[Fig. 4. The server-less protocol proposed by Tan et al. [3]. Messages between Reader and Tag: (1) Request; (2) $n_j$; (3) $n_i, r_i$; (4) $h(f(r_i,t_j))_m,\ h(f(r_i,t_j)\,||\,n_i\,||\,n_j) \oplus id_j$.]
2. In step (4) of this scheme, $h(f(r_i,t_j))_m$ is sent by the tag. This is a static form of data which can be used by malicious users to track the tag.
3. It is possible that an attacker captures a tag, repeatedly sends the request message along with fixed values of $r_i$ and $n_i$, and then stores the $\{h(f(r_i,t_j))_m,\ h(f(r_i,t_j)\,||\,n_i\,||\,n_j) \oplus id_j\}$ responses received for different values of $n_j$. This way, the attacker can make a table of responses and use this table in a fake tag to impersonate it as a real one.
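The static-response problem described in items 2 and 3, as an added example that is not from the original text or from Tan et al.: a Python model of the step (4) response with a check for components that repeat across sessions. SHA-256 for $h$, HMAC for $f$, the subscript $m$ read as truncation to the first $m$ bits, and all secrets and identifiers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

M_BITS = 16  # assumed length m of the truncated first component

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # assumed stand-in for h

def f(r_i: bytes, t_j: bytes) -> bytes:
    return hmac.new(t_j, r_i, hashlib.sha256).digest()  # assumed stand-in for f

def tag_response(t_j, id_j, r_i, n_i, n_j):
    """Step (4): (h(f(r_i,t_j))_m, h(f(r_i,t_j)||n_i||n_j) XOR id_j)."""
    k = f(r_i, t_j)
    first = h(k)[:M_BITS // 8]
    mask = h(k + n_i + n_j)[:len(id_j)]
    return first, bytes(a ^ b for a, b in zip(mask, id_j))

def run_sessions(t_j, id_j, r_i, count):
    """Model `count` honest sessions with fresh n_i and n_j each time."""
    return [tag_response(t_j, id_j, r_i,
                         secrets.token_bytes(8), secrets.token_bytes(8))
            for _ in range(count)]

def static_components(sessions):
    """Indices of response components identical in every session."""
    return [i for i in range(len(sessions[0]))
            if len({s[i] for s in sessions}) == 1]

def depends_only_on_n_j(t_j, id_j, r_i, n_i, n_j):
    """True if, for fixed r_i and n_i, the same n_j always yields the
    same response, i.e. the tag adds no state or randomness of its own."""
    return (tag_response(t_j, id_j, r_i, n_i, n_j)
            == tag_response(t_j, id_j, r_i, n_i, n_j))

if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    t_j, id_j, r_i = b"constructed-tag-secret", bytes(range(12)), b"reader-01"
    sessions = run_sessions(t_j, id_j, r_i, 20)
    print("static component indices:", static_components(sessions))  # [0]
    print("deterministic for fixed r_i, n_i:",
          depends_only_on_n_j(t_j, id_j, r_i, b"\x00" * 8, b"\x01" * 8))
```

Index 0 is the first component $h(f(r_i,t_j))_m$: it is the only one that survives fresh values of $n_i$ and $n_j$, which is what makes sessions of the same tag linkable.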
5 Sun et al. Gen2+ RFID Protocol
In order to solve the security issues of the EPCglobal Class-1 Generation-2 (Gen2) protocol, Sun et al. propose an improved version of Gen2 called the Gen2+ protocol [4]. A typical Gen2 tag contains a pseudorandom number generator (PRNG) and takes advantage of a cyclic redundancy code (CRC-16) to protect the message integrity [4]. The Gen2+ protocol uses the same PRNG and CRC-16 tools for privacy preservation. Sun et al. assume that each tag shares an $l$-word-long random string, called “keypool”, with the back-end database. This string is randomly generated by the back-end database and is written into the tag before deployment [4]. A threshold $t$ is also set in each tag to tolerate error bits in the received values and to boost the reading speed. Sun et al. assume that it is possible to design and add an extra Hamming distance calculator to each Gen2 tag [4]. The Gen2+ protocol is depicted in Fig. 5. Although the Gen2+ protocol is easy to implement and inexpensive, it has some security problems, as follows:
1. To obtain the EPC data, an attacker needs to be able to provide an acceptable $ck$ for each $RN16$ and $check$ it receives in step (2). It was proven in [4] that if an attacker records approximately 16,384 failed sessions between a reader and a tag and analyzes them, it may be able to track the tag using the additional information provided by the $check$ bits. Moreover, a passive