Adversary Oracles

In Vaudenay's model, the link between the reader and the database is secure. However, A has permission to run the following queries for privacy analysis.

• CreateTag_b(ID) creates a free tag with unique T_ID from the set of tags built by SetupTag(ID_i) (1 ≤ i ≤ n). T is either fake (b = 0) or legitimate (b = 1).
• DrawTag() randomly conveys one T from the set of free tags to the set of drawn tags as vtag. It also outputs the bit b to indicate whether the drawn tag is legitimate or not. Subsequently, the pair (vtag, ID) is registered in R's database (DB).
• Free(vtag) returns the vtag to the set of free tags. Therefore, A cannot access the vtag again unless it is drawn again via DrawTag() under a new identifier vtag′. In fact, a tag can be free or drawn at any time, and it has two temporary identities provided that the same tag with T_ID is drawn, freed, and drawn. Moreover, the related ID is deleted from DB(vtag) as well.
• Launch() → π gives permission to R to begin a new session of protocol π.
• SendReader(m, π) → m′ sends message m to R in protocol instance π. m′ is returned as a unique and unrepeatable response.
• SendTag(m, vtag) → m′ sends the message m to the T_ID which is identified as vtag for A and responds with m′.
• Result(π) outputs 1 if the session π is successfully completed or 0 otherwise.
• Corrupt(vtag) → S returns the initial states and secret keys of the tag vtag.

2.3 Adversary Class

An adversary is a polynomial-time algorithm against the RFID system S that can arbitrarily utilize the oracles mentioned in Sect. 2.2. The adversary's ability is classified into 2 × 4 categories [23,24] ({Wide, Narrow} ∪ {Weak, Forward, Destructive, Strong}) based on access to the Result and Corrupt oracles:

• Strong A has access to all eight oracles without any restrictions.
• Destructive A destroys the corrupted tag. It does not have permission to query any oracle after sending the first Corrupt() to vtag. However, A can use the corrupted information against the other tags.
• Forward A is restricted to using Corrupt only once, as the last oracle.
• Weak A cannot access Corrupt at all.

Orthogonal to the four classes:
• Narrow A is not able to use the Result oracle.
• Wide A has access to R's verification result, as opposed to Narrow.

It is open-and-shut that Weak ⊆ Forward ⊆ Destructive ⊆ Strong. Regarding the broad range of A's ability from Narrow−Weak to Wide−Strong, the Vaudenay-based models [21,23,24,28,29] are the so-called simulation-based models.
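To make the oracle interface of Sect. 2.2 and the class restrictions of Sect. 2.3 concrete, the following added Python sketch (not from the paper) models the free/drawn tag sets, the temporary vtag identifiers, and an oracle gate that refuses the calls a Weak, Forward, Destructive or Narrow adversary may not make. The protocol messages themselves are left out; the hidden table tau kept for the analysis phase, the class names as strings, the `denied` helper and the PermissionError signalling are this example's own conventions.

```python
import secrets

# The four corruption classes, ordered Weak ⊆ Forward ⊆ Destructive ⊆ Strong (Sect. 2.3).
LEVELS = ("Weak", "Forward", "Destructive", "Strong")


class RFIDSystem:
    """Tag bookkeeping of the model (constructed toy, not a protocol implementation):
    a tag is either free or drawn, and a drawn tag is reachable only through a
    temporary identifier vtag. The hidden table tau records every (vtag, ID) pair so
    that tau(vtag) can be looked up in the analysis phase, as the proofs do (assumption)."""

    def __init__(self):
        self.tags = {}          # TID -> {"ID", "legit", "state"}
        self.free_tags = []     # TIDs currently in the free set
        self.drawn = {}         # vtag -> TID for tags currently drawn
        self.tau = {}           # hidden table: vtag -> ID (revealed only in the analysis phase)
        self.destroyed = set()  # TIDs destroyed by a Destructive adversary's Corrupt
        self._next_vtag = 0

    def create_tag(self, tag_id, legit=1):
        """CreateTag_b(ID): b = 1 legitimate tag, b = 0 fake tag."""
        tid = "T%d" % len(self.tags)
        self.tags[tid] = {"ID": tag_id, "legit": legit, "state": secrets.token_hex(8)}
        self.free_tags.append(tid)
        return tid

    def draw_tag(self):
        """DrawTag(): move one random free tag to the drawn set under a fresh vtag;
        return (vtag, b). Destroyed tags are never drawn again."""
        candidates = [t for t in self.free_tags if t not in self.destroyed]
        if not candidates:
            return None
        tid = candidates[secrets.randbelow(len(candidates))]
        self.free_tags.remove(tid)
        self._next_vtag += 1
        vtag = "vtag%d" % self._next_vtag
        self.drawn[vtag] = tid
        self.tau[vtag] = self.tags[tid]["ID"]
        return vtag, self.tags[tid]["legit"]

    def free(self, vtag):
        """Free(vtag): the tag returns to the free set and the old vtag stops working;
        re-drawing the same TID later yields a different vtag'."""
        tid = self.drawn.pop(vtag)
        self.free_tags.append(tid)

    def corrupt(self, vtag):
        """Corrupt(vtag): hand over the tag's secret state."""
        return self.tags[self.drawn[vtag]]["state"]


class Adversary:
    """Oracle gate for one of the 2 x 4 classes: {Narrow, Wide} x LEVELS."""

    def __init__(self, system, level, wide):
        if level not in LEVELS:
            raise ValueError(level)
        self.sys, self.level, self.wide = system, level, wide
        self.finished = False   # Forward: Corrupt must be the last oracle call
        self.log = []           # oracle calls made so far (attack-phase transcript)

    def _gate(self, name, vtag=None):
        if self.finished:
            raise PermissionError("Forward adversary: no oracle allowed after Corrupt")
        if vtag is not None and self.sys.drawn.get(vtag) in self.sys.destroyed:
            raise PermissionError("Destructive adversary: this tag was destroyed by Corrupt")
        self.log.append(name)

    def create_tag(self, tag_id, legit=1):
        self._gate("CreateTag")
        return self.sys.create_tag(tag_id, legit)

    def draw_tag(self):
        self._gate("DrawTag")
        return self.sys.draw_tag()

    def free(self, vtag):
        self._gate("Free", vtag)
        self.sys.free(vtag)

    def result(self, session_accepted):
        """Result(pi): only a Wide adversary learns whether the reader accepted."""
        self._gate("Result")
        if not self.wide:
            raise PermissionError("Narrow adversary: Result oracle not available")
        return 1 if session_accepted else 0

    def corrupt(self, vtag):
        """Corrupt(vtag) under the class restrictions of Sect. 2.3."""
        self._gate("Corrupt", vtag)
        if self.level == "Weak":
            raise PermissionError("Weak adversary: Corrupt oracle not available")
        state = self.sys.corrupt(vtag)
        if self.level == "Forward":
            self.finished = True
        elif self.level == "Destructive":
            self.sys.destroyed.add(self.sys.drawn[vtag])
        return state


def denied(call, *args):
    """Return True when the oracle call is refused for this adversary class."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False
```

A Weak adversary can only draw, free and talk to tags; a Forward adversary's first Corrupt closes the attack phase; a Destructive adversary loses the corrupted tag but keeps querying the others; and the Narrow/Wide bit decides whether Result answers at all. This is exactly the access pattern the proofs in Sects. 3 to 5 rely on when they name the privacy level an attack breaks.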

Definition 2 (Privacy levels) [13,30]. Let X be an adversary class according to Sect. 2.3. The RFID system S is X-private if the same X-level A can win the privacy experiment only with negligible probability. The relations between privacy levels are described below (N. stands for Narrow):


The Nil privacy level is dedicated to protocols that do not provide any privacy level [30].

2.4 Privacy Experiment

Vaudenay's simulation-based privacy game consists of two parts, the attack and analysis phases. In the attack phase, A is able to query oracles according to the adversary class X. In the analysis phase, A receives R's database (DB) related to the vtags, which has been hidden from it until this phase. Then it outputs true or false. As long as the outcome is true with more than negligible probability, the adversary succeeds. Otherwise, the related A is trivial and the authentication protocol supports the X-privacy level.

Definition 3 (Privacy) A blinded adversary A^B does not have access to Launch, SendReader, SendTag, and Result. It can only query the Corrupt oracle. Then, if $|\Pr(\mathrm{Exp}^{A}_{S}\ \text{succeeds}) - \Pr(\mathrm{Exp}^{A^B}_{S}\ \text{succeeds})|$ is negligible, A is called a trivial A depending on the related adversary class. Privacy relies on the success probability of the trivial adversary.

Therefore, since A^B is not permitted to execute protocols, the trivial adversary indicates the information leakage ratio in the wireless channel. Intuitively, since tag corruption is exactly the same as privacy compromising, if both A and A^B produce the same output, the adversary is trivial and the protocol is X-private. The adversary's ability in the privacy analysis (Theorems 1–9) is equivalent to the highest related privacy level. Indeed, an RFID authentication protocol is X-private provided the X-level A could not win the privacy experiment with more than negligible probability.

2.5 Simulation-Based Privacy Models

After Vaudenay's model, in recent years, there has been an increasing amount of literature extending it. In this part, we survey the seminal simulation-based privacy models and analyze their pros and cons.

Despite the fact that the adversary in Vaudenay's model is only allowed to create unregistered fake tags, the model has no precise definition for the privacy notion [13]. For instance, although the majority of privacy concepts such as traceability and forward/backward traceability [19,20] can be simulated via this model, there is an inconsistency with the adversary's abilities.

Moreover, Vaudenay's analysis does not take account of reader authentication to tags. In 2008, Paise and Vaudenay [24] enriched the model to get secure mutual authentication. Indeed, T can accept or reject a legitimate R. Armknecht et al. [31,32], however, claim that the Paise and Vaudenay improvement could not guarantee both the strongest privacy notions and reader authentication together. More recent arguments against Armknecht's viewpoint have been summarised in [33]. Not only are the privacy definition and the adversary goal presented by Armknecht et al. completely different from the Paise–Vaudenay ones, but also the highest achievable privacy level is Narrow−Weak, not Strong.

In 2010, Canard et al. [34] proposed another Vaudenay-based model only for untraceability examination. Contrary to Vaudenay's model, the adversary classes are decreased from 8 to 3 levels. The authors, with the aid of the notion of non-obvious link (NOL) and a dummy A instead of the blinder A, recommend a formal untraceability analysis routine. Nevertheless, this method contains a number of limitations. Perhaps the most serious disadvantage of this method is that no Narrow adversary is applied; thus many protocols are regarded as untraceable.

Following Vaudenay's model, Hermans et al. [28] propose a new indistinguishability-based privacy model. Although Vaudenay derived that Wide−Strong privacy is impossible even with IND-CCA public key cryptosystems, they proved that the Wide−Strong privacy level is accessible via public key cryptography even though the related oracles are quite similar to Vaudenay's model.

Although Hermans et al. recently assert that their model does not suffer from the identified drawbacks, it has several defects: (1) DrawTag is only applicable to two tags (T_i, T_j); in fact A is constrained to opt just between the two drawn tags; (2) the adversary cannot create fake tags; (3) the Corrupt oracle is not authorized on the drawn tags; (4) similar to Vaudenay's model, it still has a vague privacy notion [13]. On the whole, as the authors mentioned, this refurbished version of Vaudenay's model does not take into account the attributes that might leak private information. Hermans et al. practically perform a trade-off between A's power and achievable privacy levels.

On the other hand, as it is impossible to achieve the strongest privacy level of Vaudenay's model (Wide−Strong), several adaptations have been performed lately. Ng et al. [29] restrain the adversary to a Wise adversary, which is not able to utilize the same oracle again with the same input, and categorize the eight privacy levels of Vaudenay's model into three levels. Although they proved that it is possible to achieve strong privacy, the adversary's ability is indeed restricted to the wise level compared with A of Vaudenay's model. Additionally, Armknecht et al. also show the impossibility of reader authentication combined with strong privacy.

Afterwards, Avoine et al. [35] highlight a notion about R's computational time in Vaudenay's model with the new TimeFul oracle. Since the tags have to constantly send time-variant information to R owing to the untraceability characteristic, the reader needs to carry out an exhaustive search procedure in its DB. The search time that R requires to authenticate T is regularly fixed. Therefore, A can find the given T provided it measures that time itself via the TimeFul oracle. Thus, apart from Narrow, the four privacy levels can be TimeFul (e.g. TimeFul−Strong). Although it is an important issue for private protocols, it needs further information leakage, as side-channel information, from R to A.

2.6 Forward/Backward Untraceability Notions

In this section we revisit the forward and backward untraceability (UNT) notions in Vaudenay's model. Forward- and backward-UNT should not be regarded as a kind of traceability attack. However, all of them can be considered as location privacy notions. Not only does A lack the Corrupt oracle in the notion of a traceability attack, but the traceability analysis is also only executed at the present time. To find traceability vulnerabilities, A only has permission to perform both active and passive attacks in the attack phase without the Corrupt oracle. Then, after receiving DB in the analysis phase, it should distinguish the original T among the set of tags.

The notion of forward untraceability, which is essential for private ownership transfer of RFID tags, is defined as: even if a tag is corrupted at session r, leaking its stored secret, it should be impossible for the Strong adversary to trace the tag at a session r′ with r′ ≥ r + 2 [20,36].


In contrast, the notion of backward untraceability (forward privacy) is related to the time prior to the tag corruption. Backward untraceability states that even if given all the internal states of a tag at session r, the Strong adversary should not be able to identify the target tag's interactions that occurred at a session r′ with r′ < r′′ [36]. In fact, A desires to trace the path paced in the past by corruption in the current session. Finally, the experiments $\mathrm{Exp}^{\mathrm{Forward}}_{S,A}(k)$ or $\mathrm{Exp}^{\mathrm{Backward}}_{S,A}(k)$ succeed as long as A returns true.

In 2011, Akgün and Çaglayan [37] applied Vaudenay's model for forward untraceability consideration of three symmetric lightweight RFID authentication protocols. Vaudenay proved that only public key cryptography can guarantee the highest level of feasible privacy ([Narrow]-Strong privacy) and symmetric cryptography-based protocols can achieve at most either the Destructive or the Forward privacy level [23,24]. Since Akgün and Çaglayan utilize the Strong adversary to analyse symmetric lightweight protocols, it seems that their understanding of the Vaudenay framework is highly questionable. There is no way to apply a Strong A to protocols with Destructive or Forward privacy levels.

Moreover, Ng et al. classify the mutual synchronized RFID authentication protocols based on their constructions. They mention that a Narrow−Forward A against symmetric mutual protocols with a key updating procedure and no access to the Corrupt and Result oracles succeeds in winning $\mathrm{Exp}^{\mathrm{N.-Forward}\,A}_{S}(k)$ with overwhelming probability [30]. Thus the protocols are only able to achieve Weak, Narrow−Weak, or Nil privacy levels, and forward/backward untraceability consideration is impractical.

On the other hand, Ouafi and Phan in [19,20] defined a modified version of [36] based on Juels's model [18]. In contrast to Vaudenay's model, this IND-based model gives permission to A to find forward/backward traceability vulnerabilities independently of both A's strength and the traceability analysis outcomes.

For instance, assume symmetric protocol A is weak against both forward traceability and traceability attacks, and symmetric protocol B resists the forward traceability attack but is vulnerable to the traceability attack in the IND-based Ouafi model. Nevertheless, Vaudenay's model claims that protocols A and B ensure only either Narrow−Weak or Nil privacy levels. Therefore, although Vaudenay's model has good unique features associated with the present time, unlike Ouafi's it cannot distinguish between A and B and needs to be amended with Ouafi's forward/backward-UNT notions in the past and future. Perhaps this is the most serious disadvantage of Vaudenay's method. Although Vaudenay's model seems to be a comprehensive model, there is this subtle distinguishing advantage of IND-based models (e.g. Ouafi) compared with simulation-based models (e.g. Vaudenay). Hence the pre-assumption of Vaudenay's model should be relaxed to compensate for its drawback in forward/backward analysis.

In a nutshell, at first glance Akgün and Çaglayan wrongly used Vaudenay's model because they did not mention this faint drawback. This finding, while preliminary, suggests that Vaudenay's model is able to simulate forward/backward-UNT notions regardless of the achievable privacy level, because the privacy notions of all the IND-based models can be simulated through it. Thus, we practically apply Vaudenay's model without functionality changes but with a different interpretation of its pre-assumptions.

For more readability, the mentioned privacy models are compared in Table 2 according to [13]. As can be seen, Vaudenay's model has noticeable advantages. In the following sections, the traceability notions are simulated by means of Vaudenay's model with assumptions inspired by Ouafi's model. We analyse three newly proposed symmetric RFID authentication protocols. Not only do we clearly prove that all three of these protocols suffer from traceability attacks, but the mentioned weaknesses are also alleviated in the improved protocols.


Table 2 The comparison of presented privacy models [13]

Property                     Avoine [16]   Ouafi [20]   Vaudenay [23]   HPVP [28]   CCEG [34]
A creates fake T             ×             ×            √               ×           ×
A corrupts any T             ×             ×            √               √           √
Narrow/Wide                  Narrow        Narrow       Both            Both        Wide
Simulator/blinder defined    ×             ×            √               √           √
Forward/backward analysis    ×             ×            N/A             N/A         N/A
Privacy levels               2             2            8               8           4

Fig. 1 The NRS protocol [25]

3 The NRS Protocol

Fernando and Abawajy [25] proposed a lightweight RFID authentication protocol, called NRS, based on the EPCglobal Class-1 Generation-2 standard [11,12]. NRS uses only a hash function and the XOR operation. Figure 1 displays the detailed interaction flows of the NRS authentication protocol. Although the authors claim that NRS is immune to security and privacy attacks, we prove that NRS suffers from both traceability and forward/backward traceability attacks.

Theorem 1 The NRS protocol does not support even Narrow − Forward privacy.

Proof To prevent the desynchronization attack, NRS contains reader authentication and key updating; however, it achieves at most the Weak privacy level. First, A obtains M_1, M_2 and M_3 related to ID_b and blocks M_3 in the attack phase. Then, Corrupt(vtag′) is queried as the last oracle. After receiving DB in the analysis phase, A is able to compute M_3^b by means of the corrupted keys. It terminates the attack and outputs the bit x. The attack fails only with negligible probability, namely when the secrets of T_ID0 and T_ID1 happen to be the same. Since there is just one-time access to Corrupt(vtag′) as the last query and no access to Result(π), this is a Narrow−Forward privacy level attack.

CreateTag(ID_0), CreateTag(ID_1)
vtag ← DrawTag()
π^i ← Launch
M_1^i, M_2^i ← SendReader(π^i, Init, ID)
M_3^i ← SendTag(vtag, M_1^i, M_2^i)
Free(vtag)                                   The i-th session is incomplete.
vtag′ ← DrawTag()
K1_x, K2_x, EPC_x ← Corrupt(vtag′)
The queries are ended; receive τ(vtag) = ID_b
r_x^i = M_2^i ⊕ K1_x and M_3^b = H(EPC_x ⊕ K2_x ⊕ r_x^i)
If M_3^b = M_3^i then x = b, otherwise x = |1 − b|
Output whether τ(vtag′) = ID_x    □

Theorem 2 The NRS protocol is traceable and only Nil-private.

Proof Although A is not permitted to apply Corrupt and Result based on the traceability definition, the NRS protocol is still traceable just by means of active and passive attacks. Generally, every traceable protocol has no privacy level (Nil). A eavesdrops on the whole of one session and, in the third flow toward T, modifies M_4 and M_5 to two random numbers (r_{m4}, r_{m5}). Then, in the analysis phase, M_1 and M_2 are sent again to vtag′. It is not hard to see that vtag′ is exactly the same as vtag provided M′_3 = M_3, and vice versa.

CreateTag(ID_0), CreateTag(ID_1)
vtag ← DrawTag()
π ← Launch
M_1, M_2 ← SendReader(π, Init, ID)
M_3 ← SendTag(vtag, M_1, M_2)
M_4, M_5 ← SendReader(π, M_3)
A chooses 2 random numbers r_{m4} and r_{m5}
Null ← SendTag(vtag, r_{m4}, r_{m5})
Free(vtag)
vtag′ ← DrawTag() between the 2 tags
M′_3 ← SendTag(vtag′, M_1, M_2)
The queries are ended; receive τ(vtag) = ID_b
If M′_3 = M_3 then x = b, otherwise x = |1 − b|    □

Theorem 3 The NRS protocol does not provide forward untraceability.

Proof A makes Corrupt(T_b) to obtain K1_i, K2_i, ID_i, and EPC. Then,

$K1_{i+1} = (K1_{i,\mathrm{right}} \,\|\, K2_{i,\mathrm{left}}) \oplus r_2 \quad \text{and} \quad K2_{i+1} = (K2_{i,\mathrm{right}} \,\|\, K1_{i,\mathrm{left}}) \oplus r_2$

$\Rightarrow K1_{i+1} \oplus K2_{i+1} = (K1_{i,\mathrm{right}} \,\|\, K2_{i,\mathrm{left}}) \oplus (K2_{i,\mathrm{right}} \,\|\, K1_{i,\mathrm{left}}) = (K1_{i,\mathrm{right}} \oplus K2_{i,\mathrm{right}}) \,\|\, (K2_{i,\mathrm{left}} \oplus K1_{i,\mathrm{left}}) = (K1_i \oplus K2_i)_{\mathrm{right}} \,\|\, (K2_i \oplus K1_i)_{\mathrm{left}}$ (1)

Subsequently,

$K1_{i+2} \oplus K2_{i+2} = (K1_{i+1,\mathrm{right}} \oplus K2_{i+1,\mathrm{right}}) \,\|\, (K2_{i+1,\mathrm{left}} \oplus K1_{i+1,\mathrm{left}}) = (K1_{i+1} \oplus K2_{i+1})_{\mathrm{right}} \,\|\, (K2_{i+1} \oplus K1_{i+1})_{\mathrm{left}} = (K1_i \oplus K2_i)_{\mathrm{left}} \,\|\, (K1_i \oplus K2_i)_{\mathrm{right}} = K1_i \oplus K2_i$ (2)

Since K1_{i+1} ⊕ K2_{i+1} is independent of any random number, we have shown that K1_{i+2} ⊕ K2_{i+2} is simply computable via corruption of K1_i and K2_i in session i.

Regarding this drawback, NRS is vulnerable to the forward traceability attack. After vtag corruption in the attack phase of the experiment, A queries the Execute oracle in session i + 2 to obtain $M_1^{i+2}$, $M_2^{i+2}$, and $M_3^{i+2}$. Later, A randomly sends DrawTag(ID_c) between ID_0 and ID_1 (c ∈ {0, 1}) and mostly chooses the i + 2 time interval for the analysis phase. Related to vtag_x, it can compute $Y = K^{i+2}_{2x} \oplus r^{i+2}_x = M^{i+2}_{2x} \oplus K^{i+2}_{1x} \oplus K^{i+2}_{2x}$. Finally, the related T is distinguished by means of $M_3^{i+2}$.

CreateTag(ID_0), CreateTag(ID_1)
vtag ← DrawTag()
K1_c^i, K2_c^i, ID_c^i ← Corrupt()
Free(vtag)
vtag_x ← DrawTag(ID_c)
A chooses another time interval I ≥ (i + 2)-th session (generally I = [i + 2])
π_{i+2} ← Launch
M_1^{i+2}, M_2^{i+2} ← SendReader(π_{i+2}, Init)
M_3^{i+2} ← SendTag(vtag_x, M_1^{i+2}, M_2^{i+2})
If H(EPC ⊕ Y) = M_3^{i+2} then x = c, otherwise x = |1 − c|    □

Theorem 4 The NRS protocol is backward traceable as well.

Proof This attack is quite similar to forward traceability. However, the notion of backward untraceability (forward privacy) is related to the time prior to the corruption of the tag. The adversary receives T_b's secrets and computes $H(EPC \oplus K^{i-1}_2 \oplus r^{i-1})$ to compare with $M^{i-1}_3$. Similar to Eq. (1), $K^{i-1}_1 \oplus K^{i-1}_2$ is computable as follows:

$K^i_1 \oplus K^i_2 = (K^{i-1}_1 \oplus K^{i-1}_2)_{\mathrm{right}} \,\|\, (K^{i-1}_2 \oplus K^{i-1}_1)_{\mathrm{left}} \;\Rightarrow\; K^{i-1}_1 \oplus K^{i-1}_2 = (K^i_1 \oplus K^i_2)_{\mathrm{right}} \,\|\, (K^i_1 \oplus K^i_2)_{\mathrm{left}}$ (3)

CreateTag(ID_0), CreateTag(ID_1)
vtag ← DrawTag()
K1_c^i, K2_c^i, ID_c^i ← Corrupt()
Free(vtag)
vtag_x ← DrawTag(ID_c)
A chooses another time interval I ≤ (i − 1)-th session (generally I = [i − 1])
π_{i−1} ← Launch
M_1^{i−1}, M_2^{i−1} ← SendReader(π_{i−1}, Init)
M_3^{i−1} ← SendTag(vtag_x, M_1^{i−1}, M_2^{i−1})
Z = M_{2x}^{i−1} ⊕ K_{1x}^{i−1} ⊕ K_{2x}^{i−1} = K_{2x}^{i−1} ⊕ r^{i−1}
If H(EPC ⊕ Z) = M_3^{i−1} then x = c, otherwise x = |1 − c|

Eventually, it is clear that Pr[A succeeds] = 1 but Pr[A^B succeeds] = 1/2, because A^B could not eavesdrop on the protocol's flows. Thus, since the adversary is not trivial, the backward traceability attack is applicable to NRS as well:

$\Pr[A \text{ succeeds}] - \Pr[A^B \text{ succeeds}] \gg \varepsilon. \quad \square$

3.1 The Improved NRS

As aforementioned, NRS suffers from both traceability and forward/backward traceability attacks. The vulnerability of the protocol arises because T does not make any contribution to the randomness of the NRS protocol. The simplest and most logical way to restrain traceability is using a PRNG. Due to the fact that the PRNG is not utilized anywhere else on the tag's side of the NRS protocol, and a PRNG also imposes noticeable computational and memory overhead on the tags, that solution is irrational. Thus, one more bit α assists us in preventing traceability. T sets α = 0 at the end of a correct key updating phase. At the same time and prior to computing M_3 (flow 2), α is checked. If α ≠ 0, flow 3 (M_4 ‖ M_5) was modified in the last session and T computes M̃_3 = H(H(EPC) ⊕ K2 ⊕ r) rather than M_3; otherwise T computes M_3 and sets α = r. On the other side, R computes C_2 to compare with M̃_3 as long as C_2 ≠ M_3. If A repeats the previous attack scenario two times, the traceability of the tag is impractical in the improved NRS protocol because R synchronizes the keys with ID_old, K1_old, and K2_old in every session for prevention of the attack.

Furthermore, lack of correlation between K1new ⊕ K2new and random numbers randr2

causes forward/backward traceability. As an alleviation, T should update the common keysas below in every session:

K1new = H [(K1right ‖ K2left)⊕ r2] and K2new = H [(K2right ‖ K1left)⊕ r2]

Proof
CreateTag($ID_0$), CreateTag($ID_1$)
$vtag \leftarrow$ DrawTag()
$\pi \leftarrow$ Launch
$M_1, M_2 \leftarrow$ SendReader($\pi$, Init, $ID$)
$M_3 \leftarrow$ SendTag($vtag$, $M_1$, $M_2$)
$M_4, M_5 \leftarrow$ SendReader($\pi$, $M_3$)
$\mathcal{A}$ chooses two random numbers $r_{m_4}$ and $r_{m_5}$
Null $\leftarrow$ SendTag($vtag$, $r_{m_4}$, $r_{m_5}$)
Free($vtag$)
$vtag' \leftarrow$ DrawTag() between the two tags
$\bar{M}_3 \leftarrow$ SendTag($vtag'$, $M_1$, $M_2$) (since $\alpha \neq 0$)
The queries are ended; receive $\tau(vtag) = ID_b$
Since $\bar{M}_3 \neq M_3$, $\mathcal{A}$ is not able to trace $vtag'$, and eventually $\Pr[\mathcal{A} \text{ succeeds}] - \Pr[\mathcal{A}_B \text{ succeeds}] \leq \varepsilon$ in the Improved-NRS protocol. ∎
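The backward traceability step of the NRS game and the key update of Sect. 3.1, simulated side by side as an added example (this is my code, not the paper's or the NRS authors'). It assumes, beyond what the page states, that the original NRS update is $K_{1new} = K_{1right} \,\|\, K_{2left}$, $K_{2new} = K_{2right} \,\|\, K_{1left}$ (the un-hashed, un-randomised form of the Sect. 3.1 rule, which is exactly the relation Eq. 3 expresses), that the flows are $M_2 = K_1 \oplus r$ and $M_3 = H(EPC \oplus K_2 \oplus r)$ as read off the derivation of $Z$ above, and that $H$ is SHA-256 truncated to the 128-bit key length:

```python
"""Added example: backward traceability from the NRS key-update structure (Eq. 3)
versus the randomised, hashed update of Sect. 3.1.  All concrete choices below
(half-swap update for NRS, M2/M3 shapes, SHA-256 as H) are assumptions."""
import hashlib
import random

KEY_LEN = 16  # bytes; keys, EPC and nonces all have this length (assumption)


def H(data: bytes) -> bytes:
    """Hash H(.) of the protocol, modelled as SHA-256 truncated to KEY_LEN."""
    return hashlib.sha256(data).digest()[:KEY_LEN]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def halves(k: bytes):
    return k[: KEY_LEN // 2], k[KEY_LEN // 2 :]


def nrs_update(k1: bytes, k2: bytes):
    """Assumed original NRS update: K1new = K1right||K2left, K2new = K2right||K1left."""
    k1l, k1r = halves(k1)
    k2l, k2r = halves(k2)
    return k1r + k2l, k2r + k1l


def improved_update(k1: bytes, k2: bytes, r2: bytes):
    """Sect. 3.1: K1new = H[(K1right||K2left) xor r2], K2new = H[(K2right||K1left) xor r2]."""
    k1l, k1r = halves(k1)
    k2l, k2r = halves(k2)
    return H(xor(k1r + k2l, r2)), H(xor(k2r + k1l, r2))


def previous_key_xor(k1_i: bytes, k2_i: bytes) -> bytes:
    """Eq. (3): K1^{i-1} xor K2^{i-1} = (K1^i xor K2^i)_right || (K1^i xor K2^i)_left."""
    left, right = halves(xor(k1_i, k2_i))
    return right + left


def tag_flow2(k1: bytes, k2: bytes, epc: bytes, r: bytes):
    """Assumed flow-2 messages: M2 = K1 xor r, M3 = H(EPC xor K2 xor r)."""
    return xor(k1, r), H(xor(xor(epc, k2), r))


def backward_trace(epc: bytes, k1_i: bytes, k2_i: bytes, m2_prev: bytes, m3_prev: bytes) -> bool:
    """The adversary's test from the game: Z = M2^{i-1} xor K1^{i-1} xor K2^{i-1},
    accept if H(EPC xor Z) == M3^{i-1}.  The previous key XOR is derived via Eq. (3)."""
    z = xor(m2_prev, previous_key_xor(k1_i, k2_i))
    return H(xor(epc, z)) == m3_prev


def backward_traceability_game(improved: bool, trials: int, seed: int = 7) -> float:
    """Two-tag game: returns the adversary's success rate (1.0 for NRS, ~0.5 improved)."""
    rng = random.Random(seed)
    rb = lambda: rng.getrandbits(8 * KEY_LEN).to_bytes(KEY_LEN, "big")
    wins = 0
    for _ in range(trials):
        # CreateTag(ID0), CreateTag(ID1): fresh EPC and key pair per tag (constructed)
        tags = [{"epc": rb(), "k1": rb(), "k2": rb()} for _ in range(2)]
        transcripts = []
        for t in tags:  # session i-1 of each tag; A records flow 2 and the key update runs
            r, r2 = rb(), rb()
            transcripts.append(tag_flow2(t["k1"], t["k2"], t["epc"], r))
            if improved:
                t["k1"], t["k2"] = improved_update(t["k1"], t["k2"], r2)
            else:
                t["k1"], t["k2"] = nrs_update(t["k1"], t["k2"])
        c = rng.randrange(2)  # vtag <- DrawTag(); Corrupt() yields K1^i_c, K2^i_c, ID_c
        epc, k1_i, k2_i = tags[c]["epc"], tags[c]["k1"], tags[c]["k2"]
        x = rng.randrange(2)  # vtag_x drawn; A examines its session-(i-1) flows
        m2, m3 = transcripts[x]
        guess = c if backward_trace(epc, k1_i, k2_i, m2, m3) else 1 - c
        wins += guess == x
    return wins / trials
```

With the half-swap update, `previous_key_xor` recovers $K_1^{i-1} \oplus K_2^{i-1}$ exactly, so `backward_traceability_game(False, n)` returns 1.0; with the Sect. 3.1 update the derived value is unrelated to the real previous keys, the check never passes, and the adversary is reduced to a coin flip (about 0.5).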


M. R. Alagheband, M. R. Aref

4 The FSA Protocol

He et al. [38] proposed a forward-secure protocol, but Zhu et al. [26] found its drawbacks and alleviated them in the improved forward-secure (FSA) protocol. The lightweight hash-based FSA protocol is depicted in Fig. 2.

Theorem 5 The FSA protocol does not even support Narrow-Forward privacy.

Proof Although FSA is traceable and Nil-private (see Theorem 6), it supports at most the Weak privacy level regardless of the traceability attack, analogous to the NRS protocol. First, $\mathcal{A}$ eavesdrops on the whole of one session and changes the third flow to random numbers. Then, since it can obtain $K_{ID_x}$ via corruption in the analysis phase, $h_1^i$ is computable and comparable with the $h_1^i$ revealed in the attack phase, and $\mathcal{A}$ succeeds with overwhelming probability. Since there is just one-time access to Corrupt($vtag'$) as the last query and no access to Result($\pi$), this is an attack on the Narrow-Forward privacy level.

CreateTag($ID_0$), CreateTag($ID_1$)
$vtag \leftarrow$ DrawTag()
$\pi^i \leftarrow$ Launch
$t_r^i, r_r^i \leftarrow$ SendReader($\pi^i$, Init)
$h_1^i, r_t^i \leftarrow$ SendTag($vtag$, $t_r^i$, $r_r^i$)
$h_2^i \leftarrow$ SendReader($\pi^i$, $h_1^i$, $r_t^i$)
Replace $h_2^i$ with a random number $s \neq h_2^i$
null $\leftarrow$ SendTag($vtag$, $s$)
Free($vtag$) (the update phase is not executed)
$vtag' \leftarrow$ DrawTag()
$K_{ID_x} \leftarrow$ Corrupt($vtag'$)
The queries are ended; receive $\tau(vtag') = ID_b$
$K_x^i$ is revealed. If $h_1^i = h_{1x}^i \leftarrow \{H_{K_x^i}(0, t_r^i, r_r^i)$ or $H_{K_x^i}(1, r_t^i, r_r^i)\}$ then $x = b$, otherwise $x = |1-b|$
Output whether $\tau(vtag') = ID_x$ ∎

Fig. 2 The FSA protocol [26]


Theorem 6 The FSA protocol is traceable and only Nil-private.

Proof $\mathcal{A}$ eavesdrops on flows 1 and 2 of one session. After receiving DB in the analysis phase, it queries SendTag to obtain $h_1', r_t'$ at $t_r'$, where clearly $t_r' > t_r$, with noticeably higher than negligible probability:

$\bigl(\Pr[\mathcal{A} \text{ succeeds}] = 1\bigr) - \bigl(\Pr[\mathcal{A}_B \text{ succeeds}] = \tfrac{1}{2}\bigr) > \varepsilon$

CreateTag($ID_0$), CreateTag($ID_1$)
$vtag \leftarrow$ DrawTag()
$\pi \leftarrow$ Launch
$t_r, r_r \leftarrow$ SendReader($\pi$, Init)
$h_1, r_t \leftarrow$ SendTag($vtag$, $t_r$, $r_r$)
Free($vtag$)
$vtag' \leftarrow$ DrawTag() randomly between the two tags
$h_1', r_t' \leftarrow$ SendTag($vtag'$, $t_r' > t_r$, $r_r$)
$t_r' > t_r \Rightarrow t_r' > t_t'$
If $h_1' = h_1$ then $x = b$, otherwise $x = |1-b|$
Output whether $\tau(vtag') = ID_x$ ∎

Although the traceability proof is rather similar to the proof of Theorem 5, the untraceability notion of the Ouafi model is generally lower than Vaudenay's forward privacy level because $T$ corruption is not utilized.

Theorem 7 The FSA protocol does not provide forward untraceability.

Proof $\mathcal{A}$ sends the Corrupt oracle to $T_c$ in session $i$. It can plainly compute the secret key of the corrupted tag in the future. So in session $i+2$, $\mathcal{A}$ obtains a transcript of the executed protocol between $T_c$ and $R$. The adversary can compute $h_{1x}^{i+2}$ and $h_{1x}'^{i+2}$ with the aid of $K_x^{i+2}$. If $h_1^{i+2} = h_{1x}^{i+2}$ or $h_1^{i+2} = h_{1x}'^{i+2}$, $vtag'$ is $T_c$; otherwise $T_{|1-c|}$.

CreateTag($ID_0$), CreateTag($ID_1$)
$vtag \leftarrow$ DrawTag($ID_c$) where $c \xleftarrow{R} \{0, 1\}$
$K_i^c \leftarrow$ Corrupt() at time interval $[i-1, i+1]$
Free($vtag$)
$vtag_x \leftarrow$ DrawTag($ID_x$) randomly between the two tags
$\mathcal{A}$ chooses another time interval (generally $I = [i+2]$): $K_{i+1}^x = H(K_i^x)$, $K_{i+2}^x = H(K_{i+1}^x)$
$\pi_{i+2} \leftarrow$ Launch
$t_r^{i+2}, r_r^{i+2} \leftarrow$ SendReader($\pi_{i+2}$, Init)
$h_1^{i+2}, r_t^{i+2} \leftarrow$ SendTag($vtag_x$, $t_r^{i+2}$, $r_r^{i+2}$)
$\mathcal{A}$ computes $h_{1x}^{i+2} = H_{K_x^{i+2}}(0, t_r^{i+2}, r_r^{i+2})$ and $h_{1x}'^{i+2} = H_{K_x^{i+2}}(1, r_t^{i+2}, r_r^{i+2})$
The queries are ended; receive $\tau(vtag') = ID_x$
If either $h_1^{i+2} = h_{1x}^{i+2}$ or $h_1^{i+2} = h_{1x}'^{i+2}$ then $x = c$, otherwise $x = |1-c|$
Output whether $\tau(vtag_x) = ID_x$ ∎

4.1 The Improved FSA

In the FSA protocol, the most important drawback is the lack of a refresher in the computation of $h_1$ when $t_r > t_t$. We suggest $h_1^* = H_K(\{0 \text{ or } 1\}, r_t, r_r)$ rather than $h_1 = H_K(\{0 \text{ or } 1\}, \{t_r \text{ or } r_t\}, r_r)$.

Moreover, the key updating procedure should be improved by means of $r_t^i$ to prevent forward traceability. After receiving flow 3 ($h_2$) in Fig. 2 and confirmation, $T$ updates the related keys as $K_{i+1} = H(K_i, r_t^i)$. Even if $\mathcal{A}$ corrupts $K_i$ in session $i$, the computation of $K_{i+2} = H(K_{i+1}, r_t^{i+1})$ is impractical because it has no access to $K_{i+1}$.

Proof
CreateTag($ID_0$), CreateTag($ID_1$)
$vtag \leftarrow$ DrawTag($ID_c$) where $c \xleftarrow{R} \{0, 1\}$
$K_i^c \leftarrow$ Corrupt() at time interval $[i-1, i+1]$
Free($vtag$)
$vtag_x \leftarrow$ DrawTag($ID_x$) randomly between the two tags
$\mathcal{A}$ chooses another time interval (generally $I = [i+2]$): $K_{i+1}^x = H(K_i^x, r_t^i)$, $K_{i+2}^x = H(K_{i+1}^x, r_t^{i+1})$
$\pi_{i+2} \leftarrow$ Launch
$t_r^{i+2}, r_r^{i+2} \leftarrow$ SendReader($\pi_{i+2}$, Init)
$h_1^{i+2}, r_t^{i+2} \leftarrow$ SendTag($vtag_x$, $t_r^{i+2}$, $r_r^{i+2}$)
The queries are ended; receive $\tau(vtag') = ID_x$
If either $h_1^{i+2} = h_{1x}^{i+2}$ or $h_1^{i+2} = h_{1x}'^{i+2}$ then $x = c$, otherwise $x = |1-c|$
Output whether $\tau(vtag_x) = ID_x$

(The lack of knowledge about $r_t^{i+1}$ causes ambiguity for $\mathcal{A}$ in distinguishing between $vtag$ and $vtag_x$.) Since $\mathcal{A}$ cannot compute $h_{1x}^{i+2}$ without $K_x^{i+2}$, $\mathcal{A}$ is not trivial and $\{Adv_{\mathcal{A}}^{UPriv-ImprovedFSA}(k), Adv_{\mathcal{A}}^{Forward-UPriv-ImprovedFSA}(k)\} = 0 \leq \varepsilon$. ∎
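The forward-traceability game of Theorem 7, simulated for both key chains as an added example (this is my code, not the paper's or the FSA authors'): the Fig. 2 chain $K_{i+1} = H(K_i)$ and the Sect. 4.1 chain $K_{i+1} = H(K_i, r_t^i)$ with $h_1^* = H_K(\{0 \text{ or } 1\}, r_t, r_r)$. It assumes, beyond what the page states, that $H_K$ is HMAC-SHA256 and $H$ is SHA-256, that the reader's flow-3 value $h_2$ is always accepted (only the key update and $h_1$ matter for the game), and that timestamps are small integers:

```python
"""Added example: the Theorem 7 forward-traceability game against FSA and
against the Sect. 4.1 improvement.  HMAC-SHA256 / SHA-256 instantiations,
the always-accepted h2 and integer timestamps are assumptions."""
import hashlib
import hmac
import random

NBYTES = 16  # length of keys and nonces (assumption)


def rand_bytes(rng: random.Random) -> bytes:
    return rng.getrandbits(8 * NBYTES).to_bytes(NBYTES, "big")


def H(*parts: bytes) -> bytes:
    """Key-updating hash H(.) (assumed SHA-256 over the concatenation)."""
    return hashlib.sha256(b"".join(parts)).digest()[:NBYTES]


def HK(key: bytes, flag: int, a: bytes, b: bytes) -> bytes:
    """Keyed hash H_K(flag, a, b) used for h1 (assumed HMAC-SHA256)."""
    return hmac.new(key, bytes([flag]) + a + b, hashlib.sha256).digest()


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


class Tag:
    def __init__(self, key: bytes, improved: bool):
        self.key, self.improved, self.t_t = key, improved, 0

    def send_tag(self, t_r: int, r_r: bytes, rng: random.Random):
        """Flow 2: answer (h1, r_t) to the reader's (t_r, r_r)."""
        r_t = rand_bytes(rng)
        flag = 0 if t_r > self.t_t else 1
        if self.improved:
            h1 = HK(self.key, flag, r_t, r_r)  # h1* = H_K({0,1}, r_t, r_r): r_t always refreshes h1
        elif flag == 0:
            h1 = HK(self.key, 0, ts(t_r), r_r)  # Fig. 2: H_K(0, t_r, r_r) when t_r > t_t
        else:
            h1 = HK(self.key, 1, r_t, r_r)      # Fig. 2: H_K(1, r_t, r_r) otherwise
        return h1, r_t

    def confirm(self, t_r: int, r_t: bytes):
        """Flow 3 (h2) accepted: key updating."""
        self.t_t = max(self.t_t, t_r)
        self.key = H(self.key, r_t) if self.improved else H(self.key)


def run_session(tag: Tag, t_r: int, rng: random.Random):
    """One full session; returns the transcript (t_r, r_r, h1, r_t) an eavesdropper sees."""
    r_r = rand_bytes(rng)
    h1, r_t = tag.send_tag(t_r, r_r, rng)
    tag.confirm(t_r, r_t)
    return t_r, r_r, h1, r_t


def adversary_matches(k_i: bytes, r_t_i: bytes, transcript, improved: bool, rng: random.Random) -> bool:
    """A's test: is h1^{i+2} equal to H_{K^{i+2}}(0, t_r, r_r) or H_{K^{i+2}}(1, r_t, r_r)?"""
    t_r, r_r, h1, r_t = transcript
    if improved:
        k_next = H(k_i, r_t_i)                 # K^{i+1}: r_t^i was eavesdropped in session i
        k_guess = H(k_next, rand_bytes(rng))   # K^{i+2} needs r_t^{i+1}, never observed: blind guess
    else:
        k_guess = H(H(k_i))                    # K^{i+2} = H(H(K^i)) follows from K^i alone
    return h1 in (HK(k_guess, 0, ts(t_r), r_r), HK(k_guess, 1, r_t, r_r))


def forward_traceability_game(improved: bool, trials: int, seed: int = 1) -> float:
    """Two-tag game of Theorem 7; returns A's success rate (1.0 for FSA, ~0.5 improved)."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        tags = [Tag(rand_bytes(rng), improved) for _ in range(2)]  # CreateTag(ID0), CreateTag(ID1)
        c = rng.randrange(2)                                       # vtag <- DrawTag(ID_c)
        k_i = tags[c].key                                          # Corrupt() at [i-1, i+1]: K^i_c
        _, _, _, r_t_i = run_session(tags[c], 1, rng)              # session i, eavesdropped by A
        run_session(tags[1 - c], 1, rng)                           # the other tag's session i
        for t in tags:                                             # Free(vtag); session i+1 unobserved
            run_session(t, 2, rng)
        x = rng.randrange(2)                                       # vtag_x <- DrawTag(ID_x)
        transcript = run_session(tags[x], 3, rng)                  # session i+2, observed by A
        guess = c if adversary_matches(k_i, r_t_i, transcript, improved, rng) else 1 - c
        wins += guess == x
    return wins / trials
```

`forward_traceability_game(False, n)` returns 1.0: with the un-randomised chain the corrupted $K_i$ determines $K_{i+2}$, so the $h_1$ of any later session is recognisable. `forward_traceability_game(True, n)` stays near 0.5, because $K_{i+2}$ depends on the $r_t^{i+1}$ exchanged in the session the adversary did not observe, which is precisely the point made in the parenthetical remark above.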

5 The LPP Protocol

The lightweight cryptography primitives are quite practical for RFID systems. Hummingbird-2 is a new lightweight block cipher specialized for RFID systems [39]. Fan et al. [27] proposea lightweight privacy-preserving (LPP) mutual authentication protocol based on the internalstate, initial vector, and secret key of the Hummingbird-2. The LPP protocol is detailedin Fig. 3. INIT K (IV) is the initialization function of Hummingbird-2 with secret key Kand 64-bits initial vector IV . RSi (i = 1, . . . , 8) is the i th 16-bit internal state register ofHummingbird-2.

Although the authors claim that LPP is privacy preserve, the Theorems 8 and 9 clarify thatLPP not only supports Wide−Weak privacy level in Vaudenay’s model, also it is forwardtraceable.

Theorem 8 The LPP protocol does not even support Narrow-Forward privacy.

Proof The narrow-forward adversary eavesdrops on one session to obtain $r_1, r_2, r_3, r_4, CT_1, CT_2, CT_5'$, and $CT_6'$. The attacker transmits $r_5$ and $r_6$ instead of $CT_5'$ and $CT_6'$ to $vtag$ in the third flow. In the analysis phase, $\mathcal{A}$ queries the Corrupt oracle as the last one and receives $K_{ID_x}$, $RS_1 \boxplus RS_3$, and DB. Obviously, $CT_5^x$ and $CT_6^x$ are computable via $CT_3^x$, $CT_4^x$ and the internal states. Since $R$ and $T$ are synchronized, $CT_i^x = CT_i'$ ($i \in \{5, 6\}$) with overwhelming probability and finally $T_x = T_b$.


Fig. 3 The LPP protocol [27]

CreateTag($ID_0$), CreateTag($ID_1$)
$vtag \leftarrow$ DrawTag()
$\pi \leftarrow$ Launch
$r_1 \leftarrow$ SendReader($\pi$, Init)
$r_2, CT_1, CT_2 \leftarrow$ SendTag($vtag$, $r_1$)
$r_3, r_4, CT_5', CT_6' \leftarrow$ SendReader($\pi$, $r_2$, $CT_1$, $CT_2$)
$\mathcal{A}$ replaces $CT_5'$ and $CT_6'$ with two random numbers $r_5$ and $r_6$
null $\leftarrow$ SendTag($vtag$, $r_3$, $r_4$, $r_5$, $r_6$)
Free($vtag$)
$vtag' \leftarrow$ DrawTag()
$K_{ID_x}, RS_1 \boxplus RS_3 \leftarrow$ Corrupt($vtag'$)
The queries are ended; receive $\tau(vtag') = ID_b$
$CT_3^x = E_{K_x}(r_3)$ and $CT_4^x = E_{K_x}(r_4)$
$CT_5^x = E_{K_x}(RS_1 \boxplus RS_3)$ and $CT_6^x = E_{K_x}(RS_1 \boxplus RS_3)$
If $CT_5^x = CT_5'$ and $CT_6^x = CT_6'$ then $x = b$, otherwise $x = |1-b|$
Output $\tau(vtag_x) = ID_x$ ∎

Theorem 9 The LPP protocol provides forward traceability.

Proof The Narrow-Strong $\mathcal{A}$ executes session $i$. The secrets are corrupted, and two random numbers $r_3^{i*}$ and $r_4^{i*}$ are applied to compute $CT_5^{i*}$ and $CT_6^{i*}$. The $vtag$ confirms the third flow and computes $K_{ID_c}^{i+1}$ via the Key-Updating section. Nevertheless, $R$ is not able to confirm $vtag$ as a legitimate tag. In session $i+2$, $\mathcal{A}$ obtains a transcript of the executed protocol between $vtag_x$ and $R$. If $CT_{1,2}^{i+2} = \widetilde{CT}_{1,2}^{i+2}$ (the values $\mathcal{A}$ computes itself), $T_x = T_c$ with overwhelming probability, and vice versa.

CreateTag($ID_0$), CreateTag($ID_1$)
$vtag \leftarrow$ DrawTag($ID_c$), $c \in \{0, 1\}$
$\pi^i \leftarrow$ Launch
$r_1^i \leftarrow$ SendReader($\pi^i$, Init)
$r_2^i, CT_1^i, CT_2^i \leftarrow$ SendTag($vtag$, $r_1^i$)
$K_{ID_c}^i, RS_1 \boxplus RS_3 \leftarrow$ Corrupt() at the $i$th session $\in [i-1, i+1]$
$\mathcal{A}$ randomly chooses $r_3^{i*}, r_4^{i*}$ and computes
$CT_3^{i*} = E_{K_{ID_c}^i}(r_3^{i*})$ and $CT_4^{i*} = E_{K_{ID_c}^i}(r_4^{i*})$
$CT_5^{i*} = E_{K_{ID_c}^i}(RS_1 \boxplus RS_3)$ and $CT_6^{i*} = E_{K_{ID_c}^i}(RS_1 \boxplus RS_3)$
null $\leftarrow$ SendTag($vtag$, $r_3^{i*}$, $r_4^{i*}$, $CT_5^{i*}$, $CT_6^{i*}$)
$K_{ID_c}^{i+1} =$ Key-Updating-ALG.($K_{ID_c}^i$)
Free($vtag$)
$vtag_x \leftarrow$ DrawTag($ID_x$) randomly between the two tags $\{0, 1\}$
$\mathcal{A}$ chooses another time interval after the $(i+1)$th session (generally $I = [i+2]$)
$\pi^{i+2} \leftarrow$ Launch
$r_1^{i+2} \leftarrow$ SendReader($\pi^{i+2}$, Init)
$r_2^{i+2}, CT_1^{i+2}, CT_2^{i+2} \leftarrow$ SendTag($vtag_x$, $r_1^{i+2}$)
$\mathcal{A}$ computes $\widetilde{CT}_1^{i+2} = E_{K_{ID_x}^{i+2}}(RS_1 \boxplus RS_3)$ and $\widetilde{CT}_2^{i+2} = E_{K_{ID_x}^{i+2}}(RS_1 \boxplus RS_3)$
If $CT_1^{i+2} = \widetilde{CT}_1^{i+2}$ and $CT_2^{i+2} = \widetilde{CT}_2^{i+2}$ then $x = c$, otherwise $x = |1-c|$
Output $\tau(vtag_x) = ID_c$

5.1 The Improved LPP

The most important drawback in LPP is the conditions under which $r_2$, $r_3$ and $r_4$ are transmitted. As an alleviation, both $R$ and $T$ should save $K_{old}^i = K^{i-1}$. As long as $T$ sends $E_{K_{old}}^i(r_2)$ instead of $r_2$ in the second flow, the adversary cannot reveal $r_2$ by eavesdropping. Also, since $R$ knows $K_{old}^i$, every active attack in session $i$ is detectable in the next session. However, $T$ requires more memory compared with LPP. Indeed, if $\mathcal{A}$ modifies $r_3^i, r_4^i$ to begin forward traceability, $R$ can discover the malicious attack in session $i+1$ via $K_{old}^i$ and synchronize the common key with $T$.


Proof
CreateTag($ID_0$), CreateTag($ID_1$)
$vtag \leftarrow$ DrawTag($ID_c$), $c \in \{0, 1\}$
$\pi^i \leftarrow$ Launch
$r_1^i \leftarrow$ SendReader($\pi^i$, Init)
$E_{K_{old}}^i(r_2^i), CT_1^i, CT_2^i \leftarrow$ SendTag($vtag$, $r_1^i$) // $K_{old} = K_{i-1}$
$K_{ID_c}^i, RS_1 \boxplus RS_3 \leftarrow$ Corrupt() at the $i$th session $\in [i-1, i+1]$
$\mathcal{A}$ randomly chooses $r_3^{i*}, r_4^{i*}$ and computes
$CT_3^{i*} = E_{K_{ID_c}^i}(r_3^{i*})$ and $CT_4^{i*} = E_{K_{ID_c}^i}(r_4^{i*})$
$CT_5^{i*} = E_{K_{ID_c}^i}(RS_1 \boxplus RS_3)$ and $CT_6^{i*} = E_{K_{ID_c}^i}(RS_1 \boxplus RS_3)$
null $\leftarrow$ SendTag($vtag$, $r_3^{i*}$, $r_4^{i*}$, $CT_5^{i*}$, $CT_6^{i*}$)
$K_{ID_c}^{i+1} =$ Key-Updating-ALG.($K_{ID_c}^i$)
Free($vtag$)
$vtag_x \leftarrow$ DrawTag($ID_x$) randomly between the two tags $\{0, 1\}$
$\mathcal{A}$ chooses another time interval after the $(i+1)$th session (generally $I = [i+2]$)
$\pi^{i+2} \leftarrow$ Launch
$r_1^{i+2} \leftarrow$ SendReader($\pi^{i+2}$, Init)
$E_{K_{old}}^{i+2}(r_2^{i+2}), CT_1^{i+2}, CT_2^{i+2} \leftarrow$ SendTag($vtag_x$, $r_1^{i+2}$)
// Although $R$ and $T$ have been desynchronized in the $i$th session, they alleviate the situation via re-synchronization in the $(i+1)$th session with the aid of $K_{old}^i = K^{i-1}$.
$\mathcal{A}$ computes $\widetilde{CT}_1^{i+2} = E_{K_{ID_x}^{i+2}}(RS_1 \boxplus RS_3)$ and $\widetilde{CT}_2^{i+2} = E_{K_{ID_x}^{i+2}}(RS_1 \boxplus RS_3)$
Since $CT_1^{i+2} \neq \widetilde{CT}_1^{i+2}$ and $CT_2^{i+2} \neq \widetilde{CT}_2^{i+2}$, $vtag$ is untraceable. ∎

6 Comparison

To sum up, the computation overhead and privacy drawbacks of the improved protocols in Sects. 3.1, 4.1 and 5.1 are compared with the NRS, FSA and LPP protocols in Table 3. Since a tag has quite restricted hardware for storage and computation, we only compare tag operations.

Table 3 The comparison of computation overheads and privacy vulnerabilities of related RFID authentication protocols

Scheme          Trace. att.   Forward trace. att.   Backward trace. att.   # (Symm. enc./dec. + PRNG)   # (Hash computation)
NRS             ✓             ✓                     ✓                      _                            3
FSA             ✓             ✓                     ×                      1                            2
LPP             ×             ✓                     ×                      15                           _
Improved NRS    ×             ×                     ×                      _                            5
Improved FSA    ×             ×                     ×                      1                            2
Improved LPP    ×             ×                     ×                      16                           _

Trace. traceability, Att. attack, Symm. symmetric

According to Table 3, although the LPP only suffers from forward traceability, it has the highest computational complexity. The NRS, with the lowest computation but without a PRNG, undergoes widespread weaknesses. It can be seen from the data in Table 3 that the disadvantages are alleviated with the least overhead in the improved protocols. Moreover, we proved that both NRS and FSA provide no privacy (Nil) level and LPP only supports the Wide-Weak privacy level.

7 Conclusion

Authentication protocols are the foundation of secure RFID systems. In this paper, the drawbacks of Vaudenay's model were highlighted. We also analysed privacy aspects of three novel and recently proposed protocols based on lightweight cryptography, namely the NRS, FSA, and LPP, via Ouafi privacy notions in Vaudenay's privacy model. Eventually, to inhibit the mentioned shortcomings, three improved protocols were proposed with the lowest extra communication and computation overheads.

Acknowledgments This work was supported in part by the Iran National Science Fund (INSF) Cryptography Chair and in part by the Iran Telecommunication Research Center (ITRC).

References

1. Kulseng, L. S. (2009). Lightweight mutual authentication, owner transfer, and secure search protocols for RFID systems. MSc Thesis, Iowa State University.

2. Konomi, S., & Roussos, G. (2007). Ubiquitous computing in the real world: Lessons learnt from large scale RFID deployments. Personal and Ubiquitous Computing, 11(7), 507–521.

3. Koscher, K., Juels, A., Kohno, T., & Brajkovic, V. (2008). EPC RFID tags in security applications: Passport cards, enhanced drivers licenses, and beyond. In 16th ACM conference on computer and communications security (pp. 33–42).

4. Ouafi, K., & Vaudenay, S. (2009). Pathchecker: An RFID application for tracing products in supply-chains. In RFIDsec.

5. Chai, Q. (2012). Design and analysis of security schemes for low-cost RFID systems. PhD thesis, University of Waterloo.

6. Tsudik, G. (2006). YA-TRAP: Yet another trivial RFID authentication protocol. In 4th annual IEEE international conference on pervasive computing and communications workshops (pp. 640–643).

7. Juels, A. (2005). Strengthening EPC tags against cloning. In Workshop on wireless security (WiSec) (pp. 67–76).

8. Li, T., & Deng, R. (2008). Scalable RFID authentication and discovery in EPCglobal network. In Communications and networking in China (ChinaCom) (pp. 1138–1142).

9. Duc, D. N., & Kim, K. (2011). Defending RFID authentication protocols against DoS attacks. Journal of Computer Communications, 34, 384–390.

10. Cho, J.-S., Yeo, S.-S., & Kim, S. K. (2011). Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value. Journal of Computer Communications, 34, 391–397.

11. EPCglobal. (2008). EPC radio-frequency identity protocols class-1 generation-2 UHF RFID protocol for communications at 860 MHz–960 MHz, Ver. 1.2.0. Specification for RFID Air Interface, EPCglobal 2008.

12. EPCglobal. (2007). Low level reader protocol (LLRP), Ver. 1.0.1. Ratified Standard, EPCglobal 2007.

13. Coisel, I., & Martin, T. (2013). Untangling RFID privacy models. Journal of Computer Networks and Communications, 2013, 26. doi:10.1155/2013/710275.

14. Avoine, G. (2005). Adversarial model for radio frequency identification. Cryptology ePrint Archive, Report 2005/049. http://eprint.iacr.org/2005/049.

15. Avoine, G. (2005). Cryptography in radio frequency identification and fair exchange protocols. PhD Thesis no. 3407, EPFL. http://library.epfl.ch/theses/?nr=3407.

16. Avoine, G., Dysli, E., & Oechslin, P. (2006). Reducing time complexity in RFID systems. In B. Preneel & S. Tavares (Eds.), SAC 2005. LNCS (Vol. 3897, pp. 291–306). Heidelberg: Springer.

17. Lim, C. H., & Kwon, T. (2006). Strong and robust RFID authentication enabling perfect ownership transfer. In Eighth international conference on information and communications security (ICICS) (pp. 1–20).

18. Juels, A., & Weis, S. (2006). Defining strong privacy for RFID. Cryptology ePrint Archive, Report 2006/137.

19. Ouafi, K., & Phan, R. C.-W. (2008). Privacy of recent RFID authentication protocols. In L. Chen, Y. Mu, & W. Susilo (Eds.), ISPEC 2008. LNCS (Vol. 4991, pp. 263–277). Heidelberg: Springer.

20. Ouafi, K., & Phan, R. C.-W. (2008). Traceable privacy of recent provably-secure RFID protocols. In S. M. Bellovin, et al. (Eds.), ACNS 2008. LNCS (Vol. 5037, pp. 479–489). Berlin, Heidelberg: Springer.

21. Deng, R. H., Li, Y., Yung, M., & Zhao, Y. (2010). A new framework for RFID privacy. In 15th European symposium on research in computer security (ESORICS) (pp. 1–18).

22. Moriyama, D., Matsuo, S., & Ohkubo, M. (2012). Relation among the security models for RFID authentication protocol. In 17th European symposium on research in computer security (ESORICS) (pp. 661–678).

23. Vaudenay, S. (2007). On privacy models for RFID. In K. Kurosawa (Ed.), ASIACRYPT 2007. LNCS (Vol. 4833, pp. 68–87). Heidelberg: Springer.

24. Paise, R.-I., & Vaudenay, S. (2008). Mutual authentication in RFID: Security and privacy. In The 3rd ACM symposium on information, computer and communications security (ASIACCS) (pp. 292–299).

25. Fernando, H., & Abawajy, J. (2011). Mutual authentication protocol for networked RFID systems. In IEEE TrustCom.

26. Zhu, H., Zhao, Y., Ding, S., & Jin, B. (2011). An improved forward-secure anonymous RFID authentication protocol. In Wireless communications, networking and mobile computing (WiCOM) (pp. 1–5).

27. Fan, X., Gong, G., Engels, D. W., & Smith, E. M. (2011). A lightweight privacy-preserving mutual authentication protocol for RFID systems. In IEEE GLOBECOM workshops (GC Wkshps) (pp. 1083–1087).

28. Hermans, J., Pashalidis, A., Vercauteren, F., & Preneel, B. (2011). A new RFID privacy model. In V. Atluri & C. Diaz (Eds.), ESORICS 2011. LNCS (Vol. 6879, pp. 568–587).

29. Ng, C. Y., Susilo, W., Mu, Y., & Safavi-Naini, R. (2010). Practical RFID ownership transfer scheme. In Workshop on RFID security (RFIDSec Asia), Vol. 4 of Cryptology and Information Security. IOS Press.

30. Ng, C. Y., Susilo, W., Mu, Y., & Safavi-Naini, R. (2009). New privacy results on synchronized RFID authentication protocols against tag tracing. In M. Backes & P. Ning (Eds.), ESORICS 2009. LNCS (Vol. 5789, pp. 321–336). Heidelberg: Springer.

31. Armknecht, F., Sadeghi, A., Scafuro, A., Visconti, I., & Wachsmann, C. (2010). On RFID privacy with mutual authentication and tag corruption. In Applied cryptography and network security (ACNS) 2010, LNCS (Vol. 6123, pp. 493–510).

32. Armknecht, F., Sadeghi, A., Scafuro, A., Visconti, I., & Wachsmann, C. (2010). Impossibility results for RFID privacy notions. In Transactions on computational science XI, LNCS (Vol. 6480, pp. 39–63).

33. Habibi, M. H., & Aref, M. R. (2011). Two RFID privacy models in front of a court. Cryptology ePrint Archive. http://eprint.iacr.org/2011/625.

34. Canard, S., Coisel, I., & Girault, M. (2010). Security of privacy-preserving RFID systems. In IEEE international conference on RFID-technology and applications (RFID-TA) (pp. 269–274).

35. Avoine, G., Coisel, I., & Martin, T. (2010). Time measurement threatens privacy-friendly RFID authentication protocols. In RFIDSec. Springer LNCS (Vol. 6370, pp. 138–157).

36. Lim, C. H., & Kwon, T. (2006). Strong and robust RFID authentication enabling perfect ownership transfer. In 8th international conference on information and communications security (ICICS), Springer LNCS.

37. Akgün, M., & Çaglayan, M. (2011). Extending an RFID security and privacy model by considering forward untraceability. In Security and trust management, LNCS (Vol. 6710, pp. 239–254).

38. He, L., Jin, S., Zhang, T., & Li, N. (2009). An enhanced 2-pass optimistic anonymous RFID authentication protocol with forward security. In WiCOM (pp. 1–4).

39. Engels, D., Saarinen, M.-J. O., & Smith, E. M. (2011). The Hummingbird-2 lightweight authenticated encryption algorithm. In RFIDSec 2011.


Author Biographies

Mahdi R. Alagheband received the Bachelor's degree in Telecommunication Engineering from Azad University, Tehran, Iran, in 2005 and the Master's degree in Telecommunication in the field of Cryptography with honors from IHU, Tehran, Iran (2007), where he obtained the Best Student Academic Award. He received his Ph.D. in 2013 from Azad University, Research and Science Branch, Iran, with his thesis "Lightweight cryptography in wireless sensor networks and RFID systems". He is also a research assistant at the Information Systems and Security (ISSL) Laboratory, Sharif University of Technology, and Assistant Professor of Electrical Engineering at Azad University. Recently, he has published noticeable papers on RFID security in top international conferences and journals. His research interests include lightweight cryptography, RFID security, WSN security, authentication protocols, cryptanalysis, network security and public key cryptography.

Mohammad R. Aref received his B.Sc. in 1975 from the University of Tehran, and his M.Sc. and Ph.D. in 1976 and 1980 respectively from Stanford University, all in Electrical Engineering. He has been a Professor of Electrical Engineering at Sharif University of Technology since 1995 and has published more than 170 technical papers in Communication and Information Theory and Cryptography in international journals and conference proceedings.
