1 An Ultra-lightweight Authentication Protocol in RFID
Speaker: 魏家惠
2 Outline
Introduction
–Environment Definition
–Authentication Analysis
Related Work
–First paper
–Important paper between 2006 ~ 2009
–Recent paper 2009
–Security Analysis
Comments
3 Environment Definition
Chien's four classes in RFID
–Full-fledged
  Symmetric encryption
  Public key algorithms
–Simple
  Random number generator
  One-way hashing function
–Lightweight
  Random number generator
  Cyclic Redundancy Code checksum
–Ultralightweight
  XOR, AND, OR, Rot
4 Authentication Analysis
Tag Identification
Mutual Authentication
Index-Pseudonym Updating
Key Updating
–Mutual authentication
–Data integrity
–Tag anonymity
–Tracking
–Data confidentiality
–Forward security
–Replay attack
–Man-in-the-middle attack
–De-synchronization attack
5 First paper (M²AP scheme)
[2006] M²AP: A Minimalist Mutual Authentication Protocol for Low-cost RFID Tags, In: LNCS, vol Springer. pp ,2006.
Reader / Tags
ID, IDS, K1, K2, K3
1. hello
2. IDS
3. A ∥ B ∥ C
4. D ∥ E
A = IDS ⊕ K1 ⊕ n1
B = (IDS ∧ K2) ∨ n1
C = IDS + K3 + n2
D = (IDS ∨ K4) ∧ n2
E = (IDS + ID) ⊕ n1
6 Second paper (LMAP scheme)
[2006] LMAP: A Real Lightweight Mutual Authentication Protocol for Low-cost RFID tags, in Proceedings of the 2nd Workshop on RFID Security,
Reader / Tags
(ID, IDS, K1, K2, K3) next, (ID, IDS, K1, K2, K3) old
1. hello
2. IDS
3. A ∥ B ∥ C
4. D
(ID, IDS, K1, K2, K3) next, (ID, IDS, K1, K2, K3) old
LMAP:
A = IDS ⊕ K1 ⊕ n1
B = (IDS ∨ K2) + n1
C = IDS + K3 + n2
D = (IDS + ID) ⊕ n1 ⊕ n2
M²AP:
A = IDS ⊕ K1 ⊕ n1
B = (IDS ∧ K2) ∨ n1
C = IDS + K3 + n2
D = (IDS ∨ K4) ∧ n2
E = (IDS + ID) ⊕ n1
7 Security analysis of LMAP and M²AP (Li and Wang's Scheme)
[2007] Security Analysis of Two Ultra lightweight RFID Authentication Protocol, International Federation for Information Processing, Vol. 232, pp ,
Vulnerabilities of LMAP and M²AP
–De-synchronization
  Changing message C
–Full-disclosure
Reader / Tags
1. hello
2. IDS
3. A ∥ B ∥ C′
4. D′
A = IDS ⊕ K1 ⊕ n1
B = (IDS ∨ K2) + n1
C = IDS + K3 + n2′
D = (IDS + ID) ⊕ n1 ⊕ n2′
C = (IDS + K3) + n2
D = (IDS + ID) ⊕ n1 ⊕ n2
C − IDS − K3 = (IDS + ID) ⊕ n1 ⊕ D   (1)
C_new = (IDS + K3) + n2_new
D_new = (IDS + ID) ⊕ n1 ⊕ n2_new
C_new − IDS − K3 = (IDS + ID) ⊕ n1 ⊕ D_new   (2)
(1) − (2): C_new − C = (IDS + ID) ⊕ n1 ⊕ D_new − (IDS + ID) ⊕ n1 ⊕ D
x ⊕ a = x ⊕ b + c mod bits/4=24
(2^24 − 1) times
8 Countermeasures of Li and Wang's Scheme (cont.)
Countermeasures
–Sending D′ (to solve full-disclosure attack)
  The tag always sends a message to fool the attacker.
  If the reader is authenticated, it sends D = (IDS + ID) ⊕ n1 ⊕ n2; otherwise, it sends D′ = (IDS + ID) ⊕ n2
–Storing status (to solve incomplete protocol)
  The reader and the tag keep the status and the random numbers of the protocol
  A status bit S=0 → the protocol is completed (synchronized)
  A status bit S=1 → the protocol is uncompleted (desynchronized)
  After that, n1 and n2 can be updated
9 Security analysis of Li and Wang's scheme
[2007] Security of ultra-lightweight RFID authentication protocols and its improvements, ACM SIGOPS Operating Systems Review, Vol.41 Issue 4,
Vulnerabilities of Li and Wang's attacks
–Sending D′ (to solve full-disclosure attack)
  Modify phase 3:
  A successful authentication gets the response D = (IDS + ID) ⊕ n1 ⊕ n2
  Next, send A′ ∥ B ∥ C: authentication will fail, with the response D′ = (IDS + ID) ⊕ n2
  D′ ⊕ D gives n1
A ∥ B ∥ C: D = (IDS + ID) ⊕ n1 ⊕ n2
A′ ∥ B ∥ C: D′ = (IDS + ID) ⊕ n2
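The two weaknesses named on slides 7 and 9 (message C is accepted unchecked, and the decoy D′ cancels against D), shown as an added Python example that is not code from the slides or the cited papers. It assumes 96-bit words (slide 10 indexes bits 0..95) and uses constructed random secrets; the function names are hypothetical.

```python
import secrets

BITS = 96                       # assumed width: slide 10 indexes bits 0..95
MASK = (1 << BITS) - 1

def reader_messages(ids, k1, k2, k3, n1, n2):
    """LMAP reader messages A, B, C as defined on the slides."""
    a = ids ^ k1 ^ n1
    b = ((ids | k2) + n1) & MASK
    c = (ids + k3 + n2) & MASK
    return a, b, c

def tag_respond(tag, a, b, c):
    """Tag with the Li-Wang decoy. Returns (reader_ok, response, n2_seen)."""
    ids, base = tag["IDS"], (tag["IDS"] + tag["ID"]) & MASK
    n1 = a ^ ids ^ tag["K1"]                          # n1 recovered from A
    ok = b == (((ids | tag["K2"]) + n1) & MASK)       # B is the only check
    n2 = (c - ids - tag["K3"]) & MASK                 # C is taken on trust
    response = base ^ n1 ^ n2 if ok else base ^ n2    # D if ok, decoy D' if not
    return ok, response, n2

def demo():
    # Constructed secrets and nonces, not values from any real tag.
    tag = {f: secrets.randbits(BITS) for f in ("ID", "IDS", "K1", "K2", "K3")}
    n1, n2 = secrets.randbits(BITS), secrets.randbits(BITS)
    a, b, c = reader_messages(tag["IDS"], tag["K1"], tag["K2"], tag["K3"], n1, n2)

    ok, d, _ = tag_respond(tag, a, b, c)                       # A || B || C
    ok_a, d_decoy, _ = tag_respond(tag, a ^ 1, b, c)           # A' || B || C
    ok_c, _, n2_tag = tag_respond(tag, a, b, (c + 1) & MASK)   # A || B || C'

    return {
        "honest_run_accepted": ok,
        "altered_A_rejected": not ok_a,
        "D_xor_decoy_equals_n1": (d ^ d_decoy) == n1,   # slide 9: D' xor D gives n1
        "altered_C_accepted": ok_c,                     # slide 7: C is unchecked
        "tag_n2_differs_from_reader": n2_tag != n2,     # the two sides now disagree
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Every entry in the returned dictionary is true: a response that differs between the accepted and rejected case only by n1 hands n1 to a passive observer, and a nonce carried in a message with no integrity check lets the two sides end the run with different n2 values.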
10 Security analysis of Li and Wang's attacks (cont.)
Countermeasures
–Sending D′ (to solve full-disclosure attack)
  The tag extracts the values (n1, n1′, n2) from A ∥ B ∥ C
  The output value shift(n1, n1′) ⊕ shift(n1′, n2) is a random value
  D = (IDS + ID) ⊕ shift(n1, n1′) ⊕ shift(n1′, n2)
–Full-disclosure
  Modify phase 5: (1) set n1_new = 0. (2) set C1_new = C_new + 1
  n2[1]=0, n2 = 000…00, n2 ⊕ (n2+1) = 000…01
  n2[1]=1, n2 = 00…01…1, n2 ⊕ (n2+1) = 000…01…1
  The attacker can determine i ∈ [0,95], i+1 < ( )
A = IDS ⊕ K1 ⊕ n1
B = (IDS ∨ K2) + n1
C = IDS + K3 + n2
D = (IDS + ID) ⊕ n1 ⊕ n2
A_new = IDS ⊕ K1
B_new = IDS ∨ K2
D_new = (IDS + ID) ⊕ n2
D1_new = (IDS + ID) ⊕ (n2 + 1)
D_new ⊕ D1_new = (n2 + 1) ⊕ n2
11 Important paper
[2007] SASI: A New Ultra-lightweight RFID Authentication protocol providing strong authentication and strong integrity, IEEE Transactions on Dependable and Secure Computing 4(4), pp , October,
Reader / Tags
ID, IDS, K1, K2, K3
1. hello
2. IDS
3. A ∥ B ∥ C
4. D
12 Cryptanalysis of SASI
[2008] Cryptanalysis of a New Ultralightweight RFID Authentication Protocol-SASI, IEEE Transactions on Dependable and Secure Computing, Vol. 6, No. 4, pp ,
bits: fixed value "E0"
8 bits: IC manufacturer's code (MSB)
48 bits: unique serial number assigned by the manufacturer (LSB)
13 Security analysis of SASI (cont.)
[2009] On the Security of Chien's Ultra-Lightweight RFID Authentication Protocol, IEEE Transactions on Dependable and Secure Computing, pp.1-3,
Reader / Tags
1. hello
2. IDS
3. A′ ∥ B′ ∥ C′
4. D
ID, IDS_1, K1_1, K2_1, K3_1
ID, IDS_3, K1_3, K2_3, K3_3
A′ ∥ B′ ∥ C′
Attacker
ID, IDS_1, K1_1, K2_1, K3_1
ID, IDS_2, K1_2, K2_2, K3_2
1st round / 2nd round / Normal
ID, IDS_1, K1_1, K2_1, K3_1
ID, IDS_3, K1_3, K2_3, K3_3
ID, IDS_0, K1_0, K2_0, K3_0
ID, IDS_1, K1_1, K2_1, K3_1
ID, IDS_0, K1_0, K2_0, K3_0
ID, IDS_1, K1_1, K2_1, K3_1
ID, IDS_0, K1_0, K2_0, K3_0
ID, IDS_1, K1_1, K2_1, K
A″ ∥ B″ ∥ C″
3rd round
1. hello
2. IDS_1
3. A′ ∥ B′ ∥ C′
4. D′
ID, IDS_1, K1_1, K2_1, K3_1
ID, IDS_3, K1_3, K2_3, K3_3
ID, IDS_1, K1_1, K2_1, K3_1
ID, IDS_2, K1_2, K2_2, K3_2
Attacker
14 Recent paper
[2009] An Ultra Light Authentication Protocol Resistant to Passive Attacks under the Gen-2 Specification, Journal of Information Science and Engineering 25(1), pp.33-57,
–Assumption: the backward and forward channels can be passively eavesdropped by an attacker.
–Man-in-the-middle and other active attacks are not feasible
15 Comments
[2009] On the Security of Chien's Ultra-Lightweight RFID Authentication Protocol, IEEE Transactions on Dependable and Secure Computing, pp.1-3,
–The 3rd round is not authenticated by the reader
–Because the reader generates a new n2, it is not equal to B′ and C′
[2009] An Ultra Light Authentication Protocol Resistant to Passive Attacks under the Gen-2 Specification, Journal of Information Science and Engineering 25(1):33-57,
–Cryptanalysis of ULAP is the same as LMAP
16 Thank you