Security analysis of an ultra-lightweight RFID authentication protocol for m-commerce

Nowadays, many people perform their commercial activities, such as electronic payment and electronic banking, through their mobile phones. Mobile commerce (m-commerce) refers to manipulating electronic commerce (e-commerce) by using mobile devices and wireless networks. Radio-frequency identification (RFID) is a technology which can be employed to complete payment functions on m-commerce. As an RFID subsystem is applied in m-commerce and supply chains, the related security concerns are very important. Recently, Fan et al. have proposed an ultra-lightweight RFID authentication scheme for m-commerce (ULRAS) and claimed that their protocol is efficient enough and provides a high level of security. In this paper, we show that their protocol is vulnerable to secret disclosure and reader impersonation attacks. Finally, we improve it to a protocol that is resistant to the attacks presented in this paper and the other known attacks in the context of RFID authentication. We further analyze the security of the improved protocol through the Burrows-Abadi-Needham logic (BAN-logic). Moreover, our proposed improvement does not impose any additional workload on the RFID tag.