Abstract

Radio Frequency Identification (RFID) technology has emerged as a suitable technology for various applications of the Internet of Things (IoT). Two types of components, tiny labels called tags and small devices called readers, make it possible to associate identifying information with objects (through the tags), which can then be automatically read and identified (through the readers). Hence, RFID authentication protocols, which each entity needs in order to be sure of the identity of the other entity with which it is interacting, play a crucial role in the deployment of secure IoT applications. Many efforts have been devoted in recent years to the design of efficient and secure protocols. However, these protocols usually need a server to maintain a database of sensitive information for all the tags used in the application, making such a server more vulnerable to security attacks. Several blockchain-based authentication protocols have been developed to take advantage of some blockchain capabilities, e.g., decentralization and immutability, to address this issue and design secure authentication protocols. In this paper, we focus on one of these: we analyze the security vulnerabilities of a recent ultra-lightweight mutual RFID authentication protocol for blockchain-enabled supply chains. Despite the detailed formal security analysis provided by the authors, carried out using the Gong, Needham and Yahalom logic and automatic security validation tools, we present two secret disclosure attacks against the protocol. The first one is an active attack, while the second is a fully passive attack.
