-
Security Flaws in a Recent Ultralightweight RFID Protocol
Authors:
Pedro Peris-Lopez,
Julio C. Hernandez-Castro,
J. M. E. Tapiador,
Jan C. A. van der Lubbe
Abstract:
In 2006, Peris-Lopez et al. [1, 2, 3] initiated the design of ultralightweight RFID protocols -with the UMAP family of protocols- involving only simple bitwise logical or arithmetic operations such as bitwise XOR, OR, AND, and addition. This combination of operations was revealed later to be insufficient for security. Then, Chien et al. proposed the SASI protocol [4] with the aim of offering bet…
▽ More
In 2006, Peris-Lopez et al. [1, 2, 3] initiated the design of ultralightweight RFID protocols -with the UMAP family of protocols- involving only simple bitwise logical or arithmetic operations such as bitwise XOR, OR, AND, and addition. This combination of operations was revealed later to be insufficient for security. Then, Chien et al. proposed the SASI protocol [4] with the aim of offering better security, by adding the bitwise rotation to the set of supported operations. The SASI protocol represented a milestone in the design of ultralightweight protocols, although certain attacks have been published against this scheme [5, 6, 7]. In 2008, a new protocol, named Gossamer [8], was proposed that can be considered a further development of both the UMAP family and SASI. Although no attacks have been published against Gossamer, Lee et al. [9] have recently published an alternative scheme that is highly reminiscent of SASI. In this paper, we show that Lee et al.'s scheme fails short of many of its security objectives, being vulnerable to several important attacks like traceability, full disclosure, cloning and desynchronization.
△ Less
Submitted 12 October, 2009;
originally announced October 2009.
-
Shedding Light on RFID Distance Bounding Protocols and Terrorist Fraud Attacks
Authors:
Pedro Peris-Lopez,
Julio C. Hernandez-Castro,
Christos Dimitrakakis,
Aikaterini Mitrokotsa,
Juan M. E. Tapiador
Abstract:
The vast majority of RFID authentication protocols assume the proximity between readers and tags due to the limited range of the radio channel. However, in real scenarios an intruder can be located between the prover (tag) and the verifier (reader) and trick this last one into thinking that the prover is in close proximity. This attack is generally known as a relay attack in which scope distance f…
▽ More
The vast majority of RFID authentication protocols assume the proximity between readers and tags due to the limited range of the radio channel. However, in real scenarios an intruder can be located between the prover (tag) and the verifier (reader) and trick this last one into thinking that the prover is in close proximity. This attack is generally known as a relay attack in which scope distance fraud, mafia fraud and terrorist attacks are included. Distance bounding protocols represent a promising countermeasure to hinder relay attacks. Several protocols have been proposed during the last years but vulnerabilities of major or minor relevance have been identified in most of them. In 2008, Kim et al. [1] proposed a new distance bounding protocol with the objective of being the best in terms of security, privacy, tag computational overhead and fault tolerance. In this paper, we analyze this protocol and we present a passive full disclosure attack, which allows an adversary to discover the long-term secret key of the tag. The presented attack is very relevant, since no security objectives are met in Kim et al.'s protocol. Then, design guidelines are introduced with the aim of facilitating protocol designers the stimulating task of designing secure and efficient schemes against relay attacks. Finally a new protocol, named Hitomi and inspired by [1], is designed conforming the guidelines proposed previously.
△ Less
Submitted 20 June, 2010; v1 submitted 25 June, 2009;
originally announced June 2009.
-
Cryptanalysis of the RSA-CEGD protocol
Authors:
Juan M. E. Tapiador,
Almudena Alcaide,
Julio C. Hernandez-Castro,
Arturo Ribagorda
Abstract:
Recently, Nenadić et al. (2004) proposed the RSA-CEGD protocol for certified delivery of e-goods. This is a relatively complex scheme based on verifiable and recoverable encrypted signatures (VRES) to guarantee properties such as strong fairness and non-repudiation, among others. In this paper, we demonstrate how this protocol cannot achieve fairness by presenting a severe attack and also pointi…
▽ More
Recently, Nenadić et al. (2004) proposed the RSA-CEGD protocol for certified delivery of e-goods. This is a relatively complex scheme based on verifiable and recoverable encrypted signatures (VRES) to guarantee properties such as strong fairness and non-repudiation, among others. In this paper, we demonstrate how this protocol cannot achieve fairness by presenting a severe attack and also pointing out some other weaknesses.
△ Less
Submitted 3 December, 2008;
originally announced December 2008.
-
Cryptanalysis of the SASI Ultralightweight RFID Authentication Protocol with Modular Rotations
Authors:
Julio C. Hernandez-Castro,
Juan M. E. Tapiador,
Pedro Peris-Lopez,
Jean-Jacques Quisquater
Abstract:
In this work we present the first passive attack over the SASI lightweight authentication protocol with modular rotations. This can be used to fully recover the secret $ID$ of the RFID tag, which is the value the protocol is designed to conceal. The attack is described initially for recovering $\lfloor log_2(96) \rfloor=6$ bits of the secret value $ID$, a result that by itself allows to mount tr…
▽ More
In this work we present the first passive attack over the SASI lightweight authentication protocol with modular rotations. This can be used to fully recover the secret $ID$ of the RFID tag, which is the value the protocol is designed to conceal. The attack is described initially for recovering $\lfloor log_2(96) \rfloor=6$ bits of the secret value $ID$, a result that by itself allows to mount traceability attacks on any given tag. However, the proposed scheme can be extended to obtain any amount of bits of the secret $ID$, provided a sufficiently large number of successful consecutive sessions are eavesdropped. We also present results on the attack's efficiency, and some ideas to secure this version of the SASI protocol.
△ Less
Submitted 26 November, 2008;
originally announced November 2008.
