This Article 
   
 Share 
   
 Bibliographic References 
   
 Add to: 
 
Digg
Furl
Spurl
Blink
Simpy
Google
Del.icio.us
Y!MyWeb
 
 Search 
   
Cryptanalysis of a New Ultralightweight RFID Authentication Protocol—SASI
October-December 2009 (vol. 6 no. 4)
pp. 316-320
Raphael C.-W. Phan, Loughborough University, Loughborough
Since RFID tags are ubiquitous and at times even oblivious to the human user, all modern RFID protocols are designed to resist tracking so that the location privacy of the human RFID user is not violated. Another design criterion for RFIDs is the low computational effort required for tags, in view that most tags are passive devices that derive power from an RFID reader's signals. Along this vein, a class of ultralightweight RFID authentication protocols has been designed, which uses only the most basic bitwise and arithmetic operations like exclusive-OR, OR, addition, rotation, and so forth. In this paper, we analyze the security of the SASI protocol, a recently proposed ultralightweight RFID protocol with better claimed security than earlier protocols. We show that SASI does not achieve resistance to tracking, which is one of its design objectives.

[1] “Albertsons Announces Mandate,” RFID J., http://www.rfidjournal.com/article/articleview/ 819/11/, Mar. 2004.
[2] G. Avoine, Adversarial Model for Radio Frequency Identification, Cryptology ePrint Archive, report 2005/049, IACR ePrint Archive, http://eprint. iacr.org/2005049, Feb. 2005.
[3] M. Bellare, D. Pointcheval, and P. Rogaway, “Authenticated Key Exchange Secure against Dictionary Attacks,” Proc. Int'l Conf. Theory and Application of Cryptographic Techniques (EUROCRYPT '00), pp. 139-155, 2000.
[4] D. Carluccio, K. Lemke, and C. Paar, “E-Passport: The Global Traceability or How to Feel Like a UPS Package,” Proc. Seventh Int'l Workshop Information Security Applications (WISA '07), pp. 391-404, 2007.
[5] CASPIAN, Boycott Benetton, http:/www.boycottbenetton.com, 2007.
[6] H.-Y. Chien, “SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity,” IEEE Trans. Dependable and Secure Computing, vol. 4, no. 4, pp. 337-340, Oct.-Dec. 2007.
[7] H.-Y. Chien and C.-W. Huang, “Security of Ultra-Lightweight RFID Authentication Protocols and Its Improvements,” ACM Operating System Rev., vol. 41, no. 2, pp. 83-86, 2007.
[8] T.S. Heydt-Benjamin, D.V. Bailey, K. Fu, A. Juels, and T. O'Hare, “Vulnerabilities in First-Generation RFID-Enabled Credit Cards,” Proc. 11th Int'l Conf. Financial Cryptography and Data Security (FC '07), pp. 2-14, 2007.
[9] J.-H. Hoepman, E. Hubbers, B. Jacobs, M. Oostdijk, and R.W. Schreur, “Crossing Borders: Security and Privacy Issues of the European e-Passport,” Proc. First Int'l Workshop Security (IWSEC '06), pp.152-167, 2006.
[10] A. Juels, D. Molnar, and D. Wagner, “Security and Privacy Issues in E-Passports,” Proc. First IEEE Conf. Security and Privacy for Emerging Areas in Comm. Networks (SecureComm '05), http://eprint.iacr.org/2005095, last revised Sept. 2007, pp. 74-88, 2005.
[11] A. Juels and S.A. Weis, “Defining Strong Privacy for RFID,” Proc. Fifth Ann. IEEE Int'l Conf. Pervasive Computing and Comm. (PerCom'07), http://eprint.iacr.org/2006137, pp. 342-347, Mar. 2007.
[12] E. Kosta, M. Meints, M. Hensen, and M. Gasson, “An Analysis of Security and Privacy Issues Relating to RFID Enabled ePassports,” Proc. 22nd IFIP TC-11 Int'l Information Security Conf. (IFIP SEC '07), vol. 232, pp. 467-472, 2007.
[13] T.V. Le, M. Burmester, and B. de Medeiros, “Universally Composable and Forward-Secure RFID Authentication and Authenticated Key Exchange,” Proc. ACM Symp. Information, Computer and Comm. Security (ASIACCS '07), http://eprint.iacr.org/2007051, pp. 242-252, 2007.
[14] T. Li and R.H. Deng, “Vulnerability Analysis of EMAP—An Efficient RFID Mutual Authentication Protocol,” Proc. Second Int'l Conf. Availability, Reliability and Security (AReS '07), pp. 238-245, 2007.
[15] T. Li and G. Wang, “Security Analysis of Two Ultra-Lightweight RFID Authentication Protocols,” Proc. 22nd IFIP TC-11 Int'l Information Security Conf. (IFIP SEC '07), vol. 232, pp. 109-120, 2007.
[16] T. Li, G. Wang, and R.H. Deng, “Security Analysis on a Family of Ultra-Lightweight RFID Authentication Protocols,” J. Software, vol. 3, no. 3, pp. 1-10, 2008.
[17] “Michelin Embeds RFID Tags in Tires,” RFID J., http://www.rfidjournal. com/article/articleview/ 269/11/, Jan. 2003.
[18] “Mitsubishi Electric Asia Switches on RFID,” RFID J., http://www.rfidjournal.com/article/articleview 2644/, Sept. 2006.
[19] J. Monnerat, S. Vaudenay, and M. Vuagnoux, “About Machine-Readable Travel Documents: Privacy Enhancement Using (Weakly) Non-Transferable Data Authentication,” Proc. Third Workshop RFID Security (RFIDSec'07), pp. 15-28, 2007.
[20] M. Naor and M. Yung, “Public-Key Cryptosystems Provably Secure against Chosen Ciphertext Attacks,” Proc. ACM Symp. Theory of Computing (STOC '90), pp. 427-437, 1990.
[21] K. Ouafi and R.C.-W. Phan, “Privacy of Recent RFID Authentication Protocols,” Proc. Fourth Information Security Practice and Experience Conf. (ISPEC '08), pp. 263-277, 2008.
[22] K. Ouafi and R.C.-W. Phan, “Traceable Privacy of Recent Provably-Secure RFID Protocols,” Proc. Sixth Int'l Conf. Applied Cryptography and Network Security (ACNS '08), pp. 479-489, 2008.
[23] R.I. Paise and S. Vaudenay, “Mutual Authentication in RFID,” Proc. ACM Symp. Information, Computer and Comm. Security (ASIACCS '08), pp. 292-299, 2008.
[24] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A. Ribagorda, “LMAP: A Real Lightweight Mutual Authentication Protocolfor Low-Cost RFID Tags,” Proc. Second Workshop RFID Security (RFIDSec'06), July 2006.
[25] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A. Ribagorda, “EMAP: A Efficient Mutual Authentication Protocol for Low-Cost RFID Tags,” Proc. OTM Information Security Workshop (IS '06), pp.352-361, 2006.
[26] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A. Ribagorda, “${\rm M}^{2}{\rm AP}$ : A Minimalist Mutual-Authentication Protocol for Low-Cost RFID Tags,” Proc. Third Int'l Conf. Ubiquitous Intelligence and Computing (UIC '06), pp. 912-923, 2006.
[27] R.C.-W. Phan, K.-K.R. Choo, and S.-H. Heng, “Security of a Leakage-Resilient Protocol for Key Establishment and Mutual Authentication,” Proc. Int'l Conf. Provable Security (ProvSec '07), pp. 169-177, 2007.
[28] R.C.-W. Phan and B.-M. Goi, “Cryptanalysis of the N-Party Encrypted Diffie-Hellman Key Exchange Using Different Passwords,” Proc. Fourth Int'l Conf. Applied Cryptography and Network Security (ACNS '06), pp.226-238, 2006.
[29] R.C.-W. Phan and B.-M. Goi, “Cryptanalysis of Two Provably Secure Cross-Realm C2C-PAKE Protocols,” Proc. Seventh Int'l Conf. Cryptology in India (Indocrypt '06), pp. 104-117, 2006.
[30] C. Rackoff and D. Simon, “Non-interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack,” Proc. 11th Ann. Int'l Cryptology Conf. (CRYPTO '91), pp. 433-444, 1991.
[31] “Target, Wal-Mart Share EPC Data,” RFID J., http://www.rfidjournal. com/article/articleview/ 642/11/, Oct. 2005.
[32] S. Vaudenay, “RFID Privacy Based on Public-Key Cryptography,” Proc. Ninth Ann. Int'l Conf. Information Security and Cryptology (ICISC '06), pp. 1-6, 2006.
[33] S. Vaudenay, “On Privacy Models for RFID,” Proc. 13th Ann. Int'l Conf. Theory and Application of Cryptology and Information Security (Asiacrypt '07), pp. 68-87, 2007.
[34] A. Westin, Privacy and Freedom. Atheneum, 1967.

Index Terms:
Security of cryptographic protocols, pervasive and embedded computing, RFID, authentication, ultralightweight, cryptanalysis, traceability, SASI.
Citation:
Raphael C.-W. Phan, "Cryptanalysis of a New Ultralightweight RFID Authentication Protocol—SASI," IEEE Transactions on Dependable and Secure Computing, vol. 6, no. 4, pp. 316-320, Oct.-Dec. 2009, doi:10.1109/TDSC.2008.33
Usage of this product signifies your acceptance of the Terms of Use.