Vulnerabilities in Chen and Deng's RFID mutual authentication and privacy protection protocol


Engineering Applications of Artificial Intelligence 24 (2011) 1300–1302

Brief paper

Vulnerabilities in Chen and Deng's RFID mutual authentication and privacy protection protocol

Gaurav Kapoor a, Selwyn Piramuthu a,b,*

a Information Systems and Operations Management, University of Florida, Gainesville, FL 32611-7169, USA
b RFID European Lab, Paris, France

* Corresponding author at: Information Systems and Operations Management, University of Florida, Gainesville, FL 32611-7169, USA.
E-mail addresses: [email protected] (G. Kapoor), selwyn@ufl.edu (S. Piramuthu).

Article history: Received 7 April 2011; Accepted 23 June 2011; Available online 8 July 2011

Keywords: RFID; Cryptography; Protocol; Mutual authentication; Vulnerability

0952-1976/$ - see front matter © 2011 Elsevier Ltd. All rights reserved.
doi:10.1016/j.engappai.2011.06.011

Abstract

As incorporation of RFID (Radio Frequency IDentification) tags in a wide variety of applications increases, there is a need to ensure the security and privacy of the entity to which these tags are attached. Not surprisingly, this is a very active area as attested by the large number of related published research literature. Recently, the journal Engineering Applications of Artificial Intelligence published a paper by Chen and Deng (2009) where the authors propose a mutual authentication protocol for RFID. This protocol has fundamental flaws that can be readily taken advantage of by a resourceful adversary. We identify and discuss these vulnerabilities and point out the characteristics of this protocol that expose it to these vulnerabilities.

© 2011 Elsevier Ltd. All rights reserved.

1. Introduction

RFID tags are increasingly being deployed in a wide variety of application domains (e.g., Totty, 2009). Although RFID tags have been in existence for over seven decades, recent developments in information systems technology, the availability of relatively cheap RFID tags, and the need to utilize as much information as is available to make intelligent decisions or automate systems have resulted in its explosive growth during the past decade. Unlike bar codes where scanning needs to occur from close proximity, RFID tags are capable of communicating with readers that are not necessarily nearby and in direct line-of-sight. While this capability is clearly advantageous in automated systems where the need to visually or manually check for the existence of any given entity is minimal, there may be related consequences. For example, an adversary can take advantage of this dynamic which could possibly lead to associated security and privacy violations as well as degradation in competitive advantage for firms.

Not surprisingly, this is a very active research area. For the most part, security and privacy issues related to RFID tags are handled through cryptography. Security protocols are used to authenticate RFID tags. While this seems to be operable in principle, there is a lack of robust and secure authentication protocols that can be used to secure RFID-tagged entities from attacks from resourceful adversaries. Authentication protocols vary depending on application needs. A majority of authentication protocols are one-way in the sense that the reader generally authenticates the tag and not vice versa. However, there is a need for two-way authentication where both the reader and the tag authenticate each other to ensure that both the parties are communicating with the intended parties and not with an adversary.

Extant literature has several mutual authentication protocols. Unfortunately, quite a few of these protocols are vulnerable to attacks from a resourceful and active adversary (e.g., Piramuthu, 2010). Any given vulnerability in an RFID authentication protocol has the potential to violate privacy and security of the tagged object as well as hide the existence of the tagged object from the view of an automated system. Recently, the Engineering Applications of Artificial Intelligence Journal published a paper dealing with RFID authentication protocols. The mutual authentication protocol introduced in this paper, however, is vulnerable to attacks from an active adversary. We identify some existing vulnerabilities in this authentication protocol. We also discuss some of the characteristics that render this protocol open to preventable vulnerabilities. We do not attempt to present or propose a modified version of the Chen and Deng protocol since that is not the purpose of this paper.

The remainder of this paper is organized as follows: we consider the Chen and Deng protocol and identify some vulnerabilities in this protocol in the next section. We conclude the paper with a brief discussion in the last section.


2. Mutual authentication protocol

We first introduce the notations used in this paper, followed by the protocol presented in the paper considered and the identification of some of its inherent vulnerabilities. Since detailed information is available in Chen and Deng (2009), we only provide a sketch of the protocol in this paper. The interested reader may consult the original paper (i.e., Chen and Deng, 2009) for further details.

Notations used in this paper:

• $r_T, r_R$: random $l$-bit vectors;
• $k_i$: $l$-bit shared secret key;
• $N_i$: nonce associated with tag $T_i$;
• $\oplus$: Exclusive-OR (XOR);
• CRC: cyclic redundancy check;
• $ID_{R_j}$: $j$th reader's identification;
• $EPC_{T_i}$: EPC for tag $T_i$;
• $x \leftarrow y$: value $y$ assigned to $x$;
• $M_{req}$: reader's request message;
• $M_{resp}$: reader's response message.

2.1. Chen and Deng protocol

Chen and Deng (2009) propose a protocol for mutual authentication. In this mutual authentication protocol, each tag $T_i$ is assigned a fixed set of $(N_i, k_i)$ values (where $i$ represents the index for tag $T_i$) and these are maintained in a database. The process of assigning these values occurs during the registration phase. Also, each of the readers in this setting is assigned a set of tags and their secret values (i.e., $N, k$) are transferred from the database to these readers during the registration phase. These values are never updated in the protocol. A sketch of their protocol is given in Fig. 1.

The vulnerabilities identified in this protocol are, in part, due to the constant $M_{req}$, $M_{resp}$, and $r_T \oplus X$ values. In general, it is difficult to design and develop authentication protocols using cryptography that are devoid of vulnerabilities when the variables and all parameters used in the protocol remain static. Freshly generated nonces are generally used in every authentication round to decrease the probability of encountering vulnerabilities in these protocols.

Vulnerabilities in RFID authentication protocols take several forms including DoS (Denial of Service) and impersonation, among others. Impersonation vulnerabilities in this context include tag impersonation and reader impersonation. Tag impersonation signifies the presence of an adversary that can completely impersonate the tag to authentic and honest readers, i.e., an honest reader will not be able to distinguish responses it receives from the honest and authentic tag from those that it receives from an adversary impersonating this tag. Since most automated systems do not visually verify the existence of the RFID-tagged entities, the adversary can easily get away with impersonating the tag. Reader impersonation works the other way around whereby the tag is unable to differentiate messages it receives from an honest reader vs. those that it receives from the reader-impersonating adversary. Impersonation is a serious problem in automated systems especially when critical, sensitive, or expensive entities are the subject of impersonation.

Fig. 1. Protocol of Chen and Deng (2009).

We have identified two major vulnerabilities in the Chen and Deng protocol: one where a resourceful adversary may impersonate the reader to the tag and one where the adversary may impersonate the tag to the reader. The former could result in the adversary being able to track the tag. The ability to be tracked and traced violates security and privacy of the tagged entity. The latter could result in the adversary being able to clone the tag from the reader's perspective.

We now present the identified vulnerabilities and list the steps an adversary could possibly follow to take advantage of the vulnerabilities present in this protocol.

Impersonate reader to tag and track tag:

Round-1: ⟨Passively observe and copy communication between tag $T_i$ and reader $R_j$ (Fig. 1)⟩;

Round-2: ⟨Send $M_{req}, r_R, CRC(N_i \oplus r_R)$ to tag $T_i$⟩; ⟨Observe $Y$ from tag $T_i$ to track this tag⟩ (see discussion below); ⟨Send $M_{resp}$ to tag $T_i$⟩; ⟨Tag $T_i$ validates reader $R_j$⟩.

Here, $Y = CRC(r_T \oplus N_i \oplus X) = CRC(r_T \oplus N_i \oplus K_i \oplus EPC_{T_i} \oplus r_T)$, which is just $CRC(N_i \oplus K_i \oplus EPC_{T_i})$. Since $N_i, K_i, EPC_{T_i}$ are fixed for each tag, $Y$ is constant. An adversary passively observes a round of the authentication protocol between a given tag and reader and copies all communication between these two entities. The attack can be instantiated any time from now on. This attack is not a one-shot event in the sense that this can be carried out indefinitely for the adversary to track and trace this tag even without the presence of this particular reader in the immediate vicinity. Once the adversary has all the messages from an authentication round of this protocol, the adversary can just send the first message whenever it wants to track the tag. Since $Y$ is constant, the adversary can confirm the presence of this specific tag from its response. The adversary can then send $M_{resp}$ to the tag to complete the protocol. During this process, the tag is not aware of the presence of the adversary since the messages are as if they are from a trusted reader.

Impersonate tag to reader:

Round-1: ⟨Passively observe and copy communication between tag $T_i$ and reader $R_j$ (Fig. 1)⟩;

Round-2: ⟨When reader $R_j$ sends $M_{req}, r_R, CRC(N_i \oplus r_R)$ to tag $T_i$, reply with $(r_T \oplus d, X \oplus d, Y)$ to $R_j$⟩; ⟨Reader $R_j$ validates tag $T_i$⟩.

This is a serious vulnerability since the adversary can impersonate the tag. The vulnerability is very similar to that of cloning a tag. Here, the adversary again passively observes a round of the mutual authentication protocol between a given pair of tag and reader and copies all the messages between tag and reader. The attack occurs when the reader tries to authenticate the tag any time in the future. When that happens, the tag can just XOR any $d$ to the previously observed $r_T$ (the nonce generated by the tag) as well as XOR this same $d$ to $X$ that was previously saved from the same earlier run of the protocol. Since $Y$ is constant, the adversary can send the same $Y$ that it had copied earlier. The reader will then validate the tag. The $d$ value is used to modify the message from tag to reader so that the reader does not observe the same response from the tag over time. This attack can be mounted forever from now on since none of the secret values are updated in this protocol.

2.2. Some vulnerable characteristics of Chen and Deng protocol

Given that the Chen and Deng RFID authentication protocol has serious flaws, we discuss a few of its characteristics that expose it to such vulnerabilities. In general, these characteristics are to be avoided when developing strong protocols that are immune to such attacks from resourceful adversaries.

The main cause for concern in the Chen and Deng protocol is the complete absence of any variability and the validation of such variability in the messages sent between tag and reader. In the absence of variability, it is relatively straightforward to mount attacks on such protocols. Although both the reader and tag generate a fresh nonce during each authentication round, they are not utilized appropriately in the protocol. For example, the reader generates a fresh nonce $r_R$ at the beginning of each authentication round. The reader even sends this nonce to the tag, which completely ignores it. Since this nonce ($r_R$) is not used by the tag in any way, its purpose in the protocol is unclear. Ideally, the tag should use it as a part of its response so the reader knows that the tag indeed received its previous message. The tag cannot just reply with an earlier message from the reader.

Similarly, the tag generates its own fresh nonce ($r_T$) during every authentication round. However, the structure of $X$ and $Y$ it generates nullifies the effect of $r_T$'s randomness since $r_T \oplus X$ is a constant and this constant is used in both $X$ and $Y$. This vulnerability could be alleviated through proper design of $X$ and $Y$ such that both $X$ and $Y$ show some variability in addition to those provided by $r_T$ alone. Yet another possibility of preventing these impersonation attacks would be by updating the $(N_i, K_i)$ values after each authentication round.
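The following Python audit is an added example, not code from Kapoor and Piramuthu or from Chen and Deng. It models the tag side from the equations for $X$ and $Y$ given above and checks both weaknesses discussed in Section 2.1 (constant $Y$, and acceptance of a recorded reply shifted by $d$), then repeats the check with $r_R$ mixed into $Y$ as this section suggests. The reader-side check, the CRC-16 choice, the 64-bit length and the `bind_r_r` variant are assumptions made for illustration.

```python
import random
from binascii import crc_hqx

L = 64  # bit length l of keys and nonces (constructed value)

def crc(v):
    """CRC-16/CCITT over an l-bit value; stands in for the page's CRC."""
    return crc_hqx(v.to_bytes(L // 8, "big"), 0xFFFF)

class Tag:
    """Tag T_i with the static (N_i, K_i, EPC_Ti) assigned at registration."""
    def __init__(self, n, k, epc, rng, bind_r_r=False):
        self.n, self.k, self.epc = n, k, epc
        self.rng, self.bind_r_r = rng, bind_r_r

    def respond(self, r_r):
        r_t = self.rng.getrandbits(L)       # fresh r_T every round
        x = self.k ^ self.epc ^ r_t         # X = K_i xor EPC_Ti xor r_T
        y_in = r_t ^ self.n ^ x             # r_T cancels: N_i xor K_i xor EPC_Ti
        if self.bind_r_r:                   # assumed variant: r_R enters Y
            y_in ^= r_r
        return r_t, x, crc(y_in)

def reader_accepts(record, r_r, reply, bind_r_r=False):
    """Assumed reader-side check, rebuilt from the page's equations for X and Y."""
    n, k, epc = record
    r_t, x, y = reply
    y_in = r_t ^ n ^ x ^ (r_r if bind_r_r else 0)
    return (r_t ^ x) == (k ^ epc) and y == crc(y_in)

def audit(bind_r_r=False, rounds=20, seed=1):
    rng = random.Random(seed)               # seeded only to make the run repeatable
    record = tuple(rng.getrandbits(L) for _ in range(3))  # constructed N_i, K_i, EPC_Ti
    tag = Tag(*record, rng, bind_r_r)
    old_r_r = rng.getrandbits(L)
    # Linkability: Y values seen when the same recorded reader message is replayed.
    ys = {tag.respond(old_r_r)[2] for _ in range(rounds)}
    # Replay: a recorded reply, shifted by d, checked against a fresh r_R.
    r_t, x, y = tag.respond(old_r_r)
    d = rng.getrandbits(L) | 1
    stale = (r_t ^ d, x ^ d, y)
    fresh_r_r = rng.getrandbits(L)
    return {
        "distinct_y": len(ys),
        "stale_reply_accepted": reader_accepts(record, fresh_r_r, stale, bind_r_r),
        "honest_reply_accepted": reader_accepts(record, old_r_r, (r_t, x, y), bind_r_r),
    }

if __name__ == "__main__":
    print("as sketched on the page:", audit(False))
    print("r_R mixed into Y       :", audit(True))
```

With $r_R$ in $Y$ the shifted stale reply is rejected, but `distinct_y` stays at 1 when the same recorded reader message is replayed, so linkability still calls for the additional variability in $X$ and $Y$ or the updated $(N_i, K_i)$ values discussed above.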

3. Discussion

Privacy and security are serious issues that demand immediate attention from researchers and practitioners in the area of RFID authentication protocols. As RFID tags become ubiquitous, there is a need to address issues related to security and privacy of developed protocols (e.g., Piramuthu, 2007). We identified vulnerabilities in the mutual authentication protocol proposed in Chen and Deng (2009). The protocol is shown to be insecure in two different ways, with an adversary having the ability to impersonate both the tag and the reader. Therefore, this protocol cannot guarantee its stated goals of secure authentication. Given the precipitous rise in RFID implementations over the past decade, there is an urgent need to develop mutual authentication protocols that are secure and lightweight. While the Chen and Deng protocol is not secure as is, we hope researchers in this area are encouraged to develop protocols that are secure.

References

Chen, C.-L., Deng, Y.-Y., 2009. Conformation of EPC class 1 generation 2 standards RFID system with mutual authentication and privacy protection. Engineering Applications of Artificial Intelligence 22, 1284–1291.

Piramuthu, S., 2007. Protocols for RFID tag/reader authentication. Decision Support Systems 43 (3), 897–914.

Piramuthu, S., 2010. RFID mutual authentication protocols. Decision Support Systems 50 (2), 387–393.

Totty, M., 2009. Business Solutions – New Ways to Use RFID. The Wall Street Journal, June 2.