An efficient and private RFID authentication protocol supporting ownership transfer

Radio Frequency IDentification (RFID) systems are getting pervasively deployed in many daily life applications. But this increased usage of RFID systems brings some serious problems together, security and privacy. In some applications, ownership transfer of RFID labels is sine qua non need. Specifically, the owner of RFID tag might be required to change several times during its lifetime. Besides, after ownership transfer, the authentication protocol should also prevent the old owner to trace the tags and disallow the new owner to trace old transactions of the tags. On the other hand, while achieving privacy and security concerns, the computation complexity should be considered. In order to resolve these issues, numerous authentication protocols have been proposed in the literature. Many of them failed and their computation load on the server side is very high. Motivated by this need, we propose an RFID mutual authentication protocol to provide ownership transfer. In our protocol, the server needs only a constant-time complexity for identification when the tag and server are synchronized. In case of ownership transfer, our protocol preserves both old and new owners’ privacy. Our protocol is backward untraceable against a strong adversary who compromise tag, and also forward untraceable under an assumption

Efficient and Low-Cost RFID Authentication Schemes

Security in passive resource-constrained Radio Frequency Identification (RFID) tags is of much interest nowadays. Resistance against illegal tracking, cloning, timing, and replay attacks are necessary for a secure RFID authentication scheme. Reader authentication is also necessary to thwart any illegal attempt to read the tags. With an objective to design a secure and low-cost RFID authentication protocol, Gene Tsudik proposed a timestamp-based protocol using symmetric keys, named YA-TRAP*. Although YA-TRAP* achieves its target security properties, it is susceptible to timing attacks, where the timestamp to be sent by the reader to the tag can be freely selected by an adversary. Moreover, in YA-TRAP*, reader authentication is not provided, and a tag can become inoperative after exceeding its pre-stored threshold timestamp value. In this paper, we propose two mutual RFID authentication protocols that aim to improve YA-TRAP* by preventing timing attack, and by providing reader authentication. Also, a tag is allowed to refresh its pre-stored threshold value in our protocols, so that it does not become inoperative after exceeding the threshold. Our protocols also achieve other security properties like forward security, resistance against cloning, replay, and tracking attacks. Moreover, the computation and communication costs are kept as low as possible for the tags. It is important to keep the communication cost as low as possible when many tags are authenticated in batch-mode. By introducing aggregate function for the reader-to-server communication, the communication cost is reduced. We also discuss different possible applications of our protocols. Our protocols thus capture more security properties and more efficiency than YA-TRAP*. Finally, we show that our protocols can be implemented using the current standard low-cost RFID infrastructures.Comment: 21 pages, Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol 2, No 3, pp. 4-25, 201

Cryptanalysis of two mutual authentication protocols for low-cost RFID

Radio Frequency Identification (RFID) is appearing as a favorite technology for automated identification, which can be widely applied to many applications such as e-passport, supply chain management and ticketing. However, researchers have found many security and privacy problems along RFID technology. In recent years, many researchers are interested in RFID authentication protocols and their security flaws. In this paper, we analyze two of the newest RFID authentication protocols which proposed by Fu et al. and Li et al. from several security viewpoints. We present different attacks such as desynchronization attack and privacy analysis over these protocols.Comment: 17 pages, 2 figures, 1 table, International Journal of Distributed and Parallel system

A Privacy Preserving Framework for RFID Based Healthcare Systems

RFID (Radio Frequency IDentification) is anticipated to be a core technology that will be used in many practical applications of our life in near future. It has received considerable attention within the healthcare for almost a decade now. The technology’s promise to efficiently track hospital supplies, medical equipment, medications and patients is an attractive proposition to the healthcare industry. However, the prospect of wide spread use of RFID tags in the healthcare area has also triggered discussions regarding privacy, particularly because RFID data in transit may easily be intercepted and can be send to track its user (owner). In a nutshell, this technology has not really seen its true potential in healthcare industry since privacy concerns raised by the tag bearers are not properly addressed by existing identification techniques. There are two major types of privacy preservation techniques that are required in an RFID based healthcare system—(1) a privacy preserving authentication protocol is required while sensing RFID tags for different identification and monitoring purposes, and (2) a privacy preserving access control mechanism is required to restrict unauthorized access of private information while providing healthcare services using the tag ID. In this paper, we propose a framework (PriSens-HSAC) that makes an effort to address the above mentioned two privacy issues. To the best of our knowledge, it is the first framework to provide increased privacy in RFID based healthcare systems, using RFID authentication along with access control technique

Lightweight Mutual Authentication Protocol for Low Cost RFID Tags

Radio Frequency Identification (RFID) technology one of the most promising technologies in the field of ubiquitous computing. Indeed, RFID technology may well replace barcode technology. Although it offers many advantages over other identification systems, there are also associated security risks that are not easy to be addressed. When designing a real lightweight authentication protocol for low cost RFID tags, a number of challenges arise due to the extremely limited computational, storage and communication abilities of Low-cost RFID tags. This paper proposes a real mutual authentication protocol for low cost RFID tags. The proposed protocol prevents passive attacks as active attacks are discounted when designing a protocol to meet the requirements of low cost RFID tags. However the implementation of the protocol meets the limited abilities of low cost RFID tags.Comment: 11 Pages, IJNS

On the Privacy of Two Tag Ownership Transfer Protocols for RFIDs

In this paper, the privacy of two recent RFID tag ownership transfer protocols are investigated against the tag owners as adversaries. The first protocol called ROTIV is a scheme which provides a privacy-preserving ownership transfer by using an HMAC-based authentication with public key encryption. However, our passive attack on this protocol shows that any legitimate owner which has been the owner of a specific tag is able to trace it either in the past or in the future. Tracing the tag is also possible via an active attack for any adversary who is able to tamper the tag and extract its information. The second protocol called, Chen et al.'s protocol, is an ownership transfer protocol for passive RFID tags which conforms EPC Class1 Generation2 standard. Our attack on this protocol shows that the previous owners of a particular tag are able to trace it in future. Furthermore, they are able even to obtain the tag's secret information at any time in the future which makes them capable of impersonating the tag

A secure and private RFID authentication protocol based on quadratic residue

Radio Frequency IDentification based systems are getting pervasively deployed in many real-life applications in various settings for identification and authentication of remote objects. However, the messages that are transmitted over a insecure channel, are vulnerable to security and privacy concerns such as data privacy, location privacy of tag owner and etc. Recently, Yeh et al.'s proposed a RFID authentication protocol based on quadratic residue which is claimed to provide location privacy and prevent possible attacks. In this paper, we formally analyzed the protocol and we proved that the protocol provides destructive privacy according to Vaudenay privacy model. Moreover, we proposed a unilateral authentication protocol and we prove that our protocol satisfies higher privacy level such as narrow strong privacy. Besides, we proposed an enhanced version of our proposed protocol, which has same privacy level as Yeh at al protocol, but has reader authentication against stronger adversaries. Furthermore, the enhanced version of our protocol uses smaller number of cryptographic operations when compared to Yeh at al protocol and it is also cost efficient at the server and tag side and requires O(1) complexity to identify a RFID tag