A Provably Secure RFID Authentication Protocol

0 downloads 0 Views 1MB Size Report
A Provably Secure RFID Authentication Protocol Based on Elliptic Curve for Healthcare Environments. Mohammad Sabzinejad Farash2 · Omer Nawaz3 · Khalid ...

J Med Syst (2016) 40:165 DOI 10.1007/s10916-016-0521-6

PATIENT FACING SYSTEMS

A Provably Secure RFID Authentication Protocol Based on Elliptic Curve for Healthcare Environments Mohammad Sabzinejad Farash2 · Omer Nawaz3 · Khalid Mahmood1 · Shehzad Ashraf Chaudhry1 · Muhammad Khurram Khan4

Received: 25 July 2015 / Accepted: 6 May 2016 © Springer Science+Business Media New York 2016

Abstract To enhance the quality of healthcare in the management of chronic disease, telecare medical information systems have increasingly been used. Very recently, Zhang and Qi (J. Med. Syst. 38(5):47, 2014), and Zhao (J. Med. Syst. 38(5):46, 2014) separately proposed two authentication schemes for telecare medical information systems using radio frequency identification (RFID) technology. They claimed that their protocols achieve all security requirements including forward secrecy. However, this paper demonstrates that both Zhang and Qi’s scheme, and Zhao’s scheme could not provide forward secrecy. To augment the security, we propose an efficient RFID authentication scheme using elliptic curves for healthcare environments. The proposed RFID scheme is secure under common random oracle model. Keywords Telecare medical information systems · RFID · Elliptic curve · Authentication · Untraceable privacy · Random oracle model This article is part of the Topical Collection on Patient Facing Systems  Shehzad Ashraf Chaudhry

[email protected] 1

Department of Computer Science & Software Engineering, International Islamic University, Islamabad, Pakistan

2

Faculty of Mathematics Sciences and Computer, Kharazmi University, Tehran, Iran

3

Telecommunication Systems, Blekinge Institute of Technology, Karlskrona, Sweden

4

Center of Excellence in Information Assurance, King Saud University, Riyadh, Saudi Arabia

Introduction During the recent times, Radio frequency identification (RFID) system has got much popularity and is now progressively substituting the bar-codes for identification [1]. An RFID system represents following three Constituents: (1) readers, (2) tags, and (3) a server. The tag consists of a radio transponder, which stores and process the information along with an antenna to communicated with the readers [2, 3]. For identification the RFID server using the antenna transmits a signal. Once receiving the signal, a tag within antenna’s range replys with some pre-stored information. Once received by the reader, the information is passed to the RFID server for identification and further processing [4]. When a back-end server wants to identify one or more tags, a reader emits an interrogation signal via its antenna. Any tag within range of the signal responds with certain stored data, such as a tag identifier. The reader then passes the received tag data to the back-end server for further processing, including tag identification and information retrieval [4]. The radio interface between the tags and reader is generally insecure, while RFID server and reader’s interface is fixed and secure. The insecure wireless communication channel between the tags and reader will induce some serious security and privacy problems. The common threats to an RFID system include: man in middle, spoofing, counterfeiting, traceability, eavesdropping, desynchronization, traffic analysis etc. One of the most important way to assure privacy and security in RFID systems is authentication protocol [5, 6]. Many schemes for RFID authentication are proposed based on symmetric key cryptography [7–13], because of a common perception that public key cryptography is too slow and power hungry. However, recent works proved this concept to be wrong, for example the smallest published

165

J Med Syst (2016) 40:165

Page 2 of 7

elliptic curve implementations [14, 15] consume less storage space than the candidate cryptographic hash algorithms proposed in the SHA-3 competition [16]. Moreover, symmetric-key solutions suffer from scalability problems [17–20, 34, 35, 40, 41]. These have led to the introduction of elliptic curve cryptography (ECC) [36–39] based RFID authentication protocols to solve the scalability issues, prevents cloning attacks and offers untraceable privacy [21, 22]. In 2006, the first ECC-based RFID authentication protocol was proposed by Tuyls and Batina [23] using the Schnorr identification scheme [24]. In 2007, Batina et al. [25] proposed a similar ECC-based solution by applying Okamoto identification scheme [26]. But, Lee et al. [27] pointed both Tuyls and Batina’s protocol, and Batina et al.’s protocol suffer from privacy problems. To address these privacy problems, Lee et al. [27], O’Neill & Robshaw [28] and Godor et al. [29] separately proposed improved ECCbased RFID authentication protocols. However, Chou [22] recently indicated that the three schemes [27–29] still have no scalability. Chou then designed a novel ECC-based RFID authentication protocol, to avoid these issues. Later, Liao and Hsiao [30] propose a new RFID authentication protocol using ECC. Unfortunately, Peeters and Hermans [31] found that Liao and Hsiao’s protocol is vulnerable to the tag masquerade attack, the server spoofing attack, the location tracking attack and the tag cloning attack. Motivations Very recently, Zhang & Qi [32], and Zhao [33] separately developed RFID authentication schemes using ECC for healthcare environments. Both of them claimed that their schemes [32, 33] offer all necessary security requirements including forward privacy. However, we prove that both Zhang & Qi’s and Zhao’s schemes do not provide forward privacy. Moreover, we proposed an efficient RFID authentication scheme to overcome the security weaknesses. We analyze the security of our scheme in random oracle model.

Table 1 Notations used in Zhang & Qi’s scheme Notation

Description

G: P: Xi : y: Y: h:

An additive group on an elliptic curve A generator of G The identifier for i th tag Server’s private key Y = yP Server’s public key A hash function h : {0, 1}∗ → {0, 1}l

Authentication While interrogating a set of tags, Fig. 1 illustrates the steps are performed between server and each tag, also described as follows: Step 1: The server chooses random integer r ∈ Zq and broadcasts message Co = r. Step 2: On reception, Tagi selects random k ∈ Zq and computes: K = kY , Ca = kP , Cb = Xi + K and Cc = h(Xi , K, Co , Ca , Cb ). Then Tagi sends {Ca , Cb , Cc }. Step 3: On reception of {Ca , Cb , Cc }, the server extracts K = yCa and computes identifier Xi = Cb − K and h(Xi , K, Co , Ca , Cb ). Then server compares it with the received Cc . If they are equal, the server directly fetches Xi from its database. If succeeds, the Tagi is authenticated. Finally, server computes and sends Cd = h(Xi , K, Co , Ca , Cb , Cc ) to the Tagi . Step 4 Tagi computes h(Xi , K, Co , Ca , Cb , Cc ) upon receiving Cd , then compares the result with the received Cd . If equal, Tagi believes that the counterpart is the legal server.

Review of Zhang & Qi’s scheme Zhang & Qi’s scheme consists of two phases: setup and authentication. Table 1 illustrate the notations used in Zhang & Qi’s scheme. Setup During system setup, the server chooses his private key y ∈ Zq and computes his public key Y = yP , then selects and stores identifier Xi ∈ G for each tag (i = 1, 2, 3.....). Finally, the server stores {Xi , Y , P } in each tag’s memory.

Fig. 1 Zhang & Qi’s RFID authentication scheme [32]

J Med Syst (2016) 40:165

Page 3 of 7 165

Security flaw of Zhang & Qi’s RFID scheme Forward untraceability implies that even if adversary A ables to get tag identifier Xi , he still remain unable to track tagi . Zhang & Qi claimed that their protocol satisfies the forward untraceability (see Theorem 4 in [32]). However, we show that Zhang and Qi’s RFID authentication scheme [32] could not provide forward untraceability. Let A knows identifier Xi . Further A intercepts the messages {Co∗ }, {Ca∗ , Cb∗ , Cc∗ } and {Cd∗ } transmitted between the server and a Tagi . A computes K ∗ = Cb∗ − Xi , and checks ?

Cc∗ = h(Xi , K ∗ , Co∗ , Ca∗ , Cb∗ ), if holds A assures message is from Tagi . Therefore, A can track Tagi by knowing the identifier Xi .

Review of Zhao’s scheme Fig. 2 Zhao’s RFID authentication scheme [33]

Zhao’s scheme [33] consists of two phases: setup and authentication. For convenience, notations used in Zhao’s scheme are presented in Table 2. Setup During setup phase, systems parameters and key pairs for the server and the tag are generated. 1. The server chooses the system parameters {q, a, b, P , n}. 2. The server selects xS ∈ Z∗n as private key and computes PS = xS P (the public key). 3. For each tag, the server generates random number xT ∈ Z∗n as the tag’s private key and computes tag’s public key ZT = xT P . The server stores (ZT , xT ) in its database. The server also stores {q, a, b, P , n}, (ZT , xT ) and PS into the tag’s memory. Authentication During authentication phase, the server and the tag authenticates each other. The process is shown in Fig. 2 and the details are described as follows: Table 2 Notations used in Zhao’s scheme Notation

Description

q , n: Fq : E: P: (xS , PS = xS P ): (xT , ZT = xT P ):

Two large prime numbers A finite filed An elliptic curve A generator point with order n Private/Public key pair of the server Private/Public keys of the tag

Step 1. The server generates random r2 ∈ Z∗n and computes R2 = r2 P . Then the server sends the message {R2 } to the tag. Step 2. Upon receiving {R2 }, the tag generates a random r1 ∈ Z∗n and computes R1 = r1 P = (kx , ky ), T KT 1 = (r1 kx )R2 , T KT 2 = (r1 ky )PS and AuthT = ZT + T KT 1 + T KT 2 . Then the tag sends the message {AuthT , R1 } to the server. Step 3. Upon receiving {AuthT , R1 }, the server computes T KS1 = (r2 kx )R1 , T KS2 = (xS ky )R1 and ZT = AuthT − T KS1 − T KS2 . Then, the server searches ZT in its database. If it is not found, the server stops the session; otherwise, the sever obtains the corresponding private key xT and computes AuthS = xT R1 + r2 ZT . Then the server sends the message {AuthS } to the tag. Step 4. Upon receiving {AuthS }, the tag checks whether AuthS and xT R1 + xT R2 are equal. If they are not equal, the tag stops the session; otherwise, the server is authenticated.

Security flaw of Zhao’s RFID scheme Zhao claimed his protocol to satisfy the forward untraceability (see Theorem 5 in [33]). However, we show that Zhao’s RFID authentication protocol could not provide forward untraceability. Let A gets TagT ’s secret key xT and ZT , further A intercepted message {R2∗ }, {Auth∗T , R1∗ } and {Auth∗S } transmitted between the server and an anonymous ?

tag. A checks Auth∗S = xT R1∗ + xT R2∗ , if holds, A assures

165

J Med Syst (2016) 40:165

Page 4 of 7

that message is originated by TagT . This equation holds for TagT ; Since AuthS = xT R1 + r2 ZT = xT R1 + r2 xT P = x T R1 + x T R2 . Therefore, the adversary A can track TagT by knowing the secret key xT .

Our improved scheme To solve the security problems of RFID authentication protocols, here we propose an improved ECC-based protocol based on Zhang & Qi’s scheme [32]. Setup During setup, the serve generates the systems parameters, private keys and public keys as follows:

Fig. 3 The improved RFID authentication scheme

1. Selects a finite field Fp , where p is a large prime. 2. Chooses an elliptic curve E : y 2 = x 3 +ax +b( mod p) over Fp . 3. Chooses a base point P over the elliptic curve E with the order p. where p is a large number for the security considerations. 4. Generates the additive group G generated by P . 5. Chooses an integer y ∈ Z∗p as its private key and computes the public key Y = yP . 6. For each tag, chooses a point Xi ∈ G as the identifier of i-th tag and then store each tag’s identifier and related information in a database. 7. Select the hash functions h : {0, 1}∗ → {0, 1}l , and H : {0, 1}∗ → G.

Tagi then sends {Ca , Cb } to the server. Step 3: On receiving {Ca , Cb }, the server computes:

Finally, server stores {E, P , p, Xi , Y , h, H } into the tag’s memory. Authentication phase When interrogating a set of tags, the server broadcasts a random point. Each tag in the range of the interrogation signal performs the authentication protocol shown in Fig. 3 and the detail is as follows: Step 1: The server chooses a random integer r ∈ Zq and broadcasts interrogation message Co = r to the Tagi . Step 2: On receiving the interrogation, Tagi picks a random integer k ∈ Zq and computes: K = kY,

(1)

Ca = kP ,

(2)

Cb = Xi + H (K, Co , Ca ).

(3)

K = yCa ,

(4)

and extracts the candidate tag identifier: Xi = Cb − H (K, Co , Ca ).

(5)

The server then directly fetches Xi from its database. If succeeds, the Tagi ’s identity is authenticated, and the server will authenticate itself to the Tagi by making a hash value: Cc = h(Xi , K, Co , Ca , Cb ).

(6)

Finally, the server returns Cc to the Tagi . Step 4 On receiving Cc , the Tagi computes a hash value h(Xi , K, Co , Ca , Cb ) then compares it with Cc . If equal, Tagi believes that the counterpart is the true server.

Security proof of the improved scheme In this section, we prove the correctness and the privacy of the improved authentication RFID scheme in the random oracle model. Lemma 1 (Correctness) In the presence of a benign adverj sary, both partner instances iT and S in the improved authentication RFID scheme output Accept decisions (i.e., j outputTi = outputS = Accept).

J Med Syst (2016) 40:165

Page 5 of 7 165

Proof According to the protocol description, the server S accepts Tagi if Xi computed by the server is equal to the Tagi ’s identifier Xi . This equality holds, since according to the equations (1–5) we have:





Xi = Cb − H (K, Co , Ca ) = Cb − H ((yCa ), Co , Ca )



= Cb − H ((ykP ), Co , Ca ) = Cb − H ((kY ), Co , Ca ) = (Xi + H (K, Co , Ca )) − H ((kY ), Co , Ca ) = (Xi + H (kY, Co , Ca )) − H ((kY ), Co , Ca ) = Xi . Moreover, the server is accepted by Tagi if the computed hash value h(Xi , K, Co , Ca , Cb ) is equal to the received message Cc . It is clear that they are equal since the parameter K computed by the server and Tagi is equal to kyP . Lemma 2 (Untraceable Privacy) In the improved authentication RFID scheme, for any polynomial time adversary A , the advantage Adv A (l) in winning the game with a challenger is negligible.

Proof Consider an adversary A having non-negligible advantage (l) to break untraceable privacy of our scheme, we show how to construct a challenger C that can solve the DDH problem. Suppose the challenger C foresees an instance (P1 = P , P2 = aP , P3 = bP , P4 = cP ) ∈ G of the DDH problem for a, b, c ∈ Z∗q , and is faced to find if P4 = abP . Assume that the game between C and A involves nt (l) tags where l is the security parameter. The challenger C and A interacts as follows: Setup Phase: C simulates the setup to A and provides public parameters {G, P , h}. C then sets the server’s public key Y = P2 = aP which is the input of DDH problem and gives it to A ; hence C does not know server’s private key. C then randomly chooses I ∈ {1, ..., nt (l)} to assign TagI as the target of Test query. Learning Phase: A can issue any Execute, Send, and Corrupt queries.

j

Execute(iT , S ): C returns the tuple {Co , Ca , Cb ,

Cc } to A , which are the exchanged message between j two instances iT and S . j Send(iT (resp. S ), m): C returns a message to j the adversary that the instance iT (resp. S ) would generate upon receipt of message m. Corrupt(Tagt ): C returns the secret identifier Xt of Tagt to the adversary.

Challenging Phase: In this phase, A issues a Test query on an uncorrupted tag Tagt . If Tagt = TagI , C aborts the simulation. Otherwise, C sets Co = P3 = bP . Since a and b are unknown, C can not compute the real parameters K as abP , thus it sets K = P4 = cP and computes Cb = XI + h(K, Co , Ca , K). Then, C returns {Co , Ca , Cb } to A . Guessing Phase: Eventually, A outputs a guess with a non-negligible advantage (l) to indicate that whether the received response in the challenging phase is a valid tuple or not. If the guess is YES, then K = abP ; if NO, K = abP . Therefore, C can find if K = abP using A and resultantly can compute the DDH problem. In the following we compute the success probability of C to solve DDH problem within this game. Success Probability: C aborts the simulation only if A issues a Test query on an tag Tagt other than the chosen tag TagI . Therefore, the success probability that C solves DDH problem is   1 (l),   (l) ≥ nt (l) which is a non-negligible function.

Theorem 1 The improved authentication RFID scheme has untraceable privacy, provided the DDH assumption holds. Specifically, suppose an adversary A wins the game with non-negligible advantage (l). Then there exists a polynomial-time algorithm C to solve the DDH problem with non-negligible advantage   (l) ≥ nt1(l) (l).

Proof From Lemma 1 and Lemma 2.

Table 3 Performance comparison

Hash functions Scaler multiplications

Liao & Hsiao’s [30]

Chou’s [22]

Zhao’s [33]

Zhang & Qi’s [32]

Ours

Tag

Server

Tag

Server

Tag

Server

Tag

Server

Tag

Server

0 5

0 5

2 2

2 1

0 5

0 5

2 2

2 1

2 2

2 1

165

J Med Syst (2016) 40:165

Page 6 of 7

Table 4 Security comparison Liao & Hsiao’s [30] Chou’s [22] Zhao’s [33] Zhang & Qi’s [32] Ours Resists Reply attack Resists Man-in-the-middle attack Resists Impersonation attack Offers Mutual authentication Offers Location privacy Offers Forward privacy Offers Provable Security

4 4 8 8 8 8 8

4 8 8 8 8 8 8

4 4 4 4 4 8 8

4 4 4 4 4 8 8

4 4 4 4 4 4 4

8:No, 4: Yes

The comparisons Here, a performance and functionality comparison is made between the proposed and some related ECC-based RFID authentication schemes. In this section, we evaluate the performance and functionality of our proposed scheme and make comparisons with some related ECC-based RFID authentication schemes. Table 3 shows the performance comparisons of our proposed and related schemes. It visible that, the computation cost of Chou’s [22] and Zhang & Qi’s schemes are less than the others but similar to our scheme. However, Zhang & Qi’s scheme doesn’t provide forward privacy and provable security and Chou’s [22]’s scheme is insecure to impersonation attack and does not provide some security features. Table 4 lists the security comparisons among our proposed scheme and other related schemes. It shows that our protocol has additional security features, which make it more suitable than other related protocols. Whereas, Liao & Hsiao and Chou’s schemes fails to provide mutual authentication, location and forward privacy. Moreover, their provable security can easily be compromised. On the other hand, security of Zhao and Zhang & Qi’s schemes are better than Liao & Hsiao and Chou’s schemes but their schemes also fail to provide forward privacy and provable security.

Conclusion In this paper, we briefly reviewed the Zhang & Qi’s and Zhao’s ECC-based RFID authenticated schemes for healthcare environments. We demonstrated that both Zhang and Qi and Zhao’s schemes do not satisfy tag forward privacy. To overcome the security weaknesses, we proposed an ECC based improved RFID authentication scheme for healthcare environments. The proposed schemes enhances the security of healthcare environments, which is proved in random oracle model. Moreover, performance and security comparison against related schemes discloses that the proposed scheme not only offers security against well-known cryptographic attacks, but also provides additional security features.

Acknowledgments Muhammad Khurram Khan extends his sincere appreciations to the Deanship of Scientific Research at King Saud University for its funding the Prolific Research Group (PRG-1436-16).

References 1. Burmester, M., Le, T.V., Medeiros, B.D., and Tsudik, G., Universally composable RFID identification and authentication protocols. ACM Trans. Inf. Syst. Secur.(TISSEC) 12(4):21, 2009. 2. Juels, A., and Weis, S.: Defining Strong Privacy for RFID. Cryptology ePrint Archive Report 2006/137, 2006. 3. Cai, S., Li, Y., Li, T., and Deng, R.H., Attacks and improvements to an RIFD mutual authentication protocol and its extensions. In: Proceedings of the second ACM conference on wireless network security, pp 51-58, 2009. 4. Song, B., and Mitchell C. J., Scalable RFID security protocols supporting tag ownership transfer. Comput. Commun. 34(4):556–566, 2011. 5. Niu, B., Zhu, X., Chi, H., and Li, H., Privacy and authentication protocol for mobile RFID systems. Wirel. Pers. Commun., 2014. doi:10.1007/s11277-014-1605-6. 6. Shao-hui, W., Zhijie, H., Sujuan, L., and Dan-wei, C., Security analysis of two lightweight RFID authentication protocols. annals of telecommunications-annales des tlcommunications, 2013. doi:10.1007/s12243-013-0361-z. 7. Dehkordi, M.H., and Farzaneh, Y., Improvement of the hash-based RFID mutual authentication protocol. Wirel. Pers. Commun., 2013. doi:10.1007/s11277-013-1358-7. 8. Safkhani, M., Peris-Lopez, P., Hernandez-Castro, J.C., and Bagheri, N., Cryptanalysis of the Cho others. protocol: A hashbased RFID tag mutual authentication protocol. J. Comput. Appl. Math. 259(1):571–577, 2014. 9. Alagheband, M.R., and Aref, M.R., Simulation-Based Traceability analysis of RFID authentication protocols. Wirel. Pers. Commun., 2013. doi:10.1007/s11277-013-1552-7. 10. Chen, C.L., Huang, Y.C., and Shih, T.F., A Novel Mutual Authentication Scheme for RFID conforming EPCglobal Class 1 Generation 2 Standards. Information Technology And Control 41(3):220–228, 2012. 11. Kuo, W.C., Chen, B.L., and Wuu, L.C., Secure Indefinite-Index RFID Authentication scheme with Challenge-Response strategy. Information Technology And Control 42(2):124–130, 2013. 12. Alagheband, M.R., and Aref, M.R., Unified privacy analysis of newfound RFID authentication protocols. Security and Communication Networks 6(8):999–1009, 2013. 13. Farash M.S., Cryptanalysis and improvement of an efficient mutual authentication RFID scheme based on elliptic curve cryptography. J. Supercomput. 70(2):987–1001, 2014.

J Med Syst (2016) 40:165 14. Hein, D., Wolkerstorfer, J., and Felber, N., ECC Is ready for RFID - a proof in silicon. In: Selected areas in cryptography, LNCS 5381, pp 401413, 2009. 15. Lee, Y.K., Sakiyama, K., Batina, L., and Verbauwhede, I., Elliptic curve based security processor for RFID. IEEE Trans. Comput. 57(11):1514–1527, 2008. 16. of Standards, N.N.I.: Technology: Cryptographic Hash Algorithm Competition. http://csrc.nist.gov/groups/ST/hash/sha-3/index. html. 17. Ning, H., Liu, H., Mao, J., and Zhang, Y., Scalable and distributed key array authentication protocol in radio frequency identificationbased sensor systems. IET Commun. 5(12):1755–1768, 2011. 18. Alomair, B., Clark, A., Cuellar, J., and Poovendran, R., Scalable RFID systems: a privacy-preserving protocol with constant-time identification. IEEE Trans. Parallel Distrib. Syst. 23(8):1536– 1550, 2012. 19. Alomair, B., and Poovendran, R., Privacy versus scalability in radio frequency identification systems. Comput. Commun. 33(18):2155–2163, 2010. 20. Song, B., and Mitchell, C.J., Scalable RFID Security protocols supporting tag ownership transfer. Comput. Commun. 34(4):556– 566, 2011. 21. Batina, L., Lee, Y.K., Seys, S., Singele, D., and Verbauwhede, I., Extending ECC-based RFID authentication protocols to privacypreserving multi-party grouping proofs. Pers. Ubiquit. Comput. 16(3):323–335, 2012. 22. Chou, J., S.,an efficient mutual authentication RFID scheme based on elliptic curve cryptography. J. Supercomput., 2013. doi:10.1007/s11227-013-1073-x. 23. Tuyls, P., and Batina, L., RFID-Tags for Anti-Counterfeiting. In: Topics in cryptology (CT-RSA’06), LNCS 3860, pp 115-131, 2006. 24. Schnorr, C.P., Efficient identification and signatures for smart cards. In Advances in Cryptology (CRYPTO’89), 239–252, 1990. 25. Batina, L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., and Verbauwhede, I., Public-key cryptography for RFID-tags. In: Fifth annual IEEE 2007. International Conference on Pervasive Computing and Communications Workshops, (PerCom Workshops’07), pp 217-222, 2007. 26. Okamoto, T., Provably secure and practical identification schemes and corresponding signature schemes. In: Advances in Cryptology (CRYPTO’92), pp 31-53, 1993. 27. Lee, Y.K., Batina, L., and Verbauwhede, I., EC-RAC (ECDLP Based randomized access control): provably secure RFID authentication protocol. In: IEEE International conference on RFID, pp. 97-104, 2008.

Page 7 of 7 165 28. O’Neill, M., and Robshaw, M. J., Low-cost digital signature architecture suitable for radio frequency identification tags. Comput. Digital Tech. IET 4(1):14–26, 2010. 29. Godor, G., Giczi, N., and Imre, S., Elliptic curve cryptography based mutual authentication protocol for low computational capacity RFID systems-performance analysis by simulations. In: IEEE International conference on wireless communications, networking and information security (WCNIS), pp 650-657, 2010. 30. Liao, Y., and Hsiao, C., A secure ECC-based RFID authentication scheme integrated with ID-verifier transfer protocol. Ad Hoc Netw., 2013. doi:10.1016/j.adhoc.2013.02.004. 31. Peeters, R., and Hermans, J.: Attack on Liao and Hsiao’s Secure ECC-based RFID Authentication Scheme integrated with ID-Verifier Transfer Protocol. http://eprint.iacr.org/2013/399, 2013. 32. Zhang, Z., and Qi, Q., An Efficient RFID Authentication protocol to enhance patient medication safety using elliptic curve cryptography. J. Med. Syst. 38(5):47, 2014. doi:10.1007/s10916-014-0047-8. 33. Zhao, Z., A Secure RFID Authentication protocol for healthcare environments using elliptic curve cryptosystem. J. Med. Syst. 38(5):46, 2014. doi:10.1007/s10916-014-0046-9. 34. Guo, P., Wang, J., Li, B., and Lee, S., A variable threshold value authentication architecture for wireless mesh networks. J. Internet Technol. 15(6):929–936, 2014. 35. Shen, J., Tan, H., Wang, J., et al., A novel routing protocol providing good transmission reliability in underwater sensor networks. J. Internet Technol. 16(1):171–178, 2015. 36. He, D., and Wang, D., Robust biometrics-based authentication scheme for multi-server environment. IEEE Syst. J. 9(3):816–823, 2015. 37. He, D., and Zeadally, S., Authentication protocol for an ambient assisted living system. IEEE Commun. Mag. 53(1):71–77, 2015. 38. He, D., An efficient remote user authentication and key agreement protocol for mobile clientserver environment from pairings. Ad Hoc Netw. 10(6):1009–1016, 2012. 39. Farash M.S., Cryptanalysis and improvement of ‘an improved authentication with key agreement scheme on elliptic curve cryptosystem for global mobility networks’. International Journal of Network Management 25(1):31–51, 2015. 40. Li, C. T., Weng, C. Y., and Lee, C.C., A secure RFID tag authentication protocol with privacy preserving in telecare medicine information system. J. Med. Syst. 39(8):1–8, 2015. 41. Srivastava, K., Awasthi, A. K., Kaul, S. D., and Mittal, R.C., A hash based mutual RFID tag authentication protocol in telecare medicine information system. J. Med. Syst. 39(1):1–5, 2015.

Suggest Documents