Subscribe
Issue No.04 - July/August (2011 vol.8)
pp: 548-563
Paolo D'Arco , Università degli Studi di Salerno, Fisciano
Alfredo De Santis , Università degli Studi di Salerno, Fisciano
ABSTRACT
A recent research trend, motivated by the massive deployment of RFID technology, looks at cryptographic protocols for securing communication between entities in which some of the parties have very limited computing capabilities. In this paper, we focus our attention on SASI, a new RFID authentication protocol, designed for providing Strong Authentication and Strong Integrity. SASI is a good representative of a family of RFID authentication protocols, referred to as Ultralightweight RFID authentication protocols. These protocols, suitable for passive Tags with limited computational power and storage, involve simple bitwise operations such as and, or, exclusive or, modular addition, and cyclic shift operations. They are efficient, fit the hardware constraints, and can be seen as an example of the above research trend. However, the main concern is the real security of these protocols, which are often supported only by apparently reasonable and intuitive arguments. The contribution we provide with this work is the following: we start by showing some weaknesses in the SASI protocol, and then, we describe how such weaknesses, through a sequence of simple steps, can be used to compute in an efficient way all secret data used for the authentication process. Specifically, we describe three attacks: 1) a desynchronization attack, through which an adversary can break the synchronization between the RFID Reader and the Tag; 2) an identity disclosure attack, through which an adversary can compute the identity of the Tag; and 3) a full disclosure attack, which enables an adversary to retrieve all secret data stored in the Tag. Then, we present some experimental results, obtained by running several tests on an implementation of the protocol, in order to evaluate the performance of the proposed attacks, which confirm that the attacks are effective and efficient. It comes out that an active adversary by interacting with a Tag more or less three hundred times, makes the authentication protocol completely useless. Finally, we close the paper with some observations. The cryptoanalysis of SASI gets some new light on the ultralightweight approach, and can also serve as a warning to researchers working on the field and tempted to apply these techniques. Indeed, the results of this work, rise serious questions regarding the limits of the ultralightweight family of protocols, and on the benefits of these ad hoc protocol design strategies and informal security analysis.
INDEX TERMS
RFID technology, cryptographic protocols, cryptoanalysis.
CITATION
Paolo D'Arco, Alfredo De Santis, "On Ultralightweight RFID Authentication Protocols", IEEE Transactions on Dependable and Secure Computing, vol.8, no. 4, pp. 548-563, July/August 2011, doi:10.1109/TDSC.2010.75
REFERENCES
 [1] G. Avoine, “Adversarial Model for Radio Frequency Identification,” Cryptology ePrint Archive, Report 2005/049, http://eprint.iacr.org/2005049, 2005. [2] G. Avoine, “Bibliography on Security and Privacy in RFID Systems,” Massachusetts Inst. of Technology, Cambridge, Massachusetts, http://lasecwww.epfl.ch/~gavoinerfid/, June 2007. [3] E. Biham and A. Shamir, “Differential Cryptanalysis of DES-Like Cryptosystems,” Proc. Ann. Int'l Cryptology Conf. Advances in Cryptology (CRYPTO '90), pp. 2-21, 1990. [4] M. Burmester, T. van Le, and B. de Medeiros, “Provably Secure Ubiquitous Systems: Universally Composable RFID Authentication Protocols,” Proc. Securecomm and Workshops (SECCOMM '06), pp. 1-9, 2006. [5] T. Cao, E. Bertino, and H. Li, “Security Analysis of the SASI Protocol,” IEEE Trans. Dependable and Secure Computing, vol. 6, no. 1, pp. 73-77, Jan.-Mar. 2009. [6] H. Chien, “SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity,” IEEE Trans. Dependable and Secure Computing, vol. 4, no. 4, pp. 337-340, Oct.-Dec. 2007. [7] H. Chien and C. Hwang, “Security of Ultra-Lightweight RFID Authentication Protocols and Its Improvements,” ACM SIGOPS Operating Systems Rev., vol. 41, no. 4, pp. 83-86, July 2007. [8] I. Damgård and M. Østergaard, “RFID Security: Tradeoffs between Security and Efficiency,” Proc. RSA Conf., pp. 318-332, 2008. [9] J.-H. Ha, S.-J. Moon, J. Zhou, and J.-C. Ha, “A New Formal Proof Model for RFID Location Privacy,” Proc. 13th European Symp. Research in Computer Security (ESORICS '08), pp. 267-281, 2008. [10] N.J. Hopper and M. Blum, “Secure Human Identification Protocols,” Proc. Int'l Conf. Theory and Application of Cryptology and Information Security: Advances in Cryptology (ASIACRYPT '01), pp. 52-66, 2001. [11] H. Gilbert, M.J.B. Robshaw, and Y. Seurin, “$HB^{\#}$ : Increasing the Security and Efficiency of $HB+$ ,” Proc. EUROCRYPT '08, pp. 361-378, 2008. [12] H. Gilbert, M.J.B. Robshaw, and Y. Seurin, “Good Variants of $HB+$ Are Hard to Find,” Proc. Financial Cryptography '08, pp. 156-170, 2008. [13] H. Gilbert, M.J.B. Robshaw, and H. Sibert, “An Active Attack against $HB+$ a Provably Secure Lightweight Authentication Protocol,” Electronics Letters, vol. 41, no. 21, pp. 1169-1170, 2005. [14] J.C. Hernandez-Castro, J.M.E. Tapiador, P. Peris-Lopez, and J.-J. Quisquater, “Cryptanalysis of the SASI Ultralightweight RFID Authentication Protocol,” Proc. Int'l Workshop on Coding and Cryptography (WCC '09), May 2009. [15] A. Juels, “The Vision of Secure RFID,” Proc. IEEE, vol. 95, no. 8, pp. 1507-1508, Aug. 2007. [16] A. Juels, R. Pappu, and S. Garfinkel, “RFID Privacy: An Overview of Problems and Proposed Solutions,” IEEE Security and Privacy, vol. 3, no. 3, pp. 34-43, May/June 2005. [17] A. Juels and S. Weiss, “Authenticating Pervasive Devices with Human Protocols,” Proc. CRYPTO '05, pp. 293-308, 2005. [18] A. Juels and S.A. Weis, “Defining Strong Privacy for RFID,” Cryptology ePrint Archive, Report 2006/137, http://eprint.iacr. org/2006137, 2006. [19] T. Li and R. Deng, “Vulnerability Analysis of EMAP-An Efficient RFID Mutual Authentication Protocol,” Proc. Second Int'l Conf. Availability, Reliability and Security, pp. 238-245, 2007. [20] T. Li and G. Wang, “Security Analysis of Two Ultra-Lightweight RFID Authentication Protocols,” Proc. 22nd Int'l Federation for Information Processing (IFIP SEC '07), May 2007. [21] P. Peris-Lopez, J.C. Hernandez-Castro, J.M.E. Tapiador, and A. Ribagorda, “Advances in Ultralightweight Cryptography for Low-Cost RFID Tags: Gossamer Protocol,” Proc. Int'l Symp. Web Information Systems and Applications (WISA '08), pp. 56-68, 2008. [22] C. Yu Ng and W. Susilo, Y. Mu, and R. Safavi-Naini, “RFID Privacy Models Revisited,” Proc. European Symp. Research in Computer Security: Computer Security (ESORICS '08), pp. 251-256, 2008. [23] K. Ouafi, R. Overbeck, and S. Vaudenay, “On the Security of $HB^{\#}$ against a Man-in-the-Middle Attack,” Proc. Int'l Conf. Theory and Application of Cryptology and Information Security: Advances in Cryptology (ASIACRYPT '08), pp. 108-124, 2008. [24] K. Ouafi and S. Vaudenay, “Smashing SQUASH-0,” Proc. Ann. Int'l Conf. Theory and Applications of Cryptographic Techniques: Advances in Cryptology (EUROCRYPT '09), pp. 300-312, 2009. [25] R. Paise and S. Vaudenay, “Mutual Authentication in RFID: Security and Privacy,” Proc. ACM Symp. Information, Computer and Comm. Security (ASIACCS '08), pp. 292-299, 2008. [26] R.C.-W. Phan, “Cryptanalysis of a New Ultralightweight RFID Authentication Protocol—SASI,” IEEE Trans. Dependable and Secure Computing, vol. 6, no. 4, pp. 316-320, Oct.-Dec. 2009. [27] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A. Ribagorda, “LMAP: A Real Lightweight Mutual Authentication Protocol for Low-Cost RFID Tags,” Proc. Second Workshop RFID Security, July 2006. [28] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A. Ribagorda, “EMAP: An Efficient Mutual-Authentication Protocol for Low-Cost RFID Tags,” Proc. OTM '06 Workshop, pp. 352-361, 2006. [29] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A. Ribagorda, “$M^{2}AP$ : A Minimalist Mutual-Authentication Protocol for Low-Cost RFID Tags,” Proc. Ubiquitous Intelligence and Computing, pp. 912-923, 2006. [30] H. Sun, W. Ting, and K. Wang, “On the Security of Chien's Ultralightweight RFID Authentication Protocol,” eprint archieve, Report 83, Feb. 2008. [31] A. Shamir, “SQUASHA New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tags,” Proc. Fast Software Encryption (FSE '08), pp. 144-157, 2008. [32] S. Vaudenay, “On Privacy Models for RFID,” Proc. Advances in Cryptology (ASIACRYPT '07), pp. 68-87, 2007.