Journal of Computing and Security

July 2016, Volume 3, Number 3 (pp. 163–174)

http://www.jcomsec.org

Security Analysis of an EPC Class-1 Generation-2 Compliant

RFID Authentication Protocol

Fereidoun Moradi a,∗, Hamid Mala a, Behrouz Tork Ladani a, Fariba Moradi b

aFaculty of Computer Engineering, University of Isfahan, Hezar Jerib Avenue, Isfahan 81746-73441, Iran.bFaculty of Computer Engineering, Hamedan University of Technology, Hamedan, Iran.

A R T I C L E I N F O.

Article history:

Received: 16 March 2016

Revised: 04 December 2016

Accepted: 29 October 2017

Published Online: 10 February 2018

Keywords:

RFID, EPC-C1G2 Standard,Mutual Authentication,

Impersonation,

De-Synchronization.

A B S T R A C T

Design of secure authentication solutions for low-cost RFID tags is still an open

and quite challenging problem, though many protocols have been published in

the last decade. In 2013, Wei and Zhang proposed a new lightweight RFID

authentication protocol that conforms to the EPC-C1G2 standard and claimed

that the protocol would be immune against all known attacks on RFID

systems. In this paper, we consider the security of this protocol and show

that it cannot provide secure authentication for RFID users. An attacker, by

following our suggested approach, will be able to impersonate server/reader,

and destroy synchronization between the back-end server and the tag. Finally,

we enhance this protocol, and by using formal and informal security analysis

we show that the enhanced protocol strongly inhibits the security flaws of its

predecessor.

c© 2016 JComSec. All rights reserved.

1 Introduction

Radio Frequency Identification (RFID) is a promisingnew technology that is widely deployed for supplychain and inventory management, retail operationsand more generally, automatic identification. An RFIDtag is small and low-cost, and a large number ofRFID tags can be simultaneously recognized withradio frequency communication. Therefore, the RFIDsystem is expected to replace the current barcodesystem. Generally, the advantage of RFID overbarcode technology is that it does not require directline of sight reading. Furthermore, compared withbarcode readers, RFID readers can interrogate tagsconcurrently, faster and at greater distances [1, 2].

∗ Corresponding author.

Email addresses: fereidoun.moradi@eng.ui.ac.ir

(F. Moradi), h.mala@eng.ui.ac.ir (H. Mala),

ladani@eng.ui.ac.ir(B. Tork Ladani),fariba.mrd@gmail.com(F. Moradi)

ISSN: 2322-4460 c© 2016 JComSec. All rights reserved.

However, RFID system has two fatal security risks;the privacy problem [1] and the forgery problem [2, 3].These problems are results of hardware specificationsof this system, characteristics of the tag information,method used to transfer the information from the tagto reader, and communication attributes. They can beeasily solved if the proper cryptographic algorithmsare applied during communication between the tagand the reader [3, 4]. However, as a tag is small andlow-cost, its hardware resources are inadequate toimplement traditional cryptographic algorithms onRFID tags [1]. There are many researches aiming tosolve the privacy and forgery problems with RFIDsystem characteristics [5–7].

EPCglobal is an organization set up to achieveworldwide adoption and standardization of ElectronicProduct Code (EPC) technology. Currently, its mainfocus is to both create a worldwide standard for RFIDand to facilitate using the internet to share datavia the EPCglobal network. It has recently approved

164 Security Analysis of an EPC Class-1 Generation-2 Compliant RFID . . . — F. Moradi, H. Mala, et al.

the EPC Class 1 Gen 2 (EPC-C1G2) standard forRFID deployments [8]. This standard defines thefunctionality of a passive RFID tag, and supportsbasic reliability guarantees, provided by an on-chip16-bit pseudo-random number generator (PRNG)and a 16-bit Cyclic Redundancy Code (CRC). Thisstandard is designed to strike a balance between costand functionality, with less attention paid to security.

The security level of EPC-C1G2 standard is veryweak. Aiming to increase this security level, manyproposals have been published [9–12]. However, almostall of them were soon followed by cryptanalysisattacks [13–16]. In this paper, we show how Wei andZhang’s scheme [17] suffers the same fate as previousproposals. We will call this protocol WZ-LRAP(Wei and Zhang’s Lightweight RFID AuthenticationProtocol).

The rest of the paper is organized as follows. Therelated works is reviewed in Section 2. Wei andZhang’s protocol is briefly described in Section 3. Theproperties of CRC functions are studied in Section 4.We present our attacks in Section 5. In Section 6, wepropose a modification to WZ-LRAP and its securityis formally verified using BAN logic. Finally, the paperis concluded in Section 7.

2 Related Works

In this section, we briefly review some attempts to raisethe security level of authentication schemes related toEPC-C1G2 authentication protocols.

In 2007, Chien et al. proposed an authenticationsolution which heavily relied on the abuse of CRC [18].However, Peris-Lopez et al. showed that the protocolcannot resist to tag impersonation, de-synchronizationattacking and location tracking [19]. This way, theirprotocol not only is vulnerable to such attacks, butalso does not provide tag privacy.

Duc et al. proposed an RFID authenticationprotocol in EPC platform [20]. The security of Duc etal.’s protocol is based on key synchronization betweentags and back-end server. The last message of theprotocol is comprised of an EndSession command,which is sent to both tags and readers. Interception ofone of these messages will cause a synchronization lossbetween the tag and the server. This situation allowsan attacker to trace back all past communications.

Chen and Deng proposed a mutual authenticationscheme by using PRNG and CRC functions. Theirprotocol tried to apply CRC as a cryptographic hashfunction for message authentication [21]. However,Peris-Lopez et al. exploited the linearity of CRCfunction to show that the protocol fails to provide its

security objectives [13].

Yeh et al. proposed an RFID mutual authenticationprotocol conforming to the EPC-C1G2 standard [9].The information transmitted between reader andback-end server may also be eavesdropped andintercepted by the attacker in actual environment.Thus, the protocol applied a one-way hash function toguarantee the communication security between readerand back-end server. However, it was pointed out thatthe protocol has data integrity problem and forwardsecrecy problem [22].

In 2012, Yi et al. analyzed the security of Chien’sauthentication protocol [18] and proposed an improveddesign based on a set of clear security requirements [11].But, Safkhani et al. scrutinized the protocol andshowed a simple approach to de-synchronize protocol’sparties. Moreover, they presented a tag and readerimpersonation attack with negligible associatedcomputational requirements [14].

In 2015, Yu-Jehn studied Chien and Chen’s protocoland proposed a new mutual authentication scheme forEPC-C1G2 RFID tags [23]. But, Yu-Jehn missed thesenotes including definition of a new and randomizedquantity as a secret value and wiping the similaritybetween the transmitted messages. Soon after in 2016,Ghaemmaghami et al. [24] showed that the proposedprotocol does not provide privacy and the scheme issusceptible to traceability attack. Then, in order toenhance the privacy of the protocol, they presentedan improved version to prevent the mentioned attack.

In 2016, Abdolmaleki et al. [25] cryptanalyzed anRFID mutual authentication scheme which had beenproposed by Xiao et al. [26]. They first presentedfour attacks against this protocol including secretparameters reveal, tag impersonation, backwardtraceability and forward traceability. Then, theyproposed an efficient and secure RFID authenticationprotocol.

In 2017, through applying the Ouafi-Phan privacymodel [27] Abdolmaleki et al. [28] revealed someweaknesses and presented various traceability attackson the privacy of three RFID authentication protocolsproposed by Wang et al. [29], Safkhani et al. [30],and Sun-Zhong [31]. Abdolmaleki et al. pointed outthat these protocols suffer from two main problemsof dependency between tag’s responses and updatingprocedure. Then, in order to overcome the existingweaknesses of these protocols, they applied somemodifications and proposed an improved version ofeach one.

Eyad Taqieddin [32] provided a new investigation ofthe improper use of CRC function for cryptographicpurposes in RFID systems which presents full

July 2016, Volume 3, Number 3 (pp. 163–174) 165

disclosure attacks against Gao et al. scheme [33]and then offers suggestions for designing more secureprotocols.

3 Wei and Zhang’s Protocol

In 2013, Wei and Zhang [17] proposed WZ-LRAP as anEPC-C1G2 authentication protocol. We will outlinethe WZ-LRAP in brief, which consists of two phases:the initialization phase and the authentication phase.The definitions of notations used by authors are shownin Table 1 and Figure 1 depicts the protocol steps.

Initialization Phase: For each tag Ti theback-end server randomly selects metaIDi, K1

i ,K2

i . The back-end server maintains a recordof (metaIDiold,K

2iold,metaIDinew, K2

inew). A Flagvalue is used to indicate whether the old or the newsecret parameters are used. The value K1

i is sent tothe reader cache, and it is the same for all tags.

Authentication Phase: The authenticationbetween the tag (Ti), the back-end server (S ) and thereader (R) is described as follows.

(1) R→ Ti : Query,Nr

The reader generates a random number Nr andsends a request message to the tag.

(2) Ti → R : M1, N ||(Nt ⊕ [K1i ]L)

The tag Ti generates the random number Nt,computes N = CRC([K1

i ]R||Nr) ⊕ Nt andM1 = [CRC(K2

i ||(Nr⊕Nt))||CRC(K2i ||Nt)]⊕

metaIDi and sends the message M1, N ||(Nt ⊕[K1

i ]L) to the reader R.

(3) R→ S : M1, Nt, Nr

After receiving the message by the reader,it decrypts Nt ⊕ [K1

i ]L to obtain Nt, andcomputes the value N ′ = CRC([K1

i ]R||Nr)⊕Nt

and checks whether N ′ = N or not. If itholds, the reader transmits the message(M1, Nt, Nr) to the back-end server, otherwisethe authentication process is stopped.

(4) S → R : M2

The back-end server gets (M1, Nt, Nr), theniteratively picks up an entry (metaIDiold,K

2iold,

metaIDinew,K2inew) from its database,

computes the value M ′1 and checks whether itequals to the received M1 or not. The process isrepeated until a match is found in the database,thus implying a successful authentication of thetag. If no match is found, the authenticationfails. The back-end server performs the followingsteps at the same time.

• If Flag=1, the match record is(metaIDinew,K

2inew). Then it

computes M2 = [CRC(K2inew||Nt)||

CRC(K2inew||Nr)]⊕ metaIDinew , and

updates the secret parameters of tag Ti asfollows:

−metaIDiold ← metaIDinew

−K2iold ← K2

inew

−K2inew ← PRNG(K2

inew)⊕Nt

−metaIDinew ← PRNG(metaIDinew)||CRC(metaIDinew)⊕Nt ⊕Nr

• If Flag=0, it does not change(metaIDiold,K

2iold), computes M2 and

updates (K2inew, metaIDinew) of tag Ti.

−K2inew ← PRNG(K2

inew)⊕Nt

−metaIDinew ← PRNG(metaIDinew)||CRC(metaIDinew)⊕Nt ⊕Nr

Finally, the back-end server sends the messageM2 to the reader.

(5) R→ Ti : M2

Upon receiving M2, the tag verifieswhether the equation M2 ⊕ metaIDi =[CRC(K2

i ||Nt)||CRC(K2i ||Nr)] holds. If so, it

updates K2i and metaIDi.

4 Cyclic Redundancy Codes (CRCs)

CRCs are error-detecting codes that check(non-malicious) errors caused by faults duringtransmission. They are additive operators withstrong linearity aspects (the modulo operatoris homomorphic), and therefore its use as acryptographic tool is not appropriate [34].

Definitions and Notations.

Let A be an m-bit string in {0, 1}m , A =Am−1||Am−2|| . . . ||A0. We define A�n as the m + nbit string A′ resulting from left-shift of A by n-bitsand inserting n zeros from the right [13, 35].

A′i =

0

Ai−n

for

for

0 ≤ i ≤ n− 1

n ≤ i ≤ n + m− 1

Let B be an n-bit string in {0, 1}n, where n ≤ m .We define the exclusive-OR operation A⊕B = B⊕Aas follows:

(A⊕B)i =

Ai ⊕Bi

Ai

for

for

0 ≤ i ≤ n− 1

n ≤ i ≤ m− 1

166 Security Analysis of an EPC Class-1 Generation-2 Compliant RFID . . . — F. Moradi, H. Mala, et al.

Table 1. Notations

Symbol Description

Nr 16-bit random number generated by the reader.

Nt 16-bit random number generated by the tag.

K1 32-bit key shared by the reader and the tag.

K2 16-bit key shared by the tag and the back-end server.

metaID 32-bit ID pseudonym shared by the tag and the back-end server.

metaIDold,K2old The previous values of metaID and K2 before update.

metaIDnew,K2new The values of metaID and K2 after update.

⊕ The bitwise XOR operation.

|| The concatenation operation.

B ← A Assigning the value of A to B.

[x]L/R The left/right half part of the string x.

CRC() The Cyclic Redundancy Code (CRC) function with 16-bit output length.

PRNG() The pseudo random number generator with 16-bit output length.

rQuery, N

1t L1 iM ,N || (N [K ] )r t1 ,M ,N N

2M

❶

❷❸

❹ ❺

RS T

2M

Figure 1. Wei and Zhang’s Lightweight RFID Authentication Protocol

Due to the linearity, CRCs have the followingproperties. Let A be any bit string and B be n-bitstring. Then, as proved in [13, 35], CRC satisfies thefollowing properties.

CRC(A⊕B) = CRC(A)⊕ CRC(B) (1)

CRC(A||B) = CRC(A�n)⊕ CRC(B) (2)

We will take advantage of these properties forattacking WZ-LRAP.

5 Vulnerabilities of Wei and Zhang’sProtocol

In this section, we present concrete attacks toWZ-LRAP. We use the standard Dolev-Yao intrudermodel [36], in which the adversary controls the”network”. In this model, the adversary can

eavesdrop, block, modify, and inject messages in anycommunication between reader and tag. However,the channel between back-end server and reader isassumed to be secure, which can be guaranteed byusing full-fledged cryptographic technologies.

5.1 Server/Reader Impersonation Attack

We show that an active adversary can impersonatea legitimate server/reader to a tag in WZ-LRAPeven when the adversary has no access to any of thetag’s secrets. The detail of this attack is given below.In this case we focus on message M2, generated bythe back-end server. The adversary should be ableto generate this message in order to impersonatethe legitimate server/reader. For the adversary, it isenough to listen an iteration between a legitimate tagand the reader in order to exploit this vulnerability.

July 2016, Volume 3, Number 3 (pp. 163–174) 167

(1) R→ Ti : Query,Nr

(2) Ti → R : M1, N ||(Nt ⊕ [K1i ]L)

(3) R→ S : M1, Nt, Nr

(4) S → R : M2

(5) R→ Ti : M2

The adversary has to block or disturb radio channelto obstruct the correct reception of message 5. Theobjective of this is to prevent the legitimate tagfrom updating its K2

i and metaIDi. At this moment,the adversary could supplant the back-end serverwithout knowing its private information. It choosesthe random number Nr from previous session, andsends it to the tag. The tag generates a randomnumber N ′t and replies with M ′1, N

′||(N ′t ⊕ [K1i ]L).

Then, the adversary using the eavesdropped values(Nr,M

′1,M2), calculates a new value M ′2 = [M ′1]L ⊕

CRC(Nr)||[M2]R, and sends it to the tag. Finally, thetag accepts M ′2 and authenticates the adversary.

We now prove that the tag will accept M ′2and the adversary will impersonate as a legitimateserver/reader. The adversary knows the followingvalues,

M ′1 = [CRC(K2i ||(Nr ⊕N ′t))||CRC(K2

i ||N ′t)]⊕metaIDi

M2 = [CRC(K2i ||Nt)||CRC(K2

i ||Nr)]⊕metaIDi

Thus, by using CRC properties shown in previoussection iteratively, the following equations hold. Fromproperty (2), we can observe that

M ′1 = [CRC(K2i�16)⊕ CRC (Nr ⊕N ′t)

||CRC(K2i�16)⊕ CRC(N ′t)]⊕metaIDi

and, using the property (1), it is easy to see

M ′1 = [CRC(K2i�16)⊕ CRC(Nr)⊕ CRC(N ′t)

||CRC(K2i�16)⊕ CRC(N ′t)]⊕metaIDi.

Furthermore, the following result can be achieved byseparating the metaIDi into two parts.

M ′1 = [CRC(K2i�16)⊕ CRC(Nr)⊕ CRC(N ′t)

⊕ [metaIDi]L||CRC(K2i�16)⊕ CRC(N ′t)

⊕ [metaIDi]R]

In the same as above via the property (1) and (2), wecan rewrite M2 equation as follows.

M2 = [CRC(K2i�16)⊕ CRC(Nt)⊕ [metaIDi]L

||CRC(K2i�16)⊕ CRC(Nr)⊕ [metaIDi]R]

Since adversary knows Nr, it can calculate CRC(Nr)by definition of CRC. From this value and followingequations,

[M ′1]L = CRC(K2i�16)⊕ CRC(Nr)⊕ CRC(N ′t)

⊕ [metaIDi]L

[M ′1]R = CRC(K2i�16)⊕ CRC(Nr)⊕ [metaIDi]R

[M2]L = CRC(K2i�16)⊕ CRC(Nt)⊕ [metaIDi]L

[M2]R = CRC(K2i�16)⊕ CRC(Nr)⊕ [metaIDi]R

it can calculate

M ′2 = [M ′1]L ⊕ CRC(Nr)||[M2]R

= [CRC(K2i�16)⊕ CRC(N ′t)⊕ [metaIDi]L

||CRC(K2i�16)⊕ CRC(Nr)⊕ [metaIDi]R]

= [CRC(K2i ||N ′t)||CRC(K2

i ||Nr)]⊕metaIDi

which is the exact value a legitimate server/reader wasexpected to send to the tag. Therefore, the adversarycan successfully impersonate the server/reader.

5.2 De-synchronization Attack

Wei and Zhang propose that the back-end servermaintains old and new values {metaIDi,K

2i } for

each tag to defend against a de-synchronization.This assumption allows the back-end server toauthenticate tags and re-synchronize these tags eachtime they suffer a de-synchronization. However, ourimpersonation attack described in Section 5.1. resultsin synchronization loss between the back-end serverand the tag due to update of the secret informationof the tag.

The adversary forces the tag to update its secret valuesuch that it does not match the value that back-endserver has stored in its database. The tag uses N ′t toupdate K2

i and metaIDi as follows.

K2i ← PRNG(K2

i )⊕N ′tmetaIDi ← PRNG(metaIDi)||CRC(metaIDi)

⊕N ′t ⊕Nr

Therefore, after the tag updates its secret parameters,the updated values K2

i and metaIDi of the tagwill be different to the corresponding parametersstored in the database of the back-end server. Thus,de-synchronization happens, and the tag and theback-end server will not authenticate each otheranymore.

6 Countermeasure for the SecurityVulnerabilities on WZ-LRAP

We now describe a countermeasure for WZ-LRAPto overcome the flaws mentioned in the previoussections and other attacks in the context. Themain weakness of the protocol is that thecomputational similarity between M ′1 = [CRC(K2

i ||(Nr ⊕ N ′t))||CRC(K2

i ||N ′t)] ⊕ metaIDi and M2 =

168 Security Analysis of an EPC Class-1 Generation-2 Compliant RFID . . . — F. Moradi, H. Mala, et al.

[CRC(K2i ||Nt)||CRC(K2

i ||Nr)]⊕metaIDi gives theadversary an opportunity to forge a valid M ′2 withoutknowing the secret values K2

i and metaIDi.

The structure of messages should be altered inorder to switch the complexity over the reader andthe back-end server which is equipped with strongerprocessors and also to provide quick and reasonableassurance of the integrity of messages delivered.CRC is an easily reversible function, which makesit unsuitable for use in cryptographic operations.Following this fact, we should try to reduce the numberof calls to this function on the tag side and change theconstruction to protect secret values from revealing.

To prevent the given de-synchronization andserver/reader impersonation attacks, we make somechanges in generating messageM1, that is generated bythe tag. First, the structure of this message is changedto apply PRNG function in the places where theCRC functions are used. This alteration eliminates themessages similarity in authentication process but stillit is feasible for an adversary to mount exhaustive keysearch on this construction. Therefore, for inhibition ofthis weakness we consider second operational changeto supplant inner concatenation operations with theexclusive-OR. Mainly, using PRNG function withexclusive-OR as its input operation does not contradictwith each other. PRNG function does not havelinearity properties so it can be used as a one-wayfunction, therefore the following definition of M1 canwipe out the aforementioned attacks.

M1 = [PRNG(K2i ⊕Nr)||PRNG(K2

i ⊕Nt)]

⊕metaIDi

6.1 Security Analysis

Here, we present a detailed security analysis ofthe proposed modifications to show that it meetsresistance against the attacks presented in this paperand the other known active and passive attacks in thecontext. Our security proof is carried out based oninformal method relying on the heuristic opinions ofsecurity experts and also the formal method relyingon the mathematical rules to draw a conclusion.

Informal method mainly relies on intelligence ofanalyst. Since the analyst may forget or ignore somepoints during the analysis, so there is no way tounderstand if the analysis is complete or not. However,due to its simplicity and lack of need for sophisticatedtools, the informal methods are widely used in theprotocol security analysis.

In the formal method, the target protocol andits features are modeled based on algebra andlogic. Several logic tools exist to prove the security

correctness of a cryptographic authentication protocol,for example, BAN logic [37], GNY logic [38], AVISPAtool [39], and ProVerif tool [40].

Furthermore, there are limitations in formalizingsecurity notions of cryptographic protocols whichare practical and useful in real-life setting. Forexample, de-synchronization is needed for practicalsense for cryptographic protocols, while we cannoteasily formalize this property. Thus, we combine thesetwo informal and formal methods to prove the securitycorrectness.

In this subsection, first we argue the securityimprovement through informal method then weuse BAN logic for modeling to prove the securitycorrectness of the revised protocol.

Resistance against Replay Attack.

In the revised scheme, the message M1 like otherthe authentication messages (i.e. M2, and N) iscomputed with the random numbers, which providesfreshness and resistance against replay attack.

Resistance against Tag Impersonation Attack.

The resistance of WZ-LRAP against tagimpersonation attack arises from this fact that thetag’s information (metaID and K2) is stored in theback-end server, which is assumed to be secure, andthis assumption that the communication channelbetween the back-end server and the reader is secure.Therefore, an adversary is not able to access theinformation of a tag which is stored in the back-endserver.

On the other hand, the adversary, who wants toimpersonate the valid tag, must be able to completethe authentication steps successfully. It needs torespond to the reader with a valid M1 which iscomputed on the basis of the shared secret keys K2

and metaID. Thus, it is not possible for the attackerto compute a valid M1 without knowing secret valuesof K2 and metaID.

Resistance against Server/Reader ImpersonationAttack.

In the revised scheme, through messagetransformation (PRNG generated message) suchas M1 or transmitting scrambled bits (XOR-ed)the revised scheme data security is achieved. Inaddition, M1 and M2 involve at least two secret values(metaID and K2) that are well protected againsteavesdroppers. Among the mutual communicationperiod, anonymity of the tags can be provided sinceonly transformed messages and valid random numbersare broadcasted. Hence, adversary cannot easily

July 2016, Volume 3, Number 3 (pp. 163–174) 169

impersonate the server/reader. The best strategy forthe adversary to impersonate the server/reader couldbe sending a random value to the tag. However, sincethe tag has only one record of the secret parameter,the adversary’s success probability in each try isbounded by 2−16.

Resistance Against De-synchronization Attack.

De-synchronization attack against WZ-LRAPhappened after the adversary succeeded to imposeinvalid random number on the tag for updatingparameters. This flaw is based on the linear property ofCRC function which is fixed by using PRNG functionin using M1.

Moreover, employment of a combined processoriented mechanism (flag = 0 or flag = 1) inupdating the shared secret keys makes parties remainin synchronized state even if the previous session isnot safely terminated. This design allows a tag withnon-synchronized keys due to de-synchronizationattack, to be still authenticated by the back-endserver and re-synchronize its secret data with theserver database.

Resistance Against Traceability Attack.

Traceability attack against WZ-LRAP isaccomplished based on this fact that an adversarycan link two different sessions of a tag. WZ-LRAPguarantees tag privacy by refreshing the secret andthe random number in tag for each session. Hence,adversary cannot easily trace a specific tag since thereare no consistent clues revealed in each tag response.Furthermore, due to the freshness of random numbersNr and Nt per session, our scheme can resist thereplay attack.

6.2 Formal Logic Proof

Following, we use BAN logic to prove the securitycorrectness of the revised scheme. We formally showthat after one run of the protocol, the tag, the reader,and the server believe the received messages arefrom the expected sender, and these messages arefresh. Hence, they can be authenticated by each otherproperly. To prove the security of a protocol formallywith BAN logic, the following four steps should befollowed [37]:

a) The messages and the actions of the protocol partiesshould be represented by mathematical relations.

b) The messages and the actions of the protocolparties should be converted into BAN logic formulasand dropping the plain text messages from protocolmessages. In this step, the resulting protocol messages

are called idealized messages.

c) The protocol initial assumptions and security goalsshould be explained as BAN logic formulas.

d) Finally, the protocol security goals should bededuced. In this step, using BAN logic rules, it isevaluated whether protocol security goals are satisfiedor not.We present only principle rules and notations inTable 2 which are used in our proof.

a) Expression of the revised scheme messages asmathematical relations.

M1 : R→ Ti : Query,Nr

M2 : Ti → R : [PRNG(K2i ⊕Nr)||PRNG(K2

i ⊕Nt)]

⊕metaIDi,

[CRC([K1i ]R||Nr)⊕Nt]||(Nt ⊕ [K1

i ]L)]

M3 : R→ S : [PRNG(K2i ⊕Nr)||PRNG(K2

i ⊕Nt)]

⊕metaIDi, Nt, Nr

M4 : S → R : [CRC(K2i ||Nt)||CRC(K2

i ||Nr)]

⊕metaIDi

M5 : R→ Ti : [CRC(K2i ||Nt)||CRC(K2

i ||Nr)]

⊕metaIDi

b) Messages idealization.In this step, we transform each message into anidealized message, such as plaintexts are omittedfrom protocol messages, and only encrypted messagecontents are relevant to this step. We also useBAN logic notations for representing these idealizedmessages as follows.

IM1 : R / {{Nr}K2i, {Nt}K2

i}metaIDi

IM2 : R / {Nt}[K1i]L

IM3 : S / {{Nr}K2i, {Nt}K2

i}metaIDi

IM4 : Ti / {Nr, Nt,K2i }metaIDi

c) Initial assumptions and security goals.The explicit assumptions of the revised protocol areshown in the succeeding text.

A1 : S| ≡ TiK2

i←→S

A2 : Ti| ≡ SK2

i←→Ti

A3 : Ti| ≡ RK1

i←→Ti

A4 : R| ≡ TiK1

i←→R

A5 : S| ≡ TimetaIDi←→ S

A6 : Ti| ≡ SmetaIDi←→ Ti

A7 : Ti| ≡ #(Nt)A8 : R| ≡ #(Nr)

The assumptions A1 to A6 are related to secretswhich are shared between the protocol parties andthe assumptions A7 and A8 are related to freshness of

170 Security Analysis of an EPC Class-1 Generation-2 Compliant RFID . . . — F. Moradi, H. Mala, et al.

Table 2. Principles and Notations

Principles and Notations Meaning

P /MSG1 : P receives MSG1 (possibly after doing some decryption).

P | ∼MSG1 : P sends MSG1.

#(X) : X is fresh.

P | ≡ #(MSG1) : P believes the freshness of MSG1.

{X}K : Message X is encrypted with the key of K.

P | ≡ PK↔Q : P believes the secret K is shared between P and Q.

R1 :P | ≡ P

K↔Q,P / {X}KP | ≡ Q| ∼ X

: The message meaning rule of BAN logic that means if P believesthat it shares a secret key K with and if P receives a message Xencrypted with K, then P is entitled to believe that Q once said

X. In this paper we called this rule R1.

R2 :P | ≡ Q| ∼ {X,Y }P | ≡ Q| ∼ {X}

: This is one rule of BAN logic that means if P believes Q has sentX,Y then P is entitled to believe that Q has sent X. In this paper

we called this rule R2.

random numbers which are generated by the readerand the tag respectively. The goals of the proposedscheme are as below.

G1 : S| ≡ Ti| ∼ Nt

G2 : Ti| ≡ S| ∼ Nr

In the above, G1 means that the server believesthe tag Ti has sent the random number Nt. This goalshows that the adversary does not have any control onthis random number, which was generated by the tagand sent through the reader to the server. Therefore,the adversary cannot apply any attack on the protocolthat requires any change on the random number.

G2 means that the tag believes that Nr, which isgenerated by the reader, is transmitted to the tagwithout any modification. In other words, at the endof the last step of this protocol run, this randomnumber reach to the tag without any tampering bythe adversary.

d) Goals deductions.In this step, we combine idealized messages and theassumptions to construct numerator expressions ofBAN logic rules. If such relations are correspondedto the numerator expressions of BAN logic rules, itcan be concluded that the denominator expressions ofBAN logic rules are correct. We show these deductionsas below.

D1:IM3, A5, R1⇒ S| ≡ Ti| ∼ {{Nr}K2i, {Nt}K2

i}

D2:D1, R2⇒ S| ≡ Ti| ∼ {Nt}K2i

As the IM1 and IM3 show, the encrypted messagesare delivered directly to the server through the readerin the secure communication channel. Therefore, thefinal result of D2 is S / {Nt}K2

i.

D3:D2, A1, R1⇒ S| ≡ Ti| ∼ Nt

It is obvious that D3 is equals to G1. Similarly, wehave following deductions to reach G2.

D4: IM4, A6, R1⇒ Ti| ≡ S| ∼ {Nr, Nt,K2i }

D5:D4, R2⇒ Ti| ≡ S| ∼ Nr

Finally, it also deduced that D5 is equals to G2.Hence, the security goals of the revised scheme, aresatisfied.

6.3 Performance Analysis

The proposed modification does not increasecomputational cost of the protocol extensively whileit provides much better security. It has only one moreexclusive-OR operation on the both side because ofreducing the number of concatenation operation. Theonly increased cost is two calls of PRNG functioninstead of CRC function. Table 3 shows performancecomparison between WZ-LRAP and revised schemein detail.

Now, we analyze the efficiency of our revised schemethrough comparing it with Ghaemmaghami et al. [24]and Abdolmaleki et al. [25, 28] protocols which arebased on the same framework. They succeeded inomitting the vulnarability of likeness between thetransmitted messages and removed drawbacks in theupdating procedure.

As shown in Table 4, Ghaemmaghami et al. [24]and Abdolmaleki et al. [25, 28] protocols store 4nand 3n parameters in the tag memories. Our revisedscheme stores 3n parameters that is an efficientvalue in storage areas. It is also shown that ourcountermeasure impacts the protocol to involve CRCbesides PRNG function on the tag side. On thepoint of implementation, these functions can employLFSR-based operations in the same hardware.

July 2016, Volume 3, Number 3 (pp. 163–174) 171

Table 3. Performance Comparison

Server/Tag of Protocols #PRNG #⊕ #CRC #|| #Transferedbits

Server of WZ-LRAP 2 6n 5 7 n

Server of Revised Scheme 4 7n 3 5 n

Tag of WZ-LRAP 2 8n 6 9 2n

Tag of Revised Scheme 4 9n 4 7 2n

n denotes the bit length of parameters.

Table 4. Comparison of Revised Scheme With Similar Ones

Protocols Comp. of TagComp. of

Server/ReaderStorage of Tag

Storage of

Server/Reader

Rounds of

Communication

[24] 6P 7P + 2H 4n 9n 5

[25] 7P 7P + 4H 4n 9n 5

[28] 6P 7P 3n 5n 3

This scheme 4P + 4CRC 4P + 3CRC 3n 4n 4

n denotes the bit length of parameters. H: Hash function. P : PRNG function.

Indeed, the idea of using linear feedback shiftregisters (LFSR) in the construction of cost-effectiveoperations for RFID tags is widely suggested [41].

LFSR functions are fast and efficient in hardwareimplementations as well as simple in terms ofcomputational requirements. Therefore, the mainfunctions of the revised scheme are able to executeLFSR-based functions in the same hardware and aresuitable for RFID applications.

The required hardware complexity of low-costtags is considered by its number of equivalent logicgates (GEs). Based on the measurements presentedby [42, 43], the number of GEs for LFSR-based PRNGis about 453 because of implementing polynomialselector and decoding logic modules. In addition,LFSR can be measured with approximately 73 GEs.LFSR along with a few logic gates are used to obtainCRC. This scheme versus the similar protocols holdsfour calls of CRC rather than PRNG. Hence, theenergy consumption for operating functions of thisscheme is almost 1.5 times lower than other comparingprotocols.

In terms of communication rounds, our revisionassures a secure performance without increasingrounds rather than WZ-LRAP scheme. In allmentioned protocols, three of these rounds are relatedto connection between the reader and the tag, whileothers are associated to connection between the readerand the back-end server. Reducing the computationalcost of the tag is the goal for designing improvedauthentication protocols. Therefore, this scheme has

low communication complexity and computationalcost.

7 Conclusions

In this paper we investigated the security of alightweight RFID authentication protocol compliantwith EPC-C1G2 which has been proposed by Weiand Zhang [17]. We proved that, in contrary tothe designers claim, this protocol does not provideresistance against server/reader impersonation andde-synchronization attacks. We showed that thesecurity weaknesses are due to the abuse of the CRCincluded in protocol and computational similaritybetween transferred messages. In addition, weproposed a modification of this protocol to withstandthe attacks presented in this paper. We also analyzedthe security properties of the proposed protocol aswell as its efficiency. The proposed scheme also wascompared with the original WZ-LRAP and two othersimilar protocols.

References

[1] Ari Juels. RFID security and privacy: aresearch survey. IEEE Journal on SelectedAreas in Communications, 24(2):381–394, 2006.doi:10.1109/JSAC.2005.861395. URL https://

doi.org/10.1109/JSAC.2005.861395.[2] Tassos Dimitriou. A lightweight RFID protocol to

protect against traceability and cloning attacks.

172 Security Analysis of an EPC Class-1 Generation-2 Compliant RFID . . . — F. Moradi, H. Mala, et al.

In Security and Privacy for Emerging Areas inCommunications Networks, 2005. SecureComm2005. First International Conference on, pages59–66. IEEE, 2005.

[3] Jeongkyu Yang, Jaemin Park, Hyunrok Lee, KuiRen, and Kwangjo Kim. Mutual authenticationprotocol. In Workshop on RFID and lightweightcrypto, 2005.

[4] Sanjay E Sarma, Stephen A Weis, Daniel WEngels, et al. RFID systems and security andprivacy implications. In CHES, volume 2, pages454–469. Springer, 2002.

[5] Yung-Chin Chen, Wei-Lin Wang, and Min-ShiangHwang. RFID authentication protocol foranti-counterfeiting and privacy protection. InAdvanced Communication Technology, The 9thInternational Conference on, volume 1, pages255–259. IEEE, 2007.

[6] Y-C Lee, Y-C Hsieh, P-S You, and T-C Chen. Animprovement on RFID authentication protocolwith privacy protection. In Convergence andHybrid Information Technology, 2008. ICCIT’08.Third International Conference on, volume 2,pages 569–573. IEEE, 2008.

[7] Jung-Sik Cho, Sang-Soo Yeo, and Sung KwonKim. An analysis of RFID tag authenticationprotocols using secret value. In Future GenerationCommunication and Networking (FGCN 2007),volume 1, pages 482–487. IEEE, 2007.

[8] EPCglobal Ratified Standard. EPCRadio Frequency Identity Protocols Class-1Generation-2 UHF RFID Protocol forCommunications at 860MHz-960MHz Version1.0. 9. EPCglobal, US, 2005.

[9] Eun-Jun Yoon. Improvement of the securingRFID systems conforming to EPC class 1generation 2 standard. Expert Systems withApplications, 39(1):1589–1594, 2012.

[10] Tzu-Chang Yeh, Yan-Jun Wang, Tsai-ChiKuo, and Sheng-Shih Wang. Securing rfidsystems conforming to epc class 1 generation 2standard. Expert Systems with Applications, 37(12):7678–7683, 2010.

[11] Xiaoluo Yi, Liangmin Wang, Dongmei Mao,and Yongzhao Zhan. An gen2 based securityauthentication protocol for RFID system. PhysicsProcedia, 24:1385–1391, 2012.

[12] Jing Huey Khor, Widad Ismail, Mohammed IYounis, MK Sulaiman, and Mohammad GhulamRahman. Security problems in an RFID system.Wireless Personal Communications, 59(1):17–26,2011.

[13] Pedro Peris-Lopez, Julio C Hernandez-Castro,Juan ME Tapiador, and Jan CA Van derLubbe. Cryptanalysis of an EPC class-1generation-2 standard compliant authentication

protocol. Engineering Applications of ArtificialIntelligence, 24(6):1061–1069, 2011.

[14] Masoumeh Safkhani, Nasour Bagheri, PedroPeris-Lopez, Aikaterini Mitrokotsa, andJulio C Hernandez-Castro. Weaknesses inanother gen2-based rfid authentication protocol.In RFID-Technologies and Applications(RFID-TA), 2012 IEEE InternationalConference on, pages 80–84. IEEE, 2012.

[15] Pablo Picazo-Sanchez, Lara Ortiz-Martin, PedroPeris-Lopez, and Nasour Bagheri. Weaknesses offingerprint-based mutual authentication protocol.Security and Communication Networks, 8(12):2124–2134, 2015.

[16] Fereidoun Moradi, Hamid Mala, andBehrouz Tork Ladani. Security analysisand strengthening of an RFID lightweightauthentication protocol suitable for VANETs.Wireless Personal Communications, 83(4):2607–2621, 2015.

[17] Guoheng Wei and Huanguo Zhang. A lightweightauthentication protocol scheme for RFID security.Wuhan University Journal of Natural Sciences,18(6):504–510, 2013.

[18] Hung-Yu Chien and Che-Hao Chen. Mutualauthentication protocol for RFID conforming toEPC Class 1 Generation 2 standards. ComputerStandards & Interfaces, 29(2):254–259, 2007.

[19] Pedro Peris-Lopez, Tieyan Li, Julio CHernandez-Castro, and Juan ME Tapiador.Practical attacks on a mutual authenticationscheme under the EPC Class-1 Generation-2standard. Computer Communications, 32(7):1185–1193, 2009.

[20] Dang Nguyen Duc, Hyunrok Lee, and KwangjoKim. Enhancing security of EPCglobalGen-2 RFID against traceability and cloning.Auto-ID Labs Information and CommunicationUniversity, White Paper, 2006.

[21] Chin-Ling Chen and Yong-Yuan Deng.Conformation of EPC Class 1 Generation2 standards RFID system with mutualauthentication and privacy protection.Engineering Applications of ArtificialIntelligence, 22(8):1284–1291, 2009.

[22] Masoumeh Safkhani, Nasour Bagheri,Somitra Kumar Sanadhya, and Majid Naderi.Cryptanalysis of improved Yeh et al.’sauthentication Protocol: An EPC Class-1Generation-2 standard compliant protocol.IACR Cryptology ePrint Archive, 2011:426, 2011.

[23] Yu-Chung Huang and Jehn-Ruey Jiang.Ultralightweight rfid reader-tag mutualauthentication revisited. In Mobile Services(MS), 2015 IEEE International Conference on,pages 166–173. IEEE, 2015.

July 2016, Volume 3, Number 3 (pp. 163–174) 173

[24] Seyed Salman Sajjadi Ghaemmaghami, AfroozHaghbin, and Mahtab Mirmohseni. Traceabilityimprovements of a new RFID protocol based onEPC C1 G2. The ISC International Journal ofInformation Security, 8(2):105–115, 2016.

[25] Behzad Abdolmaleki, Karim Baghery, BaharehAkhbari, and Mohammad Reza Aref. Analysis ofXiao et al.’s authentication protocol conformingto EPC C1 G2 standard. In Telecommunications(IST), 2016 8th International Symposium on,pages 111–116. IEEE, 2016.

[26] Feng Xiao, Yajian Zhou, Jingxian Zhou,Hongliang Zhu, and Xinxin Niu. SecurityProtocol for RFID System Conforming toEPC-C1G2 Standard. JCP, 8(3):605–612, 2013.

[27] Khaled Ouafi and Raphael CW Phan. Privacyof recent rfid authentication protocols. LectureNotes in Computer Science, 4991:263–277, 2008.

[28] Behzad Abdolmaleki, Karim Baghery,Shahram Khazaei, and Mohammad Reza Aref.Game-Based Privacy Analysis of RFID SecuritySchemes for Confident Authentication in IoT.Wireless Personal Communications, 95(4):5057–5080, 2017.

[29] Shaohui Wang, Sujuan Liu, and Danwei Chen.Security analysis and improvement on two RFIDauthentication protocols. Wireless PersonalCommunications, 82(1):21–33, 2015.

[30] Masoumeh Safkhani, Nasour Bagheri, and MajidNaderi. On the designing of a tamper resistantprescription rfid access control system. Journalof medical systems, 36(6):3995–4004, 2012.

[31] Da-Zhi Sun and Ji-Dong Zhong. A hash-basedRFID security protocol for strong privacyprotection. IEEE Transactions on ConsumerElectronics, 58(4), 2012.

[32] Eyad Taqieddin. On the Improper Use of CRCfor Cryptographic Purposes in RFID MutualAuthentication Protocols. International Journalof Communication Networks and InformationSecurity, 9(2):230, 2017.

[33] Lijun Gao, Maode Ma, Yantai Shu, and YuhuaWei. An ultralightweight RFID authenticationprotocol with CRC and permutation. Journal ofNetwork and Computer Applications, 41:37–46,2014.

[34] B Westerbaan. Reversing CRC. Intrepid Blog,Posted Jul, 15, 2005.

[35] Daewan Han and Daesung Kwon. Vulnerability ofan RFID authentication protocol conforming toEPC Class 1 Generation 2 Standards. ComputerStandards & Interfaces, 31(4):648–652, 2009.

[36] Danny Dolev and Andrew Yao. On the securityof public key protocols. IEEE Transactions oninformation theory, 29(2):198–208, 1983.

[37] Michael Burrows, Martın Abadi, and Roger M.

Needham. A Logic of Authentication.ACM Trans. Comput. Syst., 8(1):18–36, 1990.doi:10.1145/77648.77649.

[38] Li Gong, Roger Needham, and Raphael Yahalom.Reasoning about belief in cryptographicprotocols. In Research in Security and Privacy,1990. Proceedings., 1990 IEEE Computer SocietySymposium on, pages 234–248. IEEE, 1990.

[39] AVISPA. avispa tool. Available from, 1thNovember 2016. URL www.avispa-project.

org.[40] Bruno Blanchet and Avik Chaudhuri. Automated

formal analysis of a protocol for secure file sharingon untrusted storage. In Security and Privacy,2008. SP 2008. IEEE Symposium on, pages417–431. IEEE, 2008.

[41] Peng-yu Cui. An Improved Ownership Transferand Mutual Authentication for Lightweight RFIDProtocols. IJ Network Security, 18(6):1173–1179,2016.

[42] Jiageng Chen, Atsuko Miyaj, HiroyukiSato, and Chunhua Su. Improvedlightweight pseudo-random numbergenerators for the low-cost rfid tags. InTrustcom/BigDataSE/ISPA, 2015 IEEE,volume 1, pages 17–24. IEEE, 2015.

[43] Joan Melia-Seguı, Joaquin Garcia-Alfaro, andJordi Herrera-Joancomartı. Multiple-polynomialLFSR based pseudorandom number generatorfor EPC Gen2 RFID tags. In IECON 2011-37thAnnual Conference on IEEE IndustrialElectronics Society, pages 3820–3825. IEEE,2011.

174 Security Analysis of an EPC Class-1 Generation-2 Compliant RFID . . . — F. Moradi, H. Mala, et al.

Fereidoun Moradi received his B.Sc. degree

in Information Technology from PayameNoor University of Hamedan in 2012 and

he received the M.Sc. degree in Information

Security at University of Isfahan in 2015. Hismain research interests include lightweight

cryptography and cryptanalysis, RFIDsecurity, RFID authentication protocols,

IoT security and Data Center Infrastructure

Management.

Hamid Mala received his B.Sc., M.Sc. andPh.D. degrees in Electrical Engineering from

Isfahan University of Technology (IUT) in2003, 2006 and 2011, respectively. He joinedUniversity of Isfahan (UI) in September 2011

as an Assistant Professor in the Departmentof Information Technology Engineering. HisResearch interests include the design and

cryptanalysis of block ciphers, cryptographicprotocols and secure multiparty computation.

Behrouz Tork Ladani holds a bachelor

in Computer Engineering from University of

Isfahan, M.Sc. in Software Engineering fromAmir Kabir University of Technology anda Ph.D. in Software Engineering from the

University of Tarbiat Modarres. Dr. TorkLadani joined University of Isfahan in 2005.His research interests are in the areas ofCryptographic Protocols, Access Control,

Trust, and Formal verification. He is currently member ofexecutive council of Iranian Society of Cryptology (ISC).

Fariba Moradi currently is a B.Sc. student

in Information Technology at Hamedan

University of Technology. His researchinterests include IoT Systems and RFID

Security.