Security Analysis of a Privacy-preserving ECC-based Grouping-proof Protocol

Batina et al. have proposed a privacy-preserving grouping-proof RFID protocol with colluding tag prevention (CTP) recently which relies exclusively on the use of Elliptic Curve Cryptography (ECC). In this paper, we show that this proposed protocol is not secure against the tracking attack. To make this attack successfully, the adversary needs to execute three phases. Firstly, the attacker just eavesdrops on the messages exchanged between Reader and Tags. Secondly, the attacker impersonates Reader to replay the message which is got from the first phase. Finally, the adversary acts as a man in the middle to tamper the messages exchanged between Reader and Tag B. Then we propose an enhancement and prove that the revision is secure against the tracking attack which keeps other security properties.

[1]  Julien Bringer,et al.  Cryptanalysis of EC-RAC, a RFID Identification Protocol , 2008, CANS.

[2]  Ingrid Verbauwhede,et al.  Privacy-Preserving ECC-Based Grouping Proofs for RFID , 2010, ISC.

[3]  Gildas Avoine Adversarial Model for Radio Frequency Identification , 2005, IACR Cryptol. ePrint Arch..

[4]  Yi Mu,et al.  RFID Privacy Models Revisited , 2008, ESORICS.

[5]  Yunlei Zhao,et al.  A New Framework for RFID Privacy , 2010, ESORICS.

[6]  Lejla Batina,et al.  Untraceable RFID authentication protocols: Revision of EC-RAC , 2009, 2009 IEEE International Conference on RFID.

[7]  Dong Wang,et al.  Use of RFID for Intelligent Pre-shipment Inspection , 2010, J. Digit. Content Technol. its Appl..

[8]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[9]  Serge Vaudenay,et al.  On Privacy Models for RFID , 2007, ASIACRYPT.

[10]  Sasa Radomirovic,et al.  Algebraic Attacks on RFID Protocols , 2009, WISTP.

[11]  Sjouke Mauw,et al.  Secure Ownership and Ownership Transfer in RFID Systems , 2009, ESORICS.

[12]  Serge Vaudenay,et al.  Mutual authentication in RFID: security and privacy , 2008, ASIACCS '08.

[13]  Olivier Billet,et al.  An efficient forward private RFID protocol , 2009, CCS.

[14]  Ari Juels,et al.  RFID security and privacy: a research survey , 2006, IEEE Journal on Selected Areas in Communications.

[15]  Ingrid Verbauwhede,et al.  Wide-Weak Privacy-Preserving RFID Authentication Protocols , 2010, MOBILIGHT.

[16]  Ari Juels,et al.  Defining Strong Privacy for RFID , 2007, Fifth Annual IEEE International Conference on Pervasive Computing and Communications Workshops (PerComW'07).

[17]  Sjouke Mauw,et al.  Untraceability of RFID Protocols , 2008, WISTP.

[18]  Yuanbo Guo,et al.  Security Improvement in Authentication Protocol for Gen-2 Based RFID System , 2011 .

[19]  Ingrid Verbauwhede,et al.  Elliptic-Curve-Based Security Processor for RFID , 2008, IEEE Transactions on Computers.

[20]  Dong Wang,et al.  Impact of RFID Technology on Tracking of Export Goods in Kenya , 2010, J. Convergence Inf. Technol..

[21]  L. Batina,et al.  EC-RAC (ECDLP Based Randomized Access Control): Provably Secure RFID authentication protocol , 2008, 2008 IEEE International Conference on RFID.

[22]  Sasa Radomirovic,et al.  Security of an RFID Protocol for Supply Chains , 2008, 2008 IEEE International Conference on e-Business Engineering.

[23]  Sasa Radomirovic,et al.  Untraceable RFID protocols are not trivially composable: Attacks on the revision of EC-RAC , 2009, IACR Cryptol. ePrint Arch..

[24]  Chris J. Mitchell,et al.  RFID authentication protocol for low-cost tags , 2008, WiSec '08.