Security Analysis of RAPP: An RFID Authentication Protocol based on Permutation




Wang Shao-hui, Han Zhijie, Liu Sujuan, Chen Dan-wei

{College of Computer, Nanjing University of Posts and Telecommunications, Nanjing 004, China; Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks, Nanjing, Jiangsu 000, China; Network and Data Security Key Laboratory of Sichuan Province}

Abstract

One of the key problems in Radio Frequency Identification (RFID) is security and privacy. Many RFID authentication protocols have been proposed to preserve security and privacy of the system. Nevertheless, most of these protocols are analyzed and it is shown that they can not provide security against some RFID attacks. RAPP is a new ultralightweight authentication protocol with permutation. In RAPP, only three operations are involved: bitwise XOR, left rotation and permutation. In this paper, we give an active attack on RAPP. We first collect some authentication messages through impersonating valid tag and readers; 0 Then we forge valid reader to communicate with the tag about times. Using the property of the left rotation and permutation operation, we can deduce the relationship of bits of random number or secret keys at different positions, thus obtain all the secret shared by the reader and the tag.

Keywords: RFID; Lightweight Authentication; Permutation; Privacy; Active Attack

Introduction

Radio Frequency Identification (RFID) systems are used for automated identification of objects and people. Applications that use RFID technology include warehouse management, logistics, railroad car tracking, product identification, library books check-in/check-out, asset tracking, passport and credit cards, etc. Most of the RFID systems comprise of three entities: the tag, the reader and the back-end database. The tag is a highly constrained microchip with antenna that stores the unique tag identifier and other related information about an object. The reader is a device that can read/modify the stored information of the tags and transfer these data to a back-end database, with or without modification. Back end database stores this information and will keep track of the data exchanged by the reader [ ].

One of the key problems in RFID is privacy and security. It is typically critical to the communication between the reader and the tag because wireless transmissions are more vulnerable to malicious adversaries. The possible security threats to RFID systems include denial of service (DoS), man in the middle (MIM), counterfeiting, spoofing, eavesdropping, traffic analysis, traceability, de-synchronization etc. An effective and flexible way to assure privacy and security is to adopt authentication protocols. The low cost deployment demand for RFID tags forces the lack of resources for performing true cryptographic operations to provide security. It is worthwhile to study ultralightweight authentication protocols which require tags to involve only simple bitwise operations such as bitwise XOR, bitwise OR, bitwise AND and rotation.

Providing light weight security in RFID systems is not a trivial task. Several ultralightweight protocols have already been proposed. However, they all have certain flaws and vulnerabilities. Vajda and L. Buttyan [ ] have proposed a set of extremely lightweight challenge response authentication algorithms. These can be used for authenticating the tags, but they may be easily attacked by a powerful adversary. Juels [ ] proposed a solution based on the use of pseudonyms, without using any hash function. But after a set of authentication sessions, the list of pseudonyms will need to be reused or updated through an out-of-band channel, which limits the practicality of this scheme. Peris-Lopez et al. proposed a family of ultralightweight mutual authentication protocols, e.g., [4] and [ ]. But later it was reported that these protocols are vulnerable to desynchronization attack and full-disclosure attack [ ]. In addition to this there are other lightweight mutual authentication protocols proposed in the literature and attacks have been successfully mounted on all of these as demonstrated in literature [-0]. Chien introduced another ultralightweight protocol called SASI [ ] to provide strong authentication and strong integrity. However, vulnerabilities have also been illustrated such as tag traceability, de-synchronization and secret disclosure attack [- ]. [ ] presented Gossamer protocol which is inspired by SASI and tries to be devoid of the weakness of SASI. Nonetheless, the de-synchronization attack [4] still works.

Recently, Yun Tian et al. [ ] propose a new ultralightweight RFID authentication protocol with permutation called RAPP. They introduce the permutation operation to break the orders of the bits. Moreover, in their scheme, the last messages are sent by the reader rather than by the tag to resist de-synchronization attacks. This also economizes the storage of the tag. Tags in RAPP involve three operations: bitwise XOR, left rotation and permutation.

In this paper, we give a security analysis of this new proposed protocol RAPP. An active attack is proposed, in which we first collect some authentication messages through impersonating valid tag and reader; Then we forge valid 0 reader to communicate with the tag. The analysis shows when querying about times with the tag, we can deduce all the secrets shared by the reader and the tag utilizing the property of the left rotation and permutation operations.

The rest of the paper is organized as follows: RAPP is briefly illustrated in section . Section describes the detail security analysis of this new protocol with permutation, and shows how to extract all the secrets shared by the reader and the tag. Section 4 gives the complexity of the attack and an example of our attack with reduced length is presented. Conclusion is given in section .

RAPP Scheme

In this section, we give a brief description of RAPP. In this protocol, costly operations such as multiplications and hash evaluations are not used at all, and random number generation is only done at the reader's side. All the variables in the protocol are 9 bit. Frequently used notations in this paper are listed below:

ID : Tag's unique identifier
IDS : Tag's dynamic pseudonym at the th successful run of protocol
,, : Secret keys shared at the th successful run of protocol
, : Pseudorandom numbers generated by Reader
A, B, C, D, E : Messages transferred between Reader and Tag
: Bitwise XOR operation

In RAPP, the tags and readers only involve operations: bitwise XOR, left rotation Rot(x, y) and permutation Per(x, y). Suppose x and y are two 9-bit strings, Rot(x, y) is defined to left rotate x by wt(y) bits, where wt(y) is the Hamming weight of y. The permutation operation Per(x, y) is defined as follows:

Definition : Suppose x and y are two 9-bit strings, where, 9 { 0,},,,, 9; y y yy, 9 y { 0,},,,, 9 Moreover, the Hamming weight of y, wt(y), is m 0 m 9 and y y y, y 0 k k k m k y + k y, m m+ k 9 where k 9 and < k < < km km + < km+ < < k9 9 Then, the permutation of x according to y, denoted as Per(x, y), is Pert, y k k k m k 9 k 9 k m+ k m +

In RAPP, every tag shares a fixed and unique identifier ID with the reader. At the th authentication, the tag and the reader share a pseudonym IDS and three secrets ,,, which will update to IDS +, + + +,, if authentication is successful. Every authentication contains three rounds: tag identification, mutual authentication and IDS, secrets updating, which is presented as follows:

I. Tag Identification
After receiving the Hello message from the reader, the tag sends the IDS to the reader, which will look up the tags in the database with the same pseudonym and get the corresponding information.

II. Mutual Authentication
The reader and tag will authenticate to each other through the following step:

Step : Reader first generates a random number , computes and sends the tag the messages A, B as equation and . The tag can deduce the random number through message A, and make sure whether the reader is valid via checking the correctness of message B: A Per, B Per, Rot, Per,

Step : If the reader is valid, the tag sends back the answer message C to authenticate himself: C Per, ID

Step : After authenticating the validity of the tag, Reader generates another random number , computes and sends the tag the messages D, E as follow. The tag can deduce the random number through message D, and make sure that is not changed via checking the correctness of message E: D Per, 4 E Per, Rot, Per,

III. IDS and Secrets Updating
After authenticating successfully, the reader and tag will update the pseudonym IDS and secrets in the follow way: IDS Per IDS, Per, Per, Per, IDS 9

Security Analysis of RAPP

In the section, we give the security analysis of the RAPP and some superscripts are omitted for convenience in the following paper. We denote by [ the bit at position and, the string with the same bit as 0 + except for the bits in position and +, means the string with all the bits are 0 except that the bit in position and + is . As to the operations Per and Rot, we can get the following observations:

Observation : As to any two 9-bit strings x, y and z, it is easy to see that operation Per has the property: $\mathrm{Per}(x, y) \oplus \mathrm{Per}(z, y) = \mathrm{Per}(x \oplus z, y)$

Observation : As to any ,,,9, if and are different, and have the same Hamming weight. If [ [ 0, wt ; and if [ [,, wt + [ [, wt, wt [ [,,,

Observation : As to any ,,,9, if and are different, Rot,,, Rot, 0s, s+ for some bit position s. That is to say Rot,,, is almost the same as Rot, except for the bits in position s and s +. In addition, there is only one different number in the sequence of number satisfying [ Rot,,, from that of [ Rot,, and also one different position number in the sequence of number j satisfying [ + j Rot,,, 0 from that of [ Rot, 0 j

Observation 4: From the observation , we can see as to any ,,, 9, if [ and [ are different, Per y, Rot,,, either equals to Per y, Rot,, or has different bits in positions, i.e. Per y, Rot,,, Per y, Rot, 0s, t with bit position s and t.

Example: Given 000, we can get, 000, 4, 0, wt, wt, wt 4, wt + Rot, 000, Rot,,, 000 and Rot 4,, 4, 0 Rot,,, has the different bits from Rot, at bit position and, while Rot 4,, 4, has 4 different bits from Rot, At position,,, 4,, the bit of Rot,,, is, and position,,, the bit of Rot,,, is 0; while the bit of Rot, is at the position,,,4,, and 0 at the position,,

In the following, we will illustrate how to deduce all the secrets shared between the tag and reader. Our attack belongs to active attack, in that the adversary can impersonate a legal tag or reader to communicate with the corresponding reader or tag. We first show how to recover the random number generated by the reader; Then the secret key is deduced and secret key is obtained by analyzing some linear equations; All the other secrets including and ID can be recovered in the end.

Recovery of random number

In our attack, the adversary first forges a legal reader to communicate with the tag to obtain its pseudonym IDS; Then he forges as the legal tag to authenticate himself. After receiving the pseudonym IDS, the reader generates random number to compute messages A and B as equation and : A Per ; B Per, Rot, Per,

To recover the random number, the adversary forge a legal reader to launch the authentication with the valid tag. And for any ,,,,9, the adversary calculates the message A ' A,,, and it is easy to know the random number used by adversary is . From the observation, we can see the valid message B ' must satisfy: B' B Per, Rot, Per, Per, Rot, Per,,,, Per, Rot, Per, Rot, Per0,,,,

From the observation , and 4, we can see:

If [ and [ are different, Per, Rot, Per,, Rot,, either equals to 0 or 0 s, t with unknown position s and t, and Per 0,, equals to 0 u, v with unknown bit position u and v. That is to say, in this conditions, wt B' B 4

If [ and [ are the same, the permutation of according to Rot,,, behaves randomly compared with Rot, . So it is hard to predicate the changes and wt B' B will be bigger than 4 with overwhelming probability.
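The Per and Rot operations and the observations above, as an added example (not code from the paper). It assumes Per(x, y) takes the bits of x where y is 1 from left to right, followed by the bits of x where y is 0 from right to left, with position 1 the leftmost bit; the 16-bit width and sample values are constructed. The report also exposes the wrap-around case, where the two changed rotation bits are the first and last positions and the permutation output can change in more than two places.

```python
import random

N = 16  # constructed demo width; the protocol's variables are wider


def wt(v):
    """Hamming weight of a non-negative integer."""
    return bin(v).count("1")


def rot(x, y, n=N):
    """Rot(x, y): rotate the n-bit value x left by wt(y) positions."""
    r = wt(y) % n
    return ((x << r) | (x >> (n - r))) & ((1 << n) - 1)


def per(x, y, n=N):
    """Per(x, y) under the assumed reading: x's bits where y is 1, left to
    right, then x's bits where y is 0, right to left."""
    xb, yb = format(x, f"0{n}b"), format(y, f"0{n}b")
    ones = [xb[k] for k in range(n) if yb[k] == "1"]
    zeros = [xb[k] for k in reversed(range(n)) if yb[k] == "0"]
    return int("".join(ones + zeros), 2)


def flip_pair(x, i, n=N):
    """Flip bits i and i+1 of x (positions are 1-based from the left)."""
    return x ^ (0b11 << (n - 1 - i))


def set_positions(v, n=N):
    """1-based positions (from the left) of the 1 bits of v."""
    return [k + 1 for k in range(n) if (v >> (n - 1 - k)) & 1]


def per_is_linear(trials=500, n=N, seed=1):
    """Check Per(x, y) XOR Per(z, y) == Per(x XOR z, y) on random inputs."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y, z = (rng.getrandbits(n) for _ in range(3))
        if per(x, y, n) ^ per(z, y, n) != per(x ^ z, y, n):
            return False
    return True


def flip_report(x, y, n=N):
    """For each i, flip bits i and i+1 of x and record a tuple:
    (i, whether the two bits differed, change in Hamming weight,
     positions where Rot(x', x') differs from Rot(x, x),
     number of bits where Per(y, Rot(x', x')) differs from Per(y, Rot(x, x)))."""
    rows = []
    base_rot = rot(x, x, n)
    for i in range(1, n):
        differ = bool(((x >> (n - i)) ^ (x >> (n - i - 1))) & 1)
        x2 = flip_pair(x, i, n)
        r2 = rot(x2, x2, n)
        rows.append((i, differ, wt(x2) - wt(x),
                     set_positions(base_rot ^ r2, n),
                     wt(per(y, base_rot, n) ^ per(y, r2, n))))
    return rows


if __name__ == "__main__":
    X = 0b1011001110001011  # constructed sample value
    Y = 0b0110100111010010  # constructed sample value
    print("Per linear in first argument:", per_is_linear())
    for row in flip_report(X, Y):
        print(row)
```

Rows where the two bits differed show a weight change of 0 and exactly two changed rotation positions; rows where they were equal show a weight change of plus or minus 2, so the rotation amount itself shifts.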

From the above analysis, we proceed the following algorithm to deduce the random number :

Algorithm : Recovery of the random number
for to 9
  with all the possible u < v < 9, the adversary sends the tag A', B' A,, B 0u, v
  if tag sends back the message C', we conclude [ [
  Otherwise A', B' A,, B 0s, t 0u, v is sent with all the possible s < t < 9, u < v < 9
  if tag sends back the message C', we conclude [ [
  Otherwise we conclude [ [

Recovery of secret key

It is easy to see we do not deduce the actual value of random number but the relationship of adjoining bit. So we can always obtain possible random numbers, one starting with the bit , and the other with bit 0. In fact, the two possible random numbers are and . After obtaining the random number, we can get Per, A . To recover the secret key, we use the following observation:

Observation : As to any ,,,9, if [ and [ are different, Per y,, either equals to Per y,, or has different bits at positions.

The adversary first sends the actual message A, B to the tag, and receives the response message C. From the Algorithm , if [ and [ are different, the adversary can forge valid message A', B' and tag sends back message C', which satisfies: C C Per, ID Per, ID Per, ',,,, Per, Per, Per,,,

From the observation, we can see if [ and [ are different, wt C C' must equal to ; while if [ equals to [, wt C C' will be larger than with overwhelming probability.

However, as shown in Algorithm , we can not obtain all the relationship of adjoining bit of , because if [ and [ are the same, we can not forge valid message A ', B' to obtain C'. So, the adversary can forge tag and the reader again to communicate with the corresponding valid ones to obtain other authentication messages r r r A, B, C, r,,, l. The value of l will be discussed in section 4. Because Per, is known, the random numbers r r r, r,,, l can be computed as A Per, . Thus we present the following Algorithm to recover the secret key .

Algorithm : Recovery of the secret key
for to 9
  if [ [
    if wt C C', we conclude [, which means [
    Otherwise, we conclude [, which means [ [ t t
  Otherwise find the value t : [ [, and call the Algorithm to obtain
    if wt C t C t ', we conclude [ [
    Otherwise, we conclude [ [ [ [ [ t C '

Recovery of secret key

We should note that just as Algorithm , Algorithm is utilized to obtain the relationship of adjoining bit of . As to each possible random number and , there are possible secret key and . So there are 4 possible combinations,,,,, and, . We should try all these 4 possible combinations. We use the variable and to show how to recover the secret key . From the equation C, we can obtain: C Per, ID Per, Per, ID i.e. Per, C Per, ID

As to different s and t, we can get: s t t s s s t t Per, Per, C C Per, Per,

Secret key and all the random numbers ,,,, l are known, so the right part of the above equation can be computed. Per, s and Per, t are two different permutations of secret key . Thus the left part of the equation involves the relationship of bit at different bit position and the linear equations can be set up. However we do not solve the linear equations, we can obtain the relationship of bit of at different positions from the equations.

4 Recovery of all the other secrets

After obtaining the random number and secret keys and , the identifier ID can be deduced using equation , and the secret key of can be computed through the equation . In addition, we can use the messages r r r A, B, C, r,,, m to check whether the possible guessing is right or not.

4 Experiment Results

In this section, we first give an attack example with all the variables having 4 bits, and then the general complexity of our attack is analyzed.

4 An Example with Reduced Length

Here we give an example with reduced length. We take the identifier ID 0ca, three secrets keys a a e f b, and the first random number chosen . Thus we can 0 49 0, 0 4, 0 49 0cb compute: Per, 00000000000000, 0000000000000 Rot, 00000000000, Per, 00000000000 Per, Rot, 0000000000000 So the messages the reader generated are: A 00000000000, B 000000000000,

The attack procedure is present briefly as follows:

Step : Recovery the random number

when, we know now 00b, Rot,,,, 0000000000000, Per, Rot, 0000000000000, and Per,,,, 0000000000000 The message B ' should equal to 0000000000000000, and wt B B' So as to the Algorithm, the adversary can not compute the valid B ' to authenticate himself. We can conclude [ [

In the table, as from to, we list the corresponding values with the new random number, . We can see when,,,,, wt B B' 4, and we can forge a valid B ' from the Algorithm. So [ [ when,,,,

Table : part of the values with new random number (columns include B ' and wt B B'; the cell values are not recoverable from this transcription)

Finally we can conclude that [ [ [ [ 4 [ [ [ [ [ 9 [ 0 [ [ [ [ [ [ [ [ [ [ [ [ [ [ So the two 4 9 0 4 possible random numbers are 00000000000 and 0000000000000

Step : Recovery the secret key

As to the original message A and B, we know 00000000000000, 000000000000, Per, 000000000 00000, and the response message sent by the tag is C 00000000000000 As to the algorithm, we know when,,,,, the adversary can forge valid authentication message A ' and B ', and the tag will send back C'. Take,, as an example, we show how to deduce the relationship of :

: 000000000000, 0000000000000000,,,,, Per, 0000000000000000, and C' 0000000000000000 Because wt C C', we conclude [ Because, [ [ [ [ [

: 0000000000, 000000000000,,,,, Per, 0000000000000, and C' 000000000000 Because wt C C', we conclude [ Because, [ [ [ [ [

: 00000000000000, 000000000000,,,,, Per, 000000000000, and C' 0000000000 Because wt C C', we conclude [ Because, [ [ [ [ [

To obtain all the relationship of bit in conjoining position, we need to collect other random numbers and we do not show this detail here. The relationship of bit at different position that we can get is: [ [ [ [ [ [ [ [ [ [ [ 4 9 0 [ [ [ 4 [ [ [ [ [ 9 [ 0 [ [ [ [ 4 So the two possible secret key are 00000000000 and 0000000000000

Step : Recovery the secret key

Here we get 4 possible combinations,,,,, and, . Suppose we get another authentication messages A, B and C from the valid reader and tag. The new random number chosen is r 049a, and A 00000000000, B 00000000 and C 0000000000000000 We only choose, as an example. Now we know Per, 00000000000000, and we can get the new random number is r 049a Set and r, then we have: C C' Per, Per, r,,4,,,9,0,,,,9,,4,,,0,,,4,,,,,,4,,,9,0,,,,,9,4,,,,0,4,,,,,,, 000000000000 means the permutation of according to,,4,,,,, So we can,,4,,,9,0,,,,9,,4,,,0,,,4,,,,, get [, Because, so Thus we can [ [ [ [ r [ [,[ r [ [ get the relationship of bit at different positions in the same way. Usually we can not get all the relationship we need. In the example, we can not get the relationship of bit with position 9 and 0. At that time, we need to choose another messages to try the above procedure to get the relationship of bit in position 9 or 0 with other bit positions. As the computation of the other secret and identifier is straightforward, we do not discuss here.

4 Complexity Analysis of the Attack

Here we will analysis the complexity of our attack. There are two factors we should consider:

The number l of authentication messages that the adversary need to collect through impersonating valid tag or reader. If the number is chosen randomly, we know for any ,,, 9, pr [ [ 0 For l random l number, the probability that the bit at position equals to the bit at position + is 0 Take l 0, 0 l 00009 That is to say, when collecting 0 authentication messages, we can find [ [ with overwhelming probability for any ,,,9

the number we need to query the tag. To recover the random number and secret key , we need to send the forged messages A', B' to the tag to deduce the relationship of bit in different positions. From the Algorithm and 0 algorithm, we can conclude the number is about 4 C C 9 9

Conclusion

In this paper, we give an active attack on RAPP, a new ultralightweight authentication protocol with permutation. We first collect some authentication messages through impersonating valid tag and readers; Then we forge valid reader to 0 communicate with the tag about times. Using the property of the left rotation and permutation operation, we can deduce relationship of bits of random number or secret keys at different positions, thus obtain all the secret shared by the reader and the tag. In practice, the number needed to query the tag is much larger. How to reduce the analysis complexity will be considered in the future work.

Acknowledgements

This work is supported by the Priority Academic Program Development of Jiangsu Higher Education Institutions (PAPD), National Natural Science Funds Grant No090 and Nanjing University of Post and Telecommunication Funds Grant NoNY00

REFERENCE

Hunt, V.D., Puglia, A., Puglia, M.: RFID: A Guide to Radio Frequency Identification. Wiley-Interscience 00
Vajda, I., Buttyan, L.: Lightweight authentication protocols for low-cost RFID tags. In: Proc. of UBICOMP 00 00
Juels, A.: Minimalist Cryptography for Low-Cost RFID Tags (Extended Abstract). In: Blundo, C., Cimato, S. (eds.) SCN 004. LNCS, vol , pp 49 4. Springer, Heidelberg 00
4 P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, and A. Ribagorda. LMAP: a real lightweight mutual authentication protocol for low-cost RFID tags. Proc. 00 Workshop RFID Security
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, and A. Ribagorda. MAP: a minimalist mutual-authentication protocol for low-cost RFID tags. Proc. 00 International Conference on Ubiquitous Intelligence and Computing, pp 9 9
T. Li and G. Wang. Security analysis of two ultra-lightweight RFID authentication protocols. Proc. 00 IFIP RC- International Information Security Conference, pp 09 0
Sadighian, Jalili, R.: Afmap: Anonymous forward-secure mutual authentication protocols for rfid systems. In: Third IEEE International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 009), pp 009
Sadighian, Jalili, R.: Flmap: A fast lightweight mutual authentication protocol for rfid systems. In: th IEEE International Conference on Networks (ICON 00), New Delhi, India, pp 00
9 Safkhani, M., Naderi, M., Bagheri, N.: Cryptanalysis of AFMAP. IEICE Electronics Express, 40 4 00
0 Bárász, M., Boros, B., Ligeti, P., Lója,, Nagy, D.: Passive Attack Against the MAP Mutual Authentication Protocol for RFID Tags. In: First International EURASIP Workshop on RFID Technology, Vienna, Austria 00
Chien, H.-Y.: SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity. IEEE Transactions on Dependable and Secure Computing 44, 40 00
T. Cao, E. Bertino, and H. Lei. Security analysis of the SASI protocol. IEEE Trans. Dependable and Secure Computing, vol, no, pp, Jan-Mar 009
R. C.-W. Phan. Cryptanalysis of a new ultralightweight RFID authentication protocol SASI. IEEE Trans. Dependable and Secure Computing, vol, no 4, pp 0, Oct-Dec 009
4 H.-M. Sun, W.-C. Ting, and -H. Wang. On the security of Chien's ultralightweight RFID authentication protocol. IEEE Trans. Dependable and Secure Computing, vol, no, pp, Mar-Apr 0
P. D'Arco and A. De Santis. On ultralightweight RFID authentication protocols. IEEE Trans. Dependable and Secure Computing, vol, no 4, pp 4, July-Aug 0
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador, and A. Ribagorda. Advances in ultralightweight cryptography for low-cost RFID tags: Gossamer protocol. Proc. 00 International Workshop on Information Security Applications, pp
Y. Tian, G. Chen, and J. Li. A New Ultralightweight RFID Authentication Protocol with Permutation. IEEE Communications Letters, Vol, No, May 0, pp0-0