Cryptography Reference
In-Depth Information
primitives. The HB-family(HB
+
,HB
++
, HB*,etc.) [1,2,3,4,5,7,6,8] and the MAP-
family(LMAP,EMAP,M2AP,etc)[9,10,11] authentication protocols, are some ex-
amples of this kind. However, proposed lightweight protocols so far have been
targeted to various successful attacks and therefore, the search for a concrete
lightweight solution for authentication in low-cost RFID tags still continues.
Recently, Alomair et al. embarked on the notion of UnConditionally Secure
mutual authentication protocol for RFID systems (UCS-RFID)[17]. UCS-RFID's
security relies mainly on the freshness of five secret keys rather than the hard-
ness of solving mathematical problems. Freshness in the keys is guaranteed with
a
key updating
phase at every protocol run by means of a fresh random number
(nonce). This nonce is generated at the reader side due to low-cost tags con-
straints, and delivered to the tag secretly. This allows the tags to benefit from
the functionalities of random numbers without the hardware to generate them.
Our Contribution.
In this paper, we present a three-phase probabilistic pas-
sive attack against the UCS-RFID protocol to recover all the secret keys in
the protocol. Our attack is mainly based on a weakness observed in the proto-
col(section 3). To put in a nutshell, the weakness implies that the more outputs
we have from consecutive runs of the protocol, the more knowledge we will ob-
tain on the nonces in these protocol runs. In other words, having more number
of protocol run outputs observed, we are able to determine some of the nonces
(
victim
nonces) with higher probability. It should be noted that this weakness
has also been tackled by the authors in [17]. Nevertheless we will show that the
security margin they expected from the protocol has been overestimated. Find-
ing the victim nonce in the protocol paves the way toward adopting an attacking
scenario to achieve all of the five secret keys in the system.
Outline.
The remainder of this paper is organized as follows. In section 2, we
briefly describe the UCS-RFID protocol. In section 3 the weakness of the protocol
is investigated thoroughly. Section 4 and 5 describes our attacking scenario to
recover the keys, and trace the tag in the protocol. Finally, section 6 concludes
the paper.
2 Description of the UCS-RFID Protocol
The UCS-RFID authentication protocol consists of two phases: the
mutual au-
thentication phase
and the
key updating phase
. The former phase mutually au-
thenticates an RFID reader and a tag. In the latter phase both the reader and
the tag update their dynamic secret keys for next protocol runs.
In this protocol, first the security parameter,
N
, is specified and a 2
N
-bit
prime integer,
p
, is chosen. Then, each tag
T
is loaded with an
N
-bit long iden-
tifier,
A
(0)
, and five secret keys,
k
(0
a
,k
(0)
b
,k
(0
c
,k
(0)
d
and
k
(0
u
chosen independently
and uniformly from
Z
2
N
,
Z
p
,
Z
p
\{
0
}
,
Z
2
N
and
Z
p
\{
0
}
respectively.
Notation
-
N
: security parameter.
-
p
: a prime number in
Z
2
N
Search WWH ::
Custom Search