J Med Syst (2013) 37:9964

RFID Authentication Protocol for Medication Safety of Patients

Sonam Devgan Kaul · Amit K. Awasthi

Received: 3 August 2013 / Accepted: 18 September 2013 / Published online: 13 October 2013

Abstract

Medication errors can cause substantial harm to patients. Automated patient medication systems with RFID technology are used to reduce medication errors, to improve patient safety, to provide personalized patient medication and identification, and to provide counterfeit protection to patients. In order to enhance medication safety for patients, we propose a new dynamic ID based lightweight RFID authentication protocol. Due to the low storage capacity and limited computational and communicational capacity of tags, only a pseudo random number generator function, a one way hash function and the bitwise XOR operation are used in our authentication protocol. The proposed protocol is practical, secure and efficient for the health care domain.

School of Applied Sciences, Gautam Buddha University, Greater Noida, India. E-mail: [email protected], [email protected]

1 Introduction

Radio Frequency Identification (RFID) technology can play a vital role in the health care domain for improving patient safety, as it ensures that patients receive the correct medications and medical devices, prevents the distribution of counterfeit drugs and medical devices, manages assets such as hospital equipment and medical records, tracks patients and staff, and provides data for electronic medical records systems. A secure and efficient lightweight RFID authentication protocol has therefore become essential, as any interference by an intruder in the authentication process will be expensive as well as unsafe for patients. The London School of Hygiene and Tropical Medicine report, 2012, states that one in ten hospital patients suffers harm as a result of errors in their care [1]. With the increasing need for patient safety, RFID systems that ensure secure communication through a wireless channel are gaining popularity in the pharmaceutical industry and in hospitals.

RFID is an automatic identification technology that uses radio waves to identify patients, drugs and equipment. An RFID system consists of an RFID transponder (tag), an RFID interrogator (reader) and the back-end server. In an RFID system, tags are attached to the drugs, equipment and containers, and patients wear RFID tagged wristbands (Pallet tag), so that the drug information and patient information can be checked for integrity. At the time of initialization or registration of the tags, pre-shared secret keys are stored in the memory of the tags and the server. Then, for mutual authentication, the back-end server and the tag run the authentication protocol via the reader. The tag sends an authentication message using its identity and secret key to the reader upon request, and the reader then communicates with the back-end database server for verification.

The communication channel between the server and the reader is secure, while the communication channel between the reader and the tag is insecure: reader to tag and tag to reader communication goes through a wireless channel, which can be intercepted and read by an eavesdropper, or an adversary can modify a message in such a way that the legitimate recipient does not detect the manipulation. The consequences of an adversary's interference seriously endanger the safety of the patient. Thus, there is an urgent need for secure medication administration in the health care domain.

In this paper, we propose a secure lightweight RFID authentication protocol to protect patients from medication errors. Due to the low storage capacity and limited computational and communicational capacity of tags, we use only a pseudo random number generator function, a one way hash function and the bitwise XOR operation in our authentication protocol.

The rest of the paper is organized as follows: Section 2 briefly reviews the related work on RFID authentication protocols. Our proposed RFID authentication protocol is presented in Section 3, followed by the security analysis in Section 4. Finally, we conclude the paper in Section 5.

2 Related Work

In 2003, Juels et al. [9] gave the first approach towards privacy and security, which is to kill the RFID tag at the point of sale, but it is not practicable as all the previous details of communication are lost. Then, Weis et al. [26] proposed a hash based access control (HAC) approach to protect a tag, in which the hash of a random key is stored as its metaID, but the scheme allows a tag to be tracked as the same metaID is used repeatedly. They also suggested the Randomized Access Control (RAC) approach, in which a random number is embedded with the tag ID to protect location privacy, but it does not protect against backward traceability as the random number can be replayed and the tag ID is fixed. Ohkubo et al. [17] also proposed an RFID privacy protection scheme providing backward untraceability in 2003, but their scheme is vulnerable to replay attack and impersonation attack. In 2004, Henrici and Muller [6] proposed a hash based ID variation scheme (HIDV) in which a one way hash function is used and the ID is changed after each session to protect the location privacy of the tag, but after an unsuccessful session the tag replies with the same hash ID, which makes it traceable and vulnerable to impersonation attack and backward traceability. In 2006, Lim and Kwon [13] proposed a mutual authentication scheme to provide backward and forward untraceability, but the tag is traceable by an adversary. In 2006, Peris-Lopez et al. proposed a family of ultra-lightweight mutual authentication protocols, M2AP [21], LMAP [20] and EMAP [19], but these protocols are vulnerable to de-synchronization attack and full disclosure attack. In 2007, Chien [4] introduced an ultra-lightweight mutual authentication protocol to provide strong authentication and strong integrity (SASI), but his protocol is also vulnerable to de-synchronization attack, DOS attack and traceability attack.

In 2008, Lopez et al. [22] proposed the Gossamer protocol for low cost RFID tags, but it is memory and computationally exhaustive and still vulnerable to de-synchronization attack and DOS attack. In 2008, Song and Mitchell [24] proposed a mutual authentication protocol for RFID that employs bit operations and a keyed hash function, but their protocol is not secure against impersonation attack and de-synchronization attack. In 2009, Lee et al. [11] proposed an ultra-lightweight RFID protocol with mutual authentication as an alternative to the Gossamer protocol, but it is vulnerable to full disclosure attack, cloning attack, de-synchronization attack and traceability attack.

To improve the accuracy of healthcare management, Juels [8] proposed the "Yoking Proof" in 2004, which enables two tags to be simultaneously tracked, but his protocol does not withstand replay attack. Then, Sandlin [23] introduced the SurgiChip based RFID system to prevent counterfeit surgery, drug, procedure or site in 2005. Wu et al. [27] also proposed the application of RFID technology to drug safety in inpatient nursing healthcare in 2005. In 2008, Sun et al. [25] also proposed a new mechanism to prevent the risk of medication error. In 2010, Lo and Yeh [14] presented a denial of proof attack on grouping proof RFID authentication algorithms [23, 25, 27]. In 2011, Peris-Lopez et al. [18] proposed an inpatient safety RFID system (IS-RFID) which covers almost every phase of the drug administration process, but the IS-RFID system is also vulnerable to the denial of proof attack, and the generated medication evidence cannot defend against counterfeit evidence generated by the hospitals. Then, to improve security and privacy, several authentication protocols and their improvements [2, 3, 5, 7, 10, 12, 15, 16, 28, 29] have been proposed for constrained devices like RFID to improve patient safety.
3 Proposed Scheme

In order to enhance medication safety for patients, we propose a new dynamic ID based lightweight RFID authentication protocol which uses only a one way hash function, a pseudo random number generator function and the bitwise XOR operation. To protect the tag from traceability, the secret key and the identity are updated after each successful authentication between the tag and the server. The proposed protocol consists of three phases: Initialisation Phase, Authentication Phase and Updating Phase. The notations used throughout the paper are summarized in Table 1.

Table 1 Notations and symbols used in paper

$tid_i$: Identity of the $i$th tag
$k_i$: Secret key for the $i$th tag
$tid_i^{new}$: Updated identifier of the $i$th tag
$k_i^{new}$: Updated secret key for the $i$th tag
$n$: The number of tags
$r_1, r_2$: Random strings of $l$ bits generated by the pseudo random generator
$T$: Current date and time of the input device
$\delta T$: Expected time interval for a transmission delay
$h(\cdot)$: Secure one way hash function $h(\cdot) : \{0,1\}^* \to \{0,1\}^l$
$\oplus$: Bitwise XOR operation
$\|$: Concatenation operation

3.1 Initialisation Phase

In the Initialisation Phase, the server assigns the tag identity $tid_i \in \{0,1\}^l$ and the secret key $k_i \in \{0,1\}^l$, strings of $l$ bits, for all $n$ tags and stores the pair $(tid_i, k_i)$ in both the tag memory and the database system. It is assumed that the ordered pair of tag identifier and secret key $(tid_i, k_i)$ is shared only between the server and the corresponding tag. The reader has no knowledge of the ordered pair.

3.2 Authentication Phase

In the Authentication Phase, the server, reader and tag follow these steps to mutually authenticate each other.

1. When the reader wants to communicate with the tag, the reader generates a pseudo random number $r_1 \in \{0,1\}^l$ and sends $r_1$ to the tag via an insecure communication channel.

2. After receiving the random number $r_1$, the tag itself generates a pseudo random number $r_2 \in \{0,1\}^l$ and computes the authentication factors $A1$ and $A2$,

$A1 = h(k_i \oplus r_1) \oplus r_2$
$A2 = h(tid_i \| r_1 \| r_2 \| k_i \| T)$

where $T$ is the current time stamp, and sends the request message $(A1, A2, T)$ to the reader.

3. After receiving the message $(A1, A2, T)$, the reader first verifies the validity of the time stamp $T$ by checking $(T' - T) \le \delta T$ to accept or reject the authentication request, where $T'$ is the current time of the reader. If the check fails, the authentication request is rejected; otherwise the reader sends $(r_1, A1, A2, T')$ to the server along with a counter. By incorporating a counter in the message, the server avoids computation exhaustive attacks: the counter is incremented with each reply of the tag, after a limited number of wrong attempts the server locks the tag for some specific period, and the counter is reset only after a successful authentication process.

4. Then, the server first verifies the validity of the time stamp $T'$ by checking $(T'' - T') \le \delta T'$ to accept or reject the authentication request. If it is valid, the server finds $r_2^*$ for the $i$th tag pair $(tid_i, k_i)$:

For $1 \le i \le n$, $r_2^* = A1 \oplus h(k_i \oplus r_1)$

and verifies the authenticity of $r_2^*$ by comparing the computed $A2^*$ with the received $A2$,

$A2^* = h(tid_i \| r_1 \| r_2^* \| k_i \| T'')$

If it is not verified for any pair $(tid_i, k_i)$, then the session is dismissed; otherwise the server authenticates the tag, computes the mutual authentication factor $A3$,

$A3 = h(tid_i \oplus r_1 \oplus r_2 \oplus k_i)$

and sends $A3$ to the reader.

5. The reader directly sends $A3$ to the tag.

6. Finally, the tag verifies the authenticity of the received $A3$ against the computed $A3^*$, where $A3^* = h(tid_i \oplus r_1 \oplus r_2 \oplus k_i)$. If they match, mutual authentication is achieved.

Table 2 Authentication Phase

Server stores $(tid_i, k_i)$, $(tid_i^{new}, k_i^{new})$; Tag stores $(tid_i, k_i)$.

Reader: Generate $r_1$
Reader → Tag: $r_1$
Tag: Generate $r_2$; $A1 = h(k_i \oplus r_1) \oplus r_2$; $A2 = h(tid_i \| r_1 \| r_2 \| k_i \| T)$
Tag → Reader: $(A1, A2, T)$
Reader: Verify $(T' - T) \le \delta T$
Reader → Server: $(r_1, A1, A2, T')$
Server: Verifies $(T'' - T') \le \delta T'$; for $1 \le i \le n$: $r_2^* = A1 \oplus h(k_i \oplus r_1)$; $A2^* = h(tid_i \| r_1 \| r_2^* \| k_i \| T'')$; $A2^* \stackrel{?}{=} A2$; $A3 = h(tid_i \oplus r_1 \oplus r_2 \oplus k_i)$
Server → Reader: $A3$
Reader → Tag: $A3$
Tag: $A3^* = h(tid_i \oplus r_1 \oplus r_2 \oplus k_i)$; $A3^* \stackrel{?}{=} A3$

3.3 Updating Phase

After achieving mutual authentication between the server, reader and tag, the server and the tag compute a new dynamic identity and secret key for the next session, so that the tag becomes anonymous and cannot be traced.

1. The tag updates its identifier $tid_i$ with the new identity $tid_i^{new}$ and its secret key $k_i$ with the new secret key $k_i^{new}$,

$tid_i^{new} = h(tid_i \oplus r_1 \oplus r_2)$
$k_i^{new} = h(k_i \| r_1 \| r_2)$

The tag replaces the stored ordered pair $(tid_i, k_i)$ with the new ordered pair $(tid_i^{new}, k_i^{new})$.

2. The server computes $tid_i^{new}$ and $k_i^{new}$, where $tid_i^{new} = h(tid_i \oplus r_1 \oplus r_2)$ and $k_i^{new} = h(k_i \| r_1 \| r_2)$, and stores $(tid_i^{new}, k_i^{new})$ in its database memory. To protect the protocol from de-synchronization attack, the server does not replace the existing ordered pair $(tid_i, k_i)$ with the new one $(tid_i^{new}, k_i^{new})$ at that time, and maintains the pair $(tid_i, k_i)$ until a synchronized authentication is done.

Table 3 Updating Phase

Server: $tid_i^{new} = h(tid_i \oplus r_1 \oplus r_2)$; $k_i^{new} = h(k_i \| r_1 \| r_2)$; store $(tid_i^{new}, k_i^{new})$ in database
Tag: $tid_i^{new} = h(tid_i \oplus r_1 \oplus r_2)$; $tid_i \leftarrow tid_i^{new}$; $k_i^{new} = h(k_i \| r_1 \| r_2)$; $k_i \leftarrow k_i^{new}$

4 Security Analysis

In this section, we present the security analysis of our scheme. In addition to limited storage requirements and low computational and communicational cost, our protocol also withstands de-synchronization attack, impersonation attack, replay attack, parallel session attack, DOS attack, backward traceability, forward traceability, man in middle attack and cloning attack, and also achieves mutual authentication, tag anonymity and untraceability.

4.0.1 Achieve Mutual Authentication

In our protocol, mutual authentication between the tag, reader and server is achieved on the assumption that the communication between the server and the reader is secure as it is wired, while the communication between the reader and the tag is insecure as the reader to tag and tag to reader communication is through a wireless channel. The server/reader to tag authentication is done by the message $A2$ and tag to reader authentication is done by the message $A3$, and an adversary cannot modify the messages $A2$ and $A3$ as both are protected by the one way hash function and the security parameters $tid_i$, $r_1$, $r_2$ and $k_i$.

4.0.2 Resist De-synchronization Attack

It is not possible for an adversary to cause de-synchronization by modifying the communication between the reader and the tag in our protocol, as the tag updates its identity and secret key only after each successful session. Even if an adversary modifies the last message $A3$ received by the tag, he is unable to de-synchronize the tag and the server, as the server stores both the old and the new identifier and secret key ordered pairs $(tid_i, k_i)$ and $(tid_i^{new}, k_i^{new})$ in its database and maintains the pair $(tid_i, k_i)$ until a synchronized case has occurred.

4.0.3 Resist Impersonation Attack

To make the protocol secure against tag impersonation attack, both $A1$ and $A2$ are protected by the secure one way hash function, and any modification of the request message $(A1, A2, T)$ will be detected by the server when verifying $A2$. The legitimate server replies with the message $A3$ to the tag in order to enable the tag to authenticate the reader or server. Because the attacker has no way to find $tid_i$ and $k_i$ of the legitimate tag, he cannot form the same message $A3$, which makes our protocol secure against server impersonation attack.

4.0.4 Resist Replay Attack and Parallel Session Attack

Our proposed protocol can withstand replay attack and parallel session attack: replaying a request message $(A1, A2, T)$ of one session in another session is useless, as freshly generated random numbers are used, the authenticity of the request is verified by checking the freshness of the time stamp $T$, and the secret information is updated after each successful session. Replaying a request message within the valid time frame window also cannot give an attacker the common key between the reader and the tag.

4.0.5 Tag Anonymity and Untraceability

To make the tag anonymous, all the transaction messages and the updating process are composed with the internal secret parameters $(tid_i, k_i)$ and involve the random numbers $r_1$ and $r_2$. Consequently, only the server can extract the tag identifier and secret key pair $(tid_i, k_i)$ from the message $(A1, A2)$ sent by the tag. Thus, an adversary is unable to trace the tag, as the tag identity and secret key are updated after a successful run of the protocol.
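The authentication phase (Section 3.2), the updating phase (Section 3.3) and the server's retention of the old pair (4.0.2), as an added Python simulation that is not the authors' code. Assumptions: SHA-256 stands in for $h$ with $l = 256$, the reader and server are collapsed into one `verify` call, and the reader forwards the tag's time stamp $T$ so the server recomputes $A2$ over the same value; all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

L = 32        # l = 256 bits; SHA-256 stands in for h (assumption: the page names no hash)
DELTA_T = 5   # constructed freshness window delta-T, in seconds

def h(*parts):
    """One-way hash over the concatenation (||) of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):
    out = bytes(L)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

def ts(t):
    return t.to_bytes(8, "big")   # fixed-width time stamp keeps the concatenation unambiguous

class Tag:
    def __init__(self, tid, k):
        self.tid, self.k = tid, k

    def respond(self, r1, now):
        """Step 2: A1 = h(k XOR r1) XOR r2, A2 = h(tid || r1 || r2 || k || T)."""
        self.r1, self.r2 = r1, secrets.token_bytes(L)
        a1 = xor(h(xor(self.k, r1)), self.r2)
        return a1, h(self.tid, r1, self.r2, self.k, ts(now)), now

    def finish(self, a3):
        """Step 6 plus updating phase: rotate (tid, k) only if A3 verifies."""
        want = h(xor(self.tid, self.r1, self.r2, self.k))
        if a3 is None or not hmac.compare_digest(a3, want):
            return False          # A3 lost or altered: keep the current pair
        self.tid, self.k = h(xor(self.tid, self.r1, self.r2)), h(self.k, self.r1, self.r2)
        return True

class Server:
    def __init__(self):
        self.db = {}              # label -> [pair the tag last proved, pending new pair]

    def register(self, label, tid, k):
        self.db[label] = [(tid, k)]

    def verify(self, r1, a1, a2, t_tag, now):
        """Steps 3-4: freshness check, then search every stored pair for a matching A2."""
        if not 0 <= now - t_tag <= DELTA_T:
            return None, None     # stale (or future-dated) request, e.g. a replay
        for label, pairs in self.db.items():
            for tid, k in pairs:
                r2 = xor(a1, h(xor(k, r1)))                     # r2* = A1 XOR h(k XOR r1)
                if hmac.compare_digest(a2, h(tid, r1, r2, k, ts(t_tag))):
                    new = (h(xor(tid, r1, r2)), h(k, r1, r2))   # updating phase, server side
                    self.db[label] = [(tid, k), new]            # old pair kept until the tag shows it updated
                    return label, h(xor(tid, r1, r2, k))        # A3
        return None, None

def session(server, tag, now, drop_a3=False):
    """One protocol run; drop_a3 models A3 being lost or altered in transit."""
    r1 = secrets.token_bytes(L)                   # step 1, the reader's challenge
    a1, a2, t = tag.respond(r1, now)
    label, a3 = server.verify(r1, a1, a2, t, now)
    return label, tag.finish(None if drop_a3 else a3)

if __name__ == "__main__":
    srv, tid0, k0 = Server(), secrets.token_bytes(L), secrets.token_bytes(L)
    tag = Tag(tid0, k0)
    srv.register("wristband-1", tid0, k0)             # constructed sample tag
    print(session(srv, tag, now=100))                 # normal run, both sides rotate
    print(session(srv, tag, now=200, drop_a3=True))   # tag keeps its pair
    print(session(srv, tag, now=300))                 # still authenticates: server kept that pair
```

The server's search tries every stored pair for every request, so its work per authentication grows with the number of registered tags, which is the cost the counter and lockout in step 3 are meant to bound.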

4.0.6 Resist DOS Attack

To protect the server from denial of service attack, the reader employs an increasing counter, which is reset only after a successful authentication process by the back-end server. By incorporating a counter in the tag, the server avoids computation exhaustive attacks like the DOS attack, as the counter is incremented with each reply of the tag, and after a limited number of wrong attempts the server locks the tag for some specific period.

4.0.7 Resist Backward and Forward Traceability

In our protocol, even when the secret information of the tag is disclosed at the current time $t_0$, an adversary is unable to identify the tag at any time $t$ with $t < t_0$, and is also unable to identify the tag at any time $t$ with $t > t_0$, which makes our protocol secure against backward and forward traceability. For the security of past and future communication, the updating process involves not only the secret parameters $(tid_i, k_i)$ and the random numbers $r_1$ and $r_2$, but also the one way hash function.

4.0.8 Resist Man in Middle Attack

In our protocol, an adversary cannot act as the middle man between the tag and the reader, as the transaction messages are secured by one way hash functions. An adversary can intercept the transaction only if he knows the secret parameters, but it is not possible to find out all the secret parameters correctly at the same time.

4.0.9 Resist Cloning

An adversary cannot find the secret parameters and the random numbers, as the secret parameters, key and identity are dynamic by nature and use freshly generated pseudo random numbers. This makes him unable to make a fake tag and protects our protocol from cloning attack.

5 Conclusion

The consequences of any small error in pharmaceutical industries or in hospitals seriously endanger the safety of the patient. Thus, we present a new dynamic ID based lightweight RFID authentication protocol, which is designed to enhance patient safety. In spite of the low storage capacity and limited computational and communicational capacity of tags, our scheme withstands de-synchronization attack, impersonation attack, replay attack, parallel session attack, DOS attack, backward traceability, forward traceability, man in middle attack and cloning attack, and achieves mutual authentication, tag anonymity and untraceability, which makes our protocol secure and efficient for the health care domain.

References

1. Annual report 2012. Technical report, London School of Hygiene and Tropical Medicine report, 2012. http://www.lshtm.ac.uk/aboutus/introducing/annualreport/2012/annual
2. C. L. Chen and Y. L. Deng. Conformation of epc class-1 generation-2 standards rfid system with mutual authentication and privacy protection. Engineering Applications of Artificial Intelligence, 22(8):1284–1291, 2009.
3. H. Chien, C. Yang, T. Wu, and C. Lee. Two rfid-based solutions to enhance inpatient medication safety. Journal of medical systems, 35(3):369–375, June 2011.
4. H. Y. Chien. SASI: A new ultralightweight rfid authentication protocol providing strong authentication and strong integrity. IEEE Transactions on Dependable and Secure Computing, 4(4):337–340, Oct-Dec 2007.
5. H. Chien and C. Chen. Mutual authentication protocol for rfid conforming to epc class 1 generation 2 standard. Computer Standard and Interface, 29(2):254–259, Feb 2007.
6. D. Henrici and P. Muller. Hash based enhancement of location privacy for radio frequency identification devices using varying identifiers. International Workshop on Pervasive Computing and Communication Security - PerSec 2004, IEEE Computer Society, pages 149–153, March 2004.
7. H. H. Huang and C. Y. Ku. A rfid grouping proof protocol for medication safety of inpatient. Journal of medical systems, 33(6):467–474, Dec 2009.
8. A. Juels. "Yoking proofs" for rfid tags. First International Workshop on Pervasive Computing and Communication Security, IEEE Computer Society, pages 138–143, 2004.
9. A. Juels, R. L. Rivest, and M. Szydlo. The blocker tag: selective blocking of rfid tags for consumer privacy. The 8th ACM Conference on Computer and Communications Security, pages 103–111, 2003.
10. S. M. Lee, Y. J. Hwang, D. H. Lee, and J. I. Lim. Efficient authentication for low-cost rfid systems. International Conference on Computational Science and its Applications - ICCSA 2005, Springer Verlag, 3480:619–629, 2005.
11. Y. C. Lee, Y. C. Hsieh, P. You, and T. C. Chen. A new ultralightweight rfid protocol with mutual authentication. In Proc. of WASE'09, 2:58–61, 2009.
12. Y. Z. Li, Y. B. Cho, N. K. Um, and S. H. Lee. Security and privacy on authentication protocol for low-cost rfid. IEEE International Conference on Computational Intelligence and Security, 2:1101–1104, 2006.
13. C. Lim and T. Kwon. Strong and robust rfid authentication enabling perfect ownership transfer. Information and Communications Security, Lecture Notes in Computer Science, Springer, 4307:1–20, 2006.
14. N. W. Lo and K. H. Yeh. Anonymous coexistence proofs for rfid tags. Journal of Information Science and Engineering, 26(4):1213–1230, July 2010.
15. D. Molnar, A. Soppera, and D. Wagner. A scalable, delegatable pseudonym protocol enabling ownership transfer of rfid tags. Proc. Workshop on Selected Areas in Cryptography, LNCS Springer, SAC2005, 3897, 2006.
16. M. M. Morshed, A. Atkins, and H. Yu. Secure ubiquitous authentication protocols for rfid systems. EURASIP Journal on Wireless Communications and Networking, (doi: 10.1186/1687-1499-2012-93):1–35, 2012.
17. M. Ohkubo, K. Suzuki, and S. Kinoshita. Cryptographic approach to privacy friendly tags. RFID Privacy Workshop, Nov 2003.
18. Peris-Lopez, A. Orfila, A. Mitrokotsa, and J. V. der Lubbe. A comprehensive rfid solution to enhance inpatient medication safety. International Journal of Medical Informatics, 80(1):13–24, Jan 2011.
19. P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. EMAP: An efficient mutual authentication protocol for low cost rfid tags. In Proc. of IS'06, Springer Verlag, 4277:352–361, 2006.
20. P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. LMAP: A real lightweight authentication protocol for low cost rfid tags. In Hand of Workshop on RFID and Lightweight Crypto, 2006.
21. P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. M2AP: A minimalist mutual authentication protocol for low cost rfid tags. In Proc. of UIC'06, Springer Verlag, 4159:912–923, 2006.
22. P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Estevez-Tapiador, and A. Ribagorda. Advances in ultralightweight cryptography for low cost rfid tags: Gossamer protocol. In Proc. of WISA'08, Springer Verlag, 5379:56–68, 2008.
23. D. Sandlin. Surgichip - new technology for prevention of wrong site, wrong procedure, wrong person surgery. J Perianesth Nurs., 20(2):144–146, April 2005.
24. B. Song and C. J. Mitchell. Rfid authentication protocol for low cost tags. WISEC'08, pages 140–147, 2008.
25. P. R. Sun, B. H. Wang, and F. Wu. A new method to guard inpatient medication safety by the implementation of rfid. Journal of medical systems, 32(4):327–332, August 2008.
26. S. A. Weis, S. E. Sarma, R. L. Rivest, and D. W. Engels. Security and privacy aspects of low-cost radio frequency identification systems. Security in Pervasive Computing - SPC 2003, Springer-Verlag, 2802:201–212, March 2003.
27. F. Wu, F. Kuo, and L. W. Liu. The application of rfid on drug safety of inpatient nursing healthcare. ICEC '05 Proceedings of the 7th international conference on Electronic commerce, pages 85–92, 2005.
28. K. Yeh, N. Lo, and E. Winata. An efficient ultralightweight authentication protocol for rfid systems. Workshop on RFID Security, pages 49–60, Feb 2010.
29. Y. Yu, T. Hou, and T. Chiang. Low cost rfid real lightweight binding proof protocol for medication errors and patient safety. Journal of medical systems, 36(2):823–828, April 2012.