Design Weaknesses in Recent Ultralightweight RFID Authentication Protocols

. In this paper we focus our attention on the design of several recently proposed ultralightweight authentication protocols and show that the underlying methodology is not sound. Indeed, the common feature of these protocols lies in the use of transforms , which are the main building blocks. We analyze these transforms and show that all of them present some weaknesses, which can be essentially reduced to poor confusion and diﬀusion in the input-output mappings. Then, exploiting the weaknesses of the transforms, we describe impersonation attacks against the ultralightweight authentication protocols in which they are used: precisely, RCIA, KMAP, SLAP, and SASI + . On average, an attack requires a constant number of interactions with the targeted tag, compared to the allegedly needed exponential number in the informal security analysis. Moreover, since the weaknesses are in the transforms, the attack strategies we describe can be used to subvert any other protocol that uses the same transforms or closely-related ones.


Introduction
Motivations for the current work.Secure authentication is a well-established research area in cryptography and several good solutions are available and used every day.Unfortunately, for low-cost inexpensive computing elements, like RFID tags, it is quite a challenging problem.These protocols involve two parties: a Reader and a Tag, both of which are small devices.The hardware imposes very strong constraints on the computing capabilities of these elements, especially on the Tag.Hence, standard techniques based on public key cryptography or on symmetric key primitives cannot be employed in the design.
Due to the above constraints, there are two choices: either to give up because it is difficult, or probably impossible, to achieve the security standard we get with other, much more powerful, digital devices, or to try to achieve a reasonable security level also in applications using these cheap computing elements.It goes without saying that they are becoming a crucial end point of smart automated solutions in the so called Internet of Things.Thus, it is desirable to follow the latter option.
However, unfortunately, the current state of knowledge is quite poor: we do not have any impossibility result within a model for such ultralightweight protocols but, at the same time, all ultralightweight authentication protocols, designed according to ad hoc approaches, proposed in the last years, have been shown to suffer several weaknesses of different significance and impact: in many cases the weaknesses have been used to break the protocols.
In some papers warnings have been rised against such solutions.In [3] a full analysis of one of the most representative (at that time) ultralightweight authentication protocol was provided, and in general the limits of such approaches, not based on sound security arguments, were stressed.Moreover recently, in [2], a full guide to the common pitfalls which are usually present in the design of ultralightweight authentication protocols has been provided to designers and practitioners.
As a matter of fact, ad hoc protocols with informal security analyses continue to be presented at a considerable rate and they are broken quickly after publication 1 .Compared to the first protocol proposals of a few years ago, the new feature which almost all newer protocols exhibit, is that some more involved transforms of the data stored in the tag memory are used in order to construct the messages the Reader and the Tag send to each other to be confident of the reciprocal identities.However, as for the earlier protocols, also for these, sort of generation 2.0 ultralightweight authentication protocols, the informal security analyses are based solely on the following, questionable and very weak, conclusion: since the transforms are complex, only the legitimate parties who share the secret keys can produce the correct messages required by the authentication protocol; for the same reason, no adversarial entity, without the secret keys, can be successful with non negligible probability, that is, the best attack that can be applied is to guess the secret keys, which belong to an exponentially large set.In other words the entire security proof, in most cases, reduces to the alleged complexity of the transforms.
Our Contribution.Among the many novel ultralightweight protocols appeared in the literature in the last two years, we concentrated our attention on: KMAP [5], RCIA [6], SASI + [7], and SLAP [4].All these protocols base their security properties upon some transforms.Our attention was caught because they appear to be more structured, compared to other previous proposals.The transforms essentially try to protect their input values by masking them via a processing stage, in which some secret values are involved and elementary operations, allowed by the low-power computational devices, are applied.We have studied such transforms and pointed out that they achieve poor confusion and diffusion.Moreover, exploiting the weaknesses found, we construct impersonation attacks against KMAP, RCIA, SASI+ and SLAP, which reduce from exponential to constant the number of trials needed to an adversary to impersonate the Reader to a Tag.We remark that the results on the transforms can be used to attack any protocol based on them.

Preliminaries: transforms
Let us look at the transforms used in the authentication protocols we are dealing with.Due to lack of space, all proofs are omitted from this abstract.Pseudo-Kasami codes.Pseudo-Kasami codes, used in [5], are defined as follows.Let x = x 1 , . . ., x n be a string of n bits and let s be an integer, called seed, such that 1 ≤ s ≤ n.Let y = CRshift(x, s), where y is obtained from x by a circular right shift of s positions.Then, the pseudo-Kasami code of x is defined as pKc(x, s) = x ⊕ y.Here is an example, where n = 24 and the seed s = 6: The following lemma holds: Lemma 1.Let x = x 1 , . . ., x n be a string of n bits, and let s be a seed for the pseudo-Kasami code pKc(x, s) such that n is a multiple of s.Let x be a new string obtained from x by flipping n/s bits, all at distance s from each other.Then pKc(x, s) = pKc(x , s).
An example helps in understanding the above result.Let us consider the same bitstring x considered before, and let us apply the lemma starting from position j = 2.
x = 110101 100101 111100 000110 y = 000110 110101 100101 111100 pKc(x , s) = 110011 010000 011001 111010 It is easy to check that pKc(x, s) and pKc(x , s) coincide.Let hw(•) denote the Hamming weight of a binary string, i.e., the number of bits equal to one.The following results also hold: Lemma 2. Let x = x 1 , . . ., x n be a string of n bits chosen uniformly at random, and let s be an integer chosen uniformly at random such that 1 ≤ s ≤ n.Moreover, let x be a new string obtained from x by flipping one bit.Then 2n .Lemma 3. Let x = x 1 , . . ., x n be a string of n bits chosen uniformly at random.Let x be a new string obtained from x by flipping two randomly selected bits.Then, for any seed s such that 1 ≤ s ≤ n, it holds that: a) pKc(x, s) and pKc(x , s) are equal with probability 1 (n−1) b) pKc(x, s) and pKc(x , s) differ in two bits with probability n•(n−2) n 2 (n−1) c) pKc(x, s) and pKc(x , s) differ in four bits with probability n 3 −3n+2 Finally, the pseudo-Kasami code transform exhibits the following structural property: Lemma 4. Let x = x 1 , . . ., x n be a string of n bits chosen uniformly at random, and let the seed s be equal to n/2.Then, pKc(x, s) is the concatenation of two equal substrings of n/2 bits.
Recursive Hash.Recursive hash was defined in [6].Let x be a string of n bits, x = b 1 , b 2 , . . ., b n , and let and z be integers such that is a divisor of n and z = n/ .Moreover, let s be an integer value, called seed, such that 1 ≤ s ≤ z.Then, dividing x into z chunks x 1 , . . ., x z of bits each, and denoting with Rot(x, y) a right rotation of the string x by y positions 2 , the recursive hash of x and s, denoted by Rh(x, s) for short, is defined as: That is, each chunk c i of the recursive hash is the ⊕ of chunks x i and x s , except for chunk c s , which is equal to x s right rotated by its Hamming weight.
Let us look at an example: let n = 24 and x = 100100101011110101111110.Moreover, let = 6 and, thus, z = 4.We get: x 4 100100 101011 110101 111110 Let the seed s be equal to 3. The selected chunk is x 3 = 110101 whose Hamming weight is hw(x 3 ) = 4. Hence, the right rotation of x 3 is 010111.The recursive hash Rh(x, s) is: x 4 100100 101011 110101 111110 x 3 replicated 110101 110101 110101 Lemma 5. Let , n and z integers such that is a divisor of n and z = n/ .Moreover, let x = x 1 , . . ., x n be a string of n bits chosen uniformly at random, and x be a new string obtained from x by flipping two randomly selected bits.
Then, for any seed s ∈ {1, . . ., z}, Rh(x, s) and Rh(x , s) differ in two bits with probability equal to .
Notice that the probability function is decreasing in .Since meaningful values of range from 2 to n/2, we have that the minimum value is obtained for = n 2 .Therefore, for = n 2 , it is ≈ 1 4 .Lemma 6.Let , n and z integers such that is a divisor of n and z = n/ .Moreover, let x = x 1 , . . ., x n be a string of n bits chosen uniformly at random, and x a new string obtained from x by flipping two randomly selected bits.Then, for any seed s ∈ {1, . . ., z}, Pr[hw(Rh(x, s)) = hw(Rh(x , s))] is at least .
A simple study of the function (for example with a math program like Maple), shows that it is an increasing function.Since meaningful values of range from 2 to n/2, we have that the minimum value is obtained for = 2.For n = 64 the above probability is ≈ 1  2 .Conversion transform.In [4] the authors introduce the Cnv transform.It takes as input two binary strings of length n, and a threshold t such that 1 ≤ t ≤ n, and produces in output a binary string Cnv(A, B, t) of length n by applying a three-step procedure.More precisely: Step 1 (Grouping).Determine a bit grouping for both A and B. The grouping is a function of the Hamming weight of the string and of the threshold t.Let X = x n x n−1 . . .x 2 x 1 be the binary string to be bit-grouped.The grouping is defined recursively as follows: if the length of X is strictly shorter than t, then the recursion ends; otherwise, the string is split in two groups X L and X R according to its Hamming weight w = hw(X), by letting X L = x n x n−1 . . .x w+1 , the n − w leftmost bits, and X R = x w x w−1 . . .x 1 , the w rightmost bits.Then, the bit grouping procedure is applied recursively to both X L and X R .Let us consider an example.Let n = 24, X = 1011 0101 1111 1101 1101 1101 and t = 6.The Hamming weight of X is hw(X) = 18.Since |X| ≥ 6, the string is split into two substrings, the left one, X 1 , containing the leftmost 24 − 18 = 6 bits, and the right one, X 2 , containing the rightmost 18 bits of X; that is, X 1 = 1011 01 and X 2 = 01 1111 1101 1101 1101.
In the following table we report another example in a more concise form: the vertical lines indicate the splittings of the substrings.The starting string is X = 101101010101110101011111.Step 2 (Rearrangement).Once both A and B have been bit-grouped, the rearrangement phase simply swaps the two groupings, that is, the grouping found for A is applied to B and vice versa.Notice that the groupings might differ both in the number of groups and in the size of each group.Let us continue with an example.We prove the following result: Lemma 7. Given two binary strings A and B of length n, chosen uniformly at random, and a threshold t, with 1 < t ≤ n, if we flip two bits of A in the first t positions to obtain A , then

KMAP
The protocol KMAP, introduced in [5], is a mutual authentication protocol.According to the authors, "KMAP avoids unbalanced logical operations (or, and) and introduces a new ultralightweight primitive, the pseudoKasami code, which enhances the diffusion properties of the protocol messages and makes the Hamming weight of the secrets unpredictable and irreversible".The protocol is also claimed to be "highly resistive against all possible attacks" and efficient in terms of communication cost and computational operations.
In this section we show that this is not the case.By building on the previous analysis of the pseudo-Kasami transform, we construct an efficient impersonation attack.
Protocol description.Tags are identified with a static identifier ID which however is never exposed.Instead, a sequence of changing "pseudonyms" IDS is used.Tag and Reader share the pseudonym IDS and two secret keys, K 1 and K 2 ; these values are updated upon each successful completion of a session of the protocol.To cope with desynchronization attacks, the Tag and the Reader maintain both the current values and the previous ones.If a Tag receives twice the initial "Hello" message (see below), then the first time it replies with the current value of IDS, while the second time falls back to the old value, assuming that there has been a desyncronization with the Reader, which has been unable to recognize the newer value.
Hence, Tag and Reader maintain two triples of values: (IDS cur , K 1,cur , K 2,cur ) and (IDS old , K 1,old , K 2,old ).For the sake of simplicity of notation, sometimes, to save space, we omit the subscript of IDS, K 1 and K 2 when we are referring to the current values IDS cur , K 1,cur and K 2,cur .

Reader Message Tag
Hello The protocol is a four-message protocol whose general structure is shown in Fig. 1: 1.The Reader starts the protocol by sending an "Hello" message; 2. The Tag replies with the current value of the identifier IDS cur ; 3. The Reader checks the received value IDS: if it is equal to IDS cur , then the rest of the computation is performed using K 1 = K 1,cur and K 2 = K 2,cur ; if the received value is equal to IDS old , then the rest of the computation is performed using K 1 = K 1,old and K 2 = K 2,old -that is, the old values become the current ones; otherwise, the protocol is immediately terminated.The Reader performs some computation, computing some temporary values (a seed and two temporary keys K * 1 and K * 2 ), and three sequences of bits, A, B and C, and sends a message consisting of three parts.A, B and C, which are sent to the tag; 4. The Tag checks that the values received are consistent with its own information (if not, the protocol is immediately terminated) and performs some computation to obtain a sequence of bits D, which is sent to the Reader.
Upon completion of a session of the protocol, both the Tag and the Reader update the values of ID and of the keys K 1 and K 2 , storing in (IDS old , K 1,old , K 2,old ) the values of (IDS cur , K 1,cur , K 2,cur ), and updating the latter.The Tag maintains also a failure counter, so that if there are too many unsuccessful attempts, the Tag will stop its funcionality for a while, in order to introduce delays into the attacks 4 .The details of the computation of the messages A, B, C and D are shown in Fig. 2.More specifically, the Reader chooses two random values n 1 and n 2 , and computes their xor P = n 1 ⊕ n 2 and a seed s = hw(P ) mod 64.Then, A is computed by a double rotation of n 1 , the first of a number of positions given by the weight of IDS⊕K 1 , and the second of a number of positions given by the weight of K 2 ; similarly, B is computed by a double rotation of n 2 , the first of a number of positions given by the weight of K 2 ⊕IDS, and the second of a number of positions given by the weight of K 1 ⊕n 1 .The Reader, then, computes two temporary keys, K * 1 and K * 2 , namely K * 1 = Rot(pKc(K 1 , s), pKc(n 1 , s)) ⊕ K 2 ) and K * 2 = Rot(pKc(K 2 , s), pKc(n 2 , s)) ⊕ K 1 ), and, finally, computes C, again with a double rotation, namely C = Rot(Rot(pKc(n 1 , s), pKc(K * 2 ⊕ pKc(n 2 , s)), pKc(K * 1 , s) ⊕ n 2 )).The message consisting of the concatenation of A, B, C is sent to the tag.
The Tag, upon reception of the message A||B||C, extracts the value of n 1 from A, by computing n 1 = Rot −1 (Rot −1 (A, K 2 ), IDS⊕K 1 ), and n 2 from B, by computing n 2 = Rot −1 (Rot −1 (B, K 1 ⊕ n 1 ), IDS⊕K 2 ), then computes P = n 1 ⊕ n 2 , the seed s and the temporary keys K * 1 and K * 2 .At this point, the Tag can compute the value of C * in the same way as the Reader computed C, and compare the computed value C * with the received one C.If they are equal, the Tag completes the protocol by computing and sending D and updating IDS, K 1 and K 2 as detailed in Figure 3. On the other hand, if a mismatch is detected, then the protocol is aborted and the failure counter is incremented.The failure counter is reset when a session of the protocol is successful.Impersonation attack.Analyzing the equations used in the protocol, the following observations hold: Reader chooses n1 and n2 randomly P = n1 ⊕ n2 s= hw(P ) mod 64 1. Flipping two bits of B is equivalent to flipping two bits of n 2 in some unknown positions.2. Let P = n 1 ⊕ n 2 , where n 2 is equal to n 2 up to two flipped bits.Then P is equal to P up to two flipped bits.If the two flipped bits are the complement of each other, i.e., they are 01 or 10 respectively, we have that hw(P ) = hw(P ).Since there are 2 out of 4 bit patterns that satisfy the above, this event occurs with probability 1/2.3.If hw(P ) = hw(P ), the structure of pKc(•, s) does not change since the seed is the same.4. If hw(pKc(n 2 , s)) = hw(pKc(n 2 , s)), then the value K * 2 does not change.5. pKc(K * 1 , s) ⊕ n 2 and pKc(K * 1 , s) ⊕ n 2 differs in two bits.6. hw(pKc(K * 1 , s) ⊕ n 2 ) = hw(pKc(K * 1 , s) ⊕ n 2 ) with probability 1/2, since there are two patterns of bits, i.e., 01 and 10, such that, when flipped, the overall weight of the bitstring stays the same.7. pKc(K * 2 , s) ⊕ pKc(n 2 , s) and pKc(K * 2 , s) ⊕ pKc(n 2 , s) have the same weight with probability at least 3/8, since there are six patterns of four bits out of sixteen such that, when flipped, the overall weight of the bitstring stays the same.
Putting everything together, we can prove the following: Lemma 8. Assume an adversary eavesdrops an authentication session and stores A||B||C.Let B be equal to B up to two bits which are flipped.Then, forcing the Tag to send the old IDS and replying with A||B ||C, the adversary succeeds in impersonating the legal Reader with probability roughly equal to 1  28 .
Thus, a few interactions are sufficient to break the security of the authentication protocol.Notice that, the authors specify that "a protocol message counter has also been integrated in the KMAP which stops the functionality of the Tag for some particular time, if the counter's value exceeds the threshold 8".It means that if the attack does not succeed during the first trials, an extra delay is added due to the temporary stop of the Tag.

RCIA
The protocol RCIA, introduced in [6], is a mutual authentication protocol.It has been designed to "provide robust confidentiality, integrity, and authentication in a cost effective manner".In RCIA, Tags use only three main operations, the bitwise and, or, and bit rotation, and the recursive hash transform scrutinized before.
Protocol description.Since the protocol is very similar to the KMAP protocol, we describe it in a very concise way.The overall structure is the same as the one of KMAP (see Fig. 1): the differences lay in the way the messages A, B, C and D are constructed, and how the pseudonym and the keys are updated.The details of RCIA are described in Fig. 4 and Fig. 5.
We have shown that the design of several recently proposed ultralightweight authentication protocols is affected by a common problem: the transforms, used as building blocks in the protocols, do not provide confusion and diffusion in the input-output mappings as they should.Exploiting the corresponding weaknesses, we have shown for example how impersonation attacks against the protocols can be mounted.Attacks defeating other properties of the schemes are possible (e.g., [8]).Moreover, we have not considered important practical issues in the implementation of ultralightweight protocols (e.g., [1]).Our goal was to point out that the lack of confusion and diffusion can open the door to several breaches.In the future proposals the designers should primarily check whether such basic properties are achieved by the underlying transforms.A closer look at the standard strategies used in the design of lightweight symmetric primitives might help.Actually, the most important open problem in our opinion is to come up with a reasonable model for the class of ultralightweight protocols, in order to get an in-depth understanding of possibilities and limits for these protocols.

Step 3 .
Let A = 1011 0101 1111 1101 1101 1101 and B = 1011 0101 0101 1101 0101 1111 be the strings that we have used as examples before.The grouping obtained for each of them is summarized in the following tables.A = 10 1101 0111 111 101 11 01 1101 B = 101 10101 01011 101 01 0 11111 Swapping the groupings we get: A = 101 10101 11111 101 11 0 11101 B = 10 1101 0101 011 101 01 01 1111 At this point each group of bits gets (left circularly) rotated according to the Hamming weight of the group itself.Thus we obtain: A = 110 10101 11111 110 11 0 11110 B = 01 1110 0101 101 110 10 10 1111 The final step that produces the output bitstring is simply the ⊕ of the rearranged bitstrings A and B .Completing our example, we have: