Security Issues of a Recent RFID Multi Tagging Protocol

RFID is now a widespread method used for identifying people and objects. But not all communication protocols can provide the same rigorous confidentiality to RFID technology. In return, unsafe protocols put individuals and organizations into jeopardy. In this paper, a scheme that uses multiple low cost tags for identifying a single object is studied. Through algebraic analysis on chronologically ordered messages, the proposed multi tag arrangement is shown to fail to provide the claimed security. The weaknesses are discussed and previously proven precautions are recommended to increase the security of the protocol, and thus the safety of its users.


I. INTRODUCTION
Radio Frequency Identification (RFID) is the second most widespread tool used in object identification and tracking, after paper barcodes. But barcodes require a line of sight and can identify only one object at a time. Meanwhile, RFID does not require line of sight and as many as hundreds of objects can be identified within a second [1]. Therefore, it is not surprising to see RFID gradually replacing traditional barcodes in one of the biggest chain stores of the U.S.A. [2]. RFID has also proven itself in analysis of animal behavior [3], anti-counterfeiting [4], business automation [5], asset management [6], and recently in healthcare [7]. Indications are that RFID will be one of the leading identification tools in the near future.
Simply put, RFID is a set-up of an electronic identification sticker (tag), a reader and a server. The tag has an integrated circuit with a unique identification number (ID) in its memory. An antenna attached to the integrated circuit is used to energize it through electromagnetism. The reader supplies the required electromagnetic energy to activate the tag. After activating the tag, the reader requests the ID of the tag [8]. A tag energized through the reader's electromagnetic field is called a passive tag. Other, battery-operated tags are called active tags and are not within the scope of the present work. This study focuses on a special type of passive tag, the low-cost Ultra-High Frequency (UHF) tag, which is preferred for its long reading distance. Unfortunately, their limited resources cause UHF tags to lack strong security primitives. Capturing the Electronic Product Code (EPC, i.e. the ID) of some tags is very easy [9]. It is possible to track an item with an exposed ID anywhere it goes on earth [1]. Therefore, it is necessary to look for a standard beyond the security supported in the ISO 18000-6 [10] and EPC Global Class 1 Generation 2 version 2 (Gen-2) [11] standards of the UHF tags. But it should be noted that high security levels increase the cost of the tags. Therefore, the common goal of the researchers is to obtain a method with a balanced cost-security ratio.
In the rest of this paper, Section 2 summarizes previous work. Section 3 demonstrates weaknesses of a recent proposal. Section 4 contains authentication and security analysis of the proposal and four correction recommendations. In Section 5, the main conclusions and future work are presented.

II. RELATED WORK
Being pervasive yet insecure, early UHF tags have triggered many authentication proposals. The proposals have been categorized according to the functions used for obscuring the tag ID [12]. The proposed protocols are grouped under four categories:
- Ultra-lightweight: Support only bitwise operation functions like AND, OR, XOR (⊕), Shift, Rotate etc.
- Lightweight: Support random number generation and simple functions like cyclic redundancy check (CRC), but not hash functions.
- Simple: Support random number generation and one-way hash functions.
Lately, researchers have tried to stretch the boundaries between the neighboring categories. The categorization arguments gradually subsided and attention turned towards implementation of "lightweight" versions of hash and cryptographic functions [13]. But most proposals involve the authentication of a single tag, identifying a single object. There are of course the grouping proof protocols of multiple tags [14], but still each object is identified by a single tag.
www.ijacsa.thesai.org
Recently, identifying an object with multiple tags based on an ultra-lightweight authentication protocol has been proposed [15]. The proposal will be named Dhal and Gupta's Multi-Tag Authentication Protocol (DGMTAP). DGMTAP places multiple tags on an object as in Figure 1, each with an individual secret shared with the server. As always, the ultimate security goal is preventing the capture of the ID or the shared secret of the tag. The authors claim that DGMTAP resists known RFID attacks of listening adversaries.
Using the notation of Figure 1, $m$ objects are marked by $n$ tags. Each tag's index $IN_j$, shared secret key $SK_j$ ($2b$ bits long), and old and new IDs $ID_j^{old}$, $ID_j^{new}$ are in the server's database. The index provides fast access to the tag record. The protocol assumes that the reader-server channel is secure, but the tag-reader channel is not. Therefore, the attackers can only use $r_r$ ($2b$ bits long), $IN_j$, $M_j$, $P1_j$, $P2_j$ that go between the reader and the tags. The equations and functions (Figure 1) used in the protocol are public and therefore available to malicious users as well. The mutual authentication of the server and the tag proceeds as follows: The reader triggers an identification session by sending a request and a random number (nonce) to a tag. Nonces are used for message freshness. No other secret or data is shared with the reader.
The server has all the information of the tags in an indexed database, as shown in Figure 1. One or multiple tags receiving the request prepare their version of message $M_j$ (equation 1), using their own secret $SK_j$. Next, $M_j$ is sent to the reader preceded by the tag's index $IN_j$. The reader acts as a mediator to relay the replies of the tags, together with its nonce, to the server. Using the index of the tag, the server finds the shared secret key $SK_j$ of the tag and uses it with $r_r$ in equation 2 to extract $(ID_j'\ r_j \,\|\, r_j)$. The apostrophe sign indicates that this is the received value. From here, the concatenated tag nonce $r_j$ is obtained. With $r_j$, the server calculates $(ID_j^{new}\ r_j)$ and checks if it equals the received $(ID_j'\ r_j)$ value. If it is a match, the tag is authenticated and the object is identified. If not, the server checks if $(ID_j^{old}\ r_j)$ equals the $(ID_j'\ r_j)$ value. If it is a match, the tag is authenticated and the object is identified. If not, the tag is rejected. After tag authentication is complete, a new tag $ID_j^{new'}$ is calculated and sent to the tag via the reader, hidden in messages $P1_j$, $P2_j$. The reader merely relays the messages together with the tag index. Each tag checks the index to decide if the broadcast is intended for itself. If it is, the tag carries out the XOR operation on $P1_j$ (equation 6). Next, the tag obtains $ID_j^{new'}$ by adding its own nonce to the result of equation 6 (equation 7). Using $ID_j^{new'}$, the tag analyses message $P2_j$ to verify if the sent $ID_j'$ matches its present $ID_j$ (equations 8 and 9). If it is a match, authentication of the server is complete and the tag saves the new tag $ID_j^{new'}$. The tag finishes and does not acknowledge the server about the completion of mutual authentication.
The presence of malicious wireless equipment users and dishonest readers is a common assumption in radio frequency communications [14]. Adversaries are encouraged especially if a reply to every challenge is guaranteed. Due to the nature of RFID technology, every request is replied to by a tag. Therefore, challenging from a distance and recording the replies of a tag is very popular among RFID hackers [16]. The replies are accumulated and analyzed at a later time. In DGMTAP, although the presence of dishonest readers is assumed and no secrets are shared with the reader, the identity or the nonce ($r_r$) of the reader are not checked. The absence of the checks opens the way to a serious attack on DGMTAP. As a result of the attack, it becomes obvious that the claimed security properties of the protocol do not exist. Here is the attack scenario in detail: An attacker challenges the tags of an object using the same bogus nonce $r_c = 0$ twice, and saves the replies. Observe that neither the tag nor the server checks for a zero $r_c$ value. Denoting the first and second challenges with superscripts 1 and 2, respectively, from equation 1 of Figure 1:
XORing equations (1) and (2):
Because $(SK_j\ r_c) \oplus (SK_j\ r_c) = 0$ and $A \oplus 0 = A$. Equation (3) is an XOR operation which can be divided into XORing the lower and upper bits:
$$\text{Lower bits of } (M_j^1 \oplus M_j^2) = r_j^1 \oplus r_j^2 \tag{5}$$
In mathematics, the XOR function is known as the modulo 2 addition without carry [17]. Therefore, the XOR operation can be approximated to addition. The trivial justification is left to the reader, while the XOR operations on the right hand side of equations (4) and (5) are approximated to addition:
$$LoM = r_j^1 + r_j^2 \tag{7}$$
where $LoM$ denotes the lower bits of $(M_j^1 \oplus M_j^2)$ and $UoM$ denotes the upper bits of $(M_j^1 \oplus M_j^2)$.
Adding equations (6) and (7):
The $ID_j$ of the tag is obtained using equation (8), since $M_j^1$ and $M_j^2$ are passed in cleartext during the message exchange. Now the attacker has the index $IN_j$ and the $ID_j$ of the tag. Next, the attacker uses the same dishonest reader to send the saved messages $M_j^1$ and $M_j^2$ to the server. Observe that the server never checks the identity or the legitimacy of a reader. The attacker does not allow the replies of the server to reach the tag, but just plays $M_j^1$ and $M_j^2$ and saves the replies. The server believes that the tag used $ID_j'$, because it has not updated in the previous authentication session.
Therefore, the server uses the same $ID_j'$ value in its database for preparing its replies. As a result of the two sessions with the server, the following replies are received by the reader:
$$P2_j^1 = (ID_j^{new1} - SK_j') \oplus (ID_j' - SK_j'') \tag{10}$$
XORing (9) and (11), then (10) and (11) yields:
Approximating the XOR operations in equations (13) and (14) to addition and subtracting (14) from (13) gives:
Using equation (7) and rearranging equation (15):
All of the terms on the right hand side of equation (16) are cleartext messages saved by the attacker. Therefore, now the lower $b$ bits (notation table of Figure 1) of the shared secret $SK_j$ are captured. The captured values ($ID_j$ and $SK_j'$) can now be used to break down the whole DGMTAP protocol. The attacker returns to equation (1) for a bitwise analysis and since $r_c = 0$, equation (1) reduces to:
Separating the upper and lower $b$ bits of the XOR operation, equation (17) can be broken into two equations:
$$LoM_j^1 = SK_j' \oplus r_j^1 \tag{19}$$
From equation (19), the value of $r_j^1$ is captured, because $SK_j'$ was already exposed. Substituting the captured $r_j^1$ value in (18), the value of $SK_j''$ is also obtained. Now, the whole $2b$ bits of the shared secret $SK_j$ are in the hands of the attacker. Inserting $SK_j$ in equation 2, the second tag nonce $r_j^2$ is isolated. Now, by inserting the captured $r_j^1$, $SK_j'$, $ID_j'$ values in (9) and $r_j^2$, $SK_j'$, $ID_j'$ values in (11), both $ID_j^{new1}$ and $ID_j^{new2}$ are calculated. The tag's record in the database is now completely exposed. The capture of the full record of a tag is called a full-disclosure attack [9] and it has serious ramifications for the user of the tag.

IV. DISCUSSIONS
Authentication protocol proposals are as good as their claims. In other words, when the security of a proposed protocol is proven to be short of what it claims to be, it is immediately abandoned. As demonstrated, the full record of a DGMTAP tag can be exposed. An exposed RFID tag is no different from a barcode paper sticker on a commodity. The consequences of such a security breach are more critical than just revealing the secret identification of an object, as will become apparent next.

A. Authentication Analysis
The authors of DGMTAP make four critical errors in their security analysis. First, since the reader-server channel is assumed to be secure, the backend server does not check the authenticity of the reader. The price paid is the giveaway of the two replies to the two bogus messages in the full disclosure attack demonstrated in the previous section. Secondly, the number of server replies with the old tag ID is not counted. Thus, blocking the replies of the server can go unnoticed. Hence, the server can be tricked to send multiple replies, using the same tag ID. The adversary simply accumulates the replies and exposes the repeated ID. The third error is the server's failure to check the nonce ($r_r$) of the reader. As observed in the attack above, a zero valued nonce facilitates the analysis of the DGMTAP messages. Finally, although multiple tags are used to identify an object, each tag's authentication does not add up to a more secure protocol, as in a grouping proof protocol [14]. As demonstrated in our full disclosure attack, the secrets of each tag can be exposed by carrying out the same analysis individually on each tag.

B. Security Analysis
Proposed protocols are normally expected to provide the basic security properties like message confidentiality, message integrity and privacy. Failing to do so opens the way to the following known attacks.
1) Eavesdropping: Eavesdropping on messages going through air cannot be prevented and, contrary to the authors' claims, the secrets of DGMTAP tags are not secured enough to go through the air.
2) Man-In-The-Middle Attack: There is no need for this type of attack on DGMTAP, since the secrets can be obtained otherwise. But after full acquisition of tag secrets, false messages can be formed and the server can be fooled by a man in the middle, using an unchecked dishonest reader.
3) Replay Attack: It has been demonstrated that replaying the same zero-valued reader's nonce resulted in a full disclosure attack on DGMTAP.

4) Location Tracing: As the present and next identity values of a tag are exposed, by analyzing the exchange between a tag and a reader, an attacker can find out which object a tag belongs to. By recording the locations of the identified objects, tracing an object becomes easy.
5) Forward Security: This property cannot be provided by DGMTAP, because all coming identification values $ID_j^{new}$ of the tag can be calculated, once the shared secret and the present identification $ID_j$ are captured.
6) Backward Security: DGMTAP cannot provide this property, because by inserting the constant value of $SK_j$ and the captured present identification $ID_j$ in the saved message exchanges, all of the old $ID_j$ values can be calculated.
7) Synchronization Attack: This attack is also possible, because a dishonest tag can be created with the captured secrets. The dishonest tag can communicate with the server because it can formulate $M_j$ messages. The server is tricked to update $ID_j$ twice. The authentic tag has no knowledge of the clandestine session between the server and the dishonest tag. Hence, while the identity value in the authentic tag is unchanged, that value has been dropped out of the server's database. Consequently, the server will fail to recognize the authentic tag when it tries to authenticate with the server, because now it has no match in the database.
8) Physical Attack: This type of attack is in another category. Its prevention requires hardware sophistication such as secure memory and memory fuse architectures, which are beyond the scope of this work.

C. Some Recommendations for Correcting DGMTAP
DGMTAP can be improved easily by a number of precautions. First, the server should authenticate the reader and bind its use to a well-proven user. The user must have a secret login password, and a unique feature of the reader, like the CPU ID, must be used. A detailed example can be found in work [18]. Such safety precautions eliminate the danger of malicious attacks via dishonest readers. Secondly, the server must check the reader nonce $r_r$ before evaluating any tag messages. An "If $r_r$ == 0 → abort" operation would suffice. Such a check eliminates the danger of simplifying the decryption of exchanged messages. Third, a further XOR operation after the concatenation operation in equation (1) can complicate the algebraic analysis of DGMTAP. Concatenation by itself is a weak operation, which can be easily reversed by breaking up a message at the point where it was concatenated. Therefore, concatenation should not be the last operation in an equation. Finally, a grouping proof protocol covering the tags attached on the same object can improve the security, as advised in work [14]. Grouping proof protocols usually challenge the first tag in the group (tag 1), next challenge tag 2 with the reply of tag 1, next challenge tag 3 with the reply of tag 2 and so on. At the end, the replies of the tags are packed and encrypted with the reader's user password. The server receives the resultant data package and verifies the reply of each tag. Any disagreement in the verification causes a fault in the authentication of the chain. Hence, the authentication of the object(s) is dependent on a more sophisticated protocol. DGMTAP has the multi tag basis for a grouping proof protocol, but does not use it.
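The server-side checks recommended above (reader authentication, rejecting a zero $r_r$), together with the old-ID reply count whose absence the authentication analysis criticizes, are sketched below as an added example; it is not code from the paper or from DGMTAP's authors. All names (`SessionGuard`, `TagRecord`, `MAX_OLD_ID_REPLIES`) are hypothetical, the reader allow-list is a stand-in for real reader authentication, and rejecting any reused nonce per tag generalizes the zero check.

```python
from dataclasses import dataclass, field

MAX_OLD_ID_REPLIES = 1  # assumed policy: replies the server sends on the old ID


@dataclass
class TagRecord:
    id_new: int
    id_old: int
    old_id_replies: int = 0
    seen_nonces: set = field(default_factory=set)


class SessionGuard:
    """Hypothetical checks the server runs around DGMTAP message handling."""

    def __init__(self, trusted_readers, records):
        self.trusted_readers = set(trusted_readers)  # stand-in for reader authentication
        self.records = records                       # tag index IN_j -> TagRecord

    def precheck(self, reader_id, index, r_r):
        """Run before M_j is evaluated; return None to proceed or the abort reason."""
        if reader_id not in self.trusted_readers:
            return "unauthenticated reader"
        if r_r == 0:
            return "zero reader nonce"
        rec = self.records.get(index)
        if rec is None:
            return "unknown tag index"
        if r_r in rec.seen_nonces:
            return "reader nonce reused for this tag"
        rec.seen_nonces.add(r_r)
        return None

    def may_reply(self, index, matched_id):
        """Run after the tag authenticated with matched_id, before P1_j, P2_j are sent."""
        rec = self.records[index]
        if matched_id == rec.id_new:
            rec.old_id_replies = 0
            return True
        # A match on the old ID means an earlier reply never reached the tag.
        rec.old_id_replies += 1
        return rec.old_id_replies <= MAX_OLD_ID_REPLIES


def demo():
    # Constructed sample data: one tag record and a sequence of session attempts.
    guard = SessionGuard({"reader-1"}, {7: TagRecord(id_new=0x1234, id_old=0x0FED)})
    return [
        guard.precheck("reader-x", 7, 0xBEEF),  # reader not enrolled
        guard.precheck("reader-1", 7, 0),       # zero nonce
        guard.precheck("reader-1", 7, 0xBEEF),  # accepted
        guard.precheck("reader-1", 7, 0xBEEF),  # same nonce again
        guard.may_reply(7, 0x0FED),             # first reply on the old ID
        guard.may_reply(7, 0x0FED),             # second reply on the old ID is refused
    ]
```

A refused `may_reply` is the point at which a deployment would raise an alert, since repeated sessions on the old ID are what blocked server replies look like from the server side.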

V. CONCLUSION
A protocol attempting to bring security to RFID identification by introducing multiple tags per object has been analyzed. Full disclosure of the sensitive tag secrets was possible through an algebraic attack on the exchanged messages. The attack demonstrated that merely multiplying tags for identification can result in the breakdown of the claimed protocol's security features. Four recommendations have been made for improving the security of the analyzed protocol. But it is best to start with the previous work, recommending lightweight cryptography for RFID tags [13].
Future work must try to comply with the new RFID standards aimed at popular UHF RFID tags [11]. Such intentions lead the research into introducing the Advanced Encryption Standard and Elliptic Curve Cryptography for secure channel initiation, in low cost RFID tags. Strong cryptographic tools are needed even in low cost tags, because the captured messages are analyzed using computationally powerful computers.