Vajda and Buttyan (VB) proposed a set of five lightweight RFID authentication protocols. Defend, Fu, and Juels (DFJ) cryptanalyzed two of them, XOR and SUBSET. Against the XOR protocol, DFJ proposed a repeated keys attack and a nibble attack. In this paper, we identify the vulnerability in VB's original successive session key permutation algorithm. We propose three enhancements to prevent DFJ's attacks and make the XOR protocol stronger without introducing extra resource cost.
Enhancements to A Lightweight RFID Authentication Protocol
Xiaowen Zhang¹, Zhanyang Zhang¹, Xinzhou Wei²
¹ Dept. of Computer Science, College of Staten Island / CUNY, Staten Island, NY 10314
² Dept. of ETET, New York City College of Technology / CUNY, Brooklyn, NY 11201
1 INTRODUCTION
Along with the massive deployment of Radio Frequency Identification (RFID) systems in a variety
of applications, many security issues and privacy concerns have been raised. Some
consumer rights protection organizations, like CASPIAN (Consumers Against Supermarket
Privacy Invasion and Numbering), are against the use of RFID [2].
In general an RFID system consists of three kinds of components: many (thousands to millions)
RFID tags (or transponders), several RFID readers (or interrogators), and a few backend
computer servers. An RFID tag is a tiny microchip equipped with a radio frequency antenna. It is
capable of emitting the identification and other related data for the tagged item. A reader is
another electronic device located between the tags and the backend server. A reader gets information
from or sends information to the tag. It communicates with (updates) the backend server. A
backend server runs application software, hosts databases, and processes tag information received
from a reader. A server acts as a gateway. It communicates (through wireless or wired links) with
readers on one end and with the enterprise network (the Internet) infrastructure on the other end.
The wireless communication links between tags and readers are considered the most vulnerable
to security and privacy threats. As documented in many publications [1, 7, 13], RFID and security
experts have devoted a lot of effort to addressing these threats. Among those efforts, new RFID
authentication protocols and their analysis are active areas of research [3, 5, 6, 8, 9, 10, 12].
Adding security features to low-cost RFID tags is a daunting and challenging task because these
tags are extremely resource limited and cannot afford strong cryptographic algorithms.
Practical RFID authentication protocols should have the following characteristics: lightweight
operation, anonymity (untraceability), and mutual authentication.
Vajda and Buttyan (VB) [14] proposed a set of five lightweight RFID authentication protocols
and also gave a brief analysis. Each one of the protocols is extremely lightweight in terms of
resources required, and is considered suitable for resource limited devices, like RFID tags.
Defend, Fu, and Juels (DFJ) [4] cryptanalyzed two of them, XOR and SUBSET. DFJ
proposed a repeated keys attack and a nibble attack to compromise the XOR protocol. In this paper,
we identify the vulnerability in VB's original successive session key permutation
algorithm. We propose three enhancements (removing bad shuffles, hopping the runs, and
authenticating mutually) to prevent DFJ's attacks and make the XOR protocol stronger without
introducing extra resource cost.
2 ORIGINAL XOR PROTOCOL AND REPEATED KEYS ATTACK
The original XOR protocol by VB [14] is a challenge-response protocol (see Figure 1).
Under the following assumptions: (1) the reader and the tag initially share a secret key k(0),
(2) both reader and tag are capable of calculating a permutation ∏ (given below), and (3)
the reader and tag maintain a synchronized counter i to indicate the current run of authentication,
the challenge-response process at the i-th run can be described as:
Reader –> Tag: a(i) = x(i) ⊕ k(i)
// Reader picks a random number x(i), calculates k(i), then sends a challenge a(i) = x(i) ⊕ k(i) to Tag.
Tag –> Reader: b(i) = x(i) ⊕ k(0)
// Tag calculates k(i), extracts the challenge x(i) by k(i) ⊕ a(i), then sends a response b(i) = x(i) ⊕ k(0) to
// Reader. The Reader then verifies the Tag, because only the Tag knows k(0).
Here k(i) = ∏(k(i-1)), and ∏: {0, 1}^n –> {0, 1}^n is a permutation starting from the initial secret key
k(0). That is, k(1) = ∏(k(0)), k(2) = ∏(k(1)), …, k(i-1) = ∏(k(i-2)), k(i) = ∏(k(i-1)), …. Because x(i) is
random, so are a(i) = x(i) ⊕ k(i) and b(i) = x(i) ⊕ k(0). If x(i) is truly random, no information
about the secret k(0) is revealed from the communication.
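The exchange described above as a runnable sketch with both sides' state (an added example, not code from the paper). The steps of ∏ are cut off on this page, so `placeholder_perm` is a labeled stand-in (a one-byte rotation); the class and function names and the sample key are assumptions as well.

```python
import secrets

def placeholder_perm(k: bytes) -> bytes:
    # ASSUMPTION: stand-in for the paper's permutation, whose steps are cut off
    # on this page. Rotates the key left by one byte; NOT VB's algorithm.
    return k[1:] + k[:1]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

class Party:
    """State both sides keep: k(0), the session key k(i) and the run counter i."""
    def __init__(self, k0: bytes, perm=placeholder_perm):
        self.k0, self.k, self.i, self.perm = k0, k0, 0, perm

    def next_run(self) -> None:
        self.i += 1
        self.k = self.perm(self.k)            # k(i) = perm(k(i-1))

class Reader(Party):
    def challenge(self) -> bytes:
        self.next_run()
        self.x = secrets.token_bytes(len(self.k0))   # fresh random x(i)
        return xor(self.x, self.k)            # a(i) = x(i) XOR k(i)

    def verify(self, b: bytes) -> bool:
        # Accept only if b(i) == x(i) XOR k(0); constant-time comparison.
        return secrets.compare_digest(b, xor(self.x, self.k0))

class Tag(Party):
    def respond(self, a: bytes) -> bytes:
        self.next_run()
        x = xor(a, self.k)                    # recover x(i) = a(i) XOR k(i)
        return xor(x, self.k0)                # b(i) = x(i) XOR k(0)

def run_session(reader: Reader, tag: Tag):
    """One authentication run; returns (a, b, accepted).
    With both counters in sync, x(i) cancels: a XOR b == k(i) XOR k(0)."""
    a = reader.challenge()
    b = tag.respond(a)
    return a, b, reader.verify(b)

if __name__ == "__main__":
    k0 = bytes(range(16))                     # constructed 128-bit sample key
    reader, tag = Reader(k0), Tag(k0)
    print("in sync:", run_session(reader, tag)[2])
    reader.challenge()                        # a challenge the tag never receives
    print("after a lost challenge:", run_session(reader, tag)[2])
```
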
Suppose the key length is n = 128 bits; the steps of the permutation ∏ are as follows:
• Step-1: In run (i-1), the session key k(i-1) is split into 16 bytes, then cut each byte into two
nibbles of 4-bit each. Then concatenate all left nibb
…(Full text truncated)…