Weaknesses of fingerprint-based mutual authentication protocol

The Internet of Things is an emerging paradigm, which is used to link physical objects with Internet. One of the most common ways of communicating and identifying objects on Internet of Things is using Radio Frequency IDentification (RFID) systems between different objects. Researchers have focused on developing improvements of RFID authentication protocols that stave off privacy threats and well-known security problems. Recently, Khor et al. have proposed a new authentication protocol that conforms to the Electronic Product Code Class-1 Generation-2 standard (ISO/IEC 18000-6C for RFID systems). In this paper, we show the vulnerabilities of this authentication protocol concerning to full disclosure, impersonation, traceability, de-synchronization, and Denial-of-Service attacks. These attacks make the protocol unfeasible to introduce it with an adequate security and sufficient privacy protection level. Finally, we present a new protocol, called Fingerprint(+) protocol, which is based on ISO/IEC 9798-2 and ISO/IEC 18000-6C and whose security is formally verified using BAN logic. Copyright (c) 2014 John Wiley & Sons, Ltd.