
ECC-based untraceable authentication for large-scale active-tag RFID systems

Electronic Commerce Research

Abstract

Radio frequency identification tag authentication protocols are generally classified as non-full-fledged and full-fledged, according to the resource usage of the tags. The non-full-fledged protocols typically suffer from de-synchronization, impersonation and tracking attacks, and usually lack scalability. The full-fledged protocols, which support cryptographic functions, are designed to overcome these weaknesses. This paper examines several elliptic-curve-cryptography (ECC)-based full-fledged protocols. We found that some still have security and privacy issues, and others generate excessive communication costs between the tag and the back-end server. Motivated by these observations, we construct two novel protocols, PI and PII. PI is designed for secure environments and is suitable for applications including E-Passport and toll payment in vehicular ad-hoc networks. PII is for hostile environments and can be applied in pseudonymous payment and anti-counterfeiting services. After analysis, we conclude that PII can resist many attacks, outperform previous ECC-based proposals in communication efficiency, and provide mutual authentication and scalability.



Author information

Corresponding author

Correspondence to Jue-Sam Chou.


Cite this article

Chen, Y., Chou, JS. ECC-based untraceable authentication for large-scale active-tag RFID systems. Electron Commer Res 15, 97–120 (2015). https://doi.org/10.1007/s10660-014-9165-0


  • DOI: https://doi.org/10.1007/s10660-014-9165-0
