Vulnerability Analysis of PAP for RFID Tags

In this paper, we analyze the security of an RFID authentication protocol proposed by Liu and Bailey [1], called Privacy and Authentication Protocol (PAP), and show its vulnerabilities and faulty assumptions. PAP is a privacy and authentication protocol designed for passive tags. The authors claim that the protocol, being resistant to commonly assumed attacks, requires little computation and provides privacy protection and authentication. Nevertheless, we propose two traceability attacks and an impersonation attack, in which the revealing of secret information (i.e., secret key and static identifier) shared between the tag and the reader is unnecessary. Moreover, we review all basic assumptions on which the design of the protocol resides, and show how many of them are incorrect and are contrary to the common assumptions in RFID systems.

💡 Research Summary

The paper conducts a thorough security assessment of the Privacy and Authentication Protocol (PAP) originally proposed by Liu and Bailey for passive RFID tags. PAP claims to provide both privacy protection and mutual authentication while keeping computational overhead low, relying on a pre‑shared secret key K and a static identifier ID between tag and reader. Each session the reader sends a random nonce r, the tag computes a hash h = H(K‖r) and returns (h, r). The authors first enumerate the protocol’s underlying assumptions: (1) the radio channel is free from eavesdropping or tampering, (2) the secret key and static ID never leak, and (3) the nonce is freshly generated for every interaction. They argue that these premises are unrealistic in typical RFID deployments, where power fluctuations, electromagnetic interference, and physical access can expose tag memory, and low‑cost random number generators often produce predictable or repeated values.

Building on this critique, the paper demonstrates three concrete attacks that do not require knowledge of K or ID. The first traceability attack captures a reader‑issued nonce r, replays it to the same tag, and observes that the tag returns the identical hash h. Because h is deterministic for a given (K, r), the attacker can link multiple protocol runs to the same tag, breaking anonymity. The second traceability attack stores a previously observed hash h and later checks whether a new reader’s nonce r yields the same h, again enabling tag linking without any secret exposure. The third attack is an impersonation (or replay) attack: an adversary selects an arbitrary nonce r′, reuses a previously captured hash h, and sends (h, r′) to the reader. The reader, trusting the hash’s validity, accepts the tag as authentic. These attacks exploit the protocol’s failure to enforce nonce freshness and to bind the hash to the specific session, revealing that the hash function alone does not guarantee unforgeability when the attacker can manipulate or replay nonces.

The authors also scrutinize PAP’s privacy claim that the static identifier is concealed. In practice, the hash h leaks enough information to uniquely identify a tag across sessions, rendering the concealment ineffective. Moreover, the protocol’s reliance on a single hash operation to keep computational cost low overlooks the fact that even lightweight hash functions can be costly for ultra‑low‑power passive tags, potentially increasing latency and power consumption.

Finally, the paper contrasts PAP’s design assumptions with the broader threat model accepted in RFID research. Real‑world RFID systems routinely face passive eavesdropping, active jamming, tag tampering, and weak randomness. By ignoring these factors, PAP offers an over‑optimistic security guarantee. The authors conclude that future RFID authentication schemes must incorporate realistic adversarial capabilities, enforce strict nonce freshness, provide strong integrity checks, and consider the trade‑off between computational load and security. They recommend redesigning PAP or adopting alternative protocols that have been formally proven secure under standard RFID threat models.