Cryptanalysis of a novel authentication protocol conforming to EPC-C1G2 standard

Authors:
Pedro Peris-Lopez;Julio Cesar Hernandez-Castro;Juan M. Estevez-Tapiador;Arturo Ribagorda
Affiliations:
Computer Science Department, Carlos III University of Madrid, Spain;Computer Science Department, Carlos III University of Madrid, Spain;Computer Science Department, Carlos III University of Madrid, Spain;Computer Science Department, Carlos III University of Madrid, Spain
Venue:
Computer Standards & Interfaces
Year:
2009

Citing 15
Cited 10

Computer Networks

Computer Networks
RFID Systems and Security and Privacy Implications

CHES '02 Revised Papers from the 4th International Workshop on Cryptographic Hardware and Embedded Systems
Hash-based Enhancement of Location Privacy for Radio-Frequency Identification Devices using Varying Identifiers

PERCOMW '04 Proceedings of the Second IEEE Annual Conference on Pervasive Computing and Communications Workshops
Strengthening EPC tags against cloning

Proceedings of the 4th ACM workshop on Wireless security
RFID security without extensive cryptography

Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks
A Lightweight RFID Protocol to protect against Traceability and Cloning attacks

SECURECOMM '05 Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks
Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards

Computer Standards & Interfaces
Protocols for RFID tag/reader authentication

Decision Support Systems
Security analysis of a cryptographically-enabled RFID device

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
An efficient authentication protocol for RFID systems resistant to active attacks

EUC'07 Proceedings of the 2007 conference on Emerging direction in embedded and ubiquitous computing
Low-cost and strong-security RFID authentication protocol

EUC'07 Proceedings of the 2007 conference on Emerging direction in embedded and ubiquitous computing
RFID systems: a survey on security threats and proposed solutions

PWC'06 Proceedings of the 11th IFIP TC6 international conference on Personal Wireless Communications
Efficient RFID authentication protocol for ubiquitous computing environment

EUC'05 Proceedings of the 2005 international conference on Embedded and Ubiquitous Computing
Shoehorning security into the EPC tag standard

SCN'06 Proceedings of the 5th international conference on Security and Cryptography for Networks
RFID security and privacy: a research survey

IEEE Journal on Selected Areas in Communications

Securing RFID systems conforming to EPC Class 1 Generation 2 standard

Expert Systems with Applications: An International Journal
Weaknesses in two recent lightweight RFID authentication protocols

Inscrypt'09 Proceedings of the 5th international conference on Information security and cryptology
Flaws on RFID grouping-proofs. Guidelines for future sound protocols

Journal of Network and Computer Applications
On the security of mutual authentication protocols for RFID systems: the case of wei et al.'s protocol

DPM'11 Proceedings of the 6th international conference, and 4th international conference on Data Privacy Management and Autonomous Spontaneus Security
A minimum disclosure approach to authentication and privacy in RFID systems

Computer Networks: The International Journal of Computer and Telecommunications Networking
Based on mobile RFID for membership stores system conforming EPC C1G2 standards

International Journal of Ad Hoc and Ubiquitous Computing
A practical quadratic residues based scheme for authentication and privacy in mobile RFID systems

Ad Hoc Networks
An Ownership Transfer Scheme Using Mobile RFIDs

Wireless Personal Communications: An International Journal
Strengthening the Security of EPC C-1 G-2 RFID Standard

Wireless Personal Communications: An International Journal
Design of a secure RFID authentication scheme preceding market transactions

Mobile Information Systems - Emerging Wireless and Mobile Technologies

Quantified Score

Hi-index	0.00

Visualization

Abstract

In 2006, the standard EPC Class-1 Generation-2 (EPC-C1G2) was ratified both by EPCglobal and ISO. This standard can be considered as a ''universal'' specification for low-cost RFID tags. Although it represents a great advance for the consolidation of RFID technology, it does not pay due attention to security and, as expected, its security level is very low. In 2007, Chien et al. published a mutual authentication protocol conforming to EPC-C1G2 which tried to correct all its security shortcomings. In this article, we point out various major security flaws in Chien et al.'s proposal. We show that none of the authentication protocol objectives are met. Unequivocal identification of tagged items is not guaranteed because of possible birthday attacks. Furthermore, an attacker can impersonate not only legitimate tags, but also the back-end database. The protocol does not provide forward security either. Location privacy is easily jeopardized by a straightforward tracking attack. Finally, we show how a successful auto-desynchronization (DoS attack) can be accomplished in the back-end database despite the security measures taken against it.