Attacks and Improvements to an RFID Mutual Authentication Protocol
and its Extensions
Shaoying Cai1 Yingjiu Li1
Tieyan Li2 Robert H. Deng1
1Singapore Management University2Institute for Infocomm Research (I2R)
March 16-18, 2009, Zurich, Switzerland
Second ACM Conference on Wireless Network Security (WiSec ‘09)
OverallRFID Authentication Protocol for Low-Cost Tags B. Song and C. J. Mitchell (WiSec 08)
RFID Tag Ownership TransferB. Song (RFIDsec 08)
Tag impersonation attack
Server impersonation attack
De-synchronization attack
Song-Mitchell Protocol
Song’s Secret Update Protocol
Outline
• RFID Background
• Attacks and Improvements to
the Song–Mitchell Protocol
• Attacks and Improvements to
the Song’s Secret Update Protocol
• Conclusions
Radio Frequency Identification System
Components: Tag, Reader, Back-end database Characteristics: Wireless connection ( tag reader ) Limited capability of the tags
100 meters
Tag Reader
Attacker
Attacker Model: Active attacker
Backend Server
Privacy and Security Concerns of Mutual Authentication Protocol
• Tag information privacy• Tag location privacy• Resistance to server\tag impersonation attack• Resistance to replay attack• Resistance to de-synchronization attack• Forward and backward security
Privacy Concerns of Ownership Transfer
• New owner privacy
• Old owner privacy
• Authorization recovery
Song-Mitchell Mutual Authentication Protocol
ti = h(si)
Implicit tag authentication
Identification
Server authenticatio
nUpdate
Update
Server Impersonation Attackr1
M1 , M2
M3
M1 , M3
r1’
M1’, M2’
M3’
Em, you are valid.I’m
server
L1R3L1R3
R1L3R1L3
]'[M][M][M]'[M
]'[M][M][M]'[M
Result ?
Result of Server Impersonation Attack
r1
M1 , M2
TiSearch database,
Search…
Search….
But,
[(si,ti)new, (si,ti)old]
Server [t’]
Who are
you?
It’s me, Ti….I was
changed by Attacker.
Tag Impersonation Attack
r1
’M1’, M2’
r1
M1, M2
M3
Yeah, you are Ti.
I’m serve
r'M M
rr 'MM
22
11
'11
I’m tag Ti
Ti
Result ?
Vulnerability Analysis
baba :
>> :
S >> l/2 = [S]R || [S]L
Modified Song-Mitchell Protocol
)||( 212 rrfM it
)||( 112 tMrfM t
srhM )2(3
)( 23 rhMsi
Song's secret update protocol
ti ti’
De-Synchronization Attack
r1 , M1, M2
r2’, M3’
Ti
r1 , M1’ , M2’
Update Ti’s secret
to ti’
Ti
L1R2L1R2
R1L2R1L2
l 1
]'[M][M][M]'[M
]'[M][M][M]'[M
1} {0, 'M
R
Updates to ti’’
Modified Tag Update Protocol
)'()(2 inewi thsM
)'(2 ii thMs
Conclusions Song-Mitchell mutual authentication protocol
Tag secret update protocol
Server impersonation attack
Tag impersonation attack
De-synchronization attack
Discussion
F denotes a computationally complex function such as hash and keyed hash, and k is an integer between 1 and 2N
• Performance
• Formal Proof
Will be given in our future work.
Q & A?