Abstract
As RFID-tagged systems become ubiquitous, acceptance of this technology by the general public necessitates addressing related security/privacy issues. The past eight years have seen an increasing number of publications in this direction, specifically using cryptographic approaches. Recently, the Journal of Medical Systems published two papers addressing security/privacy issues through cryptographic protocols. We consider the proposed protocols and identify some existing vulnerabilities.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
Introduction
Radio-Frequency Identification (RFID) tags are increasingly being used in the health care domain for improving the effectiveness of health care delivery (e.g., [3]). As RFID tags become ubiquitous, concerns with respect to their privacy/security characteristics are increasingly being discussed among relevant entities. In a world where identity-theft, counterfeit products, corporate espionage, tracking, etc. are rampant, the urgent need to address privacy/security issues are especially crucial for successful deployment of RFID technology. This is especially crucial in the medical environment where privacy and security issues are rather critical given the sensitive nature of data in this domain as well as possible ramifications associated with violation of privacy and security.
Although these issues themselves are not new in a general context, they are new and idiosyncratic to the RFID context primarily due to their item-level (as opposed to class-level in the case of bar codes) identification capabilities. Whereas RFID was introduced about seven decades ago, major thrust in research addressing its security/privacy vulnerabilities has existed only for about eight years. Researchers have approached several facets of security/privacy issues from a cryptographic perspective. RFID is a very active area (e.g., [5]), and several papers have already been published in the Journal of Medical Systems (e.g., [1, 2, 4, 6–8]). The Journal of Medical Systems recently published two papers addressing issues related to RFID cryptography. Both these papers consider grouping protocols, which are cryptographic authentication protocols that validate the simultaneous presence of a specific group of RFID tags in the field of the reader. We consider the protocols presented in these papers and identify some of their inherent vulnerabilities.
The remainder of this paper is organized as follows: we consider the three protocols that were proposed in these two papers and identify some vulnerabilities in these protocols in the next Section. We conclude the paper with a brief discussion in the last section.
Mutual Authentication Protocols
Notations used in this paper:
-
r i , r p , r: random l-bit vectors
-
ID, PIN, EPC, R: identifier
-
k: l-bit shared secret key
-
f k : keyed (with key k) encryption function
-
TS: time stamp
-
CRC: cyclic redundancy check
-
PRNG: pseudo-random number generator
-
⊕: Exclusive-OR (XOR)
Huang and Ku Protocol
The Huang and Ku grouping proof protocol [2] considers two types of tags—the pallet tag that is worn as a bracelet by the patient and the other (item) tags that are on items that interact with the patient. The protocol is initiated by the Reader which sends the current time stamp (TS) to both the pallet tag and the first item tag in the sequence for this grouping proof. The pallet tag waits till it hears again from the Reader. The first item tag computes its m value (Fig. 1) and sends it to the Reader, which then forwards it to the second tag, and so on. In Fig. 1, n refers to the total number of item tags and ‘TS or m i − 1’ results in TS for the very first tag and m i − 1 for the remainder of the tags. Here, both PIN and EPC (Electronic Product Code) are used as tag identifiers. When the last tag (i.e., tag n) gets back to the Reader with its m value (i.e., m n ), the Reader forwards this to the pallet tag, which computes P that is then verified by the Reader.
Protocol of Huang and Ku [2]
This protocol uses PRNGs to encrypt messages passed among the entities (item tag, reader, pallet tag). A fundamental vulnerability is in this encryption since PRNG used in these tags are readily available to an adversary who can use this to compromise security of the RFID tagged items. Chien et al. [1] identify two vulnerabilities in this (Fig. 1) protocol of which only one is valid: Denial of Service (DoS) attack and replay attack. The former occurs when an adversary forces the tag to update its PIN by repeatedly sending random TS values. Since the tag does not verify the reader, this is easy to accomplish and the reader’s version of the tag’s PIN would be different from the tag’s actual PIN and they no longer would be able to communicate. The latter attack purportedly occurs when an adversary sends future TS values to the tag to collect its response, which are then replayed to the reader at later points in time. However, this latter attack will not work since the tag would have changed its PIN value and the reader expects a different (updated) PIN value. Moreover, Chien et al.’s implicit assumption that the latter attack (even if it) works is false since TS is sent only to the first tag in the sequence—i.e., it does not apply to the remainder of the tags. Since the attack as proposed by Chien et al. does not work for any tag, this is moot.
There are a few other vulnerabilities in this protocol. Since the EPC of every tag (including the pallet tag) is sent in the open in plaintext, an adversary can use this identifier information to track the tagged (item as well as pallet) object [5]. Being able to be tracked violates privacy/security of the tagged object. Since these tags do not have an on-board clock, an adversary can accomplish this attack by sending any random TS to the item tag, which would respond with its EPC value. As for the pallet tag, the adversary can send random TS and m n to the pallet tag which responds with its EPC since it does not validate TS or m n .
An adversary can impersonate the first tag in the sequence once using the ease with which PRNG(x) can be computed for any given x since PRNG is public information. The adversary can send a random TS A value to the tag, which responds with (EPC1, m 1). The adversary can capture this and wait till the reader initiates a Grouping proof round. When the reader sends a new TSnew to the first tag, the adversary impersonating this tag can capture it and compute m new ←m 1 ⊕ TS A ⊕ TSnew and send (EPC1, m new) to the reader, which will accept this as a valid message.
Chien et al. Protocol [On-line Verifier]
After identifying vulnerabilities in [2], Chien et al. [1] propose modified protocols that address the identified vulnerabilities. They propose two protocols—one with an on-line verifier, and another with an off-line verifier. Both these proposed protocols, however, are still vulnerable to attacks from an adversary. We consider the on-line verifier protocol first followed by the off-line verifier protocol.
The idea behind the on-line verifier protocol is similar to the protocol presented in [2]. The primary difference is in the independent way in which each of the tags are authenticated to be simultaneously present in the field of the reader. Unlike [2], this protocol does not use a TS but uses a freshly generated random nonce (r) for each authentication round.
As in [2], the protocols proposed in [1] are vulnerable to tracking/tracing attack since the EPC values of item tags as well as the pallet tag are broadcast in plaintext (Fig. 2). Since the EPC value uniquely identifies a tag, and therefore the tagged item or pallet, this is a serious vulnerability in a medical setting.
Protocol of Chien et al. [on-line verifier] [1]
This (on-line verifier) protocol exposes every tag in the sequence to vulnerabilities because of the independent way in which the tags are authenticated—i.e., this is unlike the protocol presented in [2] where the input to each tag (except the first tag in the sequence where it is TS) is the output from the previous tag in the sequence, where it is difficult to determine the input for any randomly chosen tag in the sequence. In response to the reader’s r, every tag (including those on items as well as pallet) responds with (m i ←PRNG(EPC i ⊕ PRNG(PIN i ) ⊕ PRNG(r) ⊕ PRNG(r i )), EPC i , r i ). Since PRNG is known to the adversary and since PRNG(EPC i ⊕ PRNG(PIN i )) is constant because EPC i and PIN i are not updated, the adversary can observe an authentication round and replay message from a previous round to the reader and can easily impersonate any tag (including the pallet tag) to the reader. This can be accomplished by generating an r i(new) in response to r new from reader such that (PRNG(r i(new)) ⊕ PRNG(r new) = PRNG(r i ) ⊕ PRNG(r)) where r and r i are from any previous authentication round. This attack can be prevented by a reader that keeps track of every message received from every tag and checking for repetitions. However, this involves a considerable amount of overhead that increases linearly with the number of authentication rounds.
The protocol checks for round-trip time taken by messages between reader and tag to ensure that they are within valid limits. The purpose of this step is unclear since this protocol is clearly not immune to relay attacks (e.g., [9]). It is also unclear as to why the protocol uses EPC i ⊕ PRNG(PIN i ) instead of either EPC i or PRNG(PIN i ) since EPC i and PRNG(PIN i ) are constant for a given tag. Similarly, for the reader, it is not clear why R ⊕ PRNG(PIN R ) is used instead of either R or PRNG(PIN R ) since both these are constant.
Chien et al. Protocol [Off-line Verifier]
The Chien et al. protocol with an off-line verifier is given in Fig. 3. In Fig. 3, n refers to the total number of item tags and ‘t or m i − 1’ results in t for the very first item tag and m i − 1 for the remainder of the item tags. This protocol is a modified version of the protocol presented in [2]. Again, instead of using time stamp in plaintext (as in [2]), encrypted time stamp is used apparently to avoid replay attacks. The Reader sends the encrypted time stamp to both the pallet tag and the first item tag. The pallet tag waits for another message from the Reader. The first item tag generates its m-value (m 1) and sends it to the Reader, which then forwards it to the second item tag, and so on. The Reader sends the m-value from the last item tag in the sequence (i.e., m n ) to the pallet tag which generates its m p value. This m p value is then validated by the Reader.
Protocol of Chien et al. [off-line verifier] [1]
Again, the EPC values are sent in plaintext and this leads to security/privacy violations. An adversary can replay either t or m i − 1 from an earlier round to the tag and can receive its EPC, which is an unique identifier of the tag.
Discussion
RFID authentication protocols, despite being a very active research area, have not received much attention in medical journals. There have only been two published research papers in the Journal of Medical Systems that directly address RFID authentication issues. However, the protocols presented in both these papers are vulnerable to attacks from an adversary and are therefore not secure. We identified some of these vulnerabilities. More research is needed to develop protocols that are resistant to attacks from both passive and active adversaries to gain trust among consumers of RFID technology.
References
Chien, H.-Y., Yang, C.-C., Wu, T.-C., and Lee, C.-F., Two RFID-based solutions to enhance inpatient medication safety. J. Med. Syst., 2009. doi:10.1007/s10916-009-9373-7.
Huang, H.-H., and Ku, C.-Y., A RFID grouping proof protocol for medication safety of inpatient. J. Med. Syst. 33:467–474, 2009.
Meiller, Y., Bureau, S., Zhou, W., and Piramuthu, S., Simulation of a health care knowledge-based system with RFID-generated information. In: Proceedings of the Asian Simulation Technology Conference (ASTEC2010), pp. 110–114. Shanghai, 2010.
Min, D., and Yih, Y., Fuzzy logic-based approach to detecting a passive RFID tag in an outpatient clinic. J. Med. Syst., 2009. doi:10.1007/s10916-009-9377-3.
Piramuthu, S., Protocols for RFID tag/reader authentication. Decis. Support Syst. 43(3):897–914, 2007.
Shim, H., Uh, Y., Lee, S. H., and Yoon, Y. R., A new specimen management system using RFID technology. J. Med. Syst., 2010. doi:10.1007/s10916-009-9417-7z.
Stahl, J. E., Holt, J. K., and Gagliano, N. J., Understanding performance and behavior of tightly coupled outpatient systems using RFID: initial experience. J. Med. Syst., 2009: doi:10.1007/s10916-009-9365-7.
Sun, P. R., Wang, B. H., and Wu, F., A new method to guard inpatient medication safety by the implementation of RFID. J. Med. Syst. 32:327–332, 2008.
Tu, Y.-J., and Piramuthu, S., RFID distance bounding protocols. In: Proceedings of the First International EURASIP Workshop on RFID Technology (RFID2007), pp. 67–68. Vienna, 2007.
Acknowledgements
The authors would like to thank the reviewers for their suggestions to improve the content and presentation of this paper.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Wickboldt, AK., Piramuthu, S. Patient Safety Through RFID: Vulnerabilities in Recently Proposed Grouping Protocols. J Med Syst 36, 431–435 (2012). https://doi.org/10.1007/s10916-010-9487-y
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10916-010-9487-y