
Computer Networks

Volume 52, Issue 12, 22 August 2008, Pages 2373-2380

A novel mutual authentication scheme based on quadratic residues for RFID systems

https://doi.org/10.1016/j.comnet.2008.04.016

Abstract

In 2004, Ari Juels proposed a Yoking-Proofs protocol for RFID systems. Its aim is to permit a pair of tags to generate a proof that is verifiable off-line by a trusted entity even when the readers are potentially untrusted. However, we found that the protocol not only lacks the anonymity property but also suffers from both known-plaintext and replay attacks. Wong et al. [Kirk H.M. Wong, Patrick C.L. Hui, Allan C.K. Chan, Cryptography and authentication on RFID passive tags for apparel products, Computer in Industry 57 (2005) 342–349] proposed an authentication scheme for RFID passive tags, intended as a standard for apparel products. Yet, in our review, their protocol suffers from guessing parameter and replay attacks. Moreover, both schemes share a common weakness: the backend server must use brute search for each tag’s authentication. In this paper, we first describe the weaknesses of the two above-mentioned protocols. Then, we propose a novel efficient scheme which not only achieves mutual authentication between the server and the tag but also satisfies all the security requirements of an RFID system.

Introduction

An RFID (radio frequency identification device) system has become one of the most important applications today. It consists of radio frequency (RF) tags, tag readers and a backend server. When the server wants to identify a tag, the reader broadcasts an RF signal. A tag within range of the signal is triggered and responds with its resident data. After receiving the response, the reader, usually cooperating with the backend server, decides whether the tag is legitimate. In an early application, an RF tag replaced the barcode, the universal product code (UPC) printed on merchandise, with the advantage that 100–200 tags can be read per second at a range of several meters [6]. Moreover, an RF tag acting as a “smart label” has its own memory and computing unit. This equipment can further support access control or cryptographic functions and thus makes an RF tag applicable in various significant areas such as supply chain management, inventory control, counterfeiting prevention, etc. However, this promising technology may suffer from several security threats, for example:

1. Secrecy: a fake reader may defraud an honest tag of its resident secret.
2. Location privacy: a malicious person may expose a person’s location by tracing a particular tag embedded in a product.
3. Forward secrecy: because it is impractical to equip a low-cost tag with a tamper-proof device, an attacker may compromise a tag’s resident data and then expose the bearer’s previous locations by tracing the past transactions the tag was involved in.
4. Replay attack and DOS attack: a poorly designed tag identification protocol may suffer from replay or denial-of-service (DOS) attacks.

To prevent the above-mentioned security threats, many researchers have proposed solutions. Weis et al. [4], [5] proposed “hash locking” and “randomized hash-locking” schemes using a hash function and a pseudo-random number generation (PRNG) function. In their scheme, when a tag is locked, it does not respond to any reader’s triggering; only a legitimate reader possessing the right key can unlock the tag to obtain its resident data. However, after a reader unlocks a tag, the tag ID (TID) is transmitted between the tag and the reader in the clear. This makes the bearer’s personal information or location traceable and violates the anonymity property of the TID. In the same year, Ohkubo et al. [11] proposed a “privacy-friendly” tag scheme using a hash chain. In the scheme, in the i-th authentication the tag sends a_i = G(s_i) to the reader/server and renews its secret as s_{i+1} = H(s_i). After receiving a_i, the server, which maintains a list of (TID, s_1), checks whether a_i equals G(H^i(s_1)) to decide whether the tag is valid. Although their scheme has the TID anonymity property, it obviously suffers from the replay attack: when an attacker replays any old message a_j = G(s_j) with j < i, the server will still identify the tag as valid. Henrici et al. [8] proposed another “hash lock”-like scheme. They claimed that their scheme possesses TID anonymity and location privacy and can resist replay and DOS attacks. However, in 2005, Yang et al. [13], [14] pointed out that their scheme suffers from a man-in-the-middle attack, because an attacker may perform malicious actions between a tag and a reader to obtain information and be authenticated by the reader before the next transaction. Moreover, we found that Henrici et al.’s scheme does not provide forward secrecy: when a tag is compromised, the attacker can use the current tag ID (changed to ID ⊕ RND after each authentication, where RND is a random number generated by the backend server) and the last authentication flows (which contain h(ID), RND, etc.) to trace the tag’s previous transactions by computing the tag’s previous ID. Hence, Yang et al. proposed a new mutual authentication protocol for low-cost RFID, also based on a hash function [13], [14]. They claimed that their scheme guarantees TID anonymity and location privacy for tag bearers and prevents active attacks such as man-in-the-middle, replay and forgery attacks. However, [21] pointed out that their scheme lacks forward secrecy. Moreover, another weakness of this study is that the backend server always uses brute search to find the TID in each authentication. This needs O(n^2) time complexity for n tags’ authentication, which is very time-consuming and limits the number of tags that the reader/server can authenticate each time.
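To make the server's brute search and the replay weakness of the hash-chain scheme concrete, here is an added Python sketch that is not code from the paper or from Ohkubo et al.: G and H are instantiated as domain-separated SHA-256 (an assumption), the stateless server checks a = G(H^i(s_1)) for every stored (TID, s_1) and every chain position up to a bound, and a hypothetical stateful variant that remembers the last accepted position per tag shows the check that refuses a replayed a_j.

```python
import hashlib

def G(s: bytes) -> bytes:
    """Output hash: what the tag transmits (domain-separated SHA-256; an assumption)."""
    return hashlib.sha256(b"G|" + s).digest()

def H(s: bytes) -> bytes:
    """Update hash: advances the tag's secret one step along the chain."""
    return hashlib.sha256(b"H|" + s).digest()

class Tag:
    def __init__(self, s1: bytes):
        self.s = s1                          # s_1, shared with the server at enrolment

    def respond(self) -> bytes:
        a = G(self.s)                        # a_i = G(s_i)
        self.s = H(self.s)                   # s_{i+1} = H(s_i)
        return a

class Server:
    """Stateless verifier as described in the paper: holds (TID, s_1) pairs and
    brute-searches every tag and every chain position to match a received a."""
    def __init__(self, tags: dict, max_chain: int = 64):
        self.tags, self.max_chain = tags, max_chain

    def identify(self, a: bytes):
        for tid, s in self.tags.items():
            for i in range(self.max_chain):  # is a == G(H^i(s_1)) for some i?
                if G(s) == a:
                    return tid, i            # i is the 0-based chain position
                s = H(s)
        return None                          # unknown tag, or chain bound exceeded

class StatefulServer(Server):
    """Hypothetical hardening, not from the paper: remember the highest accepted
    position per tag and refuse anything at or below it, so a replayed a_j fails."""
    def __init__(self, tags: dict, max_chain: int = 64):
        super().__init__(tags, max_chain)
        self.last = {}

    def identify(self, a: bytes):
        hit = super().identify(a)
        if hit is None:
            return None
        tid, i = hit
        if i <= self.last.get(tid, -1):
            return None                      # replayed or stale message
        self.last[tid] = i
        return hit
```

Feeding an older response (or the same one twice) to Server still returns the tag, which is exactly the replay acceptance the paper points out; StatefulServer returns None for it.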

In 2004, Molnar et al. [10] proposed a pseudo-random-function (PRF)-based scheme for library RFID. They claimed that their scheme can protect a patron’s privacy and can be extended to a tree-based protocol needing only O(log n) rounds for the simultaneous identification of n tags. However, Rhee et al. [12] pointed out that Molnar et al.’s scheme does not achieve forward secrecy. Hence, Rhee et al. proposed an improvement based on Molnar et al.’s scheme. Unfortunately, Rhee et al.’s scheme is still unable to provide the forward secrecy mentioned in [2]. In addition, we found that the common drawback of the server’s brute search also exists in Molnar et al.’s scheme. This is time-consuming and thus compromises the round efficiency they emphasized.

Besides the above hash-based and PRF-based (cryptography-based) approaches for RFID systems, some lightweight (non-cryptography-based) schemes [7], [9], [2] have been proposed. Both Duc et al.’s [7] and Chien et al.’s [2] schemes adopt a CRC function (instead of a costly hash function) together with a PRNG function, while Karthikeyan et al.’s scheme [9] is based on matrix operations. However, Chien et al. [2] pointed out that Duc et al.’s scheme [7] does not provide forward secrecy and suffers from a DOS attack, and that Karthikeyan et al.’s scheme [9] does not provide TID anonymity and suffers from a DOS attack as well. Hence, Chien et al. [2] proposed a scheme intended to satisfy all of the security and privacy requirements of an RFID system. However, we found that the common drawback still exists in their scheme: the backend server searches for the TID by brute force. This significantly impacts the scalability of an RFID deployment. Moreover, such lightweight schemes are intuitively less secure than the cryptography-based ones.

This paper is organized as follows. In Section 2, we review Juels’ and Wong et al.’s schemes and discuss their weaknesses. In Section 3, we present our protocol. The security analysis and performance evaluation of our scheme are discussed in Section 4. Finally, a conclusion is given in Section 5.

Section snippets

Review of Juels’ and Wong et al.’s schemes

In this section, we review Juels’ scheme [2] and Wong et al.’s scheme [3] and analyze their weaknesses. Juels’ scheme exposes the TID and suffers from both replay and known-plaintext attacks, whereas Wong et al.’s scheme leaks the bearer’s location and can be broken by guessing parameter and replay attacks. Moreover, both schemes share the common weakness of the backend server’s brute search for each tag’s authentication. The details of the two schemes and their weaknesses

Proposed scheme

In this section, we present a simple protocol based on a hash function and the quadratic residue assumption which not only achieves the security requirements of an RFID system but can also be implemented efficiently, because we use direct indexing for each tag’s authentication and thus avoid the server’s brute search. Moreover, our scheme resists all known attacks such as replay, DOS, known-plaintext and guessing parameter attacks. Next, we will first describe the quadratic residue assumption

Security analysis and performance evaluation

In this section, we will present the security analysis and evaluate the performance of our scheme. The comparisons of various security attributes and usage of brute search among our scheme and other work are listed in Table 1. The performance comparisons of our scheme with others are shown in Table 2.

Conclusion

Many secure schemes have been proposed for RFID systems, but only a few of them achieve the three privacy properties (TID anonymity, individual location privacy and forward secrecy), replay attack resistance and DOS attack resistance. In this paper, we have demonstrated that Juels’ scheme is vulnerable to known-plaintext and replay attacks. We also found that Wong et al.’s scheme is easily broken. Then, we presented a new mutual authentication RFID scheme using quadratic residues. After our


References (21)

  • A. Juels, Yoking-Proofs for RFID tags, in: Proceedings of IEEE International Conference Digital Object Identifier,...
  • H.Y. Chien et al., Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards, Computer Standards & Interfaces (2006)
  • Kirk H.M. Wong et al., Cryptography and authentication on RFID passive tags for apparel products, Computer in Industry (2005)
  • S. Sarma, S. Weis, D. Engels, RFID system, security and privacy implications, in: White Paper, MIT Auto-ID Center,...
  • S.A. Weis, S.E. Sarma, R.L. Rivest, D.W. Engels, Security and privacy aspects of low-cost radio frequency...
  • EPCglobal web site,...
  • D.N. Duc, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal Gen-2 RFID tag against traceability and cloning, in:...
  • A.D. Henrici, P. Mauller, Hash-based enhancement of location privacy for radio-frequency identification devices using...
  • S. Karthikeyan, M. Nesterenko, RFID security without extensive cryptography, in: Proceedings of the 3rd ACM Workshop on...
  • D. Molnar, D. Wagner, Privacy and security in library RFID: issues, practices, and architectures, in: Conference on...

Cited by (121)

  • SAPWSN: A Secure Authentication Protocol for Wireless Sensor Networks, Computer Networks, 2023. Citation excerpt:

    Juels in [11] suggested the “Yoking Proof” technique, which utilized hash functions and message authentication codes, but the proposed scheme was not secure against replay attacks and chosen-plaintext attacks [12]. Wong et al. presented a “hash-lock” concept [13], but this system also had numerous security flaws against various assaults [12]. Weis et al. in [14] created a security protocol based on hash functions and pseudo random number generators (PRNG).

  • Secure attribute-based search in RFID-based inventory control systems, Decision Support Systems, 2020. Citation excerpt:

    As per the Chinese Remainder Theorem, four incongruent solutions exist for this scenario. However, given that it is rather difficult to determine a and b, it is equally difficult to determine x [22,42]. If replacing x with x^2 results in a valid solution, which is a perfect square, only one of the solutions is a valid quadratic residue modulo n [22].
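The four-root property quoted in the excerpt above is the trapdoor behind the quadratic residue assumption on which the scheme of Section 3 rests. The following Python is an added illustration, not the paper's protocol or code: for a modulus n = pq with p, q ≡ 3 (mod 4) (constructed toy primes p = 11, q = 19 are assumed), a party holding the factors computes all four square roots of c = x^2 mod n by the Chinese Remainder Theorem and, when x was itself a residue, singles out the one root that is again a quadratic residue; without p and q, recovering x from c is as hard as factoring n.

```python
def legendre(a: int, p: int) -> int:
    """Euler's criterion: 1 if a is a quadratic residue mod prime p, p-1 if not, 0 if p | a."""
    return pow(a, (p - 1) // 2, p)

def is_qr_mod_n(a: int, p: int, q: int) -> bool:
    """a is a residue mod n = pq iff it is a residue mod both prime factors."""
    return legendre(a, p) == 1 and legendre(a, q) == 1

def sqrt_mod_n(c: int, p: int, q: int) -> list:
    """All four square roots of c modulo n = pq. Requires p, q ≡ 3 (mod 4), which makes
    c^((p+1)/4) a square root of c mod p (likewise mod q). Raises if c is not a residue."""
    assert p % 4 == 3 and q % 4 == 3, "both primes must be congruent to 3 mod 4"
    n = p * q
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    if rp * rp % p != c % p or rq * rq % q != c % q:
        raise ValueError("c is not a quadratic residue mod n")
    inv_q, inv_p = pow(q, -1, p), pow(p, -1, q)      # CRT coefficients (Python 3.8+)

    def crt(a: int, b: int) -> int:                   # x ≡ a (mod p), x ≡ b (mod q)
        return (a * q * inv_q + b * p * inv_p) % n

    # the four incongruent solutions: (±rp mod p) combined with (±rq mod q)
    return sorted({crt(rp, rq), crt(rp, q - rq), crt(p - rp, rq), crt(p - rp, q - rq)})

def recover_x(c: int, p: int, q: int) -> int:
    """When x itself was a residue (e.g. x = y^2 mod n), exactly one of the four roots
    of c = x^2 is again a residue, so the holder of p and q recovers x uniquely:
    -1 is a non-residue mod each Blum prime, so negating a root flips its residuosity."""
    roots = [r for r in sqrt_mod_n(c, p, q) if is_qr_mod_n(r, p, q)]
    assert len(roots) == 1
    return roots[0]

if __name__ == "__main__":
    p, q = 11, 19                    # constructed toy primes, both ≡ 3 (mod 4); n = 209
    x = 5 * 5 % (p * q)              # x = 25 is itself a residue (it is 5^2)
    c = x * x % (p * q)              # c = 207 is the value a prover would transmit
    print(sqrt_mod_n(c, p, q))       # the four roots of 207 mod 209
    print(recover_x(c, p, q))        # the one that is again a residue: 25
```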


Yalin Chen received her bachelor degree in the department of computer science and information engineering from Tamkang University in Taipei, Taiwan and her MBA degree in the department of information management from National Sun-Yat-Sen University (NYSU) in Kaohsiung, Taiwan. She is now a Ph.D. candidate of the Institute of Information Systems and Applications of National Tsing-Hua University (NTHU) in Hsinchu, Taiwan. Her primary research interests are data security and privacy, protocol security, authentication, key agreement, electronic commerce, and wireless communication security.

Jue-Sam Chou received his Ph.D. degree in the department of computer science and information engineering from National Chiao Tung University (NCTU) in Hsinchu, Taiwan, ROC. He is an associate professor and teaches at the department of Information Management of Nanhua University in Chiayi, Taiwan. His primary research interests are electronic commerce, data security and privacy, protocol security, authentication, key agreement, communication and statistics.

Hung-Min Sun received his B.S. degree in applied mathematics from National Chung-Hsing University in 1988, his M.S. degree in applied mathematics from National Cheng-Kung University in 1990, and his Ph.D. degree in computer science and information engineering from National Chiao-Tung University in 1995. He was an associate professor with the Department of Information Management, Chaoyang University from 1999 to 2002. Currently he is an associate professor with the Department of Computer Science, National Tsing Hua University. He has published over 100 international journal and conference papers. He was the program co-chair of the 2001 National Information Security Conference and a program committee member of the 1997 and 2005 Information Security Conference, the 2000 Workshop on Internet and Distributed System, the 2001, 2002 and 2005 Workshop on the 21st Century Digital Life and Internet Technologies, the 1998–1999, 2002–2004 and 2006–2007 National Conference on Information Security, ACISP’04, NCS’2001, ICS’2002, ITRE’2005 and NCS’2007. His research interests include information security, wireless network security, cryptography and multimedia security.
