Security Analysis of the Qian et al. Protocol: A Revised Tree-LSHB+ Protocol

Low-cost radio-frequency identification tags are confronted with various security and privacy issues due to their limits in computational and storage capabilities. Many lightweight authentication protocols have been proposed so far to resist all possible attacks and threats. A revised Tree-LSHB+ protocol was recently proposed by Qian et al. [Wirel Pers Commun 77(4):3125–3141. doi: 10.1007/s11277-014-1699-x , 2014] after a security analysis on the original Tree-LSHB+ protocol proposed by Deng et al. [Wirel Pers Commun 72(1):159–174. doi: 10.1007/s11277-013-1006-2 , 2013]. And it claimed to be secure against secret information disclosure attack. In this paper, we present an active attack against it in a general man-in-the-middle attack where an adversary is capable of eavesdropping, intercepting, manipulating, and blocking the messages transmitted between a legitimate reader and a legitimate tag. The attack is proved to be efficient to disclose all the authentication keys shared between a reader and a tag. Additionally, we introduce another possible active attack which can even retrieve all the secrets in the tree-traversal stage.