Passive secret disclosure attack on an ultralightweight authentication protocol for Internet of Things


The Internet of Things (IoT) is a technology that gives any object the ability to send data over communication networks. Ensuring the security of Internet services and applications is an important factor in attracting users to this platform. In other words, if people cannot trust that the equipment and information will be reasonably safe against damage, abuse and other security threats, this lack of trust reduces the use of IoT-based applications. Recently, Tewari and Gupta (J Supercomput 1–18, 2016) proposed an ultralightweight RFID authentication protocol to provide the desired security for objects in the IoT. In this paper, we analyze the security of the proposed protocol and present a passive secret disclosure attack against it. The success probability of the attack is ‘1’, and its complexity is only that of eavesdropping one session of the protocol, which is negligible. We verify the correctness of the presented attack by simulation.



References

  1. Ahmadian Z, Salmasizadeh M, Aref MR (2013) Desynchronization attack on RAPP ultralightweight authentication protocol. Inf Process Lett 113(7):205–209
  2. Ahmadian Z, Salmasizadeh M, Aref MR (2013) Recursive linear and differential cryptanalysis of ultralightweight authentication protocols. IEEE Trans Inf Forensics Secur 8(7):1140–1151
  3. An R, Feng H, Liu Q, Li L (2017) Three elliptic curve cryptography-based RFID authentication protocols for Internet of Things. Springer, Berlin, pp 857–878
  4. Avoine G, Carpent X (2012) Yet another ultralightweight authentication protocol that is broken. In: Workshop on RFID Security—RFIDSec’12, Nijmegen
  5. Avoine G, Carpent X, Martin B (2012) Privacy-friendly synchronized ultralightweight authentication protocols in the storm. J Netw Comput Appl 35(2):826–843
  6. Bagheri N, Safkhani M (2017) Attack on Tewari and Gupta protocol code repository.
  7. Bagheri N, Safkhani M, Peris-Lopez P, Tapiador JE (2014) Weaknesses in a new ultralightweight RFID authentication protocol with permutation—RAPP. Secur Commun Netw 7(6):945–949
  8. Chien H-Y (2007) Sasi: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Trans Dependable Secur Comput 4(4):337–340
  9. Daemen J, Rijmen V (2002) The design of Rijndael: AES—the advanced encryption standard. Information Security and Cryptography. Springer, Berlin
  10. D’Arco P, Santis AD (2008) Weaknesses in a recent ultra-lightweight RFID authentication protocol. In: Vaudenay S (ed) AFRICACRYPT Lecture Notes in Computer Science, vol 5023. Springer, Berlin, pp 27–39
  11. D’Arco P, Santis AD (2011) On ultralightweight RFID authentication protocols. IEEE Trans Dependable Secur Comput 8(4):548–563
  12. Guo P, Wang J, Geng XH, Kim CS, Kim J-U (2014) A variable threshold-value authentication architecture for wireless mesh networks. J Internet Technol 15(6):929–935
  13. Gupta B, Agrawal DP, Yamaguchi S (eds) (2016) Handbook of research on modern cryptographic solutions for computer and cyber security. IGI Global, Hershey
  14. Peris-Lopez P, Castro JCH, Estévez-Tapiador JM, Ribagorda A (2008) Advances in ultralightweight cryptography for low-cost RFID tags: Gossamer protocol. In: WISA, pp 56–68
  15. Phan RC-W (2009) Cryptanalysis of a new ultralightweight RFID authentication protocol—SASI. IEEE Trans Dependable Secur Comput 6(4):316–320
  16. Quan Q, Jia Y-L, Zhang R (2016) A lightweight RFID security protocol based on elliptic curve cryptography. Int J Netw Secur 18(2):354–361
  17. Rivest RL, Shamir A, Adleman LM (1978) A method for obtaining digital signatures and public-key cryptosystems. Commun ACM 21(2):120–126
  18. Ronen E, O’Flynn C, Shamir A, Weingarten A (2016) IoT goes nuclear: creating a zigbee chain reaction. IACR Cryptology ePrint Archive 2016:1047
  19. Ronen E, Shamir A (2016) Extended functionality attacks on IoT devices: the case of smart lights. In: IEEE European Symposium on Security and Privacy, EuroS&P 2016, Saarbrücken, Germany, 21–24 March 2016, pp 3–12
  20. Tewari A, Gupta BB (2016) Cryptanalysis of a novel ultra-lightweight mutual authentication protocol for IoT devices using RFID tags. J Supercomput 1–18. doi:10.1007/s11227-016-1849-x
  21. Tian Y, Chen G, Li J (2012) A new ultralightweight RFID authentication protocol with permutation. IEEE Commun Lett 16(5):702–705


The authors would like to thank the anonymous reviewers for their suggestions to improve the content and presentation of this paper. This work was supported by Shahid Rajaee Teacher Training University under contract number 27770.

Author information



Corresponding author

Correspondence to Nasour Bagheri.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.


Cite this article

Safkhani, M., Bagheri, N. Passive secret disclosure attack on an ultralightweight authentication protocol for Internet of Things. J Supercomput 73, 3579–3585 (2017).



  • RFID
  • Secret disclosure
  • Authentication
  • Internet of Things