Cryptanalysis and Improvement of Mutual Authentication Protocol for EPC C1G2 passive RFID Tag

Transcription

1 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): Cryptanalyss and Improvement of Mutual Authentcaton Protocol for EPC C1G passve RFID Tag Ahmed Maarof 1, Mohamed Senhad1, Zouher Labb 3 and Mostafa Belkasm 4 1 Laboratory of Informaton, Communcaton and Embedded Systems(ICES), Mohammed V Unversty, ENSIAS Rabat, Morocco Laboratory of Informaton, Communcaton and Embedded Systems(ICES), Mohammed V Unversty, ENSIAS Rabat, Morocco 3 Laboratory of Informaton, Communcaton and Embedded Systems(ICES), Mohammed V Unversty, ENSIAS Rabat, Morocco 4 Laboratory of Informaton, Communcaton and Embedded Systems(ICES), Mohammed V Unversty, ENSIAS Rabat, Morocco Abstract A Rado Frequency Identfcaton (RFID) system s a contactless automatc dentfcaton system that uses small and low-cost tags. The restrcted computaton ablty and lmted memory capacty of low-cost tags make exstng RFID systems vulnerable. EPC Class 1 Generaton (EPC-C1G) s the most popular standard for low cost passve RFID tags, for mprovng securty of ths standard; many securty schemes are desgned snce the release of the EPC-C1G. In 013 Pang et al. s, proposed an mproved authentcaton protocol for low cost RFID systems. They clamed that ths protocol s secure aganst varous attacks. In ths paper, we show that ths protocol s stll vulnerable aganst other attacks whch ddn t dscussed by Bezhad et al. Then, an mproved protocol s proposed to fx the vulnerabltes, moreover we show that the proposed protocol s conforms to EPC-C1G. Keywords: RFID Securty, Lghtweght, Authentcaton Protocol, Prvacy, Low Cost RFID, EPC Class-1 Generaton- Standard. 1. Introducton RFID technology has many applcatons such as nventory control to supply chan management, traffc control, stock control, lbrares and so on. As t s shown n Fg. 1, RFID systems nvolve three man parts: back-end server, reader and tag. In general terms, the tag comprses a wreless mcrochp wth a very lmted computatonal and storage capabltes, and a couplng element, such as an antenna col for communcaton that can be used to dentfy the obects t s attached to. The reader s composed of a rado frequency (RF) module, a control unt and a couplng element. The reader communcates to the server and the tag. The reader can carry out some complex cryptographc operatons nstead of the tag. The Server s usually composed of a database and a processng logc. It receves data from the readers, stores data nto a database, and provdes access to the data. Furthermore, the Server s assumed to have an nfnte computatonal power [1], [], [3]. ISO and the Electronc Product Code (EPC) standard proposed by EPC global has become the man domnant RFID technology on global logstcs market n the world. ISO [4] has ratfed and publshed EPC-C1G standard as an amendment to ISO/IEC The low-cost passve tags do not have a battery, as they obtaned ther power source from the reader. Among all of the dfferent types of RFID tags, the passve tags are low cost, and t runs very smple functons whch does not support cryptographc. In order to acheve the low-cost manufacture requrement, EPC-C1G RFID tag can only authorze a very prmtve computaton capablty and arthmetc functons. However, the EPC-C1G RFID tag specfcaton dd not take much account to user prvacy and data securty ssue, so the desgn of a secure mutual authentcaton protocol has become one of the most mportant key factors for the success of EPC- C1G RFID systems. The securty analyss that carred out on the authentcaton protocol proposed n the EPC-C1 G specfcaton have showed several securty vulnerabltes n ths standard [5,6]. So, the researchers have been motved to propose new EPCcomplant schemes, or to correct the weaknesses and mprove ts securty level, whch s also our concern n ths paper. In the hstory of RFID securty research, numerous authentcaton protocols conformng to EPC-C1G standards had been developed. However, all of them are vulnerable to securty and prvacy threat and do not mantan low computatonal and communcaton cost and cannot be ntegrated nto the EPC-C1G tag. 017 Internatonal Journal of Computer Scence Issues

2 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): The RFID system conssts of followng components (as shown n Fgure1) [7]: Tag (attached wth an obect, unque dentfcaton). Antenna (tag detector, creates magnetc feld). Reader (recever of tag nformaton, manpulator). Communcaton nfrastructure (enable reader/rfid to work through IT nfrastructure). Applcaton software (user database/applcaton/ nterface). Fg. 1 Model of RFID systems. The rest of ths paper s organzed as follows. secton covers the related work n ths area. Secton 3 provdes an overvew about the EPC-C1G standard and securty threats related to low cost RFID technology. We revew Pang et al. s protocol and we nvestgate ther vulnerabltes n Secton 4. In secton 5, the new proposed protocol s presented. The proposed protocol s analyzed n terms of securty and performance n Secton 6. Fnally, conclusons are gven n Secton 7.. Related Work Motvated by the release of EPC-C1G specfcaton, some researchers have recently proposed a lot of schemes [7-11] tryng to solve the practcal problems due to the fact that the EPC-C1G only provdes a low securty level. In ths secton, we wll summarze some related proposals n ths feld. In 007 Chen et al.[8] proposed a mutual authentcaton protocol conformng to EPC-C1G standard, the securty of ther scheme heavly reled on the abuse of the cyclc redundancy code (CRC). However, Pers-Lopez et al.[9]showed that the protocol cannot resst to tag mpersonaton, desynchronzaton attackng and locaton trackng. So the Chen et al. s protocol not only s vulnerable to such attacks, but also does not provde tag prvacy. Chen and Deng [10] proposed an EPC-frendly mutual authentcaton scheme by usng a pseudo-random number generator (PRNG) and CRC whch s conformed to the EPC-C1G standard. Ther protocol tred to apply CRC as cryptographc hash functon for message authentcaton. However, CRC functons are lnear and should not be used for any cryptographc purpose only for detecton of random errors n the channel [9]. So attacker s able to mpersonate a tag or a reader, to trace a tag, and even to launch a DoS attack. These securty vulnerabltes are all due to the msuse of the CRC functon. In 010 Yeh et al.[11] also proposed a RFID mutual authentcaton protocol conformng to EPC-C1G standard whch allows us free from the assumpton of the channel s securty. The nformaton transmtted between reader and back-end database may also eavesdropped and ntercepted by the attacker n actual envronment, so the protocol appled a one-way hash functon to guarantee the communcaton securty between reader and back-end database. Nevertheless, Yoon [1] ponted out that Yeh et al. s protocol stll had two serous securty problems such as DATA ntegrty problem and forward secrecy problem. In 013, Pang et al.[13] proposed a mutual authentcaton protocol to enhance the securty for RFID systems whch s conformng RFID systems, but ther protocols stll suffers from some weaknesses whch are dscussed by Behzad et al.[14] and other wll be dscussed n ths paper. Behzad et al. proposed to add a hash functon to mprove the protocol, but the EPC C1G s tag only support CRC, PRNG functons, smple logc operatons and generate random number, then ts proposton s not supported by EPC C1G s Tag. In ths study, we nvestgate other securty and prvacy weaknesses of Pang et al. that have not been dscussed by Behzad et al. and then, n order to ncrease the securty and prvacy of Pang et al. and to elmnate the exstng weaknesses, we apply some modfcatons on the analyzed protocol and proposed an mproved lghtweght mutual authentcaton protocol conformng to EPC C1G standard. For more evaluaton, the mproved protocol s analyzed n terms of securty and we show that all exstng attacks are removed also t s secure aganst dfferent attacks. We brefly revew some related work and examne ther weaknesses. 3. EPC-C1G Standard and Securty Requrements 3.1 EPC-C1G Requrements RFID Class 1 Generaton (C1G) standard has been ssued by EPCglobal [4]. It defnes RFID standards as follows: 017 Internatonal Journal of Computer Scence Issues

3 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): RFID tag s passve. - RFID tag communcates on the UHF band ( MHz) and t communcates n the range from m to 10 m. - A Pseudo-Random Number Generator (PRNG) functon. - A Cyclc Redundancy Code (CRC) functon, to produce checksum code to verfy the ntegrty of the transmtted nformaton. - XOR: Exclusve OR. - Reserved memory that contans a 3-bt kll password (KP) to permanently dsable the tag and a 3-bt access password (AP). As an EPC-C1G tag has very lmted resources, thus t s ncapable of supportng complex operatons lke symmetrc encrypton, publc encrypton, and hash functon. 3. Securty Requrements of EPC-C1G System Low cost RFID systems generate sgnfcant securty rsks, manly due to ther cost constraned mplementatons and the nsecure communcaton channels over whch tags and readers communcate. The followng securty ssues are frequently dscussed for low cost RFID systems: - Secret Parameters Reveal - Replay attack - Forward secrecy - De-synchronzaton (Dos) Attack - Traceablty Attack - Tag Impersonaton Attack - Server Impersonaton Attack 4. Revew of Pang s Protocol In ths secton we brefly revew Pang s protocol. The scenaro of the protocol s dvded nto the ntalzaton and the authentcaton phases. 4.1 Intalzaton phase RFID For each tag, the nformaton kept wthn the database are [K old,c old,,k new,c new,epc s,d ]. The ntal nformaton K 0, P 0 and C 0 of tag and database are randomly generated by the manufacturer. Then, we set K old = K new = K 0, and C old = C new = C 0. Each tag records the nformaton [K = K 0, C = C 0, EPC s ], whose values are equal to those recorded n the database. The reader does not need any stored dentty nformaton, because the communcaton channel s supposed secure between server and reader. 4. Authentcaton phase The dfferent steps of authentcaton phase are as descrbed below: 1) Reader Tag: The reader R generates a random number N 1 and sends t as a query to the tag T. ) Tag Reader: The tag T generates a random number N, and computes M1 = EPCs N1 K, CN = N PRNG(K), and M = CRC(EPCs N C) K and forwards them to the reader. 3) Reader Server: The reader R forwards (C, M 1, CN, M, N1) to the server. 4) Server Reader: After recevng (C, M1, CN, M, N1), the server performs the followng operatons: () Accordng to the receved value C, the server uses C new or C old equal to C and pcks up EPCs of the correct tag, and then computes K = EPCs N 1 M 1. If K =K old or K new, the server computes also N = CN PRNG (K ) and checks f the equaton M K =CRC (EPCs N C ) holds or not. The process s repeated for each entry untl the matched tag s found. Otherwse, the server aborts the process. () Once the tag s authentcated successfully by the server, t computes M 3 =CRC (EPCs (N l/4)) K, and sends (D, M 3 ) to the reader R. () The server proceeds to update ts records as follows: K K, K K N l / 4 (1) old new C C, C PRNG ( N N ) K () old new 1 5) Reader Tag: The reader R receves (D, M3) from server and then forwards M 3 to the tag T. 6) Tag : The tag T computes CRC (EPCs (N l/4)) K and checks whether M3 K = CRC (EPCs (N >> l/4)) s correct, If yes, then the tag authentcates the server successfully and updates the records as follows: C PRNG ( N N ) K (3) 1 K / 4 K N l (4) If t does not hold, the tag T stops the sesson 4.3 Securty Analyss 017 Internatonal Journal of Computer Scence Issues

4 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): In addton to the dscussed attacks by Bezhad et al., we present an effcent and passve attack that retreves all secret nformaton of the tag nclude EPCs,K, C. Moreover, we prove by other way, whch s dfferent from the one dscussed by Bezhad et al, that ths scheme s vulnerable to de-synchronzaton. a) Secret Informaton Dsclosure Attack Pang et al. clamed that ther protocol attempt a complexty of exhaustve search attack equal to O ( 3 ) but n ths subsecton we am to show that the complexty s ust O ( 16 ), by consequently the Pang s protocol cannot resst aganst the secret nformaton dsclosure attack. The attacker acts as follows: Learnng phase: Eavesdrops one successful sesson of the protocol between tag and reader and stores the exchanged messages ncludng M 3, C, M 1, CN, M and N 1. Attack phase: Based on the calculated equaton M 1, M and M 3 the length of EPCs s 16-bt, Let α = {α 1, α, α 3, α 16 } be the set of all bt strng of length 16 and EPCs α, the attacker runs the followng algorthm: Algorthm 1: attack senaro For 1 16 Choose: EPCs α Computes: K = M 1 N 1 EPCs N = CN PRNG (K ) If (M K = CRC (EPs N C ) and M 3 = CRC (EPCs (N >> (l/4))) K ) Return K and EPCs End For The attacker obtans the secret values EPCs and K correspondng to a tag. Concernng the complexty of the gven attack, t can be concluded that the attacker needs ust one sesson to collect the exchanged messages between reader and tag, and he/she needs at most 16 PRNG and 16 CRC computatons. Then ths attack can be easly performed by an ordnary attacker. After obtanng the secrets values of the tag, t wll be easy that an attacker launches others attacks such as reader mpersonaton attack, tag mpersonaton attack, traceablty attack and DoS attack. b) De-synchronzaton Attack Usng CRC lnear property, we show how an attacker performs de-synchronzaton attack between the tag and the server and cause DoS. The proposed cryptanalyss s descrbed as follows: Theorem 1: For any CRC and for any values of x and y F CRC ( x y ) CRC ( x ) CRC y (5) Based on the above property, the attacker can launch the DoS attack: Learnng phase: In step when the tag sent (M 1, M,C,, CN ) to reader, the attacker ntercepts them and generates and random value RN. Attack phase: Attacker replaces the ntercepted messages by (M 1, M,C, CN ) and send them to reader where: ' M M CRC RN (6) CN CN RN (7) ' The server proceeds to authentcate the forged tag, for that t computes and checks:? M K CRC ( EPCs N C ) (8) Where N CN PRNG K (9) and CN CN RN (10) Then equaton (8) becomes as follow: M CRC RN K CRC ( EPCs CN RN PRNG K C ) By applyng the theorem 1, the equaton (11) becomes: ( ) M CRC RN K CRC EPCs CN PRNG K C CRC RN Then M K CRC ( EPCs CN PRNG K C (11) (1) (13) As these parameters are legal, then the above equalty holds. As consequently, the server authentcates the forged tag, and t wll update ts secrets parameters K and C usng RN N. 017 Internatonal Journal of Computer Scence Issues

5 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): In the same way, we show how an attacker spoofs a tag to pass ts authentcty. When reader forwards M 3 to tag, and attacker can ntercepts t by eavesdroppng the communcaton channel and replaces M3 by: M3 M3 CRC ( RN ( l /4)) (14) Where: M CRC ( EPCs (( N RN) ( l / 4)))) K 3 (15) Then the tag computes and verfes:? M K CRC ( EPCs ( N ( l / 4))) (16) 3 M CRC( RN ( l /4)) K CRC ( EPCs 3 (( N RN) ( l /4)))) K CRC ( RN ( l /4) ) K By applyng the theorem 1, the equaton (17) becomes: M CRC ( RN ( l / 4))) K 3 CRC( EPCs ( N ( l / 4 ))) K CRC ( RN ( l / 4 )) CRC ( RN ( l / 4) ) K (17) (18) The proposed protocol does not use hash functons or other complex encrypton schemes, we use only PRNG and XOR operatons. The << shft operaton appled by Pang et al. and Bezhad et al wll not appled n our protocol because ths operaton do not conform to EPC-C1G standard. Moreover, to avod the de-synchronzaton attack due to the lnear property of CRC operaton, the proposed scenaro wll not appled CRC operaton. We assume that the communcaton channel between the reader and the backend server s secure, because a reader has much more resources, such as memory, energy and computaton power, than a tag. For the channel communcaton between reader and tag, we assume that t s nsecure. In order to prevent from exhaustve search attack durng the proposed protocol, some exchanged messages are computed by applyng separated PRNG functons. For any PRNG (A) and PRNG (B), f A = B, to determne A and B we needs O ( 16 ) executons of PRNG functon, but t s not possble to fnd A and B after O ( 16 ) PRNG executons for gven PRNG (A) PRNG (B), so we needs O ( 16 ) PRNG executons possble for each A and B, then at least 3 executons. Moreover to avod easly retreve of secret dentfcaton parameters, t s necessary to randomze the PRNG functon. Notatons used n ths paper are defned as follows: Then the above equaton holds. As consequently, the tag authentcates the forged reader, and t updates ts secrets parameters K and C usng N. As showed before the tag and server uses N and RN N respectvely to update ther secrets parameters K and C,, then the shared secret between the tag and the server wll not be the same, whch can cause a de-synchronzaton between them. 5. Improved Protocol Our man contrbutons can be summarzed as follows: In order to elmnate the mentoned vulnerabltes and the one dscussed by Bezhad et al., we propose an mproved RFID authentcaton protocol conformng to the EPC- C1G standard. As EPC-C1G standard authorze smple operatons whch can be performed by a tag, such as Cyclc Redundancy check Code (CRC), Pseudo Random Number Generator (PRNG), and btwse XOR, an EPCC1G tag could not perform the hash functon, so the proposed suggeston by Bezhad et al. that used hash functon are too complcated and doesn t conform to EPC-C1G tags. Notaton EPCs SK SP SK old SK new SP old SP new I Table 1: Notatons Descrpton The 96 bts of EPC code are dvded nto sx 16-bt blocks, and then the sx blocks are XORed to get EPCs The authentcaton key stored n the tag for the database to authentcate the tag at the ( + 1)th authentcaton phase The access key stored n the tag for the tag to authentcate the database at the ( + 1)th authentcaton phase The old authentcaton key stored n the database The new authentcaton key stored n the database The old access key stored n the database The new access key stored n the database The database ndex stored n 017 Internatonal Journal of Computer Scence Issues

6 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): SM EPCs the tag to fnd the correspondng record of the tag n the database Exchanged messages The 96 bts of EPC code are dvded nto sx 16-bt blocks, and then the sx blocks are XORed to get EPCs The stored nformaton n each entty: Database: (SK old, SK new,sp old, SP new, I old, I new, EPC ) Tag: (SK, SP,I,EPCs) 5.1 Intalzaton phase Durng the ntalzaton phase, the records stored prevously n each party s memory are assumed secure. Intal nformaton SP0, SK0 and I0 of tag and database are generated by the constructor, and set the correspondng record n the tag (SP =SP0, SK = SK0, I =I 0 ) and n the database (SP old = SP new =SP0, SK old = SK new =SK0, I old = I new =I 0 ). 5. Mutual Authentcaton phase The authentcaton protocol operates as follows: Step 1- Reader Tag: The reader generates random number RN R and sends t as a query to the tag. Step - Tag Reader: After recevng the message, the tag generates RN T and computes SM 1 = PRNG (EPCs RN R ) PRNG (SK RN T ) and SM = PRNG (SK EPCs I ) RN T usng the local secret parameters. Then the tag sends SM 1, SM and I to the reader. Step 3- Reader Server: The reader forwards SM 1, SM, RN R and I to the tag. Step 4- Reader Server: After recevng (SM 1, SM, RN R and I ), the database performs the followng operatons: a) Authentcaton phase: the server uses I as an ndex to fnd the correspondng record n the database and t wll extracts RN T from SM PRNG (SK EPCs I ) and computes SM 1 = PRNG (EPCs RN R ) PRNG (SK, x RN T ) to authentcate the tag, where x = old or new. When a matchng s found, the server set x as old or new accordng to authentcaton key SK new or SK old n the record s found matched wth the one n the tag. If the two values RN T and SM 1 match, then the tag s authentcated successfully by Server, otherwse the sesson aborts. Now the Server proves ts authentcty to tag by computng SM 3 = PRNG (EPCs RN T ) PRNG (SP RN R ) and sends t to the reader. b) Updatng phase: If x = new, then the database wll update the record as follows: SK S K, S K PRNG SK (19) old new new SP SP, SP PRNG SP (0) I old old new new I PRNG ( RN SP ) PRNG ( RN SK new I ), new T x R x I If x = old, then the server ust updates: I PRNG ( RN SP ) PRNG( RN new SK x I ) T x R (1) () Step 6: After recevng SM 3, the tag uses ts saved parameters to compute PRNG (EPCs RN R ) PRNG (SP RN T ) and compares t wth receved SM 3, f a match s found, then the server s authentcated successfully by tag and the content kept nsde s updated as SK +1 PRNG (SK), SP +1 PRNG (SP ), and I +1 PRNG (RN T SP x ) (RN R SK x I ) for next sesson. 6. Securty Analyss In ths secton, we gve securty analyss of our scheme aganst dfferent common possble attacks n low cost RFID system. In order to ncrease the securty level n our protocol, the messages SM 1, SM, SM 3 and I have been computed from at least three unknown parameters and all lnear combnatons between at least two of SM 1, SM, SM 3 and I,new are assocated at least three unknown parameters. 6.1 Parameters Reveal For desgnng a RFID authentcaton protocols, t s necessary to keep the secret nformaton (EPCs, SP, SK ) of tag secure. We show how the proposed protocol ressts the exhaustve research wth complexty O ( 3 ). To retreve the secret parameters the attacker needs to ntercepts the exchanged messages RN R,SM 1, SM, SM 3 and I and performs the followng algorthm: 017 Internatonal Journal of Computer Scence Issues

7 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): Algorthm : attack senaro For EPCs : For Sk,h : 0 h 16 1 Computes: RN T =PRNG (SK,h EPCs I ) SM The attacker need to check: If SM 1 = PRNG (EPCs RN R ) PRNG(SK,h RN T ) s correct Return SK,h and EPCs End for End For From the above scenaro we conclude that the attacker needs to travers at least two varable from 0 to 16-1, as consequently the proposed protocol can resst to exhaustve search attack wth complexty O ( 3 ). 6. Replay Attack Durng the authentcaton phase, new par of random numbers RN T and RN R have been generated n each sesson, and these random are used to protect the exchanged nformaton from replay attacks n the next sesson of the authentcaton. 6.3 Forward Secrecy In the proposed protocol, f an attacker gets the secret nformaton of the tag n the current sesson, he/she wll not be able to obtan the secret nformaton of prevous sesson, because at the end of each successful sesson, the authentcaton and access keys stored n the tag are updated usng the PRNG functon. If attacker needs to trace the tag s prevous communcatons, he/she should ntercept SM 1 and SM and XOR them to obtan PRNG (EPCs RN R ) PRNG (SK RN T ) PRNG (SK EPCs I ) RN T. Even wth the compromsed EPCs and ntercepted RN R and I, he stll needs RN T and SK to pass the verfcaton. However, RN T and SK are transmtted wth the protecton of the prevous authentcaton key. Then the attacker cannot fnd the prevous secret. So, the forward secrecy s satsfed. 6.4 De-synchronzaton Attack If attacker blocks the last message, he/she does not desynchronze the tag and the server, because the server keeps the old and new values (SK new,sk old,sp new,sp old, I new, I old ) whch are matched wth the tag, and t s stll allowed to communcate wth the reader n the next sesson. Hence, the proposed protocol ressts aganst the de-synchronzaton attack. 6.5 Traceablty Attack In our scheme, the shared secret parameters between the server and tag are updated at the end of every successful sesson, moreover new random numbers RN T and RN R are generated for every sesson. Then an attacker cannot track a tag based on the ntercepted messages, so the proposed resst aganst traceablty attack. 6.6 Tag Impersonaton Attack In the proposed protocol, f an attacker try to lunch tag mpersonaton attacks, he/she needs to compute a vald messages SM 1 and SM of tag, usng EPCs, SK, I, RN R, RN T.snce SK and I are protected and updated at the end of each sesson, moreover RN R and RN T are refreshed n next sesson, an attacker cannot mpersonate the tag. As a result the proposed protocol s secure aganst tag mpersonaton attacks. 6.7 Server Impersonaton Attack In the proposed protocol, f an attacker try to lunch server mpersonaton attacks, he/she needs to compute a vald messages SM 3 of server, usng EPCs, SP, RN R,RN T.snce SP s protected and updated at the end of each sesson,moreover RN R and RN T are refreshed n next sesson, an attacker cannot mpersonate the server. As a result the proposed protocol s secure aganst sever mpersonaton attacks. 7. Performance Analyss The performance of the proposed protocol s evaluated n dfferent aspects whch are securty analyss, computaton cost and communcaton cost. 7.1 Computaton Cost The man problem n desgnng a secure authentcaton protocol conformng to RFID EPC-C1G standard s the computaton restrcton on the tags. The proposed protocol only requres lghtweght operatons on the tag whch are btwse XOR and PRNG functons. These functons are low-cost and can be effcently mplement n hardware. 7. Communcaton Cost Durng the mutual authentcaton phase, the tag transmt 3 messages (SM 1, SM and I ) n our protocol aganst 4 messages (C, M 1, CN and M ) n Pang et.al protocol. Then, the tag send 3Ɩ (48 bts) aganst 4Ɩ (64 bts) n Pang et. al protocol, wth the length of one message s Ɩ, n our 017 Internatonal Journal of Computer Scence Issues

8 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): case Ɩ equal 16bts. As consequently, the proposed protocol provdes a low communcaton cost. 7.3 Database Loadng In the proposed protocol, the ndex I s used to access the database, ths allows the server to retreve the data record correspondng to tag n the database, as consequently the performance of the system has not been changed. 8. Conclusons In ths paper, we have shown that Pang et.al s protocol does not acheve the clamed securty and not conform to EPC-C1G. As EPC-C1G low-cost tags have lmted storage capabltes and computaton power, we have desgned a novel lghtweght mutual authentcaton protocol conformng to EPC-C1 G standard. Our scheme provdes hgh securty level and used smple operator (XOR and PRNG) on the tag, whch are sutable for current EPC-C1 G standard. References [1] Frank B. Song and C. J. Mtchell, Scalable rfd securty protocols supportng tag ownershp transfer, (011) Comput. Commun, vol. 34, pp , Aprl. [] K. Ouaf and R. C.-W. Phan, Prvacy of Recent RFID Authentcaton Protocols, 4th Internatonal Conference on Informaton Securty Practce and Experence ISPEC 008, ser. Lecture Notes n Computer Scence, L. Chen, Y. Mu, and W. Suslo, Eds., vol Sydney,Australa: Sprnger, Aprl 008, pp [3] T. Dmtrou, A lghtweght rfd protocol to protect aganst traceablty and clonng attacks, Proceedngs of the 1st Internatonal Conference on Securty and Prvacy for Emergng Areas n Communcatons Networks, ser. SECURECOMM 05. Washngton, DC, USA: IEEE Computer Socety, 005, pp [4] EPCglobal, EPC rado-frequency dentty protocols class-1 generaton- UHF RFID protocol for communcatons at 860 MHz 960 MHz, Verson 1..0, Specfcaton for RFID Ar Interface, EPCglobal, 008. [5] D.V. Baley, and A. Juels, Shoehornng securty nto the EPC tag standard, In R. D. Prsco, and M. Yung, edtors, SCN, of Lecture Notes n Computer Scence, Sprnger, 006, Vol. 4116, pp [6] P. Pers-Lopez, J. C. Hernandez-Castro, J. M. Estevez-T apador, and A. Rbagorda, RFID specfcaton revsted, In The nternet of thngs: From RFID to The Next Generaton Pervasve Networked Systems, Taylor & Francs Group, 008, pp [7] Chen HY, Chen CH. Mutual authentcaton protocol for RFID conformng to EPC Class 1 Generaton standards. Computer Standards & Interface Journal 007; 9: [8] K. Ahsan, and H. Shah, P. Kngston, " RFID Applcatons: An Introductory and Exploratory Study", IJCSI Internatonal Journal of Computer Scence Issues, Vol. 7, Issue 1, No. 3, pp. 1-7, 010. [9] P. Pers-Lopez, T. L, T.L. Lm, J.C. Hernandez-Castro,and J.M. Estevez-Tapador, Practcal attacks on a mutual authentcaton scheme under the EPCClass-1Generaton- standard, Computer Communcatons,vol.3, No7,pp ,008. [10] Chen CL, Deng YY. Conformaton of EPC Class 1 Generaton standards RFID system wth mutual authentcaton and prvacy protecton. Engneerng Applcatons of Artfcal Intellgence 009; [11] T. C. Yeh, Y. J Wang, T. C. Kuo and S. S. Wang, Securng RFID systems conformng to EPC Class 1 Generaton standard, Expert Systems wth Applcatons, vol.37,no 1, pp ,011 [1] E.-J. Yoon, Improvement of the securng rfd systems conformng to epc class 1 generaton standard, Expert Syst. Appl., vol. 39, no. 1, pp , Dec. 01. [13] Pang, L. J., He, L., Pe, Q., & Wang, Y. Secure and effcent mutual authentcaton protocol for RFID conformng to the EPC C-1 G- Standard, In 013 IEEE wreless communcatons and networkng conference (WCNC): NETWORKS (pp ). IEEE Computer Socety. [14] B. Abdolmalek, H. Bakhs, K. Baghery, and M. R. Aref, Analyss of an RFID authentcaton protocol n accordance wth EPC standards, (014) Internatonal Journal of Informaton & Communcaton Technology Research, vol. 6, pp Ahmed Maarof has receved M.S. degrees n Telecommuncatons and Mcroelectroncs from FSTF (Faculty of Scence and Technology), Fez, Morocco n 005. Snce 01, he s workng toward a Ph.D. degree at college of Engneerng, Ecole Natonale Supéreure d'informatque et d'analyse des Systèmes (ENSIAS), Mohammed V Unversty. Hs nterests are securty n low cost RFID securty and Lghtweght cryptography for Internet of thngs (IoTs), low power crcut desgn technques for passve tags. Snce 006, Ahmed Maarof has worked as sub-contractor hardware and software engneer for several company such as Texas nstruments, ON-semconductor, Wolfson,ST-Ercsson,Zodac Aerospace and Freescale, now he s a sub-contractor hardware engneer for NXP. Mohamed Senhad s currently an Assstant Professor at the communcaton networks department of Ecole Natonale Supéreure d'informatque et d'analyse des Systèmes (ENSIAS), Mohammed V - Souss Unversty, Morocco. He gves several courses at ENSIAS school such Computer Archtecture, Assembly, Mcroprocessors and Implementaton Networks, Physcal securty and smart card. Hs research nterests le wth the feld of wreless networkng, RFID technologes, Internet of Thngs (IoTs) and Ad-hoc networks. Zouher Labb has receved M.S. degrees n Telecommuncatons and Mcroelectroncs from FSTF (Faculty of Scence and Technology), Fez, Morocco n 005. Snce 01, he s workng toward a Ph.D. degree at college of Engneerng, Ecole Natonale Supéreure d'informatque et d'analyse des Systèmes (ENSIAS), Mohammed V Unversty. Hs nterests are securty n low cost RFID and applcaton of RFID technologes n Internet of thngs (IoTs). Snce 006, Zouher Labb has worked as support and software engneer for Alcatel-Lucent, now he s as software 017 Internatonal Journal of Computer Scence Issues

9 IJCSI Internatonal Journal of Computer Scence Issues, Volume 14, Issue 6, November 017 ISSN (Prnt): ISSN (Onlne): engneer at NOKIA. Mostafa Belkasm s a professor at ENSIAS (Ecole Natonale Supéreure d Informatque et d Analyse des Systèmes, Rabat); head of Telecom and Embedded Systems Team at SIME Lab. He had PhD at Toulouse Unversty n 1991(France). Hs current research nterests nclude, RFID technologes, Internet of Thngs (IoTs), moble and wreless communcatons, nterconnectons for 3G and 4G, and Informaton and Codng Theory. 017 Internatonal Journal of Computer Scence Issues