Weaknesses in New Ultralightweight RFID Authentication Protocol with Permutation RAPP

Transcription

1 1 Weaknesses in New Ultralightweight RFID Authentication Protocol with Permutation RAPP This article has beenbagheri, accepted formasoumeh inclusion in a future issue of this journal. Content is final Juan as presented, with the exception of pagination. Nasour Safkhani, Pedro Peris-Lopez, E. Tapiador IEEE COMMUNICATIONS LETTERS, ACCEPTED FOR PUBLICATION Abstract Tian et al. proposed a novel ultralightweight RFID mutual authentication protocol [4] that has recently been analyzed in [1], [], [5]. In this letter, we first propose a desynchronization that succeeds with probability almost 1, which improves upon the 0.5 given by the in [1]. We also show that the bad properties of the proposed 1. The computation the example. to disclose several Fig. function can be ofexploited bits of the tag s secret (rather than just one bit as in []), which increases the power of a traceability. Finally, Moreover, the Hamming weight of B, wt(b), is m(0 m we show how to extend the above to run a full l) and disclosure, which requires to eavesdrop less protocol bk1 = bk = = bkm = 1, runs than the described in [5] (i.e., 19 << 30 ). b =b = = b = 0, km+1 km+ kl Index Terms RFID, Authentication, Attacks. where 1 k1 < k < < km l and 1 km+1 < km+ < < kl l. Then, the of A according I. I NTRODUCTION to B, denoted as P er(a, B), is Tian et al. recently proposed a based P er(a, B) = ak1 ak akm akl akl 1 akm+ akm+1. mutual authentication protocol called RAPP [4]. In this Example Given X =simple , Y = Then we scheme, tags only use three operations: bitwise have XOR, left rotation and a Pvery er(x,lightweight Y ) = Fig.. RAPP protocol. function P er( ), defined as: Fig. 1 shows the computation. th Definition: Let (X )i denote the i bit of X, x = Fig. 1. Messages exchanged in RAPP [4]. Permutation can be computed effectively on passive tags. In (x)1 k(x) k order k(x) (y)b), k k(y), where l and yp = 1 k(y) to compute er(a, twopointers, pa land pb, are set to L1. On the other hand, the probability distribution of the (x)i, (y)i to{0, 1} A and denotes concatenation. Assume string andkstring B respectively, indicating the index of number of rotated bits in Rot1 (X, Y ) is not uniform due to the strings. Firstly, pa and the most fact that thethe distribution wt(y ) two is unbalanced. too that (y) p B go = synchronously (y)km = from 1 and last the message), reader ofkeeps sets of But thethattuple k1 = (y)k = bit (msb) to the least significant bit (lsb). During of Rot Thus, the sole use of Rot1 (X, Y ) (X, x Y )xis uniform. x (y)km+1 =significant (y)km+ = = (y)kl = 0, where {IDS x, K, K3 } for x =protocol old (previous values) and 1,K the movement of the pointers, if the bit pointed by pb is 1, the is not proper inthe authentication because X is more 1 k1 <bitkpointed < by p< km be copied l and km+1 x =likely newto(updated into1the third string.<since be rotated values). by L bits than by 1 bit. In our case, the A will km+ < A and < kbl are ofl. the Then x based samethe length, pa and pb will reach lsb at Contributions: purpose is to changerapp the position lsb in the second of is ofclaimed to beinput resistant the same Then willfollows: change thepmovement. As a result, we decide to use Rot1 (, ) and just on y, denoted as Ptime. er(x, y),they is as er(x, y)direction = against common s, including desynchronization and back to msb simultaneously. During the return process, denote it by Rot(, ). (x)k1 (x)kand go (x) km (x)kl (x)kl 1 (x)km+1. traceability. In thisthree letter, we first propose a desynchroif the bit pointed by pb is 0, the bit pointed by pa will be RAPP involves entities: the tag, the reader and the The protocol sketched in Fig. To prevent copiedisinto the third string. The1. willdesyngo to an end back-end database. communication between the readerused nization that isthe independent of the mechanism chronizationwhen s if return the to adversary theis theto build pa and(e.g, pb both msb and theblocks third string and thethe back-end database assumed to be secure since of messages and ishas a success probability computation result. both the reader and the back-end database can use traditional almost 1, which improves a 75% the success probability Nasour Bagheri is with the remarks Department Electrical Engineering, There are two that of should be noticed in the use of cryptographic primitives to protect the communication. On [1]. Secondly, we the introduce Shahid Rajaee. Teachers Training Tehran,ofIran. One isuniversity, the invariability Hamming weight. of It the the previous other hand,known the channel between the reader and tag Masoumeh Safkhani withwt(p the Department Electrical Engineeris obviousisthat er(a, B)) =ofwt(a). Hence, the permuis wireless and vulnerable to all thethepossible due of a traceability that exploits weak s properties ing, Tehran, Iran. tation can not be used alone as it will reveal the information to theour fact that the is tagmuch has limited to protect the one P er( ). moreresources powerful than the Pedro Peris-Lopez and Juan E. So Tapiador with COSEC Lab, takes of Hamming weight. in our are protocol, transmitted data. Each tag has an L-bit unique identity ID and described in [], since we disclose several bits of the ID Universidad Carlos III de Madrid, Spain. random numbers as input and the result is always XORed shares the four elements {IDS, K, K, K } with the back1 with other values. The other remark is about the value of the second input of. Suppose that B and B are two strings that only differ in lsb. Then the following equation holds: P er(a, B) = P er(a, B ). This means that lsb of B doesn t influence the output. Although A is not revealed, this is a weakness that can be exploited by the adversary to flip lsb of B and pass the verification. Therefore, in our protocol, we add rotation operation to shift lsb in the second input of. There are two kinds of rotation operations, denoted by Rot1 (X, Y ) and Rot (X, Y ). Rot1 (X, Y ) is defined to left rotate X by wt(y ) bits. Rot (X, Y ) left rotates X by Y (mod L) bits, where L is the bit length of X. Except that Y is composed of all 0s or 1s, X will always be rotated by certain bits in the result of Rot1 (X, Y ). However, the result 3 end database. IDS is the pseudonym of the tag and K1, K, K3 are the secret keys. IDS, K1, K and K3 are all Lbits and will be updated at the end of a successful protocol run. In order to resist de-synchronization s, the back-end database keeps {IDS old, K1old, Kold, K3old } for the old values and {IDS new, K1new, Knew, K3new } for the new values as an entry of each tag. Fig. illustrates the specification of the protocol. The details of the messages exchanged are presented below. 1. The reader sends a Hello message to the tag to initiate a protocol session.. Upon receiving the reader s query, the tag transmits IDS to the reader. 3. After receiving IDS, the reader uses it as an index to

2 instead of just one. The can be extended to disclose the whole ID (as in [5]) at the expense of requiring various protocol runs. II. DESYNCHRONIZATION ATTACK ON RAPP In this, the adversary misleads both the tag and the reader to update their common values to different values. The is based on the observation that the two random numbers used in the protocol are both generated by the reader. In a first step, the adversary A eavesdrops one protocol run between the reader R i and the tag T i, stores the exchanged values, and blocks D and E to prevent T i from updating its internal secret. Note that the captured values are: A = P er(k, K 1) n 1, B = P er(k 1 K, Rot(n 1, n 1)) P er(n 1, K 1), C = P er(n 1 K 1, n 1 K 3) ID, D = P er(k 3, K ) n and E = P er(k 3, Rot(n, n )) P er(n 1, K 3 K ). After that, A waits until a legitimate reader initiates a new session with T i. In this session R i sends A = P er(k, K 1 ) n 1 and B = P er(k 1 K, Rot(n 1, n 1)) P er(n 1, K 1 ) to T i and T i sends C = P er(n 1 K 1, n 1 K 3 ) ID to R i. In response, R i computes D = P er(k 3, K ) n and E = P er(k 3, Rot(n, n )) P er(n 1, K 3 K ) and sends D and E to T i, which are both blocked by A. Thus, the tag does not execute the updating mechanism but the reader does it. In particular, R i gets: IDS old = IDS, K1 old = K 1, K old = K, K3 old = K 3, IDS new = P er(ids, n 1 n ) K 1 K K 3, K1 new = P er(k 1, n 1) K, K new = P er(k, n ) K 1, K3 new = P er(k 3, n 1 n ) IDS. whereas T i does not update its internal values and these remain as {IDS, K 1, K, K 3 }. Finally, A supplants a legitimate R i by replying old values. A sends Hello message to T i and T i replies with its pseudonym IDS. Then, A sends A and B (captured in the first step) to T i. Then T i extracts n 1 from A, verifies B, and sends C to R i (i.e., to A). Upon receiving C, A replies with the values D and E eavesdropped in step 1. Finally, T i extracts n from D, verifies E, and updates its secrets: IDS = P er(ids, n 1 n ) K 1 K K 3, K1 = P er(k 1, n 1) K, K = P er(k, n ) K 1, K3 = P er(k 3, n 1 n ) IDS, IDS = IDS, K 1 = K1, K = K,K 3 = K1. Thus, given that n 1, n 1, n and n are chosen randomly, by the end of the the reader keeps two records for the tag, none of which match the values stored in the tag (see Table I for details). Note that the success probability for this is 1 l, where l is the bit length of the random numbers. For instance, for l = 96 as in [], the success probability is almost 1. III. TRACEABILITY ATTACK ON RAPP In RAPP, a desynchronized tag never updates its IDS. Therefore, such a constant value can be used to carry out a straightforward traceability. We next describe a different based on the uniqueness of ID and some weak properties of the function P er( ): Observation 1: P er(x, y) = (P ) 1... (P ) l is not a perfect. More precisely, (x) 1 will be assigned to either (P ) 1 or (P ) l ; (x) will be assigned to either (P ) 1, (P ), (P ) l 1 or (P ) l ; and so on. Observation : Given the location of (x) i in P er(x, y), there are only two possible choices for the location of (x) i+1 ; Observation 3: Given y 1, y,..., y i and P j = P er(x, y j ), for j i, if (y 1 ) 1 = (y ) 1 =... = (y i ) 1, either (P 1 ) 1 = (P ) 1 =... = (P i ) 1 or (P 1 ) l = (P ) l =... = (P i ) l. We next show how to obtain {(ID) l (i 1) (ID) i } l/ i=1. The adversary A eavesdrops t protocol runs, stores the exchanged values and blocks message C to abort the protocol. The values captured in the j th round are A j = P er(k, K 1 ) n j 1, Bj = P er(k 1 K, Rot(n j 1, nj 1 )) P er(nj 1, K 1), and C j = P er(n j 1 K 1, n j 1 K 3) ID. It is easy to see that A j A f = n j 1 nf 1 t. Hence, it is possible to determine whether (n j 1 ) m, for j, f (n f 1 ) m for 1 m l and group n 1 1,..., n t 1 into two groups, denoted by G1 and G, respectively, where any entry in a group holds the same value in its m th bit. Now, consider the case where G1 and G are grouped by the Least Significant Bit (LSB) of each entry. Then, for any n j 1, nf 1 G1 one can state that (nj 1 ) 1 = (n f 1 ) 1 and for n j 1 G1 and any nf 1 G we have (nj 1 ) 1 (n f 1 ) 1 = 1. A can also group the values of C based on how n 1 has been grouped. In addition, given that in each group the LSB of all n 1 s are the same, K 3 remains? =

3 3 TABLE I INTERNAL SECRET VALUES AFTER DESYNCHRONIZATION. Reader (database) Tag IDS old = IDS K old 1 = K 1; K old = K ; K old 3 = K 3 IDS new = P er(ids, n 1 n ) K 1 K K 3 IDS new = P er(ids, n 1 n ) K1 K K3 Knew 1 = P er(k 1, n 1) K K new 1 = P er(k 1, n 1 ) K; Knew = P er(k, n ) K1 Knew = P er(k, n ) K 1 K new 3 = P er(k 3, n 1 n ) IDS Knew 3 = P er(k 3, n 1 n ) IDS constant (non-updating condition by the blockage of C), and ID is fixed, then either LSB or, equivalently, the Most Significant Bit (MSB) of all Cs in that group must be the same. For instance, if for all C j G1 the LSBs are the same and for all C j G the MSBs are the same then A deduces that for any n j 1 G1, (nj 1 K 3) 1 = 1 and (C j ) 1 = (n j 1 ) 1 (K 1 ) 1 (ID) 1 and for any n j 1 G, (n j 1 K 3) 1 = 0 and (C j ) l = (n j 1 ) 1 (K 1 ) 1 (ID) l In this case, it is easy to deduce that for any C j G1 and any C f G, (C j ) 1 (C f ) l = 1 (ID) 1 (ID) l. Otherwise, for all C j G1 the MSBs are the same and for all C j G the LSBs are the same, then A deduces that for any n j 1 G1, (nj 1 K 3) 1 = 0 and (C j ) l = (n j 1 ) 1 (K 1 ) 1 (ID) l and for any n j 1 G, (nj 1 K 3 ) 1 = 1 and (C j ) 1 = (n j 1 ) 1 (K 1 ) 1 (ID) 1. In this case, for any C j G1 and any C f G, we have (C j ) l (C f ) 1 = 1 (ID) l (ID) 1. Therefore, in both of the above cases, A reveals one bit of information about the ID (in particular, the XOR of two of its bits), which remains unchanged during all the tag s life. Given the location of (n j 1 ) 1 (K 1 ) 1 for C j G1, e.g., (C j ) 1, there are two possible locations for (n j 1 ) (K 1 ) in C j, e.g., (C j ) or (C j ) l. Following the given procedure, we can group the values of n 1 and C in G1 based on the second bits of n 1 s and determine (ID) (ID) l. This process can be repeated to retrieve (ID) 1 (ID) l 1 based on the grouping of the n 1 s and Cs in G. These new information increases the adversary s probability of tracing the tag. The adversary fails to determine the correct value of ID 1 ID l if all (n j ) 1, for j t, has the same value, which occurs with a probability of t, or for any C j G1 and C j G we have (C j ) 1 = (C j ) l, which happens with a probability of G1 G = t, where G1 and G denotes the cardinality of G1 and G respectively. Hence, the the total success probability is (1 t ). We note here that formal traceability models (e.g., [3]) require the disclosure of just one bit. Nevertheless, more bits are needed to trace a constelation of tags. Our facilitates this at the expense of requiring several protocol runs. For instance, if the er wants to disclose 3 bits, the success probability is approximately ( (1 t ) ( 1 t/) ). For example, for t = 8 the success probability is 0.77, which is greater than 0.5. For the given, the complexity increments exponentially with the number of bits recovered. However, a more efficient disclosure is possible, as described next. IV. DISCLOSURE ATTACK From Section III, we can generally state that to determine (n j 1 ) f (K 3 ) f, given the location of (n j 1 ) f 1 (K 1 ) f 1, there are two possible locations for (n j 1 ) f (K 1 ) f, i.e., m for (n j 1 K 3) f = 0 and n for (n j 1 K 3 ) f = 1. An adversary A can calculate such m and n for all the stored records. Since t > l, there are at least t l collisions for those cases where (n j 1 ) f (K 3 ) f = 0 and also t l collisions for those where (n j 1 ) f (K 3 ) f = 1, with j t. Assume that for (n j 1 ) f (K 3 ) f = 1 and (n e 1) f (K 3 ) f = 1, (n j 1 ) f (K 1 ) f and (n e 1) f (K 1 ) f are grouped into (C j ) m and (C e ) m respectively. Then, for (n j 1 ) f = (n e 1) f we have (C j ) m = (C e ) m because (C j ) m = (n j 1 ) f (K 1 ) f (ID) m and (C e ) m = (n e 1) f (K 1 ) f (ID) m. This may be used to verify whether the assumption is correct or not. Thus, to determine (n j 1 ) f (K 3 ) f, given (n j 1 ) f 1 (K 3 ) f 1, A groups the records based on the f th bit of n 1 s, i.e., G1 and G, where all entries in each group hold the same value in that bit of n 1. Now, it is obvious that for any n j 1 G1 and n e 1 G1 one can state that (n j 1 ) f (K 3 ) f = (n e 1) f (K 3 ) f and (n j 1 ) f (K 1 ) f = (n e 1) f (K 1 ) f. (The same is applicable for entries in G). Next A guesses (n j 1 ) f (K 3 ) f = 1 for entries in G1 and checks its correctness by verifying the collision in the expected location of Cs, e.g., (n j 1 ) f = (n e 1) f and also the adversary expects to have (C j ) m = (C e ) m as previously

4 4 explained. If (n j 1 ) f (K 3 ) f = 1 passes the verification for G1, then (n j 1 ) f (K 3 ) f = 0 must pass the verification for entries in G. However, it is possible that a wrong guess for (n j 1 ) f (K 3 ) f passes all verifications, with a probability upper bounded by l t, where the probability of determining the correct value is 1 l t. Summarizing, the success probability of extracting a correct value for K 3 n j 1, and 1 j t, is ( 1 l t) l 1 l l t. For instance, if l = 64 and t = l, then it is By the end of the above process, for any n j 1 we have l equations of the form (K 3 n j 1 ) f, for f l. Moreover, for any bit of (C j ) we have (C j ) m = (n e 1) f (K 1 ) f (ID) m. These equations are not all linearly independent collided values to the same position in a group generate the same equation. Hence, assuming that there are n possible locations for (n 1 ) f (K 1 ) f s that are confirmed, A has n distinct equations of the form (n j 1 ) f (K 1 ) f (ID) m1,..., (n j 1 ) f (K 1 ) f (ID) m+n, where 1 m 1 <... < m n l. For instance, if A determines (K 3 n j 1 ), she has the following information: {(n j 1 ) 1 (K 1 ) 1 (ID) 1, (n j 1 ) 1 (K 1 ) 1 (ID) l, (n j 1 ) (K 1 ) (ID) 1, (n j 1 ) (K 1 ) (ID), (n j 1 ) (K 1 ) (ID) l, (n j 1 ) (K 1 ) (ID) l 1 }. The above equations can be used to compute {(n j 1 ) 1 (K 1 ) 1 (n j 1 ) (K 1 ), (n j 1 ) 1 (K 1 ) 1 (ID), (n j 1 ) 1 (K 1 ) 1 (ID) l 1 }. Therefore, when A discloses (K 3 n j 1 ) l, she is expected to have enough information to reveal (n e 1 K 1 ) f (ID) m for any given e t and f, m l. The adversary can also retrieve K 1 as follows. If we assume that (K 1 ) 1 = 1 then (A j ) 1 = (K ) 1 (n j 1 ) 1. On the other hand, A already knows the value of (n j 1 ) 1 (K 3 ) 1. So it can determine (K ) 1 (K 3 ) 1 which should be the same for all j t. If all the values are equal then the guess is correct, with a probability of 1 t, and (K 1 ) 1 = 1; otherwise (K 1 ) 1 = 0. In addition, A discloses another bit of information of the form (K ) 1 (n 1 ) 1 or (K ) 1 (n 1 ) l. Next, for m l, given the location of (K ) m 1 in A j, there are two possible locations for (K ) m, i.e., e for (K 1 ) = 1 and f for (K 1 ) = 0 respectively. Assuming (K 1 ) m = 1 then (A j ) e = (K ) m (n j e). On the other hand, A already knows the value of (n j 1 ) e (K 3 ) e, so she can determine (K ) m (K 3 ) e too, which should be the same for all 1 j t when the guessed value for (K 1 ) m is correct. If all the values are equal, then the guess is correct with a probability of 1 t, and (K 1 ) m = 1; otherwise (K 1 ) = 0. This process can be repeated to retrieve all bits in K 1 and auxiliary equations can also be deduced (K ) 3 (K 3 ) e3,..., (K ) l (K 3 ) el, where e j {1,..., l}. The success probability of extracting a correct value for K 1 is (1 t ) l 1 l t. In the next step, the adversary combines the records of the form (n e 1 K 1 ) f (ID) m, for any given e t, f l and f l, and K 1 to determine the following information: {(n 1 1) 1 (n 1 1), (n 1 1) 1 (n 1 1),..., (n 1 1) 1 (n 1 1) l, (n 1 1) 1 (ID) 1,..., (n 1 1) 1 (ID) 1 }. Then A guesses (n 1 1) 1. Given (n 1 1) 1 A can determine (n 1 1),..., (n 1 1) l (i.e., she discloses all bits in n j 1 ) and ID from the above equations. Given that A knows K 3 n 1 l, she can easily get K 3 now. Then, from the auxiliary equations (K ) 1 (K 3 ) e1,..., (K ) l (K 3 ) el, A discloses K too. Finally, A uses the stored B j s to verify the correctness of the guessed value for (n 1 1) 1. If any B j does not pass the verification, then A should flip its guess for (n 1 1) 1 and repeat the process to determine n j 1 s, ID, K and K 3. Finally, A reveals all secrets. Assuming that the adversary has eavesdropped t ( sessions, ) the success probability of the given is 1 l t l (1 t ) l (1 l l t ) (1 l t ). For example, for l = 96 and t = l (which is much less than t = 30 eavesdropped sessions required in [5]), then the success probability is almost 1. V. CONCLUSIONS We have described desynchronization, traceability, and disclosure s against RAPP more powerful than those previously published. RAPP s major contribution is its function, which is clearly insufficient. While the traceability and disclosure s depend on the and might be fixed by proposing a stronger, our desynchronization works for any, showing that RAPP has major flaws that cannot be fixed just by replacing the. REFERENCES [1] Z. Ahmadian, M. Salmasizadeh, and M. R. Aref. Desynchronization on RAPP ultralightweight authentication protocol. Cryptology eprint Archive, Report 01/490, 01. [] G. Avoine and X. Carpent. Yet another ultralightweight authentication protocol that is broken. In Workshop on RFID Security RFIDSec 1, Nijmegen, Netherlands, June 01. [3] R. C.-W. Phan. Cryptanalysis of a new ultralightweight RFID authentication protocol - sasi. IEEE Transactions on Dependable and Secure Computing, 6(4):316 30, 009.

5 [4] Y. Tian, G. Chen, and J. Li. A new ultralightweight RFID authentication protocol with. IEEE Communications Letters, 16(5):70 705, 01. [5] S.-H. Wang, Z. Han, S. Liu, and D.-W. Chen. Security analysis of RAPP an rfid authentication protocol based on. Cryptology eprint Archive, Report 01/37, 01. 5