Abstract
With the exponential increase of Internet of things (IoT) connected devices, important security risks are raised as any device could be used as an attack channel. This preoccupation is particularly important with devices featuring limited processing power and memory capabilities for security purposes. In line with this idea, Xu et al. (2018) proposed a lightweight Radio Frequency Identification (RFID) mutual authentication protocol based on Physical Unclonable Function (PUF)—ensuring mutual tag-reader verification and preventing clone attacks. While Xu et al. claim that their security protocol is efficient to protect RFID systems, we found it still vulnerable to a desynchronization attack and to a secret disclosure attack. Hence, guidelines for the improvements to the protocol are also suggested, for instance by changing the structure of the messages to avoid trivial attacks. In addition, we provide an explicit protocol for which our formal and informal security analysis have found no weaknesses.
Highlights
The Internet of things (IoT) concept finds its roots in the early 1990s with the vision of ubiquitous computing [1] and the underlying idea that any object can be equipped with technology to become a computing device
While Xu et al claimed that their security protocol is efficient to protect Radio Frequency Identification (RFID) systems, we found that their protocol is still at risk of being exposed to a desynchronization attack and to a secret disclosure attack
Since the commercial introduction by Verayo in the early 2008 of the first silicon chips equipped with Physical Unclonable Function (PUF), the market has seen some growth with other companies (e.g., Intrinsic ID, Quantum Trace, Invia) developing in this marketplace
Summary
The Internet of things (IoT) concept finds its roots in the early 1990s with the vision of ubiquitous computing [1] and the underlying idea that any object can be equipped with technology to become a computing device. RFID databases, encryption of radio signals, authentication of approved users, shielding of a reading zone to prevent unauthorized access, logging and time stamping to help in detecting security breaches, etc Another way of securing RFID tags to support authentication applications is to create hardware security at the silicon level, by using a unique digital signature for RFID silicon chips based on how electrons flow through different paths of the chip, creating a silicon “fingerprint”. While the authors claim that their three-stage protocol (tag recognition, mutual verification and update) is efficient to protect RFID systems, we found that Xu et al.’s protocol is still vulnerable to a desynchronization attack and to a secret disclosure attack since the mutual verification process has flaws These topics and arguments are addressed in this article.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
