A Survey of RFID Authentication Protocols. Compiled by: Dr. Vidyasagar Potdar, Yawer Yousuf Khan

Post on 20-Jun-2015

Page 1: Survey paper

A Survey of RFID Authentication Protocols

Compiled by :

Dr. Vidyasagar Potdar

Yawer Yousuf Khan

Page 2: Survey paper

Introduction

- RFID technology is used for identification of objects, where data is carried by radio waves.
- Seen as a replacement for the barcode system.
- An RFID system consists of an RFID Transponder (tag) and an RFID Interrogator (Reader).
- A tag uniquely identifies an object.
- Frequencies: LF (124-135 kHz), HF (13.56 MHz), UHF (860-960 MHz)
- Reading range: LF (up to half a meter), HF (up to 1 meter), UHF (up to tens of meters)

Page 3: Survey paper

RFID Architecture

Types of tags: Semi Passive, Active, Passive

Page 4: Survey paper

RFID Architecture (cont.)

Operational Process

Page 5: Survey paper

RFID Architecture (cont.)

RFID Architecture

Page 6: Survey paper

Applications of RFID

- Contactless cards for building access
- Interactive appliances like mobile phones
- Payment tokens like SpeedPass™
- In retail markets
- Passports
- Toll payment
- Implantation in humans and animals

Page 7: Survey paper

Security Issues

- Authentication to provide a certain level of trust between reader and tag and vice versa
- Integrity of the data exchanged between reader and tag
- Availability of the bandwidth for communication
- Confidentiality of communication between reader and tag
- Anonymity against unauthorised interrogation

Page 8: Survey paper

Types of attacks

- Eavesdropping of communication between tag and reader
- Full-disclosure attacks to obtain private data of the tag
- Masquerading as legitimate tags
- Replay attack
- DoS attack
- Blocking attack

Page 9: Survey paper

Classification of Authentication Protocols: what, why and how?

Authentication Protocols:

- Provide a level of trust between the reader and the tag
- Limitations include limited read/write memory and few logic gates to perform computational tasks

Page 10: Survey paper

Classification of Authentication Protocols: what, why and how?

Need for classification of authentication protocols:

- Distinguishing on the basis of general prototypes which can cover various fundamental protocols.
- Numerous protocols are being proposed every year.
- Similar types of protocols may have the same types of errors and solutions.

Page 11: Survey paper

Classification of Authentication Protocols: what, why and how?

Classification is based on these points:

- Underlying algorithm used in the protocols.
- Procedure of message exchange.
- Secure combination of the above two.
- Complex cryptographic functions or the structure of the protocol may limit the classification process.
- Concentrating on message exchange helps abstract away from the cryptographic mechanism.

Page 12: Survey paper

Preliminary Concepts

Definition 1:

- Forced Challenge (F): Data is a random nonce generated by the verifier, delivered as a plaintext or a ciphertext to the prover
- Self Challenge (S): Data is generated by the prover himself
- No Challenge (Ø): No challenge value exchanged in the protocol

Page 13: Survey paper

Preliminary Concepts

Definition 2:

- Origin Authentication (OA): If the protocol contains a message of the form APriKey{·}
- Destination Authentication (DA): If the protocol contains a message of the form APubKey{·}
- Implicit Authentication (IA): If the protocol contains no message of the form APriKey{·} or APubKey{·}

Page 14: Survey paper

Process of Classification

Step 1: Identify the type of authentication used in a given protocol

Step 2: Identify the type of challenge values used between sender and receiver

Step 3: In case of DA with forced challenge, protocols are further classified as DAF,NoAck (no acknowledgment) and DAF,Ack (with acknowledgment).

Page 15: Survey paper

Process of Classification

- Always, Verifier is A and prover is B
- There are eight generic prototypes for classification of verifier-to-prover authentication
- For mutual authentication, there should be 8² = 64 prototypes, but the protocols in which the responder entity B acts as an initiator can be regarded as illegal
- In all, 47 prototypes are legal

Page 16: Survey paper

Prototypes of Authentication

Authentication Type: Example

Implicit Authentication (IA)

- IAØ
  A: APriKey{ B }
- IAF
  A B: rB
  A: APriKey{ B, rB }

Origin Authentication (OA)

- OA
  A B: APriKey{ B }
- OAS
  A B: TSA, APriKey{ B, TSA }
- OAF
  A B: rB
  A B: APriKey{ B, rB }

Destination Authentication (DA)

- DA
  A B: APubKey{ B }
- DAF,NoAck
  A B: APubKey{ B, rB }
- DAF,Ack
  A B: APubKey{ B, rB }
  A B: rB
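The three classification steps applied mechanically to the single-entity prototypes above, as an added example (not code from the slides or from [1]). The term encoding, the names `Msg`, `walk`, `classify`, `entity` and `peer`, and the message directions in the samples are assumptions made for this sketch; `entity` is the party whose keys appear in the messages and `peer` is the party issuing the nonce.

```python
from dataclasses import dataclass

# Term encoding (constructed for this example):
#   ("id", "B")  ("nonce", "rB")  ("ts", "TSA")  ("key", "APriKey", [inner terms])
@dataclass
class Msg:
    sender: str
    receiver: str   # "" marks a local computation that is never transmitted
    terms: list

def walk(terms):
    """Yield every term, descending into KeyName{...} wrappers."""
    for t in terms:
        yield t
        if t[0] == "key":
            yield from walk(t[2])

def classify(msgs, entity="A", peer="B"):
    """Return (authentication type, challenge type, ack) for `entity` towards `peer`."""
    sent = [m for m in msgs if m.receiver]
    keys = {t[1] for m in sent for t in walk(m.terms) if t[0] == "key"}
    # Step 1 (Definition 2): which of the entity's keys appears in a transmitted message?
    auth = "OA" if entity + "PriKey" in keys else "DA" if entity + "PubKey" in keys else "IA"
    # Step 2 (Definition 1): forced = nonce from the peer, in plaintext or inside a
    # ciphertext; self = data the entity generates itself (modelled as a timestamp).
    forced = {t[1] for m in sent if m.sender == peer
              for t in walk(m.terms) if t[0] == "nonce"}
    own = any(t[0] == "ts" for m in sent if m.sender == entity for t in walk(m.terms))
    chal = "F" if forced else "S" if own else "Ø"
    # Step 3: for DA with forced challenge, does the entity return the nonce in the clear?
    ack = None
    if (auth, chal) == ("DA", "F"):
        echoed = any(t[0] == "nonce" and t[1] in forced
                     for m in sent if m.sender == entity for t in m.terms)
        ack = "Ack" if echoed else "NoAck"
    return auth, chal, ack

def key(name, *inner):
    return ("key", name, list(inner))

B, rB, TSA = ("id", "B"), ("nonce", "rB"), ("ts", "TSA")
# Constructed samples following the prototype table; message directions are assumed.
SAMPLES = {
    "IAF": [Msg("B", "A", [rB]), Msg("A", "", [key("APriKey", B, rB)])],
    "OAS": [Msg("A", "B", [TSA, key("APriKey", B, TSA)])],
    "DAF,NoAck": [Msg("B", "A", [key("APubKey", B, rB)])],
    "DAF,Ack": [Msg("B", "A", [key("APubKey", B, rB)]), Msg("A", "B", [rB])],
}
```
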

Page 17: Survey paper

Prototypes of Mutual Authentication

Prototype: Example

- IAF-
  1. A B: rA
  B:
- DA
  1. A B: BPubKey{ A }
  A: APriKey{ B }
  B: BPriKey{ A }
- IAF-IAF
  1. A B: rA
  2. A B: rB
  A: APriKey{ B, rB }
  B: BPriKey{ A, rA }

Page 18: Survey paper

Prototypes of Mutual Authentication

Prototype: Example

- IAF-OAS
  1. A B: rA, TSA, APriKey{ B, TSA }
  B: BPriKey{ rA }
- OAF-OAF
  1. A B: rA
  2. A B: BPriKey{ A, rA }, rB
  3. A B: APriKey{ B, rB }
- OAF-DAF,NoAck
  1. A B: rA
  2. A B: APubKey{ B, rB, BPriKey{ A, rA } }
  or,
  1. A B: rA
  2. A B: BPriKey{ A, rA, APubKey{ B, rB } }

Page 19: Survey paper

Prototypes of Mutual Authentication

Prototype: Example

- DAF,NoAck-OAS
  1. A B: BPubKey{ A, rA, TSA, APriKey{ B, TSA } }
  or,
  1. A B: TSA, APriKey{ B, TSA, BPubKey{ A, rA } }
- DAF,Ack-OAF
  1. A B: BPubKey{ A, rA }
  2. A B: rA, rB
  3. A B: APriKey{ B, rB }
- DAF,NoAck-DAF,NoAck
  1. A B: BPubKey{ A, rA }
  2. A B: APubKey{ B, rB }
- DAF,Ack-DAF,Ack
  1. A B: BPubKey{ A, rA }
  2. A B: APubKey{ B, rB }, rA
  3. A B: rB

Page 20: Survey paper

Minimalist Approach

- Protocols named LMAP[3], M2AP[4] and EMAP[5], proposed by Pedro Peris-Lopez et al.
- Come under Implicit Authentication with forced challenge - Implicit Authentication with forced challenge (IAF-IAF)
- Simple binary operations like XOR, OR, AND and mod 2^m are used, using a few hundred gates

Page 21: Survey paper

Minimalist Approach

- on index-pseudonyms (96 bits) which is a row of a table to store all information related to the tag
- a 480 EEPROM and a 96-bit key divided into 4 parts, updated after each message cycle
- Vulnerable to de-synchronization attack and subsequently full-disclosure attack
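The per-cycle state update described on this slide, and the de-synchronization it can lead to when one side updates and the other does not, in a simplified model added here (not code from the slides or from the LMAP, M2AP or EMAP papers). Assumptions: `roll` is a stand-in update built only from XOR and addition mod 2^m, the nonce is passed in directly, and `keep_pending`, which keeps both the old and the next table row when the tag's last message is lost, is a hypothetical mitigation.

```python
M = 96
MASK = (1 << M) - 1

def roll(ids, keys, n, tag_id):
    """Stand-in update using only XOR and addition mod 2^m (not the papers' equations)."""
    new_ids = ((ids + (n ^ keys[3])) & MASK) ^ tag_id
    new_keys = tuple(((k ^ n) + tag_id) & MASK for k in keys)
    return new_ids, new_keys

class Tag:
    def __init__(self, tag_id, ids, keys):
        self.tag_id, self.ids, self.keys = tag_id, ids, keys

    def finish_cycle(self, n):
        self.ids, self.keys = roll(self.ids, self.keys, n, self.tag_id)

class BackEnd:
    def __init__(self, keep_pending):
        self.rows = {}                    # index-pseudonym -> (tag_id, keys)
        self.keep_pending = keep_pending  # hypothetical mitigation switch

    def enroll(self, tag):
        self.rows[tag.ids] = (tag.tag_id, tag.keys)

    def finish_cycle(self, ids, n, confirmed):
        tag_id, keys = self.rows[ids]
        new_ids, new_keys = roll(ids, keys, n, tag_id)
        if confirmed:   # tag's last message arrived: drop every older row for this tag
            self.rows = {i: r for i, r in self.rows.items() if r[0] != tag_id}
        if confirmed or self.keep_pending:
            self.rows[new_ids] = (tag_id, new_keys)

def run_cycle(tag, backend, n, confirmation_lost):
    """One message cycle; False means the back end no longer recognises the tag."""
    presented = tag.ids
    if presented not in backend.rows:
        return False
    tag.finish_cycle(n)                   # the tag rolls its state after its last message
    backend.finish_cycle(presented, n, confirmed=not confirmation_lost)
    return True

def demo(keep_pending):
    # Constructed values; real nonces would be random 96-bit numbers.
    tag = Tag(tag_id=0x1234, ids=0xA5A5, keys=(1, 2, 3, 4))
    backend = BackEnd(keep_pending)
    backend.enroll(tag)
    return [run_cycle(tag, backend, 0x0F0F, confirmation_lost=True),
            run_cycle(tag, backend, 0x3C3C, confirmation_lost=False)]
```

`demo(False)` loses the tag on the second cycle, while `demo(True)` recovers; the cost is that the previous index-pseudonym stays valid until the next confirmed cycle.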

Page 22: Survey paper

Conclusion

- We studied several protocols and focused on three main works: LMAP, EMAP and M2AP
- Several protocols can be classified according to [1] to provide a generic study of RFID authentication protocols.

Page 23: Survey paper

References

[1] DongGook Park, Colin Boyd, and Ed Dawson, "Classification of Authentication Protocols: A Practical Approach", Proceedings of Information Security Workshop (ISW 2000), Springer-Verlag, LNCS Vol. 1975, pp. 194-208.

[2] Ari Juels, "RFID Security and Privacy: A Research Survey", Manuscript, RSA Laboratories, September 2005.

[3] Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan Estevez-Tapiador, and Arturo Ribagorda, "LMAP: A Real Lightweight Mutual Authentication Protocol for Low-cost RFID tags", Printed handout of Workshop on RFID Security (RFIDSec 06), July 2006.

[4] Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan Estevez-Tapiador, and Arturo Ribagorda, "M2AP: A Minimalist Mutual-Authentication Protocol for Low-cost RFID Tags", Lecture Notes in Computer Science, pp. 912-923, Springer-Verlag, September 2006.

[5] Pedro Peris-Lopez, Julio Cesar Hernandez-Castro, Juan M. Estevez-Tapiador, and Arturo Ribagorda, "EMAP: An Efficient Mutual Authentication Protocol for Low-cost RFID Tags", OTM Federated Conferences and Workshop: IS Workshop (IS'06), Lecture Notes in Computer Science 4277, pp. 352-361, Springer-Verlag, November 2006.

[6] Tieyan Li and Guilin Wang, "Security Analysis of Two Ultra-Lightweight RFID Authentication Protocols", IFIP SEC 2007.

[7] Tieyan Li and Robert H. Deng, "Vulnerability Analysis of EMAP - An Efficient RFID Mutual Authentication Protocol", Second International Conference on Availability, Reliability and Security (AReS 2007), April 2007, Vienna, Austria.

[8] http://www.simtech.a-star.edu.sg/events/images/rg_RFID_BigSafe2.jpg

Page 24: Survey paper

Thank You