. . Breaking the Forward Secrecy of O-FRAKE

e above attack can be extended to break the forward secrecy of the O-FRAKE protocol, which is an extension of O-FRAP that furthermore establishes a shared secret session key between the tag and reader.

. It then corrupts a tag Ti′ at the point a er the tag outputs Accept. It thus obtains a pairKi′; SKi′ corresponding to a previously completed subsession, and not the updated

Ki′; SKi′ = v4; v5 .

. e adversary calculates v1jjv2jjv3jjv4jjv5 = F (Ki′; rjjri). It can then check the computed v2 with its recorded v2 for a match, thereby associating the tag Ti′ to the particular completed subsession corresponding to its recorded r; ri; v2 ; and further it also knows that the established session key for that associated session is SKi′.

6.9Conclusion

Although we have used a very limited privacy model, we have been able to show that several RFID protocols that allegedly addressed privacy were vulnerable to rather simple attacks. We identify the main cause behind these failure to be the lack of formal analysis. Indeed, most presentedprotocolswereonlysupportedbyinformalargumentsthatcannottakeintoaccount all the possible attacks an adversary can perform. erefore, we stress the need of studying the extend of privacy an RFID protocol o ers by providing a formal proof of security.

Moreover, wehaveshownthatthechoiceofthemodeliscrucialasitcanbethataprotocolis proven private according to a model with a correct reduction and Still be vulnerable to privacy attacks not covered by the model. As it was demonstrated with the O-FRAP and O-FRAKE protocols, this applies to the LBdM model.

.