Desynchronization and Traceability Attacks on RIPTA-DA Protocol

  • Nasour Bagheri
  • Praveen Gauravaram
  • Masoumeh Safkhani
  • Somitra Kumar Sanadhya
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8262)

Abstract

Recently Gao et al. proposed a lightweight RFID mutual authentication protocol [3] to resist intermittent position trace attacks and desynchronization attacks and called it RIPTA-DA. They also verified their protocol’s security by a data reduction method to the learning parity with noise (LPN) problem and formally verified the functionality of the proposed scheme by Colored Petri Nets. In this paper, we investigate RIPTA-DA’s security. We present an efficient secret disclosure attack against the protocol which can be used to mount both de-synchronization and traceability attacks against the protocol. Thus our attacks show that RIPTA-DA protocol is not a RIPTA-DA.

Keywords

RFID security; Disclosure attack; Intermittent position trace attack; Desynchronization attack

1 Introduction

An RFID system typically includes a reader and a number of tags, which may range from the expensive and battery-powered tags (active tags) with Wi-Fi capabilities to the low-cost tags that are quite constrained in resources and have no internal power (passive tags). ISO-18000-6c [5] is one of the important standards for RFID passive tags that proposes a mutual authentication protocol to communicate with passive RFID tags. However, the original protocol in the standard is known to be insecure [8]. To improve the security of this standard several protocols have been proposed in compliance with this standard, e.g., SASI [4], Gossamer [6], RAPP [13] and EMAP [7]. In this direction, Gao et al. [3] have recently discussed the security concerns of RFID systems and proposed a lightweight protocol to protect ISO-18000-6c against desynchronization attacks and intermittent position trace attacks, in which a man-in-the-middle adversary aims to trace the tag holder, and named it “resisting the intermittent position trace attacks and desynchronization attacks (RIPTA-DA)”. RIPTA-DA does not use any classical cryptographic primitive such as a block cipher, a stream cipher or a hash function, in order to meet the restrictions of passive RFID tags. The only nonlinear function which is used to provide the desired confusion and protect the secret parameters of the tag is a function called “square random number function”. In this function the main source of nonlinearity is the squaring of a number. More precisely, given two \(n\)-bit values, the “square random number function” computes some linear calculation combined with squaring a number and returns an \(n\)-bit result. The protocol is a lightweight protocol as it is compliant with passive tags. Hence it could be a promising solution to strengthen the security of tags conforming to ISO-18000-6c if it could provide an accepted level of security against an intermittent adversary, which was the main goal of the designers of the protocol.

In this paper we show that RIPTA-DA protocol is not secure against an active adversary which is able to impersonate the reader and send several consecutive queries to a passive RFID tag. We present an efficient secret disclosure attack which, given \(512\) consecutive queries to the tag and its responses, retrieves more than \(n\) bits out of a \(3n\)-bit secret key with a success probability of almost 1. In addition, given the recovered secret, we present an approach to trace the tag for which the adversary’s advantage is 0.738 for each query to the tag. Moreover we present a desynchronization attack which, after two queries to the tag, desynchronizes the tag and the reader with probability 1, so that they do not authenticate each other anymore. This attack contradicts the claims on the security of the RIPTA-DA protocol against desynchronization attack.

The rest of the paper is organised as follows: In Sect. 2 we present a high-level discussion on the attacks considered in this paper. In Sect. 3 we review RIPTA-DA protocol. In Sect. 4 we present secret disclosure attack on RIPTA-DA. In Sects. 5 and 6, we show how to use the revealed secrets to mount traceability attack and desynchronization attack against the protocol. Section 7 concludes the paper.

2 General Overview of Attacks on RFID Tags

Previous studies [1, 9, 10, 11, 12] discussed several threats to RFID applications, e.g., eavesdropping, replay attack, cloning, tag impersonation, secret disclosure attack, tag tracing, data forging, denial of service and counting attack. In this section we review the attacks which we mount against RIPTA-DA protocol.

Secret disclosure attack: In an RFID system, the tags and the readers have secret parameters that the adversary should not be able to discover with a complexity less than searching for them by brute force. However, if the messages transferred in a protocol are not designed properly then the adversary may reveal these secret parameters partially or completely.

Traceability attack: In an RFID system tags and readers interact in protocol sessions. Since the communications take place over a wireless channel, it is assumed that an adversary can control any communications among all the participants and can interact passively or actively with them. In this scenario, if an adversary finds any meaningful relation between the messages transferred in different sessions of the protocol with non-negligible success probability then it succeeds in tracing the tag, thus compromising the tag holder’s privacy. For example, if a specific tag always returns its static ID-value as a part of its response to the reader’s query then this value can be used as a measure to trace the tag and apply a traceability attack against the protocol.

Desynchronization attack: A desynchronization attack in an RFID protocol is a type of denial of service attack. It occurs if a legitimate tag and a legitimate reader do not authenticate each other because one of them did not receive the expected response while communicating. In RFID protocols, to provide anonymity, it is common to update some of the parameters shared among the protocol parties. In this case, a promising approach to desynchronize the tag and the reader is to force the tag and the reader to update their common values to different values. If the adversary succeeds in forcing the tag and the reader to do so, they will not authenticate each other in further transactions.

3 RIPTA-DA Protocol

RIPTA-DA protocol was proposed by Gao et al. [3] to fix the security concerns of ISO-18000-6c compliant protocols. Assume that \((\mathcal {X})_{i\sim j}\) indicates the fraction of a string \(\mathcal {X}\) from the ith bit to the jth bit, \(A\in \{0,1\}^n\) and \(B\in \{0,1\}^n\). We explain the protocol with a discussion on the functionality of its building block, called ‘square random function’ and denoted by \(S(A\oplus B)\), as below:
$$\begin{aligned} x&=A\oplus B; \\ y&=x^2; \\ z&=(y)_{((B)_{k-1\sim 0}) \sim {(((B)_{k-1\sim 0})-(n-1)) }}; \\ S(A\oplus B)&=z; \end{aligned}$$
where \(k\) is a fixed value determined by the factory such that \(k\le \log_2(n)\), \(x\in \{0,1\}^n\), \(z\in \{0,1\}^n\) and \(y\in \{0,1\}^{2n}\). In this function, bit extraction is performed modulo the bit length of the source string \(\mathcal {X}\) (for \(z\) the source is the \(2n\)-bit \(y\)), i.e., the bit extraction is circular: if the extraction reaches the end of the string with fewer than \(n\) bits taken, the remaining bits are taken from the beginning of the source string so that the extracted string is \(n\) bits long. The right-most bit of \(\mathcal {X}\) is the least significant bit and is indexed by ‘0’.
For example, assume that \(n=16\), \(A=1011~0100~1110~0101\), \(B=0100~0111~0101~1101\) and \(k=3\); then:
$$\begin{aligned} x&=A\oplus B=1111~0011~1011~1000;\\ y&=x^2= 1110~1000~0000~0110~1101~0100~0100~0000;\\ (B)_{(3-1)\sim 0}&=(B)_{2\sim 0}=101;\\ z&=(y)_{5 \sim (-10) }=0000~00~1110~1000~00;\\ S(A\oplus B)&=0000~0011~1010~0000. \end{aligned}$$
In RIPTA-DA protocol, the tag and the reader share three \(n\)-bit secret keys denoted by \(key_iH\), \( key_iM\) and \(key_iL\), where \(i\) is the session index. In this protocol, to avoid desynchronization attacks, both the tag and the reader keep two records of the secret parameters, denoted by \(key_i1\) and \(key_i2\) respectively, where \(key_i\) is a key group that includes \(\{key_iH, key_iM,key_iL\}\) and is updated after each successful run of the protocol. In addition, each tag has a single bit \(flag\) and a judgment function that could be used to determine which of \(key_i1\) or \(key_i2\) is the secret key group of the last successful authentication. More precisely, \(flag=1\) implies that the \(key_i1\) group keeps the secret key group of the previous successful authentication and \(flag=0\) implies that the \(key_i2\) group keeps it. The purpose of this bit is to ensure that the correct secret key group of a mutual authentication will always be kept in any situation between the reader and the tag. This is aimed at avoiding desynchronization attacks. The \(flag\) bit is updated by the Update(\(flag\)) function. In addition, in each round of the protocol a random number \(v\) generated by the tag contributes to the calculation of the transferred messages. The designers of the protocol claim that this random value plays the role of the noise in LPN based protocols [3, p. 1950], aiming to employ the LPN problem to enhance the security of the protocol.
RIPTA-DA protocol, which is shown in Fig. 1, runs as follows:
  1. The reader sends the \(Query\) command with a random number \(N\), generated by the database, to the tag \(T\).
  2. Upon receiving the message, \(T\) does as follows:
    • generates a random number \(v\),
    • computes \( R=S(key_iH\oplus v)\), \( \alpha = key_iM\oplus v\), \(\beta = key_iL\oplus R\) and \(\mu =H(N\oplus key_iH\oplus v)\), where \(H\) is a hash function (see footnote 1); the effective key group is \(key_i1\) if \(flag =1\), otherwise it is \(key_i2\),
    • and sends the tuple \(\{\alpha , \beta , \mu \} \) to the reader.
  3. The reader receives the message sent by the tag and transmits it to the database.
  4. Upon receiving the message, the database does as follows:
    • It searches for a tag \(T'\) for which \(S(key_iH \oplus \alpha \oplus key_iM)=\beta \oplus key_iL\) and \(H(N\oplus key_iH\oplus v)=\mu \).
    • If it finds such a tag, it authenticates the tag, generates fresh \(\{key_{i+1}H, key_{i+1}M, key_{i+1}L\}\), chosen uniformly at random from the key space, computes \(\delta =key_{i+1}H\oplus key_{i}H\), \(\xi =key_{i+1}L\oplus key_{i}L\), \(\varphi =key_{i+1}M\oplus key_{i}M\) and \(\varPsi =S(key_{i+1}L\oplus R)\oplus S(key_{i+1}H \oplus R)\oplus S(key_{i+1}M\oplus R)\) and sends the tuple \((\delta ,\varphi ,\xi ,\varPsi )\) to the reader,
    • updates \(\{key_{i+1}H, key_{i+1}M, key_{i+1}L\}\).
  5. The reader transfers the received \((\delta ,\varphi ,\xi ,\varPsi )\) to the tag.
  6. Upon receiving the message, \(T\) extracts \(\{key_{i+1}H,key_{i+1}M,key_{i+1}L\}\) by using the variables \(\delta \), \(\varphi \), \(\xi \) and verifies the correctness of \(\varPsi \) using the extracted values. If \(\varPsi \) is valid, the tag updates the non-effective secret group with the extracted data, keeps the effective \(key_i\) group and adapts the \(flag\) bit to indicate the secret group which has been involved in this run of the protocol.
The designers of RIPTA-DA claim that their protocol provides optimal security against desynchronization attack and traceability attack. However, in this paper we show that the protocol is weak by presenting a secret disclosure attack which can be employed to desynchronize the tag and the reader and also trace the tag’s holder.

Fig. 1. RIPTA-DA mutual authentication protocol.

4 Secret Disclosure Attack on RIPTA-DA

The only source of nonlinearity in RIPTA-DA protocol is the square random number function, which is mainly squaring an \(n\)-bit value and dropping \(n\) bits of the result. However, by a close look at \(\mathcal {X}^2=\mathcal {X}\times \mathcal {X}\) we see some interesting properties that can be employed in our analysis. Assuming that \(\mathcal {X}=(\mathcal {X})_{n-1}\Vert \ldots \Vert (\mathcal {X})_{1}\Vert (\mathcal {X})_{0}\), where \((\mathcal {X})_i\) denotes the \(i\)th bit of \(\mathcal {X}\), the following properties hold between the bits of \(\mathcal {X}\) and the bits of \(\mathcal {X}^2\) (see also Table 1):
$$(\mathcal {X}^2)_{0}=(\mathcal {X})_{0}; \tag{1}$$
$$(\mathcal {X}^2)_{1}=0; \tag{2}$$
$$(\mathcal {X}^2)_{2}=(\mathcal {X})_{1}\cdot \overline{(\mathcal {X})_{0}}. \tag{3}$$
Table 1. \((\mathcal {X}^2)_{2\sim 0}\) given \((\mathcal {X})_{2\sim 0}\). Note that \((\mathcal {X})_{n-1\sim 3}\) has no effect on the result of \((\mathcal {X}^2)_{2\sim 0}\).

| \((\mathcal {X})_{2}\) | \((\mathcal {X})_{1}\) | \((\mathcal {X})_{0}\) | \((\mathcal {X}^2)_{2}\) | \((\mathcal {X}^2)_{1}\) | \((\mathcal {X}^2)_{0}\) |
|---|---|---|---|---|---|
| 0 | 0 | 0 | 0 | 0 | 0 |
| 0 | 0 | 1 | 0 | 0 | 1 |
| 0 | 1 | 0 | 1 | 0 | 0 |
| 0 | 1 | 1 | 0 | 0 | 1 |
| 1 | 0 | 0 | 0 | 0 | 0 |
| 1 | 0 | 1 | 0 | 0 | 1 |
| 1 | 1 | 0 | 1 | 0 | 0 |
| 1 | 1 | 1 | 0 | 0 | 1 |

On each query to the tag \(T\) by a reader, which can potentially be an adversary as well, the tag returns the following values:
$$\alpha = key_iM\oplus v; \tag{4}$$
$$\beta = key_iL\oplus R, \tag{5}$$
where \( R=S(key_iH\oplus v)\). In addition, as long as the tag has not been involved in a successful run of the protocol, the effective secret key remains fixed. We assume the adversary initiates \(t\) consecutive sessions. In the \(j\)th session, the adversary sends \(N^j\) to the tag and the tag answers the query with \(\{\alpha ^j, \beta ^j, \mu ^j\} \), where:
$$\begin{aligned} \alpha ^j&= key_iM\oplus v^j;\\ \beta ^j&= key_iL\oplus R^j;\\ R^j&=S(key_iH\oplus v^j). \end{aligned}$$
for \(1\le j\le t\). On the other hand, for \(1\le m \le n\) as a bit position, \(1\le j \le t\) and \(1\le f \le t\), we have:
$$\begin{aligned} (\alpha ^j\oplus \alpha ^f)_m=(v^j\oplus v^f)_m=(v^j)_m\oplus (v^f)_m \end{aligned}$$
Since the attacker knows \(\alpha ^j\) and \(\alpha ^f\), he can easily determine whether \((v^j)_m\mathop {=}\limits ^{?} (v^f)_m\). Given this information, it is possible to group \(v^1, \ldots , v^t\) into two groups, denoted by \(G1\) and \(G2\) respectively, where all entries in a group hold the same value in the \(m\)th bit of \(v\). For example, given \((v^1)_m\oplus (v^j)_m\) for \(1\le j\le t\), it is possible to assign to \(G1\) any entry whose \((v)_m\) is equal to \((v^1)_m\), i.e., \((v^1)_m\oplus (v^j)_m=0\), and to assign to \(G2\) any entry whose \((v)_m\) is not equal to \((v^1)_m\), i.e., \((v^1)_m\oplus (v^j)_m=1\). A similar approach can be used to group \(v^1, \ldots , v^t\) into \(2^{k}\) groups, denoted by \(G1,\ldots ,G2^k\) respectively, where all entries in a group hold the same value in the \(k\) least significant bits of \(v\), i.e., \((v)_{k-1\sim 0}\). Next, we look for the group for which the \(k\) least significant bits of \(v\) are equal to \(n-1\). For such a value of \(v\), \(R= S(key_iH\oplus v)\) is calculated as follows:
$$\begin{aligned} x&=key_iH\oplus v;\\ y&=x^2;\\ R&=(y)_{(n-1) \sim {0}}. \end{aligned} \tag{6}$$
Hence \((R)_{2\sim 0}=((key_iH\oplus v)^2)_{2\sim 0}\), where based on Eq. (2) we have \((R)_{1}=0\) and therefore \((\beta ^j)_1= (key_iL\oplus R)_{1}=(key_iL)_1\). Based on this observation, if for a group \(Gi\) we have \((v)_{k-1\sim 0}=n-1\), then \((\beta )_1\) remains constant over all elements of that group. Given such a group we have revealed \((key_iL)_1\) and \((v)_{k-1\sim 0}=n-1\). By using the second revealed value (\((v)_{k-1\sim 0}=n-1\)) we can determine \(k\) bits of \(key_iM\) because \((\alpha ^j)_{k-1\sim 0}= ((key_iM)\oplus (n-1))_{k-1\sim 0}\). Given \((key_iM)_{k-1\sim 0}\) it is possible to determine \((v)_{k-1\sim 0}\) for each group. It must be noted that the extracted bits of \(v\) contradict the claimed reduction of the security of the protocol to the LPN problem, because in the LPN problem the adversary’s advantage in obtaining any information about the noise parameter \(v\) should be negligible; otherwise Gaussian elimination to obtain the secret parameter would be possible. So far, for each group \(Gi\), \(1\le i \le 2^{k}\), we know at which position of \(R\) the bit \(((key_iH\oplus v)^2)_1=0\) is located, which determines another bit of \(key_iL\). Following this approach, we can determine \(2^{k}\) bits of the secret parameter \(key_iL\) and also \((key_iM)_{k-1\sim 0}\) (if \(2^{k}=n\) then we can retrieve all bits of \(key_iL\)). Given \(key_iL\), the adversary can determine \(R\) as \(R=\beta \oplus key_iL\). On the other hand, based on Eq. (1), \((x^2)_0=(x)_0\), which combined with the extracted \((v)_0\) reveals \((key_iH)_0\). In addition, given \((key_iH)_0\), \((v)_1\) and Eq. (3), the adversary retrieves \((key_iH)_1\). (This attack is a partial key recovery attack for \(key_iH\). Although it is possible to extend this attack to recover up to \(k\) bits of \(key_iH\), given \((v)_{k-1\sim 0}\) and \(R\) for the eavesdropped messages of the previous sessions and some simple calculations, it is not needed for our attacks in the rest of the paper.)
The adversary succeeds in her attack if she selects the correct group in the first step of the attack, i.e., the group for which \((v)_{k-1\sim 0}=n-1\). On the other hand, if for a group \((v)_{k-1\sim 0}=n-1\) then \((\beta )_1\) is constant over all elements of that group, whereas if \((v)_{k-1\sim 0}\ne n-1\) all elements of that group hold the same value of \((\beta )_1\) only with probability \(2^{-|G|}\), where \(|G|\) denotes the group’s cardinality, which is approximately \(\frac{t}{2^k}\). Hence, excluding the correct group, the adversary is expected to find \((|\# G|-1)\times 2^{-|G|}\) groups that satisfy the given condition on \((\beta )_1\), where \(|\# G|\) denotes the total number of groups, i.e., \(2^k\). We call such a group a quasi-correct-group. In addition, after this step the adversary knows the expected value of \((v)_{k-1\sim 0}\) for each group. This value can be used to determine the location of \((key_iL)_1\) in each group, which in turn can be used to filter wrong guesses. The adversary fails in her attack if all the given conditions are satisfied for a wrongly selected group. For a quasi-correct-group, the bits in the expected location of \((key_iL)_1\) in each group are constant with probability \(2^{-|G|}\). We have \(2^k\) groups and \((|\# G|-1)\times 2^{-|G|}\) quasi-correct-groups. So a quasi-correct-group passes all conditions with the following probability:
$$\begin{aligned} ((|\# G|-1)\times 2^{-|G|})\times \left( 2^{-|G|}\right) ^{\#| G|}=(2^k-1)\times 2^{-\frac{t}{2^k}} \times \left( 2^{-\frac{t}{2^k}}\right) ^{2^k}. \end{aligned}$$
As a numerical example, for \(l=128\), \(k=8\) and \(t=512\), the group’s cardinality is expected to be \(\frac{512}{128}=4\) and a quasi-correct-group passes the given conditions with the probability of \((2^8-1)\times 2^{-4} \times \left( 2^{-4}\right) ^{128}\cong 2^{-508}\). Hence the adversary’s advantage in the given attack for \(t\ge 512\) is almost 1.

5 Traceability Attack

Given the target tag \(T\) and its secrets \((key_iH)_{1\sim 0}\), \((key_iM)_{k-1\sim 0}\) and \(key_iL\), to determine whether a randomly selected tag \(T'\) is \(T\), the adversary initiates a session by sending a random number \(N\), receives the tuple \(\{\alpha , \beta , \mu \}\) and does the following calculations:
$$\begin{aligned} R'&= key_iL\oplus \beta ;\\ (v')_{k-1\sim 0}&= (key_iM\oplus \alpha )_{k-1\sim 0}. \end{aligned}$$
Given \(\beta = key_iL\oplus R'\) and \(key_iL\) we can compute \(R'\). Given \(\alpha \) and \((key_iM)_{k-1\sim 0}\) we can determine \((v')_{k-1\sim 0}\). Given \((v')_{k-1\sim 0}\) we know the value of \(((key'_iH \oplus v')^2)_{2\sim 0}\), which combined with \((v')_{k-1\sim 0}\) allows us to determine \((key'_iH)_{1\sim 0}\). Remember that \(((key'_iH\oplus v')^2)_{0}=(key'_iH\oplus v')_0\) and \(((key'_iH\oplus v')^2)_{ 2}=(key'_iH\oplus v')_1 . \overline{(key'_iH\oplus v')_0}\). Therefore, if \((v')_{k-1\sim 0}\ge 2\) then the adversary can determine \(((key'_iH\oplus v')^2)_{2\sim 0}\) and \((key'_iH)_{1\sim 0}\). Then the adversary outputs ‘1’ if \((key_iH)_{1\sim 0}=(key'_iH)_{1\sim 0}\), otherwise outputs ‘0’. The adversary’s advantage \(Adv_{A}\) to make the correct decision in this attack is defined as follows:
$$\begin{aligned} Adv_{A}=\left| Pr [A^{T=T'}\Rightarrow 1 ]-Pr [A^{T\ne T'}\Rightarrow 1] \right| . \end{aligned}$$
To determine \(Adv_{A}\) we need \(Pr((v')_{k-1\sim 0}\ge 2)\), which is \(1-\frac{2}{2^{k}}\). If \(T=T'\) and \((v')_{k-1\sim 0}\ge 2\) then with probability 1 the adversary outputs “1”, and if \((v')_{k-1\sim 0}< 2\) then it just returns a random bit as its decision. On the other hand, if \(T\ne T'\) and \((v')_{k-1\sim 0}\ge 2\) then with probability \(\frac{1}{4}\) the adversary outputs ‘1’, and if \((v')_{k-1\sim 0}< 2\) then it just returns a random bit as its decision. Hence:
$$\begin{aligned} Adv_{A}=\left| (1-\frac{2}{2^{k}}) \times 1+ (\frac{2}{2^{k}})\times \frac{1}{2}- (1-\frac{2}{2^{k}}) \times \frac{1}{4}- (\frac{2}{2^{k}})\times \frac{1}{2}\right| . \end{aligned}$$
For \(k=7\), \(Adv_{A}=0.738\), which is not negligible. It must be noted that the adversary may repeat the above attack to increase its advantage. It is clear that, given a tag \(T'\), to verify whether it is the target tag \(T\) the adversary can use the approach presented in Sect. 4 to extract its secret parameters, compare them with those of \(T\) and output its decision. However, the complexity of this approach is much higher than that of the attack detailed in this section.

6 Desynchronization Attack

If the secret parameters used in an authentication protocol are updated, both parties should end up keeping the same values. Otherwise they won’t authenticate each other in later sessions and we say they have been desynchronized. In the desynchronization attack presented in this section, the adversary forces the tag and the back-end server to update their common values to different values. Gao et al. [3] claim that their protocol is secure against desynchronization attack. More precisely, the authors state that to prevent desynchronization attacks both the tag and the back-end database keep the latest successfully authenticated group of secrets, which can be used to resynchronize the tag and the server. However, based on the secret disclosure attack given in Sect. 4, we present an efficient attack where the adversary forces the tag to update both records of secret values such that neither of them matches the values that the back-end database keeps in its records. Given the target tag \(T\) and its secrets \((key_iH)_{1\sim 0}\), \((key_iM)_{k-1\sim 0}\) and \(key_iL\), an active adversary (\(\mathcal {A}\)) which is present during the communication of the tag and the reader follows a two-phase attack to desynchronize the tag and the reader.

Phase 1 (updating \(key_{i+1}\)): In this phase of the attack, the adversary \(\mathcal {A}\) forces the tag and the database to update their records of \(key_{i+1}L\) to different values as follows:
  1. The reader sends the \(Query\) command with a random number \(N\), generated by the database, to the tag \(T\).
  2. Upon receiving the message, \(T\) does as follows:
    • generates a random number \(v\),
    • computes \( R=S(key_iH\oplus v)\), \( \alpha = key_iM\oplus v\), \(\beta = key_iL\oplus R\) and \(\mu =H(N\oplus key_iH\oplus v)\), where if \(flag=1\) then the \(key_i1\) group is the effective secret key group, otherwise \(key_i2\),
    • and sends the tuple \(\{\alpha , \beta , \mu \} \) to the reader.
  3. \(\mathcal {A}\) eavesdrops on the message and extracts \(R\) from \(\beta = key_iL\oplus R\).
  4. The reader receives the message sent by the tag and transmits it to the database.
  5. Upon receiving the message, the database does as follows:
    • It searches for a tag \(T'\) for which \(S(key_iH \oplus \alpha \oplus key_iM)=\beta \oplus key_iL\) and \(H(N\oplus key_iH\oplus v)=\mu \).
    • It finds \(T\) and generates fresh \(\{key_{i+1}H, key_{i+1}M,key_{i+1}L\}\) uniformly at random from the key space, computes \(\delta =key_{i+1}H\oplus key_{i}H\), \(\xi =key_{i+1}L\oplus key_{i}L\), \(\varphi =key_{i+1}M\oplus key_{i}M\) and \(\varPsi =S(key_{i+1}L\oplus R)\oplus S(key_{i+1}H\oplus R)\oplus S(key_{i+1}M\oplus R)\) and sends the tuple \((\delta ,\xi ,\varphi ,\varPsi )\) to the reader,
    • updates \(\{key_{i+1}H, key_{i+1}M,key_{i+1}L\}\).
  6. The reader transfers the received \((\delta ,\xi ,\varphi ,\varPsi )\) to the tag.
  7. \(\mathcal {A}\) blocks the message, extracts \(key_{i+1}L\) from \(\xi \), chooses a random \(key'_{i+1}L\ne key_{i+1}L\) and computes \(\xi '=key'_{i+1}L\oplus key_{i}L\) and \(\varPsi '=\varPsi \oplus S(key_{i+1}L\oplus R)\oplus S(key'_{i+1}L\oplus R)=S(key_{i+1}L\oplus R)\oplus S(key_{i+1}H\oplus R)\oplus S(key_{i+1}M\oplus R)\oplus S(key_{i+1}L\oplus R)\oplus S(key'_{i+1}L\oplus R)=S(key'_{i+1}L\oplus R)\oplus S(key_{i+1}H\oplus R)\oplus S(key_{i+1}M\oplus R)\), and sends \(\delta ,\xi ',\varphi \) and \(\varPsi '\) to the tag.
  8. Upon receiving the message, \(T\) extracts \(\{key_{i+1}H, key_{i+1}M,key'_{i+1}L\}\) and verifies the correctness of the received \(\varPsi '\). If \(\varPsi '\) is valid, which it is, the tag updates the non-effective secret group with the extracted data, keeps the effective \(key_i\) group and adapts the \(flag\) bit to indicate the secret group which has been involved in this run of the protocol.
Phase 2 (updating \(key_{i}\)): In this phase of the attack, which must be accomplished in the next consecutive session of the protocol between \(T\) and the reader, the adversary \(\mathcal {A}\) forces the tag and the database to update their records of \(key_{i}L\) to different values as follows:
  1. The reader sends the \(Query\) command with a random number \(N'\), generated by the database, to the tag \(T\).
  2. Upon receiving the message, \(T\) does as follows:
    • generates a random number \(v'\),
    • computes \( R'=S(key_{i+1}H\oplus v')\), \( \alpha '= key_{i+1}M\oplus v'\), \(\beta '= key'_{i+1}L\oplus R'\) and \(\mu '=H(N'\oplus key_{i+1}H\oplus v')\), where, if in the previous session the \(key_i1\) group was the effective secret key group, here \(key_i2\) is the effective one and vice versa,
    • and sends the tuple \(\{\alpha ', \beta ', \mu '\} \) to the reader.
  3. \(\mathcal {A}\) blocks the message, extracts \(R'\) from \(\beta '= key'_{i+1}L\oplus R'\), generates \(\beta ''= key_{i+1}L\oplus R'\) and sends the tuple \(\{\alpha ', \beta '', \mu '\} \) to the reader.
  4. The reader receives the tuple \(\{\alpha ', \beta '', \mu '\} \) and transmits it to the database.
  5. Upon receiving the message, the database does as follows:
    • It searches for a tag \(T'\) for which \(S(key_{i+1}H \oplus \alpha '\oplus key_{i+1}M)=\beta '' \oplus key_{i+1}L\) and \(H(N'\oplus key_{i+1}H\oplus v')=\mu '\).
    • It finds \(T\) and generates fresh \(\{key'_{i}H, key'_{i}M,key'_{i}L\}\), computes \(\delta '=key_{i+1}H\oplus key'_{i}H\), \(\xi '=key_{i+1}L\oplus key'_{i}L\), \(\varphi '=key_{i+1}M\oplus key'_{i}M\) and \(\varPsi '=S(key'_{i}L\oplus R')\oplus S(key'_{i}H\oplus R')\oplus S(key'_{i}M\oplus R')\) and sends the tuple \((\delta ',\xi ',\varphi ',\varPsi ')\) to the reader,
    • updates \(\{key'_{i}H, key'_{i}M,key'_{i}L\}\).
  6. The reader transfers the received \((\delta ',\xi ',\varphi ',\varPsi ')\) to the tag.
  7. \(\mathcal {A}\) blocks the message, extracts \(key'_{i}L\) from \(\xi '\), chooses a random \(key''_{i}L\) such that \(key''_{i}L\ne key'_{i}L\) and \(key''_{i}L\ne key_{i+1}L\), and computes \(\xi ''=key'_{i+1}L\oplus key''_{i}L\) and \(\varPsi ''=\varPsi '\oplus S(key'_{i}L\oplus R')\oplus S(key''_{i}L\oplus R')=S(key'_{i}L\oplus R')\oplus S(key'_{i}H\oplus R')\oplus S(key'_{i}M\oplus R')\oplus S(key'_{i}L\oplus R')\oplus S(key''_{i}L\oplus R')=S(key''_{i}L\oplus R')\oplus S(key'_{i}H\oplus R')\oplus S(key'_{i}M\oplus R')\), and sends \(\delta ',\xi '',\varphi '\) and \(\varPsi ''\) to the tag.
  8. Upon receiving the message, \(T\) extracts \(\{key'_{i}H, key'_{i}M,key''_{i}L\}\) and verifies the correctness of the received \(\varPsi ''\). If \(\varPsi ''\) is valid, which it is, the tag updates the non-effective secret group with the extracted data, keeps the effective \(key_{i+1}\) group and adapts the \(flag\) bit to indicate the secret group which has been involved in this run of the protocol.
At the end of this attack, the database keeps the following records of secret key groups:
$$\begin{aligned} key_i&= \{key'_{i}H, key'_{i}M,key'_{i}L\};\\ key_{i+1}&= \{key_{i+1}H, key_{i+1}M,key_{i+1}L\}; \end{aligned}$$
while the tag \(T\) keeps the following records as its secret key groups:
$$\begin{aligned} key_i&= \{key'_{i}H, key'_{i}M,key''_{i}L\};\\ key_{i+1}&= \{key_{i+1}H,key_{i+1}M,key'_{i+1}L\}; \end{aligned}$$
where \(key'_{i+1}\ne key_{i+1}\) and \(key''_{i}\ne key'_{i}\). Hence the adversary successfully forced the tag and the reader to update their records to different values and they won’t authenticate each other in later sessions of protocol. The success probability of the presented attack is almost 1 while the complexity is just two sessions of protocol, given that the adversary has already extracted the related secrets.

An interesting property of the attack is that, once the tag and the database have been desynchronized, the only party which can resynchronize them again, or let them perform a particular session correctly, is the adversary. To do so, it is enough to follow Phase 2 of the above attack.
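Added example, not code from the paper: a toy simulation of the two-phase attack of this section against a tag and a database that each keep two key groups and alternate between them, as in Sect. 3. It isolates the structural point the algebra in step 7 of each phase relies on: \(\varPsi\) is an XOR of three separately computed \(S\)-terms, so whoever knows \(key_iL\) and \(R\) can exchange the one term belonging to the key she substitutes. Since that does not depend on how \(S\) is defined, the block uses a hash-based stand-in for \(S\), 32-bit keys and no \(\mu\); all three are assumptions of the example, and \(key_iL\) is read from the toy tag in place of the recovery of Sect. 4.

```python
import hashlib
import random

N_BITS = 32                      # toy key length (assumption); the paper's n is 128
MASK = (1 << N_BITS) - 1


def S(a, b):
    # Stand-in for the square random function (an assumption, not the paper's S):
    # the attack only needs Psi to be an XOR of S-terms the adversary can recompute
    # from known inputs, so any deterministic n-bit function shows the same effect.
    data = ((a ^ b) << N_BITS | (b & MASK)).to_bytes(2 * N_BITS // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: N_BITS // 8], "big")


class Tag:
    """Holds two key groups (H, M, L); `flag` is the index of the effective one."""

    def __init__(self, g1, g2, flag, rng):
        self.slots, self.flag, self.rng, self.r = [g1, g2], flag, rng, None

    def query(self):                                   # Sect. 3 step 2, mu omitted
        h, m, l = self.slots[self.flag]
        v = self.rng.getrandbits(N_BITS)
        self.r = S(h, v)
        return m ^ v, l ^ self.r                       # alpha, beta

    def update(self, delta, phi, xi, psi):             # Sect. 3 step 6
        h, m, l = self.slots[self.flag]
        nh, nm, nl = delta ^ h, phi ^ m, xi ^ l
        if psi != S(nl, self.r) ^ S(nh, self.r) ^ S(nm, self.r):
            return False
        self.slots[1 - self.flag] = (nh, nm, nl)       # overwrite the non-effective group
        self.flag = 1 - self.flag                      # it is the effective one next session
        return True


class Database:
    """Keeps two key groups and searches both (Sect. 3 step 4; mu check omitted)."""

    def __init__(self, g1, g2, rng):
        self.slots, self.rng = [g1, g2], rng

    def authenticate(self, alpha, beta):
        for idx, (h, m, l) in enumerate(self.slots):
            if S(h, alpha ^ m) == beta ^ l:
                break
        else:
            return None                                # no record explains the response
        r = beta ^ l
        nh, nm, nl = (self.rng.getrandbits(N_BITS) for _ in range(3))
        self.slots[1 - idx] = (nh, nm, nl)
        return nh ^ h, nm ^ m, nl ^ l, S(nl, r) ^ S(nh, r) ^ S(nm, r)   # delta, phi, xi, Psi


def honest_session(tag, db):
    reply = db.authenticate(*tag.query())
    return reply is not None and tag.update(*reply)


def desync(tag, db, known_l, rng):
    """Sect. 6: `known_l` is the effective key_iL, assumed already recovered."""
    # Phase 1: make the tag store a different key_{i+1}L than the database does.
    alpha, beta = tag.query()
    r = beta ^ known_l                                 # step 3: R from beta
    delta, phi, xi, psi = db.authenticate(alpha, beta) # steps 4-6 run untouched
    new_l = xi ^ known_l                               # step 7: key_{i+1}L from xi
    fake_l = new_l ^ (rng.getrandbits(N_BITS) | 1)     # key'_{i+1}L != key_{i+1}L
    psi_fake = psi ^ S(new_l, r) ^ S(fake_l, r)        # swap the single S-term that changes
    assert tag.update(delta, phi, fake_l ^ known_l, psi_fake)   # step 8: tag accepts
    # Phase 2: the tag now answers under key'_{i+1}L; repair beta so the database
    # still recognises it, then forge key''_iL for the tag the same way.
    alpha2, beta2 = tag.query()
    r2 = beta2 ^ fake_l                                # step 3: R' from beta'
    delta2, phi2, xi2, psi2 = db.authenticate(alpha2, new_l ^ r2)   # beta'' = key_{i+1}L ^ R'
    l_i = xi2 ^ new_l                                  # step 7: key'_iL from xi'
    fake_l2 = l_i ^ (rng.getrandbits(N_BITS) | 1)      # key''_iL != key'_iL
    psi2_fake = psi2 ^ S(l_i, r2) ^ S(fake_l2, r2)
    assert tag.update(delta2, phi2, fake_l2 ^ fake_l, psi2_fake)   # xi'' masked with key'_{i+1}L


def run_attack(seed=7):
    rng = random.Random(seed)
    g1 = tuple(rng.getrandbits(N_BITS) for _ in range(3))   # constructed initial key groups
    g2 = tuple(rng.getrandbits(N_BITS) for _ in range(3))
    tag, db = Tag(g1, g2, 0, rng), Database(g1, g2, rng)
    before = honest_session(tag, db)                   # baseline: the protocol works
    desync(tag, db, tag.slots[tag.flag][2], rng)       # key_iL taken from the tag here
    shared = sum(g in db.slots for g in tag.slots)     # records both sides still agree on
    after = honest_session(tag, db)
    return {"honest_before": before, "shared_groups": shared, "honest_after": after}
```

After `run_attack()` the two records match the final state given above: the tag holds \(key'_{i+1}L\) and \(key''_{i}L\) where the database holds \(key_{i+1}L\) and \(key'_{i}L\), so no honest session succeeds; a \(\varPsi\) that bound all three fresh keys in one keyed computation, rather than XORing three independent terms, would not admit the term swap used here.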

7 Conclusion

In this paper we have shown some security pitfalls in the design of RIPTA-DA protocol. We present three attacks against the protocol. The main reason why we do not attempt to repair RIPTA-DA or design a new protocol is because we believe that it is simply not possible. We remark that it is worth investigating the design and performance aspects of RFID protocols by using standard ciphers such as PRESENT [2].

Footnotes

  1. We note that [3] does not clearly state that \(H(.)\) is a hash function. However, for other protocols discussed in this paper the authors have used this notation for a hash function, e.g. [3, p. 1951]. Therefore we take it that \(H\) denotes a hash function in the calculation of \(\mu \). It must be noted that the details of \(H(.)\) have no impact on the success probability of the attacks presented in this paper.

Acknowledgments

We would like to thank anonymous reviewers for useful comments.

References

  1. Bagheri, N., Safkhani, M., Peris-Lopez, P., Tapiador, J.E.: Weaknesses in a new ultralightweight RFID authentication protocol with permutation-RAPP. Secur. Commun. Networks (2013). doi:10.1002/sec.803
  2. Bogdanov, A., Knudsen, L.R., Leander, G., Paar, C., Poschmann, A., Robshaw, M., Seurin, Y., Vikkelsoe, C.: PRESENT: an ultra-lightweight block cipher. In: Paillier, P., Verbauwhede, I. (eds.) CHES 2007. LNCS, vol. 4727, pp. 450–466. Springer, Heidelberg (2007)
  3. Gao, L., Ma, M., Shu, Y., Wei, Y.: A security protocol resistant to intermittent position trace attacks and desynchronization attacks in RFID systems. Wirel. Pers. Commun. 68(4), 1943–1959 (2013)
  4. Hung-Yu, C.: SASI: a new ultralightweight RFID authentication protocol providing strong authentication and strong integrity. IEEE Trans. Dependable Secure Comput. 4(4), 337–340 (2007)
  5. Information technology – Radio frequency identification for item management – Part 6: parameters for air interface communications at 860 MHz to 960 MHz. http://www.iso.org (2005)
  6. Peris-Lopez, P., Hernandez-Castro, J.C., Tapiador, J.M.E., Ribagorda, A.: Advances in ultralightweight cryptography for low-cost RFID tags: gossamer protocol. In: Chung, K.-I., Sohn, K., Yung, M. (eds.) WISA 2008. LNCS, vol. 5379, pp. 56–68. Springer, Heidelberg (2008)
  7. Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: EMAP: an efficient mutual-authentication protocol for low-cost RFID tags. In: Meersman, R., Tari, Z., Herrero, P. (eds.) OTM 2006 Workshops. LNCS, vol. 4277, pp. 352–361. Springer, Heidelberg (2006)
  8. Peris-Lopez, P., Hernandez-Castro, J.C., Estevez-Tapiador, J.M., Ribagorda, A.: RFID specification revisited. In: The Internet of Things: From RFID to the Next-Generation Pervasive Networked Systems, pp. 311–346. Taylor & Francis, Bristol (2008)
  9. Qian, Z., Chen, C., You, I., Lu, S.: ACSP: a novel security protocol against counting attack for UHF RFID systems. Comput. Math. Appl. 63(2), 492–500 (2012)
  10. Safkhani, M., Peris-Lopez, P., Bagheri, N., Naderi, M., Hernandez-Castro, J.C.: On the security of Tan et al. serverless RFID authentication and search protocols. In: Hoepman, J.-H., Verbauwhede, I. (eds.) RFIDSec 2012. LNCS, vol. 7739, pp. 1–19. Springer, Heidelberg (2013)
  11. Sun, H.-M., Ting, W.-C.: A Gen2-based RFID authentication protocol for security and privacy. IEEE Trans. Mob. Comput. 8(8), 1052–1062 (2009)
  12. Tan, C.C., Sheng, B., Li, Q.: Secure and serverless RFID authentication and search protocols. IEEE Trans. Wireless Commun. 7(4), 1400–1407 (2008)
  13. Tian, Y., Chen, G., Li, J.: A new ultralightweight RFID authentication protocol with permutation. IEEE Commun. Lett. 16(5), 702–705 (2012)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Nasour Bagheri (1)
  • Praveen Gauravaram (2)
  • Masoumeh Safkhani (3)
  • Somitra Kumar Sanadhya (4)
  1. Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran
  2. Innovation Labs Hyderabad, Tata Consultancy Services Limited, Hyderabad, India
  3. Electrical Engineering Department, Iran University of Science and Technology, Tehran, Iran
  4. Indraprastha Institute of Information Technology, Delhi, India
