Cryptanalysis of the SASI Ultralightweight RFID Authentication Protocol with Modular Rotations
In this work we present the first passive attack over the SASI lightweight authentication protocol with modular rotations. This can be used to fully recover the secret $ID$ of the RFID tag, which is the value the protocol is designed to conceal. The …
Authors: Julio C. Hernandez-Castro, Juan M. E. Tapiador
Julio Cesar Hernandez-Castro†, Juan M. E. Tapiador†, Pedro Peris-Lopez† and Jean-Jacques Quisquater‡

‡ Crypto Group, DICE, Université Louvain-la-Neuve, Place du Levant, 1 B-1348 Louvain-la-Neuve, Belgium
† Computer Science Department, Carlos III University, Avda. de la Universidad, 30, 28911 Leganes, Madrid, Spain

November 4, 2018

Abstract

In this work we present the first passive attack over the SASI lightweight authentication protocol with modular rotations. This can be used to fully recover the secret $ID$ of the RFID tag, which is the value the protocol is designed to conceal. The attack is described initially for recovering $\lfloor \log_2(96) \rfloor = 6$ bits of the secret value $ID$, a result that by itself allows to mount traceability attacks on any given tag. However, the proposed scheme can be extended to obtain any amount of bits of the secret $ID$, provided a sufficiently large number of successful consecutive sessions are eavesdropped. We also present results on the attack's efficiency, and some ideas to secure this version of the SASI protocol.

Index Terms – Cryptanalysis, RFID, authentication, SASI, protocol.

1 Introduction

In 2007 Hung-Yu Chien published a very interesting ultralightweight authentication protocol providing Strong Authentication and Strong Integrity (SASI) for very low-cost RFID tags [1]. This was a much needed answer to the increasing need for schemes providing such properties in very constrained environments like RFID systems. As the previous attempts to design ultralightweight protocols have failed (all proposals have been broken), this new scheme was specially interesting. As we will see later, the major difference between this proposal and existing ones is the inclusion of the rotation operation.
There has been, however, some confusion over the concrete type of rotation recommended by the author. It is important to note that the way in which rotations should be performed is not specified at all in the original paper [1]. So the first researchers to publish some weaknesses (two desynchronization attacks) against the protocol [10] needed to contact the author to clarify this issue. After a private communication, the author stated that the rotation he intended to use in the protocol was $Rot(A, B) = A << wt(B)$, where $wt(B)$ stands for the Hamming weight of vector $B$. That turned out to be a wise decision, as if he had decided to use the more common rotation definition of $Rot(A, B) = A << (B \bmod N)$, he would have run into the attack described in this paper. This latter version of the protocol, with a modular rotation instead of a Hamming weight rotation, is the one which is analyzed in this work.

The rest of the paper is organized as follows. In the next section we describe the SASI protocol, then in Section 3 we introduce our attack. Finally, in Section 4 we extract some conclusions that could help in devising new and stronger versions of this variant of the SASI protocol. The source code of a very simple implementation of the attack can be found in the Appendix.

2 Description of the SASI Protocol

The SASI protocol is briefly described in the following, where $R$ represents the reader, $T$ represents the tag, $IDS$ stands for an index pseudonym, $ID$ is the tag's private identifier, $K_i$ represent the tag's secret keys and $n_1$ and $n_2$ are nonces. The $ID$ is the most valuable information allowing the unequivocal identification of tagged items, a property that is not provided by other consolidated identification systems such as barcodes.

1. $R \rightarrow T$: hello
2. $T \rightarrow R$: $IDS$
3. With $IDS$, the reader finds in the back-end database the tag's secret values $ID$, $K_1$, and $K_2$.
4. $R$ generates nonces $n_1$ and $n_2$ to construct messages $A$, $B$ and $C$ as follows:

$A = IDS \oplus K_1 \oplus n_1$
$B = (IDS \lor K_2) + n_2$
$C = (K_1 \oplus \bar{K}_2) + (K_2 \oplus \bar{K}_1)$, where
$\bar{K}_1 = Rot(K_1 \oplus n_2, K_1)$
$\bar{K}_2 = Rot(K_2 \oplus n_1, K_2)$

where $\oplus$ stands for the usual addition modulo 2, $+$ represents addition modulo $2^{96}$, and $\lor$ is the usual bitwise OR operation. Finally, the reader sends to the tag the concatenation of $A$, $B$ and $C$:

$R \rightarrow T$: $A \| B \| C$

5. From $A$ and $B$, respectively, the tag can obtain values $n_1$ and $n_2$. Then, it locally computes $C$ and checks if the result of its local computation is equal to the sent value. If this were the case, it updates the values of $IDS$, $K_1$ and $K_2$ in the following manner:

$IDS^{next} = (IDS + ID) \oplus (n_2 \oplus \bar{K}_1)$
$K_1^{next} = \bar{K}_1$
$K_2^{next} = \bar{K}_2$

6. $T \rightarrow R$: $D$ with $D = (\bar{K}_2 + ID) \oplus ((K_1 \oplus K_2) \lor \bar{K}_1)$
7. $R$ verifies $D$ and, if it is equal to the result of its local computation, it updates $IDS$, $K_1$ and $K_2$ just as the tag.

3 Cryptanalysis of SASI with Modular Rotations

Before presenting the cryptanalysis of SASI with modular rotations, we explain the background and general assumptions on which the protocol is based.

3.1 Background

In 2006, Peris et al. proposed a family of Ultralightweight Mutual Authentication Protocols (henceforth referred to as the UMAP family of protocols). Chronologically, M2AP [2] was the first proposal, followed by EMAP [3] and LMAP [4]. Although some vulnerabilities were discovered (active attacks [5, 6] and later on passive attacks [7, 8]) which rendered those first proposals insecure, they were an interesting advance in the field of lightweight cryptography for low-cost RFID tags. The SASI protocol is highly reminiscent of the UMAP family, and more concretely, of the LMAP protocol.
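The message flow of Section 2, as an added example that is not part of the paper (the paper's own code is the attack simulation in the Appendix): a small Python model of one SASI session in which reader and tag each build, verify and update their state, parameterised by the rotation definition, since Section 1 notes that the modular rotation $Rot(A, B) = A << (B \bmod 96)$ and the Hamming weight rotation $Rot(A, B) = A << wt(B)$ yield different protocols. The class and function names, the seeded toy secrets and the tampered-message check are this example's own choices, not anything the paper specifies.

```python
# Added example (not the paper's code): one SASI session, steps 4 to 7 of
# Section 2, with either rotation definition. All names are this example's own.
import random

WIDTH = 96
MASK = (1 << WIDTH) - 1


def wt(x):
    """Hamming weight of x."""
    return bin(x).count("1")


def rot(a, amount):
    """Left-rotate the 96-bit value a by amount positions."""
    amount %= WIDTH
    return ((a << amount) | (a >> (WIDTH - amount))) & MASK


def rot_modular(a, b):
    """Rot(A, B) = A << (B mod 96): the variant analysed in the paper."""
    return rot(a, b % WIDTH)


def rot_hamming(a, b):
    """Rot(A, B) = A << wt(B): the definition the protocol's author intended."""
    return rot(a, wt(b))


class Party:
    """State shared by a reader/tag pair: IDS, ID, K1, K2 and the rotation used."""

    def __init__(self, ids, tag_id, k1, k2, rotation):
        self.ids, self.id, self.k1, self.k2 = ids, tag_id, k1, k2
        self.rotation = rotation

    def _bar_keys(self, n1, n2):
        k1_bar = self.rotation(self.k1 ^ n2, self.k1)
        k2_bar = self.rotation(self.k2 ^ n1, self.k2)
        return k1_bar, k2_bar

    def reader_challenge(self, n1, n2):
        """Step 4: build A, B, C from fresh nonces."""
        k1_bar, k2_bar = self._bar_keys(n1, n2)
        a = self.ids ^ self.k1 ^ n1
        b = ((self.ids | self.k2) + n2) & MASK
        c = ((self.k1 ^ k2_bar) + (self.k2 ^ k1_bar)) & MASK
        return a, b, c

    def tag_respond(self, a, b, c):
        """Steps 5 and 6: recover the nonces, verify C, update, answer D.
        Returns None (and leaves the state untouched) if C does not verify."""
        n1 = a ^ self.ids ^ self.k1
        n2 = (b - (self.ids | self.k2)) & MASK
        k1_bar, k2_bar = self._bar_keys(n1, n2)
        expected_c = ((self.k1 ^ k2_bar) + (self.k2 ^ k1_bar)) & MASK
        if expected_c != c:
            return None
        d = ((k2_bar + self.id) & MASK) ^ ((self.k1 ^ self.k2) | k1_bar)
        self._update(n2, k1_bar, k2_bar)
        return d

    def reader_finish(self, n1, n2, d):
        """Step 7: verify D and update exactly as the tag did."""
        k1_bar, k2_bar = self._bar_keys(n1, n2)
        expected_d = ((k2_bar + self.id) & MASK) ^ ((self.k1 ^ self.k2) | k1_bar)
        if expected_d != d:
            return False
        self._update(n2, k1_bar, k2_bar)
        return True

    def _update(self, n2, k1_bar, k2_bar):
        self.ids = ((self.ids + self.id) & MASK) ^ (n2 ^ k1_bar)
        self.k1, self.k2 = k1_bar, k2_bar

    def state(self):
        return (self.ids, self.k1, self.k2)


def run_session(rotation, seed=1, tamper=False):
    """Run one full session; return (accepted, reader_state, tag_state)."""
    rng = random.Random(seed)
    secrets = [rng.getrandbits(WIDTH) for _ in range(4)]  # constructed IDS, ID, K1, K2
    reader = Party(*secrets, rotation)
    tag = Party(*secrets, rotation)
    n1, n2 = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)
    a, b, c = reader.reader_challenge(n1, n2)
    if tamper:
        c ^= 1  # simulate a corrupted third message on the air
    d = tag.tag_respond(a, b, c)
    accepted = d is not None and reader.reader_finish(n1, n2, d)
    return accepted, reader.state(), tag.state()


if __name__ == "__main__":
    for name, fn in (("modular", rot_modular), ("hamming", rot_hamming)):
        ok, reader_state, tag_state = run_session(fn)
        print(name, "accepted:", ok, "synchronised:", reader_state == tag_state)
```

`run_session` returns whether the session was accepted together with both parties' post-session (IDS, K1, K2); a corrupted C is rejected by the tag before any update, so both sides keep their previous, still synchronised state.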
Before the SASI proposal, however, all the messages exchanged over the insecure radio channel were computed by the composition of very simple operations such as addition modulo 2, addition modulo $2^{96}$, and bitwise operations like OR and AND. This presented a major drawback, as all of these operations are triangular functions (T-functions) [9]. That is, these functions have the property that output bits only depend on the leftmost input bits, instead of all input bits. Furthermore, the composition of triangular operations always results in a triangular function. This undesirable characteristic greatly facilitated the analysis of the messages transmitted in the UMAP family of protocols, and thus the work of the cryptanalyst.

The main difference between LMAP and SASI is the inclusion of a non-triangular function, such that the composition of all operations would no longer be triangular. Specifically, rotation is now included in the set of operations supported by the tag, which is a reasonable assumption, as it can be performed quite efficiently.

3.2 Analytical Results

The natural way of attacking this protocol is to consider what happens when modular rotations are not performed, that is, when the amount of rotation given by the second argument is zero modulo 96. For these cases, the proposed protocol uses exactly the same set of operations that lead to the attacks over the previous ultralightweight protocols, that is, only triangular functions. This should ease any analysis.
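To make the T-function property of Section 3.1 concrete, the following added example (not from the paper) probes each operation empirically: it flips one input bit at position j and reports whether any output bit below j changes, which a triangular function never does, while a rotation by a non-zero amount routinely does. The helper names and the sample of operations, including the composite $\bar{K}_1 = Rot(K_1 \oplus n_2, K_1)$ taken from the protocol with the modular rotation, are assumptions of this example.

```python
# Added example (not from the paper): empirical T-function check on 96-bit values.
# Operation names and the probing strategy are this example's own choices.
import random

WIDTH = 96
MASK = (1 << WIDTH) - 1


def rot(a, amount):
    """Left-rotate the 96-bit value a by amount positions."""
    amount %= WIDTH
    return ((a << amount) | (a >> (WIDTH - amount))) & MASK


def is_triangular(f, trials=500, seed=0):
    """Return True if, over `trials` random probes, flipping input bit j never
    changed an output bit i < j (output bit i depends only on input bits 0..i).
    A single counterexample is enough to return False."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = rng.getrandbits(WIDTH), rng.getrandbits(WIDTH)
        base = f(x, y)
        j = rng.randrange(1, WIDTH)
        if rng.random() < 0.5:          # flip bit j of either argument
            out = f(x ^ (1 << j), y)
        else:
            out = f(x, y ^ (1 << j))
        lower_bits = (1 << j) - 1
        if (out ^ base) & lower_bits:   # some output bit below j changed
            return False
    return True


# The operations of Section 3.1 plus the rotation that SASI adds.
OPS = {
    "xor": lambda x, y: x ^ y,
    "add": lambda x, y: (x + y) & MASK,
    "or": lambda x, y: x | y,
    "and": lambda x, y: x & y,
    "composite": lambda x, y: ((x | y) + (x ^ y)) & MASK,  # T-functions compose
    "rot": lambda x, y: rot(x, y),            # second argument is the amount mod 96
    "sasi_k1bar": lambda k1, n2: rot(k1 ^ n2, k1),  # modular-rotation K1 bar
}


def classify():
    """Map each operation name to whether it behaved as a T-function."""
    return {name: is_triangular(f) for name, f in OPS.items()}


if __name__ == "__main__":
    for name, triangular in classify().items():
        print(f"{name:12s} triangular: {triangular}")
```

The probe is a necessary-condition test only: it can prove that an operation is not triangular (one counterexample) but only gathers evidence that it is, which is enough here because XOR, addition, OR and AND are known T-functions [9].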
Therefore:

$\bar{K}_1 = Rot(K_1 \oplus n_2, K_1) = Rot(K_1 \oplus n_2, K_1 \bmod 96) = Rot(K_1 \oplus n_2, 0) = K_1 \oplus n_2$ (1)

Similarly,

$\bar{K}_2 = Rot(K_2 \oplus n_1, K_2) = K_2 \oplus n_1$ (2)

This has a particularly nasty impact in the process of index pseudonym ($IDS$) update, since

$IDS^{next} = (IDS + ID) \oplus (n_2 \oplus \bar{K}_1) = (IDS + ID) \oplus (n_2 \oplus K_1 \oplus n_2) = (IDS + ID) \oplus K_1$ (3)

So we have that $ID = (IDS^{next} \oplus K_1) - IDS$ and we can take full advantage of the knowledge that $K_1 = K_2 = 0 \bmod 96$ to conclude that, with a probability depicted in Table 1, only depending on the value of $N$ ($N = 96$ in this case, but other values could be used for recovering more bits), it holds that

$ID \bmod 96 \approx (IDS^{next} - IDS) \bmod 96$ (4)

As both values $IDS^{next}$ and $IDS$ are public and easily observable by snooping at two consecutive authentication sessions, this relation allows us to recover the $\lfloor \log_2(96) \rfloor = 6$ less significant bits of the secret $ID$ and, analogously, to perform a traceability attack over the tag.

The only question that remains is how to recognize when the conditions $K_1 = 0 \bmod 96$ and $K_2 = 0 \bmod 96$ hold simultaneously, since $K_1$ and $K_2$ are secrets that only the tag and the reader should know. Fortunately, this is possible by checking if certain relations (that only involve public values) hold. Let us suppose that $K_1 = K_2 = 0 \bmod 96$, then

$\bar{K}_1 = Rot(K_1 \oplus n_2, K_1) = Rot(K_1 \oplus n_2, 0) = K_1 \oplus n_2$ (5)
$\bar{K}_2 = Rot(K_2 \oplus n_1, K_2) = Rot(K_2 \oplus n_1, 0) = K_2 \oplus n_1$ (6)

So

$C = (K_1 \oplus \bar{K}_2) + (K_2 \oplus \bar{K}_1) = (K_1 \oplus K_2 \oplus n_1) + (K_2 \oplus K_1 \oplus n_2)$ (7)

which implies that

$C \bmod 96 = ((K_1 \oplus K_2 \oplus n_1) + (K_2 \oplus K_1 \oplus n_2)) \bmod 96 \approx (n_1 + n_2) \bmod 96$.
(8)

The value of $(n_1 + n_2) \bmod 96$ can also be probabilistically obtained from the observed values of public messages $A$, $B$ and $IDS$ because:

$A = IDS \oplus K_1 \oplus n_1 \Rightarrow n_1 = A \oplus IDS \oplus K_1$ (9)

and then we can get that

$n_1 \bmod 96 = (A \oplus IDS \oplus K_1) \bmod 96 \approx (A \oplus IDS) \bmod 96$ (10)

because, by hypothesis, $K_1 = 0 \bmod 96$. Similarly, we can obtain that, as $B = (IDS \lor K_2) + n_2$, then

$n_2 \approx (B - IDS) \bmod 96$ (11)

All in all, we can conclude that if $K_1 = K_2 = 0 \bmod 96$ then, with a probability given in Table 1,

$C \bmod 96 \approx (n_1 + n_2) \bmod 96 \approx ((A \oplus IDS) + (B - IDS)) \bmod 96$ (12)

so what is only left is to passively snoop multiple authentication sessions and, for each one, verify if the above condition holds. If this is the case, one should compute the value $(IDS^{next} - IDS) \bmod 96$ and from this, approximate $ID \bmod 96$.

Only one last tweak is needed to perform a successful attack: just by chance, the above relation will be true even if the two preconditions $K_1 = 0 \bmod 96$ and $K_2 = 0 \bmod 96$ are not simultaneously true, and this will lead us to a possibly wrong estimation for $ID \bmod 96$.

Table 1: Probabilities of Equations 4, 8, 10, 11 and 12 simultaneously holding for different values of $N$, given that $K_1 = K_2 = 0 \bmod N$

    N           | $2^t$ | $3 \cdot 2^t$ | $4t + 10$        | $2t + 5$
    Probability | 1.00  | 0.33          | $2 \cdot N^{-1}$ | $N^{-1}$

1. For $i = 0$ to 96
2.   $Observations[i] = 0$
3. Repeat a sufficiently high number of times $N$ the following steps:
4.   Observe an authentication session and get $IDS$, $A$, $B$ and $C$
5.   Check if for these values it holds that $C = ((A \oplus IDS) + (B - IDS)) \bmod 96$
6.   If this is not the case, go to step 4.
7.   Perform the following tasks:
8.     Wait for the authentication session to finish.
9.     Send the tag a hello message to obtain $IDS^{next}$.
10.    Compute $c = (IDS^{next} - IDS) \bmod 96$
11.    Increment $Observations[c]$
12. Find $m$, the maximum of the values in $Observations[i]$.
13.
Conjecture that $m = ID \bmod 96$.

Fig. 2. Outline of the attack.

This is, however, easily fixable by simply observing many values of $(IDS^{next} - IDS) \bmod 96$ when equation (12) holds, because the true value of $ID \bmod 96$ will likely be the most common. This fact has been experimentally verified and leads to the attack schematically described in Fig. 2.

3.3 Efficiency analysis

The attack presented could be performed not only for recovering $\lfloor \log_2(96) \rfloor$ bits of the secret value $ID$, but also works for other moduli, with varying probabilities as shown in Table 1. In particular, the set of probabilistic equations (i.e. equations 4, 8, 10, 11, 12) all hold with probability one for moduli that are a power of 2, so this allows for more efficient attacks able to obtain many more bits (i.e. $\log_2(256) = 8$, $\log_2(512) = 9$, $\log_2(1024) = 10$, etc.) if needed. In these cases, we naturally need to observe more authentication sessions for recovering more $ID$ bits. As a rule of thumb we have concluded, after extensive experimentation, that an attacker following this procedure is on average able to recover the $\lfloor \log_2(S) \rfloor$ least significant bits of $ID$ after observing around $\theta(S)$ authentication sessions.

4 Concluding Remarks

In this article we have presented an attack against a variant of a novel and quite interesting ultralightweight authentication protocol. We analyze the SASI protocol under the assumption that the most common rotation definition (i.e. modular rotation) is employed. This analysis points out that the inclusion of the rotation operation (a non-triangular function) is a necessary but by itself not sufficient condition to achieve security in lightweight protocols.
It also highlights the advantages of the Hamming rotation over the modular rotation here explored, namely that the former is much less likely to behave like the identity. This could be a good reason to lead future designers of ultralightweight protocols towards a preference for the Hamming over the modular rotation. We have to acknowledge, however, that the proposed attack is not successful against the Hamming rotation as advocated by the author of the protocol.

Today, the authors do not know any other passive attack against the SASI protocol or its modular variant. Active attacks, on the other hand, abound both against the Hamming and against the modular version of the protocol. First, Sun et al. proposed two desynchronization attacks. Then, in [11] a denial-of-service and traceability attack was proposed. Recently, D'Arco et al. proposed another desynchronization attack [12], an identity disclosure attack, and finally a full disclosure attack against modular SASI.

Some different design decisions would, on the other hand, have made our attack considerably harder, and we will briefly describe them in the following:

• The $IDS$ updating could be improved, as it is dependent on $n_2$ and on $\bar{K}_1$, which is again a function of $n_2$. This is instrumental in our attack and, in any case, leads to all sorts of bad statistical properties.

• The definitions of $\bar{K}_1$ and $\bar{K}_2$ should be rethought, as in the current way there is a kind of distributive property ($\bar{K}_1 = Rot(K_1 \oplus n_2, K_1) = Rot(K_1, K_1) \oplus Rot(n_2, K_1)$) that could ease attacks. This can be avoided by, for example, using addition instead of XOR as the inner operator, although part of the problem still remains. The ideal solution should be to devise a more complex key scheduling, but of course this will have an additional cost in terms of gate equivalents and performance.
• The use of the bitwise OR operation should be performed with extreme care, as the resulting messages are strongly biased. As an example, in the current protocol definition $n_2$ could be approximated simply by computing $n_2 \approx B - 1$. Message $D$ suffers from a similar problem. The use of a bitwise AND operation would produce similar undesirable effects. Past experience with other lightweight protocols has shown that these two operators should only be included in the inner parts of the algorithm, and every effort should be made to disguise their output into seemingly random output when constructing public messages such as $B$ and $D$.

In fact, an even more general version of this attack is possible. This alternative is, on the other hand, significantly less efficient than the attack scheme described here. It consists simply in observing and storing the different values of equation 4 (regular rotations are assumed again). In a well-designed protocol, these should approximately follow a uniform distribution, but we have experimentally observed that this is far from being the case. Following this extremely simple approach, with no approximations nor preconditions, we are able to recover up to 4 bits of the secret $ID$ after around $2^{10}$ authentication sessions with a 100% success probability, a fact that could lead to a very straightforward tracking attack.

Finally, we can conclude that the SASI protocol is indeed an interesting step in the right direction towards fully secure ultralightweight protocols, and that the decision about what type of rotations to employ was a correct one, because if modular rotations were used instead, the resulting protocol would fall short of the security requirements typically needed in these schemes.
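As an added illustration of the point made in the conclusions (this is not code from the paper), the following simulation runs the $IDS$ update of step 5 many times with fresh $IDS$, $K_1$ and $n_2$ for one fixed $ID$, once with the modular rotation amount $K_1 \bmod 96$ and once with the Hamming weight amount $wt(K_1)$. It reports how often the rotation degenerated into the identity and which residue of $(IDS^{next} - IDS) \bmod M$ occurred most often: with the modular rotation the identity case occurs in about 1 of every 96 updates and pulls the most common residue towards $ID \bmod M$, whereas with the Hamming weight rotation the amount stays close to 48 and the identity case does not occur. Function names, the seed, the modulus argument and the session count are this example's own choices.

```python
# Added example (not from the paper): leakage statistic of the IDS update
# under modular versus Hamming weight rotation. Names and values are assumptions.
import random

WIDTH = 96
MASK = (1 << WIDTH) - 1


def wt(x):
    """Hamming weight of x."""
    return bin(x).count("1")


def rot(a, amount):
    """Left-rotate the 96-bit value a by amount positions."""
    amount %= WIDTH
    return ((a << amount) | (a >> (WIDTH - amount))) & MASK


def amount_modular(k):
    """Rotation amount under Rot(A, B) = A << (B mod 96)."""
    return k % WIDTH


def amount_hamming(k):
    """Rotation amount under Rot(A, B) = A << wt(B)."""
    return wt(k)


def ids_update_statistics(amount_fn, modulus=96, sessions=60000, seed=7):
    """Simulate `sessions` independent IDS updates with fresh IDS, K1, n2 for one
    constructed ID. Returns (identity_fraction, histogram, id_mod), where
    histogram[c] counts how often (IDS_next - IDS) mod modulus == c."""
    rng = random.Random(seed)
    tag_id = rng.getrandbits(WIDTH)  # constructed secret ID
    hist = [0] * modulus
    identity = 0
    for _ in range(sessions):
        ids, k1, n2 = (rng.getrandbits(WIDTH) for _ in range(3))
        amount = amount_fn(k1) % WIDTH
        if amount == 0:  # Rot behaves as the identity: equation (3) applies
            identity += 1
        k1_bar = rot(k1 ^ n2, amount)
        ids_next = ((ids + tag_id) & MASK) ^ (n2 ^ k1_bar)
        hist[(ids_next - ids) % modulus] += 1
    return identity / sessions, hist, tag_id % modulus


def most_common_residue(hist):
    """Index of the largest histogram bin."""
    return max(range(len(hist)), key=hist.__getitem__)


def compare(modulus=96):
    """Run both variants and summarise identity frequency and the leaked residue."""
    out = {}
    for name, fn in (("modular", amount_modular), ("hamming", amount_hamming)):
        frac, hist, id_mod = ids_update_statistics(fn, modulus)
        out[name] = {
            "identity_fraction": frac,
            "guess": most_common_residue(hist),
            "id_mod": id_mod,
        }
    return out


if __name__ == "__main__":
    for name, r in compare(96).items():
        print(f"{name:8s} identity fraction {r['identity_fraction']:.4f}  "
              f"most common residue {r['guess']:3d}  ID mod 96 = {r['id_mod']}")
```

Only the low five bits of $ID$ are reliably pinned down by this statistic (the power-of-two part of 96, consistent with Table 1), so the check worth running on a design is whether the most common residue agrees with $ID$ modulo 32; a design where the rotation amount can never be zero, as with the Hamming weight, removes that agreement.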
Appendix A: Attack's source code

This is the source code of our attack, implemented in Python:

# Traceability & recovery attack against the Modular SASI
# Ultralightweight Authentication Protocol
from random import randint

NumExperiments = 2**18


def wt(a):
    # Hamming weight of a (not used by the modular variant, kept for reference)
    w = 0
    while a:
        if a % 2:
            w = w + 1
        a = a >> 1
    return w


def rot(a, b):
    # 96-bit left rotation of a by b positions (b already reduced modulo 96)
    return (((a << b) % 2**96) | ((a >> (96 - b)) % 2**96)) % 2**96


def sasiprotocol(L):
    # One session of SASI with modular rotations, L = [IDS, SID, N1, N2, K1, K2];
    # returns the public messages and the updated tag state
    IDS, SID, N1, N2, K1, K2 = L[0], L[1], L[2], L[3], L[4], L[5]
    A = IDS ^ K1 ^ N1
    B = ((IDS | K2) + N2) % 2**96
    K1hat = rot(K1 ^ N2, K1 % 96)
    K2hat = rot(K2 ^ N1, K2 % 96)
    C = ((K1 ^ K2hat) + (K2 ^ K1hat)) % 2**96
    D = ((K2hat + SID) % 2**96) ^ ((K1 ^ K2) | K1hat)
    IDSnext = ((IDS + SID) % 2**96) ^ (N2 ^ K1hat)
    O = [A % 2**96, B % 2**96, C % 2**96, D % 2**96,
         IDSnext % 2**96, K1hat % 2**96, K2hat % 2**96]
    return O


# The secret value we will try to obtain is I[1] = SID
I = []
for i in range(6):
    I.append(randint(0, (2**96) - 1))

# Keep the value of I for the future, so copy it and only manipulate wI
wI = list(I)

Observations = []
for i in range(96):
    Observations.append(0)

j = 0
for i in range(NumExperiments):
    O = sasiprotocol(wI)
    # Get IDS
    IDS = wI[0]
    # Get A, B, C
    A = O[0]
    B = O[1]
    C = O[2]
    # Check if it holds that C = (A ^ IDS) + (B - IDS) % 96
    if C % 96 == ((A ^ IDS) + (B - IDS)) % 96:
        j = j + 1
        # Obtain the value of IDSnext
        IDSnext = O[4]
        # Compute c = (IDSnext - IDS) % 96
        c = (IDSnext - IDS) % 96
        Observations[c] = Observations[c] + 1
    # Then, a new protocol session begins
    wI = [O[4], wI[1], randint(0, (2**96) - 1), randint(0, (2**96) - 1), O[5], O[6]]

# Print Observations & compute the maximum
maxobs = 0
maxindex = 0
for i in range(96):
    print("The value", i, "has been observed", Observations[i], "times")
    if Observations[i] > maxobs:
        maxobs = Observations[i]
        maxindex = i

print("The probability of a useful session is, approx. = 1/", NumExperiments / j)
print("The maximum value, and our guess for SID%96 is", maxindex)
print("The correct value of SID%96 is", I[1] % 96)
print("The difference between these values is", abs(I[1] % 96 - maxindex))
# This difference is always a power of two meaning that
# the least significant bits of our guess were correct

References

[1] Hung-Yu Chien. "SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity". IEEE Transactions on Dependable and Secure Computing 4(4):337–340, Oct.–Dec. 2007.
[2] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "M2AP: A minimalist mutual-authentication protocol for low-cost RFID tags". In Proc. of UIC'06, volume 4159 of LNCS, pages 912–923. Springer-Verlag, 2006.
[3] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "LMAP: A real lightweight mutual authentication protocol for low-cost RFID tags". Hand. of Workshop on RFID and Lightweight Crypto, 2006.
[4] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. "EMAP: An efficient mutual authentication protocol for low-cost RFID tags". In Proc. of IS'06, volume 4277 of LNCS, pages 352–361. Springer-Verlag, 2006.
[5] T. Li and G. Wang. "Security analysis of two ultra-lightweight RFID authentication protocols". In Proc. of IFIP-SEC'07, 2007.
[6] C. Hung-Yu and H. Chen-Wei. "Security of ultra-lightweight RFID authentication protocols and its improvements". SIGOPS Oper. Syst. Rev., 41(4):83–86, 2007.
[7] M. Bárász, B. Boros, P. Ligeti, K. Lója, and D. Nagy. "Breaking LMAP". Proc. of RFIDSec'07, 2007.
[8] M. Bárász, B. Boros, P. Ligeti, K. Lója, and D. Nagy. "Passive Attack Against the M2AP Mutual Authentication Protocol for RFID Tags". Proc. of First International EURASIP Workshop on RFID Technology, 2007.
[9] A. Klimov and A. Shamir. "New Applications of T-functions in Block Ciphers and Hash Functions". Proc. of FSE'05, LNCS vol. 3557, pp. 18–31. Springer-Verlag, 2005.
[10] Hung-Min Sun, Wei-Chih Ting, and King-Hang Wang. "On the Security of Chien's Ultralightweight RFID Authentication Protocol". Cryptology ePrint Archive, http://eprint.iacr.org/2008/083, 2008.
[11] Tianjie Cao, Elisa Bertino, and Hong Lei. "Security Analysis of the SASI Protocol". IEEE Transactions on Dependable and Secure Computing, 2008.
[12] Paolo D'Arco and Alfredo De Santis. "From Weaknesses to Secret Disclosure in a Recent Ultra-Lightweight RFID Authentication Protocol". Cryptology ePrint Archive, http://eprint.iacr.org/2008/470, 2008.