Another Fallen Hash-Based RFID Authentication Protocol

  • Julio Cesar Hernandez-Castro
  • Pedro Peris-Lopez
  • Masoumeh Safkhani
  • Nasour Bagheri
  • Majid Naderi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7322)


In this paper, we scrutinize the security of a recently proposed RFID protocol [9] and show important vulnerabilities. Our first attack is a passive one that can disclose all secret information stored in the tags’ memory. We only need to eavesdrop on one session of the protocol between a tag and a legitimate reader (connected to the back-end database) and perform O(2^17) off-line evaluations of the PRNG-function – while the authors wrongly claimed the complexity of any such attack would be around 2^48 operations. Although the extracted information is enough to launch other relevant attacks and thus to completely rule out any of the protocol’s security claims, we additionally present several attacks using alternative strategies that show the protocol is flawed in more than one way and has many exploitable weaknesses. More precisely, we present a tag impersonation attack that requires the execution of only two runs of the protocol and has a success probability of 1. It must be noted that this attack is, however, not applicable to the original protocol that the authors attempted to improve, so, in a way, their improvement is not an improvement at all. Finally, we show two approaches to trace a tag, as long as it has not updated its secret values. For all of the above reasons, we conclude that the improved protocol is even less secure than the original proposal, which is also quite insecure, and cannot be recommended.


Keywords: RFID, EPC-C1G2, Authentication, Secret Disclosure, Impersonation, Traceability


  1. Bailey, D.V., Juels, A.: Shoehorning Security into the EPC Tag Standard. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 303–320. Springer, Heidelberg (2006)
  2. Burmester, M., de Medeiros, B.: The Security of EPC Gen2 Compliant RFID Protocols. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 490–506. Springer, Heidelberg (2008)
  3. Burmester, M., de Medeiros, B., Munilla, J., Peinado, A.: Secure EPC Gen2 Compliant Radio Frequency Identification. In: Ruiz, P.M., Garcia-Luna-Aceves, J.J. (eds.) ADHOC-NOW 2009. LNCS, vol. 5793, pp. 227–240. Springer, Heidelberg (2009)
  4. Chen, C.-L., Deng, Y.-Y.: Conformation of EPC Class-1 Generation-2 standards RFID system with mutual authentication and privacy protection. Eng. Appl. of AI 22(8), 1284–1291 (2009)
  5. Chien, H.-Y., Chen, C.-H.: Mutual authentication protocol for RFID conforming to EPC Class-1 Generation-2 standards
  6. Class-1 Generation-2 UHF air interface protocol standard version 1.2.0, EPCGlobal (2008),
  7. Duc, D.N., Kim, K.: Defending RFID authentication protocols against DoS attacks. Computer Communications 34(3), 384–390 (2011)
  8. EPC Tag data standard version 1.6, EPCGlobal (2011),
  9. Habibi, M.H., Alagheband, M.R., Aref, M.R.: Attacks on a Lightweight Mutual Authentication Protocol under EPC C-1 G-2 Standard. In: Ardagna, C.A., Zhou, J. (eds.) WISTP 2011. LNCS, vol. 6633, pp. 254–263. Springer, Heidelberg (2011)
  10. Hung-Yu, C.: SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity. IEEE Transactions on Dependable and Secure Computing 4(4), 337–340 (2007)
  11. Chien, H.Y.: Secure access control schemes for RFID systems with anonymity. In: Proceedings of MDM, p. 96 (2006)
  12. Information technology Radio frequency identification for item management. Part 6: parameters for air interface communications at 860 MHz to 960MHz- (2005),
  13. Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: RFID specification revisited. In: The Internet of Things: From RFID to The Next-Generation Pervasive Networked Systems, pp. 6:311–6:346. Taylor & Francis Group (2008)
  14. Weis, R.-D.E.S., Sarma, S.: Security and privacy aspects of low-cost radio frequency identification systems. In: Proceedings of WiCom, pp. 2078–2080 (2007)
  15. Yeh, T.-C., Wang, Y.-J., Kuo, T.-C., Wang, S.-S.: Securing RFID systems conforming to EPC Class-1 Generation-2 standard. Expert Syst. Appl. 37(12), 7678–7683 (2010)

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Julio Cesar Hernandez-Castro (1)
  • Pedro Peris-Lopez (2)
  • Masoumeh Safkhani (3)
  • Nasour Bagheri (4)
  • Majid Naderi (3)

  1. School of Computing, Portsmouth University, UK
  2. Computer Science Department, Carlos III University of Madrid, Spain
  3. Electrical Eng. Department, Iran University of Science and Technology, Tehran, Iran
  4. Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran
