Many RFIDauthentication protocols with randomized tag response have been proposed to avoid simple tag tracing. These protocols are symmetric in common due to the lack of computational power to perform expensive asymmetric cryptography calculations in low-cost tags. Protocols with constantly changing tag key have also been proposed to avoid more advanced tag tracing attacks.With both the symmetric and constantchanging properties, tag and reader re-synchronization is unavoidable as the key of a tag can be made desynchronized with the reader due to offline attacks or incomplete protocol runs. In this paper, our contribution is to classify these synchronized RFID authentication protocols into different types and then examine their highest achievable levels of privacy protections using the privacy model proposed by Vaudenay in Asiacrypt 2007 and later extended by Ng et al. in ESORICS 2008. Our new privacy results show the separation between weak privacy and narrow-forward privacy in these protocols, which effectively fills themissing relationship of these two privacy levels in Vaudenay’s paper and answer the question raised by Paise and Vaudenay in ASIACCS 2008 on why they cannot find a candidate protocol that can achieve both privacy levels at the same time. We also show that forward privacy is impossible with these synchronized protocols.
Available at: http://works.bepress.com/ymu/70/