Security of Grouping-Proof Authentication Protocol for Distributed RFID Systems
IEEE Liu et al. proposed a grouping-proof authentication protocol (GUPA) for distributed RFID systems. At the same time, Liu et al. claimed that GUPA can resist the well-known attacks such as replay, forgery, tracking, and denial of proof. However, we report that, according to Liu et al.'s assumption of the attack ability, the attacker is able to compromise all secrets by the manin-the-middle (MIM) attacks. Although the MIM attacks were not explicitly evaluated by GUPA, the attacker can easily launch replay, forgery, tracking, and denial of proof when he knows all secrets of GUPA. That is, the lethal security flaws exist in GUPA. We also suggest employing the cryptographic hash function to protect the secrets in GUPA. Our security analysis of GUPA will be beneficial to the design of the robust grouping-proof authentication protocols in the future.