RFID Authentication Protocols using Symmetric Cryptography by Boyeon Song RHUL-MA-2009-24 Abstract: Radio Frequency IDentification (RFID) is emerging in a variety of applications as an important technology for identifying and tracking goods and assets. The spread of RFID technology, however, also gives rise to significant user privacy and security issues. One possible solution to these challenges is the use of a privacy-enhancing cryptographic protocol to protect RFID communications. This thesis considers RFID authentication protocols that make use of symmetric cryptography. We first identify the privacy, security and performance requirements for RFID systems. We then review recent related work, and assess the capabilities of previously proposed protocols with respect to the identified privacy, security and performance properties. The thesis makes four main contributions. First, we introduce server impersonation attacks as a novel security threat to RFID protocols. RFID tag memory is generally not tamper-proof, since tag costs must be kept low, and thus it is vulnerable to compromise by physical attacks. We show that such attacks can give rise to desynchronisation between server and tag in a number of existing RFID authentication protocols. We also describe possible countermeasures to this novel class of attacks. Second, we propose a new authentication protocol for RFID systems that provides most of the identified privacy and security features. The new protocol resists tag information leakage, tag location tracking, replay attacks, denial of service attacks and backward traceability. It is also more resistant to forward traceability and server impersonation attacks than previously proposed schemes. The scheme requires less tag-side storage than existing protocols and requires only a moderate level of tag-side computation. Next, we survey the security requirements for RFID tag ownership transfer. In some applications, the bearer of an RFID tag might change, with corresponding changes required for the RFID system infrastructure. We propose novel authentication protocols for tag ownership and authorisation transfer. The proposed protocols satisfy the requirements presented, and have desirable performance characteristics. Finally, we address the issue of scalability in anonymous RFID authentication protocols. Many previously proposed protocols suffer from scalability issues because they require a linear search to identify or authenticate a tag. Some RFID protocols, however, only require constant time for tag identification; unfortunately, all previously proposed schemes of this type have serious shortcomings. We propose a novel RFID pseudonym protocol that takes constant time to authenticate a tag, and meets the identified privacy, security and performance requirements. The proposed scheme also supports tag delegation and ownership transfer in an efficient way.