It is well-known that protocols that satisfy a security property when
executed in isolation do not necessarily satisfy the same security
property when they are executed in an environment containing other
protocols.

We demonstrate this fact on a family of recently proposed RFID
protocols by Lee, Batina, and Verbauwhede. We invalidate the authentication and untraceability claims made for several of the family\u27s protocols.

We also present man-in-the-middle attacks on untraceability in all of the protocols in the family. Similar attacks can be carried out on some other protocols in the literature, as well.

We briefly indicate how to repair the protocols

Radomirović, Saša

van Deursen, Ton

It is well-known that protocols that satisfy a security property when executed in isolation do not necessarily satisfy the same security property when they are executed in an environment containing other protocols.We demonstrate this fact on a family of recently proposed RFID protocols by Lee, Batina, and Verbauwhede. We invalidate the authentication and untraceability claims made for several of the family's protocols.We also present man-in-the-middle attacks on untraceability in all of the protocols in the family. Similar attacks can be carried out on some other protocols in the literature, as well.We briefly indicate how to repair the protocols

University of Dundee Online Publications

                                                              University of DundeeUntraceable RFID protocols are not trivially composablevan Deursen, Ton; Radomirovi, SašaPublished in:Cryptology ePrint ArchivePublication date:2009Document VersionPublisher's PDF, also known as Version of recordLink to publication in Discovery Research PortalCitation for published version (APA):van Deursen, T., & Radomirovi, S. (2009). Untraceable RFID protocols are not trivially composable: Attacks onthe revision of EC-RAC. Cryptology ePrint Archive, 2009(332), 1-8.General rightsCopyright and moral rights for the publications made accessible in Discovery Research Portal are retained by the authors and/or othercopyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated withthese rights. • Users may download and print one copy of any publication from Discovery Research Portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain. • You may freely distribute the URL identifying the publication in the public portal.Take down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediatelyand investigate your claim.Download date: 07. Nov. 2017Untraceable RFID protocols are not triviallycomposable:Attacks on the revision of EC-RACTon van Deursen⋆ and Sasˇa Radomirovic´University of LuxembourgAbstract. It is well-known that protocols that satisfy a security prop-erty when executed in isolation do not necessarily satisfy the same se-curity property when they are executed in an environment containingother protocols.We demonstrate this fact on a family of recently proposed RFID proto-cols by Lee, Batina, and Verbauwhede. We invalidate the authenticationand untraceability claims made for several of the family’s protocols.We also present man-in-the-middle attacks on untraceability in all of theprotocols in the family. Similar attacks can be carried out on some otherprotocols in the literature, as well.We briefly indicate how to repair the protocols.1 IntroductionIt is well-known [1–5] that protocols satisfying a security property when executedin isolation do not necessarily satisfy the same security property when they areexecuted in an environment containing other protocols.In particular, it has been shown that composition of two secrecy-preservingprotocols may introduce attacks [6]. Similar results have been obtained for thecomposition of authentication protocols [7]. It is easy to see that the same holdstrue for untraceability. Consider for instance the two protocols shown in Figure 1.Each of the protocols can be shown to be untraceable in isolation. But if anRFID tag implements both protocols, it becomes traceable. An attacker selectsprotocol A to obtain nt, h(nt, ID) from any tag he is interested in tracing. Totest whether a random tag is a tag the attacker is interested in, the attackerselects protocol B and sends the challenge nt to the tag. The tag answers withnt′, h(nt′, h(nt, ID ′)). The attacker can then obviously test whether ID = ID ′.While the protocols in Figure 1 can be considered as specially crafted pro-tocols, we show that the protocols of Lee, Batina, and Verbauwhede [8] sufferfrom the same type of problem. These protocols are a revision of EC-RAC [9]which has been shown to be flawed with respect to authentication and untrace-ability [10–12].⋆ Ton van Deursen was supported by a grant from the Fonds National de la Recherche(Luxembourg).IDRIDTQuerynonce ntnt, h(nt, ID)(a) Protocol AIDRIDTnonce nrnrnonce ntnt, h(nt, h(nr, ID))(b) Protocol BFig. 1: Protocols untraceable in isolation, but not in common environment.2 The proposed family of protocolsThe protocols proposed by Lee, Batina, and Verbauwhede are constructed fromfour components. Proof sketches for the authentication property of the indi-vidual components have been given, then the components have been composedleading to the six protocols shown in Figures 2 and 3. We note that no proof ofuntraceability has been given.The protocols are based on a fixed, system-wide elliptic curve over a finitefield. The points P and Y = yP on the elliptic curve are publicly known, thescalar y and the points x1P and x2P are only known to the server, and thescalars x1, x2 are unique to each tag and only known to the tag. For scalabilityreasons, the server additionally knows x1 in protocols 2, 3, 5, and 6. The ellipticcurve is assumed to have been chosen such that the computational Diffie-Hellmanproblem is hard, that is, given only the points xP , yP , and P on the ellipticcurve, it is hard to compute xyP .All the protocols follow the same commitment-challenge-response structure.More precisely, in all protocols the tag sends a random point on the elliptic curvewhich serves as a commitment. The server challenges the tag with a randominteger upon which the tag answers with a point depending on the commitmentand the challenge. The idea of such schemes is that anybody able to produce thecorrect response can also compute a particular secret, thus successful completionof the protocol constitutes a proof of knowledge for the secret. A moment’sthought shows that for the present protocols, the secrets in question are thepoints x1Y and x2Y .Protocols 4 through 6 additionally include a challenge-response loop wherethe tag challenges the server and the server proves knowledge of its secret key y.3 Attacks on the protocolsThe main flaw in protocols 4 through 6 is that the challenge-response loop whichis supposed to prove the server’s authenticity can be abused as an oracle in orderto impersonate a tag to a server. This flaw is not surprising, since the sameS Trt1 ∈R Zrs1 ∈R ZT1 := rt1Prs1T2 := (rt1 + rs1x1)Yfind x1P = (y−1T2 − T1)r−1s1(a) Protocol 1S Trt1 ∈R Zrs1 ∈R ZT1 := rt1Prs1T2:=(rt1+rs1x1)YT3:=(rt1x1+rs1x2)Yfind x1P = (y−1T2 − T1)r−1s1x2P = (y−1T3 − x1T1)r−1s1(b) Protocol 2S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2Prs1T3:=(rt1+rs1x1)YT4:=(rt2x1+rs1x2)Yfind x1P = (y−1T3 − T1)r−1s1x2P = (y−1T4 − x1T2)r−1s1(c) Protocol 3Fig. 2: Protocols 1 through 3secret key y is being used for two different purposes. Both the tag-to-serverauthentication and the server-to-tag authentication depend on it. Thus the twocomponents are not independent of each other (in the sense of [3]) and hence thesecurity of the two components in isolation does not imply their security whenthey are composed.To use the first two messages of protocols 4, 5, and 6 as an oracle, theadversary submits any non-zero point on the system’s elliptic curve and receivesthe multiple of the point by the server’s secret key y. In the following we willrefer to this oracle as the function P → O(P ) = yP .3.1 Untraceability attacks on protocols 4, 5, and 6Consider the messages rt2P , rs1, (rt2 + rs1x1)Y an attacker learns from proto-cols 4, 5, and 6 by eavesdropping on a communication between a server and atag. In order to trace the tag, the attacker needs to be able to decide whethera tag presented to him is the same as the one he eavesdropped on earlier. Byeavesdropping on another communication of a tag and server (or by querying atag himself) the attacker learns r′t2P , r′s1, (r′t2 + r′s1x′1)Y . He then computesrs1 r′t2P − r′s1 rt2P = (rs1r′t2 − r′s1rt2)Pandrs1(r′t2 + r′s1x′1)Y − r′s1(rt2 + rs1x1)Y (1)For rs1, r′s1 6= 0, the term in (1) is equal to (rs1r′t2 − r′s1rt2)Y if and only ifx1 = x′1, that is, if the tag being queried by the attacker is the same tag as theone that was observed earlier. The attacker uses the oracle to decide whether thisis the case or not: On submitting (rs1r′t2 − r′s1rt2)P to the oracle, the attackerreceives (rs1r′t2− r′s1rt2)Y . This equals the term in (1) if and only if the tag hasbeen observed before.Thus none of the protocols 4, 5, and 6 are untraceable. In particular, pro-tocols 4 and 6 do not satisfy the claimed forward and backward untraceabilityproperties either.3.2 Authentication attacks on protocols 4, 5, and 6In order to break tag-to-server authentication in these protocols, an adversaryneeds to know the term x1Y , and the term x2Y (in protocols 5 and 6). The ad-versary learns these two terms from the tag’s public keys x1P , x2P by computingO(xiP1) = xiY , (i = 1, 2). According to the attacker model specified for theseprotocols, an attacker is initially only allowed to know Y , P , and the order of thesystem’s elliptic curve, but not the tags’ public keys. Under this restriction, onlya rogue server in the system is able to impersonate tags. Protocol 4, however,is even vulnerable if the adversary does not know the tag’s public keys. In thiscase the adversary can learn x1Y by eavesdropping on one protocol executionbetween a tag and a server and performing the following computation.By eavesdropping on one communication between a tag and a server, anattacker obtains rt2P , the challenge rs1, and (rt2 + rs1x1)Y . He then computesr−1s1 rt2P and r−1s1 (rt2 + rs1x1)Y = (r−1s1 rt2 +x1)Y . Using the oracle, the attackerobtains O(r−1s1 rt2P ) = r−1s1 rt2Y and computes the difference (r−1s1 rt2 + x1)Y −r−1s1 rt2Y = x1Y . After learning x1Y and x2Y by using the oracles as describedabove, an attacker can impersonate a tag as follows.Protocol 4. The attacker chooses a random integer rt1, submits rt1P to theserver, and is challenged by rs1. To answer this challenge, the attacker computesrs1x1Y , and rt2Y and sends back the sum of these two points.Protocol 5. The attacker chooses random integers rt1, rt2, submits T1, T2 tothe server, and is challenged by rs1. To answer this challenge, the attacker com-putes T3 from the sum of rs1x1Y , and rt2Y . To compute T4, the attacker mul-tiplies x1Y by rt2 and x2Y by rs1 and computes the sum of these two points.Protocol 6. The attacker chooses random integers rt1, rt2, rt3, submits T1, T2, T3to the server, and is challenged by rs1. To answer this challenge, the attackercomputes T4 from the sum of rs1x1Y , and rt2Y . To compute T5, the attackermultiplies x1Y by rt3 and x2Y by rs1 and computes the sum of these two points.S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2PT1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T3 := (rt2 + rs1x1)Yfind x1P = (y−1T3 − T2)r−1s1(a) Protocol 4S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2PT1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T3:=(rt2+rs1x1)YT4:=(rt2x1+rs1x2)Yfind x1P = (y−1T3 − T1)r−1s1x2P = (y−1T4 − x1T2)r−1s1(b) Protocol 5S Trs1 ∈R Z rt1, rt2, rt3 ∈R ZTi := rtiP , (i = 1, 2, 3)T1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T4:=(rt2+rs1x1)YT5:=(rt3x1+rs1x2)Yfind x1P = (y−1T4 − T2)r−1s1x2P = (y−1T5 − x1T3)r−1s1(c) Protocol 6Fig. 3: Protocols 4 through 63.3 Untraceability attacks on all protocolsWe demonstrate a man-in-the-middle attack on the ID-transfer component thatallows a wide-strong adversary of (in the sense of Vaudenay [13]) to trace a tagin all of the six protocols.S E Tr′t1 ∈R Zr′s1 ∈R ZT ′1 := r′t1PT ′1 := r′t1P + rt1Pr′s1r′s1 − rs1T ′2 := (r′t1 + (r′s1 − rs1)x′1)YT ′2 := ((r′t1 + rt1) + r′s1x′1)Yfind x′1P = (y−1T ′2 − T′1)r′−1s1Fig. 4: Man-in-the-middle attack on Protocol 1By eavesdropping on protocol 1, the adversary obtains the messages rt1P ,rs1, and (rt1+rs1x1)Y . He then mounts a man-in-the-middle attack on a secondcommunication to test whether the same tag is present as shown in Figure 4.The adversary adds the previously observed rt1P to the commitment r′t1P andsubtracts rs1 from the new commitment r′s1. The new and old responses areadded and sent to the server:T ′2 = (rt1 + rs1x1)Y + (r′t1 + (r′s1 − rs1)x′1)Y= ((rt1 + r′t1) + rs1x1 + (r′s1 − rs1)x′1)YThis response is accepted by the server if and only if x1 = x′1, i.e. if the tagis the same as the one that was previously observed. Therefore, a wide-strongadversary can trace tags. The same attack is possible on protocols 2 through 6since they are extensions of protocol 1.Note that a wide-strong adversary can also trace tags in the protocol proposedby Bringer et al. [11] using the same method. This protocol has, however, onlybeen claimed and proven secure against narrow-strong adversaries.4 Repairing the flawsThe protocol compositions can be improved by assuring that one component inthe composition cannot be used as an oracle for another. For protocol 4, this canbe achieved without compromising efficiency of the scheme. We equip the serverwith a second secret y2, generated randomly and independently of y, and storethe point y2P in every tag. In the second message, the server sends y2T1 insteadof yT1, to prove server authenticity to the tag. A similar approach improvesprotocols 5 and 6.To defend against the man-in-the-middle attacks, a stronger form of authen-tication seems to be unavoidable. In its current form, protocol 1 provides recentaliveness [14]: the server is guaranteed that the tag has recently produced a mes-sage. However, agreement [14] is clearly not satisfied as shown by the attack inFigure 4. At the end of the run, the server believes the following messages wereexchanged(r′t1 + rt1)P r′s1 ((r′t1 + rt1) + r′s1x′1)Y,while for the tag the transcript readsr′t1P r′s1 − rs1 (r′t1 + (r′s1 − rs1)x′1)Y.As shown above, the adversary abuses this discrepancy and the reader’s reactionto it to trace tags. To foil the attack, we need to make sure that reader and tagagree on the contents of all messages.The simplest solution is to use message authentication codes based on ashared secret. The last message would then include a hash of the previous mes-sages (including the payload of the current message) and a secret known only toserver and tag. A suitable candidate would be h(rt1P, rs1, (rt1 + rs1x1)Y, xyP ).Since (rt1 + rs1x1)Y is uniquely determined by the other three components ofthe hash it does not have to be included, reducing the message authenticationcode to h(rt1P, rs1, xyP ).Although this solution prevents these particular man-in-the-middle attacks,it is more resource intensive since it additionally requires a cryptographic hashfunction to be implemented (and computed) on the tag. We conjecture thatprotocol 5 can also be made resistant to man-in-the-middle attacks by modifyingthe computation of T4 in the third message. Replacing T4 by (rt2x1 − rs1x2)Yprevents the presented man-in-the-middle attack and obvious derivatives thereof.It is unclear, however, whether this introduces new vulnerabilities.References1. Canetti, R.: Universally composable security: A new paradigm for cryptographicprotocols. In: FOCS. (2001) 136–1452. Canetti, R.: Universally composable security: A new paradigm for cryp-tographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000)http://eprint.iacr.org/.3. Andova, S., Cremers, C., Gjøsteen, K., Mauw, S., Mjølsnes, S., Radomirovic´, S.:A framework for compositional verification of security protocols. Information andComputation 206 (February-April 2008) 425–4594. Heintze, N., Tygar, J.D.: A model for secure protocols and their compositions.IEEE Trans. Software Eng. 22(1) (1996) 16–305. Kelsey, J., Schneier, B., Wagner, D.: Protocol interactions and the chosen protocolattack. In: Security Protocols Workshop. (1997) 91–1046. Cremers, C.: Feasibility of multi-protocol attacks. In: Proc. of The First In-ternational Conference on Availability, Reliability and Security (ARES), Vienna,Austria, IEEE Computer Society (April 2006) 287–2947. Tzeng, W.G., Hu, C.M.: Inter-protocol interleaving attacks on some authenticationand key distribution protocols. Inf. Process. Lett. 69(6) (1999) 297–3028. Lee, Y., Batina, L., Verbauwhede, I.: Untraceable RFID authentication protocols:Revision of EC-RAC. In: IEEE International Conference on RFID – RFID 2009,Orlando, Florida, USA (April 2009)9. Lee, Y.K., Batina, L., Verbauwhede, I.: EC-RAC (ECDLP based randomizedaccess control): Provably secure RFID authentication protocol. In: Proceedings ofthe 2008 IEEE International Conference on RFID. (2008) 97–10410. van Deursen, T., Radomirovic´, S.: Attacks on RFID protocols (ver-sion 1.0). Cryptology ePrint Archive, Report 2008/310 (July 2008)http://eprint.iacr.org/2008/310.11. Bringer, J., Chabanne, H., Icart, T.: Cryptanalysis of EC-RAC, a RFID identifi-cation protocol. In: CANS. (2008) 149–16112. van Deursen, T., Radomirovic´, S.: Algebraic attacks on RFID protocols. In: In-formation Security Theory and Practices. Smart Devices, Pervasive Systems, andUbiquitous Networks (to appear). Lecture Notes in Computer Science, Brussels,Belgium, Springer (2009)13. Vaudenay, S.: On privacy models for RFID. In: Advances in Cryptology - ASI-ACRYPT 2007. Volume 4833 of Lecture Notes in Computer Science., Kuching,Malaysia, Springer-Verlag (December 2007) 68–8714. Lowe, G.: A hierarchy of authentication specifications. In: CSFW. (1997) 31–44

Untraceable RFID protocols are not trivially composable:Attacks on the revision of EC-RAC

Ton van Deursen

Sasa Radomirovic

Cryptology ePrint Archive

Untraceable RFID protocols are not triviallycomposable:Attacks on the revision of EC-RACTon van Deursen⋆ and Saša RadomirovićUniversity of LuxembourgAbstract. It is well-known that protocols that satisfy a security prop-erty when executed in isolation do not necessarily satisfy the same se-curity property when they are executed in an environment containingother protocols.We demonstrate this fact on a family of recently proposed RFID proto-cols by Lee, Batina, and Verbauwhede. We invalidate the authenticationand untraceability claims made for several of the family’s protocols.We also present man-in-the-middle attacks on untraceability in all of theprotocols in the family. Similar attacks can be carried out on some otherprotocols in the literature, as well.We briefly indicate how to repair the protocols.1 IntroductionIt is well-known [1–5] that protocols satisfying a security property when executedin isolation do not necessarily satisfy the same security property when they areexecuted in an environment containing other protocols.In particular, it has been shown that composition of two secrecy-preservingprotocols may introduce attacks [6]. Similar results have been obtained for thecomposition of authentication protocols [7]. It is easy to see that the same holdstrue for untraceability. Consider for instance the two protocols shown in Figure 1.Each of the protocols can be shown to be untraceable in isolation. But if anRFID tag implements both protocols, it becomes traceable. An attacker selectsprotocol A to obtain nt, h(nt, ID) from any tag he is interested in tracing. Totest whether a random tag is a tag the attacker is interested in, the attackerselects protocol B and sends the challenge nt to the tag. The tag answers withnt′, h(nt′, h(nt, ID ′)). The attacker can then obviously test whether ID = ID ′.While the protocols in Figure 1 can be considered as specially crafted pro-tocols, we show that the protocols of Lee, Batina, and Verbauwhede [8] sufferfrom the same type of problem. These protocols are a revision of EC-RAC [9]which has been shown to be flawed with respect to authentication and untrace-ability [10–12].⋆ Ton van Deursen was supported by a grant from the Fonds National de la Recherche(Luxembourg).IDRIDTQuerynonce ntnt, h(nt, ID)(a) Protocol AIDRIDTnonce nrnrnonce ntnt, h(nt, h(nr, ID))(b) Protocol BFig. 1: Protocols untraceable in isolation, but not in common environment.2 The proposed family of protocolsThe protocols proposed by Lee, Batina, and Verbauwhede are constructed fromfour components. Proof sketches for the authentication property of the indi-vidual components have been given, then the components have been composedleading to the six protocols shown in Figures 2 and 3. We note that no proof ofuntraceability has been given.The protocols are based on a fixed, system-wide elliptic curve over a finitefield. The points P and Y = yP on the elliptic curve are publicly known, thescalar y and the points x1P and x2P are only known to the server, and thescalars x1, x2 are unique to each tag and only known to the tag. For scalabilityreasons, the server additionally knows x1 in protocols 2, 3, 5, and 6. The ellipticcurve is assumed to have been chosen such that the computational Diffie-Hellmanproblem is hard, that is, given only the points xP , yP , and P on the ellipticcurve, it is hard to compute xyP .All the protocols follow the same commitment-challenge-response structure.More precisely, in all protocols the tag sends a random point on the elliptic curvewhich serves as a commitment. The server challenges the tag with a randominteger upon which the tag answers with a point depending on the commitmentand the challenge. The idea of such schemes is that anybody able to produce thecorrect response can also compute a particular secret, thus successful completionof the protocol constitutes a proof of knowledge for the secret. A moment’sthought shows that for the present protocols, the secrets in question are thepoints x1Y and x2Y .Protocols 4 through 6 additionally include a challenge-response loop wherethe tag challenges the server and the server proves knowledge of its secret key y.3 Attacks on the protocolsThe main flaw in protocols 4 through 6 is that the challenge-response loop whichis supposed to prove the server’s authenticity can be abused as an oracle in orderto impersonate a tag to a server. This flaw is not surprising, since the sameS Trt1 ∈R Zrs1 ∈R ZT1 := rt1Prs1T2 := (rt1 + rs1x1)Yfind x1P = (y−1T2 − T1)r−1s1(a) Protocol 1S Trt1 ∈R Zrs1 ∈R ZT1 := rt1Prs1T2:=(rt1+rs1x1)YT3:=(rt1x1+rs1x2)Yfind x1P = (y−1T2 − T1)r−1s1x2P = (y−1T3 − x1T1)r−1s1(b) Protocol 2S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2Prs1T3:=(rt1+rs1x1)YT4:=(rt2x1+rs1x2)Yfind x1P = (y−1T3 − T1)r−1s1x2P = (y−1T4 − x1T2)r−1s1(c) Protocol 3Fig. 2: Protocols 1 through 3secret key y is being used for two different purposes. Both the tag-to-serverauthentication and the server-to-tag authentication depend on it. Thus the twocomponents are not independent of each other (in the sense of [3]) and hence thesecurity of the two components in isolation does not imply their security whenthey are composed.To use the first two messages of protocols 4, 5, and 6 as an oracle, theadversary submits any non-zero point on the system’s elliptic curve and receivesthe multiple of the point by the server’s secret key y. In the following we willrefer to this oracle as the function P → O(P ) = yP .3.1 Untraceability attacks on protocols 4, 5, and 6Consider the messages rt2P , rs1, (rt2 + rs1x1)Y an attacker learns from proto-cols 4, 5, and 6 by eavesdropping on a communication between a server and atag. In order to trace the tag, the attacker needs to be able to decide whethera tag presented to him is the same as the one he eavesdropped on earlier. Byeavesdropping on another communication of a tag and server (or by querying atag himself) the attacker learns r′t2P , r′s1, (r′t2 + r′s1x′1)Y . He then computesrs1 r′t2P − r′s1 rt2P = (rs1r′t2 − r′s1rt2)Pandrs1(r′t2 + r′s1x′1)Y − r′s1(rt2 + rs1x1)Y (1)For rs1, r′s1 6= 0, the term in (1) is equal to (rs1r′t2 − r′s1rt2)Y if and only ifx1 = x′1, that is, if the tag being queried by the attacker is the same tag as theone that was observed earlier. The attacker uses the oracle to decide whether thisis the case or not: On submitting (rs1r′t2 − r′s1rt2)P to the oracle, the attackerreceives (rs1r′t2 − r′s1rt2)Y . This equals the term in (1) if and only if the tag hasbeen observed before.Thus none of the protocols 4, 5, and 6 are untraceable. In particular, pro-tocols 4 and 6 do not satisfy the claimed forward and backward untraceabilityproperties either.3.2 Authentication attacks on protocols 4, 5, and 6In order to break tag-to-server authentication in these protocols, an adversaryneeds to know the term x1Y , and the term x2Y (in protocols 5 and 6). The ad-versary learns these two terms from the tag’s public keys x1P , x2P by computingO(xiP1) = xiY , (i = 1, 2). According to the attacker model specified for theseprotocols, an attacker is initially only allowed to know Y , P , and the order of thesystem’s elliptic curve, but not the tags’ public keys. Under this restriction, onlya rogue server in the system is able to impersonate tags. Protocol 4, however,is even vulnerable if the adversary does not know the tag’s public keys. In thiscase the adversary can learn x1Y by eavesdropping on one protocol executionbetween a tag and a server and performing the following computation.By eavesdropping on one communication between a tag and a server, anattacker obtains rt2P , the challenge rs1, and (rt2 + rs1x1)Y . He then computesr−1s1 rt2P and r−1s1 (rt2 + rs1x1)Y = (r−1s1 rt2 +x1)Y . Using the oracle, the attackerobtains O(r−1s1 rt2P ) = r−1s1 rt2Y and computes the difference (r−1s1 rt2 + x1)Y −r−1s1 rt2Y = x1Y . After learning x1Y and x2Y by using the oracles as describedabove, an attacker can impersonate a tag as follows.Protocol 4. The attacker chooses a random integer rt1, submits rt1P to theserver, and is challenged by rs1. To answer this challenge, the attacker computesrs1x1Y , and rt2Y and sends back the sum of these two points.Protocol 5. The attacker chooses random integers rt1, rt2, submits T1, T2 tothe server, and is challenged by rs1. To answer this challenge, the attacker com-putes T3 from the sum of rs1x1Y , and rt2Y . To compute T4, the attacker mul-tiplies x1Y by rt2 and x2Y by rs1 and computes the sum of these two points.Protocol 6. The attacker chooses random integers rt1, rt2, rt3, submits T1, T2, T3to the server, and is challenged by rs1. To answer this challenge, the attackercomputes T4 from the sum of rs1x1Y , and rt2Y . To compute T5, the attackermultiplies x1Y by rt3 and x2Y by rs1 and computes the sum of these two points.S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2PT1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T3 := (rt2 + rs1x1)Yfind x1P = (y−1T3 − T2)r−1s1(a) Protocol 4S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2PT1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T3:=(rt2+rs1x1)YT4:=(rt2x1+rs1x2)Yfind x1P = (y−1T3 − T1)r−1s1x2P = (y−1T4 − x1T2)r−1s1(b) Protocol 5S Trs1 ∈R Z rt1, rt2, rt3 ∈R ZTi := rtiP , (i = 1, 2, 3)T1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T4:=(rt2+rs1x1)YT5:=(rt3x1+rs1x2)Yfind x1P = (y−1T4 − T2)r−1s1x2P = (y−1T5 − x1T3)r−1s1(c) Protocol 6Fig. 3: Protocols 4 through 63.3 Untraceability attacks on all protocolsWe demonstrate a man-in-the-middle attack on the ID-transfer component thatallows a wide-strong adversary of (in the sense of Vaudenay [13]) to trace a tagin all of the six protocols.S E Tr′t1 ∈R Zr′s1 ∈R ZT ′1 := r′t1PT ′1 := r′t1P + rt1Pr′s1r′s1 − rs1T ′2 := (r′t1 + (r′s1 − rs1)x′1)YT ′2 := ((r′t1 + rt1) + r′s1x′1)Yfind x′1P = (y−1T ′2 − T′1)r′−1s1Fig. 4: Man-in-the-middle attack on Protocol 1By eavesdropping on protocol 1, the adversary obtains the messages rt1P ,rs1, and (rt1 +rs1x1)Y . He then mounts a man-in-the-middle attack on a secondcommunication to test whether the same tag is present as shown in Figure 4.The adversary adds the previously observed rt1P to the commitment r′t1P andsubtracts rs1 from the new commitment r′s1. The new and old responses areadded and sent to the server:T ′2 = (rt1 + rs1x1)Y + (r′t1 + (r′s1 − rs1)x′1)Y= ((rt1 + r′t1) + rs1x1 + (r′s1 − rs1)x′1)YThis response is accepted by the server if and only if x1 = x′1, i.e. if the tagis the same as the one that was previously observed. Therefore, a wide-strongadversary can trace tags. The same attack is possible on protocols 2 through 6since they are extensions of protocol 1.Note that a wide-strong adversary can also trace tags in the protocol proposedby Bringer et al. [11] using the same method. This protocol has, however, onlybeen claimed and proven secure against narrow-strong adversaries.4 Repairing the flawsThe protocol compositions can be improved by assuring that one component inthe composition cannot be used as an oracle for another. For protocol 4, this canbe achieved without compromising efficiency of the scheme. We equip the serverwith a second secret y2, generated randomly and independently of y, and storethe point y2P in every tag. In the second message, the server sends y2T1 insteadof yT1, to prove server authenticity to the tag. A similar approach improvesprotocols 5 and 6.To defend against the man-in-the-middle attacks, a stronger form of authen-tication seems to be unavoidable. In its current form, protocol 1 provides recentaliveness [14]: the server is guaranteed that the tag has recently produced a mes-sage. However, agreement [14] is clearly not satisfied as shown by the attack inFigure 4. At the end of the run, the server believes the following messages wereexchanged(r′t1 + rt1)P r′s1 ((r′t1 + rt1) + r′s1x′1)Y,while for the tag the transcript readsr′t1P r′s1 − rs1 (r′t1 + (r′s1 − rs1)x′1)Y.As shown above, the adversary abuses this discrepancy and the reader’s reactionto it to trace tags. To foil the attack, we need to make sure that reader and tagagree on the contents of all messages.The simplest solution is to use message authentication codes based on ashared secret. The last message would then include a hash of the previous mes-sages (including the payload of the current message) and a secret known only toserver and tag. A suitable candidate would be h(rt1P, rs1, (rt1 + rs1x1)Y, xyP ).Since (rt1 + rs1x1)Y is uniquely determined by the other three components ofthe hash it does not have to be included, reducing the message authenticationcode to h(rt1P, rs1, xyP ).Although this solution prevents these particular man-in-the-middle attacks,it is more resource intensive since it additionally requires a cryptographic hashfunction to be implemented (and computed) on the tag. We conjecture thatprotocol 5 can also be made resistant to man-in-the-middle attacks by modifyingthe computation of T4 in the third message. Replacing T4 by (rt2x1 − rs1x2)Yprevents the presented man-in-the-middle attack and obvious derivatives thereof.It is unclear, however, whether this introduces new vulnerabilities.References1. Canetti, R.: Universally composable security: A new paradigm for cryptographicprotocols. In: FOCS. (2001) 136–1452. Canetti, R.: Universally composable security: A new paradigm for cryp-tographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000)http://eprint.iacr.org/.3. Andova, S., Cremers, C., Gjøsteen, K., Mauw, S., Mjølsnes, S., Radomirović, S.:A framework for compositional verification of security protocols. Information andComputation 206 (February-April 2008) 425–4594. Heintze, N., Tygar, J.D.: A model for secure protocols and their compositions.IEEE Trans. Software Eng. 22(1) (1996) 16–305. Kelsey, J., Schneier, B., Wagner, D.: Protocol interactions and the chosen protocolattack. In: Security Protocols Workshop. (1997) 91–1046. Cremers, C.: Feasibility of multi-protocol attacks. In: Proc. of The First In-ternational Conference on Availability, Reliability and Security (ARES), Vienna,Austria, IEEE Computer Society (April 2006) 287–2947. Tzeng, W.G., Hu, C.M.: Inter-protocol interleaving attacks on some authenticationand key distribution protocols. Inf. Process. Lett. 69(6) (1999) 297–3028. Lee, Y., Batina, L., Verbauwhede, I.: Untraceable RFID authentication protocols:Revision of EC-RAC. In: IEEE International Conference on RFID – RFID 2009,Orlando, Florida, USA (April 2009)9. Lee, Y.K., Batina, L., Verbauwhede, I.: EC-RAC (ECDLP based randomizedaccess control): Provably secure RFID authentication protocol. In: Proceedings ofthe 2008 IEEE International Conference on RFID. (2008) 97–10410. van Deursen, T., Radomirović, S.: Attacks on RFID protocols (ver-sion 1.0). Cryptology ePrint Archive, Report 2008/310 (July 2008)http://eprint.iacr.org/2008/310.11. Bringer, J., Chabanne, H., Icart, T.: Cryptanalysis of EC-RAC, a RFID identifi-cation protocol. In: CANS. (2008) 149–16112. van Deursen, T., Radomirović, S.: Algebraic attacks on RFID protocols. In: In-formation Security Theory and Practices. Smart Devices, Pervasive Systems, andUbiquitous Networks (to appear). Lecture Notes in Computer Science, Brussels,Belgium, Springer (2009)13. Vaudenay, S.: On privacy models for RFID. In: Advances in Cryptology - ASI-ACRYPT 2007. Volume 4833 of Lecture Notes in Computer Science., Kuching,Malaysia, Springer-Verlag (December 2007) 68–8714. Lowe, G.: A hierarchy of authentication specifications. In: CSFW. (1997) 31–44

Untraceable RFID protocols are not trivially composable: Attacks on the revision of EC-RAC

                                                                    University of DundeeUntraceable RFID protocols are not trivially composablevan Deursen, Ton; Radomirović, SašaPublished in:Cryptology ePrint ArchivePublication date:2009Licence:CC BYDocument VersionPublisher's PDF, also known as Version of recordLink to publication in Discovery Research PortalCitation for published version (APA):van Deursen, T., & Radomirović, S. (2009). Untraceable RFID protocols are not trivially composable: Attacks onthe revision of EC-RAC. Cryptology ePrint Archive, 2009(332), 1-8.General rightsCopyright and moral rights for the publications made accessible in Discovery Research Portal are retained by the authors and/or othercopyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated withthese rights. • Users may download and print one copy of any publication from Discovery Research Portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain. • You may freely distribute the URL identifying the publication in the public portal.Take down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediatelyand investigate your claim.Download date: 18. Apr. 2023Untraceable RFID protocols are not triviallycomposable:Attacks on the revision of EC-RACTon van Deursen⋆ and Saša RadomirovićUniversity of LuxembourgAbstract. It is well-known that protocols that satisfy a security prop-erty when executed in isolation do not necessarily satisfy the same se-curity property when they are executed in an environment containingother protocols.We demonstrate this fact on a family of recently proposed RFID proto-cols by Lee, Batina, and Verbauwhede. We invalidate the authenticationand untraceability claims made for several of the family’s protocols.We also present man-in-the-middle attacks on untraceability in all of theprotocols in the family. Similar attacks can be carried out on some otherprotocols in the literature, as well.We briefly indicate how to repair the protocols.1 IntroductionIt is well-known [1–5] that protocols satisfying a security property when executedin isolation do not necessarily satisfy the same security property when they areexecuted in an environment containing other protocols.In particular, it has been shown that composition of two secrecy-preservingprotocols may introduce attacks [6]. Similar results have been obtained for thecomposition of authentication protocols [7]. It is easy to see that the same holdstrue for untraceability. Consider for instance the two protocols shown in Figure 1.Each of the protocols can be shown to be untraceable in isolation. But if anRFID tag implements both protocols, it becomes traceable. An attacker selectsprotocol A to obtain nt, h(nt, ID) from any tag he is interested in tracing. Totest whether a random tag is a tag the attacker is interested in, the attackerselects protocol B and sends the challenge nt to the tag. The tag answers withnt′, h(nt′, h(nt, ID ′)). The attacker can then obviously test whether ID = ID ′.While the protocols in Figure 1 can be considered as specially crafted pro-tocols, we show that the protocols of Lee, Batina, and Verbauwhede [8] sufferfrom the same type of problem. These protocols are a revision of EC-RAC [9]which has been shown to be flawed with respect to authentication and untrace-ability [10–12].⋆ Ton van Deursen was supported by a grant from the Fonds National de la Recherche(Luxembourg).IDRIDTQuerynonce ntnt, h(nt, ID)(a) Protocol AIDRIDTnonce nrnrnonce ntnt, h(nt, h(nr, ID))(b) Protocol BFig. 1: Protocols untraceable in isolation, but not in common environment.2 The proposed family of protocolsThe protocols proposed by Lee, Batina, and Verbauwhede are constructed fromfour components. Proof sketches for the authentication property of the indi-vidual components have been given, then the components have been composedleading to the six protocols shown in Figures 2 and 3. We note that no proof ofuntraceability has been given.The protocols are based on a fixed, system-wide elliptic curve over a finitefield. The points P and Y = yP on the elliptic curve are publicly known, thescalar y and the points x1P and x2P are only known to the server, and thescalars x1, x2 are unique to each tag and only known to the tag. For scalabilityreasons, the server additionally knows x1 in protocols 2, 3, 5, and 6. The ellipticcurve is assumed to have been chosen such that the computational Diffie-Hellmanproblem is hard, that is, given only the points xP , yP , and P on the ellipticcurve, it is hard to compute xyP .All the protocols follow the same commitment-challenge-response structure.More precisely, in all protocols the tag sends a random point on the elliptic curvewhich serves as a commitment. The server challenges the tag with a randominteger upon which the tag answers with a point depending on the commitmentand the challenge. The idea of such schemes is that anybody able to produce thecorrect response can also compute a particular secret, thus successful completionof the protocol constitutes a proof of knowledge for the secret. A moment’sthought shows that for the present protocols, the secrets in question are thepoints x1Y and x2Y .Protocols 4 through 6 additionally include a challenge-response loop wherethe tag challenges the server and the server proves knowledge of its secret key y.3 Attacks on the protocolsThe main flaw in protocols 4 through 6 is that the challenge-response loop whichis supposed to prove the server’s authenticity can be abused as an oracle in orderto impersonate a tag to a server. This flaw is not surprising, since the sameS Trt1 ∈R Zrs1 ∈R ZT1 := rt1Prs1T2 := (rt1 + rs1x1)Yfind x1P = (y−1T2 − T1)r−1s1(a) Protocol 1S Trt1 ∈R Zrs1 ∈R ZT1 := rt1Prs1T2:=(rt1+rs1x1)YT3:=(rt1x1+rs1x2)Yfind x1P = (y−1T2 − T1)r−1s1x2P = (y−1T3 − x1T1)r−1s1(b) Protocol 2S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2Prs1T3:=(rt1+rs1x1)YT4:=(rt2x1+rs1x2)Yfind x1P = (y−1T3 − T1)r−1s1x2P = (y−1T4 − x1T2)r−1s1(c) Protocol 3Fig. 2: Protocols 1 through 3secret key y is being used for two different purposes. Both the tag-to-serverauthentication and the server-to-tag authentication depend on it. Thus the twocomponents are not independent of each other (in the sense of [3]) and hence thesecurity of the two components in isolation does not imply their security whenthey are composed.To use the first two messages of protocols 4, 5, and 6 as an oracle, theadversary submits any non-zero point on the system’s elliptic curve and receivesthe multiple of the point by the server’s secret key y. In the following we willrefer to this oracle as the function P → O(P ) = yP .3.1 Untraceability attacks on protocols 4, 5, and 6Consider the messages rt2P , rs1, (rt2 + rs1x1)Y an attacker learns from proto-cols 4, 5, and 6 by eavesdropping on a communication between a server and atag. In order to trace the tag, the attacker needs to be able to decide whethera tag presented to him is the same as the one he eavesdropped on earlier. Byeavesdropping on another communication of a tag and server (or by querying atag himself) the attacker learns r′t2P , r′s1, (r′t2 + r′s1x′1)Y . He then computesrs1 r′t2P − r′s1 rt2P = (rs1r′t2 − r′s1rt2)Pandrs1(r′t2 + r′s1x′1)Y − r′s1(rt2 + rs1x1)Y (1)For rs1, r′s1 6= 0, the term in (1) is equal to (rs1r′t2 − r′s1rt2)Y if and only ifx1 = x′1, that is, if the tag being queried by the attacker is the same tag as theone that was observed earlier. The attacker uses the oracle to decide whether thisis the case or not: On submitting (rs1r′t2 − r′s1rt2)P to the oracle, the attackerreceives (rs1r′t2 − r′s1rt2)Y . This equals the term in (1) if and only if the tag hasbeen observed before.Thus none of the protocols 4, 5, and 6 are untraceable. In particular, pro-tocols 4 and 6 do not satisfy the claimed forward and backward untraceabilityproperties either.3.2 Authentication attacks on protocols 4, 5, and 6In order to break tag-to-server authentication in these protocols, an adversaryneeds to know the term x1Y , and the term x2Y (in protocols 5 and 6). The ad-versary learns these two terms from the tag’s public keys x1P , x2P by computingO(xiP1) = xiY , (i = 1, 2). According to the attacker model specified for theseprotocols, an attacker is initially only allowed to know Y , P , and the order of thesystem’s elliptic curve, but not the tags’ public keys. Under this restriction, onlya rogue server in the system is able to impersonate tags. Protocol 4, however,is even vulnerable if the adversary does not know the tag’s public keys. In thiscase the adversary can learn x1Y by eavesdropping on one protocol executionbetween a tag and a server and performing the following computation.By eavesdropping on one communication between a tag and a server, anattacker obtains rt2P , the challenge rs1, and (rt2 + rs1x1)Y . He then computesr−1s1 rt2P and r−1s1 (rt2 + rs1x1)Y = (r−1s1 rt2 +x1)Y . Using the oracle, the attackerobtains O(r−1s1 rt2P ) = r−1s1 rt2Y and computes the difference (r−1s1 rt2 + x1)Y −r−1s1 rt2Y = x1Y . After learning x1Y and x2Y by using the oracles as describedabove, an attacker can impersonate a tag as follows.Protocol 4. The attacker chooses a random integer rt1, submits rt1P to theserver, and is challenged by rs1. To answer this challenge, the attacker computesrs1x1Y , and rt2Y and sends back the sum of these two points.Protocol 5. The attacker chooses random integers rt1, rt2, submits T1, T2 tothe server, and is challenged by rs1. To answer this challenge, the attacker com-putes T3 from the sum of rs1x1Y , and rt2Y . To compute T4, the attacker mul-tiplies x1Y by rt2 and x2Y by rs1 and computes the sum of these two points.Protocol 6. The attacker chooses random integers rt1, rt2, rt3, submits T1, T2, T3to the server, and is challenged by rs1. To answer this challenge, the attackercomputes T4 from the sum of rs1x1Y , and rt2Y . To compute T5, the attackermultiplies x1Y by rt3 and x2Y by rs1 and computes the sum of these two points.S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2PT1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T3 := (rt2 + rs1x1)Yfind x1P = (y−1T3 − T2)r−1s1(a) Protocol 4S Trs1 ∈R Z rt1, rt2 ∈R ZT1:=rt1PT2:=rt2PT1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T3:=(rt2+rs1x1)YT4:=(rt2x1+rs1x2)Yfind x1P = (y−1T3 − T1)r−1s1x2P = (y−1T4 − x1T2)r−1s1(b) Protocol 5S Trs1 ∈R Z rt1, rt2, rt3 ∈R ZTi := rtiP , (i = 1, 2, 3)T1 on EC, T1 6= Ors1S1:=yT1rt1Y = S1T4:=(rt2+rs1x1)YT5:=(rt3x1+rs1x2)Yfind x1P = (y−1T4 − T2)r−1s1x2P = (y−1T5 − x1T3)r−1s1(c) Protocol 6Fig. 3: Protocols 4 through 63.3 Untraceability attacks on all protocolsWe demonstrate a man-in-the-middle attack on the ID-transfer component thatallows a wide-strong adversary of (in the sense of Vaudenay [13]) to trace a tagin all of the six protocols.S E Tr′t1 ∈R Zr′s1 ∈R ZT ′1 := r′t1PT ′1 := r′t1P + rt1Pr′s1r′s1 − rs1T ′2 := (r′t1 + (r′s1 − rs1)x′1)YT ′2 := ((r′t1 + rt1) + r′s1x′1)Yfind x′1P = (y−1T ′2 − T′1)r′−1s1Fig. 4: Man-in-the-middle attack on Protocol 1By eavesdropping on protocol 1, the adversary obtains the messages rt1P ,rs1, and (rt1 +rs1x1)Y . He then mounts a man-in-the-middle attack on a secondcommunication to test whether the same tag is present as shown in Figure 4.The adversary adds the previously observed rt1P to the commitment r′t1P andsubtracts rs1 from the new commitment r′s1. The new and old responses areadded and sent to the server:T ′2 = (rt1 + rs1x1)Y + (r′t1 + (r′s1 − rs1)x′1)Y= ((rt1 + r′t1) + rs1x1 + (r′s1 − rs1)x′1)YThis response is accepted by the server if and only if x1 = x′1, i.e. if the tagis the same as the one that was previously observed. Therefore, a wide-strongadversary can trace tags. The same attack is possible on protocols 2 through 6since they are extensions of protocol 1.Note that a wide-strong adversary can also trace tags in the protocol proposedby Bringer et al. [11] using the same method. This protocol has, however, onlybeen claimed and proven secure against narrow-strong adversaries.4 Repairing the flawsThe protocol compositions can be improved by assuring that one component inthe composition cannot be used as an oracle for another. For protocol 4, this canbe achieved without compromising efficiency of the scheme. We equip the serverwith a second secret y2, generated randomly and independently of y, and storethe point y2P in every tag. In the second message, the server sends y2T1 insteadof yT1, to prove server authenticity to the tag. A similar approach improvesprotocols 5 and 6.To defend against the man-in-the-middle attacks, a stronger form of authen-tication seems to be unavoidable. In its current form, protocol 1 provides recentaliveness [14]: the server is guaranteed that the tag has recently produced a mes-sage. However, agreement [14] is clearly not satisfied as shown by the attack inFigure 4. At the end of the run, the server believes the following messages wereexchanged(r′t1 + rt1)P r′s1 ((r′t1 + rt1) + r′s1x′1)Y,while for the tag the transcript readsr′t1P r′s1 − rs1 (r′t1 + (r′s1 − rs1)x′1)Y.As shown above, the adversary abuses this discrepancy and the reader’s reactionto it to trace tags. To foil the attack, we need to make sure that reader and tagagree on the contents of all messages.The simplest solution is to use message authentication codes based on ashared secret. The last message would then include a hash of the previous mes-sages (including the payload of the current message) and a secret known only toserver and tag. A suitable candidate would be h(rt1P, rs1, (rt1 + rs1x1)Y, xyP ).Since (rt1 + rs1x1)Y is uniquely determined by the other three components ofthe hash it does not have to be included, reducing the message authenticationcode to h(rt1P, rs1, xyP ).Although this solution prevents these particular man-in-the-middle attacks,it is more resource intensive since it additionally requires a cryptographic hashfunction to be implemented (and computed) on the tag. We conjecture thatprotocol 5 can also be made resistant to man-in-the-middle attacks by modifyingthe computation of T4 in the third message. Replacing T4 by (rt2x1 − rs1x2)Yprevents the presented man-in-the-middle attack and obvious derivatives thereof.It is unclear, however, whether this introduces new vulnerabilities.References1. Canetti, R.: Universally composable security: A new paradigm for cryptographicprotocols. In: FOCS. (2001) 136–1452. Canetti, R.: Universally composable security: A new paradigm for cryp-tographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000)http://eprint.iacr.org/.3. Andova, S., Cremers, C., Gjøsteen, K., Mauw, S., Mjølsnes, S., Radomirović, S.:A framework for compositional verification of security protocols. Information andComputation 206 (February-April 2008) 425–4594. Heintze, N., Tygar, J.D.: A model for secure protocols and their compositions.IEEE Trans. Software Eng. 22(1) (1996) 16–305. Kelsey, J., Schneier, B., Wagner, D.: Protocol interactions and the chosen protocolattack. In: Security Protocols Workshop. (1997) 91–1046. Cremers, C.: Feasibility of multi-protocol attacks. In: Proc. of The First In-ternational Conference on Availability, Reliability and Security (ARES), Vienna,Austria, IEEE Computer Society (April 2006) 287–2947. Tzeng, W.G., Hu, C.M.: Inter-protocol interleaving attacks on some authenticationand key distribution protocols. Inf. Process. Lett. 69(6) (1999) 297–3028. Lee, Y., Batina, L., Verbauwhede, I.: Untraceable RFID authentication protocols:Revision of EC-RAC. In: IEEE International Conference on RFID – RFID 2009,Orlando, Florida, USA (April 2009)9. Lee, Y.K., Batina, L., Verbauwhede, I.: EC-RAC (ECDLP based randomizedaccess control): Provably secure RFID authentication protocol. In: Proceedings ofthe 2008 IEEE International Conference on RFID. (2008) 97–10410. van Deursen, T., Radomirović, S.: Attacks on RFID protocols (ver-sion 1.0). Cryptology ePrint Archive, Report 2008/310 (July 2008)http://eprint.iacr.org/2008/310.11. Bringer, J., Chabanne, H., Icart, T.: Cryptanalysis of EC-RAC, a RFID identifi-cation protocol. In: CANS. (2008) 149–16112. van Deursen, T., Radomirović, S.: Algebraic attacks on RFID protocols. In: In-formation Security Theory and Practices. Smart Devices, Pervasive Systems, andUbiquitous Networks (to appear). Lecture Notes in Computer Science, Brussels,Belgium, Springer (2009)13. Vaudenay, S.: On privacy models for RFID. In: Advances in Cryptology - ASI-ACRYPT 2007. Volume 4833 of Lecture Notes in Computer Science., Kuching,Malaysia, Springer-Verlag (December 2007) 68–8714. Lowe, G.: A hierarchy of authentication specifications. In: CSFW. (1997) 31–44

English

https://discovery.dundee.ac.uk/files/17172873/332.pdf

Untraceable RFID protocols are not trivially composable:Attacks on the revision of EC-RAC

Abstract

Similar works

Full text

Available Versions

University of Dundee Online Publications

Cryptology ePrint Archive

University of Dundee Online Publications