## 1. Introduction

Today, many researchers are developing systems that use mobile phones to reach beyond the boundaries of communication and turn a mobile device into a remote authenticator or a remote control switch. We regularly use computers, mobile phones and other smart communication systems for electronic interactions, bank payments and paying bills remotely. To be convenient for their users, all of these technologies must provide security and preserve privacy. To meet this requirement, many authentication protocols have been proposed for such environments. Some protocol designers have built their protocols on rotation operations in order to keep them ultra-lightweight.

RFID is one of the technologies often used in these devices; it identifies objects using radio waves. An RFID system has three main components: tags, readers and a back-end database. Tags are small electronic chips attached to a product, an object or a person that we aim to track or authenticate. Readers, which can be implemented in cell phones, tablets and similar devices, are electronic equipment that detect the presence of tags in an environment and retrieve the information stored in them. The back-end database stores extra information about the readers and the tags; it can be integrated with the reader in a cell phone or similar communication device, or run on a separate server outside these devices.

There are two important issues in RFID systems: identification and authentication. Identification means that the reader and the tag can recognize each other. When the reader broadcasts a query to identify or search for a particular tag, more than one tag may receive the request and reply simultaneously; their data then collide on the reader side and are destroyed. The same happens for readers: if two or more requests from different readers arrive at a particular tag at the same time, they collide and the data is destroyed. So there are three kinds of collisions: tag-tag, reader-reader and tag-reader collisions. To counter this problem, anti-collision algorithms have been introduced, which have their own literature, e.g., [1,2,3,4,5,6,7,8,9,10,11]. There are many open issues in anti-collision for RFID systems, e.g., increasing the number of tags a reader can read. Since the efficiency of an RFID system depends on the number of tags read in a given time, much effort goes into increasing that number [5,10,11]. Once the tag or the reader has been identified, it should be authenticated in the next step, which addresses the RFID security issues. In this phase, known as the authentication phase of the communication, the other readers and tags in the vicinity remain silent to avoid collisions. In this paper we assume that the reader and the tag use a proper anti-collision protocol, and we concentrate on the authentication phase of the reader-to-tag communication.

Authentication protocols ensure that the parties involved are who they claim to be, whereas identification protocols do not provide that assurance. Authentication can be one-way, where only one party's identity is assured during the run, or mutual, where both parties' identities are assured.

**Problem Definition:** Once a reader and a tag have decided to communicate in the identification phase, security protocols are required to protect RFID users. Security protocols such as authentication protocols are expected to provide the CIA triad of security: Confidentiality, Integrity and Availability. Confidentiality means that all secret information of the protocol parties is kept secret; secret disclosure attacks and traceability attacks violate this property. Integrity means that the adversary cannot change or control protocol messages without the parties noticing; impersonation attacks violate it. Availability means that the parties can authenticate each other at any time and stay synchronized; de-synchronization attacks violate it, e.g., by blocking protocol messages or forcing the parties to update their shared secrets to different values, after which they no longer authenticate each other and the service is lost.

Many protocols have been proposed in the literature [12,13,14,15] that attempt to satisfy the CIA principles, but unfortunately several attacks [16,17,18,19,20,21,22,23] have been reported against them, showing that they fail to provide the desired security. Hence, efforts to design a secure protocol are still ongoing, and each new attack gives designers new insight into how (not) to design a protocol. In this way, attacks and security analyses have contributed to the development of the protocols.

**Our contributions:** The contributions of this paper are summarized as follows:

- We show that the ULRAS protocol [24], which is built on a rotation function, is not secure, and that fixing its security problems through any particular mode of the rotation function may not be possible.
- We propose an improved protocol, named UEAP, that uses lightweight encryption functions and resolves the security pitfalls of ULRAS.
- We give a security proof of UEAP both informally and formally, the latter with the Scyther tool.

In fact, we show that the ULRAS protocol, like the SASI protocol [12] and the Gossamer protocol [13], is not secure. Precisely, we present a de-synchronization attack against ULRAS; hence, employing it in any application is not recommended. Using ULRAS as an example, we argue that designing a secure protocol using only the rotation operation, without cryptographic primitives, is not possible.

**Paper’s organization:** The rest of this paper is structured as follows. Section 2 introduces the required preliminaries, including a brief review of rotation-based RFID authentication protocols and a description of the ULRAS protocol. Section 3 presents the security analysis of the protocol. Section 4 proposes an improved protocol, and Section 4.1 evaluates its security. Finally, Section 5 concludes the paper.

## 3. Security Analysis of ULRAS Protocol

The main observation behind our attacks on the ULRAS protocol is that the reverse function used in the protocol, ${X}^{\prime}=Reverse(X,Y)$, equals $X\oplus Y$, as the truth table in Table 2 shows. With this equality, $RR(X,Y)$ can be written as

$$RR(X,Y)=Rot({X}^{\prime},Y)=Rot(Reverse(X,Y),Y)=Rot(X\oplus Y,Y)=(X\oplus Y)\lll (Y \bmod L),$$

where $L$ is the bit-length of $X$ and $Y$ and $\lll$ denotes the rotation performed by $Rot$ (rotating right, written $RoR$ in Section 3.3, undoes it). Given that $RR(X,Y)=(X\oplus Y)\lll (Y \bmod L)$, in this section we present our security analysis of the ULRAS protocol.

#### 3.1. De-Synchronization Attack

In a de-synchronization attack, the adversary causes a value shared between the protocol parties to be updated to different values on each side. The parties may then no longer authenticate each other, so the adversary destroys the availability property of the protocol. A security protocol that lacks any of the three main security properties, confidentiality, integrity or availability (the CIA triad), is not secure and should not be used in any sensitive application.

The ULRAS designers claim that, because the reader keeps a history of the old shared $IDS$ and $K$, an adversary cannot de-synchronize the tag and the reader. In this section we present an efficient attack that does exactly that. The attack exploits the fact that the tag and the reader update only part of the key in the last step of the protocol: if the adversary forces them to update different parts of $K$, they become de-synchronized. In a session between the legitimate reader and the target tag $\mathcal{T}$, the adversary proceeds as follows:

1. The reader sends ${T}_{R}$ and $Query$ to the tag.
2. The tag verifies whether ${T}_{R}\stackrel{?}{>}{T}_{t}$, generates ${R}_{t}$, calculates ${M}_{1}=RR(RR(ID\oplus K\oplus {R}_{t}\oplus {T}_{R},ID+{R}_{t}),K\oplus {R}_{t})$, and sends $IDS$, ${M}_{1}$ and ${R}_{t}$ to the reader.
3. The reader forwards $IDS$, ${M}_{1}$, ${R}_{t}$ and ${T}_{R}$ to the back-end database.
4. The back-end database verifies the received ${M}_{1}$, authenticates the tag, generates ${i}_{sub}\in \{1,2,3,4\}$, computes ${M}_{2}=RR(RR(ID\oplus {R}_{t}\oplus {T}_{R},ID\oplus {R}_{t}),{K}_{X}+{R}_{t})$ and ${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})$, and sends them to the reader. It then generates $subkey=Rot({K}_{X}({i}_{sub}),{K}_{X}\oplus {R}_{t}\oplus {T}_{R})$ and updates the tag's parameters as follows:
   - $ID{S}_{old}=ID{S}_{new}$;
   - ${K}_{old}={K}_{new}$;
   - $ID{S}_{new}=Rot(IDS\oplus {R}_{t},K\oplus {R}_{t}\oplus {T}_{R})$;
   - ${K}_{new}$ is obtained by replacing ${K}_{{i}_{sub}}$ with $subkey$.
5. The adversary, who has eavesdropped ${T}_{R}$, ${R}_{t}$, ${M}_{2}$ and ${M}_{3}$, manipulates ${M}_{3}$. Let $x=({K}_{X}\oplus {R}_{t}\oplus {T}_{R}) \bmod L$. Since
   $${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {K}_{X}\oplus {K}_{X}\oplus {R}_{t}\oplus {T}_{R})\lll ({K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x,$$
   the adversary can determine ${i}_{sub}$ and $x$ from ${M}_{3}$:
   - The adversary has eavesdropped ${R}_{t}$ and ${T}_{R}$, so she knows ${R}_{t}\oplus {T}_{R}$. Moreover, ${i}_{sub}$ has only three bits. Given ${R}_{t}\oplus {T}_{R}$ and $({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x$, it is therefore easy to determine $x$ and ${i}_{sub}$ by trying all $4L$ combinations, except in the low-probability case where ${i}_{sub}\oplus {R}_{t}\oplus {T}_{R}$ is rotation-invariant, which we omit for simplicity.
   - The adversary selects ${i}_{sub}^{\prime}\in \{1,2,3,4\}\setminus \{{i}_{sub}\}$ and calculates ${M}_{3}^{\prime}={M}_{3}\oplus (({i}_{sub}\oplus {i}_{sub}^{\prime})\lll x)$.
6. The adversary sends ${M}_{2}$ and ${M}_{3}^{\prime}$ to the tag.
7. Upon receipt of the messages, the tag calculates ${M}_{2}^{\prime}=RR(RR(ID\oplus {R}_{t}\oplus {T}_{R},ID\oplus {R}_{t}),K+{R}_{t})$ with its local values and verifies whether ${M}_{2}^{\prime}\stackrel{?}{=}{M}_{2}$, which holds because the adversary has not changed ${M}_{2}$. Hence, the tag:
   - successfully authenticates the back-end server;
   - extracts ${i}_{sub}^{\prime}$ from ${M}_{3}^{\prime}$, where ${i}_{sub}^{\prime}\ne {i}_{sub}$;
   - generates a new sub-key as $subkey=Rot(K({i}_{sub}^{\prime}),K\oplus {R}_{t}\oplus {T}_{R})$;
   - and finally updates its $IDS$, $K$ and ${T}_{t}$ as follows: $ID{S}_{new}=Rot(IDS\oplus {R}_{t},K\oplus {R}_{t}\oplus {T}_{R})$, and ${K}_{new}$ is obtained by replacing ${K}_{{i}_{sub}^{\prime}}$ with $subkey$.

In the above attack, the tag updates ${K}_{{i}_{sub}^{\prime}}$, where ${i}_{sub}^{\prime}={i}_{sub}\oplus \Delta \ne {i}_{sub}$, while the reader updated ${K}_{{i}_{sub}}$. If ${i}_{sub}\oplus {R}_{t}\oplus {T}_{R}$ is not rotation-invariant, the adversary's success probability of de-synchronizing the tag and the reader is 1, and the cost is one run of the protocol plus some offline computation and a few sent messages. Note that in this attack the tag authenticates the reader and updates its parameters, so the fact that the back-end server keeps a record of the old parameters does not prevent it; the ULRAS protocol is therefore not secure for use.

#### 3.2. Traceability Attack

Traceability attacks arise when constant information bound to a protocol party leaks through the exchanged messages. In this section we present a traceability attack against the ULRAS protocol, which once again shows that the protocol is not secure.

In the de-synchronization attack of Section 3.1, the adversary determines $x$. Given $x=({K}_{X}\oplus {R}_{t}\oplus {T}_{R}) \bmod L$ and that the adversary knows ${R}_{t}\oplus {T}_{R}$, $x$ leaks $\log_{2}L$ bits of ${K}_{X}$ whenever $L={2}^{n}$ for an integer $n$. In that case, the de-synchronization attack above can be turned into a traceability attack on a target tag $\mathcal{T}$ as long as the first quarter of ${K}_{X}$, on which $x$ depends, has not been updated. A passive adversary eavesdrops ${T}_{R}$, ${R}_{t}$ and ${M}_{3}$ and determines $x$. Assuming ${i}_{sub}\ne 1$, the tag $\mathcal{T}$ does not update the first quarter of ${K}_{X}$. Hence, in a later run of the ULRAS protocol between a tag ${\mathcal{T}}^{\prime}$ and the reader $\mathcal{R}$, the adversary can eavesdrop the session, determine $\log_{2}L$ bits of the first quarter of ${K}_{X}$ and decide whether ${\mathcal{T}}^{\prime}\stackrel{?}{=}\mathcal{T}$. Here $\mathcal{T}$ is the target tag whose earlier authentication session with the reader the adversary eavesdropped and recorded, and ${\mathcal{T}}^{\prime}$ is a tag the adversary wants to match against the target. Algorithm 1 summarizes the attack. The adversary's success probability in tracing the tag is 1, and the cost is two runs of the protocol plus some offline computation.

**Algorithm 1:** The proposed traceability attack against the ULRAS protocol

**Data**: ${T}_{R}$, ${R}_{t}$, ${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x$, with ${i}_{sub},{i}_{sub}^{\prime}\ne 1$

**Result**: decides whether ${\mathcal{T}}^{\prime}\stackrel{?}{=}\mathcal{T}$, where $\mathcal{T}$ is the adversary's target tag.

1. Eavesdrop a session between the reader and $\mathcal{T}$ and store ${T}_{R}$, ${R}_{t}$ and ${M}_{3}=RR({i}_{sub}\oplus {K}_{X},{K}_{X}\oplus {R}_{t}\oplus {T}_{R})=({i}_{sub}\oplus {R}_{t}\oplus {T}_{R})\lll x$;
2. Obtain $x=({K}_{X}\oplus {R}_{t}\oplus {T}_{R}) \bmod L$ and ${i}_{sub}$ from ${M}_{3}$, ${T}_{R}$ and ${R}_{t}$, using the fact that ${i}_{sub}\in \{2,3,4\}$;
3. Retrieve $\log_{2}L$ bits of ${K}_{X}$ from $x$;
4. Eavesdrop a session between ${\mathcal{T}}^{\prime}$ and the reader;
5. Obtain ${x}^{\prime}=({K}_{X}^{\prime}\oplus {R}_{t}^{\prime}\oplus {T}_{R}^{\prime}) \bmod L$ and ${i}_{sub}^{\prime}$ from ${M}_{3}^{\prime}$, ${T}_{R}^{\prime}$ and ${R}_{t}^{\prime}$, using the fact that ${i}_{sub}^{\prime}\in \{2,3,4\}$;
6. Retrieve $\log_{2}L$ bits of ${K}_{X}^{\prime}$ from ${x}^{\prime}$;
7. Compare the retrieved bits of ${K}_{X}^{\prime}$ with those of ${K}_{X}$ to decide whether ${\mathcal{T}}^{\prime}\stackrel{?}{=}\mathcal{T}$.
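The following Python model, added here and not code from the ULRAS paper or its designers, implements the observation $RR(X,Y)=(X\oplus Y)\lll (Y \bmod L)$ and runs both the active step of Section 3.1 (recover $({i}_{sub},x)$ from ${M}_{3}$, forge ${M}_{3}^{\prime}$, watch the two sides update different quarters of $K$) and the passive fingerprint of Section 3.2 (the low $\log_{2}L$ bits of ${K}_{X}$ leaked through $x$). Everything the text leaves open is an assumption: $L=64$, $K$ split into four 16-bit quarters with quarter 1 the least-significant one, the tag parsing ${i}_{sub}$ as $({M}_{3}\ggg x)\oplus {R}_{t}\oplus {T}_{R}$, and all key and nonce values, which are constructed test data.

```python
# Added example: not code from the ULRAS paper or its authors. It models
# RR(X, Y) = (X xor Y) <<< (Y mod L) and runs the Section 3.1 de-sync attack
# and the Section 3.2 tracing step. Assumptions not fixed by the paper:
# L = 64-bit words; K is four 16-bit quarters, quarter 1 = low 16 bits; the tag
# parses i_sub as (M3 >>> x) xor R_t xor T_R. All constants are constructed.

L = 64
MASK = (1 << L) - 1
QUARTER = L // 4


def rot_left(v, n):
    n %= L
    return ((v << n) | (v >> (L - n))) & MASK


def rot_right(v, n):
    n %= L
    return ((v >> n) | (v << (L - n))) & MASK


def RR(x, y):
    """ULRAS RR(X, Y) = Rot(Reverse(X, Y), Y), with Reverse(X, Y) == X xor Y."""
    return rot_left(x ^ y, y % L)


def make_m3(i_sub, k_x, r_t, t_r):
    """M3 as the back-end computes it: RR(i_sub xor K_X, K_X xor R_t xor T_R)."""
    return RR(i_sub ^ k_x, k_x ^ r_t ^ t_r)


def recover_isub_and_x(m3, r_t, t_r):
    """Passive step: M3 = (i_sub xor R_t xor T_R) <<< x with i_sub in 1..4 and
    x < L, so 4*L trials suffice. Returns every consistent (i_sub, x) pair;
    there is exactly one unless i_sub xor R_t xor T_R is rotation-invariant."""
    a = r_t ^ t_r
    return [(i, x) for i in (1, 2, 3, 4) for x in range(L)
            if rot_left(i ^ a, x) == m3]


def forge_m3(m3, i_sub, i_sub_new, x):
    """Rotation commutes with xor, so swapping i_sub inside M3 needs no key."""
    return m3 ^ rot_left(i_sub ^ i_sub_new, x)


def tag_parse_isub(m3, k, r_t, t_r):
    """The tag undoes the rotation it can compute from its own K."""
    x = (k ^ r_t ^ t_r) % L
    return rot_right(m3, x) ^ r_t ^ t_r


def subkey(k, i_sub, r_t, t_r):
    """Model of Rot(K(i_sub), K xor R_t xor T_R) applied to one 16-bit quarter."""
    q = (k >> (QUARTER * (i_sub - 1))) & 0xFFFF
    n = (k ^ r_t ^ t_r) % QUARTER
    return ((q << n) | (q >> (QUARTER - n))) & 0xFFFF


def replace_quarter(k, i_sub, sk):
    """K_new: quarter i_sub of K replaced by the sub-key."""
    shift = QUARTER * (i_sub - 1)
    return (k & ~(0xFFFF << shift) & MASK) | (sk << shift)


def run_desync(k, r_t, t_r, i_sub_server, i_sub_new):
    """One session in which the adversary rewrites M3 (Section 3.1).
    Returns (recovered i_sub, recovered x, i_sub the tag parsed, K_server, K_tag)."""
    m3 = make_m3(i_sub_server, k, r_t, t_r)
    hits = recover_isub_and_x(m3, r_t, t_r)
    assert len(hits) == 1, "rotation-invariant case, omitted as in the paper"
    i_rec, x_rec = hits[0]
    forged = forge_m3(m3, i_rec, i_sub_new, x_rec)
    i_tag = tag_parse_isub(forged, k, r_t, t_r)  # M2 untouched, so the tag accepts
    k_server = replace_quarter(k, i_sub_server, subkey(k, i_sub_server, r_t, t_r))
    k_tag = replace_quarter(k, i_tag, subkey(k, i_tag, r_t, t_r))
    return i_rec, x_rec, i_tag, k_server, k_tag


def leaked_key_bits(m3, r_t, t_r):
    """Section 3.2: x = (K_X xor R_t xor T_R) mod L, so for L = 2**n the low n
    bits of K_X equal x xor ((R_t xor T_R) mod L)."""
    hits = recover_isub_and_x(m3, r_t, t_r)
    assert len(hits) == 1
    return hits[0][1] ^ ((r_t ^ t_r) % L)


def same_tag(session_a, session_b):
    """Each session is the captured (M3, R_t, T_R); equal fingerprints => same tag."""
    return leaked_key_bits(*session_a) == leaked_key_bits(*session_b)


if __name__ == "__main__":
    K = 0x9E3779B97F4A7C15                                  # constructed tag key
    RT, TR = 0x243F6A8885A308D3, 0x13198A2E03707344         # constructed nonces
    print(run_desync(K, RT, TR, i_sub_server=2, i_sub_new=3))
```

`run_desync` returns different keys for the server and the tag (each has rewritten a different quarter), which is the de-synchronization. For the tracing step note the limit of the fingerprint: it is only $\log_{2}L$ bits, so while the target tag always matches itself, an unrelated tag collides with it with probability $1/L$ per comparison; with $L=64$ that is one false match in 64, and a practitioner would confirm a match over more than one session.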

#### 3.3. Security Analysis of Aghili and Mala's Improvement to ULRAS

Several points should be noted about Aghili and Mala's [25] improvement to ULRAS:

- Applying the rotation operation several times is equivalent to a single rotation: ${M}_{2}=Rot(Rot(K\oplus {R}_{t}\oplus {T}_{R},ID\oplus {R}_{t}),{K}_{X}+{R}_{t})$ in the improved protocol equals ${M}_{2}=Rot(K\oplus {R}_{t}\oplus {T}_{R},i)$ for some $i$ between $0$ and $L-1$. The same holds for ${M}_{1}$.
- Consequently, given $M=Rot(X,Y)$ and $X$, rotating $M$ right by $i=0,\dots,L-1$ and comparing the result with $X$ reveals $Y \bmod L$. An adversary who eavesdrops two sessions that are not completed (so that the secret values are not updated) can therefore mount a secret disclosure attack that reveals $ID$ and $K$. Precisely, given ${M}_{2}=Rot(K\oplus {R}_{t}\oplus {T}_{R},i)$ and ${M}_{2}^{\prime}=Rot(K\oplus {R}_{t}^{\prime}\oplus {T}_{R}^{\prime},j)$ together with ${R}_{t}$, ${R}_{t}^{\prime}$, ${T}_{R}$, ${T}_{R}^{\prime}$, ${M}_{1}$ and ${M}_{1}^{\prime}$, the adversary checks for all $i,j=0,\dots,L-1$ whether $RoR({M}_{2},i)\oplus {R}_{t}\oplus {T}_{R}\stackrel{?}{=}RoR({M}_{2}^{\prime},j)\oplus {R}_{t}^{\prime}\oplus {T}_{R}^{\prime}$, where $RoR$ denotes right rotation; a match yields $K=RoR({M}_{2},i)\oplus {R}_{t}\oplus {T}_{R}$. Similarly, for $i,j=0,\dots,L-1$ the adversary checks whether $RoR({M}_{1},i)\oplus {R}_{t}\oplus {T}_{R}\stackrel{?}{=}RoR({M}_{1}^{\prime},j)\oplus {R}_{t}^{\prime}\oplus {T}_{R}^{\prime}$ and obtains $ID\oplus K=RoR({M}_{1},i)\oplus {R}_{t}\oplus {T}_{R}$. Since $K$ is already known, this gives $ID$; the adversary can check the recovered values against the remaining protocol messages.
- Since all secret values of the protocol are revealed, impersonation, traceability, de-synchronization and other attacks follow easily.
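The secret disclosure attack just described, as an added Python example that is not code from Aghili and Mala's paper or from this paper's authors: it models ${M}_{1}$ and ${M}_{2}$ of the improved protocol as single rotations of $ID\oplus K\oplus {R}_{t}\oplus {T}_{R}$ and $K\oplus {R}_{t}\oplus {T}_{R}$ by amounts the attacker does not know (the first point above), captures two sessions that are not completed, and intersects the $L$ candidate values from each session for ${M}_{2}$ and then for ${M}_{1}$, which is the same search as trying all $L\times L$ pairs $(i,j)$. $L=64$, the rotation amounts and all key, identifier and nonce values are constructed assumptions.

```python
# Added example: not code from Aghili and Mala or from this paper. Models M1/M2
# of the improved protocol as single rotations by unknown amounts (Section 3.3,
# first point) and recovers K and ID from two incomplete sessions (second
# point). L = 64 and every constant below are constructed assumptions.

L = 64
MASK = (1 << L) - 1


def rot_left(v, n):
    n %= L
    return ((v << n) | (v >> (L - n))) & MASK


def rot_right(v, n):
    """RoR in the paper's notation: the inverse of Rot."""
    n %= L
    return ((v >> n) | (v << (L - n))) & MASK


def double_rotation_is_single(v, a, b):
    """First point of Section 3.3: Rot(Rot(v, a), b) == Rot(v, (a + b) mod L)."""
    return rot_left(rot_left(v, a), b) == rot_left(v, (a + b) % L)


def session(id_, k, r_t, t_r, i, j):
    """Messages of one run. i and j stand in for the data-dependent rotation
    amounts of the improved protocol; the attacker never learns them."""
    m1 = rot_left(id_ ^ k ^ r_t ^ t_r, i)
    m2 = rot_left(k ^ r_t ^ t_r, j)
    return m1, m2, r_t, t_r


def candidates(m, a, m_p, a_p):
    """All V with RoR(M, i) xor A == RoR(M', j) xor A' for some i, j < L.
    Intersecting the two L-element sets equals the paper's L*L loop."""
    lhs = {rot_right(m, i) ^ a for i in range(L)}
    rhs = {rot_right(m_p, j) ^ a_p for j in range(L)}
    return lhs & rhs


def recover_secrets(s1, s2):
    """Two eavesdropped, uncompleted sessions (so K and ID did not change).
    Returns the set of (K, ID) pairs consistent with both; normally one."""
    (m1, m2, r_t, t_r), (m1p, m2p, r_tp, t_rp) = s1, s2
    a, a_p = r_t ^ t_r, r_tp ^ t_rp
    k_set = candidates(m2, a, m2p, a_p)       # K   = RoR(M2, i) xor R_t xor T_R
    idk_set = candidates(m1, a, m1p, a_p)     # ID xor K, from M1 the same way
    return {(k, idk ^ k) for k in k_set for idk in idk_set}


if __name__ == "__main__":
    ID, K = 0x3C6EF372FE94F82B, 0xA54FF53A5F1D36F1             # constructed secrets
    s1 = session(ID, K, 0x452821E638D01377, 0xBE5466CF34E90C6C, 17, 42)
    s2 = session(ID, K, 0xC0AC29B7C97C50DD, 0x3F84D5B5B5470917, 5, 59)
    print({(hex(k), hex(i)) for k, i in recover_secrets(s1, s2)})
```

The search costs $2L$ rotations and two set intersections per message pair, i.e. a few thousand operations for $L=64$; the only way it returns more than one pair is an accidental collision between rotations of two unrelated values, which the text proposes to resolve with the other protocol messages.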

## 5. Conclusions

In this paper, we analyzed the security of a rotation-based ultra-lightweight authentication protocol recently proposed for mobile applications. We presented an efficient de-synchronization attack against it and extended it to a traceability attack for the case where the parameter length is an integer power of 2. Although several other attacks against the protocol are possible, we presented only our most efficient ones, which suffice to contradict the designers' security claims. We also extended the attack to the improved version of the protocol introduced by Aghili and Mala.

Moreover, we presented a new lightweight RFID authentication protocol, named UEAP, that uses lightweight encryption functions, together with a security proof showing that the proposed protocol is safe against the active and passive attacks considered.

This paper once again shows that designing a secure protocol based on the rotation operation alone may not be possible; hence, the use of lightweight cryptographic primitives in the design of security protocols is unavoidable.