Security of an RFID Based Authentication Protocol with Bitwise Operations for Supply Chain

Due to the stringent computational capabilities of low-cost RFID tags, several lightweight secure authentication protocols have been proposed for RFID-based supply chains using bitwise operations. In this paper, we study the vulnerabilities associated with bitwise operations by cryptanalyzing a secure lightweight authentication protocol for RFID tags. We show that, because the protocol relies only on bitwise operations such as rotation and XOR, it is vulnerable to tag, reader, and supply chain node impersonation attacks. We find that the major cause of the vulnerability is the bitwise operations themselves and suggest using physically unclonable functions rather than bitwise operations to secure such lightweight protocols. We provide a formal analysis using the AVISPA tool and show that the protocol is vulnerable to various attacks.


Introduction
A supply chain is the management of the entire flow of goods, data, finance and production, and supervises the processes until they are transformed into final products or reach their destination. A well-managed and immutable supply chain is needed to identify the origin of counterfeit goods which have somehow reached the consumers [1]. In a supply chain, many departments are linked to each other through RFID tags, which each department uses to acquire its own data.
Recently, several lightweight authentication protocols have been proposed with the goal of achieving secure authentication through bitwise operations, because of the limited computational capabilities of low-cost RFID tags. For devices with low computational power and energy constraints, bitwise operations are often suggested in place of cryptographic primitives, which leads to various vulnerabilities [2]. These bitwise operations have not been shown to yield a secure protocol [3][4][5][6][7][8]. In this article, we reveal that multiple uses of rotation functions (ROT) and XOR operations without cryptographic primitives do not secure a protocol against various attacks, by cryptanalyzing the recently published protocol of Jangirala et al., "Designing secure lightweight blockchain-enabled RFID-based authentication protocol for supply chains in 5G mobile edge computing environment (LBRAPS)" [9].
The LBRAPS protocol is based on the bitwise rotation (ROT) operation, a one-way hash function and bitwise XOR. It consists of two phases: (1) initialization and (2) mutual authentication. The authors claimed, based on a formal security analysis with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, that LBRAPS provides mutual authentication and is immune to many known threats such as tag impersonation and reader impersonation attacks. However, the key issue with their design is that an attacker can acquire the credentials by capturing transmitted messages, because the design relies only on the bitwise rotation operation. We demonstrate that the protocol is not immune to reader impersonation, tag impersonation and supply chain node impersonation attacks. We also use the AVISPA tool to show that Jangirala et al.'s protocol is not secure against these attacks, and we propose security countermeasures for the protocol.
The rest of the article is organized as follows. Section 2 describes related work and its vulnerabilities. We summarize Jangirala et al.'s protocol in Sect. 3. The problem statement is illustrated in Sect. 4, where we cryptanalyze Jangirala et al.'s protocol. Sect. 5 provides the formal analysis of Jangirala et al.'s protocol, which shows that it is vulnerable to various attacks. In Sect. 6, we propose a remedy, and Sect. 7 summarizes our work.

Related Work
Radio frequency identification (RFID) is one of the leading technologies in the Internet of Things (IoT) because of its low cost, maturity and strong industry support [10]. RFID is a well-known automated identification technology based on radio frequencies that has a wide range of benefits and applications, including the ability to read and write an item's data (i.e. an animal, person or product). Although advances have been made in recent years, designing secure protocols for a constrained environment such as IoT and RFID remains a challenge. This is because the majority of RFID and IoT-connected devices are extremely limited, so common security solutions cannot be used for their communications [11]. To deliver services at low cost, He et al. [12] designed an RFID authentication protocol based on elliptic curve cryptography that combines with an identity to provide mutual authentication. Lee and Chien [13] cryptanalyzed the protocol of [12] and showed that it is not immune to an active-tracking attack. They also proposed an improved RFID authentication protocol to resist this attack.
An RFID authentication protocol combined with an ID-verifier transfer mechanism based on ECC was devised by [14]. Later, the same protocol [14] was proven by [15] to be non-resilient with respect to ID-verifier confidentiality and forward security, and [15] proposed an efficient authentication approach to fix these vulnerabilities. He and Zeadally [16] presented a comprehensive study of several ECC-based RFID authentication mechanisms and observed that only some security features are satisfied.
Two RFID mutual authentication protocols with a cache in the reader were presented by [17] for IoT, namely LRMAPC (P1) and ULRMAPC (P2). Li et al. [18] proved that LRMAPC does not resist reader impersonation, message eavesdropping and tag forgery attacks. LRMAPC is lightweight and ULRMAPC is an ultralightweight protocol, but neither of them provides untraceability.
The ultralightweight primitive referred to as 'pseudo-Kasami code' was introduced by Mujahid et al. [5]. The anonymity of RFID systems is obtained through the unpredictable state of the secret keys. In addition, a mutual RFID authentication protocol was introduced that depends on the Hamming weight, pseudo-Kasami code, bitwise rotation and bitwise XOR. [19] proposed another RFID-based protocol to overcome the flaw of [5]. It provides an extra security feature known as the untraceable command. The "untraceable" command allows a tag to uncover its secret credentials, including the Electronic Product Code and the user memory. Because any unknown reader implementing this protocol can act as a preferred reader and remove the anonymity of a tag, such a feature can become the cause of security attacks.
Sidorov et al. [4] proposed a protocol for a blockchain-enabled supply chain infrastructure. The key concern with their design was that an attacker can easily obtain the credentials by recording the messages communicated over the public channel, since the design depended on the bitwise rotation function only. Similarly, according to Masoumeh and Mahyar [3], multiple applications of ROT combined with XOR operations do not produce a secure protocol. Later, Jangirala et al. [9] proposed a protocol and claimed that it is secure against various attacks. In this paper, we show that single or multiple uses of rotation (ROT) functions and XOR operations without cryptographic primitives do not secure a protocol against various attacks, by cryptanalyzing the recently published protocol of Jangirala et al., "Designing secure lightweight blockchain-enabled RFID-based authentication protocol for supply chains in 5G mobile edge computing environment (LBRAPS)" [9]. Hence, we present an analysis of Jangirala et al.'s protocol and highlight its vulnerabilities.

Review of Jangirala et al.'s Protocol
There are three entities in the protocol: the tag T, the reader R and the supply chain node S. The common notations used are shown in Table 1. The protocol has two phases: the initialization phase, and the login and authentication phase.
Table 1 (notation, partially recovered): X_RS, secret key between reader and supply chain; SK, session key; B_S, blockchain associated with S; I, identity.

Initialization Phase
To set up the protocol, the identity I_T of a tag T or reader R is treated as a password, and the blockchain produces a public-key address for each account identifier. Therefore, the tag stores the record {I_T, B_BC} in its database, where B_BC is the balance amount and I_T the tag identity in the blockchain under department D_i. Similarly, every reader R saves I_R in its repository. S and R then exchange a secret key, where B_S denotes the blockchain connected with S. R initiates the transaction message and forwards it towards T. Additionally, R must have an initial balance in its account in order to make transactions. Consequently, B_BC denotes the balance of T in the blockchain, and for every new transaction it is updated as B_New = B_BC + S_Amount, where S_Amount denotes the amount of the S transaction.

Login and Authentication Phase
The entities S, T and R perform the following steps to establish the session key SK between T and S.
Step 1: The reader R generates a nonce R_N and the current time-stamp T_R. Furthermore, it calculates: , and then sends the request message
Step 2: After receiving the message TM_1 from R, T first validates the time-stamp T_R. If it does not hold, the session is aborted by
Step 3: After receiving the message TM_2 from T, R validates the time-stamp T_R to check the authenticity of the received message. If it holds, R verifies. If it holds, R then generates two nonces R_a, R_b, selects T'_R, and calculates:
Step 4: After receiving TM_3 from R, S checks the legitimacy of the time-stamp T'_R. If it holds, S proceeds with the authentication mechanism to start the predefined smart contract on the BC. The authentication mechanism is enabled via the S of the BC by validating whether I_T is present in the S repository. If it is not available, the session is aborted; otherwise S gets B_BC-REC and performs the following calculations:
Step 5: After receiving the message TM_4 from S, R verifies the validity of the received time-stamp T_S. If it holds, R extracts the random nonce S_R as S'_R = ROT_R(S_Q ⊕ ROT_L(T_S, X_RS), I_S) and checks it to authenticate S by validating S_P R_N ) and sends the message TM_5 = {S_S, R_Q, T_S} towards T through an insecure channel.
Step 6: After receiving the message TM_5 from R, T fetches the nonce to validate both S and R by checking the condition . If it does not match, T rejects the communication request; otherwise T updates B_New = B_BC + S_Amount in its database record. After the session key SK_ST has been established between T and S with the help of R, B_BC is updated in the DL with the new balance B_New. The purpose of preserving the session key between S and T is that the blockchain will interact with the relevant authority whenever S and T wish to communicate securely using the session key SK_ST.

Cryptanalysis of the Protocol
We assume the same adversarial model as Jangirala et al., in which an adversary A_ad can block, alter or even delete messages on the radio link between a reader and a tag. It can also perform cloning and physical attacks. Further, we suppose that there are various readers in the system and that the adversary has control over the public channel.

Reader Impersonation
The tag stores {I_T} in its memory during the initialization process. Suppose I_T is somehow leaked (stolen or retrieved through power analysis [20]) to A_ad. We show that SK can then be constructed and impersonation is possible, because the reader uses {I_T} in the generation of the login message TM_1 = {M_R, C_R, T_R}. Therefore, A_ad can easily obtain these parameters and utilize them to mount an impersonation attack on a legitimate reader. For this purpose, A_ad performs the following steps:
Step 1: First of all, A_ad randomly selects R
Step 2: After the above calculations, A_ad sends the request message
Step 3: Upon receiving the request message TM_1, the tag first checks the validity of the time period T_R. Then, it extracts R_N as
Actually, this R_N is generated by the adversary during the login process. Hence, both R_N and R
Hence, A_ad has successfully impersonated a legal reader and the protocol is vulnerable to a reader impersonation attack. The detail is given in Fig. 1.

Tag Impersonation
The tag stores {I_T} in its memory during the initialization process. Suppose I_T is somehow leaked (stolen or retrieved through power analysis [20]) to A_ad. Then A_ad can easily extract these parameters and impersonate a valid tag after acquiring the login message TM_1 = {M_R, C_R, T_R}. To impersonate a legitimate tag, the adversary follows these steps:
Step 1: Whenever the reader sends the message TM_1 = {M_R, C_R, T_R} to the tag, A_ad intercepts it and extracts R
Step 2: On receiving the request message
After the above calculations, the reader checks whether the adversary's value A_R(A_ad) equals A_R. The verification check will pass and the reader sends a message to the supply chain, which means that A_ad has successfully impersonated a legitimate tag.
Hence, A_ad can successfully impersonate a valid tag and the protocol is exposed to a tag impersonation attack. The detail is illustrated in Fig. 2.

Supply Chain Node Impersonation Attack
S and R share a secret key X_RS = h(I_S ‖ B_S ‖ I_R) during the initialization phase, which is session specific. R and S also use this shared secret key during the login and authentication phase. However, both S and R clearly need to store X_RS in some memory so that X_RS can be used later during the login and authentication phase. Suppose A_ad has compromised the reader and revealed X_RS via power analysis [20]. Since I_T and I_R are already revealed to A_ad (Sec. V of ref [9]), after extracting the parameters {I_R, I_T, X_RS} a supply chain node impersonation attack is possible in this protocol. The details of this attack are given below.
Step 1: Whenever the reader sends TM_3 to the supply chain, A_ad intercepts the message TM_3 = {M_Q, M_P, R_check, T'_R} and saves it for later use. Next, A_ad requires the parameters {S_P, S_Q, S_S, T_S} to impersonate a legal supply chain node. To get these parameters, A_ad executes the following steps:
Step 2: First, A_ad randomly generates a nonce S_R and a time-stamp T_S and then calculates S_P = ROT_L(T_S, I_S ⊕ X_RS) ⊕ ROT_L(S_R, X_RS) and S_Q = ROT_L(S_R, I_S) ⊕ ROT_L(T_S, X_RS).
Step 3: A_ad calculates the valid session key SK_ST
Step 4: Then, A_ad can send the request message TM_5 = {S_P, S_Q, S_S, T_S} as a legal supply chain node. Hence, A_ad can impersonate a legitimate supply chain node and the protocol is exposed to a supply chain node impersonation attack. The detail is shown in the
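The root cause described in this section is that every operation between the stored secrets (I_S, X_RS) and the transmitted terms (S_P, S_Q) is a rotation or an XOR, both of which are exactly invertible, so the reader's own check in Step 5 of the protocol review succeeds for anyone holding those two values. The following Python is an added illustration, not code from the paper or from the LBRAPS authors: it implements the S_P, S_Q formulas and the S'_R extraction exactly as written above, and assumes (the paper does not specify it) a 32-bit word and the common convention that ROT_L(x, y) rotates x left by the Hamming weight of y; all numeric values are constructed samples.

```python
# Added example (not from the paper): the ROT/XOR arithmetic of the S_P / S_Q
# terms, showing that each step is exactly invertible.
WIDTH = 32                      # word width assumed for the demonstration
MASK = (1 << WIDTH) - 1

def hw(y: int) -> int:
    """Hamming weight of y (number of set bits within the word)."""
    return bin(y & MASK).count("1")

def rot_l(x: int, y: int) -> int:
    """ROT_L(x, y): rotate x left by hw(y) positions (assumed ROT convention)."""
    k = hw(y) % WIDTH
    return ((x << k) | (x >> (WIDTH - k))) & MASK

def rot_r(x: int, y: int) -> int:
    """ROT_R(x, y): rotate x right by hw(y) positions; the exact inverse of rot_l."""
    k = hw(y) % WIDTH
    return ((x >> k) | (x << (WIDTH - k))) & MASK

def build_sp_sq(s_r: int, t_s: int, i_s: int, x_rs: int):
    """S_P and S_Q as written in the paper (the same formulas a genuine S uses)."""
    s_p = rot_l(t_s, i_s ^ x_rs) ^ rot_l(s_r, x_rs)
    s_q = rot_l(s_r, i_s) ^ rot_l(t_s, x_rs)
    return s_p, s_q

def recover_s_r(s_q: int, t_s: int, i_s: int, x_rs: int) -> int:
    """Reader-side extraction S'_R = ROT_R(S_Q xor ROT_L(T_S, X_RS), I_S) from Step 5.
    Because rot_r undoes rot_l and XOR is self-inverse, this returns S_R exactly."""
    return rot_r(s_q ^ rot_l(t_s, x_rs), i_s)

def reader_accepts(s_p: int, s_q: int, t_s: int, i_s: int, x_rs: int) -> bool:
    """Reader check: recover S_R from S_Q, recompute S_P from it and compare.
    Nothing in this check depends on anything other than (I_S, X_RS), which is
    why the paper concludes that whoever holds them passes as S."""
    s_r = recover_s_r(s_q, t_s, i_s, x_rs)
    return build_sp_sq(s_r, t_s, i_s, x_rs)[0] == s_p

def demo() -> dict:
    # Constructed sample values (not from the paper).
    i_s, x_rs = 0x1A2B3C4D, 0xCAFEBABE     # node identity and shared secret
    s_r, t_s = 0x0F0F1234, 0x65432100      # node nonce and time-stamp
    s_p, s_q = build_sp_sq(s_r, t_s, i_s, x_rs)
    return {
        "recovered_equals_nonce": recover_s_r(s_q, t_s, i_s, x_rs) == s_r,
        "reader_accepts": reader_accepts(s_p, s_q, t_s, i_s, x_rs),
        "corrupted_sp_rejected": not reader_accepts(s_p ^ 1, s_q, t_s, i_s, x_rs),
    }

if __name__ == "__main__":
    print(demo())
```

The check in reader_accepts is the whole of what the reader learns about S: there is no one-way step between the stored secrets and the transmitted terms, which is exactly the gap the countermeasures section addresses by moving the secret into a PUF that is never stored in readable memory.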

Formal Security Analysis of Jangirala et al.'s Protocol
Formal security analysis based on the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool [21] has recently been used by many authentication protocols to validate whether a security protocol resists man-in-the-middle and replay attacks [22][23][24].

Analysis of Simulation Results
We have used the widely accepted CL-AtSe and OFMC back-ends of the AVISPA tool and simulated Jangirala et al.'s protocol with these two back-ends. Jangirala et al. use the bitwise XOR operation frequently during computation. We have not implemented Jangirala et al.'s protocol on the other two back-ends, TA4SP and SATMC, because these back-ends do not implement XOR; therefore, we omit the simulation results of TA4SP and SATMC from our paper. Fundamentally, three verifications are necessary for Jangirala et al.'s protocol. We check: (1) the Dolev-Yao model, (2) replay attacks, and (3) the executability of the significant HLPSL specifications.
Executing the significant specifications of Jangirala et al.'s protocol in the HLPSL language is necessary to guarantee that the protocol of [9] can reach a position where an attack can take place during a run of the protocol. In the HLPSL implementation, Jangirala et al.'s protocol was translated into the HLPSL language and reached its design goals by guaranteeing executability. Our model was simulated to test executability and model checking for a limited number of sessions. The CL-AtSe and OFMC back-ends confirm whether legitimate agents can run the described protocol by searching for passive intruder attacks for replay attack checking. For the Dolev-Yao model verification, the CL-AtSe and OFMC back-ends verify whether any man-in-the-middle attack is possible by the intruder i. The OFMC back-end visits nodes to a depth of 6 plies and takes 0.07 seconds of search time, while CL-AtSe examines 4 states and takes a translation time of 0.10 seconds, and each of the 4 states is reachable. During this analysis, we have found that four states

Countermeasures
The protocol is vulnerable to supply chain node impersonation, tag impersonation and reader impersonation attacks because during the registration phase each entity's identity is stored in its memory and can be extracted. We have also seen that the use of bitwise rotation functions is not enough for designing a secure protocol, even when point multiplication has also been used. Similarly, the supply chain node stores its secret key in its memory during the registration phase, and this key can also be revealed.
One way to make an authentication protocol secure is to combine the bitwise operations with strong cryptographic primitives such as a one-way hash function, encryption, elliptic curve cryptography and public key cryptography. These techniques require more computation and energy resources. Although it would then be difficult for attackers to impersonate the tag, reader and supply chain nodes, this solution is not suitable for low-cost tags with energy and computational constraints, and it also relies on the assumption that the server is trusted and physically secured.
The other solution we propose for lightweight protocols is a physically unclonable function (PUF) [25] embedded in the micro-controller of the RFID tag and reader. During the registration phase, the certificate authority randomly generates a small subset of challenges and applies them to the PUF in order to produce the corresponding set of responses. For each token, the challenge-response pairs (CRPs) are stored in a secure database by the certificate authority. Later, the CRPs are used for token authentication. Without access to a given PUF (weak or strong), it is impossible for an attacker to arrive at the response corresponding to a challenge in order to impersonate the tag or reader. Since the output of a PUF is always unique and depends on the physical characteristics of the device for which it is determined, any attempt to tamper with the memory of the RFID tag or reader will automatically change the behavior of the PUF. The key from the PUF can be generated only when required for a cryptographic operation and can be erased immediately afterwards. Consequently, the output of the challenge-response pair changes and the adversary is prevented from impersonating a valid entity.
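The CRP enrollment and authentication flow described above, as an added example that is not part of the paper or of any PUF product: the certificate authority enrolls a token by storing a few challenge-response pairs, then authenticates it by spending one fresh pair per run. The PUF itself is an assumption-labelled simulation (a keyed hash over a hidden per-device value), since a real PUF derives its response from manufacturing variation rather than from a stored key; a "tampered" device is modelled as one whose physical state, and therefore its function, has changed. Token identifiers and all random values are constructed.

```python
import hmac
import hashlib
import os

class SimulatedPUF:
    """Stand-in for a silicon PUF (assumption: a keyed hash over a hidden per-device
    value). Only the interface challenge -> device-specific response is modelled;
    a real PUF has no stored key to extract."""
    def __init__(self, physical_state: bytes):
        self._state = physical_state

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._state, challenge, hashlib.sha256).digest()

class CertificateAuthority:
    """Holds the CRP database; each CRP is consumed by exactly one authentication."""
    def __init__(self):
        self.crp_db = {}            # token_id -> list of [challenge, response, used]

    def enroll(self, token_id: str, puf: SimulatedPUF, n: int = 4) -> None:
        """Registration phase: pick n random challenges, record the PUF's responses."""
        crps = []
        for _ in range(n):
            challenge = os.urandom(16)
            crps.append([challenge, puf.respond(challenge), False])
        self.crp_db[token_id] = crps

    def authenticate(self, token_id: str, device_answer) -> bool:
        """device_answer(challenge) models the over-the-air round trip to the token."""
        for crp in self.crp_db.get(token_id, []):
            if crp[2]:
                continue
            crp[2] = True           # mark used before checking: a CRP is never reused
            return hmac.compare_digest(device_answer(crp[0]), crp[1])
        return False                # unknown token, or no fresh CRP left

def demo() -> dict:
    genuine = SimulatedPUF(os.urandom(32))    # constructed per-device state
    tampered = SimulatedPUF(os.urandom(32))   # memory tampering => changed PUF behaviour
    ca = CertificateAuthority()
    ca.enroll("tag-0001", genuine, n=3)       # constructed token id

    captured = {}
    def recording_device(challenge: bytes) -> bytes:
        # An eavesdropper sees one exchange; this records what went over the air.
        captured["resp"] = genuine.respond(challenge)
        return captured["resp"]

    return {
        "genuine_ok": ca.authenticate("tag-0001", recording_device),
        # Replaying a recorded response fails: the CA issues a different, unused challenge.
        "replay_rejected": not ca.authenticate("tag-0001", lambda c: captured["resp"]),
        "tampered_rejected": not ca.authenticate("tag-0001", tampered.respond),
        "exhausted_rejected": not ca.authenticate("tag-0001", genuine.respond),
        "unknown_token_rejected": not ca.authenticate("tag-9999", genuine.respond),
    }

if __name__ == "__main__":
    print(demo())
```

Two design points matter for the argument in this section: the CA marks a CRP as used before comparing, so a recorded response can never be replayed against the same challenge, and the secret never sits in tag memory as a value, which is the property the ROT/XOR design lacks.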

Conclusion
In this paper, we have shown the vulnerabilities associated with using bitwise operations by cryptanalyzing an RFID-based supply chain protocol that uses operations such as ROT and XOR. We have shown that the protocol is vulnerable to tag, reader and supply chain node impersonation attacks due to these bitwise operations, and we propose using physically unclonable functions for such lightweight protocols. In future work, we plan to implement and analyze the RFID PUF-based solution for supply chains.