• No results found

On the Security of Permutation Based Authentication Protocols for Internet of Things Applications: The Case of Huang et al.'s Protocol

N/A
N/A
Protected

Academic year: 2020

Share "On the Security of Permutation Based Authentication Protocols for Internet of Things Applications: The Case of Huang et al.'s Protocol"

Copied!
9
0
0

Loading.... (view fulltext now)

Full text

(1)

Journal of Computing and Security

On the Security of Permutation Based Authentication Protocols for

Internet of Things Applications: The Case of Huang et al.’s Protocol

Samad Rostampour

a,

, Nasour Bagheri

b

, Mehdi Hosseinzadeh

c

, Ahmad Khademzadeh

d aDepartment of Computer Engineering, Ahvaz Branch, Islamic Azad University, Iran.

bDepartment of Electrical Engineering, Shahid Rajaee Teacher Training University, Tehran, Iran. cIran University of Medical Sciences, Tehran, Iran.

dIran Telecommunication Research Center, Tehran, Iran.

A R T I C L E I N F O.

Article history:

Received:20 January 2017

Revised:11 November 2017

Accepted:12 December 2017

Published Online:01 April 2018

Keywords:

Internet of Things, RFID, Security, Authentication.

A B S T R A C T

The Internet of Things (IoT) is a new technology, which enables objects to exchange data via the Internet. Authentication process is a method to prevent an unauthorized access to the IoT systems. The using of bit-wise functions such as XOR, Shift and Rotation could decrease the cost of authentication protocols. On the other hand, the simple operations usually could not provide an acceptable security level. Therefore, the researchers try to improve the security level by creating new permutation functions. In this paper, we evaluate some permutation functions and analyze a protocol which recently has been proposed by Huang et al. We prove that their protocol is vulnerable to the disclosure and the impersonation attacks and an adversary can clone a valid tag easily. The complexity of the proposed attack is low and attack method works efficiently for the secret keys and ID numbers with variable length.

c

2016 JComSec. All rights reserved.

1

Introduction

The Internet of Thing (IoT) is a new concept in the world of information technology. In short, it can be said that the IoT is a modern technology wherein each item (human, animal, object, etc.) is able to exchange data in communication networks [1–4]. In an IoT data exchange process, a unique identification number and an IP address are assigned to each item and its data is sent to a back-end server for processing. This data is then accessible through different devices such as smart phones, tablets, personal computers, etc. The IoT consists of various technologies and services, and

Corresponding author.

Email addresses:samad.rostampour@iauahvaz.ac.ir(S. Rostampour),nbagheri@srttu.edu(N. Bagheri),

hosseinzadeh.m@lums.ac.ir(M. Hosseinzadeh),

zadeh@itrc.ac.ir(A. Khademzadeh)

ISSN: 2322-4460 c2016 JComSec. All rights reserved.

concentrates on establishing a connection between appliances that are used every day.

The two main features of an object are communica-tion and identity. In terms of communicacommunica-tion, there are a lot of technologies to gather an object’s data such as Radio Frequency Identification (RFID), Bluetooth Low Energy (BLE), and Wi-Fi [5–10]. In an RFID system a tag is assigned to each item, a reader collects the tag’s information in a wireless environment and then sends it to a back-end database server.

(2)

tags. On the other hand, the use of sophisticated cir-cuits to improve the security level could lead to an increase of accommodated gates on a tag. Therefore, the making a trade-off between the security level and the tag’s weight is necessary. In terms of the tag’s weight, IoT authentication protocols are divided into three categories: Ultra-lightweight, Lightweight, and Non-lightweight.

• Ultra-lightweight: in these kinds of protocols only simple bit-wise functions such as AND, XOR, and Shift are used and the number of gates on the tag is very low.

• Lightweight: in lightweight protocols, the design-ers can also use one-way or two-way cryptogra-phy methods such as Pseudo Random Number Generator (PRNG), Cycle Redundancy Check (CRC) functions, and Data Encryption Standard (DES). These kinds of protocols have resource limitations, and the approximate 3000 gates are accommodated on the tag for the security mod-ule [12, 13]. Lightweight protocols are suitable for low-cost tags and can be implemented based on international standards.

• Non-lightweight: in this category, encryption methods such as Hash functions and Elliptic Curve cryptography (ECC) are used to increase the security level. Although these functions can increase the complexity and confidentiality of ex-changed messages, they also cause an increase in the number of required gates on the tag beyond that of the lightweight protocols for an equal level of security.

Since the context of this article is about ultra-lightweight protocols, we describe and analyze some of the current presented protocols of this category. One of the first and famous ultra-lightweight pro-tocols is SASI (Strong Authentication and Strong Integrity)[14]. In the SASI protocol, the authors attempted to design a protocol based on bit-wise functions such as XOR and Rotate for low-cost tags. Although SASI had some vulnerabilities and could not satisfy an acceptable level of security, it was employed as the basic theory for ultra-lightweight protocols.

In addition, in recent years many ultra-lightweight protocols have been proposed and most of them had security vulnerability and were not resistant against IoT threats. Because the use of bit-wise functions de-creases the complexity of the protocol and inde-creases the probability of a successful attack[15–19]. Hence, the researchers tried to create new permutation func-tions based on bit-wise operafunc-tions.

For example, RAPP (RFID Authentication Proto-col with Permutation) is an ultra-lightweight protoProto-col that used a permutation function to improve the

secu-rity level[20]. The function used the hamming weight and changed the place of the bits. Therefore, it had a simple hardware circuit. Even though RAPP was affordable and low-power, there have been three at-tack methods presented and proven that RAPP is not secure against traceability, secret disclosure, and desynchronization attacks[21].

Fan et al. proposed another Ultra-Lightweight RFID Mutual Authentication Protocol with Cache (UL-RMAPC) for the IoT applications[22]. The authors created a permutation function based on rotate and re-verse operations(RR function). They claimed that the proposed protocol is robust against well-known RFID attacks and they have solved the security problems of previous protocols such as SASI and Gossamer.

In addition, Tewari and Gupta proposed an ultra-lightweight mutual authentication protocol in IoT environments for RFID tags[23]. Their protocol is very efficient since it only utilizes bit-wise operations such as Rotate and XOR. The authors also provided a detailed analysis to demonstrate this protocol is secure against various attacks. Their protocol aims to provide a secure communication with least cost in both storage and computation. Although Tewari and Gupta tried to provide a low-cost and ultra-lightweight protocol based on bit-wise and hamming weight, they could not provide an acceptable security level by these kinds of functions. Because Wang et al. proved that Tewari and Gupta protocol is vulnerable to the key disclosure attack and they could obtain the secret information of the tags[24].

In this direction, Huang et al. also presented an authentication protocol to enhance the security level and reduce the tags’ cost in IoT healthcare applica-tions [25]. They used a permutation function called

Con, claiming it to be more lightweight than other encryption functions such as hash functions and ellip-tic curve based crypto-systems (ECC). In this paper, we argue that Huang et al.’s protocol is not resistant against the disclosure and the impersonation attacks and an adversary can disclose the stored secret pa-rameters of the tag, and clone it.

In the rest of this paper, we review Huang et al.’s protocol in Section 2. Then, we analyze this protocol and implement attacks on it in Section 3. Ultimately, in Section 4 we will conclude.

2

Huang et al.’s Protocol

(3)

applications. When two or more tags participate in an authentication process and the reader has to identify them simultaneously, it is called grouping proof. In the proposed protocol, the reader tries to authenticate two tags and prove the tags are valid. Because the reader has to create a unique message for each tag and provide the integrity in tags’ messages, therefore presenting a secure grouping proof protocol that can satisfy all security features seems difficult. Their protocol is based on ISO-14443 standard for passive tags and uses a permutation functionCon. In this section, we reviewConfunction and Huang et al.’s protocol.

2.1 Con Function

To reduce the cost and computational load of passive tags, Huang et al. utilize a new permutation function that has two input parameters and one output,Con

(X,Y). It rearranges the first input (X) based on the hamming weight of the second input (Y) that just usesXORandRotfunctions to calculate the output as follows:

(1) Receives two inputs X and Y.

(a) X=x1x2. . . xl; wherexi∈ {0,1}andi= 1; 2;. . .;l;

(b) Y =y1y2. . . yl; whereyj ∈ {0,1}andj= 1; 2;. . .;l;

(2) Calculates the hamming weight of Y that is called (m) that is the number of ones inY, such that yk1 =yk2 =... =ykm = 1 and ykm+1 = ykm+2 =... =ykl = 0(ki is discontinuous,i.e.

ykijust presents one of all theyj, that equals to 0 or 1.).

(3) Divides ones to even-group and odd-group and rearranges X based on the position of ones in Y to compute the output ofConas below:Con=

xk1xk3...xkm+1xkm+2...xkl...xk4xk2.

As it is shown in Figure 2, if X = 11001010,Y = 10100110, where m = 4, as a result Con(X, Y) = 10101010

In addition, Huang et al.’s usesRot(a, b) function. The first parameter of the function is the main eter that we want to rotate it and the second param-eter indicates the number of rotations.Rotfunction rotates the first inputhtimes wherehis the hamming weight of the second parameter.

2.2 Huang et al.’s Method

In this section, we explain how Huang et al.’s proto-col works based onConfunction. The used notations of the proposed protocol have been listed in Table 1. The protocol has two phases: Initialization and Au-thentication.

Table 1. Notations Used in the Huang et al.’s Protocol

Notations

X First input ofConfunction

Y Second input ofConfunction

TAandTB The participating tags in

the authentication process

T Output ofConfunction

m Hamming weight

r A random number

l Data length bit

k Shared secret key of each tag

ID ID number of each tag

Rot(a, b) Rotateabased on hamming weight ofb

⊕ XOR function

PAB Proof betweenTA andTB

(1) Initialization phase

In this phase, the shared secret keykand the identification numberIDare stored in the tags. (2) Implementation Phase

(a) The reader generates two random numbers

r1andr2 and sends them with a request

message toTA andTB.

(b) Upon receiving r1, TA generates a random number rA, calculates A =

Con(Rot(rA;r1)⊕IDA;rA) and sends A

to the reader.

(c) After receivingAandrA, the reader calcu-latesVRA=Con(rA;IDA) and transmits it toTB.

(d) WhenTB receivesVRA, generatesrB ran-domly and computesB =Con(Rot(VRA;rB)⊕

IDB;rB⊕r2) andVRB=Con(rot(B;r2);k2).

Then, TB transfers B,rB andVB to the reader.

(e) Afterwards, the reader computesVRB =

Con(rB;IDB) and transmits it toTA. (f) TAcalculatesVA=Con(VRB;Rot(rA;k1))

and responds to the reader.

(g) The reader calculates proofPAB withrA,

rB, A, B, VA andVB and transfers it to the server.

(h) Upon receivingPAB, the server computes

(4)

VB= Con(Rot(B; r2); k2)

TA

IDA, k1

Reader IDA, IDB, k1, k2

TB

IDB, k2

Request, r1 Request, r

2

A, rA

VRA

VRB

VA

B, VB, rB

A = Con(Rot(rA; r1)⨁IDA; rA)

VA= Con (VRB; Rot(rA; k1))

VRB= Con (rB; IDB) B =Con(Rot(VRA; rB)⨁IDB; rB⨁r2)

Con(Rot(VRA;rB)_IDB;rB_r2)

VRA= Con (rA; IDA)

Figure 1. The Huang et al.’s Protocol

Table (1): notations that are used in the paper

0 0 0 1

1 1 0 1 0 1 0 0

1 0 1 0 1 0 0 1

0 0 1 0

1 1 0 1 0 1 0 0

1 0 1 0 1 0 0 1

yk1 yk2 yk3 yk4

Y 1 0 1 0 0 1 1 0

X 1 1 0 0 1 0 1 0

T=Con(X,Y) 1 0 1 0 1 0 1 0

Figure 2. An Example ForConFunction

3

Security Analysis of Huang et al.’s

Protocol

Huang et al. claimed that their protocol is robust against well-known RFID attacks based on the follow-ing reasons:

• The protocol is based on ISO-14443 standard and the user can adjust the transmission power of the tag under 4 inches. Therefore, the adversary cannot eavesdrop or intercept the information in the communication channel.

• Each tag has a shared secret key that the infor-mation is encrypted by it. Because the secret key is not transferred in the channel, the adversary cannot access to it. Accordingly, the protocol is resistant against the disclosure attack.

• Information is computed by two tags, which are related to each other. Hence, if one of them is ab-sent, the authentication process is not completed and adversary needs both of them simultaneously. In this section, we prove that mentioned reasons can-not guarantee the security of the proposed protocol and present an attack model to penetrate to the sys-tem. The attack method does not depend on power transmission of the tag. Given a valid tag and an

il-legitimate reader, the adversary can send a request to the tag and collects its responses. Afterwards, she processes the stored tag responses and obtains the secret values.

In addition, a user of the system can obtain the secret values of tags. For instance, one can put a sniffer between a tag and a reader and eavesdrops the messages.

The aim of this attack is to disclose the secret parameters of the tag. In each tag, there are two stored parameters, secret key (k) and ID-number (ID). The security method of the Huang et al.’s protocol is based on a permutation function that is calledCon that was explained in Section 2.Confunction consists of three parameters X and Y as input andT as output,

T = Con (X, Y). We show that if the adversary has just two parameters of Con function, can also get the third parameter. In this attack, we assume that the adversary has an illegitimate reader and sends messages to the tag and collects its responses. In two separate processes, we will disclosekand ID-number.

3.1 ID Disclosure Attack

Given,Y, inT =Con(X, Y) function, the mapping fromTtoXis an invertible permutation. Hence, given

Y andT, the adversary can computeXeasily, because

Xis rearranged based onY. We explain ID disclosure attack as follow, which is shown in Figure 3:

(1) The adversary divides ones ofY to two groups, odd (gray cells) and even (blue cells). Odd ones imply left side bits ofT and even ones point to right side bits as it is shown in Figure 3b. (2) Puts the first left bit ofT in the position of the

first one ofY.

(5)

Y 1 0 1 1 0 1 0 0

X 1 0 0 1 1 1 1 0

T=Con(X,Y) 1 1 0 1 1 0 1 0

T 1 1 0 1 1 0 1 0

Y 1 0 1 1 0 1 0 0

X 1 0 1 1

T 1 1 0 1 1 0 1 0

Y 1 0 1 1 0 1 0 0

X 1 0 0 1 1 1 1 0

(a) theConFunction T=Con(X, Y)

Y 1 0 1 1 0 1 0 0

X 1 0 0 1 1 1 1 0

T=Con(X,Y) 1 1 0 1 1 0 1 0

T 1 1 0 1 1 0 1 0

Y 1 0 1 1 0 1 0 0

X 1 0 1 1

T 1 1 0 1 1 0 1 0

Y 1 0 1 1 0 1 0 0

X 1 0 0 1 1 1 1 0

(b) Finding Bits of X Based on Left-Side and Right-Left-Side Bits ofT and the Position of Ones inY.

Y 1 0 1 1 0 1 0 0

X 1 0 0 1 1 1 1 0

T=Con(X,Y) 1 1 0 1 1 0 1 0

T 1 1 0 1 1 0 1 0

Y 1 0 1 1 0 1 0 0

X 1 0 1 1

T 1 1 0 1 1 0 1 0

Y 1 0 1 1 0 1 0 0

X 1 0 0 1 1 1 1 0

(c) Bits ofX Based on Middle Bits of T and the Position of Zeros inY

Figure 3. The Steps of the Finding ID-Number

the second one ofY.

(4) She repeats steps 2 and 3, (m) times for odd group and even group respectively.

(5) There are (l−m) zeros in Y. The adversary arranges remaining bits ofT (red cells) based of zeros ofY. As it is shown in Figure 3c, the adversary selects the first bit after even group (gray cells) and puts it in the position of the first left zero bit ofY. She repeats this operation for (l−m) times.

Hence, to disclose IDA and IDB the adversary impersonates a legitimate reader and does as follows: (1) The adversary generates a random numberr1

and sends it with a request message toTA . (2) Upon receiving r1, TA generates a random

number rA, calculatesA=Con(Rot(rA;r1)⊕ IDA;rA) and sendsAto the reader (imperson-ated by the adversary).

(3) After receivingAandrA, adversary can deter-mineRot(rA;r1)⊕IDA.

(4) Adversary determinesIDAasIDA=Rot(rA;r1)⊕ IDA⊕Rot(rA;r1).

(5) The Adversary also calculatesVRA=Con(rA;IDA) and transmits it toTB.

(6) When TB receives VRA, generates rB ran-domly and computesB =Con(Rot(VRA;rB)⊕

IDB;rB⊕r2) andVRB =Con(rot(B;r2);k2).

Then,TB transfersB,rB andVB to the reader. (7) GivenB,VRA,rB andr2the adversary can

de-termineRot(VRA;rB)⊕IDBand discloseIDB asIDB=Rot(VRA;rB)⊕IDB⊕Rot(VRA;rB). The success probability of the presented attack is ‘1’ while the attack complexity is only impersonating the legitimate reader in a single session between the tags and the reader. On the other hand, given thatID -number is a static value for each tag, the adversary can use the extracted values to trace the tag holder at any time. Since the attack procedure is trivial, we omit more details. The success probability of the adversary to determine the tag holder correctly would be 1−2−n, wherenis the bit length of ID, and the complexity for each attack session would be just impersonating the reader once.

3.2 Secret Key Disclosure Attack

In Huang et al.’s protocol, a transferred value from the tag to the reader isVRB =Con(Rot(B;r2);k2), where k2is a static value for each tag and is not updated. On

the other hand, assuming that the adversary follows the attack procedure that presented in Section 3.1, we can assume that the adversary knowsB andr2

and can calculateRot(B;r2). Thus, extractingk2 is

reduced to extractY fromT =Con(X;Y) givenT

andX. Unlike the mappingTtoX, for fixedY, which is an invertible permutation, the mappingT toY, for fixedX, is not a permutation necessarily. However, given several pairsTi =Con(Xi;Y), the adversary can determineY uniquely. Hence, to determinek2 in

Huang et al.’s protocol, the adversary impersonates the reader and initiatestsessions with the legitimate tagsTAandTB. In each sessioni, the adversary stores

Bi,ri2 andVRBi , for 1 ≤i≤ t, that are transferred from the adversary to the tag or from the reader to the tag in theithsession. To obtain the value ofk2,

the adversary storesB,VRBandrB as Table 2 to find appropriateY =k2. In each row of Table 2, examples

of the calculated values by the tag for each adversary’s query are shown. GivenTi= (Con(Xi;k

2)), for 1≤ i≤t, whereXi =Rot(Bi;ri

2) and assuming that (Z)j determines thejthbit of stringZ, (Z)

0is the most left

bit, the adversary can extractk2bit by bit as follows:

• If (Ti)0 = (Xi)0 for 1 ≤ i ≤ t, set (k2)0 = 1

otherwise (k2)0= 1.

• Given, (k2)0, the adversary determines (k2)1in

the next step. There could be two cases for (k2)0,

i.e. (k2)0 = 0 and (k2)0 = 1 respectively and

adversary does as follows in each case:

◦ When (k2)0= 0, if (Ti)0= (Xi)1for 1≤i≤t,

set (k2)1= 1 otherwise (k2)0= 1.

(6)

206 On the Security of Permutation Based Authentication Protocols . . . — S. Rostampour, M. Hosseinzadeh, et al.

Table 2. Examples ofConFunction Based on Different Inputs

X=Rot(B;r2) Y =k T =Con(X, Y) =VB

1 1 0 1 0 1 0 0 1 0 0 0 0 1 1 1 1 0 1 0 1 0 0 1

0 1 0 0 1 1 1 0 1 0 0 0 0 1 1 1 0 1 1 0 0 1 0 1

0 0 1 1 0 1 1 0 1 0 0 0 0 1 1 1 0 1 0 1 1 0 0 1

1 0 1 0 0 1 1 1 1 0 0 0 0 1 1 1 1 1 0 1 0 0 1 1

• Following this procedure, the adversary can de-termine wholek2bit by bit. For example

assum-ing that the adversary already has determined the firstrbits ofk2and the hamming weight of

theserbits ism. To extract (r+ 1)th-bit ofk2,

i.e.(k2)rthe adversary does as follows:

◦ Whenmis even, if (Ti)m

2+1= (X

i)r

+1for 1≤ i≤t, set (k2)m+1= 1 otherwise (k2)m+1= 1.

◦ When m is odd, if (Ti)rm+1

2 = (X

i)r

+1

for 1 ≤ i ≤ t, set (k2)m+1 = 1 otherwise

(k2)m+1= 1.

Following the above attack, the adversary can de-termine whole bits of k2. To determine the success

probability of the given attack, omit the case where

k2={0}n, an- bit string for which all bits are zero,

where the above-mentioned attack returnsk2={1}n,

and can be fixed easily. For (k2)0 the attack may

re-turn a wrong guess if there exist 1≤j≤n−1 such that (Xi)

0= (Xi)jwhich happens with the probabil-ity 1−(1−2−t)n−1. Assuming that, the adversary

already has determined the firstrbits ofk2correctly,

it may return a wrong guess for (k2)r if there exist r+ 1 ≤j ≤ n−1 such that (Xi)

0 = (Xi)j which

happens with the probability of 1−(1−2−t)n−1−r. Hence the total success probability of the given attack is lower bounded by Πnj=0−1(1−2−t)n−1−j.

Another approach to determineY =k2is as follows:

Step 1 ◦ The adversary dividesY into 4-bit blocks and analyzes the first left-side block as it is shown in Figure 4.

◦ Based onX andT, she assumes the value of the block from (0000) to (1111) and checks that which of 16 possible states can be true as it is shown in Table 3. In each row of Table 3, the adversary finds the true possible states fork. For example, in step 3.2 for X=1 1 0 1 0 1 0 0 and T = 1 0 1 0 1 0 0 1, she analyzes the first 4-bit block ofY and finds the seven values can be true possible state. In step 2, she changesX

andT, repeats the comparisons and continues this operation until finding the appropriate states.

◦ For instance, as it is shown in Figure 5, (0001) can be true because the forth bit of X equals to the first bit of T and there are not any

0 1 0 0 1 1 1 0

1 0 0 0 0 1 1 1

0 1 1 0 0 1 0 1

0 0 1 1 0 1 1 0

1 0 0 0 0 1 1 1

0 1 0 1 1 0 0 1

1 0 1 0 0 1 1 1

1 0 0 0 0 1 1 1

1 1 0 1 0 0 1 1

Step

X

T

True Possible states

False states

1

1 1 0 1 0 1 0 0

1 0 1 0 1 0 0 1

0001, 0100, 0101,

1000, 1001, 1100,

1110

0010, 0011,

0110, 0111,

1010, 1011,

1101, 111

2

0 1 0 0 1 1 1 0

0 1 1 0 0 1 0 1

0001, 1000, 1100

0100, 0101,

1001, 1110

3

0 0 1 1 0 1 1 0

0 1 0 1 1 0 0 1

1000

0001, 1100

4-bit block

? ? ? ?

4-bit block

1 0 0 0 ? ? ? ?

Figure 4. A 4-Bit Search Block

Table (1): notations that are used in the paper

0 0 0 1

1 1 0 1 0 1 0 0

1 0 1 0 1 0 0 1

0 0 1 0

1 1 0 1 0 1 0 0

1 0 1 0 1 0 0 1

yk1 yk2 yk3 yk4

Y 1 0 1 0 0 1 1 0

X 1 1 0 0 1 0 1 0

T=Con(X,Y) 1 0 1 0 1 0 1 0

Figure 5. Evaluation a True Possible State

Table (1): notations that are used in the paper

0 0 0 1

1 1 0 1 0 1 0 0

1 0 1 0 1 0 0 1

0 0 1 0

1 1 0 1 0 1 0 0

1 0 1 0 1 0 0 1

yk1 yk2 yk3 yk4

Y 1 0 1 0 0 1 1 0

X 1 1 0 0 1 0 1 0

T=Con(X,Y) 1 0 1 0 1 0 1 0

Figure 6. Evaluation a False State

dissimilar bits.

◦ On the other hand, as it is shown in Figure 6, (0010) is not true, because the third bit of X is

zero, though the first bit of T is one.

◦ The adversary continues this comparison for all numbers to (1111) and understands 0100; 0101; 0110; 1000; 1001; 1100; 1110 can be true and stores acceptable numbers. It must be noted that (0000) will be checked at the end because this number could be true for each state. If any possible state is not found, the adversary checks (0000) and merge it to the next 4-bit block.

Step 2

• The adversary checks remaining numbers by the second row of Table 2 that X = (01001110) and T = (01100101).

• Again, (0001) is acceptable but (0100) is not. Because, the second bit of X is one but the first bit of T is zero.

• Accordingly, for theseXandT, 0001; 1000; 1100 is acceptable and 0100; 0101; 1001; 1110 are not match as shown in Table 3.

Step 3

(7)

Table 3. Steps of the Finding K and Reducing False Values in Each Step

Step X T True Possible States False States

1 1 1 0 1 0 1 0 0 1 0 1 0 1 0 0 1 0001, 0100, 0101, 1000, 1001, 1100, 1110 0010, 0011, 0110, 0111, 1010, 1011, 1101, 111

2 1 1 0 1 0 1 0 0 0 1 1 0 0 1 0 1 0001, 1000, 1100 0100, 0101, 1001, 1110

3 0 0 1 1 0 1 1 0 0 1 0 1 1 0 0 1 1000 0001, 1100

20 30 40 50 60 70 80 90 100 110 120

0 200 400 600 800 1000 1200 1400 1600 1800

X: 128 Y: 1624

Data-length (bit)

N

u

m

b

e

r

o

f

C

o

m

p

a

ri

s

o

n

s

X: 16 Y: 180

X: 32 Y: 330

X: 64 Y: 780 Number of Comparisons

Figure 7. The Graph of the Average Number of Comparisons for 16-Bit to 128-Bit Data Length

Hence, she repeats these steps for the next 4-bit block and checks all numbers based on (1000) in the first block for X and T in Table 2. Ultimately, she finds (0111) is the correct answer andY = (10000111). The number of comparisons is 42 that it is much smaller than the number of comparisons in the comprehensive search for 8-bit data (28). Therefore, inConfunction,

if the second parameter be fixed, the adversary can obtain it and this function is insecure. We evaluated this attack method for different lengths of parameters such as k from 16-bit to 128-bit. For each length, we used five differentk and calculated the average number of comparisons. For 16-bit, 32-bit, 64-bit and 128-bit length, the average number of comparisons consequently were 180, 330, 780 and 1624 as it is shown in Figure 7. The complexity of this attack is less than using the comprehensive search for finding

k, though the comprehensive search is not practicable for data length more than 32-bit.

3.3 Permanent Impersonation Attack

For permanent impersonation attack, the adversary needs to obtain all stored parameters in the tag.

Be-cause just two parameters (k, ID) are stored in the tag, if the adversary computes them, she can clone the tag.

In Section 3, the adversary obtainedkandIDof the tag; therefore, she can make a hard copy and cloneTB. ForTA, the adversary repeats the proposed attack in Section 3 and computes all stored parameters. Hence, the disclosure attack causes to the permanent imper-sonation attack easily and adversary impersonates all the tags in the system.

The using of only one secret parameter in each vari-able that is created by the tag is the main reason of the weakness of the protocol. To generateB, Because

TB just usesIDB as a secret parameter, the attacker can compromise the protocol. If we use bothIDBand

k2to generate tags’ messages, the security level of the

(8)

secure and ultra-lightweight protocol, it must be ana-lyzed based on formal and informal security method completely.

4

Conclusion

In this paper, we discussed about security of authenti-cation protocols which have used permutation function in IoT technology. We reviewed some protocols and analyzed one of them that recently has been presented by Huang et al. for medical healthcare applications. The authors presented an authentication protocol and utilized a new permutation function that is calledCon

for rearranging data before sending. The Con func-tion had two input parameters and rearranged the first input based on hamming weight of the second input. We proved thatConfunction was vulnerable to the disclosure and the impersonation attacks, and the attack method is efficient for data with any length. Therefore, it proves that the permutation function is not suitable solution to improve the security of ultra-lightweight and ultra-lightweight protocols in IoT systems and researchers have to improve the security level of the protocols that use permutation functions.

References

[1] M. Chen, S. Chen, and Y. Fang. Lightweight Anonymous Authentication Protocols for RFID Systems. IEEE/ACM Transactions on Network-ing, 25(3):1475–1488, June 2017. ISSN 1063-6692. doi:10.1109/TNET.2016.2631517.

[2] Prosanta Gope, Ruhul Amin, S.K. Hafizul Is-lam, Neeraj Kumar, and Vinod Kumar Bhalla. Lightweight and privacy-preserving RFID authentication scheme for distributed IoT in-frastructure with secure localization services for smart city environment. Future Generation Computer Systems, 2017. ISSN 0167-739X.

doi:https://doi.org/10.1016/j.future.2017.06.023. [3] Fan Wu, Lili Xu, Saru Kumari, Xiong Li, Ashok Kumar Das, and Jian Shen. A lightweight and anonymous RFID tag authentication proto-col with cloud assistance for e-healthcare appli-cations. Journal of Ambient Intelligence and Hu-manized Computing, Apr 2017. ISSN 1868-5145. doi:10.1007/s12652-017-0485-5.

[4] In Lee and Kyoochun Lee. The Internet of Things (IoT): Applications, investments, and challenges for enterprises. Business Hori-zons, 58(4):431 – 440, 2015. ISSN 0007-6813. doi:https://doi.org/10.1016/j.bushor.2015.03.008. [5] Anas Basalamah. BLESS: Opportunistic

Crowd-sensing Framework for Internet of Things using Bluetooth Low Energy.The Journal of

Engineer-ing, 1(1), 2016.

[6] M. Gentili, R. Sannino, and M. Petracca. BlueVoice: Voice communications over Blue-tooth Low Energy in the Internet of Things scenario. Computer Communications, 89-90 (Supplement C):51 – 59, 2016. ISSN 0140-3664. doi:https://doi.org/10.1016/j.comcom.2016.03.004. Internet of Things Research challenges and Solutions.

[7] C. A. Trasvi˜na-Moreno, R. Blasco, R. Casas, and A. Marco. Autonomous WiFi Sensor for Heating Systems in the Internet of Things.Journal of Sen-sors, 2016:1–14, 2016. doi:10.1155/2016/7235984. [8] Xin Huang, Paul Craig, Hangyu Lin, and Zheng

Yan. SecIoT: a security framework for the Inter-net of Things. Security and Communication Net-works, 9(16):3083–3094, 2016. ISSN 1939-0122. doi:10.1002/sec.1259.

[9] P. Gope and T. Hwang. A Realistic Lightweight Anonymous Authentication Protocol for Secur-ing Real-Time Application Data Access in Wire-less Sensor Networks. IEEE Transactions on In-dustrial Electronics, 63(11):7124–7132, Nov 2016. ISSN 0278-0046. doi:10.1109/TIE.2016.2585081. [10] Alexander Yohan, Nai-Wei Lo, Vincentius Randy, Shih-Jen Chen, and Ming-Yuan Hsu. A Novel Authentication Protocol for Micropayment with Wearable Devices. InProceedings of the 10th In-ternational Conference on Ubiquitous Informa-tion Management and CommunicaInforma-tion, IMCOM ’16, pages 18:1–18:7. ACM, 2016. ISBN

978-1-4503-4142-4. doi:10.1145/2857546.2857565. [11] Adarsh Kumar Manjulata. Survey on lightweight

primitives and protocols for RFID in wireless sensor networks. International Journal of Com-munication Networks and Information Security, 6(1):29, 2014.

[12] S. Sundaresan, R. Doss, S. Piramuthu, and W. Zhou. A Robust Grouping Proof Proto-col for RFID EPC C1G2 Tags. IEEE Trans-actions on Information Forensics and Secu-rity, 9(6):961–975, June 2014. ISSN 1556-6013. doi:10.1109/TIFS.2014.2316338.

[13] Javad Alizadeh, Mohammad Reza Aref, Nasour Bagheri, and Alireza Rahimi. JHAE: A Novel Permutation-Based Authenticated Encryption Mode Based on the Hash Mode JH. Journal of Computing and Security, 2(1), 2016. ISSN 2383-0417. URL http://jcomsec.org/index.php/

JCS/article/view/181.

(9)

[15] Aras Eghdamian and Azman Samsudin. A Se-cure Protocol for Ultralightweight Radio Fre-quency Identification (RFID) Tags, pages 200– 213. Springer Berlin Heidelberg, 2011. ISBN 978-3-642-25327-0. doi:10.1007/978-3-642-25327-0 18.

[16] Pedro Peris-Lopez, Agustin Orfila, Julio C. Hernandez-Castro, and Jan C.A. van der Lubbe. Flaws on RFID grouping-proofs. Guidelines for future sound protocols. Jour-nal of Network and Computer Applications, 34(3):833 – 845, 2011. ISSN 1084-8045. doi:https://doi.org/10.1016/j.jnca.2010.04.008. RFID Technology, Systems, and Applications. [17] Shaohui Wang, Sujuan Liu, and Danwei Chen.

Se-curity Analysis and Improvement on Two RFID Authentication Protocols. Wireless Personal Communications, 82(1):21–33, May 2015. ISSN 1572-834X. doi:10.1007/s11277-014-2189-x. [18] Pedro Peris-Lopez, Julio Cesar

Hernandez-Castro, Juan M. E. Tapiador, and Arturo Rib-agorda. Advances in Ultralightweight Cryptogra-phy for Low-Cost RFID Tags: Gossamer Protocol, pages 56–68. Springer Berlin Heidelberg, 2009. ISBN 978-3-642-00306-6. doi:10.1007/978-3-642-00306-6 5.

[19] Kai Fan, Wei Wang, Wei Jiang, Hui Li, and Yin-tang Yang. Secure ultra-lightweight RFID mu-tual authentication protocol based on transpar-ent computing for IoV. Peer-to-Peer Network-ing and Applications, Apr 2017. ISSN 1936-6450. doi:10.1007/s12083-017-0553-9.

[20] Y. Tian, G. Chen, and J. Li. A New Ul-tralightweight RFID Authentication Protocol with Permutation. IEEE Communications Let-ters, 16(5):702–705, May 2012. ISSN 1089-7798. doi:10.1109/LCOMM.2012.031212.120237. [21] Zahra Ahmadian, Mahmoud Salmasizadeh, and

Mohammad Reza Aref. Desynchronization attack on RAPP ultralightweight authentica-tion protocol. Information Processing Let-ters, 113(7):205 – 209, 2013. ISSN 0020-0190. doi:https://doi.org/10.1016/j.ipl.2013.01.003. [22] Kai Fan, Yuanyuan Gong, Chen Liang, Hui

Li, and Yintang Yang. Lightweight and ultra-lightweight RFID mutual authentication protocol with cache in the reader for IoT in 5G. Security and Communication Networks, 9(16):3095–3104, 2016. ISSN 1939-0122. doi:10.1002/sec.1314. [23] Aakanksha Tewari and B. B. Gupta.

Cryptanal-ysis of a novel ultra-lightweight mutual authenti-cation protocol for IoT devices using RFID tags. The Journal of Supercomputing, 73(3):1085–1102, Mar 2017. ISSN 1573-0484. doi:10.1007/s11227-016-1849-x.

[24] King-Hang Wang, Chien-Ming Chen, Weicheng

Fang, and Tsu-Yang Wu. On the security of a new ultra-lightweight authentication protocol in IoT environment for RFID tags. The Journal of Supercomputing, 74(1):65–70, Jan 2018. ISSN 1573-0484. doi:10.1007/s11227-017-2105-8. [25] Ping Huang, Haibing Mu, and Changlun Zhang.

A New Lightweight RFID Grouping Proof Proto-col, pages 869–876. Springer Netherlands, 2014. ISBN 978-94-007-7262-5. doi:10.1007/978-94-007-7262-5 98.

Samad Rostampouris a Lecturer and Fac-ulty member of Department of Computer in Ahvaz Branch, Islamic Azad University. His research interests include Computer Networks, Information Security and Cryptography and System Design.

Nasour Bagheriis an assistant professor at Electrical Engineering Department, Shahid Rajaee Teacher Training University, Tehran, Iran. He is the author of over 50 articles in information security and cryptology. Home-page of the author is available at: http:// n-bagheri.srttu.ir.

Mehdi Hosseinzadehis an assistant profes-sor at Department of Computer Engineering, Science and Research branch, Islamic Azad University, Tehran, Iran. His research inter-ests are Computer Arithmetic with emphasis on Residue Number System, Cryptography, Network Security and E-Commerce.

doi:10.1109/TNET.2016.2631517. doi:https://doi.org/10.1016/j.future.2017.06.023. doi:10.1007/s12652-017-0485-5. doi:https://doi.org/10.1016/j.bushor.2015.03.008. doi:https://doi.org/10.1016/j.comcom.2016.03.004. doi:10.1155/2016/7235984. doi:10.1002/sec.1259. doi:10.1109/TIE.2016.2585081. doi:10.1145/2857546.2857565. doi:10.1109/TIFS.2014.2316338. http://jcomsec.org/index.php/JCS/article/view/181 doi:10.1109/TDSC.2007.70226. doi:10.1007/978-3-642-25327-0 18. doi:https://doi.org/10.1016/j.jnca.2010.04.008. doi:10.1007/s11277-014-2189-x. oi:10.1007/978-3-642- doi:10.1007/978-3-642-00306-6 5. doi:10.1007/s12083-017-0553-9. doi:10.1109/LCOMM.2012.031212.120237. doi:https://doi.org/10.1016/j.ipl.2013.01.003. doi:10.1002/sec.1314. doi:10.1007/s11227-016-1849-x. doi:10.1007/s11227-017-2105-8. doi:10.1007/978-94-007-7262-5 98. http://n-bagheri.srttu.ir

Figure

Table 1. Notations Used in the Huang et al.’s Protocol
Figure 1. The Huang et al.’s Protocol
Figure 3. The Steps of the Finding ID-Number
Figure 5. Evaluation a True Possible State
+2

References

Related documents

Therefore the plant was designed to use different water sources and different treatment processes: seawater (from the Westerschelde estuary) and integrated membrane system (IMS)

T he greatest security threat today – not just for the United States, or for the West, but for the world – is the possibility that a terrorist group could acquire a nuclear weapon

took office in 2007. McConnell also represented some states in their lawsuits against the tobacco industry. His work, and the work of other private at- torneys, led to the 1998

metalliche : Brass/Ottone 7/8 Contact/Contatto 7/8 : Brass/Ottone 4/16 Contact/ Contatto 7/16 : Brass/Ottone Insulator/Isolante : PTFE Gaskets/Guarnizioni :..

9.6 The Administration Company is entitled to receive and retain payments from banks, including both the Scheme bank account and any account maintained by an investment

All persons claiming to be creditors of or who have any claims or demands upon or affecting the Estate of ALETHA GRACE CROSS, the aforesaid deceased, who died at Brookfield, in

patient - provider interaction and here are some of the unique uses we have utilized the portal to achieve Meaningful.. Use as well as Patient Centered Medical

a. Child Action Process. Findings in the child's action process when participating in handwashing activities that can improve children's life skills through two