Abstract
We report on the security claims of an RFID authentication protocol by Li and Ding which was specifically designed for use in supply chains. We show how the protocol's vulnerabilities can be used to track products, relate incoming and outgoing products, and extort supply chain partners.
Starting from a discussion of the relevant security requirements for RFID protocols in supply chains, we proceed to illustrate several shortcomings in the protocol with respect to mutual authentication, unlinkability, and desynchronization resistance. We investigate the use of the xor operator in the protocol, suggest possible improvements, and point out flaws in the proofs of the security claims.