Cryptanalysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme
Recently, Chen and Chien proposed a novel ownership transfer scheme that has low implementation costs and conforms to the EPC Class-1 Generation-2 standard. The authors claimed that the proposed scheme is able to resist all attacks, and hence that it has better security and performance than its predecessors. However, in this paper we show that the protocol falls short of its security objectives, and that it is even less secure than the previously proposed schemes. In fact, we describe several attacks which allow an adversary to recover all the secret information stored in the tag. Once this information is known, tags can be easily traced and impersonated.
Keywords: RFID, EPCC1G2, Ownership transfer, Cryptanalysis
This work has been partially supported by Ministerio de Ciencia e Innovación (Spain) and the European FEDER Fund under project TIN2011-25452.