Privacy of Recent RFID Authentication Protocols

Transcription

1 Privacy of Recent RFID Authentication Protocols Khale Ouafi 1 an Raphael C.-W. Phan 2 1 Laboratoire e sécurité et e cryptographie (LASEC), Ecole Polytechnique Féérale e Lausanne (EPFL), CH-1015, Switzerlan khale.ouafi@epfl.ch 2 Electronic & Electrical Engineering, Loughborough University, LE11 3TU, Leics, Unite Kingom r.phan@lboro.ac.uk Abstract. Privacy is a major concern in RFID systems, especially with wiesprea eployment of wireless-enable interconnecte personal evices e.g. PDAs an mobile phones, creit cars, e-passports, even clothing an tires. An RFID authentication protocol shoul not only allow a legitimate reaer to authenticate a tag but it shoul also protect the privacy of the tag against unauthorize tracing: an aversary shoul not be able to get any useful information about the tag for tracking or iscovering the tag s ientity. In this paper, we analyze the privacy of some recently propose RFID authentication protocols (2006 an 2007) an show attacks on them that compromise their privacy. Our attacks consier the simplest aversaries that o not corrupt nor open the tags. We escribe our attacks against a general untraceability moel; from experience we view this eneavour as a goo practice to keep in min when esigning an analyzing security protocols. Keywors: RFID, authentication protocols, privacy, untraceability, provably secure. 1 Introuction RFIDs are wiely use in inventory control an supply chain management [1, 7, 18, 19, 25], in e-passports [12, 6, 11, 15, 20] e.g. for US visa waiver policies, in contactless creit cars [10]. Thus the aily ealings of the present ay iniviual is in fact a wireless interconnecte network involving interactions both within his connecte personal area network (PAN) among the things carrie in his bag or pocket, an between the PAN an the servers proviing the services an connectivitiy to those things. Among the things that the iniviual is carrying on him woul inclue those that are RFID enable i.e. items he bought from a retail chain, the creit cars in his wallet that he uses to purchase the items, an his e-passport to ientify himself to authorities. Privacy, both in terms of tag anonymity an tag untraceability (or unlinkability), is a significant concern that nees to be aresse if RFIDs are to be as wiely eploye as conceive by proponents. To ate, a rigorous treatment of privacy for RFID moels is still being evelope, notably the work of Avoine [2], Juels an Weis [13], Le, Burmester an e Meeiros [16]; an Vauenay [27, Work one while the author was with LASEC, EPFL.

2 28]. These moels iffer mainly in their treatment of the aversary s ability to corrupt tags. In fact, the recent privacy moels [13, 27, 16, 28] efine privacy in the untraceability sense. This is intuitive since untraceabile privacy (UPriv) is a strictly stronger notion (i.e. it implies) than anonymous privacy (APriv). To see this, note that if there exists an aversary breaking APriv then he can easily also break UPriv; while the converse is not necessarily true. In this paper, we analyze the privacy issues of recently (in 2006 an 2007) propose RFID protocols, namely [8, 14, 24, 4, 9]. Our attacks o not even nee the strong requirement of corrupting tags [26, 13, 27, 17, 16, 28, 22]. To the best of our knowlege, attacks presente here are the first known analyses of ProbIP [8], MARP [14], Auth2 [24], YA-TRAP+ [4], O-TRAP [4] an RIPP-FS [9]. 2 RFID Privacy Moels We escribe for completeness, the general untraceable privacy (UPriv) moel that will be the setting in which we use in later sections to emonstrate how to trace tags an thus show that the schemes o not achieve the notion of untraceable privacy. It is also goo practice to esign an analyze security protocols with reference to a clearly-efine moel [23]. We o not claim to efine a new moel, for our emphasis in this paper is instea on the analysis of the privacy an security issues of recent RFID protocols. In fact, the moel efine herein can be seen as an alternative efinition of the Juels-Weis moel [13] with some ifferences e.g. in constraints put on the aversary (see the iscussion in section 6.1) in a style that is more in line with the Bellare et al. [3] moels for authenticate key exchange (AKE) protocols, for which RFID protocols have close relationship with. A protocol party is a T T ags or R Reaers interacting in protocol sessions as per the protocol specifications until the en of the session upon which each party outputs Accept if it feels the protocol has been normally execute with the correct parties. Aversary A controls the communications between all protocol parties (tag an reaer) by interacting with them as efine by the protocol, formally capture by A s ability to issue queries of the following form: Execute(R, T, i) query. This moels passive attacks, where aversary A gets access to an honest execution of the protocol session i between R an T by eavesropping. Sen(U 1, U 2, i, m) query. This query moels active attacks by allowing the aversary A to impersonate some reaer U 1 Reaers (resp. tag U 1 T ags) in some protocol session i an sen a message m of its choice to an instance of some tag U 2 T ags (resp. reaer U 2 Reaers). This query subsumes the TagInit an ReaerInit queries as well as challenge an response messages in the Juels-Weis moel. Corrupt(T, K) query. This query allows the aversary A to learn the store secret K of the tag T T ags, an which further sets the store secret to K. It captures the notion of forwar security or forwar privacy an the extent of the amage cause by the compromise of the tag s store secret. This is the analog of the SetKey query of the Juels-Weis moel. Test UPriv (U, i) query. This query is the only query that oes not correspon to any of A s abilities or any real-worl event. This query allows to efine the 2

3 inistinguishability-base notion of untraceable privacy (UPriv). If the party has accepte an is being aske a Test query, then epening on a ranomly chosen bit b {0, 1}, A is given T b from the set {T 0, T 1 }. Informally, A succees if it can guess the bit b. In orer for the notion to be meaningful, a Test session must be fresh in the sense of Definition 2. Definition 1 (Partnership & Session Completion) A reaer instance R j an a tag instance T i are partners if, an only if, both have output Accept(T i ) an Accept(R j ) respectively, signifying the completion of the protocol session. Definition 2 (Freshness) A party instance is fresh at the en of execution if, an only if, 1. it has output Accept with or without a partner instance, 2. both the instance an its partner instance (if such a partner exists) have not been sent a Corrupt query. Definition 3 (Untraceable Privacy (UPriv)) Untraceable privacy (UPriv) is efine using the game G playe between a malicious aversary A an a collection of reaer an tag instances. A runs the game G whose setting is as follows. Phase 1 (Learning): A is able to sen any Execute, Sen, an Corrupt queries at will. Phase 2 (Challenge): 1. At some point uring G, A will choose a fresh session on which to be teste an sen a Test query corresponing to the test session. Note that the test session chosen must be fresh in the sense of Definition 2. Depening on a ranomly chosen bit b {0, 1}, A is given a tag T b from the set {T 0, T 1 }. 2. A continues making any Execute, Sen, an Corrupt queries at will, subjecte to the restrictions that the efinition of freshness escribe in Definition 2 is not violate. Phase 3 (Guess): Eventually, A terminates the game simulation an outputs a bit b, which is its guess of the value of b. The success of A in winning G an thus breaking the notion of UPriv is quantifie in terms of A s avantage in istinguishing whether A receive T 0 or T 1, i.e. it correctly guessing b. This is enote by AvA UPriv (k) where k is the security parameter. It remains to remark on the moels other than Juels-Weis, namely the Le- Burmester-e Meeiros (LBM) moel an the Vauenay moel. The LBM moel similarly allows the corruption of tags. Nevertheless, proof of security is in the universal composability (UC) moel [5]. The Vauenay moel [27, 28] is stronger than both the Juels-Weis an Le- Burmester-e Meeiros moels in terms of the aversary s corruption ability. In more etail, it is stronger than the Juels-Weis moel in the sense that it allows corruption even of the two tags use in the challenge phase. It is stronger than the Le-Burmester-e Meeiros moel in the sense that it consiers all its privacy notions even for corrupte tags, in contrast to the Le-Burmester-e Meeiros moel that only consiers corruption for its forwar privacy notion. 3

4 Our choice to escribe our tracing attacks in later sections with reference to a efine moel is for more uniformity between similar attacks on ifferent RFID protocols, an for better clarity to illustrate how an aversary can circumvent the protocols using precise types of interactions that he exploits, as capture by his oracle queries. This will facilitate the task of a esigner when an attempt is mae to reesign an attacke protocol. 3 ProbIP At RFIDSec 07, Castellucia an Soos [8] propose an RFID protocol (ProbIP) that allows tag ientification by legitimate reaers. Its security is base on the SAT problem, which is proven to be in the N P class of complexity. See Fig. 1, where the symbols in bol beneath each evice enotes the store state, an K[a i ] represents the a i -th bit of the l-bit length secret K. The authors of ProbIP gave arguments [8] for its security in the Juels-Weis moel. For simplicity, we assume, an for the rest of this paper, that the reaer an backen atabase server (if it exists) are one entity. This is soun since it is commonly assume by RFID protocol esigners that the channel between the reaer an server are secure. Reaer Database: {..., (ID, K),... } Tag Share Secret: K hello Do P times: generate a i, b i for i = 1... L s.t. a 1,b 1,...,a Fin (ID, K) s.t. L,b L P L i=1 K[ai] bi = L. 2 K satisfies all the equations Fig. 1. The ProIP protocol 3.1 Violation of Anonymous Privacy We first start by two remarks: 1. The tag oes not upate its secret key so at each authentication, some information is leake from the same key. 2. The tag oes not check the authenticity of the reaer, i.e. an aversary can query the tag as many times as he likes. From an information-theoretic point of view, a severe consequence of these two statements is that at one point an aversary will gather enough information to extract the key K from the responses of the tag. Let us consier an aversary that will keep sening hello messages via Sen queries to the tag until he gets l equations. Since at each request tags generate P equations, an aversary woul nee to query the tag n P times. After that, she obtains the following system in which v j i enotes a boolean variable that is set to 1 if the K[i]-th bit of K is present in the j-th equation: 4

5 L i=1 v1 i (K[i] b1 i ) = L 2 L i=1 v2 i (K[i] b2 i ) = L 2... L i=1 vl i (K[i] bl i ) = L 2 (1) As for any boolean v we can write v + v = 1, we replace any K[i] by the value 1 K[i]. As a consequence we can euce that there are as many as 3 n possible equations because every variable K[i] can have three coefficients: 0, 1, 1. This way, the aversary gets a linear system of n equations an n variables that can be solve using stanar methos such as the Gaussian elimination metho. In the case where the n equations are not linearly inepenant, the aversary can still can obtain more equations from the tag by sening Hello messages until she gets enough equations. 3.2 Countermeasure The weakness of this authentication protocol comes from the fact that each roun the avesary gets some information from the same key. So a quick way to counter our attack is to inclue a key-upating mechanism similar to OSK[21] at the en of the protocol using a one-way function. In this case, aversaries o not get more than P equations for each key so that the security proof an reuction to the SAT problem become soun. The resulting protocol is even forwar-private proviing that aversaries o not get sie-channel information from the reaer [28]. 4 MARP MARP is propose by Kim et al. [14] at CARDIS 06. They first escribe a scheme consisting of separate phases, an then escribe a more integrate one. For lack of better names, we enote these as MARP-1 an MARP-2, respectively. Here, a MARP is like a PDA to which several tags coul be attache. The channels between reaer an MARP, an between MARP an tag, are assume by Kim et al. to be insecure. We summarize these schemes in Figs. 2 an 3, which show only the bare minimal etail for unerstaning of our attacks. It suffices to note that K g, Kg e (resp. K m, Km e ) is the private-public key pair of the reaer (resp. MARP). Key t an P IN t are store secrets of the tag. The reaer is referre to [14] for more etaile escriptions. 4.1 Cryptanalysis of MARP-1 Tracing. Note that a 2 is fixe per tag, being a function of a particular tag T t s unique ientifier Ui t an secret key Key t. As the channel between the reaer an the MARP is not confiential, an aversary via Execute queries (i.e. eavesropping) can easily track the movement of T t by checking for matches of a 2 with previously capture values, as long as the encryption is eterministic. 5

6 Reaer MARP Tag (Ientifier Ri g, (K m, Ke m, (Ui t, key pair K g, Kg e ) Ri g, Ke g, Ui t, Key t, P IN t) h(key t), P IN t) h(p IN t ) P IN t Ui t P IN t h(key t ) Pick R r. Pick R. Query E K g e (Ri g R r) a 1 =E g K (E e K m (R r R m)) Pick R m. a r=e K m (E g e K (R m)) a 2 =E g K (E e K m (Ui t E h(keyt ) (Ui t))) E g K (R) E(a t ) R a t =h(r Key t ) Fig. 2. The MARP-1 protocol, comprising 3 phases: setup, privacy protection, an authentication Reaer MARP Tag (Ri g, (K m, Ke m, (Ui t, K g, Kg e ) Ri g, Ke g, Ui t, Key t, P IN t) h(key t), P IN t) Pick R r. Pick R s. Query E g K (Ri g R r) a 1 =E K g e (E K m (R r R )) Pick R. a r=e K m (E g e K (R )) a 2 =E g K (E e K m (Ui t E h(keyt ) (Ui t))) h(key t ) R s a 3 a s=r h(r h(p IN t )) h(p IN t ) R s a 3 =h(key t R s) Fig. 3. The MARP-2 protocol, comprising 2 phases: MARP authentication an tag authentication 6

7 Alternatively, the aversary can replay an ol R from MARP to the tag via Sen queries, an check if the response a t matches the ol value of a t corresponing to the replaye R. We remark that these attacks have less requirement than the ones performe by Juels an Weis [13] on some other oler RFID protocols that require Corrupt queries. Violating the anonymous privacy. Note that the initial setup messages allow to compute z = [P IN t Ui t ] [P IN t h(key t )] = Ui t h(key t ). Then the aversary simply issues Execute queries to be able to compute z, an then issues a Sen query to replace the message R from MARP to the tag with R = 0, an so the tag respons with a t = h(key t ). This allows to compute: z a t = [Ui t h(key t )] h(key t ) = Ui t, an so reveals a potential unique ientifier of the tag, which can be cross-checke against the possible list of ientifiers for a match. 4.2 Tracing MARP-2 MARP-2 also allows tracing. By eavesropping both messages via Execute queries between the reaer an the MARP an between the MARP an the tag, an aversary gets h(key t ) R s an h(p IN t ) R s. By XOR-ing these two values, the aversary gets h(p IN t ) h(key t ) which oes not epen on the session parameters an can be use to trace a tag. This scheme is also vulnerable to a replay attack since the response of the tag oes only epen on the parameters sent by the MARP. So if an aversary sens twice the same message a s via Sen queries, she will get the same response a 3 which can also be use for tracing. 5 Auth2 At PerCom 07, Tan et al. [24] propose two RFID protocols. We are intereste here in the secon protocol, an more exactly to the first variant escribe therein. For lack of better names we simply call it Auth2, see Fig. 4 for a complete escription of the protocol, where r j is a unique ientifier of the reaer, f an h are two collisions-resistant hash functions an h(.) m enotes the function that truncates the output of h to its m first bits. 5.1 Cryptanalysis of Auth2 Definite tracing. It was note by Auth2 esigners that inefinite tracing is possible but not a concern since many tags coul result in the same h(f(r j t i )) m value. We show how this tracing can be mae efinite, i.e. it can precisely track a unique tag, not just a group of them that have the same h(f(r j t i )) m. 7

8 Reaer R j Database: {..., (ID i, t i, f(r j t i)),... } request n i Pick ni. Tag T i Share secret: t i Pick n j. h 1 = h(f(r j t i)). h Check t i s.t. h(f(r j t i)) m = h 1,h 2 1. h2 = h(f(r j t i) n j n i) ID i. Compute ID i = h 2 h(f(r j t i) n j n i). n j,r i Fig. 4. The Auth2 protocol 1. Learning: The aversary eavesrops via Execute queries for a short perio uring the protocol sessions involving tag T 0 an two reaers R 1, R 2 to obtain r 1, h(f(r 1 t 0 )) m an r 2, h(f(r 2 t 0 )) m. 2. Challenge: Some time later, when the aversary wishes to track the tag T 0, he starts a session with the challenge tag T b {T 0, T 1 } replaying r 1 via a Sen query an checks the response from the tag for a match on the first message component with h(f(r 1 t 0 )) m. He starts another session replaying r 2 via a Sen query an checks the response from the tag for a match on the first message component with h(f(r 2 t 0 )) m. With both matches, it is highly likely that this is the same tag whose session he ha initially eavesroppe on, i.e. T b = T 0. Else T b = T 1. Violating the anonymous privacy. When analyzing the anonymous privacy of their Auth2 scheme, the authors [24] assume that the aversary has access to the reaer s list L of ata corresponing to targete tags, i.e. each entry in L is of the form ID i, f(r j t i ). The aversary only nees two entries in L corresponing to the targete tag T i, i.e. ID i, f(r 1 t i ) an ID i, f(r 2 t i ). Issue a Sen query with r 1 in a session, an then another Sen query with r 2 in another session to T i. Check if both responses match f(r 1 t i ) an f(r 2 t i ) respectively. 6 YA-TRAP, YA-TRAP+ an O-TRAP At SecureComm 06, Burmester et al. [4] propose two RFID protocols with formal proofs of security in the universal composability moel [5], namely YA- TRAP+ an O-TRAP. These were inspire by YA-TRAP propose at PerCom 06 by Tsuik [26]. 6.1 YA-TRAP The steps of YA-TRAP [26] are given in Fig. 5, where HMAC is a message authentication coe an PRNG is a pseuo-ranom number generator. It works as follows: a tag is initialize with an initial timestamp t 0 an the top timestamp value t max, as well as with a unique secret value K i. Tags are also assume to be able to compute a PRNG, where PRNG j i enotes the jth invocation by the tag T i of its own PRNG. 8

9 Reaer R j Tag T i Database L: {..., (t j, HMAC Ki (t j)),... } Share secret: K i, t 0, t i, t max t j if (t j < t i) or (t j > t max) h j = PRNG j i. else h j = HMAC Ki (t j) an h j upate t i t j. check t j s.t. (t j, h j) L. Fig. 5. The YA-TRAP protocol The main goal of YA-TRAP s esign was to achieve untraceable privacy (UPriv) with aversaries assume to be able to corrupt tags. Two operating moes were propose [26] for YA-TRAP, namely real-time an batch. The ifference is that for batch moe, responses from tags are collecte by the reaer in batches for later communication to the server for offline processing an ientification. This latter moe is suite for settings e.g. inventory control where tags are assume honest, since they will only be authenticate later in batches rather than online. Thus, this moe is not suitable for applications where feeback is require on the spot, e.g. library check-outs, or retail outlets for both tags in purchase items as well as tags in creit cars. Tsuik observe that it was possible for enial of service (DoS) attacks to be launche towars YA-TRAP, an remarks that DoS resistance is not among the key goals of YA-TRAP. What is more subtile, however, is the fact that a enial-of-service kin of attack coul lea to an aversary being able to track a tag in the YA-TRAP protocol. Tracing tags in real time. In the YA-TRAP specification, it was suggeste [26] that the top value t max of a tag s timestamp nee not be unique but coul instea be share by a batch of tags. Consier a scenario where tags have ifferent t max, operating in real-time moe. Inee, acknowleging the fact that tags are prouce by ifferent manufacturers for iverse applications, it seems inevitable that some tags will have iffering t max. An aversary can trace a tag, i.e. istinguish between two tags (corresponing to a break of the privacy notion in the Juels-Weis moel [13] an the UPriv notion we escribe in Section 2), as follows. For simplicity, assume two tags T 0 an T 1 with respective t max0 an t max1, where t max0 < t max1. 1. Learning: Issue a Sen query with t j = t max0 to a tag T {T 0, T 1 }. Since t max0 is much into the future than current t i value, a response h j = HMAC Ki (t j ) is expecte, irrespective of which tag it is. Furthermore, the tag will upate its local time counter as t i = t max0. This action serves to sen the tag into the future by marking it for future tracing. 2. Challenge: Some time later, when it is esire to trace the tag, issue a Sen query with t j for t max0 < t j < t max1. If T = T 0, it will respon h j = PRNG j i an will not successfully pass the valiation check by the reaer. If T = T 1, it will respon h j = HMAC Ki (t j ) an will successfully pass the valiation 9

10 check. Thus by observing the reaer-tag interaction via Execute queries, an aversary can istinguish between T 0 an T 1 an win the privacy game. Juels an Weis [13] gave two tracing attacks on YA-TRAP that are vali in their privacy moel, thus showing YA-TRAP oes not meet their efinition of strong privacy. Nevertheless, their tracing attacks woul no longer apply in a weaker privacy moel, an in fact one which better moels the practical setting, where the aversary is further restricte by limiting its access to the TagInit message [13] as follows: when the TagInit message is issue to its two selecte tags T 0 an T 1 use uring the challenge phase, the aversary oes not know which one of them was issue the message. This better moels the practical privacy setting as the aversary is unaware uring the learning phase which tag it has querie. In contrast, our attack still applies in this weakene-aversary setting, an thus our result shows that setting a common t max for tags offers more avantage over having iniviual t max for each tag. YA-TRAP was esigne to specifically output a ranom response even if the tag oes not want to be valiate by the reaer, such that an aversary is unable to istinguish between that ranom response an a proper response. Yet, by observing the output of the reaer-tag interaction, i.e. seeing if the tag passes the valiation or not, still allows the istinguishing. In this sense, using the YA-TRAP approach of generating ranom responses by itself is not sufficient to prevent tracing. To reiterate, our attack can be prevente if the aversary is unable to observe the output of the reaer-tag interaction, i.e. it oes not know if the tag successfully passes the reaer s valiation check. This inability in fact correspons to the narrow aversary moel efine in Vauenay s privacy moel [28]. One example setting that fits this narrow moel is the batch moe suggeste by Tsuik [26] for YA-TRAP. Nevertheless, it is worth recalling here that batch moe is not relevant for applications where immeiate feeback is require e.g. retail an library check-outs, an furthermore is only meaningful in the setting where tags are assume to be honest (not usually the case) since they are not authenticate on the spot but later. Cloning. An aversary can issue Sen queries to the tag with arbitrarily many values of t j an obtain the corresponing responses h j. These values allow the tag to be clone so that when the clone tag is querie a particular t j value, it will reply with the capture response h j. The problem here stems from the fact that tag responses h j are pre-computable only with the presence of the tag an not the reaer since the suppose reaer-supplie challenge is a preictable monotonically increasing timestamp t j. 6.2 Tracing YA-TRAP+ with Secon Pass The steps of YA-TRAP+ are shown in Fig. 6, where H K ( ) enotes a keye hash function an the steps preceee by [ ] are optional, an only meant to be use by the reaer if it is felt that DoS attacks are rampant. Legitimate reaers share with the tags their secret keys K i. It turns out that the tracing attack of subsection 6.1 is simpler when applie to YA-TRAP+ if its optional secon pass (preceee in Fig. 6 by [ ]) is mae compulsory. 10

11 Reaer R j Tag T i Database L: {..., (t j, HMAC Ki (t j)),... } Share secret: K i, t 0, t i t,r t Pick r i. if (t > t i) h 1 = H Ki (00 t r t) else r i,h 1 h1 = H Ki (01 r i r t) if (t t i). [ ] r i,h 2 [ ] Calculate h 2 = H Ki (10 r i t) check (t j, HMAC Ki (t j)) L s.t. [ ]check h 2 = H Ki (10 r i t). h 1 = H Ki (00 t r t), if (t > t i) or h 1 = H Ki (01 r i r t). Upate t i t. Fig. 6. The YA-TRAP+ protocol 1. Learning: An aversary first issues Sen queries to the tag T 0 with some r t an a value t that is preictably much larger than the tag s t i, obtaining the response r i, h 1 = H K (00 t r t ). It then intentionally moifies via a Sen query the message h 2 from reaer to tag such that the tag oes not successfully authenticate the reaer an thus the tag oes not upate its internal time counter t i to t. 2. Challenge: Issue a Sen query to the tag in future (i.e. let the challenge tag T b {T 0, T 1 } uring the challenge phase) with the same r t an t. Since t > t i, it will return the response r i, h 1 = H K (00 t r t ) for which h 1 is the same if the challenge tag T b = T 0. Otherwise, the aversary knows T b = T 1. This allows to track the tag an win the privacy game. Note that YA-TRAP+ was specifically esigne to resist the kin of tracing attack on its preecessor YA-TRAP that we mounte in subsection 6.1, an yet this result shows that the optional secon pass of YA-TRAP+ that requires to check h 2 before upating the store secret, although meant to provie aitional security to resist enial of service attacks, will in fact cause the protocol to fall to tracing. 6.3 Tracing O-TRAP The steps of O-TRAP are shown in Fig. 7. The reaer contains a hash table inexe by r i with entries r i, K i where r i an K i correspon to secrets of tags to which it has legitimate access. 1. Learning: An aversary can issue a Sen query to the tag T 0 with ranom values r t repeately, causing the tag to upate its r i each time such that it is way into the future compare to its synchronization with the reaer. 2. Challenge: The aversary observes the future interaction between a tag T b {T 0, T 1 } an a reaer via Execute queries to see if the reaer accepts the tag as vali. If not, then the aversary knows this was the tag that it marke uring the learning phase, i.e. T b = T 0. Else, T b = T 1. Note that this kin of attack has been inepenently applie by Juels an Weis [13] to a couple of other oler RFID protocols. Yet what is interesting as has been 11

12 Reaer R j Database L: {..., (r i, K i),... } check (r i, K i) in DB: s.t. h = H Ki (r t, r i) or h = H Ki (r t, r i). Upate r i H Ki (r i) L. Tag T i Share secret: r i, K i r t r i,h Compute h = H Ki (r t, r i). Fig. 7. The O-TRAP protocol Upate r i H Ki (r i). emonstrate here, is that recent provably secure protocols like YA-TRAP+ an O-TRAP in some sense still allow for tracing. 7 RIPP-FS RIPP-FS was propose by Conti et al. [9] at PerCom 07. The steps of RIPP-FS are given in Fig. 8. Each tag T i is initialize with a tag key KT 0 i that it shares with the reaer, as well as the initial value-pair (K 0, t 0 ) generate by the reaer, where K 0 is the last value in a hash chain K l = w K i = H(K i+1 ) = H l 1 (w), i = 0,..., l 1 for w a see, an t j (j = 0,..., l) is a time interval counter. A tag is also assume to be able to compute a pseuo-ranom number generator (PRNG), where PRNG j i enotes the jth invocation by the tag T i of its own PRNG. One of the goals of RIPP-FS s esign was to achieve untraceable privacy (UPriv) against aersaries able to corrupt tgs, an it is claime to offer more security properties than YA-TRAP, YA-TRAP+ an O-TRAP. Reaer R j Database L: {..., (T i, K j T i, HMAC j K (t j)),... } T i Tag T i Share secret: K j, t j K j,t j δt = t j t j if (δt > 0) an (H δt (K j) = K j) t j = t j, K j = K j, K Ti = H δt (K Ti ), h j = HMAC KTi (t j). else h j = PRNG j i. h j check T i, h j : T i, K j T i, h j L. Fig. 8. The RIPP-FS protocol 12

13 7.1 Tracing Tags We show how to trace tags in the RIPP-FS protocol. 1. Learning: (a) Query Sen to the reaer to initiate two protocol sessions, obtaining (K j, t j ) an (K j+1, t j+1 ), where t j+1 > t j, an K j = H(K j+1 ). (b) Make a Sen query to a tag T 0 with the value (K j+1, t j+1 ). Since this is a vali message generate from the reaer, a response h j = HMAC KTi (t j+1 ) is expecte. More importantly, the tag will upate its time interval counter as t j = t j+1, as well as the other secrets K j = K j+1 an K Ti = H t j+1 tj (K Ti ). 2. Challenge: Some time later, when it is esire to trace the tag, issue a Sen query with (K j, t j ) to the challenge tag T b, an pass the response h j+1 to the reaer. If T b = T 0, it will respon h j+1 = PRNG j i an will not successfully pass the valiation check by the reaer. If T b = T 1, it will respon h j+1 = HMAC Ki (t j ) an will successfully pass the valiation check. Thus by observing the reaer-tag interaction via Execute queries, an aversary can istinguish between T 0 an T 1 an win the privacy game. 8 Concluing Remarks We first provie an alternative escription of privacy moels that captures the notion of untraceable privacy (UPriv) an iscusse its relation to existing moels. This was to pave the way for our analysis results in later sections. We showe how the notion of UPriv cannot be achieve by some recent RFID protocols. Our emphasis in this paper was to analyze the level of untraceable privacy offere by the protocols. We only iscusse reasons why our attacks worke an intentionally i not propose any tweaks nor fixes on the protocols; mainly because there are alreay many available in literature, an so we feel this was not necessary unless there is a serious voi of well esigne provably secure RFID protocols. Final remarks: while a uniformly accepte privacy moel for RFID protocols is still being evelope by the community, the results here serve to strengthen the nee for such a stanar moel to facilitate better esign of RFID protocols that offer both privacy an security. This has to be fulfille if RFIDs are ever to be wiely use by each iniviual within his network space of interconnecte things. References 1. Albertsons Announces Manate, RFID Journal, 5 March, Available online at 2. G. Avoine, Aversarial Moel for Raio Frequency Ientification, Cryptology eprint Archive, report 2005/049, 20 February, Available at IACR eprint Archive, 3. M. Bellare, D. Pointcheval an P. Rogaway, Authenticate Key Exchange Secure against Dictionary Attacks, Avances in Cryptology - EUROCRYPT 00, LNCS 1807, pp ,

14 4. M. Burmester, T.V. Le an B. e Meeiros, Provably Secure Ubiquitous Systems: Universally Composable RFID Authentication Protocols, Proceeings of Securecomm 06, pp. 1 9, Full version available at IACR eprint Archive, last revise 5 December R. Canetti, Universally Composable Security: A New Paraigm for Cryptographic Protocols, Proc. IEEE FOCS 01, pp , Full version available at IACR eprint Archive, last revise 13 December D. Carluccio, K. Lemke an C. Paar, E-Passport: The Global Traceability or How to Feel Like a UPS Package, Proceeings of WISA 06, LNCS 4298, pp , CASPIAN, Boycott Benetton, accesse 19 September Available online at 8. C. Castelluccia an M. Soos, Secret Shuffling: A Novel Approach to RFID Private Ientification, Proceeings of RFIDSec 07, pp , M. Conti, R. Di Petro, L.V. Mancini an A. Spognari, RIPP-FS: An RFID Ientification, Privacy Preserving Protocol with Forwar Secrecy, Proceeings of PerCom 07, pp , T.S. Heyt-Benjamin, D.V. Bailey, K. Fu, A. Juels an T. O Hare, Vulnerabilities in First-Generation RFID-enable Creit Cars, Proceeings of Financial Cryptography 07, LNCS, to appear. 11. J.-H. Hoepman, E. Hubbers, B. Jacobs, M. Oostijk an R.W. Schreur, Crossing Borers: Security an Privacy Issues of the European e-passport, Proceeings of IWSEC 06, LNCS 4266, pp , A. Juels, D. Molnar an D. Wagner, Security an Privacy Issues in E-Passports, Proceeings of SecureComm 05, pp , Full version available at IACR eprint Archive, last revise 18 September A. Juels an S.A. Weis, Defining Strong Privacy for RFID, Proceeings of PerCom 07, pp , Full version available at IACR eprint Archive, 7 April S.-C. Kim, S.-S. Yeo an S.K. Kim, MARP: Mobile Agent for RFID Privacy Protection, Proceeings of CARDIS 06, LNCS 3928, pp , E. Kosta, M. Meints, M. Hensen an M. Gasson, An Analysis of Security an Privacy Issues Relating to RFID Enable epassports, Proceeings of IFIP-SEC 07, LNCS, to appear. 16. T.V. Le, M. Burmester an B. e Meeiros, Universally Composable an Forwar- Secure RFID Authentication an Authenticate Key Exchange, Proceeings of ASIACCS 07, pp , Full version available at IACR eprint Archive, 14 February C.H. Lim an T. Kwon, Strong an Robust RFID Authentication Enabling Perfect Ownership Transfer, Proceeings of ICICS 06, LNCS 4307, pp. 1 20, Michelin Embes RFID Tags in Tires, RFID Journal, 17 January, Available online at Mitsubishi Electric Asia Switches on RFID, RFID Journal, 11 September, Available online at J. Monnerat, S. Vauenay an M. Vuagnoux, About Machine-Reaable Travel Documents: Privacy Enhancement using (Weakly) Non-Transferable Data Authentication, Proceeings of RFIDSec 07, pp , M. Ohkubo, K. Suzuki an S. Kinoshita, RFID Privacy Issues an Technical Challenges, Communications of the ACM, Vol. 48, No. 9, pp , R.-I. Paise an S. Vauenay, Mutual Authentication in RFID: Security an Privacy, Proceeings of AsiaCCS 08, to appear. 23. P. Rogaway, On the Role Definitions in an Beyon Cryptography, Proceeings of Asian Computing Science Conference (Asian 2004), LNCS 3321, pp ,

15 24. C.C. Tan, B. Sheng an Q. Li, Serverless Search an Authentication Protocols for RFID, Proceeings of PerCom 07, pp. 3 12, Target, Wal-Mart Share EPC Data, RFID Journal, 17 October, Available online at G. Tsuik, YA-TRAP: Yet Another Trivial RFID Authentication Protocol, Proceeings of PerCom 06, pp , S. Vauenay, RFID Privacy base on Public-Key Cryptography, Proceeings of ICISC 06, LNCS 4296, pp. 1 6, S. Vauenay, On Privacy Moels for RFID, Avances in Cryptology - Asiacrypt 07, LNCS 4833, pp ,