RAPP (RFID Authentication Protocol with Permutation) is a recently proposed efficient ultralightweight authentication protocol. The operation used in this protocol is totally different from the other existing ultralightweight protocols due to the use of new introduced data dependent permutations and avoidances of modular arithmetic operations and biased logical operations such as AND and OR. The designers of RAPP claimed that this protocol resists against desynchronization attacks since the last messages of the protocol is sent by the reader and not by the tag. This letter challenges this assumption and shows that RAPP is vulnerable against desynchronization attack. This attack has a remarkable probability of success and is effective whether Hamming weight-based or modular-based rotations are used by the protocol

Mahmoud Salmasizadeh

Mohammad Reza Aref

Zahra Ahmadian

Cryptology ePrint Archive

1Desynchronization Attack on RAPPUltralightweight Authentication ProtocolZahra Ahmadian, Mahmoud Salmasizadeh, and Mohammad Reza ArefAbstract—RAPP (RFID Authentication Protocol with Permu-tation) is a recently proposed efficient ultralightweight authen-tication protocol. The operation used in this protocol is totallydifferent from the other existing ultralightweight protocols dueto the use of new introduced data dependent permutations andavoidances of modular arithmetic operations and biased logicaloperations such as AND and OR. The designers of RAPP claimedthat this protocol resists against desynchronization attacks sincethe last messages of the protocol is sent by the reader and notby the tag. This letter challenges this assumption and shows thatRAPP is vulnerable against desynchronization attack. This attackhas a remarkable probability of success and is effective whetherHamming weight-based or modular-based rotations are used bythe protocol.Index Terms—RAPP, RFID security, Ultralightweight proto-cols, desynchronization attack.I. INTRODUCTIONULTRALIGHTWEIGHT authentication protocols are animportant class of lightweight authentication protocols inwhich the operations used in the tag side is restricted to simplebitwise operations (like XOR, AND, OR, rotation, modularaddition, etc.). Since the introduction of this class by Peris-Lopez et al. [1], [2], [3] all of the proposals put forward inthis area such as SASI [4], Gossamer [5], LMAP++ [6] andYeh et al. [7] have made use of the mentioned operations.The exclusive or wide use of T-functions in these protocols iswidely criticized since it makes some successful cryptanalysispossible [8], [9] and [10].Recently, Tian et al. proposed a new ultraligthweight au-thentication protocol [11] whose operations is totally differentfrom the other existing ultralightweight protocols. This proto-col avoids modular arithmetic operations and biased logicaloperations such as AND and OR any more. Instead, theauthors introduced a new data dependent permutation as anultralightweight operation which is unbalanced and breaks theorders of the bits. In fact, one of the most important features ofthis operation is its completely non-triangular property whichis highly recommended in [8].So far two attacks have been proposed on RAPP. The firstone [12] is a traceability attack which exploits Hammingweight-invariant property of the foregoing permutation. Thenext one [13] is an active full disclosure attack which requiresabout 230 counterfeit authentication session with the victimtag.Zahra Ahmadian and Mohammad Reza Aref are with Department ofElectrical Engineering, Sharif University of Technology, Tehran, Iran. Mah-moud Salmasizadeh is with Electronic Research Center, Sharif Universityof Technology, Tehran, Iran. (E-mail: ahmadian@ee.sharif.edu, {salmasi,aref}@sharif.edu)In [11] the authors claimed that RAPP resists againstdesynchronization attacks since the last messages exchangedis transmitted by the reader rather than by the tag. So, boththe old and new states of the protocol should be stored in thereader rather than the tag. We show that this assumption isnot valid and the attacker can still force the tag to stay it itsprevious state by blocking the last messages of the protocol.Then convince it to update its state to a different state fromthe reader’s new and old states, resulting a desynchronizationbetween two parties. This attack works for the both definitionof the rotation (hamming weight-based and modular-based).II. RAPP SPECIFICATIONSWe first introduce two function used in the RAPP protocol.Definition 1. Let X be a L-bit word, Xi be the ith bit of Xwhere 0 ≤ i ≤ L − 1, and X0 and XL−1 be the LSB andMSB of the word X , respectively. (X = XL−1 . . . X1X0).Suppose A and B are two L-bit words and Hw(B) = mwhere Hw(·) is the Hamming weight function. Moreover Bi =1 if i ∈ I1 = {k1, k2, . . . km} and Bi = 0 if i ∈ I0 ={km+1, km+2, . . . kL}, wherekm > km−1 > . . . > k2 > k1kL > kL−1 > . . . > km+2 > km+1The permutation of A according to B, denoted as Per(A,B),is defined as:Per(A,B) =AkmAkm−1 . . . Ak2Ak1Akm+1Akm+2 , . . . AkL−1AkLFor example for A = 1101101 and B = 0110111,m = 5, I0 = {6, 3, 0}, I1 = {5, 4, 2, 1} thus Per(A,B) =A5A4A2A1A0A3A6 = 1010111.Definition 2. Suppose A and B are two L-bit words, wedefine Hamming weight-based rotation by Rot(A,B) = A ≪Hw(B) and modular-based rotation by Rot(A,B) = A ≪(B mod L) where ≪ is left rotation.In [11] it is stated that between these two options, Hammingweight-based rotation is selected for RAPP, since despite themodular-rotation, the parameter that controls the rotation isuniform in this case.In RAPP, each tag has a unique identity ID which isshared with the reader as well as its index pseudonym, IDSand three session keys, K1,K2,K3. All variables are L-bit length. Although the exact value of L is not specifiedin [11], we assume L = 96 whenever required, which isthe most common bit length value for the variables of a tag2(e.g GID-96, SGTIN-96, GIAI-96, etc.) [14]. The state of theprotocol, (IDS,K1,K2,K3), is updated at the end of eachsuccessful authentication session in both parties. In order toresist desynchronization attacks, the reader keeps the backupof its previous state (IDSold,K1old,K2old,K3old), too. Theprotocol works as follows:1. Reader → Tag : Hello2. Tag → Reader : IDSThe reader uses the received IDS as a search index toto extract the secret information linked to the tag, i.e.(ID,K1,K2,K3). Then the reader generates a L-bit nonce,n1 and computes messages A and B as follows.3. Reader → Tag : A,BA = Per(K2,K1)⊕ n1B = Per(K1⊕K2, Rot(n1, n1))⊕ Per(n1,K1)Upon receiving the messages A and B, the tag first extractsn1 from A then verifies the value of B. If the verificationsucceeds, the reader is authenticated and the tag computes theresponse value C as follows.4. Reader → Tag : CC = Per(n1⊕K1, n1⊕K3)⊕ IDUpon receiving C, the reader uses its local values to verifyits correctness. If the tag is authenticated, the reader generatesL-bit nonce n2 and sends the messages D and E as follows.It updates its pseudonym and secret keys while keeping itscurrent state as well.5. Reader → Tag : D,ED = Per(K3,K2)⊕ n2E = Per(K3, Rot(n2, n2))⊕ Per(n1,K3⊕K2)The tag extracts n2 and verifies E. If it is correct, the tagupdates its state in the same vein as the reader (but it doesnot keep the current state any more). For more details of thepseudonym and key updating see the specification of RAPP[11].III. A DESYNCHRONIZATION ATTACK ON RAPPIt is claimed in [11] that RAPP resists desynchronizationattack since despite other existing ultralightweight protocols,the last messages exchanged in this protocol are sent bythe reader rather than the tag. In this section we outlinea desynchronization attack on this protocol that is effectivewhether the protocol uses Hamming weight-based or modular-based rotation.A. Attack descriptionFirst, assume two parties are synchronized in the state S(1).To resist possible desynchronization attacks, the reader keepsalso the previous state S(0). The aim of the attacker is to forcethe tag to update its state to, say S(2′) while the reader hasupdated its state to S(2) and keeping S(1) as its old state. Theattack is outlined as follows:The attacker allows the two parties to run a genuine sessionexcept the last messages D and E and saves all the messagesof this session, i.e. IDS,A,B,C,D,E. She blocks ?? the lastmessages to prevent the tag updating its state. Thus, the tagstays at S(1) while the reader has updated its states to S(2)and keeping S(1) as its old state. Now, the attacker shouldconvince the tag to update its state to any value other thanS(2).in the next phase, the attacker runs counterfeit sessions withthe victim tag. She uses the same messages as the previousincomplete session except D which is replaced by D′ = D⊕ei ⊕ ei+1 for some appropriate i, where ei is zero vector oflength n that contains a 1 in the ith position (i.e. ei = 2i). Inmore details, the attacker first sends a ”Hello” message to thetag to which the tag answers with its IDS. Then the attackertransmits A and B which is definitely accepted by the tag andthe tag replies with the same C again. In fourth message, theattacker sends D′ and E to the tag.Upon receiving D′ and E, the tag extracts n2′ = n2 ⊕ei ⊕ ei+1 and checks the correctness of E. E is ac-cepted if Per(K3, Rot(n2′, n2′)) = Per(K3, Rot(n2, n2)).If Rot(n2, n2) = Rot(n2′, n2′) ⊕ e0 ⊕ e1. i.e. Rot(n2, n2)and Rot(n2′, n2′) differ only in the two LSBs, we havePer(K3, Rot(n2′, n2′)) = Per(K3, Rot(n2, n2)) with prob-ability of 12 (this will be discussed more precisely in thefollowing subsections).To achieve such situation, the attacker repeats this scenariofor some appropriate i, depending on the definition of rotation,and stops till she receives a new IDS in the next querymeaning that the tag has accepted the invalid message D′ andits state has been updated to the wrong state S(2′).The success probability the attack is considered separatelyfor the two definitions of rotation.B. Hamming weight-based rotation: Rot(X,Y ) = X ≪Hw(Y )In the following, we discuss the success ratio of the attackerto desynchronize the tag when the rotation operation is definedas Rot(X,Y ) = X ≪ Hw(Y ). We first state some lemmas.Lemma 1. Let X be a L-bit word. Then, Pr(Hw(X) =Hw(X ⊕ ei ⊕ ei+1)) = 12 . This happens if Xi 6= Xi+1.Proof: This can easily be verified.Lemma 2. Let Z = Per(X,Y ) and Z ′ = Per(X,Y ′) whereY ′ = Y ⊕ e1 ⊕ e0. Then Pr(Z = Z ′) = 12 . This happens ifX0 = X1.Proof: Let I1 = {k1, k2, . . . km} and I0 ={km+1, km+2, . . . kL} be the set of indexes whose correspond-ing bits in Y are equal to 1 and 0 respectively, as defined in3Definition 1. Then,Z = Per(X,Y ) =XkmXkm−1 . . . Xk2Xk1Xkm+1Xkm+2 . . . XkL−1XkLLet’s consider three separate cases:• If the two last bits of Y are not the same, i.e. Y1Y0 = 01in which k1 = 0, km+1 = 1 or Y1Y0 = 10 in whichk1 = 1, km+1 = 0. in both cases we can conclude thatI ′1 = {km+1, k2, . . . km}I ′0 = {k1, km+2, . . . kL}where I ′0 and I′1 are the two sets of indexes correspondingto Y ′. Moreover km+1 < k2 and k1 < km+2. Thus,Z ′ = Per(X,Y ′) =XkmXkm−1 . . . Xk2Xkm+1Xk1Xkm+2 . . . XkL−1XkL• If Y1Y0 = 11, then k1 = 0, k2 = 1, and we can concludethatI ′1 = {k3, . . . km}I ′0 = {k1, k2, km+1, . . . kL}Moreover k1 < k2 < km+1 < km+2. Thus,Z ′ = Per(X,Y ′) =XkmXkm−1 . . . Xk1Xk2Xkm+1Xkm+2 . . . XkL−1XkL• If Y1Y0 = 00, then km+1 = 0, km+2 = 1. ThusI ′1 = {km+1, km+2, k1, . . . km}I ′0 = {km+3, . . . kL}Moreover km+1 < km+2 < k1 < k2. Thus,Z ′ = Per(X,Y ′) =XkmXkm−1 . . . Xk2Xk1Xkm+2Xkm+1 . . . XkL−1XkLTherefore, in the all three cases the two edge parts of Z ′ donot change and in the middle part, the positions of two bits ofX are exchanged. (Xkm+1 , Xk1 in the first case, Xk1 , Xk2 inthe second case, and Xkm+1 , Xkm+2 in the third case whichare the two LSBs of X in the all cases, i.e. X0 and X1).Therefore, Z = Z ′ if X0 = X1, which holds withprobability of 12 .Now we turn to our main problem. D′ = D ⊕ ei ⊕ ei+1implies that n2′ = n2⊕ei⊕ei+1, where n2′ is the nonce thatvictim tag extracts from the last messages of the counterfeitauthentication session.Let r = Hw(n2) and r′ = Hw(n2′) be the quantities whichcontrols the amount of rotations in genuine and counterfeitauthentication sessions respectively. According to Lemma 1,Pr(r = r′) = 12 .Now we can conclude:Rot(n2′, n2′) = (n2⊕ ei ⊕ ei+1) ≪ r′= (n2 ≪ r)⊕ ei+r ⊕ ei+1+r (1)provided that r = r′. The subscripts in (1) are takenin modulo L. Therefore, when the attacker tries all i, ityields i = −r mod L for some 0 ≤ i ≤ L − 1. Thiscauses Rot(n2′, n2′) = Rot(n2, n2) ⊕ e0 ⊕ e1 implyingPer(K3, Rot(n2′, n2′)) = Per(K3, Rot(n2, n2)) with prob-ability of 12 , according to Lemma 2.To summarize, the attacker succeeds to desynchronize thetag, if the following events occur:A : n2i = n2i+1 which implies r′ = r;B : K30 = K31 which impliesPer(K3, Rot(n2, n2)⊕ e0 ⊕ e1) = Per(K3, Rot(n2, n2)).Thus, the success probability, Psucc,Hw, is equal to:Psucc,Hw = P (A) · P (B) =14C. Modular-based rotation: Rot(X,Y ) = X ≪ (Y mod n)In this subsection we show that the attack is successful evenif the rotation operation is defined as Rot(X,Y ) = X ≪(Y mod L). First, some lemmas are stated.Lemma 3. Let X be a L-bit word. Then,X ⊕ ei ={X + 2i if Xi = 0,X − 2i if Xi = 1,Proof: This can easily be verified.Lemma 4. Let L = 96 and 5 ≤ i ≤ L− 1. Then,2i mod L ={32 if i is odd,64 if i is even,Proof: This can easily be proved by induction on i.Corollary 1. Let X be a L-bit word and 5 ≤ i ≤ L − 2.Then (X + 2i + 2i+1) mod L = X mod L.Here, we have again n2′ = n2 ⊕ ei ⊕ ei+1 since D′ =D ⊕ ei ⊕ ei+1. Let r = n2 mod L be the quantity whichcontrols the amount of rotation. r depends on all bits of n2since n = 96 is not an integer power of 2. Thus, flipping bit iwill affect the amount of rotation. In the counterfeit session:r′ = n2′ mod L= (n2⊕ ei ⊕ ei+1) mod L= (n2± 2i ± 2i+1) mod L= r + (±2i ± 2i+1) mod L (2)By Lemma 3, if n2i = n2i+1, the second term of (2), ±2i ±2i+1 will be equal to either 2i+2i+1 or −2i−2i+1, where inboth cases is equal to zero in modulo L, according to Corollary1. Thus we have Pr(r = r′) = 12 and we can conclude again:Rot(n2′, n2′) = (n2⊕ ei ⊕ ei+1) ≪ r′= (n2 ≪ r)⊕ ei+r ⊕ ei+1+r (3)provided that r = r′. Therefore, when the attacker tries all 5 ≤i ≤ L−2, Pr(i = −r mod L) = L−6L = 0.94. If this happens,it holds that Rot(n2′, n2′) = Rot(n2, n2) ⊕ e0 ⊕ e1 whichimplies Per(K3, Rot(n2′, n2′)) = Per(K3, Rot(n2, n2))with probability of 12 , according to Lemma 2.4To summarize, the attacker succeeds to desynchronize thetag, if the following event occurs in addition to events A andB,C : i = −r mod L for some i, 5 ≤ i ≤ L− 2;Thus, the success probability, Psucc,mod, becomes:Psucc,mod = P (A) · P (B) · P (C)=12× 12× 0.94= 0.23.Which shows that with a slight reduction in the probabilityof success, the desynchronization attack still works on RAPPwith the modular-based rotation.IV. CONCLUSIONIn this letter, we proposed a desynchronization attack onthe recently proposed ultralightweight authentication protocolRAPP [11]. The attack is effective for both definitions of rota-tions (i.e. Hamming weight-based and modular-based rotation)and its probability of success is about 14 .Though this work shows a weakness of this protocol, themain contribution of [11], i.e. the introduction the randompermutation as a new ultralightweight operation opens up newhorizons in design of ultralightweight authentication protocols.One may achieve stronger properties by combining the tradi-tional operations with this new one.REFERENCES[1] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A.Ribagorda, ”LMAP: A Real Lightweight Mutual Authentication Protocolfor Low-Cost RFID Tags,” Proc. Second Workshop RFID Security, July2006.[2] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A.Ribagorda, ”M2AP: A Minimalist Mutual-Authentication Protocol forLow-Cost RFID Tags,” Proc. Ubiquitous Intelligence and Computing, pp.912-923, 2006.[3] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, and A.Ribagorda, ”EMAP: An Efficient Mutual-Authentication Protocol forLow-Cost RFID Tags,” Proc. OTM 06 Workshop, pp. 352-361, 2006.[4] H. Chien, ”SASI: A New Ultralightweight RFID Authentication ProtocolProviding Strong Authentication and Strong Integrity, IEEE Trans. De-pendable and Secure Computing, vol. 4, no. 4, pp. 337-340, Oct.-Dec.2007.[5] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, and A. Rib-agorda, ”Advances in ultralightweight cryptography for low-cost RFIDtags: Gossamer protocol,” in Proc. International Workshop on InformationSecurity Applications 2008, pp. 5668, 2008.[6] T. Li, ”Employing lightweight primitives on low-cost rfid tags for authen-tication,” Proc. IEEE Vehicular Technology Conference, (VTC ’08), pp.1-5, Sept. 2008.[7] K.H. Yeh, N.W. Lo, and E. Winata, ”An Efficient UltralightweightAuthentication Protocol for RFID Systems,” In Proc. of RFIDSec Asia2010, Cryptology and Information Security Series, vol. 4, pp. 4960, 2010.[8] Z. Ahmadian, M. Salmasizadeh, and M. R. Aref, ”Recursive Linear andDifferential Cryptanalysis of Ultralightweight Authentication Protocols,”Cryptology ePrint Archive, Report 2012/489.[9] G. Avoine, X. Carpent, and B. Martin,”Privacy-Friendly Synchronized Ul-tralightweight Authentication Protocols in the Storm,” Journal of Networkand Computer Applications, vol. 35, pp. 826-843, 2012.[10] P. D’ Arco and A. De Santis, ”On Ultralightweight RFID AuthenticationProtocols,” IEEE IEEE Trans. Dependable and Secure Computing, vol.8, no. 4, Jul.-Aug. 2011.[11] Y. Tian, G. Chen, and J. Li. A New Ultralightweight RFID Authentica-tion Protocol with Permutation. IEEE Communications Letters, Vol. 16,No. 5, May 2012, pp.702-705.[12] G. Avoine, X. Carpent, ”Yet Another Ultralightweight AuthenticationProtocol that is Broken,” in pre-proceeding of RFIDsec 2012.[13] W. Shao-hui, H. Zhijie, L. Sujuan, C. Dan-wei, ”Security Analysisof RAPP An RFID Authentication Protocol based on Permutation,”Cryptology ePrint Archive, Report 2012/327, 2012.[14] GS1 EPCglobal. EPCglobal Tag Data Standards Version 1.4,http://www.epcglobalinc.org/standards/

Desynchronization Attack on RAPP Ultralightweight Authentication Protocol

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.300.1135

Desynchronization Attack on RAPP Ultralightweight Authentication Protocol

Abstract

Similar works

Full text

Available Versions

Cryptology ePrint Archive