Security analysis of ultra-lightweight cryptographic protocol for low-cost RFID tags: Gossamer protocol

Gossamer protocol has been recently published to achieve mutual authentication in low-cost RFID tags. This protocol is considered to fall in ultra-lightweight class as it incorporates simple and low cost operations. Most of the earlier proposals in this class were exposed soon after their publication. Common weaknesses included use of Triangular functions and improper use of logic operators. Gossamer protocol used two non-triangular functions a) ROTbits and b) MIXbits. These functions provide confusion and diffusion properties and are implemented as cheaper operations. Thus, this protocol can be used for EPCglobal Class-1 Generation-2 standard (considered as universal standard for low-cost tags). This protocol is able to overcome existing weaknesses and is considered to be more attractive for low-capability devices as compared to earlier protocols of this class. In this paper, we analyze the security features provided by Gossamer protocol. The vulnerabilities discovered during this analysis reveal that different attacks including denial of service, memory and computation exhaustive, de-synchronization, replay, attack on data integrity and IDS (index pseudonym) collision are possible. As a consequence, we propose a new mutual authentication protocol keeping in mind the constraints and making use of the existing operations without addition of any expensive one. The analysis of the proposed protocol shows that it is resistant to all the attacks possible in case of Gossamer protocol. A comparative security analysis shows that proposed protocol provides better security features with a small compromise of communication overheads. Two additional public messages are exchanged between the reader and the tag to address the vulnerabilities present in Gossamer protocol.