Abstract

Radio Frequency Identification (RFID) is a technology increasingly used in many applications for object identification. Ownership transfer of RFID tags is another important requirement for some applications. Namely, the owner of an RFID tag may be required to change several times during its life-cycle. For an ownership transfer, the server of the new owner takes over tag authorization, obtaining the necessary private information from the old owner so that it can communicate securely with the tag. Security and privacy are two major concerns for these applications, and they are critical when tags are required to provide a proof of identity. However, designing an authentication protocol is a challenging task because of the limited resources of low-cost RFID tags. Kulseng et al. recently proposed a lightweight RFID authentication protocol at INFOCOM 2010. They also extended this scheme to secure the ownership transfer of RFID tags. Both protocols use a combination of Physically Unclonable Functions (PUFs) and Linear Feedback Shift Registers (LFSRs). They claim that in this way the number of gates can be significantly decreased and the most efficient protocol can be obtained with respect to the existing protocols. In this paper, we revisit their protocol and show that there are actually several serious protocol issues that compromise the overall security. First of all, they claim that the message blocking attack works only if the final message is blocked. However, we show that this attack still works between the reader and the tag even if the third message is blocked or dropped. Secondly, we show that their protocols are not resistant to message injection attacks due to the lack of message integrity. We also highlight that the LFSR has been misused in their scheme, which yields a privacy vulnerability. Finally, their ownership transfer protocol does not provide tag privacy against the old owner of the tag.
