Proceedings of International Conference on Innovation in Electronics and Communication Engineering

RFID Security Issues - An Overview

(Invited Paper) Saravanan Sundaresan, Robin Doss and Wanlei Zhou
School of Information Technology, Deakin University, Australia Email: ssundare@deakin.edu.au

AbstractRadio Frequency Identication (RFID) is a technology that enables the non-contact, automatic and unique identication of objects using radio waves. Its use for commercial applications has recently become attractive with RFID technology seen as the replacement for the optical barcode system that is currently in widespread use. RFID has many advantages over the traditional barcode and these advantages have the potential to signicantly increase the efciency of decentralised business environments such as logistics and supply chain management. The large-scale implementation of RFID is curtailed mainly due to security/privacy issues. Security plays a signicant role in areas of RFID such as mutual authentication, secure search and tag ownership/delegation to name a few. It is also quite challenging to implement security features in low-cost passive RFID tags which are highly resource constrained. Many of the schemes that claim to meet the necessary security requirements, do not comply with the EPC Class-1 Gen-2 standards as these protocols use expensive hash operations or sophisticated encryption schemes that the passive tags cannot handle. Here in this article, we discuss the general security issues in RFID and also cover some of the key contributions made in these areas.

effective thereby enabling large-scale application. A. Need for Security It is noted in [5] that due to the privacy concerns arising from RFID usage, the Consumers Against Supermarket Privacy Invasion and Numbering - CASPIAN, Electronic Privacy Information Center (EPIC) and American Civil Liberties Union (ACLU) rally against the use of RFID technology especially in retail environments. One classic example for the security needs noted in [4] is when the location privacy of the tag holder should not be compromised. When an unauthorized reader obtains a constant reply from a tag, this information can be used to track the movements of the holder of the tag. For example, consider a tag attached to a passport. An unauthorized reader queries the tag and obtains a constant encrypted reply. Even though the contents could not be deciphered by the adversary, it can compare tag replies at different locations and times. When the same tag reply is obtained in two different locations, the adversary can infer that the person holding the passport has been to those two locations. Thus the location privacy of this person is compromised. It is noted in [6] that the traceability problem is considered as the biggest security challenge to general acceptability and wide-scale deployment of RFID technology. Thus, in order for it to be successful, RFID systems should be robust, safe and secure. B. Security Challenges and Constraints Passive tags are highly resource constrained and cannot perform hash operations or handle any complex encryption schemes. Hence meeting security requirements is one of the biggest challenges when developing protocols for passive tags. It is observed in [7] that if radio waves can pass through some materials they can also be blocked and interfered with. The problem is solved using blocker tags which are designed to transmit an interfering signal especially to confound the singulation process. But this strategy may be defeated if the reader does not follow the singulation protocol. Two main security issues are discussed in [8] - The rst concerns the attacks that aim to wipe out the functioning of the system (DoS attack for example). The second category relates to privacy which includes both information leakage and also traceability. Avoine [8] argues that ensuring privacy in RFID without using any cryptographic functions would only be a pipedream. It is also noted that designing and analyzing RFID protocols remains a real challenge since no universal model has been dened. It is observed in [9] that passive tags can broadcast information

I. INTRODUCTION The history of RFID can be traced back to World War II when several countries started using radar technology - that was discovered by a Scottish Physicist Sir Robert Alexander Watson-Watt in 1935 - to warn approaching planes while they were still miles away. It was under Watson-Watt, the British developed the rst active Identify Friend or Foe (IFF) system. UHF RFID got its boost in late 1990s when low-cost tags were deployed on all products to track them through the supply chain [1]. The global RFID industry will be valued at 9.7 billion US dollars by 2013 with an annual growth rate at about 15 percent and the total volume of tags used worldwide was estimated to be 10.6 billion pieces by 2011 of which 80 percent were UHF passive tags [2]. The three key elements of an RFID system are the tags, readers and the backend server. Tags are physically attached to objects, readers (wired or mobile) are devices that recognizes the presence of objects in its range and the server maintains all the crucial information about the IDs for the tags, readers, their secrets, information about the object attached to the tag and so on. There are three types of RFID Tags - active tags, semi-active tags and passive tags [3], [4]. Active tags have their own battery to power its internal circuitry and transmission components. Semi-active tags also have their own power source which is used only for powering the internal circuitry but not for transmission. Passive tags have no internal battery to power themselves. They use electromagnetic signal from the reader as the power source. This makes the passive tags highly cost20-21, July 2012, GNI Hyderabad

Proceedings of International Conference on Innovation in Electronics and Communication Engineering

when powered and queried by a reader without the tag owner being aware of this action. It is also stated that most passive tags can even transmit a static serial number in response to a readers query thus allowing tracking of the tags and in turn the individuals. According to [10] Tag Killing is a concern for companies and customers. The aim is to cut out the functionality of the tags when deactivation is necessary (ex: demand from the customer at the point-of-sale). This idea protects the customers when properly used by giving them the privacy they need but an adversary can use it maliciously to cause DoS attacks making the tag useless and inoperative. Lei and Cao (2007) cited in [10] solve the tag killing problem by adding complexity to the tag. The solution requires additional PRNG, chip area for storing this random number. Also, the identier is concatenated with the random number prior to hashing which causes the hash function to be run twice. This results in slowing down even the commonly performed tasks such as reading a tag and also increases the energy consumption of the tag thereby questioning the feasibility of the solution as pointed out by Trcek and Kovac (2008) and Feldhofer and Wolkerstorfer (2007) cited in [10]. According to [4], when searching for a particular tag, tags should only respond to authenticated readers. Also, the readers should only query authenticated tags. This creates a chickenand-egg problem - since readers want to query authenticated tags but tags will only respond to authenticated readers. Thus, given the resource constraints of passive tags, it is apparent that implementing security in such tags can be quite challenging. The rest of the paper is organized as follows. Section II discusses the required security properties in RFID. Sections III, IV, V discuss the existing literature and issues related to mutual authentication, secure search and tag ownership/delegation areas respectively. section VI discusses the open research problems in RFID and section VII concludes the paper. II. R EQUIRED S ECURITY P ROPERTIES IN RFID The required security properties to achieve authentication and privacy in RFID systems can be summarized as follows [11], [12]. Tag Anonymity (P1): The protocol should protect against information leakage that can lead to disclosure of a tags real identier. This is important as otherwise an attacker may be able to clone a valid tag. Tag Location Privacy (P2): The protocol should ensure that the message contents are sufciently randomized to ensure that they cannot be used to track the location(s) of the tags and thereby glean social information about the wearer of the tag. Forward Secrecy (P3): The protocol should ensure that on compromise of the internal secrets of the tag, its previous communications cannot be traced by the attacker. This requires that previous messages are not dependent on current resident data on the tag. Reader Anonymity (P4): The protocol should protect against information leakage that can lead to disclosure of
20-21, July 2012, GNI Hyderabad

a readers real identier. This is important as otherwise an attacker may be able to clone a valid reader. Reader Location Privacy (P5): The protocol should ensure that the message contents are sufciently randomized to ensure that they cannot be used to track the location(s) of the readers and thereby glean social information about the owner. Replay Attacks (A1): The protocol should be able to resist compromise by an attacker through the replay of messages that have been collected by an attacker during previous protocol sequences. This requires that protocol messages in each round of the protocol are unique. De-synchronization Attack (A2): The protocol should be able to recover from incomplete protocol sequences that can occur due to an attacker selectively blocking messages. Importantly, such blocking of messages by an attacker should not lead to de-synchronization between the tag and the server/reader. Server Impersonation (A3): The protocol should ensure that the server cannot be impersonated by an attacker. This requires that the tag/reader challenges a server to prove its legitimacy thereby achieving mutual authentication.

III. M UTUAL AUTHENTICATION The need for security and privacy in RFID systems is well recognized and there has been a signicant amount of work in this area [13], [12], [14]. However, the practical implementation of most schemes are limited by three main factors. Firstly, many schemes do not achieve conformance to EPC Class 1 Gen-2 standards and hence cannot be implemented on low cost tags which cannot support complex computation (such as hash functions). Secondly, schemes that are compliant to EPC Class 1 Gen-2 standards do not provide robust security in terms of authentication and privacy. Thirdly, most schemes assume that the channel between the back-end server and the reader is secure and hence they are not suitable in mobile/wireless reader environments where this assumption does not hold. Early approaches to deal with the security problem in RFID systems include the use of shared secrets with the use of a pseudorandom function ensemble; hash chains to update a shared random identier; monotonically increasing session hashes to prevent replay attacks; shared secrets and random nonces; monotonically increasing timestamps; and the use of XOR (exclusive OR), hash chains and a shared secret key between the reader and the back end server for reader tag authentication. Security aws and protocol vulnerabilities have been identied in [15] in the schemes employing one or more of these techniques. [16] identies that the scheme proposed in Jules (2004) (a Yoking proof based on keyed hash functions and message authentication code (MAC) functions for pharmaceutical applications) fails to provide tag anonymity and is not resistant to replay attacks and chosen plain-text attacks. [16] also identies that the scheme proposed in Wong (2005) (hash-lock scheme) does not provide location privacy and is not resistant to replay and server impersonation attacks. Further, since both schemes

Proceedings of International Conference on Innovation in Electronics and Communication Engineering

require the implementation of hash functions on the tags they are not EPC Class-1 Gen-2 compliant. In 2007, Chien et al. [17], proposed a mutual authentication protocol that achieves EPC Class-1 Gen-2 compliance and is based on random nonces and CRC calculations. However, it suffers from signicant security drawbacks. Cryptanalysis of Chiens scheme by Peris-Lopez et al. [18], shows that it cannot guarantee the unequivocal identication of tags, forward secrecy and location privacy of tags. It is also observed that it is not robust to resist tag impersonation and auto desynchronization attacks. Lo et al. [19] proposed an improvement to Chiens scheme but it still does not address the location privacy concern and can be compromised by collaborating readers [2]. Chen and Dengs scheme [20] is based on CRC and PRNG functions and suitable for implementation on EPC Class-1 Gen-2 tags. However, the use of CRC functions makes it possible for attackers to exploit the completely linear property of the CRC function [18] and Kapoor et al. [21] have recently shown that Chen and Dengs scheme is vulnerable to impersonation attacks. In [22] Liu and Bailey have proposed the privacy and authentication protocol (PAP) specically for a retail environment. It is based on a shared key between the reader and the tag, a privacy state and hash value computation by the tag and the reader. Variations of the protocol are proposed for check-out, in-store, out-store and return actions that are common in a retail environment. However, PAP fails to provide tag anonymity as the tag identier is transmitted in the clear. The authors argue that this is acceptable since the protocol is designed specically for a controlled environment. In addition, PAP fails to comply with EPC Class-1 Gen-2 standards. Further, vulnerability analysis of PAP by Nasser et al [23] shows that PAP suffers from traceability and impersonation attacks. In [16], Chen et al. proposed the rst mutual authentication scheme based on quadratic residues. The scheme was designed to achieve mutual authentication, tag privacy and resistance to replay and de-synchronization attacks. However, cryptanalysis of this scheme by Cao and Shen [24] shows that the scheme is vulnerable to tag impersonation attacks, replay attacks and tag location disclosure. Chens scheme was improved by Yeh and Wu [25] by having the tag generate an additional random number. Both Chens original quadratic residue based scheme and Yehs improved version require the tag to compute multiple hash functions. Hence both schemes are not suitable for EPC Class-1 Gen-2 tags. IV. S ECURE S EARCH While there has been a signicant amount of work done in the areas of RFID mutual authentication and tag ownership/delegation [11], [25], [22], [2], it is not the case for secure search. For the search to be secure, a tag should authenticate the reader before replying and the reader should also ensure that only legitimate tags receive the query which prevents an adversary from learning the content of the query. As noted in [4], the problem statement can be simply put as: readers
20-21, July 2012, GNI Hyderabad

want to query authenticated tags but tags will only respond to authenticated readers. Huang and Shieh propose a Secret Search Protocol in [29] which solves the privacy problem by offering a search mechanism over encrypted data. The protocol conducts search directly on ciphertexts without the need to decrypt them which gives enhanced performance. Won et al [30] propose a search protocol utilizing AES-128 block cipher and timestamps without the need of a central database. The authors claim that the timestamp generated by a portable reader protects from illegal tag-tracking by an adversary. The protocol also protects a portable readers privacy even in an insecure channel by encrypting the Reader ID using AES-128 block-cipher. Both of these schemes by Huang et al. and Won et al. require tags to compute oneway hash functions or perform expensive encryptions such as AES-128 and hence are not compliant with the EPC C1G2 standard. Tan et al [31] propose a serverless secure search protocol considering the security for both the reader and the tag. A reader broadcasts h(f (ri , tj ) nr ) idj , nr , ri . The tag use its secret tj to obtain idj and if it matches with its own id then it sends back a response h(f (ri , tj ) nt ) nr ) idj , nt . However it is noted in [30] that Tan et als scheme does not completely solve the illegal tag tracking problem and also does not consider a reader holders privacy. Zuo [32] proposes a similar secure search protocol using a pseudo-random function with a seed and one-way hash function. The reader broadcasts N Fki (idi H(n1 )) n1 Fki (idi H(n1 )) n1 and the tag responds back with H(idi Fki (n1 ). The tag then updates its secret key ki . However, there are security issues with this scheme relating to reader compromise as noted in [4]. Kim et al [33] propose a serverless search protocol by providing the readers with unique access lists with a group of tags that they are authorized to search. In the search phase, the reader broadcasts the group id Gk , Si,k and random number nR . Tags receiving the search request check to see if they belong to the group. If so, and if the intended tag exists in the group it generates a random number nT and sends h(h(Si,k tj ) nR nT ) along with the random number. A vulnerability noted by the authors in their protocol is that the tags should send their group identity to a querying reader. Also, the tags reply to a search query for a specic group. Thus, a simple eavesdropping leads to knowing the group identity of the tags. We further note that the broadcasting group-ids and also the pseudonyms in the clear is not advisable since these two pieces of information are vital to providing security to the tags and the readers. Ahamed et al [34] propose a serverless forward secure, anonymous search protocol using a pseudorandom number generator P () that takes a seed as an argument and a function M () that generates the next pseudorandom number. The reader generates and broadcasts k the random number nk desired using P (seeddesired ) to nd out the desired tag Tdesired . Tags receiving the random number compares it with its own nk and if there is a match, it knows i that the query is for itself and also authenticates the reader since only a legitimate reader can know its seed. The tag replies

Proceedings of International Conference on Innovation in Electronics and Communication Engineering

Table I C OMPARISON OF S ECURITY AND P RIVACY P ROPERTIES (M UTUAL AUTHENTICATION ) Scheme Juels [26] Wong et al. [27] Chien et al. [17] Chen et al. [16] Yeh et al [25] Lo et al. [19] Yeh et al. [2] Chen and Deng [20] Liu et al. [22] Cho et al. [28] P1 No P2 No No No No No No No No No No P3 P4 P5 A1 No No No No A2 No No No No No No No No No No No A3 No

No

: Fully satised; : partially satised under certain assumptions; : not applicable. P1: Tag anonymity; P2: Tag location privacy; P3: Forward secrecy; P4: Reader privacy; P5: Reader location privacy; A1: Resistant to replay attacks; A2: Resistant to desynchronisation attacks; A3: Resistant to impersonation attacks.

with nk+1 and updates its seed. After receiving the response i k+1 the reader computes nk+1 and desired and compares it with ni if there is a match it can be sure that the tag is valid as only a legitimate tag can generate this. Kulseng et al [35] propose a secure search protocol based on Physically Unclonable Functions (PUF) and Linear Feedback Shift Register (LFSR). The authors claim that their protocol requires not more than 1400 hardware gates to implement the security features which is well within the limits of low-cost passive RFID tags. LFSR is used to generate random numbers and PUF is used to authenticate the tags. The protocol addresses physical attacks and replay attacks. The protocol provides security from eavesdropping attacks since all secrets are XORed with some random numbers which are changed every round of the search. Also the implementation of the P function based on the PUF circuit can protect the tag from physical attacks. A probe on the wire of the PUF will change the resistance in the link that is being probed and therefore render the PUF to alter its behavior. Also, the P function is unclonable. If the content of the tag is somehow copied to another tag, the new tag will not be able to mimic the behavior of the original tag, because no two PUF circuits behave exactly the same. Replay attacks are also not possible since the greeting numbers are updated after each authentication/search. An improvement of the protocol is suggested by the authors to prevent desynchronization attacks. Here, the reader and the tag do not share any secret key K. Instead, the tag stores the greeting numbers from the previous round and the currently expected greeting number. All tags maintain a predened probability and decide whether to generate a fake response based on this probability to provide tag location privacy and prevent tracking attacks. Now, we present our protocol proposed in [36] that is based on simple XOR and PRNG operations. A blind-factor () is used to hide the random numbers during all transmissions to provide additional security. The scheme is designed to conform with EPC C1G2 standards since we do not employ any encryption or hash functions while meeting the necessary security requirements. The protocol has two phases. In the rst
20-21, July 2012, GNI Hyderabad

Table II C OMPARISON OF S ECURITY AND P RIVACY P ROPERTIES (S ECURE S EARCH ) Scheme Huang et al [29] Won et al [30] Tan et al [31] Zuo [32] Kulseng et al [35] Kim et al [33] Our Scheme P1 P2 No P3 P4 NA No NA No P5 No No P6 NA No NA NA No A1 A2 NA

P1: Basic Privacy P2: Mutual Authentication P3: Tag Anonymity P4: Reader Anonymity C1: EPC Class-1 Gen-2 Compliance - Fully Satised - Partially Satised

P5: Tag Location Privacy P6: Reader Location Privacy A1: Replay Attack A2: DoS/De-synchronization Attack

NA - Not Applicable - Fully Satised under certain assumptions

phase the backend server setups all the tags and the readers with the necessary information such as IDs, private/shared secrets and so on. The second phase is where the search is conducted using the proposed protocol. Reader computes M 1 using idj , reader-tag shared secret rtsj and the random number as M 1 = idj P RN G(rtsj rr ). M 2 is computed as M 2 = rr . The tags compute their own , extracts rr from M 2, computes x = id P RN G(rts rr ) or x = id P RN G(rts1 rr ), compares it with M 1 and if there is a match, computes M 3 = rts P RN G(id tr ) (or) M 3 = rts1 P RN G(id tr ) and M 4 = tr and sends it back to the reader. Reader veries the response to see if the tag is present. V. TAG OWNERSHIP Lopez et al [37] and Cai et al [38] discuss the vulnerability in Song et als ownership transfer scheme. It is shown that the secret update protocol is vulnerable to de-synchronization attack by blocking the rst message (r1 , M1 , M2 ) from reaching the tag. The adversary then forges a second message (r1 , M1 , M2 ) that will be accepted by the tag which results

Proceedings of International Conference on Innovation in Electronics and Communication Engineering

Figure 1.

Our Secure Search Protocol from [36]

in the tags secret be updated to a value that the legitimate server does not know. Henceforth the legitimate server cannot access the tag resulting in de-synchronization. As a x, it is suggested that M2 be modied from si(new) (ti >> l/2) to si(new) h(ti ) on the server side. Then on the tag side, si M2 (ti >> l/2) is revised to si M2 h(ti ). Song et al [39] provide a further revised version of the protocol in which M2 = ft (r1 r2 ) remains the same as in [38] and M3 is changed to s ft (r2 r1 ). Zhou et al [40] propose a tag ownership transfer protocol which considers third party logistics (TPL) provider and the Trusted Third Party (TTP) and their roles in the ownership transfer in a distributed supply chain environment. The scheme uses two keys one main key for the owner and a sub-key for the third-party logistics provider. The sequence of events are: 1) The current owner possesses or obtains from the TTP the main key K, to the item of interest; 2) The tag, current owner and the TPL provider (if any) obtain sub-key ki , for the item at the origin location; 3) The item is transported from the origin to the destination location; 4) The new owner obtains the main key from TTP. 5) The new owner, TPL provider and tag obtain the updated sub-key from the TTP. The owners have to have knowledge of both the main and sub-keys to communicate with the tag and the composite key is represented by K ki . It is noted by the authors that the protocol: 1) does not guarantee forward secrecy since none of the messages are encrypted by any hash function and 2) does not protect from relay attacks (which is when an attacker simply relay messages between an honest reader and honest tag with or without the knowledge of the other party) due to the absence of cryptographic manipulations by the attacker.
20-21, July 2012, GNI Hyderabad

Song et al discuss a RFID pseudonym protocol in [39] that uses a pre-computed lookup table for tag authentication resulting in O(1) work to identify and authenticate a tag as opposed to O(n) in some other protocols. The look-up table contains a number of entries (determined by the hash-chain length m) for each tag, one for each element of a tag-specic hash-chain. Elements from this hash-chain are used as tag identiers. In the init phase the server S chooses l (bit-length of tag identier), lr (bit-length of a random string), lm (bit-length of integer m), e, f and g as keyed-hash functions and h a hash function. To build the look-up table, S chooses l-bit string s and computes the key k= h(s). S chooses a random l-bit string x0 and computes the hash-chain xi = ek (xi1 ) for 1 i m . Each value in the hash-chain is used as a one-time tag identier. S stores s, k and the identiers x0 , x1 ... xm as the entries for T in the lookup table. Following the tag authentication, the secret update takes places if x = xm where the secrets are updated from (s1 , k 1 , s, k, x0 , x1 , ..., xm ) to (s, k, s , k , x, x1 , x2 , ..., xm ). Tag delegation is pretty straightforward. When S wants to delegate tag T to an entity, it transfers the secret k and the identiers x0 , x1 ... xm to the entity via a secure channel. Then the entity can authenticate the tag a maximum of m times but cannot update the tag secrets since it does not know s. For the tag ownership transfer the secret update is accomplished as follows: Server S chooses new secret s , a random string r and an integer m . It then computes k = h(s ) and Ms = gk (x r) (s k m ) and sends r, Ms to tag T . T computes (s k m ) = Ms gk (x r). If h(s) = k, S is authenticated and T updates its secret from k to k and its counter c to m . T then computes MT = fk (r x) using the new secret k and sends MT to S. If MT = fk (r x), S

Proceedings of International Conference on Innovation in Electronics and Communication Engineering

now knows that T has received the new secret k , and updates secrets s and k for T to s and k respectively. S computes the hash-chain values, xi = ek (xi1 ) for 1 i m , where x0 is set to x. Otherwise, S starts over again. Fouldagar and A [9] propose two privacy preserving scheme for ownership transfer based on hash functions and symmetric key cryptographic functions. As noted earlier the use of hash function or keyed encryption functions is not in compliance with EPC Class-1 Gen-2 standards. Besides this however, in both the schemes the update of the secret keys KU and KP is not protected against de-synchronization. An attacker can easily achieve DoS by blocking the nal ACK message to the tag leading to the tag and the backend database having different keys. The authors claim that this is an issue that is not inherent to the scheme but rather due to the nature of the wireless channel. However, no solution is proposed. One possible solution is to store previous key values in the database. Seo et al. [41] propose a scheme based on a Public Key Infrastructure (PKI) with the tags computation moved to a proxy that manages each tag and is within the backward channel range of each tag. In our opinion, the infrastructure overhead of the scheme and the notion of a proxy makes the scheme impractical. Kapoor and Piramuthu [42] propose two schemes with both a TTP and without a TTP to enable ownership transfer. The schemes are based on keyed hash and keyed encryption functions. The protocol with TTP suffers from de-synchronization as the tag updates its secret even before the new secret is given to the new owner by the TTP. This means that the attacker can cause de-synchronization by blocking any of the following messages. The non-TTP version also suffers from vulnerabilities that can lead to forward secrecy compromise and tag cloning attacks. In [43] a lightweight ownership transfer protocol that is based on physically unclonable functions (PUF) and linear feedback shift registers (LFSR) is proposed. The authors propose two protocols, one with a TTP and another without a TTP. However, on analysis both the protocols fail to provide the required security properties. As noted in [43] the protocol with TTP suffers from permanent de-synchronization when an attacker selectively blocks messages; while the protocol without a TTP is designed based on the assumption that an attacker is not able to eavesdrop on the transmission over the wireless channel. This is not a valid assumption as noted by Kapoor et al. [44]. VI. O PEN R ESEARCH P ROBLEMS RFID security and privacy research is broadly categorized into two areas [4]. The rst is protocol based which emphasize on designing protocols using lightweight primitives. The second category is hardware based emphasizing on improving tag hardware to provide additional security primitives like elliptic curve cryptography. Several existing research problems in the RFID arena are discussed below as given in [28]. Intended or Meaningless Request: This type of attack is used in tag location tracking and trafc analysis. Here an adversary transmits intended or meaningless requests to a tag instead of eavesdropping the communication. The weaknesses in some
20-21, July 2012, GNI Hyderabad

Table III C OMPARISON OF S ECURITY AND P RIVACY P ROPERTIES (TAG OWNERSHIP ) Scheme Osaka et al. [45] Fouldagar and A [9] Kulseng et al (with TTP). [43] Kulseng et al (without TTP). [43] Dimitriou [46] Song and Mitchell [39] Kapoor and Piramuthu (with TTP). [44] Kapoor and Piramuthu (without TTP). [44] P1 P2 No P3 No P4 A1 A2 No No No A3

No No No No No No No No No No

: Fully satised : partially satised under certain assumptions.

protocols enables the adversary to anticipate the response message of the tag that can be used to perform location tracking. Acquisition of tag information with complexity equal to the backend server: A hash based protocol generally has a computational complexity of O(n) where n is the number of tags and if the cost of an adversary to obtain the tag information via brute-force attack is the same then the attack is considered to be effective. Excessive growth of computational complexity of backend server to recognize a tag: If tag identication by the backend server has excessive computational complexity then the efciency of the overall system declines thereby making the protocol unrealistic for realtime applications. Over Dependency of response message of tag on random number: Random numbers that are used in the operations are exposed during the transmission. An adversary can use this to perform a trafc analysis and brute-force attack. VII. CONCLUSION In this paper, we have discussed - RFID and its role in our everyday lives; the security/privacy threats posed by RFID and how security plays a signicant role in areas such as mutual authentication, secure search and tag ownership/delegation; the challenges in implementing security features in low-cost passive RFID tags which are highly resource constrained; how, many of the schemes that claim to meet the necessary security requirements do not comply with the EPC Class-1 Gen-2 standards due to the use expensive hash operations or sophisticated encryption schemes that passive tags cannot handle. Our future work involves the development of such C1G2 compliant protocols for passive tags in the area of ownership transfer/delegation. R EFERENCES
[1] M. Roberti, The history of rd technology, RFID Journal LLC. [Online]. Available: http://www.rdjournal.com/article/view/1338 [2] T.-C. Yeh, Y.-J. Wang, T.-C. Kuo, and S.-S. Wang, Securing RFID systems conforming to EPC Class 1 Generation 2 standard, Expert Systems with Applications, vol. 37, no. 12, pp. 76787683, Dec. 2010. [3] C. Lee, S. Park, K. Lee, and D. Won, An Attack on an RFID Authentication Protocol Conforming to EPC Class 1 Generation 2 Standard, International Conference on Hybrid Information Technology, pp. 488 495, 2011.

Proceedings of International Conference on Innovation in Electronics and Communication Engineering

[4] C. Tan, B. Sheng, and Q. Li, Secure and Serverless RFID Authentication and Search Protocols, IEEE Transactions on Wireless Communications, vol. 7, no. 4, pp. 14001407, Apr. 2008. [5] H. Pagey and K. A. Hua, TagPay: A Payment Atomic RFID Ownership Transfer Protocol, 2010 IEEE 12th Conference on Commerce and Enterprise Computing, pp. 196203, Nov. 2010. [6] C. H. Lim and T. Kwon, Strong and Robust RFID Authentication Enabling Perfect Ownership Transfer, International Conference on Information and Communications Security ICICS06, vol. 4307, pp. 120, 2006. [7] L. Leinweber, F. G. Wolff, C. Papachristou, and F. L. Merat, A minimal protocol with public key cryptography for identication and privacy in RFID tags, 2009 International Symposium on Signals, Circuits and Systems, pp. 14, Jul. 2009. [8] G. Avoine, Adversarial Model for Radio Frequency Identication, Cryptology ePrint Archive, Report 2005/049, 2005. [9] S. Fouladgar and H. A, A Simple Privacy Protecting Scheme Enabling Delegation and Ownership Transfer for RFID Tags, Journal of Communications, vol. 2, no. 6, pp. 613, Nov. 2007. [10] P. Japinnen and H. Hamalainen, Enhanced RFID security method with ownership transfer, in Proc. of International Conference on Computational Intelligence and Security, 2008. [11] H.-Y. Chien and C.-S. Laih, ECC-based lightweight authentication protocol with untraceability for low-cost RFID, Journal of Parallel and Distributed Computing, vol. 69, pp. 848853, 2009. [12] R. D. Pietro and R. Molva, An optimal probabilistic solution for information connement, privacy and security in RFID systems, Journal of Network and Computer Applications, 2010. [13] T. van Deursen and S. Radomirovic, On a new formal proof for RFID Location Privacy, Information Processing Letters, vol. 110, pp. 5761, 2009. [14] E. Choi, D. H. Lee, and J. I. Lim, Anti-cloning protocol suitable for EPCglobal Class-1 Generation-2 RFID systems, Computer Standards and Interfaces, vol. 31, pp. 11241130, 2009. [15] S. Piramuthu, Protocols for RFID tag/reader authentication, Decision Support Systems, vol. 43, pp. 897914, 2007. [16] Y. Chen, J.-S. Chou, and H.-M. Sun, A novel mutual authentication scheme based on quadratic residues for RFID systems, Computer Networks, vol. 52, pp. 23732380, April 2008. [17] H.-Y. Chien and C.-H. Chen, Mutual Authentication Protocol for RFID conforming to EPC Class 1 Generation 2 Standards, Computer Standards and Interfaces, vol. 29, no. 2, pp. 254259, April 2007. [18] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda, Cryptanalysis of a novel authentication protocol conforming to epc-c1g2 standard, Computer Standards and Interfaces, vol. 31, no. 2, pp. 372 380, 2009. [19] N. Lo and K. Yeh, An efcient mutual authentication scheme for EPCglobal Class-1 Generation-2 RFID systems, in Intenational Conference on Embedded and Ubiquitous Computing, 2007. [20] C.-L. Chen and Y.-Y. Deng, Conformation of EPC Class-1 Generation 2 standards RFID system with mutual authentication and privacy protection, Engineering Applications of Articial Intelligence, vol. 22, pp. 12841291, January 2009. [21] G. Kapoor and S. Piramuthu, Vulnerabilities in chen and dengs rd mutual authentication and privacy protection protocol, Engineering Applications of Articial Intelligence, vol. 24, no. 7, pp. 1300 1302, 2011. [22] A. Liu and L. Bailey, PAP: Privacy and authentication protocol for passive RFID tags, Computer Communications, vol. 32, pp. 11941199, 2009. [23] M. Nasser, P. Peris-Lopez, P. Rae, and M. J. van der Lubbe, Vulnerability analysis of pap for rd tags, ArXiv e-prints, August 2010. [24] T. Cao and P. Shen, Cryptanalysis of some RFID authentication protocols, Journal of Communications, vol. 3, no. 7, pp. 2027, December 2008. [25] T.-C. Yeh, C.-H. Wu, and Y.-M. Tseng, Improvement of the RFID authentication scheme based on quadratic residues, Computer Communications, 2010. [26] A. Juels, Yoking-Proofs for RFID Tags, in International Workshop on Pervasive Computing and Communication Security PerSec 2004, 2004, pp. 138143. [27] K. Wong, P. Hui, and A. Chan, Cryptography and authentication on RFID tags for apparels, Computer in Industry, vol. 57, pp. 342349, 2005.

[28] J.-S. Cho, S.-S. Yeo, and S. K. Kim, Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value, Computer Communications, vol. 34, no. 3, pp. 391397, Mar. 2011. [29] S.-I. Huang and S. Shieh, Authentication and secret search mechanisms for RFID-aware wireless sensor networks, Int. J. Security and Networks, vol. 5, no. 1, pp. 1525, 2010. [30] T. Y. Won, J. Y. Chun, and D. H. Lee, Strong Authentication Protocol for Secure RFID Tag Search without Help of Central Database, 2008 IEEE/IFIP International Conference on Embedded and Ubiquitous Computing, pp. 153158, Dec. 2008. [31] C. C. Tan, B. Sheng, and Q. Li, Serverless Search and Authentication Protocols for RFID, International Conference on Pervasive Computing and Communications PerCom 2007, pp. 312, 2007. [32] Y. Zuo, Secure and private search protocols for RFID systems, Information Systems Frontiers, vol. 12, no. 5, pp. 507519, Aug. 2009. [33] Z. Kim, J. Kim, K. Kim, I. Choi, and T. Shon, Untraceable and Serverless RFID Authentication and Search Protocols, 2011 IEEE Ninth International Symposium on Parallel and Distributed Processing with Applications Workshops, pp. 278283, May 2011. [34] S. I. Ahamed, F. Rahman, E. Hoque, F. Kawsar, and T. Nakajima, S3PR: Secure Serverless Search Protocols for RFID, 2008 International Conference on Information Security and Assurance (isa 2008), pp. 187 192, Apr. 2008. [35] L. Kulseng, Z. Yu, Y. Wei, and Y. Guan, Lightweight Secure Search Protocols for Low-cost RFID Systems, 2009 29th IEEE International Conference on Distributed Computing Systems, pp. 4048, Jun. 2009. [36] S. Sundaresan, R. Doss, and W. Zhou, A serverless ultra-lightweight secure search protocol for epc class-1 gen-2 uhf rd tags, 2012 International Conference on Computer and Information Sciences, To appear, 2012. [37] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Tapiador, T. Li, and Y. Li, Vulnerability analysis of RFID protocols for tag ownership transfer, Computer Networks, vol. 54, no. 9, pp. 15021508, Jun. 2010. [38] C. Shaoying, Y. Li, T. Li, and R. H. Deng, Attacks and Improvements to an RFID Mutual Authentication Protocol and its Extensions, Proceedings of the 2nd ACM Conference on Wireless Network Security WiSec09, pp. 5158, 2009. [39] B. Song and C. J. Mitchell, Scalable RFID security protocols supporting tag ownership transfer, Computer Communications, vol. 34, no. 4, pp. 556566, Apr. 2011. [40] W. Zhou, E. J. Yoon, and S. Piramuthu, Varying Levels of RFID Tag Ownership in Supply Chains, On the Move to Meaningful Internet Systems OTM 2011, pp. 228235, 2011. [41] Y. Seo, T. Asano, H. Lee, and K. Kim, A lightweight protocol enabling ownership transfer and granular data access of RFID tags, the 2007 Symposium on Cryptography and Information Security Sasebo, pp. 23 26, 2007. [42] G. Kapoor and S. Piramuthu, Single RFID Tag Ownership Transfer Protocols, IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, vol. 99, pp. 110, 2011. [43] L. Kuseng, Z. Yu, Y. Wei, and Y. Guan, Lighweight Mutual Authentication and Ownership Transfer for RFID Systems, in INFOCOM 2010, 2010. [44] G. Kapoor and S. Piramuthu, Vulnerabilities in some recently proposed RFID ownership transfer protocols, IEEE Communications Letters, vol. 14, no. 3, pp. 260262, Mar. 2010. [45] K. Osaka, T. Takagi, K. Yamazaki, and O. Takahashi, An Efcient and Secure RFID Security Method with Ownership Transfer, in 2006 International Conference on Computational Intelligence and Security. Ieee, nov 2006, pp. 10901095. [46] T. Dimitriou, RFIDDOT: RFID Delegation and Ownership Transfer made simple, in SecureComm, 2008.

20-21, July 2012, GNI Hyderabad