Cryptography Reference
In-Depth Information
2.2 Key Updating Phase
After a successful mutual authentication, both the reader and the tag update
their keys and dynamic identifier (
A
(
i
)
)forthenextprotocolrun.
k
(
i
+1)
a
=
n
(
i
)
r
k
(
i
)
a
⊕
(7)
k
(
i
+1)
b
k
(
i
)
b
k
(
i
)
u
+(
n
(
i
)
≡
⊕
)
mod p
(8)
k
(
i
+1)
c
k
(
i
u
×
(
n
(
i
)
k
(
i
)
c
≡
⊕
)
mod p
(9)
k
(
i
+1)
d
k
(
i
)
d
=
n
(
i
)
r
⊕
(10)
k
(
i
+1)
u
k
(
i
u
×
n
(
i
)
mod p
≡
(11)
n
(
i
)
l
A
(
i
+1)
+
k
(
i
+1)
a
mod
2
N
≡
(12)
It should be noted that the dynamic values have been proved to preserve their
properties of independency and uniformity after updating[17].
3Ob r on
In this section, we shed more light on a weakness in the UCS-RFID protocol
which becomes the origin of our proposed attack presented in the subsequent
section.
By xoring (7) and (10), we have:
k
i
+1
a
k
i
+1
d
=
k
a
⊕
k
d
⊕
(13)
Equation (13) shows that the difference between
k
a
and
k
d
remains the same for
two consecutive runs of the protocol. This statement can also be generalized for
every
r
arbitrary run of the protocol the as following:
k
r
+1
a
k
r
+1
d
=
k
a
⊕
k
d
=
...
=
k
a
⊕
k
d
=
L
⊕
(14)
By using (14), for outputs
A
and
D
in
m
consecutive runs of the protocol, we
have:
n
(
i−
1)
l
A
(
i
)
+
k
(
i
)
a
mod
2
N
≡
(15)
D
(
i
)
=
n
(
i
)
l
(
k
(
i
)
a
⊕
⊕
L
)
(16)
n
(
i
)
l
A
(
i
+1)
+(
k
(
i
)
a
n
(
i
)
r
)
mod
2
N
≡
⊕
(17)
D
(
i
+1)
=
n
(
i
+1)
l
(
k
(
i
)
a
n
(
i
)
r
⊕
⊕
L
⊕
)
(18)
.
i
+
m−
2
n
(
i
+
m−
2)
l
A
(
i
+
m−
1)
+(
k
(
i
)
a
n
(
j
)
r
)
mod
2
N
≡
(19)
j
=
i
i
+
m−
2
D
(
i
+
m−
1)
=
n
(
i
+
m−
1)
l
(
k
(
i
)
a
n
(
j
)
r
⊕
⊕
L
)
(20)
j
=
i
Search WWH ::
Custom Search