Security Analysis of an EPC Class-1 Generation-2 Compliant RFID Authentication Protocol

Transcription

1 July 2016, Volume 3, Number 3 (pp ) Journal of Computng and Securty Securty Analyss of an EPC Class-1 Generaton-2 Complant RFID Authentcaton Protocol Feredoun Morad a,, Hamd Mala a, Behrouz Tork Ladan a, Farba Morad b a Faculty of Computer Engneerng, Unversty of Isfahan, Hezar Jerb Avenue, Isfahan , Iran. b Faculty of Computer Engneerng, Hamedan Unversty of Technology, Hamedan, Iran. A R T I C L E I N F O. Artcle hstory: Receved: 16 March 2016 Revsed: 04 December 2016 Accepted: 29 October 2017 Publshed Onlne: 10 February 2018 Keywords: RFID, EPC-C1G2 Standard, Mutual Authentcaton, Impersonaton, De-Synchronzaton. A B S T R A C T Desgn of secure authentcaton solutons for low-cost RFID tags s stll an open and qute challengng problem, though many protocols have been publshed n the last decade. In 2013, We and Zhang proposed a new lghtweght RFID authentcaton protocol that conforms to the EPC-C1G2 standard and clamed that the protocol would be mmune aganst all known attacks on RFID systems. In ths paper, we consder the securty of ths protocol and show that t cannot provde secure authentcaton for RFID users. An attacker, by followng our suggested approach, wll be able to mpersonate server/reader, and destroy synchronzaton between the back-end server and the tag. Fnally, we enhance ths protocol, and by usng formal and nformal securty analyss we show that the enhanced protocol strongly nhbts the securty flaws of ts predecessor. c 2016 JComSec. All rghts reserved. 1 Introducton Rado Frequency Identfcaton (RFID) s a promsng new technology that s wdely deployed for supply chan and nventory management, retal operatons and more generally, automatc dentfcaton. An RFID tag s small and low-cost, and a large number of RFID tags can be smultaneously recognzed wth rado frequency communcaton. Therefore, the RFID system s expected to replace the current barcode system. Generally, the advantage of RFID over barcode technology s that t does not requre drect lne of sght readng. Furthermore, compared wth barcode readers, RFID readers can nterrogate tags concurrently, faster and at greater dstances [1, 2]. Correspondng author. Emal addresses: feredoun.morad@eng.u.ac.r (F. Morad), h.mala@eng.u.ac.r (H. Mala), ladan@eng.u.ac.r(b. Tork Ladan), farba.mrd@gmal.com(f. Morad) ISSN: c 2016 JComSec. All rghts reserved. However, RFID system has two fatal securty rsks; the prvacy problem [1] and the forgery problem [2, 3]. These problems are results of hardware specfcatons of ths system, characterstcs of the tag nformaton, method used to transfer the nformaton from the tag to reader, and communcaton attrbutes. They can be easly solved f the proper cryptographc algorthms are appled durng communcaton between the tag and the reader [3, 4]. However, as a tag s small and low-cost, ts hardware resources are nadequate to mplement tradtonal cryptographc algorthms on RFID tags [1]. There are many researches amng to solve the prvacy and forgery problems wth RFID system characterstcs [5 7]. EPCglobal s an organzaton set up to acheve worldwde adopton and standardzaton of Electronc Product Code (EPC) technology. Currently, ts man focus s to both create a worldwde standard for RFID and to facltate usng the nternet to share data va the EPCglobal network. It has recently approved

2 164 Securty Analyss of an EPC Class-1 Generaton-2 Complant RFID... F. Morad, H. Mala, et al. the EPC Class 1 Gen 2 (EPC-C1G2) standard for RFID deployments [8]. Ths standard defnes the functonalty of a passve RFID tag, and supports basc relablty guarantees, provded by an on-chp 16-bt pseudo-random number generator (P RN G) and a 16-bt Cyclc Redundancy Code (CRC). Ths standard s desgned to strke a balance between cost and functonalty, wth less attenton pad to securty. The securty level of EPC-C1G2 standard s very weak. Amng to ncrease ths securty level, many proposals have been publshed [9 12]. However, almost all of them were soon followed by cryptanalyss attacks [13 16]. In ths paper, we show how We and Zhang s scheme [17] suffers the same fate as prevous proposals. We wll call ths protocol WZ-LRAP (We and Zhang s Lghtweght RFID Authentcaton Protocol). The rest of the paper s organzed as follows. The related works s revewed n Secton 2. We and Zhang s protocol s brefly descrbed n Secton 3. The propertes of CRC functons are studed n Secton 4. We present our attacks n Secton 5. In Secton 6, we propose a modfcaton to WZ-LRAP and ts securty s formally verfed usng BAN logc. Fnally, the paper s concluded n Secton 7. 2 Related Works In ths secton, we brefly revew some attempts to rase the securty level of authentcaton schemes related to EPC-C1G2 authentcaton protocols. In 2007, Chen et al. proposed an authentcaton soluton whch heavly reled on the abuse of CRC [18]. However, Pers-Lopez et al. showed that the protocol cannot resst to tag mpersonaton, de-synchronzaton attackng and locaton trackng [19]. Ths way, ther protocol not only s vulnerable to such attacks, but also does not provde tag prvacy. Duc et al. proposed an RFID authentcaton protocol n EPC platform [20]. The securty of Duc et al. s protocol s based on key synchronzaton between tags and back-end server. The last message of the protocol s comprsed of an EndSesson command, whch s sent to both tags and readers. Intercepton of one of these messages wll cause a synchronzaton loss between the tag and the server. Ths stuaton allows an attacker to trace back all past communcatons. Chen and Deng proposed a mutual authentcaton scheme by usng P RNG and CRC functons. Ther protocol tred to apply CRC as a cryptographc hash functon for message authentcaton [21]. However, Pers-Lopez et al. exploted the lnearty of CRC functon to show that the protocol fals to provde ts securty objectves [13]. Yeh et al. proposed an RFID mutual authentcaton protocol conformng to the EPC-C1G2 standard [9]. The nformaton transmtted between reader and back-end server may also be eavesdropped and ntercepted by the attacker n actual envronment. Thus, the protocol appled a one-way hash functon to guarantee the communcaton securty between reader and back-end server. However, t was ponted out that the protocol has data ntegrty problem and forward secrecy problem [22]. In 2012, Y et al. analyzed the securty of Chen s authentcaton protocol [18] and proposed an mproved desgn based on a set of clear securty requrements [11]. But, Safkhan et al. scrutnzed the protocol and showed a smple approach to de-synchronze protocol s partes. Moreover, they presented a tag and reader mpersonaton attack wth neglgble assocated computatonal requrements [14]. In 2015, Yu-Jehn studed Chen and Chen s protocol and proposed a new mutual authentcaton scheme for EPC-C1G2 RFID tags [23]. But, Yu-Jehn mssed these notes ncludng defnton of a new and randomzed quantty as a secret value and wpng the smlarty between the transmtted messages. Soon after n 2016, Ghaemmagham et al. [24] showed that the proposed protocol does not provde prvacy and the scheme s susceptble to traceablty attack. Then, n order to enhance the prvacy of the protocol, they presented an mproved verson to prevent the mentoned attack. In 2016, Abdolmalek et al. [25] cryptanalyzed an RFID mutual authentcaton scheme whch had been proposed by Xao et al. [26]. They frst presented four attacks aganst ths protocol ncludng secret parameters reveal, tag mpersonaton, backward traceablty and forward traceablty. Then, they proposed an effcent and secure RFID authentcaton protocol. In 2017, through applyng the Ouaf-Phan prvacy model [27] Abdolmalek et al. [28] revealed some weaknesses and presented varous traceablty attacks on the prvacy of three RFID authentcaton protocols proposed by Wang et al. [29], Safkhan et al. [30], and Sun-Zhong [31]. Abdolmalek et al. ponted out that these protocols suffer from two man problems of dependency between tag s responses and updatng procedure. Then, n order to overcome the exstng weaknesses of these protocols, they appled some modfcatons and proposed an mproved verson of each one. Eyad Taqeddn [32] provded a new nvestgaton of the mproper use of CRC functon for cryptographc purposes n RFID systems whch presents full

3 July 2016, Volume 3, Number 3 (pp ) 165 dsclosure attacks aganst Gao et al. scheme [33] and then offers suggestons for desgnng more secure protocols. 3 We and Zhang s Protocol In 2013, We and Zhang [17] proposed WZ-LRAP as an EPC-C1G2 authentcaton protocol. We wll outlne the WZ-LRAP n bref, whch conssts of two phases: the ntalzaton phase and the authentcaton phase. The defntons of notatons used by authors are shown n Table 1 and Fgure 1 depcts the protocol steps. Intalzaton Phase: For each tag T the back-end server randomly selects metaid, K 1, K 2. The back-end server mantans a record of (metaid old, Kold 2, metaid new, Knew 2 ). A Flag value s used to ndcate whether the old or the new secret parameters are used. The value K 1 s sent to the reader cache, and t s the same for all tags. Authentcaton Phase: The authentcaton between the tag (T ), the back-end server (S) and the reader (R) s descrbed as follows. (1) R T : Query, N r The reader generates a random number N r and sends a request message to the tag. (2) T R : M 1, N (N t [K 1 ] L) The tag T generates the random number N t, computes N = CRC([K 1 ] R N r ) N t and M 1 = [CRC(K 2 (N r N t )) CRC(K 2 N t)] metaid and sends the message M 1, N (N t [K 1 ] L) to the reader R. (3) R S : M 1, N t, N r After recevng the message by the reader, t decrypts N t [K 1] L to obtan N t, and computes the value N = CRC([K 1] R N r ) N t and checks whether N = N or not. If t holds, the reader transmts the message (M 1, N t, N r ) to the back-end server, otherwse the authentcaton process s stopped. (4) S R : M 2 The back-end server gets (M 1, N t, N r ), then teratvely pcks up an entry (metaid old, Kold 2, metaid new, Knew 2 ) from ts database, computes the value M 1 and checks whether t equals to the receved M 1 or not. The process s repeated untl a match s found n the database, thus mplyng a successful authentcaton of the tag. If no match s found, the authentcaton fals. The back-end server performs the followng steps at the same tme. If Flag=1, the match record s (metaid new, Knew 2 ). Then t computes M 2 = [CRC(Knew 2 N t) CRC(Knew 2 N r)] metaid new, and updates the secret parameters of tag T as follows: metaid old metaid new K 2 old K 2 new K 2 new P RNG(K 2 new) N t metaid new P RNG(metaID new ) CRC(metaID new ) N t N r If Flag=0, t does not change (metaid old, Kold 2 ), computes M 2 and updates (Knew 2, metaid new) of tag T. K 2 new P RNG(K 2 new) N t metaid new P RNG(metaID new ) CRC(metaID new ) N t N r Fnally, the back-end server sends the message M 2 to the reader. (5) R T : M 2 Upon recevng M 2, the tag verfes whether the equaton M 2 metaid = [CRC(K 2 N t) CRC(K 2 N r)] holds. If so, t updates K 2 and metaid. 4 Cyclc Redundancy Codes (CRCs) CRCs are error-detectng codes that check (non-malcous) errors caused by faults durng transmsson. They are addtve operators wth strong lnearty aspects (the modulo operator s homomorphc), and therefore ts use as a cryptographc tool s not approprate [34]. Defntons and Notatons. Let A be an m-bt strng n {0, 1} m, A = A m 1 A m 2... A 0. We defne A n as the m + n bt strng A resultng from left-shft of A by n-bts and nsertng n zeros from the rght [13, 35]. A 0 for 0 n 1 = for n n + m 1 A n Let B be an n-bt strng n {0, 1} n, where n m. We defne the exclusve-or operaton A B = B A as follows: A B for 0 n 1 (A B) = for n m 1 A

4 166 Securty Analyss of an EPC Class-1 Generaton-2 Complant RFID... F. Morad, H. Mala, et al. Table 1. Notatons Symbol Descrpton N r 16-bt random number generated by the reader. N t 16-bt random number generated by the tag. K 1 32-bt key shared by the reader and the tag. K 2 16-bt key shared by the tag and the back-end server. metaid 32-bt ID pseudonym shared by the tag and the back-end server. metaid old, Kold 2 The prevous values of metaid and K 2 before update. metaid new, Knew 2 The values of metaid and K2 after update. The btwse XOR operaton. The concatenaton operaton. B A Assgnng the value of A to B. [x] L/R The left/rght half part of the strng x. CRC() The Cyclc Redundancy Code (CRC) functon wth 16-bt output length. P RNG() The pseudo random number generator wth 16-bt output length. S R T ❶ Query, N r M, N 1, r N t ❸ 1 1 t L M, N (N [K ] ) ❷ ❹ M 2 ❺ M 2 Fgure 1. We and Zhang s Lghtweght RFID Authentcaton Protocol Due to the lnearty, CRCs have the followng propertes. Let A be any bt strng and B be n-bt strng. Then, as proved n [13, 35], CRC satsfes the followng propertes. CRC(A B) = CRC(A) CRC(B) (1) CRC(A B) = CRC(A n ) CRC(B) (2) We wll take advantage of these propertes for attackng WZ-LRAP. 5 Vulnerabltes of We and Zhang s Protocol In ths secton, we present concrete attacks to WZ-LRAP. We use the standard Dolev-Yao ntruder model [36], n whch the adversary controls the network. In ths model, the adversary can eavesdrop, block, modfy, and nject messages n any communcaton between reader and tag. However, the channel between back-end server and reader s assumed to be secure, whch can be guaranteed by usng full-fledged cryptographc technologes. 5.1 Server/Reader Impersonaton Attack We show that an actve adversary can mpersonate a legtmate server/reader to a tag n WZ-LRAP even when the adversary has no access to any of the tag s secrets. The detal of ths attack s gven below. In ths case we focus on message M 2, generated by the back-end server. The adversary should be able to generate ths message n order to mpersonate the legtmate server/reader. For the adversary, t s enough to lsten an teraton between a legtmate tag and the reader n order to explot ths vulnerablty.

5 July 2016, Volume 3, Number 3 (pp ) 167 (1) R T : Query, N r (2) T R : M 1, N (N t [K 1 ] L) (3) R S : M 1, N t, N r (4) S R : M 2 (5) R T : M 2 The adversary has to block or dsturb rado channel to obstruct the correct recepton of message 5. The objectve of ths s to prevent the legtmate tag from updatng ts K 2 and metaid. At ths moment, the adversary could supplant the back-end server wthout knowng ts prvate nformaton. It chooses the random number N r from prevous sesson, and sends t to the tag. The tag generates a random number N t and reples wth M 1, N (N t [K 1] L). Then, the adversary usng the eavesdropped values (N r, M 1, M 2 ), calculates a new value M 2 = [M 1] L CRC(N r ) [M 2 ] R, and sends t to the tag. Fnally, the tag accepts M 2 and authentcates the adversary. We now prove that the tag wll accept M 2 and the adversary wll mpersonate as a legtmate server/reader. The adversary knows the followng values, M 1 = [CRC(K 2 (N r N t)) CRC(K 2 N t)] metaid M 2 = [CRC(K 2 N t ) CRC(K 2 N r )] metaid Thus, by usng CRC propertes shown n prevous secton teratvely, the followng equatons hold. From property (2), we can observe that M 1 = [CRC(K 2 16) CRC (N r N t) CRC(K 2 16) CRC(N t)] metaid and, usng the property (1), t s easy to see M 1 = [CRC(K 2 16) CRC(N r ) CRC(N t) CRC(K 2 16) CRC(N t)] metaid. Furthermore, the followng result can be acheved by separatng the metaid nto two parts. M 1 = [CRC(K 2 16) CRC(N r ) CRC(N t) [metaid ] L CRC(K 2 16) CRC(N t) [metaid ] R ] In the same as above va the property (1) and (2), we can rewrte M 2 equaton as follows. M 2 = [CRC(K 2 16) CRC(N t ) [metaid ] L CRC(K 2 16) CRC(N r ) [metaid ] R ] Snce adversary knows N r, t can calculate CRC(N r ) by defnton of CRC. From ths value and followng equatons, [M 1] L = CRC(K 2 16) CRC(N r ) CRC(N t) [metaid ] L [M 1] R = CRC(K 2 16) CRC(N r ) [metaid ] R [M 2 ] L = CRC(K 2 16) CRC(N t ) [metaid ] L [M 2 ] R = CRC(K 2 16) CRC(N r ) [metaid ] R t can calculate M 2 = [M 1] L CRC(N r ) [M 2 ] R = [CRC(K 2 16) CRC(N t) [metaid ] L CRC(K 2 16) CRC(N r ) [metaid ] R ] = [CRC(K 2 N t) CRC(K 2 N r )] metaid whch s the exact value a legtmate server/reader was expected to send to the tag. Therefore, the adversary can successfully mpersonate the server/reader. 5.2 De-synchronzaton Attack We and Zhang propose that the back-end server mantans old and new values {metaid, K 2 } for each tag to defend aganst a de-synchronzaton. Ths assumpton allows the back-end server to authentcate tags and re-synchronze these tags each tme they suffer a de-synchronzaton. However, our mpersonaton attack descrbed n Secton 5.1. results n synchronzaton loss between the back-end server and the tag due to update of the secret nformaton of the tag. The adversary forces the tag to update ts secret value such that t does not match the value that back-end server has stored n ts database. The tag uses N t to update K 2 and metaid as follows. K 2 P RNG(K 2 ) N t metaid P RNG(metaID ) CRC(metaID ) N t N r Therefore, after the tag updates ts secret parameters, the updated values K 2 and metaid of the tag wll be dfferent to the correspondng parameters stored n the database of the back-end server. Thus, de-synchronzaton happens, and the tag and the back-end server wll not authentcate each other anymore. 6 Countermeasure for the Securty Vulnerabltes on WZ-LRAP We now descrbe a countermeasure for WZ-LRAP to overcome the flaws mentoned n the prevous sectons and other attacks n the context. The man weakness of the protocol s that the computatonal smlarty between M 1 = [CRC(K 2 (N r N t)) CRC(K 2 N t)] metaid and M 2 =

6 168 Securty Analyss of an EPC Class-1 Generaton-2 Complant RFID... F. Morad, H. Mala, et al. [CRC(K 2 N t) CRC(K 2 N r)] metaid gves the adversary an opportunty to forge a vald M 2 wthout knowng the secret values K 2 and metaid. The structure of messages should be altered n order to swtch the complexty over the reader and the back-end server whch s equpped wth stronger processors and also to provde quck and reasonable assurance of the ntegrty of messages delvered. CRC s an easly reversble functon, whch makes t unsutable for use n cryptographc operatons. Followng ths fact, we should try to reduce the number of calls to ths functon on the tag sde and change the constructon to protect secret values from revealng. To prevent the gven de-synchronzaton and server/reader mpersonaton attacks, we make some changes n generatng message M 1, that s generated by the tag. Frst, the structure of ths message s changed to apply P RNG functon n the places where the CRC functons are used. Ths alteraton elmnates the messages smlarty n authentcaton process but stll t s feasble for an adversary to mount exhaustve key search on ths constructon. Therefore, for nhbton of ths weakness we consder second operatonal change to supplant nner concatenaton operatons wth the exclusve-or. Manly, usng P RN G functon wth exclusve-or as ts nput operaton does not contradct wth each other. P RN G functon does not have lnearty propertes so t can be used as a one-way functon, therefore the followng defnton of M 1 can wpe out the aforementoned attacks. M 1 = [P RNG(K 2 N r ) P RNG(K 2 N t )] metaid 6.1 Securty Analyss Here, we present a detaled securty analyss of the proposed modfcatons to show that t meets resstance aganst the attacks presented n ths paper and the other known actve and passve attacks n the context. Our securty proof s carred out based on nformal method relyng on the heurstc opnons of securty experts and also the formal method relyng on the mathematcal rules to draw a concluson. Informal method manly reles on ntellgence of analyst. Snce the analyst may forget or gnore some ponts durng the analyss, so there s no way to understand f the analyss s complete or not. However, due to ts smplcty and lack of need for sophstcated tools, the nformal methods are wdely used n the protocol securty analyss. In the formal method, the target protocol and ts features are modeled based on algebra and logc. Several logc tools exst to prove the securty correctness of a cryptographc authentcaton protocol, for example, BAN logc [37], GNY logc [38], AVISPA tool [39], and ProVerf tool [40]. Furthermore, there are lmtatons n formalzng securty notons of cryptographc protocols whch are practcal and useful n real-lfe settng. For example, de-synchronzaton s needed for practcal sense for cryptographc protocols, whle we cannot easly formalze ths property. Thus, we combne these two nformal and formal methods to prove the securty correctness. In ths subsecton, frst we argue the securty mprovement through nformal method then we use BAN logc for modelng to prove the securty correctness of the revsed protocol. Resstance aganst Replay Attack. In the revsed scheme, the message M 1 lke other the authentcaton messages (.e. M 2, and N) s computed wth the random numbers, whch provdes freshness and resstance aganst replay attack. Resstance aganst Tag Impersonaton Attack. The resstance of WZ-LRAP aganst tag mpersonaton attack arses from ths fact that the tag s nformaton (metaid and K 2 ) s stored n the back-end server, whch s assumed to be secure, and ths assumpton that the communcaton channel between the back-end server and the reader s secure. Therefore, an adversary s not able to access the nformaton of a tag whch s stored n the back-end server. On the other hand, the adversary, who wants to mpersonate the vald tag, must be able to complete the authentcaton steps successfully. It needs to respond to the reader wth a vald M 1 whch s computed on the bass of the shared secret keys K 2 and metaid. Thus, t s not possble for the attacker to compute a vald M 1 wthout knowng secret values of K 2 and metaid. Resstance aganst Server/Reader Impersonaton Attack. In the revsed scheme, through message transformaton (P RN G generated message) such as M 1 or transmttng scrambled bts (XOR-ed) the revsed scheme data securty s acheved. In addton, M 1 and M 2 nvolve at least two secret values (metaid and K 2 ) that are well protected aganst eavesdroppers. Among the mutual communcaton perod, anonymty of the tags can be provded snce only transformed messages and vald random numbers are broadcasted. Hence, adversary cannot easly

7 July 2016, Volume 3, Number 3 (pp ) 169 mpersonate the server/reader. The best strategy for the adversary to mpersonate the server/reader could be sendng a random value to the tag. However, snce the tag has only one record of the secret parameter, the adversary s success probablty n each try s bounded by Resstance Aganst De-synchronzaton Attack. De-synchronzaton attack aganst WZ-LRAP happened after the adversary succeeded to mpose nvald random number on the tag for updatng parameters. Ths flaw s based on the lnear property of CRC functon whch s fxed by usng P RNG functon n usng M 1. Moreover, employment of a combned process orented mechansm (f lag = 0 or f lag = 1) n updatng the shared secret keys makes partes reman n synchronzed state even f the prevous sesson s not safely termnated. Ths desgn allows a tag wth non-synchronzed keys due to de-synchronzaton attack, to be stll authentcated by the back-end server and re-synchronze ts secret data wth the server database. Resstance Aganst Traceablty Attack. Traceablty attack aganst WZ-LRAP s accomplshed based on ths fact that an adversary can lnk two dfferent sessons of a tag. WZ-LRAP guarantees tag prvacy by refreshng the secret and the random number n tag for each sesson. Hence, adversary cannot easly trace a specfc tag snce there are no consstent clues revealed n each tag response. Furthermore, due to the freshness of random numbers N r and N t per sesson, our scheme can resst the replay attack. 6.2 Formal Logc Proof Followng, we use BAN logc to prove the securty correctness of the revsed scheme. We formally show that after one run of the protocol, the tag, the reader, and the server beleve the receved messages are from the expected sender, and these messages are fresh. Hence, they can be authentcated by each other properly. To prove the securty of a protocol formally wth BAN logc, the followng four steps should be followed [37]: a) The messages and the actons of the protocol partes should be represented by mathematcal relatons. b) The messages and the actons of the protocol partes should be converted nto BAN logc formulas and droppng the plan text messages from protocol messages. In ths step, the resultng protocol messages are called dealzed messages. c) The protocol ntal assumptons and securty goals should be explaned as BAN logc formulas. d) Fnally, the protocol securty goals should be deduced. In ths step, usng BAN logc rules, t s evaluated whether protocol securty goals are satsfed or not. We present only prncple rules and notatons n Table 2 whch are used n our proof. a) Expresson of the revsed scheme messages as mathematcal relatons. M1 : R T : Query, N r M2 : T R : [P RNG(K 2 N r ) P RNG(K 2 N t )] metaid, [CRC([K 1 ] R N r ) N t ] (N t [K 1 ] L )] M3 : R S : [P RNG(K 2 N r ) P RNG(K 2 N t )] metaid, N t, N r M4 : S R : [CRC(K 2 N t ) CRC(K 2 N r )] metaid M5 : R T : [CRC(K 2 N t ) CRC(K 2 N r )] metaid b) Messages dealzaton. In ths step, we transform each message nto an dealzed message, such as plantexts are omtted from protocol messages, and only encrypted message contents are relevant to ths step. We also use BAN logc notatons for representng these dealzed messages as follows. IM1 : R {{N r } K 2, {N t } K 2 } metaid IM2 : R {N t } [K 1 ] L IM3 : S {{N r } K 2, {N t } K 2 } metaid IM4 : T {N r, N t, K 2 } metaid c) Intal assumptons and securty goals. The explct assumptons of the revsed protocol are shown n the succeedng text. K 2 A1 : S T S A2 : T S K2 T A3 : T R K1 T K 1 A4 : R T R metaid A5 : S T S A6 : T S metaid T A7 : T #(N t ) A8 : R #(N r ) The assumptons A1 to A6 are related to secrets whch are shared between the protocol partes and the assumptons A7 and A8 are related to freshness of

8 170 Securty Analyss of an EPC Class-1 Generaton-2 Complant RFID... F. Morad, H. Mala, et al. Table 2. Prncples and Notatons Prncples and Notatons Meanng P MSG1 : P MSG1 : #(X) : P #(MSG1) : P receves MSG1 (possbly after dong some decrypton). P sends MSG1. X s fresh. P beleves the freshness of MSG1. {X} K : Message X s encrypted wth the key of K. P P K Q : P beleves the secret K s shared between P and Q. R1 : P P K Q, P {X} K P Q X R2 : P Q {X, Y } P Q {X} : The message meanng rule of BAN logc that means f P beleves that t shares a secret key K wth and f P receves a message X encrypted wth K, then P s enttled to beleve that Q once sad X. In ths paper we called ths rule R1. : Ths s one rule of BAN logc that means f P beleves Q has sent X, Y then P s enttled to beleve that Q has sent X. In ths paper we called ths rule R2. random numbers whch are generated by the reader and the tag respectvely. The goals of the proposed scheme are as below. G1 : S T N t G2 : T S N r In the above, G1 means that the server beleves the tag T has sent the random number N t. Ths goal shows that the adversary does not have any control on ths random number, whch was generated by the tag and sent through the reader to the server. Therefore, the adversary cannot apply any attack on the protocol that requres any change on the random number. G2 means that the tag beleves that N r, whch s generated by the reader, s transmtted to the tag wthout any modfcaton. In other words, at the end of the last step of ths protocol run, ths random number reach to the tag wthout any tamperng by the adversary. d) Goals deductons. In ths step, we combne dealzed messages and the assumptons to construct numerator expressons of BAN logc rules. If such relatons are corresponded to the numerator expressons of BAN logc rules, t can be concluded that the denomnator expressons of BAN logc rules are correct. We show these deductons as below. D1:IM3, A5, R1 S T {{N r } K 2, {N t } K 2 } D2:D1, R2 S T {N t } K 2 As the IM1 and IM3 show, the encrypted messages are delvered drectly to the server through the reader n the secure communcaton channel. Therefore, the fnal result of D2 s S {N t } K 2. D3:D2, A1, R1 S T N t It s obvous that D3 s equals to G1. Smlarly, we have followng deductons to reach G2. D4: IM4, A6, R1 T S {N r, N t, K 2 } D5:D4, R2 T S N r Fnally, t also deduced that D5 s equals to G2. Hence, the securty goals of the revsed scheme, are satsfed. 6.3 Performance Analyss The proposed modfcaton does not ncrease computatonal cost of the protocol extensvely whle t provdes much better securty. It has only one more exclusve-or operaton on the both sde because of reducng the number of concatenaton operaton. The only ncreased cost s two calls of P RNG functon nstead of CRC functon. Table 3 shows performance comparson between WZ-LRAP and revsed scheme n detal. Now, we analyze the effcency of our revsed scheme through comparng t wth Ghaemmagham et al. [24] and Abdolmalek et al. [25, 28] protocols whch are based on the same framework. They succeeded n omttng the vulnarablty of lkeness between the transmtted messages and removed drawbacks n the updatng procedure. As shown n Table 4, Ghaemmagham et al. [24] and Abdolmalek et al. [25, 28] protocols store 4n and 3n parameters n the tag memores. Our revsed scheme stores 3n parameters that s an effcent value n storage areas. It s also shown that our countermeasure mpacts the protocol to nvolve CRC besdes P RNG functon on the tag sde. On the pont of mplementaton, these functons can employ LFSR-based operatons n the same hardware.

9 July 2016, Volume 3, Number 3 (pp ) 171 Table 3. Performance Comparson Server/Tag of Protocols #P RNG # #CRC # #Transfered bts Server of WZ-LRAP 2 6n 5 7 n Server of Revsed Scheme 4 7n 3 5 n Tag of WZ-LRAP 2 8n 6 9 2n Tag of Revsed Scheme 4 9n 4 7 2n n denotes the bt length of parameters. Table 4. Comparson of Revsed Scheme Wth Smlar Ones Protocols Comp. of Tag Comp. of Server/Reader Storage of Tag Storage of Server/Reader Rounds of Communcaton [24] 6P 7P + 2H 4n 9n 5 [25] 7P 7P + 4H 4n 9n 5 [28] 6P 7P 3n 5n 3 Ths scheme 4P + 4CRC 4P + 3CRC 3n 4n 4 n denotes the bt length of parameters. H: Hash functon. P : P RNG functon. Indeed, the dea of usng lnear feedback shft regsters (LFSR) n the constructon of cost-effectve operatons for RFID tags s wdely suggested [41]. LFSR functons are fast and effcent n hardware mplementatons as well as smple n terms of computatonal requrements. Therefore, the man functons of the revsed scheme are able to execute LFSR-based functons n the same hardware and are sutable for RFID applcatons. The requred hardware complexty of low-cost tags s consdered by ts number of equvalent logc gates (GEs). Based on the measurements presented by [42, 43], the number of GEs for LFSR-based P RNG s about 453 because of mplementng polynomal selector and decodng logc modules. In addton, LFSR can be measured wth approxmately 73 GEs. LFSR along wth a few logc gates are used to obtan CRC. Ths scheme versus the smlar protocols holds four calls of CRC rather than P RNG. Hence, the energy consumpton for operatng functons of ths scheme s almost 1.5 tmes lower than other comparng protocols. In terms of communcaton rounds, our revson assures a secure performance wthout ncreasng rounds rather than WZ-LRAP scheme. In all mentoned protocols, three of these rounds are related to connecton between the reader and the tag, whle others are assocated to connecton between the reader and the back-end server. Reducng the computatonal cost of the tag s the goal for desgnng mproved authentcaton protocols. Therefore, ths scheme has low communcaton complexty and computatonal cost. 7 Conclusons In ths paper we nvestgated the securty of a lghtweght RFID authentcaton protocol complant wth EPC-C1G2 whch has been proposed by We and Zhang [17]. We proved that, n contrary to the desgners clam, ths protocol does not provde resstance aganst server/reader mpersonaton and de-synchronzaton attacks. We showed that the securty weaknesses are due to the abuse of the CRC ncluded n protocol and computatonal smlarty between transferred messages. In addton, we proposed a modfcaton of ths protocol to wthstand the attacks presented n ths paper. We also analyzed the securty propertes of the proposed protocol as well as ts effcency. The proposed scheme also was compared wth the orgnal WZ-LRAP and two other smlar protocols. References [1] Ar Juels. RFID securty and prvacy: a research survey. IEEE Journal on Selected Areas n Communcatons, 24(2): , do: /jsac URL do.org/ /jsac [2] Tassos Dmtrou. A lghtweght RFID protocol to protect aganst traceablty and clonng attacks.

10 172 Securty Analyss of an EPC Class-1 Generaton-2 Complant RFID... F. Morad, H. Mala, et al. In Securty and Prvacy for Emergng Areas n Communcatons Networks, SecureComm Frst Internatonal Conference on, pages IEEE, [3] Jeongkyu Yang, Jaemn Park, Hyunrok Lee, Ku Ren, and Kwangjo Km. Mutual authentcaton protocol. In Workshop on RFID and lghtweght crypto, [4] Sanjay E Sarma, Stephen A Wes, Danel W Engels, et al. RFID systems and securty and prvacy mplcatons. In CHES, volume 2, pages Sprnger, [5] Yung-Chn Chen, We-Ln Wang, and Mn-Shang Hwang. RFID authentcaton protocol for ant-counterfetng and prvacy protecton. In Advanced Communcaton Technology, The 9th Internatonal Conference on, volume 1, pages IEEE, [6] Y-C Lee, Y-C Hseh, P-S You, and T-C Chen. An mprovement on RFID authentcaton protocol wth prvacy protecton. In Convergence and Hybrd Informaton Technology, ICCIT 08. Thrd Internatonal Conference on, volume 2, pages IEEE, [7] Jung-Sk Cho, Sang-Soo Yeo, and Sung Kwon Km. An analyss of RFID tag authentcaton protocols usng secret value. In Future Generaton Communcaton and Networkng (FGCN 2007), volume 1, pages IEEE, [8] EPCglobal Ratfed Standard. EPC Rado Frequency Identty Protocols Class-1 Generaton-2 UHF RFID Protocol for Communcatons at 860MHz-960MHz Verson EPCglobal, US, [9] Eun-Jun Yoon. Improvement of the securng RFID systems conformng to EPC class 1 generaton 2 standard. Expert Systems wth Applcatons, 39(1): , [10] Tzu-Chang Yeh, Yan-Jun Wang, Tsa-Ch Kuo, and Sheng-Shh Wang. Securng rfd systems conformng to epc class 1 generaton 2 standard. Expert Systems wth Applcatons, 37 (12): , [11] Xaoluo Y, Langmn Wang, Dongme Mao, and Yongzhao Zhan. An gen2 based securty authentcaton protocol for RFID system. Physcs Proceda, 24: , [12] Jng Huey Khor, Wdad Ismal, Mohammed I Youns, MK Sulaman, and Mohammad Ghulam Rahman. Securty problems n an RFID system. Wreless Personal Communcatons, 59(1):17 26, [13] Pedro Pers-Lopez, Julo C Hernandez-Castro, Juan ME Tapador, and Jan CA Van der Lubbe. Cryptanalyss of an EPC class-1 generaton-2 standard complant authentcaton protocol. Engneerng Applcatons of Artfcal Intellgence, 24(6): , [14] Masoumeh Safkhan, Nasour Bagher, Pedro Pers-Lopez, Akatern Mtrokotsa, and Julo C Hernandez-Castro. Weaknesses n another gen2-based rfd authentcaton protocol. In RFID-Technologes and Applcatons (RFID-TA), 2012 IEEE Internatonal Conference on, pages IEEE, [15] Pablo Pcazo-Sanchez, Lara Ortz-Martn, Pedro Pers-Lopez, and Nasour Bagher. Weaknesses of fngerprnt-based mutual authentcaton protocol. Securty and Communcaton Networks, 8(12): , [16] Feredoun Morad, Hamd Mala, and Behrouz Tork Ladan. Securty analyss and strengthenng of an RFID lghtweght authentcaton protocol sutable for VANETs. Wreless Personal Communcatons, 83(4): , [17] Guoheng We and Huanguo Zhang. A lghtweght authentcaton protocol scheme for RFID securty. Wuhan Unversty Journal of Natural Scences, 18(6): , [18] Hung-Yu Chen and Che-Hao Chen. Mutual authentcaton protocol for RFID conformng to EPC Class 1 Generaton 2 standards. Computer Standards & Interfaces, 29(2): , [19] Pedro Pers-Lopez, Teyan L, Julo C Hernandez-Castro, and Juan ME Tapador. Practcal attacks on a mutual authentcaton scheme under the EPC Class-1 Generaton-2 standard. Computer Communcatons, 32(7): , [20] Dang Nguyen Duc, Hyunrok Lee, and Kwangjo Km. Enhancng securty of EPCglobal Gen-2 RFID aganst traceablty and clonng. Auto-ID Labs Informaton and Communcaton Unversty, Whte Paper, [21] Chn-Lng Chen and Yong-Yuan Deng. Conformaton of EPC Class 1 Generaton 2 standards RFID system wth mutual authentcaton and prvacy protecton. Engneerng Applcatons of Artfcal Intellgence, 22(8): , [22] Masoumeh Safkhan, Nasour Bagher, Somtra Kumar Sanadhya, and Majd Nader. Cryptanalyss of mproved Yeh et al. s authentcaton Protocol: An EPC Class-1 Generaton-2 standard complant protocol. IACR Cryptology eprnt Archve, 2011:426, [23] Yu-Chung Huang and Jehn-Ruey Jang. Ultralghtweght rfd reader-tag mutual authentcaton revsted. In Moble Servces (MS), 2015 IEEE Internatonal Conference on, pages IEEE, 2015.

11 July 2016, Volume 3, Number 3 (pp ) 173 [24] Seyed Salman Sajjad Ghaemmagham, Afrooz Haghbn, and Mahtab Mrmohsen. Traceablty mprovements of a new RFID protocol based on EPC C1 G2. The ISC Internatonal Journal of Informaton Securty, 8(2): , [25] Behzad Abdolmalek, Karm Baghery, Bahareh Akhbar, and Mohammad Reza Aref. Analyss of Xao et al. s authentcaton protocol conformng to EPC C1 G2 standard. In Telecommuncatons (IST), th Internatonal Symposum on, pages IEEE, [26] Feng Xao, Yajan Zhou, Jngxan Zhou, Honglang Zhu, and Xnxn Nu. Securty Protocol for RFID System Conformng to EPC-C1G2 Standard. JCP, 8(3): , [27] Khaled Ouaf and Raphael CW Phan. Prvacy of recent rfd authentcaton protocols. Lecture Notes n Computer Scence, 4991: , [28] Behzad Abdolmalek, Karm Baghery, Shahram Khazae, and Mohammad Reza Aref. Game-Based Prvacy Analyss of RFID Securty Schemes for Confdent Authentcaton n IoT. Wreless Personal Communcatons, 95(4): , [29] Shaohu Wang, Sujuan Lu, and Danwe Chen. Securty analyss and mprovement on two RFID authentcaton protocols. Wreless Personal Communcatons, 82(1):21 33, [30] Masoumeh Safkhan, Nasour Bagher, and Majd Nader. On the desgnng of a tamper resstant prescrpton rfd access control system. Journal of medcal systems, 36(6): , [31] Da-Zh Sun and J-Dong Zhong. A hash-based RFID securty protocol for strong prvacy protecton. IEEE Transactons on Consumer Electroncs, 58(4), [32] Eyad Taqeddn. On the Improper Use of CRC for Cryptographc Purposes n RFID Mutual Authentcaton Protocols. Internatonal Journal of Communcaton Networks and Informaton Securty, 9(2):230, [33] Ljun Gao, Maode Ma, Yanta Shu, and Yuhua We. An ultralghtweght RFID authentcaton protocol wth CRC and permutaton. Journal of Network and Computer Applcatons, 41:37 46, [34] B Westerbaan. Reversng CRC. Intrepd Blog, Posted Jul, 15, [35] Daewan Han and Daesung Kwon. Vulnerablty of an RFID authentcaton protocol conformng to EPC Class 1 Generaton 2 Standards. Computer Standards & Interfaces, 31(4): , [36] Danny Dolev and Andrew Yao. On the securty of publc key protocols. IEEE Transactons on nformaton theory, 29(2): , [37] Mchael Burrows, Martín Abad, and Roger M. Needham. A Logc of Authentcaton. ACM Trans. Comput. Syst., 8(1):18 36, do: / [38] L Gong, Roger Needham, and Raphael Yahalom. Reasonng about belef n cryptographc protocols. In Research n Securty and Prvacy, Proceedngs., 1990 IEEE Computer Socety Symposum on, pages IEEE, [39] AVISPA. avspa tool. Avalable from, 1th November URL org. [40] Bruno Blanchet and Avk Chaudhur. Automated formal analyss of a protocol for secure fle sharng on untrusted storage. In Securty and Prvacy, SP IEEE Symposum on, pages IEEE, [41] Peng-yu Cu. An Improved Ownershp Transfer and Mutual Authentcaton for Lghtweght RFID Protocols. IJ Network Securty, 18(6): , [42] Jageng Chen, Atsuko Myaj, Hroyuk Sato, and Chunhua Su. Improved lghtweght pseudo-random number generators for the low-cost rfd tags. In Trustcom/BgDataSE/ISPA, 2015 IEEE, volume 1, pages IEEE, [43] Joan Melà-Seguí, Joaqun Garca-Alfaro, and Jord Herrera-Joancomartí. Multple-polynomal LFSR based pseudorandom number generator for EPC Gen2 RFID tags. In IECON th Annual Conference on IEEE Industral Electroncs Socety, pages IEEE, 2011.

12 174 Securty Analyss of an EPC Class-1 Generaton-2 Complant RFID... F. Morad, H. Mala, et al. Feredoun Morad receved hs B.Sc. degree n Informaton Technology from Payame Noor Unversty of Hamedan n 2012 and he receved the M.Sc. degree n Informaton Securty at Unversty of Isfahan n Hs man research nterests nclude lghtweght cryptography and cryptanalyss, RFID securty, RFID authentcaton protocols, IoT securty and Data Center Infrastructure Management. Hamd Mala receved hs B.Sc., M.Sc. and Ph.D. degrees n Electrcal Engneerng from Isfahan Unversty of Technology (IUT) n 2003, 2006 and 2011, respectvely. He joned Unversty of Isfahan (UI) n September 2011 as an Assstant Professor n the Department of Informaton Technology Engneerng. Hs Research nterests nclude the desgn and cryptanalyss of block cphers, cryptographc protocols and secure multparty computaton. Behrouz Tork Ladan holds a bachelor n Computer Engneerng from Unversty of Isfahan, M.Sc. n Software Engneerng from Amr Kabr Unversty of Technology and a Ph.D. n Software Engneerng from the Unversty of Tarbat Modarres. Dr. Tork Ladan joned Unversty of Isfahan n Hs research nterests are n the areas of Cryptographc Protocols, Access Control, Trust, and Formal verfcaton. He s currently member of executve councl of Iranan Socety of Cryptology (ISC). Farba Morad currently s a B.Sc. student n Informaton Technology at Hamedan Unversty of Technology. Hs research nterests nclude IoT Systems and RFID Securty.