JOURNAL OF INFORMATION AND COMMUNICATION TECHNOLOGIES, VOLUME 3, ISSUE 3, MARCH 2013

Providing Anonymity for RFID Systems
Wissam Razouk, Ferucio Laurentiu Tiplea, Abderrahim Sekkaki, and Cosmin Varlan
Abstract: Radio frequency identification (RFID) is considered a next-generation technology and plays an
important role in several applications, which makes security a pressing need in various cases. However, low-cost RFID tags
are very constrained devices and cannot apply the existing cryptographic algorithms due to computation and memory size
restrictions. Consequently, RFID systems are vulnerable to numerous security attacks, which imply many privacy issues. In this
paper, we propose a security protocol that fits the requirements of low-cost RFID tags and provides data protection and location
privacy for the consumer. Moreover, unlike previous works, our protocol enables searching on encrypted data without
leaking any information, and also provides protection under the assumption that the server is not necessarily considered
a trusted third party. We present the formal proof of correctness of our scheme based on GNY Logic.
Index Terms: RFID Security, Anonymity, Formal Verification, GNY Logic, Security Protocols.



1 INTRODUCTION
RFID systems have become widely used in access control
and security applications, and more significantly in in-
dustries that require tracking or identification of products
like the supply chain management or the manufacturing
process. The potential benefits of RFID applications are
multiple; first, unlike barcodes, RFID tags do not require
a line of sight to be read; they can be read from distance
and from any orientation. Therefore, a huge number of
tags can be scanned remotely at once and very quickly.
Second, bar codes are in most cases scanned only once at
the checkout during the lifetime of the item. On the other
hand, RFID systems have read and write capabilities,
which allow for data to be changed dynamically at any
time. Thus, RFID systems can be deployed in a way in
which numerous supply chain management applications
can be simultaneously implemented, benefiting all enti-
ties involved in the commercial transaction process (the
manufacturers, the retailers and the users).
An RFID system typically consists of three main compo-
nents; the readers (or transceivers), the tags (or transpond-
ers) and a back end database. The reader starts the com-
munication by querying the tag and transferring energy by
emitting electronic waves. The tag charges up and uses RF
energy to send the stored data.
1.1 RFID Security and Privacy Requirement
Many studies have developed a classification of RFID attacks
and presented several analyses of potential security
threats in RFID systems. We describe below some security
goals; nevertheless, we refer the reader to the studies [2],
[6], [1], [9], [5] for a comprehensive and detailed description
of possible attacks.
We summarize the RFID security requirement as fol-
lows:
Resistance to tag impersonation attacks: The protocol
should not allow the authentication of fake tags as long as
the tags are not compromised.
Resistance to DoS attacks: Power interruption or fault
induction should not compromise future communication
or make hijacking possible.
Resistance to replay attacks: Impersonation using previ-
ous messages should not be possible.
Backward and forward traceability: Should be provided
even if the tag is compromised. An attacker should not be
able to identify past or future interactions [7].
To avoid privacy threats, the protocol should also satisfy
the following requirements [8]:
Resistance to traceability: The tag's messages should be
anonymous and randomized. Hence, an adversary should
not be able to link messages to each other or to the tag.
Resistance to information leakage: Only a genuine read-
er should be able to access the information associated
with a tag [8].

1.2 RFID Performance Requirements
In order to fit the low-cost RFID tags requirements, a secu-
rity protocol has to fulfill the following conditions:
Computational capabilities: Cost effective RFID tags are
very constrained devices and cannot afford very intensive
computations due to their low power and small memory
size. Thus the computational effort required at the tag
side is considered as an important criterion.
Storage abilities: The protocol should not exceed the capacity
of the tag, as low-cost RFID tags have a very limited
storage area.
Message traffic: For performance optimization reasons,
the number and size of the messages exchanged between
readers and tags should be minimized [7].
Scalability: The readers usually have to perform an ex-
haustive search over a list of entries in order to identify or
authenticate a tag. This has to be done in a reasonable
time to provide scalability.
The rest of this paper is organized as follows: First, we
present the related work in Section 2, and then we propose
a security protocol in Section 3. In Section 4, we formally
verify the proposed scheme. Next, we discuss the
security and performance evaluation in Section 5. Finally,
we make conclusions in Section 5.

Wissam Razouk and Abderrahim Sekkaki are with the Department of
Mathematics and Computer Science, Hassan II University, Casablanca,
Morocco.
Email: {wissam.razouk, abderrahim.sekkaki}@etude.univcasa.ma
Ferucio Laurentiu Tiplea and Cosmin Varlan are with the Faculty of Computer
Science, Alexandru Ioan Cuza University of Iasi, Iasi, Romania.
Email: {fltiplea, vcosmin}@info.uaic.ro

2 RELATED WORK
The hash lock scheme was first proposed by Weis et al. [10],
followed by the improved hash-lock scheme where a random
value is generated by the tag to avoid traceability attacks.
However, their protocol is considered insecure, as eaves-
dropping and impersonating attacks can easily be done.
In the same way, Henrici et al. [4] presented the random-
ized hash lock scheme where the tag is authenticated with
its ID hashed together with a transaction number. The
tag's identifier is refreshed using a random value sent by
the reader. Their protocol is simple but cannot resist
man-in-the-middle attacks, since messages between the tag
and reader can be relayed, and an attacker can easily be
authenticated by the reader before the next session.
Indeed, the one-wayness of hash functions is considered
as an efficient solution for low-cost RFID tags [11], and
many proposals were published to address RFID security
issues using this cryptographic tool, but obtaining a max-
imum security for these very constrained devices is still
considered as a real challenge [15].
3 THE PROPOSED SECURITY PROTOCOL FOR RFID
SYSTEMS
3.1 Notations and Assumptions
We use the following notation to describe the protocol
throughout the paper:
Our protocol works with the assumption that the tag has
a hash function, a re-writable memory EEPROM and the
capability to keep state during a single session.
Usually, in the previous proposed protocols in the litera-
ture, the server S is assumed to be a TTP (Trusted third
party) and the communication channel between the read-
er R and S is secure. However, we assume that S is not
necessarily a TTP and the communication channel be-
tween R and S is insecure.
We also assume that R and S have normally sufficient
computation abilities; and thus, can support cryptograph-
ic operations.
3.2 Initial Setup
1. Each tag initially stores a pointer encrypted with
the server's secret key, and a counter C incremented
after each query. In addition, T possesses a
hash function which is used to compute
$H(N_T, N_R, E_{k_S}(P))$. Also, to keep the protocol
lightweight and produce randomness in the
tag's response, we choose to generate the pseudo
random number $N_T$ by applying $H$ to $N_R$ and $C$, instead
of implementing a random number generator on
the tag side, which is not easy or practical on low-cost
RFID tags.
2. The reader stores the encrypted pointers, and possesses
a random number generator to generate
$N_R$. A secret key $K_R$ is also necessary to retrieve
the received encrypted data from the server.
3. The server S has a secret key $K_S$ to communicate
with the reader and retrieve P from $E_{k_S}(P)$. The
server also stores the encrypted information related
to the tag.
3.3 Detailed Description
The general description of the proposed scheme is de-
tailed as follows:
Step 1 The reader R generates a fresh random nonce $N_R$.
Then R sends $N_R$ along with the request to the queried
tag T. In our scheme $N_R$ is very important, as it is included
in the tag's answer to prevent replay attacks
and detect illegitimate responses.
Step 2 When queried, the tag T generates a fresh random
number $N_T$; this nonce is hashed together with the reader's
nonce $N_R$ and the encrypted pointer $E_{k_S}(P)$ to form
a one-time-use authentication key. Then T sends
$N_T$ along with the output of the computed
hash $H(N_T, N_R, E_{k_S}(P))$. This protects the protocol
from replay and man-in-the-middle attacks. Therefore,
the reader is able to verify the freshness of the received
message.
Step 3 When the reader receives the tag's response, R first
verifies whether the forwarded message is valid or
not by computing $H'$ using $N_T$ and $N_R$ for the stored
encrypted pointers, and comparing $H'$ with $H$ until a
match is found. This proves that the message is fresh and
genuine, mainly because it was generated using the reader's
and tag's nonces, and also the secret encrypted pointer.
If the received message is valid, R can easily forward the
encrypted pointer $E_{k_S}(P)$ to the server.
Step 4 The server is not considered a trusted third party
since it stores only the encrypted information and
doesn't know about the decryption process. Thus, when
the pointer has been recovered using the server's secret
key $K_S$, S can easily access the encrypted data to be sent
in the next step to the reader.
Step 5 Finally, the reader receives the encrypted information
and retrieves data using its private key.
TABLE 1
PROTOCOL NOTATIONS

Fig.1. Description of the proposed protocol.
4 FORMAL VERIFICATION
Formal methods have a very important role in examining
security protocols. Numerous logic techniques have high-
lighted many protocol weaknesses, and are considered
successful [13]. Furthermore, the designers are forced to
make security assumptions, and to achieve well-defined
authentication goals. In this paper we use GNY Logic
(Gong L., Needham R., and Yahalom R.) [3], which is a
direct successor to BAN [14] logic; it is considered rea-
sonably powerful in its capacity to reveal whether a secu-
rity protocol is ambiguous, incorrect, inconsistent or in-
complete [13]. Indeed, message extensions are used in
GNY Logic to describe the formalization of the protocol.
Thus, the involved parties can transfer and reason about
their beliefs. Moreover, unlike BAN Logic which assumes
that all parties are honest and competent, it is possible to
deal with diverse levels of trust. In this section, we show
the correctness of our scheme based on GNY Logic [3].
Precisely, it means that after the protocol execution, both
parties T and S are sure that the received messages are
fresh. They should also believe that they are sharing se-
crets in case the communication channel is insecure.
4.1 Formalization of the Protocol Steps
The conventional notations are not suitable for manipula-
tion in logic. Thus, the first step in logic-based verification
consists of avoiding ambiguity by specifying the protocol
in a logical language, and expressing the messages of the
protocol as a logical formula. In this section, we simplify
the proposed protocol as a generic type. Then we formal-
ize it for verification purposes as presented in Table 2.
In S1, the tag is told a random nonce $N_R$ from the reader,
which is going to be included in the tag's response in order
to enable the security check on the reader's side. In S2,
the reader receives the tag's nonce $N_T$ along
with $H(N_T, N_R, E_{k_S}(P))$. After the reader has found a
match for the received hash, the back-end server is told, in
S3, the encrypted pointer $E_{k_S}(P)$. In S4, the reader is told
the encrypted data $E_{k_R}(D)$ stored in the server using the
address contained in the recovered pointer P. A formalized
version of the proposed protocol is shown in Table 1.
4.2 Specification of the Initial Assumptions
The second step in the logic-based formal verification
includes the beliefs and possessions of the different par-
ties at the beginning of each session of the protocol. In-
deed, unlike most of the proposed security protocols in
the literature, we assume that the server is not a trusted
party. Thus, the information is not stored in clear, and
only a genuine reader possesses the key to recover the
encrypted data. The formalization of the initial assump-
tions for our scheme is listed as shown in Table 3.
The first three rows state that the tag has a hash function
and stores the encrypted pointer and a counter. While the
assumption (4) states that the reader possesses the point-
er. The next row states that the server stores only the en-
crypted data. Each principal believes in its nonce fresh-
ness in (6) and (7). Finally, the last two rows are about
recognizability assumptions; the reader and the server
recognize the encrypted pointer.
4.3 Specification of the Protocol Goals
The third step of logic-based formal verification concerns
expressing in the language of logic the beliefs and posses-
sions of the involved principals at the end of a successful
protocol run. The goals of the proposed scheme are de-
tailed in table 4.
The first row states that the reader believes that the re-
ceived information is fresh. The goals in G2, G3, and G4
are about authentication; each principal should believe
that the received information was conveyed by its coun-
terpart. The Goals in G7, G8, and G9 concern the confi-
dentiality of the information.
TABLE 2
FORMALIZATION OF THE PROTOCOL STEPS

TABLE 3
INITIAL ASSUMPTION FOR PROOF

TABLE 4
GOALS OF THE PROPOSED PROTOCOL

4.4 Verification
The final step of the logic-based formal verification in-
volves establishing the beliefs and possessions of the pro-
tocol principals by applying the logical postulates. This
analysis aims to confirm that the goals can result from the
initial assumptions. The protocol is successfully verified if
such derivation exists. If not, the verification fails.
We follow the logical postulate of GNY Logic [3], and
present the formal proof of our scheme based on the as-
sumptions stated in Table 3:
S1. NR T :
-- Applying T1 yields R N T . The tag possesses the
reader's nonce.
S2. ))) ( , , ( ,. ( P E N N H N R S k R T T
-- Applying T1 yields T N R ; thus, the reader possesses
the tag's nonce.
-- Since R recognizes ) (P E R k , applying R1 yields
)) ( , ( , P E N N H R R k R T

.
-- Applying F1 yields ))) ( , , ( ,. ( P E N N H N R r k R T T and
satisfies the goal (G1).
S3. ) (P E S S k
-- Applying T1 yields ) (P E S S k . The server possesses
the encrypted pointer.
-- Applying I4 yields ) ( ~ P E R S R k and satisfies the
goal (G3).
-- Applying T3 yields P S and satisfies the goal (G6).
S4. ) (D E R R k
-- Applying T1 yields ) (D E R R k . The reader possesses
the encrypted Data.
-- Applying I4 yields ) ( ~ D E S R R k and satisfies the
goal (G4).
-- Applying T3 yields D R and thus satisfies the goal
(G5).
The application of the logical postulate and the result of
verification are summarized in Table 5. After verifying
the protocol using GNY Logic, it is established that all the
proof goals are accomplished by verification steps (4) for
G1, (5) for G7, (7) for G5, (8) for G9, (10) for G6, (11) for
G8.
5 EVALUATION
5.1 Security Analysis
We evaluate the proposed scheme from the security requirements
viewpoint. Firstly, in our protocol, the server
is not considered a trusted third party; thus, the information
to be stored on S is encrypted and the server
doesn't have the key to retrieve the real information. Secondly,
the channel between the reader and the server is
also considered insecure; therefore, we use asymmetric
encryption to exchange data between R and S. Our
scheme also has the following security properties:
Data Secrecy: The information transmitted between the
RFID system components should not be understandable
to the attacker. Usually the tag stores the unique identifier
that is used by the reader for identification purposes.
However if this identifier is exposed, it could be used by
an attacker to identify the tag's carrier items or disclose
the user's private information profile. In our protocol, the
tag stores the encrypted version of a pointer, thus even if
the encrypted pointer is exposed, the attack would fail,
because only the reader can retrieve the real pointer using
its secret key. Moreover, the pointer holds the address of
encrypted data, and again only the reader can retrieve the
real information.
Data Anonymity: The user should be able to use a ser-
vice or resource without disclosing his identity. In this
case, the transmitted data between all the RFID system
components should not be distinguishable to an attacker.
Although the exchanged messages are not comprehensi-
ble for the attacker, it is possible to link a message to a
tag. Thus, tracing an object enables an attacker to trace
the tag's carrier. In our protocol, the tag's response is
randomized and different for each session to protect the
user. Therefore, our scheme provides user's privacy pro-
tection because an attacker cannot identify or trace a tag.
Resist replay attacks: Our scheme is designed to counter
replay attacks. Indeed, in each session, different random
numbers are included into the exchanged messages be-
tween the reader and the tag to prevent this type of vul-
nerabilities. For example, an eavesdropper could try to
impersonate a tag and replay the tag's response, however
the message would not be validated by the reader, be-
cause the reader's random number contained in the mes-
sage is not fresh, and would not match the reader's in-
formation; thus, it will not pass verification and the attack
would fail. Therefore, our protocol resists replay attacks.
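The tag-reader exchange of Steps 1 to 3 in Section 3.3 and the replay rejection argued above, as an added Python sketch that is not code from the paper. Assumptions: SHA-256 stands in for the unspecified hash H, inputs are combined by length-prefixed concatenation, the reader accepts each $N_R$ once, and the encrypted pointers are constructed 96-bit random blobs; all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def H(*parts: bytes) -> bytes:
    """Stand-in for the tag's hash H (assumption: SHA-256, length-prefixed parts)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Tag:
    """Holds the opaque encrypted pointer E_kS(P) and the query counter C."""
    def __init__(self, enc_pointer: bytes):
        self.enc_pointer = enc_pointer
        self.counter = 0

    def respond(self, n_r: bytes):
        # Step 2: C is incremented on every query, N_T is derived by hashing
        # N_R with C, and the reply is (N_T, H(N_T, N_R, E_kS(P))).
        self.counter += 1
        n_t = H(n_r, self.counter.to_bytes(4, "big"))
        return n_t, H(n_t, n_r, self.enc_pointer)

class Reader:
    """Stores the encrypted pointers and runs the Step 3 exhaustive search."""
    def __init__(self, enc_pointers):
        self.enc_pointers = list(enc_pointers)
        self.pending = None  # N_R of the query currently awaiting a reply

    def query(self) -> bytes:
        # Step 1: fresh random nonce N_R sent with the request.
        self.pending = secrets.token_bytes(12)
        return self.pending

    def verify(self, n_t: bytes, h: bytes):
        # Step 3: recompute H' for each stored pointer using only the pending
        # N_R. Returns the matching E_kS(P) to forward to the server, or None.
        n_r, self.pending = self.pending, None  # assumption: N_R is single-use
        if n_r is None:
            return None
        for ep in self.enc_pointers:
            if hmac.compare_digest(H(n_t, n_r, ep), h):
                return ep
        return None

def demo():
    pointers = [secrets.token_bytes(12) for _ in range(1000)]  # constructed blobs
    reader, tag = Reader(pointers), Tag(pointers[417])

    first = tag.respond(reader.query())
    ok = reader.verify(*first) == pointers[417]

    reader.query()                                    # new session, new N_R
    replay_rejected = reader.verify(*first) is None   # captured reply is stale

    second = tag.respond(reader.query())
    unlinkable = first[0] != second[0] and first[1] != second[1]
    still_ok = reader.verify(*second) == pointers[417]
    return ok, replay_rejected, unlinkable, still_ok

if __name__ == "__main__":
    print(demo())
```

The linear scan in `verify` is the reader-side search that the paper lists under scalability and names as future work to reduce.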
5.2 Performance Analysis
In addition to providing many security properties against
several possible attacks in RFID systems, our scheme has
low computational cost, and is better than other protocols
in the literature in terms of communication and storage
requirements.
Computation cost: Standard cryptographic algorithms
have a very high computational cost, and need large
memory space. Therefore these kinds of methods are not
suitable for very constrained devices such as low-cost
RFID tags. The protocol we have proposed requires only
a hash function to be implemented. We assume that the
reader and the server have enough computational power
to handle cryptographic operations based on an asymmetric
key cryptosystem.
TABLE 5
VERIFICATION RESULTS USING THE LOGICAL POSTULATES

Communication Cost: Our scheme is accomplished with
only two rounds between the reader and the tag. In gen-
eral, previous protocols require a minimum of three and
up to six rounds. Therefore, the proposed scheme is prac-
tical and feasible in the sense of communication over-
heads.
Storage requirement: Each tag needs only to store two
records in ROM, in addition to the implementation of a
hash function. The encrypted pointer $E_{k_S}(P)$ and n are
considered to have 96-bit length, which is compliant with
all encoding schemes (i.e. GID, SGTIN, SSCC) defined by
the EPCGlobal standard. Moreover, a hash function can be
implemented with only about 1.7 K-gate [11], and is considered
a proper solution in terms of security requirements
and hardware implementation for low-cost
RFID tags. Thus, the proposed protocol is lightweight and
practical.
6 CONCLUSION AND FUTURE WORK
Our protocol guarantees confidentiality for the tag's own-
er, in the sense of supporting the searching functionality
without any loss of data confidentiality. Also, the user
privacy is strongly protected; indeed, we use a new fresh
random nonce in each session; thus tag anonymity is
guaranteed and the location privacy of the tag carrier is
not disclosed either. The formal proof of correctness for
our scheme was based on GNY Logic. In future, we plan
to extend our protocol to decrease the computation and
the search time on the reader's side.
ACKNOWLEDGMENT
This work was supported by a grant provided by the Eu-
ropean Commission under the framework of ERASMUS
MUNDUS - Al IDRISSI project.
REFERENCES
[1] G. Avoine and P. Oechslin. RFID traceability: A multilayer problem.
Financial Cryptography and Data Security, pages 577-577, 2005.
[2] M. Burmester and B. De Medeiros. RFID security: attacks, countermeasures
and challenges. Computer Science Department, Florida State University, 2007.
[3] L. Gong, R. Needham, and R. Yahalom. Reasoning about belief in cryptographic
protocols. In Research in Security and Privacy, 1990. Proceedings,
1990 IEEE Computer Society Symposium on, pages 234-248. IEEE, 1990.
[4] D. Henrici and P. Muller. Hash-based enhancement of location privacy
for radiofrequency identification devices using varying identifiers. In
Pervasive Computing and Communications Workshops, 2004. Proceedings
of the Second IEEE Annual Conference on, pages 149-153. IEEE, 2004.
[5] A. Karygiannis, T. Phillips, and A. Tsibertzopoulos. RFID security: A
taxonomy of risk. In Communications and Networking in China, 2006.
ChinaCom'06. First International Conference on, pages 1-8. IEEE, 2006.
[6] A. Mitrokotsa, M.R. Rieback, and A.S. Tanenbaum. Classifying RFID
attacks and defenses. Information Systems Frontiers, 12(5):491-505, 2010.
[7] B. Song. RFID Authentication Protocols using Symmetric Cryptography.
PhD thesis, December, 2009.
[8] B. Song and C.J. Mitchell. Scalable RFID security protocols supporting tag
ownership transfer. Computer Communications, 34(4):556-566, 2011.
[9] T. Van Deursen and S. Radomirovic. Attacks on RFID protocols. IACR
eprint Archive, 310, 2008.
[10] S. Weis, S. Sarma, R. Rivest, and D. Engels. Security and privacy aspects
of low-cost radio frequency identification systems. Security in pervasive
computing, pages 50-59, 2004.
[11] K. Yuksel. Universal hashing for ultra-low-power cryptographic
hardware applications. PhD thesis, Citeseer, 2004.
[12] V.D. Gligor, R. Kailar, S. Stubblebine, and L. Gong. Logics for cryptographic
protocols: virtues and limitations. In Computer Security Foundations
Workshop IV, 1991. Proceedings, pages 219-226. IEEE, 1991.
[13] A. Mathuria, R. Safavi-Naini, and P. Nickolas. Some remarks on the
logic of Gong, Needham and Yahalom. In Proceedings of the International
Computer Symposium, volume 1, pages 303-308. Citeseer, 1994.
[14] M. Burrows, M. Abadi, and R.M. Needham. A logic of authentication.
Proceedings of the Royal Society of London. A. Mathematical and
Physical Sciences, 426(1871):233-271, 1989.
[15] G. Avoine, X. Carpent, and B. Martin. Privacy-friendly synchronized
ultralightweight authentication protocols in the storm. Journal of Network
and Computer Applications, 2011.

Wissam Razouk received her B.Sc and M.Sc degrees from Hassan II
University, Casablanca, Morocco. She is currently a PhD student in
the mathematics and computer science department, in the same
university. Her primary research interests are RFID security proto-
cols, and formal verifications.

Ferucio Laurentiu Tiplea received his Ph.D. degree in Computer
Science from Al. I. Cuza University of Iasi, Romania, in 1993. He
joined the Department of Computer Science of the aforementioned
university in 1990, where he is currently Professor of Computer Science.
Tiplea's research interests lie in the area of theories and tools
for high-level modeling, design, and analysis of systems (including
Petri nets and formal verification), computability and complexity,
cryptography and computer security, and algebraic foundations of
computer science. He has published more than 70 papers in profes-
sional journals and refereed conference proceedings in these areas,
co-edited five conference volumes, contributed to six edited vol-
umes, and delivered invited talks at many universities and interna-
tional conferences.

Abderrahim Sekkaki received his D.Sc. in Network Management
domain from the Paul Sabatier University, France, 1991. He received
a Dr. of State Degree from Hassan II University, Morocco in
2002 and is presently a computer science professor at the same
university. His research interests include distributed systems, policy-based
network management and security.

Cosmin Varlan received his B.S. degree in Mathematics, Al. I.
Cuza University of Iasi, Romania, in 2002. He joined the Depart-
ment of Mathematics as a teaching assistant in 2002 and the De-
partment of Computer Science of the aforementioned university in
2004. He is currently working towards his Ph.D. degree with a focus
on anonymity-related properties in security protocols.





2012 JICT
www.jict.co.uk
