MUMAP: Modified Ultralightweight Mutual Authentication protocol for RFID enabled IoT networks

Flawed authentication protocols led to the need for a secured protocol for radio frequency identification (RFID) techniques. In this paper, an authentication protocol named Modified ultralightweight mutual authentication protocol (MUMAP) has been proposed and cryptanalysed by Juel-Weis challenge. The proposed protocol aimed to reduce memory requirements in the authentication process for low-cost RFID tags with limited resources. Lightweight operations like XOR and Left Rotation, are used to circumvent the flaws made in the other protocols. The proposed protocol has three-phase of authentication. Security analysis of the proposed protocol proves its resistivity against attacks like desynchronization, disclosure, tracking, and replay attack. On the other hand, performance analysis indicates that it is an effective protocol to use in low-cost RFID tags. Juel-Weis challenge verifies the proposed protocol where it shows insusceptibility against modular operations

Cryptanalysis of two recent ultra-lightweight authentication protocols

Radio Frequency Identification (RFID) technology is a critical part of many Internet of Things (IoT) systems, including Medical IoT (MIoT) for instance. On the other hand, the IoT devices’ numerous limitations (such as memory space, computing capability, and battery capacity) make it difficult to implement cost- and energy-efficient security solutions. As a result, several researchers attempted to address this problem, and several RFID-based security mechanisms for the MIoT and other constrained environments were proposed. In this vein, Wang et al. and Shariq et al. recently proposed CRUSAP and ESRAS ultra-lightweight authentication schemes. They demonstrated, both formally and informally, that their schemes meet the required security properties for RFID systems. In their proposed protocols, they have used a very lightweight operation called Cro(·) and Rank(·), respectively. However, in this paper, we show that those functions are not secure enough to provide the desired security. We show that Cro(·) is linear and reversible, and it is easy to obtain the secret values used in its calculation. Then, by exploiting the vulnerability of the Cro(·) function, we demonstrated that CRUSAP is vulnerable to secret disclosure attacks. The proposed attack has a success probability of "1" and is as simple as a CRUSAP protocol run. Other security attacks are obviously possible by obtaining the secret values of the tag and reader. In addition, we present a de-synchronization attack on the CRUSAP protocol. Furthermore, we provide a thorough examination of ESRAS and its Rank(·) function. We first present a de-synchronization attack that works for any desired Rank(·) function, including Shariq et al.’s proposed Rank(·) function. We also show that Rank(·) does not provide the desired confusion and diffusion that is claimed by the designers. Finally, we conduct a secret disclosure attack against ESRAS

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Survey: An overview of lightweight RFID authentication protocols suitable for the maritime internet of things

The maritime sector employs the Internet of Things (IoT) to exploit many of its benefits to maintain a competitive advantage and keep up with the growing demands of the global economy. The maritime IoT (MIoT) not only inherits similar security threats as the general IoT, it also faces cyber threats that do not exist in the traditional IoT due to factors such as the support for long-distance communication and low-bandwidth connectivity. Therefore, the MIoT presents a significant concern for the sustainability and security of the maritime industry, as a successful cyber attack can be detrimental to national security and have a flow-on effect on the global economy. A common component of maritime IoT systems is Radio Frequency Identification (RFID) technology. It has been revealed in previous studies that current RFID authentication protocols are insecure against a number of attacks. This paper provides an overview of vulnerabilities relating to maritime RFID systems and systematically reviews lightweight RFID authentication protocols and their impacts if they were to be used in the maritime sector. Specifically, this paper investigates the capabilities of lightweight RFID authentication protocols that could be used in a maritime environment by evaluating those authentication protocols in terms of the encryption system, authentication method, and resistance to various wireless attacks

Security of Ubiquitous Computing Systems

The chapters in this open access book arise out of the EU Cost Action project Cryptacus, the objective of which was to improve and adapt existent cryptanalysis methodologies and tools to the ubiquitous computing framework. The cryptanalysis implemented lies along four axes: cryptographic models, cryptanalysis of building blocks, hardware and software security engineering, and security assessment of real-world systems. The authors are top-class researchers in security and cryptography, and the contributions are of value to researchers and practitioners in these domains. This book is open access under a CC BY license

Breaking Anonymity of Some Recent Lightweight RFID Authentication Protocols

Due to their impressive advantages, Radio Frequency IDentification (RFID) systems are ubiquitously found in various novel applications. These applications are usually in need of quick and accurate authentication or identification. In many cases, it has been shown that if such systems are not properly designed, an adversary can cause security and privacy concerns for end-users. In order to deal with these concerns, impressive endeavors have been made which have resulted in various RFID authentications being proposed. In this study, we analyze three lightweight RFID authentication protocols proposed in Wireless Personal Communications (2014), Computers & Security (2015) and Wireless Networks (2016). We show that none of the studied protocols provides the desired security and privacy required by the end-users. We present various security and privacy attacks such as secret parameter reveal, impersonation, DoS, traceability, and forward traceability against the studied protocols. Our attacks are mounted in the Ouafi–Phan RFID formal privacy model which is a modified version of the well-known Juels–Weis privacy model

Toward designing a secure authentication protocol for IoT environments

Authentication protocol is a critical part of any application to manage the access control in many applications. A former research recently proposed a lightweight authentication scheme to transmit data in an IoT subsystem securely. Although the designers presented the first security analysis of the proposed protocol, that protocol has not been independently analyzed by third-party researchers, to the best of our knowledge. On the other hand, it is generally agreed that no cryptosystem should be used in a practical application unless its security has been verified through security analysis by third parties extensively, which is addressed in this paper. Although it is an efficient protocol by design compared to other related schemes, our security analysis identifies the non-ideal properties of this protocol. More specifically, we show that this protocol does not provide perfect forward secrecy. In addition, we show that it is vulnerable to an insider attacker, and an active insider adversary can successfully recover the shared keys between the protocol’s entities. In addition, such an adversary can impersonate the remote server to the user and vice versa. Next, the adversary can trace the target user using the extracted information. Finally, we redesign the protocol such that the enhanced protocol can withstand all the aforementioned attacks. The overhead of the proposed protocol compared to its predecessor is only 15.5% in terms of computational cost

Cost and Lightweight Modeling Analysis of RFID Authentication Protocols in Resource Constraint Internet of Things

Internet of Things (IoT) is a pervasive environment to interconnect the things like: smart objects, devices etc. in a structure like internet. Things can be interconnected in IoT if these are uniquely addressable and identifiable. Radio Frequency Identification (RFID) is one the important radio frequency based addressing scheme in IoT. Major security challenge in resource constraint RFID networks is how to achieve traditional CIA security i.e. Confidentiality, Integrity and Authentication. Computational and communication costs for Lightweight Mutual Authentication Protocol (LMAP), RFID mutual Authentication Protocol with Permutation (RAPP) and kazahaya authentication protocols are analyzed. These authentication protocols are modeled to analyze the delays using lightweight modeling language. Delay analysis is performed using alloy model over LMAP, RAPP and kazahaya authentication protocols where one datacenter (DC) is connected to different number of readers (1,5 or 10) with connectivity to 1, 5 or 25 tags associated with reader and its results show that for LMAP delay varies from 30-156 msec, for RAPP from 31-188 while for kazahaya from 61-374 msec. Further, performance of RFID authentication protocols is analyzed for group construction through more than one DC (1,5 or 10) with different number of readers (10, 50 or 100) and tags associated with these readers (50, 500, 1000) and results show that DC based binary tree topology with LMAP authentication protocol is having a minimum delay for 50 or 100 readers. Other authentication protocols fail to give authentication results because of large delays in the network. Thus, RAPP and Kazahaya are not suitable for scenarios where there is large amount of increase in number of tags or readers