Cryptology ePrint Archive: Report 2014/968

Attacks on Secure Ownership Transfer for Multi-Tag Multi-Owner Passive RFID Environments

Jorge Munilla and Mike Burmester and Albert Peinado

Abstract: Sundaresan et al proposed recently a novel ownership transfer protocol for multi-tag multi-owner RFID environments that complies with the EPC Class1 Generation2 standard. The authors claim that this provides individual-owner privacy and prevents tracking attacks. In this paper we show that this protocol falls short of its security objectives. We describe attacks that allow: a) an eavesdropper to trace a tag, b) the previous owner to obtain the private information that the tag shares with the new owner, and c) an adversary that has access to the data stored on a tag to link this tag to previous interrogations (forward-secrecy). We then analyze the security proof and show that while the first two cases can be solved with a more careful design, for lightweight RFID applications strong privacy remains an open problem.

Category / Keywords: cryptographic protocols / cryptanalysis, anonymity, RFID

Date: received 26 Nov 2014

Contact author: burmester at cs fsu edu

Available format(s): PDF | BibTeX Citation

Version: 20141128:065519 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]