The Journal of Supercomputing

, Volume 65, Issue 2, pp 949–960

Cryptanalysis of the RNTS system

  • Pablo Picazo-Sanchez
  • Lara Ortiz-Martin
  • Pedro Peris-Lopez
  • Julio Cesar Hernandez-Castro
Article

Abstract

Internet of Things is a paradigm that enables communication between different devices connected to a local network or to Internet. Identification and communication between sensors used in Internet of Things and devices like smart-phones or tablets are established using radio frequency identification technology. However, this technology still has several security and privacy issues because of its severe computational constraints. In 2011, Jeong and Anh proposed the combined use of an authentication radio frequency identification protocol together with a ticket issuing system for bank services (in J. Supercomput. 55:307, 2011). In this paper we show that their message generation is weak, because it abuses the XOR operation and the use of a counter, which leaks too much secret protocol information. Our analysis shows important security faults that ruin most of the security properties claimed in the original paper. More precisely, information privacy (via a disclosure and leakage attack) and location privacy (traceability attack) are both compromised. Moreover, an attacker can disrupt the proper working of the system by exploiting the fact that message integrity is not properly checked.

Keywords

RFID Authentication Banking services Cryptanalysis 

References

  1. 1.
    Atzori L, Iera A, Morabito G (2010) The Internet of things: a survey. Comput Netw 54(15):2787–2805 MATHCrossRefGoogle Scholar
  2. 2.
    Avoine G, Carpent X, Martin B (2010) Strong authentication and strong integrity (SASI) is not that strong. In: Proceedings of RFIDSec, pp 50–64 Google Scholar
  3. 3.
    Chien H-Y (2007) SASI a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Trans Dependable Secure Comput 4(4):337–340 CrossRefGoogle Scholar
  4. 4.
    Chien H-Y, Huang C-W (2007) Security of ultra-lightweight RFID authentication protocols and its improvements. Oper Syst Rev 41:83–86 CrossRefGoogle Scholar
  5. 5.
    Darianian M, Michael MP (2008) Smart home mobile rfid-based Internet-of-things systems and services. In: Proceedings of the 2008 international conference on advanced computer theory and engineering, ICACTE’08, Washington, DC, USA. IEEE Computer Society Press, Los Alamitos, pp 116–120 CrossRefGoogle Scholar
  6. 6.
    Feldhofer M, Rechberger C (2006) A case against currently used hash functions in RFID protocols. In: Proceedings of OTM. Lecture notes in computer science, vol 4277. Springer, Berlin, pp 372–381 Google Scholar
  7. 7.
    Haller S, Karnouskos S, Schroth C (2009) Future Internet—fis 2008. In: The Internet of things in an enterprise context. Springer, Berlin, pp 14–28 Google Scholar
  8. 8.
    Hardy GH, Wright EM (1979) An introduction to the theory of numbers, 5th edn. Clarendon Press, Oxford MATHGoogle Scholar
  9. 9.
    Jeong C, Ahn K (2011) Efficient RNTS system for privacy of banking off-line customer. J Supercomput 55:307–319 CrossRefGoogle Scholar
  10. 10.
    Juels A (2006) RFID security and privacy: a research survey. IEEE J Sel Areas Commun 24(2):381–394 MathSciNetCrossRefGoogle Scholar
  11. 11.
    Juels A, Weis SA (2007) Defining strong privacy for RFID. In: Proceedings of PerCom, pp 342–347 Google Scholar
  12. 12.
    Knudsen LR (2000) Block chaining modes of operation. Reports in Informatics N0. 207, Department of Informatics, University of Bergen, Norway (ISSN 0333-3590), October 2000 Google Scholar
  13. 13.
    Lee K (2010) A two-step mutual authentication protocol based on randomized hash-lock for small RFID networks. In: Proceedings of NSS, September 2010, pp 527–533 Google Scholar
  14. 14.
    Michael MP, Darianian M (2008) Architectural solutions for mobile rfid services for the Internet of things. In: Proceedings of the 2008 IEEE congress on services—part I, SERVICES ’08, Washington, DC, USA. IEEE Computer Society Press, Los Alamitos, pp 71–74 CrossRefGoogle Scholar
  15. 15.
    Miorandi D, Sicari S, Pellegrini FD, Chlamtac I (2012) Internet of things: vision, applications and research challenges. Ad Hoc Netw 10(7):1497–1516 CrossRefGoogle Scholar
  16. 16.
    Moradi A, Poschmann A, Ling S, Paar C, Wang H (2011) Pushing the limits: a very compact and a threshold implementation of AES. In: Proceedings of EUROCRYPT’11, pp 69–88 Google Scholar
  17. 17.
    Syamsuddin I, Dillon T, Chang E, Han S (2008) A survey of RFID authentication protocols based on hash-chain method. In: Proceedings of ICCIT, vol 2. IEEE Press, New York, pp 559–564 Google Scholar
  18. 18.
    Tan L, Wang N (2010) Future Internet: the Internet of things. In: 3rd international conference on advanced computer theory and engineering (ICACTE), vol 5, pp V5–376–V5–380 Google Scholar
  19. 19.
    Weber RH (2010) Internet of things new security and privacy challenges. Comput Law & Secur Rev 26(1):23–30 CrossRefGoogle Scholar
  20. 20.
    Welbourne E, Battle L, Cole G, Gould K, Rector K, Raymer S, Balazinska M, Borriello G (2009) Building the Internet of things using rfid: the rfid ecosystem experience. IEEE Internet Comput 13(3):48–55 CrossRefGoogle Scholar
  21. 21.
    Yan T, Wen Q (2011) Building the Internet of things using a mobile rfid security protocol based on information technology. In: Jin D, Lin S (eds) Advances in computer science, intelligent system and environment. Advances in intelligent and soft computing, vol 104. Springer, Berlin, pp 143–149 CrossRefGoogle Scholar
  22. 22.
    Yeh K-H, Lo N, Winata E (2010) An efficient ultralightweight authentication protocol for RFID systems. In: Proceedings of RFIDSec Asia, pp 49–60 Google Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  • Pablo Picazo-Sanchez
    • 1
  • Lara Ortiz-Martin
    • 1
  • Pedro Peris-Lopez
    • 2
  • Julio Cesar Hernandez-Castro
    • 3
  1. 1.Department of Applied MathematicsUniversity School of Computer Science (UPM) of MadridMadridSpain
  2. 2.Computer Security Lab (COSEC)Carlos III University of MadridMadridSpain
  3. 3.School of ComputingUniversity of KentCanterburyUK

Personalised recommendations