Paper 2008/470

From Weaknesses to Secret Disclosure in a Recent Ultra-Lightweight RFID Authentication Protocol

Paolo D'Arco and Alfredo De Santis

Abstract

A recent research trend, motivated by the massive deployment of RFID technology, looks at cryptographic protocols for securing communication between entities in which al least one of the parties has very limited computing capabilities. In this paper we focus our attention on SASI, a new Ultra-Lightweight RFID Authentication Protocol, designed for providing Strong Authentication and Strong Integrity. The protocol, suitable for passive Tags with limited computational power and storage, involves simple bitwise operations like $and$, $or$, exclusive $or$, modular addition, and cyclic shift operations. It is efficient, fits the hardware constraints, and can be seen as an example of the above research trend. We start by showing some weaknesses in the protocol and, then, we describe how such weaknesses, through a sequence of simple steps, can be used to compute in an efficient way all secret data used for the authentication process. More precisely, we describe three attacks: - A de-synchronisation attack, through which an adversary can break the synchronisation between the RFID Reader and the Tag. - An identity disclosure attack, through which an adversary can compute the identity of the Tag. - A full disclosure attack, which enables an adversary to retrieve all secret data stored in the Tag. Then we present some experimental results we have obtained by running several tests on an implementation of the protocol, in order to evaluate the performance of the proposed attacks. The results confirm that the attacks are effective and efficient.