CRYPTANALYSIS OF RADIO FREQUENCY

IDENTIFICATION SYSTEM MUTUAL

AUTHENTICATION PROTOCOL
MADIHA KHALID, UMAR MUJAHID, ANIQA TAHIR, HYESUNG PARK

1
TABLE OF CONTENTS
 Overview of Internet of Things
 Ultralightweight Mutual Authentication Protocols
 Proposed Work
 Conclusion
 References

2-42
TABLE OF CONTENTS
 Overview of Internet of Things
 Ultralightweight Mutual Authentication Protocols
 Proposed Work
 Conclusion
 References

3-42
OVERVIEW OF INTERNET OF THINGS (IOTS)
IoT is a combination of
embedded systems and smart
sensors working in
collaboration to achieve user
defined objective.

OVERVIEW OF INTERNET OF THINGS 3-42

IOT WORKFLOW

IDENTIFICATION SENSING COMMUNICATION COMPUTATION SERVICES

SEMANTICS

OVERVIEW OF INTERNET OF THINGS 4-42

ENABLING TECHNOLOGIES FOR IOT NETWORK

• Embedded Systems
• Bluetooth
• Wireless Sensor Networks (WSN)
IoT Enabling

•
Technologies
General Packet Radio Service (GPRS)
• Radio Frequency Identification (RFID)
System

OVERVIEW OF INTERNET OF THINGS 5-42

 RFID ENABLED IOT NETWORKS
Tag’s 𝑰𝑫 and Sensor
data

Unencrypted 𝑰𝑫 is transmitted
to the reader by the tag

OVERVIEW OF INTERNET OF THINGS 6-42

LIMITATION OF LOW COST PASSIVE NODES

Traditional Cryptographic Protocols:

• Data Encryption Standard (DES)
• Advanced Encryption Standard (AES)
• Kerberos

In RFID enabled IoT nodes only 250 to 4K gates are available for security protocols [Peris-
Lopez,2006].

OVERVIEW OF INTERNET OF THINGS 7-42

TABLE OF CONTENTS
 Overview of Internet of Things
 Ultralightweight Mutual Authentication Protocols
 Proposed Work
 Conclusion
 References

9-42
ULTRALIGHTWEIGHT MUTUAL AUTHENTICATION
PROTOCOL (UMAP)
UMAPs provide identity verification services within the gate count of 4𝐾.

UMAP
(4K Gate equivalent)

Triangular UMAPs Non-Triangular UMAPs

LMAP[1] EMAP[2] M2AP[3] SASI[4] RCIA[5] SLAP[6]

ULTRALIGHTWEIGHT MUTUAL AUTHENTICATION PROTOCOL 9-42

TABLE OF CONTENTS
 Overview of Internet of Things
 Ultralightweight Mutual Authentication Protocols
 Proposed Work
 Conclusion
 References

12-42
PROPOSED WORK
In this paper we have targeted the confidentiality offered by a non-triangular
UMAP ,the Gossamer’s protocol. We have implemented Tango Cryptanalysis to
estimate the identification number 𝐼𝐷 of the tag by eavesdropping the public
messages.
 WORKING PRINCIPLE OF GOSSARM’S PROTOCOL
Reader (𝑰𝑫, 𝐼𝐷𝑆, 𝐾) Tag (𝑰𝑫, 𝐼𝐷𝑆, 𝐼𝐷𝑆 𝑜𝑙𝑑 , 𝐾, 𝐾 𝑜𝑙𝑑 )
ℎ𝑒𝑙𝑙𝑜 Tag
Reader send 𝐼𝐷𝑆 Tag sends 𝐼𝐷𝑆 Identification
“ℎ𝑒𝑙𝑙𝑜”
1. Extracts private
key.
Mutual 𝑅𝑒𝑎𝑑𝑒𝑟 𝑎𝑢𝑡ℎ𝑒𝑛𝑡𝑖𝑐𝑎𝑡𝑖𝑜𝑛 2. Verify reader by
Authenticati 1. Generates 𝑐ℎ𝑎𝑙𝑙𝑎𝑛𝑔𝑒 𝑚𝑒𝑠𝑠𝑎𝑔𝑒 generating
on Phase Private key. 𝐴| 𝐵 |𝐶 response
2. Sends challenge message.
message. 3. Sends Challenge
𝐷
𝑇𝑎𝑔 𝑎𝑢𝑡ℎ𝑒𝑛𝑡𝑖𝑐𝑎𝑡𝑖𝑜𝑛 message.
Dynamic
Verify tag and 𝑐ℎ𝑎𝑙𝑙𝑎𝑛𝑔𝑒 𝑚𝑒𝑠𝑠𝑎𝑔𝑒
variable
update Dynamic Update Dynamic
update
values values

ULTRALIGHTWEIGHT MUTUAL AUTHENTICATION PROTOCOL 10-42

TANGO CRYPTANALYSIS MODEL
The model consists of two step: Tango Cryptanalysis
 Derivation of Good Approximation (GA)
equations. GA equation derivation
 Estimations of tag’s 𝐼𝐷

Tag’s 𝐼𝐷 estimation

PROPOSED SOLUTION 19-42

 TANGO CRYPTANALYSIS– STEP I
The Adversary executes the protocol on the basis of randomly initialized values
of Tag’s 𝐼𝐷 and dynamic variables to obtain public messages.

Linear Hamming
Combinations Distance
Start GA Hamming
𝐴⊕𝐷 31.64 Equations Distance
𝐴⊕𝐵⊕𝐷 31.38 31.64
𝑨⊕𝑫
𝐵⊕𝐶 31.32
Public Messages 𝑨⊕𝑩 31.38
𝐴⊕𝐵 45.59
(𝐴, 𝐵, 𝐶, 𝐷) ⊕𝑫
𝐶⊕𝐷 31.36 31.32
𝑩⊕𝑪
𝐷⊕𝐵 31.41
𝐴⊕𝐶 45.58 𝑪⊕𝑫 31.36
Hamming Distance ˂ 𝐿Τ2 𝐴⊕𝐷 45.79 𝑫⊕𝑩 31.41
(𝐿 = 64 = # 𝑜𝑓 𝑏𝑖𝑡𝑠 𝑜𝑓 𝐼𝐷) 𝐴⊕𝐵⊕𝐶⊕𝐷 56.38

PROPOSED SOLUTION 20-42

GOOD APPROXIMATION EQUATION– TEWARI &
GUPTA PROTOCOL
The protocol is executed for 1500 sessions to obtain public messages 𝐴, 𝐵, 𝐶 and 𝐷.
Eleven linear combinations with minimum hamming distance are derived.

GOOD APPROXIMATION
TARGET
𝐺𝐴 − 𝐼𝐷
= { 𝐴 ⊕ 𝐷 , 𝐴 ⊕ 𝐵 ⊕ 𝐷 , 𝐵 ⊕ 𝐶 , ሺ𝐶
𝑰𝑫

PROPOSED SOLUTION 21-42

 TANGO CRYPTANALYSIS– STEP II
Consider a valid tag subjected to tango full disclosure attack. The adversary aims to
retrieve the tag’s 𝐼𝐷. The values associated with the tag under attack are as follows:

Concealed Values
Variables
For successful full 𝐼𝐷 0 x 𝐶7 11000111
disclosure attack the 𝐼𝐷𝑆 0 x 𝐶0 11000000
adversary should be able to
retrieve the tag’s 𝐼𝐷 𝐾1 0 x 𝐸0 11100000
𝐾2 0 x 34 00110100
𝒏𝟏 0 x 91 10010001
𝒏𝟐 0 x 20 00100000

PROPOSED SOLUTION 22-42

TANGO CRYPTANALYSIS– STEP II
Eavesdrop the public messages of valid authentication session and calculate GA equations.

Good approximation Good approximation

equation (session i) equation (session i+1)
𝐴⊕𝐷 11100110 𝐴⊕𝐷 01010100
𝐴⊕𝐵⊕𝐷 10000001 𝐴⊕𝐵⊕𝐷 11100101
𝐵⊕𝐶 01000110 𝐵⊕𝐶 11110101
𝐶⊕𝐷 11001011 𝐶⊕𝐷 10001110
Vector A 12 14 10 8 8 12 12 11
𝐷⊕𝐵 01110010 𝐷⊕𝐵 10000100
𝐴⊕𝐶 11010010 𝐴⊕𝐶 00100101
𝐴⊕𝐶⊕𝐷 11000111 𝐴⊕𝐶⊕𝐷 00010000
𝐶⊕𝐵⊕𝐷 01010011 𝐶⊕𝐵⊕𝐷 11000000
𝐴⊕𝐷⊕𝐶 00111000 𝐴⊕𝐷⊕𝐶 11101111
𝐴⊕𝐶 00101101 𝐴⊕𝐶 11011010
𝐵⊕𝐴 01101011 𝐵⊕𝐴 00101111

PROPOSED SOLUTION 23-42

TANGO CRYPTANALYSIS– STEP II
Vector A 12 14 10 8 8 12 12 11

𝛾 = 0.5 ∗ # 𝑜𝑓 𝐺𝐴 ∗ # 𝑜𝑓 𝑠𝑒𝑠𝑠𝑖𝑜𝑛𝑠
𝛾 = 0.5 ∗ 11 ∗ 2 = 11
𝑓𝑜𝑟 𝑖 = 𝐿 − 1 , 𝑖 < 0, 𝑖 − −
{
𝑖𝑓 𝐴𝑖 ≥ 𝛾
𝐴𝑖 = 1
𝑒𝑙𝑠𝑒
𝐴𝑖 = 0}

Conjecture ID 𝟏 𝟏 𝟎 𝟎 𝟎 𝟏 𝟏 𝟏 = 𝟎 𝒙 𝑪𝟕
Tag’s 𝑰𝑫 𝟏 𝟏 𝟎 𝟎 𝟎 𝟏 𝟏 𝟏 = 𝟎 𝐱 𝑪𝟕

PROPOSED SOLUTION 24-42

 TANGO CRYPTANALYSIS– PERFORMANCE
ANALYSIS
 More than 82.81% of the tag’s 𝐼𝐷
can be retrieved in 15 sessions

# recovered bits of ID
 Results can be improved with Genetic
Algorithm

# Eavesdropped Sessions

PROPOSED SOLUTION 25-42

TABLE OF CONTENTS
 Overview of Internet of Things
 Ultralightweight Mutual Authentication Protocols
 Proposed Work
 Conclusion
 References

22-42
CONCLUSION
The cryptanalysis of the Gossamer’s protocol highlights some of the common weaknesses of the
protocol.
 Large number of public messages
 Linear behavior of the UMAP’s primitives
 Weak diffusion capabilities of non-triangular primitives
By addressing the above stated weaknesses a robust UMAP can be designed for the
authentication of recourse constraint IoT network’s perception layer.
TABLE OF CONTENTS
 Overview of Internet of Things
 Ultralightweight Mutual Authentication Protocols
 Proposed Work
 Conclusion
 References

24-42
REFERENCES
1. Peris-Lopez, Pedro, et al. "LMAP: A real lightweight mutual authentication protocol for low-
cost RFID tags." Workshop on RFID security. 2006.
2. Peris-Lopez, Pedro, et al. "EMAP: An efficient mutual-authentication protocol for low-cost
RFID tags." OTM Confederated International Conferences" On the Move to Meaningful
Internet Systems". Springer Berlin Heidelberg, 2006.
3. Peris-Lopez, Pedro, et al. "M2AP: A minimalist mutual-authentication protocol for low-cost
RFID tags." International Conference on Ubiquitous Intelligence and Computing. Springer
Berlin Heidelberg, 2006.
4. Chien, Hung-Yu. "SASI: A new ultralightweight RFID authentication protocol providing strong
authentication and strong integrity." IEEE Transactions on Dependable and Secure Computing
4.4 (2007): 337-340.
5. Tian, Yun, Gongliang Chen, and Jianhua Li. "A new ultralightweight RFID authentication
protocol with permutation." IEEE Communications Letters 16.5 (2012): 702-705.
6. Luo, Hanguang, et al. "SLAP: Succinct and Lightweight Authentication Protocol for low-cost
RFID system." Wireless Networks 24.1 (2018): 69-78.

41-42
QUERIES

42-42