Sensors (Review)

Survey on Prominent RFID Authentication Protocols for Passive Tags

Rania Baashirah * and Abdelshakour Abuzneid *
Department of Computer Science and Engineering, University of Bridgeport, Bridgeport, CT 06604, USA
* Correspondence: [email protected] (R.B.); [email protected] (A.A.); Tel.: +1-(203)-576-4113 (A.A.)
Received: 1 September 2018; Accepted: 19 October 2018; Published: 22 October 2018

Abstract: Radio Frequency Identification (RFID) is one of the leading technologies in the Internet of Things (IoT) to create an efficient and reliable system to securely identify objects in many environments such as business, health, and manufacturing areas. Recent RFID authentication protocols have been proposed to satisfy the security features of RFID communication. In this article, we identify and review some of the most recent and enhanced authentication protocols that mainly focus on the authentication between a reader and a tag. However, the scope of this survey includes only passive-tag protocols, due to the large scale of the RFID framework. We examined some of the recent RFID protocols in terms of security requirements, computation, and attack resistance. We conclude that only five protocols resist all of the major attacks, while only one protocol satisfies all of the security requirements of the RFID system.

Keywords: RFID; security; privacy; authentication; passive tag; security threats; security attacks; IoT; lightweight protocol

1. Introduction

The wireless sensor network has expanded recently to employ new technologies in the Internet of Things (IoT). The purpose of this evolution is to create a low-cost, reliable, and secure communication network for current and future applications using radio waves in the most convenient way. Radio Frequency Identification (RFID) is a technology in which the detection of electromagnetic signals in the wireless sensor network identifies objects or people. Hundreds of thousands of RFID applications have been used to improve business efficiency and productivity in a variety of business operations, including supply chain management, access control, product tracking, merchandise allocation, toll collection, and so on. It is also considered an integral part of daily life, since its applications are not limited to business activities but extend to everyday activities, being integrated into cell phones, households, automobiles, etc.

Although the basic concept of RFID is similar to that of barcodes, in that items are identified using the data stored on them, RFID technology has vital benefits over barcodes. It does not require physical contact with the objects, allows multiple tags of different types to be scanned with one signal, has the ability to read from and write to the tag multiple times [1], and enables identifying objects in different climates such as fog and snow, and in packaging conditions such as ice, perishable food, and liquids [2]. RFID is considered a significant structure for future market development. Many business enterprises and manufacturers in the supply chain, including banks, transportation, government, agriculture, food safety, health care, and mass production, are nowadays using RFID to automate their product identification faster under different conditions, improving their business efficiency and customer service experience.

Sensors 2018, 18, 3584; doi:10.3390/s18103584

www.mdpi.com/journal/sensors


2. System Architecture and Communication Model

The basic system of RFID includes a receiver (reader), transponder (tag), and back-end database (server) to store and manage data. The RFID tag is a label that is placed into the object to be identified and located among hundreds and thousands of objects. It consists of a small antenna attached to a microchip with a small memory to store the object's identity and data [3]. The RFID reader is a scanner placed in a fixed location to interrogate the tag whenever the tag exists in the scanning environment. The back-end database server operates as a data processor that manages, controls, and stores the data from the tag and reader. An RFID system is depicted in Figure 1 [4].

Figure 1. Basic Radio Frequency Identification (RFID) Model.


RFID tags can be classified into three categories based on the storage memory, cost, and battery requirements: passive tags, semi-passive tags, and active tags [5,6].

• A passive tag operates without a battery, as the tag is energized when the reader interrogates it by sending a signal to request tag information. It has a short transmission range in communication, and has limited resources in terms of storage. It is considered the lowest in cost and has a higher lifespan.
• A semi-passive tag has a battery for its internal chip circuit; however, it is also energized by the reader interrogation, as in the passive tag.
• An active tag runs with a battery and can have two-way communication between tag and reader. It is larger due to the larger storage capacity and battery. The transmission range is also larger compared to passive tags. It is more expensive and has a limited life depending on the battery lifespan [2].

Table 1 provides some comparison of the three types of RFID tags.

Table 1. Classification of RFID Tags [7,8].

Property        | Passive Tags       | Semi-Passive Tags     | Active Tags
----------------|--------------------|-----------------------|---------------------------
Power           | Surrounding signal | Internal chip battery | Integrated battery
Storage         | Read memory        | Read/write memory     | Read/write memory
Distance        | 5 m                | 100 m                 | 1000 m
Application     | Identification     | Real-time tracking    | Environmental and logistic
Cost            | Low                | High                  | High
Size            | Small              | Large                 | Large
Lifespan        | Unlimited          | 10 years              | 10 years
Tag Signal      | Low                | High                  | High
Required Signal | High               | Low                   | Low

The basic communication session between an RFID reader and a tag starts when the reader broadcasts radio waves to interrogate the tag. The tag receives the signal and responds according to the reader's request. Since the communication channel between the reader and tag is assumed to be insecure, it is important to maintain a secure system during communication to avoid information leakage or forgery by unauthorized users. Efficient handling of RFID concerns about system security, cost, and liability is an essential factor for future adoption in the IoT.

3. Security Requirements and Threats

3.1. Security Requirements

The basic entities in the RFID system are the tag, reader, and database server. The communication channel between a tag and a reader is insecure and vulnerable to different security threats. Security requirements are the features that enable the system to resist security threats. There are several security requirements to evaluate the security level of an RFID system:



• Mutual Authentication: the main requirement in a simple scenario of an RFID communication session is the authentication between the reader and tag before exchanging or transmitting any secret or valuable information. Both tag and reader have to prove their legitimacy to each other to start a secure communication.
• Confidentiality: all of the transmitted messages have to be secured so that secret information and the values used to execute the communication cannot be obtained by an unauthorized user.
• Integrity: the transmitted data has to maintain its accuracy and must not be altered or changed during communication.
• Availability: the communication should be successfully executed by maintaining a synchronous state between the RFID entities. Communication values have to be updated after every successful session to provide system availability.
• Privacy: all of the secret information such as the tag identity has to be secured in order to provide anonymity and avoid tracing the tag or its location.
• Forward Security: the data transmitted during communication have to be independent and updated for every session, and cannot be used in or related to another authentication session. If a tag or any information is compromised, it is impossible for an adversary to pass the authentication or violate the system.

3.2. Security Threats

A secure RFID system must be able to resist different types of attacks. Messages in RFID communication are transmitted in the clear, and thus are vulnerable to eavesdropping, which discloses secret information. Many RFID protocols have been proposed to defend against different attacks such as:

• Replay Attack: an adversary tries to capture the tag response and resend it to the reader to start a successful communication with the reader or obtain any secret information.
• Man-In-The-Middle: an adversary intercepts the message between two legitimate entities (tag/reader) to modify it and send it on.
• Impersonate Attack: an adversary obtains either the reader or tag identity information to create a forged entity. As a result, the adversary acts as a legitimate entity to pass the authentication and proceed with the communication.
• Traceability: an adversary traces the tag to find its location and violate the tag's privacy. This attack exposes the private information of RFID users, for whom privacy is important.
• Desynchronization Attack: a communication session between tag and reader starts using the synchronous values stored in both the tag and reader to authenticate each other. A desynchronization attack occurs when an adversary breaks the synchronous state between the tag and server by blocking the update messages, causing the communication values stored in the server and in the tag to differ.
• Denial of Service: an adversary sends multiple signals simultaneously to the server as responses to make the system unavailable for further communication, which could further lead to a desynchronization attack.
• Cloning: an adversary uses a malicious device to obtain the reader or tag secret information and create a fake entity that can be used to perform a successful communication.
• Disclosure: an adversary identifies the secret information of the tag and the secret keys used in the communication to fully compromise the security of the protocol.

Many other security threats have been identified for RFID systems. A secure RFID system is designed to defend against the threats that are relevant to the application in use.

4. Review of Recent RFID Authentication Protocols

Several articles have proposed secure RFID protocols that improve the security measures of RFID systems. Modern advances in technology help discover many gaps in the protocols presented in the literature. The aim of this work is to review some of the recent RFID authentication protocols that specifically use passive tags. We aim to present an adequate comparison between the protocols in terms of performance and security. Since a passive tag is a very small chip with scarce resources, it is able to do only low computations. Hence, RFID protocols are classified in this paper into four categories based on the complexity of the algorithm that is used to compute the tag responses: heavyweight, simple-weight, lightweight, and ultra-lightweight [9]. Heavyweight algorithms use symmetric and public key cryptography that is beyond the passive tag's ability to process. Simple-weight algorithms use hash functions that are also not feasible for passive tag resources. Lightweight algorithms use simple one-way hash functions, cyclic redundancy checks, and pseudo-random number generators [10]. Finally, ultra-lightweight algorithms use bitwise operations, which can be performed at low cost.

4.1. Heavyweight Protocols

Wang and Sarma [11] proposed two session-based authentication protocols, SB-A and SB-B, for reader–tag authentication based on symmetric key encryption to ensure privacy and access control using two types of passive tags. The protocols are based on a symmetric cryptography algorithm such as the Advanced Encryption Standard (AES) or the Data Encryption Standard (DES) to provide low-cost authentication. Protocol SB-A in Figure 2 includes two phases. The first phase involves mutual authentication between server and tag according to the ISO/IEC 9798-2 three-pass mutual authentication protocol of the International Organization for Standardization and the International Electrotechnical Commission [12]. The second phase generates a session key between reader and tag according to the Otway–Rees protocol and updates the pseudo tag identity (PID). Protocol SB-B in Figure 3 uses tags with no memory or ID, so that all of the tag's information is stored in the server. A physical tag operation is mapped onto a digital virtual tag in the server that can perform all of the tag's executions. The protocol time to keep synchronization is controlled by the tag nonce and counter, and not by the server, because of the limited power of the tag to keep synchronization. The protocols proved to be secure against the major types of attacks; however, they are considered heavyweight, since DES and AES are expensive operations that require a lot of computational overhead.

Figure 2 (SB-A). Parties: Server S, Reader R, Tag T.

Step 1 (R → T): Send RID, OP_R to T.
Step 2 (T → R): Send PID_n and nonce N_T to R.
Step 3 (R → S): Send PID_n, N_T to server.
Step 4 (S): Use PID to search for the tag key K_TS.
Step 5 (S → R): Send E_KTS(N_T, N_S, PID_n) to R.
Step 6 (R → T): Send E_KTS(N_T, N_S, PID_n) to T.
Step 7 (T → R): Verify N_T to authenticate S; send E_KTS(N_S, N_T), PID_n to R.
Step 8 (R → S): Send to server: E_KTS(N_S, N_T), PID_n; and RID, OP_R, N_R.
Step 9 (S): Verify OP_R; generate K_RT; update PID_n to PID_n+1.
Step 10 (S → R): Send to R: E_KRS(N_R, PID_n, RID, OP_R, K_RT) and E_KTS(N_T, PID_n+1, RID, OP_R, K_RT).
Step 11 (R → T): Retrieve K_RT; send E_KTS(N_T, PID_n+1, RID, OP_R, K_RT) to T; if OP_R is (write), encrypt the information with K_RT and send it to T.
Step 12 (T): Retrieve K_RT, PID_n+1, RID, OP_R; verify OP_R = OP_R in Step 1; check the on-tag counter; decode OP_R and execute it; update PID_n to PID_n+1; if OP_R is (read), encrypt the information with K_RT and send it to the reader.

K_RS: server/reader shared key; K_TS: server/tag shared key; K_RT: reader/tag shared key; N_T: nonce generated by tag; N_R: nonce generated by reader; N_S: nonce generated by server; RID: reader ID; OP_R: operation of reader; PID_n: pseudo-ID of tag in current session; E_K(M): message encrypted by key K.

Figure 2. Session-Based Authentication Protocol (SB-A) by Wang and Sarma.

Figure 3 (SB-B). Parties: Server S, Reader R, Tag T.

Step 1 (R → T): Send RID, OP_R to T.
Step 2 (T → R): Send PID_n and nonce N_T to R.
Step 3 (R → S): Send PID_n, N_T to S.
Step 4 (S): Use PID to search for the tag key K_TS.
Step 5 (S → R): Update PID_n to PID_n+1; send E_KTS(N_T, N_S, PID_n+1) to R.
Step 6 (R → T): Send E_KTS(N_S, N_T, PID_n+1) to T.
Step 7 (T → R): Verify N_T to authenticate S; send E_KTS(N_S, N_T, RID, OP_R), PID_n to R; if OP_R is not (kill), update PID_n to PID_n+1.
Step 8 (R → S): Send E_KTS(N_S, N_T, RID, OP_R), PID_n to S; send RID, OP_R, N_R to S.
Step 9 (S): Verify reader authorization for OP_R.
Step 10 (S → R): If OP_R = read, send the message; if OP_R = kill: send E_KTS(N_T, PID_n+1, RID) to R, and kill Vtag.
Step 11 (R → T): Send E_KTS(N_T, PID_n+1, RID) to T.
Tag T, on receiving the message: retrieve N_T, PID_n+1, RID; verify RID = RID in Step 1; check the on-tag counter against the time limit; perform the physical kill operation.

K_RS: server/reader shared key; K_TS: server/tag shared key; K_RT: reader/tag shared key; N_T: nonce generated by tag; N_R: nonce generated by reader; N_S: nonce generated by server; RID: reader ID; OP_R: operation of reader; PID_n: pseudo-ID of tag in current session; E_K(M): message encrypted by key K; Vtag: virtual tag in the server.

Figure 3. Session-Based Authentication Protocol (SB-B) by Wang and Sarma.
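The three-pass core of SB-A (Steps 2 to 9 of Figure 2) is small enough to run end to end. The script below is an added example, not Wang and Sarma's code: AES/DES is replaced by a stand-in authenticated encryption built from HMAC-SHA256 (keystream plus MAC) so that it needs only the Python standard library, the PID_n to PID_n+1 derivation (hash of K_TS and PID_n) is this example's assumption, and the reader's relaying role, the Otway–Rees session-key phase, and OP_R handling are left out. The point it makes is that the tag accepts the server only when its own fresh N_T comes back under K_TS, and the server accepts the tag only when the fresh N_S comes back, so a message captured from an earlier run is rejected.

```python
"""Three-pass mutual authentication as in SB-A (Figure 2, Steps 2-9): the tag
sends PID_n and nonce N_T, the server answers E_KTS(N_T, N_S, PID_n), the tag
proves knowledge of K_TS with E_KTS(N_S, N_T), and the server then rotates
PID_n to PID_n+1. Added example, not the authors' code: AES/DES is replaced by
a stand-in authenticated encryption built from HMAC-SHA256 (keystream + MAC),
and the PID update rule is this example's assumption."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, fields: dict) -> bytes:
    """Stand-in for E_K(M): XOR with an HMAC-derived keystream, then an HMAC tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Decoded fields, or None when the MAC fails (wrong key or tampered message)."""
    nonce, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def next_pid(k_ts: bytes, pid: str) -> str:
    """Assumed PID_n -> PID_n+1 rule; the paper does not fix the derivation."""
    return hashlib.sha256(k_ts + bytes.fromhex(pid)).hexdigest()


class Server:
    def __init__(self):
        self.tags = {}        # current PID_n (hex) -> K_TS
        self.pending = None   # (PID_n, N_T, N_S) of the run in progress

    def register(self, pid: str, k_ts: bytes):
        self.tags[pid] = k_ts

    def step5(self, pid: str, n_t: str):
        """Steps 4-5: find K_TS by PID_n and return E_KTS(N_T, N_S, PID_n)."""
        k_ts = self.tags.get(pid)
        if k_ts is None:
            return None                     # unknown or already-retired PID_n
        n_s = os.urandom(16).hex()
        self.pending = (pid, n_t, n_s)
        return encrypt(k_ts, {"n_t": n_t, "n_s": n_s, "pid": pid})

    def step9(self, blob: bytes):
        """Steps 8-9: verify E_KTS(N_S, N_T) against this run's nonces, then rotate PID."""
        if self.pending is None:
            return None
        pid, n_t, n_s = self.pending
        self.pending = None
        k_ts = self.tags.get(pid)
        m = decrypt(k_ts, blob) if k_ts else None
        if m is None or m.get("n_s") != n_s or m.get("n_t") != n_t:
            return None                     # wrong key, tampered, or replayed from an old run
        new_pid = next_pid(k_ts, pid)
        self.tags[new_pid] = self.tags.pop(pid)
        return new_pid


class Tag:
    def __init__(self, pid: str, k_ts: bytes):
        self.pid, self.k_ts, self.n_t = pid, k_ts, None

    def step2(self):
        self.n_t = os.urandom(16).hex()
        return self.pid, self.n_t

    def step7(self, blob: bytes):
        """Server is authenticated only if it echoed our fresh N_T under K_TS."""
        m = decrypt(self.k_ts, blob)
        if m is None or m.get("n_t") != self.n_t or m.get("pid") != self.pid:
            return None
        return encrypt(self.k_ts, {"n_s": m["n_s"], "n_t": self.n_t})

    def update_pid(self):
        self.pid = next_pid(self.k_ts, self.pid)


def run_session(server: Server, tag: Tag):
    """One reader-relayed run; returns the new PID_n+1 or None on failure."""
    pid, n_t = tag.step2()
    b5 = server.step5(pid, n_t)
    b7 = tag.step7(b5) if b5 is not None else None
    new_pid = server.step9(b7) if b7 is not None else None
    if new_pid is not None:
        tag.update_pid()
    return new_pid
```

Note that the server retires PID_n as soon as Step 9 succeeds, while the real SB-A tag only updates in Step 12; if the Step 11 message were lost, the tag would still hold PID_n and the next lookup would fail, which is exactly the desynchronization case Section 3.2 describes.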

For traceability issues in RFID, Ryu et al. [13] proposed an elliptic curve cryptography-based untraceable authentication protocol (ECU) using the Schnorr signature scheme. Elliptic curve cryptography is considered to be a public key cryptography suited to RFID systems with low-constrained tags. It is used to solve the issues of three recent elliptic curve-based untraceable RFID authentication protocols: the Strong Privacy-preserving Authentication protocol (SPA) [14], the Efficient Mutual Authentication protocol EMA [15], and the ECC-based authentication protocol PII [16]. Ryu's protocol generates a digital signature with an appendix on a binary message of arbitrary length, and requires a cryptographic hash function, as shown in Figure 4. The sender's session key is combined with the receiver's public key to provide privacy, so that the message can be verified only by the receiver's private key. Ryu's protocol is secure against replay attacks, impersonate attacks, and traceability attacks, and it maintains forward security. It requires two scalar multiplications, two hash functions, a total message size of 544 bits, and two communications between tag and reader. Even though this protocol requires complex computations associated with scalar multiplications and a hash function, it does not authenticate the reader.

Figure 4 (ECU). Parties: Server S, Reader R, Tag T.

Setup Phase (S): Generate an elliptic group G of prime order q; choose a generator P of group G; server private/public keys (y, Y = yP); store the tag verifier X = xP (public key).
Tag T stores x, X, Y (server public key).

Authentication Phase:
Step 1 (R → T): Send random c to T.
Step 2 (T → R): Pick r as session secret; R = rP; v = H(R, c); Schnorr sign Z = rY, s = r + x·v; encrypted verifier eid = X ⊕ H(R, s); send (eid, Z, s) to R.
Step 3 (S, to authenticate the tag): Compute R' = y^−1 Z; derive X' = eid ⊕ H(R', s); check X' = X, the registered verifier; compute v' = H(R', c); authenticate the tag if H(sP − v'X, c) = v'.

G: cyclic additive group; P: generator of group G; q: order of group G; x_i: tag's private key; ⊕: XOR; X_i: tag's public key; y: server's private key; Y: server's public key; H: hash function.

Figure 4. Elliptic Curve Cryptography-Based Untraceable Authentication Protocol (ECU) by Ryu.

To reduce the tag's overhead in heavyweight protocols, Yao et al. [17] introduced the Reviving-UNder-DoS (RUND) authentication protocol to defend against denial of service (DoS) and preserve user privacy by powering up the tag to do complex computing for symmetric and public key cryptography. It leverages the power in DoS scans to enable the tag to respond in two ways: either using simple encryption when the tag is activated by low signals from a reader, or using public key encryption (higher security) when the backscattered signals are high in an insecure environment. The more signals there are in communication, the more power charges the tag. The option of using public key encryption in the RUND protocol is there to overcome the problem of breaking the synchronization state between the reader and tag in symmetric key encryption. The protocol is secure because secret information is not sent in the clear, so no useful information can be gained if any message is compromised. Moreover, the parameters used in communication are changed and updated in every session, as shown in Figure 5, to prevent replay attacks, maintain forward security, and resist tracking. Even though the overall efficiency of RUND is O(1), it is still not compliant with the Electronic Product Code Class 1 Generation 2 (EPC C1 G2) standard [18], which is defined by EPCGlobal Inc. for RFID data communication.

Figure 5 (RUND). Parties: Server S; Reader R holding PU_R, PR_R, and the shared K_i; Tag T holding PU_R, the shared K_i, and ID, with counter c set to 0.

Initialization Phase:
Step 1 (S): Precompute and store in S: f(K_i, c, pad1), where pad is the padding length for f().

Mutual Authentication Phase:
Step 2 (R → T): Send power waves lasting T_pw with energy E_c; send PRN r1 of length l to the tag.
Step 3 (T): Compute:
  If E_c energy: I1 = f(K, c, pad1); I2 = r1||f(K, r1||I1, pad1); I = I1||I2; update c = c + 1; energy consumed E_sk.
  If E_pk energy: E(PU_R, K, r1||r2, ID, c) in l length; energy consumed E_pk.
Step 4 (T → R): Send I to the reader.
Step 5 (R):
  If the response is symmetric: check counter c and search the database for f(K', c', pad1); check r1 for a replayed message; if it matches, the tag is authenticated.
  If the response uses the public key: check and search the database for the (ID, K) pair; check r1, r2 for a replayed message; if it matches, the tag is authenticated.

Updating Phase:
Step 6 (R → T): Generate r3 and compute I3 = r3||f(K, r3||I1, pad1); send I3, r3 to the tag; update K = f(K, r3, pad1); update the precomputed f(K_i, c, pad1) with the updated key; preserve the old key of the tag.
Step 7 (T): Check I3 using r3 by computing I'3; if it matches, the reader is authenticated; update K = f(K, r3, pad1); c = 0.

PU_R: public key of reader; ID: tag's ID; K_i: shared symmetric key; c: counter for the current key lifecycle; PR_R: private key of reader; pad_i: padding for f(); E_c: the initial power with which the tag is charged; T_PW: time for the power waves to last; E_SK: energy consumption for the hash function; E_PK: energy consumption for the public key operation.

Figure 5. The Reviving-UNder-Denial of Service Authentication Protocol (RUND) by Yao.
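The symmetric branch of RUND (Steps 2 to 7 of Figure 5) is where the desynchronization resistance described in Section 3.2 becomes concrete, so here it is as an added example (not Yao et al.'s code). f() is instantiated as HMAC-SHA256 with pad1 as a fixed trailing label, the reader does the server's table lookups itself, a counter window of 8 is assumed for the precomputed f(K_i, c, pad1) entries, and the energy-level branch is left out; all of those are this example's choices. The example goes one step beyond the figure by showing what the "preserve old key" line buys: a Step 6 message that never reaches the tag leaves the tag on its old key, and the next run still authenticates because the old key's table entries were kept.

```python
"""RUND symmetric branch (Figure 5, Steps 2-7) with the updating phase.
The tag answers I = I1 || I2 with I1 = f(K, c, pad1), which the server finds
in a table precomputed per key and counter, and I2 = r1 || f(K, r1 || I1, pad1),
which binds the reader's fresh r1. After a successful run the reader rotates
K = f(K, r3, pad1) but keeps the old key's table entries, so a Step 6 message
that never reaches the tag does not desynchronize it.
Added example, not the authors' code; f() is HMAC-SHA256 here and only the
symmetric (E_c) path is modelled."""
import hashlib
import hmac
import os

PAD1 = b"pad1"
WINDOW = 8          # counter values precomputed per key (assumed window)


def f(key: bytes, *parts: bytes) -> bytes:
    """Stand-in for f(K, ..., pad1): HMAC-SHA256 over the concatenated parts."""
    return hmac.new(key, b"".join(parts) + PAD1, hashlib.sha256).digest()


def ctr(c: int) -> bytes:
    return c.to_bytes(4, "big")


class Tag:
    def __init__(self, k: bytes):
        self.k, self.c, self.last_i1 = k, 0, None

    def step3(self, r1: bytes) -> bytes:
        i1 = f(self.k, ctr(self.c))
        i2 = r1 + f(self.k, r1, i1)
        self.c += 1                      # advances even if the reader never answers
        self.last_i1 = i1
        return i1 + i2

    def step7(self, i3: bytes, r3: bytes) -> bool:
        """Recompute I'3; on match the reader is authenticated and K, c are updated."""
        if i3[:8] != r3 or not hmac.compare_digest(i3[8:], f(self.k, r3, self.last_i1)):
            return False
        self.k, self.c = f(self.k, r3), 0
        return True


class Reader:
    def __init__(self, tags: dict):
        self.keys, self.table, self.r1, self.session = dict(tags), {}, None, None
        self.used_r1 = set()
        for name, k in self.keys.items():
            self._precompute(name, k)

    def _precompute(self, name: str, k: bytes):
        """Step 1: store f(K_i, c, pad1) for a window of counter values."""
        for c in range(WINDOW):
            self.table[f(k, ctr(c))] = (name, k)

    def step2(self) -> bytes:
        self.r1 = os.urandom(8)          # PRN r1 (the power-wave step is not modelled)
        return self.r1

    def step5(self, i: bytes):
        """Look up I1, check r1 is the current and unused challenge, verify I2."""
        i1, r1, mac = i[:32], i[32:40], i[40:]
        hit = self.table.get(i1)
        if hit is None or r1 != self.r1 or r1 in self.used_r1:
            return None
        name, k = hit
        if not hmac.compare_digest(mac, f(k, r1, i1)):
            return None
        self.used_r1.add(r1)
        self.session = (name, k, i1)
        return name

    def step6(self):
        """Rotate the tag's key and add its new table entries; old ones are kept."""
        name, k, i1 = self.session
        r3 = os.urandom(8)
        i3 = r3 + f(k, r3, i1)
        self.keys[name] = f(k, r3)
        self._precompute(name, self.keys[name])   # old-key entries stay in self.table
        return i3, r3


def run_session(reader: Reader, tag: Tag, deliver_step6: bool = True):
    """Returns the authenticated tag name, or None."""
    r1 = reader.step2()
    name = reader.step5(tag.step3(r1))
    if name is None:
        return None
    i3, r3 = reader.step6()
    if deliver_step6 and not tag.step7(i3, r3):
        return None
    return name
```

The counter window is the practical limit of this scheme: a tag that is interrogated more than WINDOW times without ever completing Step 7 runs its counter past the precomputed entries and must be re-enrolled, which is the "check counter c" condition in Step 5.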

4.2. Simple-Weight Protocols

To better improve the performance of RFID protocols and reduce the power that is needed for complex operations in ECC-based protocols, Farash [19] proposed a mutual authentication protocol (IECC) based on the elliptic curve. The protocol enhances Chou's authentication protocol (EMA) [15], which does not fulfill the security requirements of forward security, mutual authentication, tag privacy, and security against location tracking, impersonating attacks, and tag cloning attacks for an RFID system. The main idea behind the protocol is to use the server's public key to create the authentication message, to avoid breaking the system's privacy, as depicted in Figure 6. The IECC protocol is secure against major attacks, even though its computation cost is the same as in Chou's protocol, which needs to be reduced for practical implementation.

Figure 6 (IECC). Parties: Server S holding {X_i, yP, P}; Reader R; Tag T holding {X_i, Y, P}.

Setup phase (S): Generate an elliptic group G of prime order q; choose a generator P of group G; choose a random number y as private key; public key Y = yP; choose a random X from G as tag identifier; store X_i, Y, P in each tag.

Authentication phase:
Step 1 (R → T): Choose a prime random number r; compute C0 = rP; send C0 to the tags.
Step 2 (T → S): Choose a prime random number k; K = kP; C1 = kY; C2 = X_i + h(C0, C1, K); send C1, C2 to the server.
Step 3 (S → T): Obtain K' = y^−1 C1; obtain X_i' = C2 − h(C0, C1, K'); find a match for X_i' in the DB; if found, C3 = h(X_i', K') and the tag is authenticated; send C3 to the tag.
Step 4 (T): Validate C3 = h(X_i, K); the server is authenticated.

G: an additive group of prime order q; P: generator of group G; h: one-way hash function; y: server's private key; Y: server's public key; X_i: identifier of the ith tag, which is a random point in G.

Figure 6. Mutual Authentication Protocol Based on Elliptic Curve Cryptography (IECC) by Farash.

Zhang and Qi [20] also proposed another protocol (EECC) to withstand the security weaknesses of Chou's protocol, EMA [15]. The EECC protocol enhances patient medication safety by also using elliptic curve cryptography. In comparison to the EMA protocol, EECC resulted in better performance and in resistance to impersonation and forward security attacks.

B. Chen [21] proposed a role-based access control (RBAC) protocol for mobile RFID to enable user privacy, roles, and access control through the back-end server based on a certification mechanism. RBAC assigns role classes as keys to control the information and the number of times each reader can read a tag. RBAC authorizes readers, assigns role classes to control the reader's authority to request tag information, and updates timestamps using random numbers and different shared keys between the database server, the reader, and the tag, as depicted in Figure 7. Traceability and replay attacks are prevented using updated random numbers in every session; access control is provided using shared keys to prevent unauthorized readers from requesting or reading any tag's information, and integrity is ensured using timestamps. However, RBAC uses an encryption mechanism that is excessive for low-cost passive tags.


Server: kx, ky keys; Reader: ky keys; Tag: kx keys
1- Reader authorization and role class:
Step 1 (Reader): Send Hello to tag →
Step 2 (Tag): Create random number r1; M1 = Ekx(TID, TS, r1); send M1 to reader ←
Step 3 (Reader): Create random number r2; M2 = Eky(M1, r2, RID, Command); send M2 to server ←
(Server): Request role-class command, read tag command, TID, and RID from RBAC; RBAC sends role-class; M3 = Eky(RID, r1, TS1, CertR, role-class); M4 = Ekx(TID, r2, TS1, role-class); send M3, M4 to reader →
Step 4 (Reader): Retrieve r1, TS1, CertR, role-class from M3; M5 = H(TS1 ⊕ r2); send M4, M5 to tag →
2- Assign number of reads and update timestamps:
Step 5 (Tag): Verify M5 using TS1 from M4 and its own r1 to authenticate the reader; calculate the number of reads TCn−1 = TCn − 1; if TS1 is verified, it is updated to TS2; M6 = Ekx(TS2, TCn−1); send M6 to reader ←
Step 6 (Reader): Receive M6; M7 = Eky(CertR, r2, M6); send M7 to database server ←
Step 7 (Server): Retrieve CertR, r2 from M7; if CertR is verified, retrieve TS2, TCn−1 from M6; M8 = Eky(TS2, TCn−1, r2); send M8 to reader →
Step 8 (Reader): Retrieve TS2, TCn−1, r2 from M8; verify r2
Notation: TID: tag ID; Kx: server/tag shared key; Ky: server/reader shared key; r: random number; TS: timestamp; TCn: number of times a reader requests information; CertR: reader security certificate; RBAC: role-based access control.

Figure 7. Role-Based Access Control Protocol (RBAC) by B. Chen.

4.3. Lightweight Protocols

Successful businesses demand an efficient RFID system that is based mainly on low computation for a low cost. Many recent RFID protocols use low-cost operations that can be handled by low-cost passive tags for practical implementations.

Fernando and Abawajy [22] proposed a mutual authentication protocol for Networked RFID Systems (NRS), which is a lightweight mutual authentication scheme for an RFID system using low-cost operations such as the exclusive-or operation (XOR) and one-way hash functions. However, Alagheband and Aref [10] reported NRS to be vulnerable to major attacks and specifically to a full disclosure attack that compromises the whole RFID system. Alagheband and Aref improved the NRS protocol and proposed NRS+ by adding three more hash functions to the authentication message to increase the system security. X. Chen et al. [23] noted that the NRS+ protocol is exposed to desynchronization and traceability attacks because it uses one random number for both the tag and the reader. Thus, X. Chen proposed NRS++ to fix the security flaws in the previous versions of NRS by generating two different random numbers, r1 and r2, for the tag and the reader using a pseudo-random number generator (PRNG) to defend against replay attacks. In Figure 8, the authentication message M3 is encrypted using the tag's random number r1 and the reader's random number r2 to provide message integrity, so any modified message cannot be verified by the tag. NRS++ uses fewer hash functions, which results in less computation overhead and storage space than the other versions, with stronger security.

Server S: Update secrets in database: IDnew = ID ⊕ (r2right||K1left); K1new = H[(K1right||r1left) ⊕ r2]
Reader R
Step 1 (R): Generate random number r; calculate M1 = H(EPC ⊕ K1||r), M2 = r ⊕ K1; send M1||M2 to tag →
Tag T
Step 2 (T): Extract r as r = M2 ⊕ K1; compute C1 = H(EPC ⊕ K1||r); if C1 = M1, generate r1, N = r1 ⊕ K1, M3 = H(EPC ⊕ K1||r||r1); else terminate; send M3||N to reader ←
Step 3 (R): Extract r1 = N ⊕ K1; compute C2 = H(EPC ⊕ K1||r||r1); verify C2 = M3; if equal: generate random number r2, M4 = r2 ⊕ K1, M5 = H(EPC ⊕ K1||r1||r2); if not equal: terminate; send M4||M5 →
Step 4 (T): Extract r2 as r2 = M4 ⊕ K1; compute C3 = H(EPC ⊕ K1||r1||r2); verify C3 = M5; if equal: update the secrets; if not equal: terminate
Notation: ID, EPC: tag identifier; H(): one-way hash function; K1: server/tag shared key; r, r1, r2: random numbers; ⊕/||: XOR and concatenation operations.

Figure 8. Mutual Authentication Protocol for Networked RFID Systems (NRS++) by X. Chen.
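The NRS++ exchange of Figure 8, as an added example that is not code from the survey or from X. Chen's paper: the reader and back-end server are merged into one Backend object, H() is instantiated with SHA-256 truncated to 128 bits, and all identifiers, keys and nonces are 128-bit byte strings (assumptions of this example). A flipped bit in M3 makes the tag's authentication fail and leaves both sides' secrets unchanged.

```python
import os
import hashlib

L = 16  # byte length of EPC, K1 and the nonces r, r1, r2 (assumption: 128-bit values)


def H(data: bytes) -> bytes:
    """One-way hash H() of Figure 8, instantiated here as SHA-256 truncated to L bytes."""
    return hashlib.sha256(data).digest()[:L]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def left(s: bytes) -> bytes:
    return s[: L // 2]


def right(s: bytes) -> bytes:
    return s[L // 2:]


def update_secrets(epc: bytes, k1: bytes, r1: bytes, r2: bytes):
    """Secret update of Figure 8, run by both sides after a successful run:
    IDnew = ID xor (r2_right || K1_left);  K1new = H[(K1_right || r1_left) xor r2]."""
    epc_new = xor(epc, right(r2) + left(k1))
    k1_new = H(xor(right(k1) + left(r1), r2))
    return epc_new, k1_new


class Tag:
    def __init__(self, epc: bytes, k1: bytes):
        self.epc, self.k1 = epc, k1
        self.r1 = None

    def step2(self, m1: bytes, m2: bytes):
        """Recover r, check M1 (reader authentication); answer M3 || N, or None to terminate."""
        r = xor(m2, self.k1)
        if H(xor(self.epc, self.k1) + r) != m1:
            return None
        self.r1 = os.urandom(L)
        n = xor(self.r1, self.k1)
        m3 = H(xor(self.epc, self.k1) + r + self.r1)
        return m3, n

    def step4(self, m4: bytes, m5: bytes) -> bool:
        """Recover r2, check that M5 binds r1 and r2; update the secrets only on success."""
        r2 = xor(m4, self.k1)
        if H(xor(self.epc, self.k1) + self.r1 + r2) != m5:
            return False
        self.epc, self.k1 = update_secrets(self.epc, self.k1, self.r1, r2)
        return True


class Backend:
    """Reader plus back-end server of Figure 8, holding the (EPC, K1) record of one tag."""

    def __init__(self, epc: bytes, k1: bytes):
        self.epc, self.k1 = epc, k1
        self.r = None

    def step1(self):
        """Fresh r; M1 = H(EPC xor K1 || r), M2 = r xor K1."""
        self.r = os.urandom(L)
        return H(xor(self.epc, self.k1) + self.r), xor(self.r, self.k1)

    def step3(self, m3: bytes, n: bytes):
        """Recover r1, check M3 (tag authentication); answer M4 || M5 and update the database."""
        r1 = xor(n, self.k1)
        if H(xor(self.epc, self.k1) + self.r + r1) != m3:
            return None
        r2 = os.urandom(L)
        m4, m5 = xor(r2, self.k1), H(xor(self.epc, self.k1) + r1 + r2)
        self.epc, self.k1 = update_secrets(self.epc, self.k1, r1, r2)
        return m4, m5


def run_session(tag: Tag, backend: Backend, flip_bit_in_m3: bool = False) -> bool:
    """Run one NRS++ session; True only when both sides authenticated each other."""
    reply = tag.step2(*backend.step1())
    if reply is None:
        return False
    m3, n = reply
    if flip_bit_in_m3:  # constructed in-transit modification of the tag's message M3
        m3 = bytes([m3[0] ^ 0x01]) + m3[1:]
    reply = backend.step3(m3, n)
    if reply is None:
        return False
    return tag.step4(*reply)


def in_sync(tag: Tag, backend: Backend) -> bool:
    return (tag.epc, tag.k1) == (backend.epc, backend.k1)


def make_pair():
    epc, k1 = os.urandom(L), os.urandom(L)  # constructed sample secrets shared at enrolment
    return Tag(epc, k1), Backend(epc, k1)


if __name__ == "__main__":
    tag, backend = make_pair()
    print("honest run:", run_session(tag, backend), "| in sync:", in_sync(tag, backend))
    print("modified M3:", run_session(tag, backend, flip_bit_in_m3=True),
          "| in sync:", in_sync(tag, backend))
```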

C. Chen [24] proposed the Anti-Counting Security Protocol (ACSP) as another lightweight protocol for RFID systems to defend against a counting attack, which is defined as the attacker's ability to count the number of objects in a system. Safkhani et al. [25] reported ACSP to be vulnerable to major attacks, including the forward/backward traceability attack. Safkhani further proposed ACSP+ to improve Chen's protocol. Later, X. Chen [23] pointed out that the ACSP protocol is not secure, and proposed ACSP++ to withstand DoS and forward/backward traceability attacks. ACSP++ enhances the session identifier (SID) update, which is used to verify the current session, and the tag identification phases that suffer from different attacks in the ACSP and ACSP+ versions. In ACSP++, as depicted in Figure 9, a tag identifier (TID) is added to the identification message as (IDENT, R4, R5, TID) instead of (IDENT, R4, R5), and the authentication message (AUTHEN, R4, R5, TID) is replaced with (AUTHEN, R5, TID) to overcome the DoS attack and the modification of the TID in the identification phase. The update phase of every key is associated with two separate nonce values to avoid forward and backward traceability. Even though the protocol fixed the security weaknesses of all of the ACSP versions, it lowered neither the computation overhead nor the storage space.


Reader R (SID Update Phase)
Step 1 (R): Generate nonce R1; send to tag: (…, R1 ⊕ SID, H(…, R1, SID)) →
Tag T
Step 2 (T): Extract R1 to verify H(…, R1, SID); generate R2; update SID: SIDnew = H(SID||R2||R1), SIDold = SIDcur; send confirmation to reader: (…, R2 ⊕ SID, H(…, R2, R1, SID)) ←
Step 3 (R): Extract R2 and verify H(…, R2, R1, SID); update SID as SIDnew = H(SID||R2||R1)
(Tag Identification Phase)
Step 1 (R): Generate R3, R4; send the following messages to tag → a) (…, SID ⊕ R3, H(…, R3, SID)); b) (…, SID ⊕ TID ⊕ R4, H(…, R4, SID, TID))
Step 2 (T): Extract R3' to verify H(…, R3, SID); if not verified: wait until the next run; if verified: respond with step 3
Step 3 (T): Extract R4' to verify H(…, R4, SID, TID); generate R5; send (IDENT, TID ⊕ R5, H(IDENT, R4, R5, TID)) ←
Step 4 (R): Authenticate the tag: extract R5' to verify H(IDENT, R4, R5, TID); if not verified: stop the session; if verified: update TID as TIDnew = H(TID||R4||R5), TIDold = TID; send (AUTHEN, H(AUTHEN, R5, TID)) →
Step 5 (T): Calculate and verify H(AUTHEN, R5, TID); if not verified: stop the session; if verified: update the tag identifier as TIDnew = H(TID||R4||R5)
Notation: R1, R2, R3, R4, R5: nonces; Select/Query commands (symbols not recoverable from the extracted figure, shown as …); SIDcur/SIDnew: current/new session identifier; SID update/Update knowledge messages; TIDcur/TIDnew: current/new unique identifier; IDENT/AUTHEN: identification/authentication messages.

Figure 9. Anti-Counting Security Protocol (ACSP++) by X. Chen.

Chien and Huang [26] presented LAP, which is a lightweight authentication protocol that solves the vulnerabilities in the authentication protocol of Li et al. [27] and reduces the computational cost of identifying tags in RFID systems from O(n) to O(1). The security of the LAP protocol is based on a synchronized PRNG between reader and tag using a secret key, a secret ID, and an index pseudonym. In Figure 10, the LAP protocol uses the rotate operator on the message and the left/right operator for the divided rotation during the exchanged messages to form a secure permutation. Random numbers are used to shift the secret values of the tag so that they can be used safely in communication. Then, the random number is XORed with the shifted secret value so that the server can securely retrieve the tag. The server uses the index pseudonym (IDS) to quickly identify the tag in the database instead of computing PIDL ⊕ PIDR for every tag, which makes the computation O(1). The LAP protocol is resistant to replay attack and DoS, and provides forward security. It can be employed easily by different standards such as EPC Gen2 and ISO 15693 [28] for practical implementation. However, the protocol was noted as being only partially secure against traceability and synchronization attacks, since a tag can be traced between two successful sessions if the tag could not update its IDS.

Server S: {flag, Xold, Xnew, IDSold, IDSnew, SID}; Reader R; Tag T: {SID, IDS, X}
Step 1 (R): Generate R1; send Query||R1 to T →
(T): Generate R2; compute g' = g(R1||R2||X); SID' = rotate(SID, g'); R' = left(SID' ⊕ g'); send R2||R'||IDS to R ←
(R): Forward R1||R2||R'||IDS to S ←
Step 2 (S): Search IDSi. If IDS == IDSold: flag = 0, X = Xold; if IDS == IDSnew: flag = 1, X = Xnew. Compute g' = g(R1||R2||X); SID' = rotate(SID, g'); verify R' as R' = left(SID' ⊕ g'); compute R'' = right(SID' ⊕ g'). If flag = 1: IDSold = IDSnew, Xold = Xnew; else: IDSnew = g(IDS||SID'), Xnew = g(X||g'). Send R'' to reader →
(R): Forward R'' to T →
Step 3 (T): Verify R'' = right(SID' ⊕ g'); update IDS = g(IDS||SID'), X = Xnew = g(X||g'); send ACK to R ←
(R): Forward ACK to S ←
Step 4 (S): When OK is received, send SID to R →
Notation: SID: secure ID; PID: partial ID; IDS: index pseudonym; g(): random number generator; X: l-bit secret key; R1, R2: random numbers; rotate(): rotation function; left(s): left half of s; right(s): right half of s; ACK: acknowledgement.

Figure 10. Lightweight Authentication Protocol (LAP) by Chien.
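The LAP run of Figure 10 with the server's old/new (IDS, X) pairs and its O(1) lookup by index pseudonym, as an added example that is not code from the survey or from Chien and Huang's paper. Assumptions of this example: g() is SHA-256 truncated to l = 128 bits, rotate() shifts by g' mod l, the reader only forwards, and the fresh IDSnew/Xnew derivation that Figure 10 lists in the flag = 0 branch is applied in both branches so the server always holds the value the tag will compute next. Dropping R'' shows the synchronization recovery and the traceability window the text describes: the same IDS is observed in two consecutive runs.

```python
import os
import hashlib

L_BITS = 128            # l, the bit length of SID, IDS and X (assumption: 128 bits)
L = L_BITS // 8


def g(data: bytes) -> bytes:
    """g(): the shared random-number generator of Figure 10, here SHA-256 truncated to l bits."""
    return hashlib.sha256(data).digest()[:L]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rotate(s: bytes, k: bytes) -> bytes:
    """rotate(s, k): left-rotate the l-bit string s; the shift amount is k mod l (assumption)."""
    n = int.from_bytes(k, "big") % L_BITS
    v = int.from_bytes(s, "big")
    v = ((v << n) | (v >> (L_BITS - n))) & ((1 << L_BITS) - 1)
    return v.to_bytes(L, "big")


def left(s: bytes) -> bytes:
    return s[: L // 2]


def right(s: bytes) -> bytes:
    return s[L // 2:]


class Tag:
    def __init__(self, sid: bytes, ids: bytes, x: bytes):
        self.sid, self.ids, self.x = sid, ids, x

    def respond(self, r1: bytes):
        """Tag side of step 2: R2, R' = left(SID' xor g') and the index pseudonym IDS."""
        r2 = os.urandom(L)
        self.gp = g(r1 + r2 + self.x)
        self.sidp = rotate(self.sid, self.gp)
        return r2, left(xor(self.sidp, self.gp)), self.ids

    def finish(self, rpp: bytes) -> bool:
        """Step 3: verify R'' = right(SID' xor g') and only then roll IDS and X forward."""
        if rpp != right(xor(self.sidp, self.gp)):
            return False
        self.ids = g(self.ids + self.sidp)
        self.x = g(self.x + self.gp)
        return True


class Server:
    def __init__(self):
        self.by_ids = {}   # IDS -> record: the O(1) lookup instead of a search over all tags

    def enrol(self, sid: bytes, ids: bytes, x: bytes):
        self.by_ids[ids] = {"sid": sid, "ids_old": ids, "ids_new": ids, "x_old": x, "x_new": x}

    def step2(self, r1: bytes, r2: bytes, rp: bytes, ids: bytes):
        """Server side of step 2; returns R'' or None when the tag is rejected."""
        rec = self.by_ids.get(ids)
        if rec is None:
            return None
        if ids == rec["ids_new"]:
            flag, x = 1, rec["x_new"]
        else:
            flag, x = 0, rec["x_old"]        # tag missed the last R'': fall back to old values
        gp = g(r1 + r2 + x)
        sidp = rotate(rec["sid"], gp)
        if rp != left(xor(sidp, gp)):
            return None
        rpp = right(xor(sidp, gp))
        for key in (rec["ids_old"], rec["ids_new"]):
            self.by_ids.pop(key, None)
        if flag == 1:
            rec["ids_old"], rec["x_old"] = rec["ids_new"], rec["x_new"]
        rec["ids_new"], rec["x_new"] = g(ids + sidp), g(x + gp)   # applied in both branches (assumption)
        self.by_ids[rec["ids_old"]] = rec
        self.by_ids[rec["ids_new"]] = rec
        return rpp


def run_session(tag: Tag, server: Server, deliver_rpp: bool = True):
    """One LAP run; returns (server accepted tag, tag accepted server, IDS the tag sent)."""
    r1 = os.urandom(L)                  # step 1: reader's Query || R1
    r2, rp, ids = tag.respond(r1)       # step 2: tag's R2 || R' || IDS, forwarded by the reader
    rpp = server.step2(r1, r2, rp, ids)
    if rpp is None:
        return False, False, ids
    if not deliver_rpp:                 # constructed loss of R'' on the reader-to-tag link
        return True, False, ids
    return True, tag.finish(rpp), ids


def make_pair():
    sid, ids, x = os.urandom(L), os.urandom(L), os.urandom(L)   # constructed enrolment values
    server = Server()
    server.enrol(sid, ids, x)
    return Tag(sid, ids, x), server


if __name__ == "__main__":
    tag, server = make_pair()
    print(run_session(tag, server)[:2])                     # (True, True)
    print(run_session(tag, server, deliver_rpp=False)[:2])  # (True, False): tag keeps its IDS
    print(run_session(tag, server)[:2])                     # (True, True): server used the old pair
```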

Burmester and Munilla [29] proposed a lightweight mutual authentication protocol called Flyweight that is based on exchanging messages using only a PRNG. Their protocol relies on a PRNG algorithm shared between the tags and the back-end server that takes the same seed to produce the same output. The concept of the protocol is to use three consecutive numbers (RN1, RN2, and RN3) generated by the same PRNG in the server and the tags, or five numbers if an active adversary is present, as in Figure 11. Furthermore, RFID tags precompute their responses to the server's challenge, so an adversary can be detected from the response time of the tag. The protocol is able to provide mutual authentication, integrity, confidentiality, and forward and backward security. In addition, it provides strong synchronization, since the server keeps a record of the current and next response value of the tag.

S. Lee et al. [30] proposed a lightweight protocol (MASS) for RFID systems using XOR and a one-way hash function to conform to the scarce resources of RFID tags. The concept of the MASS protocol is to challenge the tag with a fresh random string every session; the tag responds using the reader's value and its own random key to authenticate the reader, as depicted in Figure 12. The secret key is shared between the entities, and all of the messages are encrypted during transmission. However, Zuo [31] conducted a survivability experiment on the authentication protocol proposed by S. Lee et al. and established the vulnerability of the protocol to replay, desynchronization, and impersonation attacks. Zuo concluded from his experiment that the system could employ two different values for the keys (old, new) to recognize the tag and overcome the desynchronization problem.

Server S; Reader R; Tag T (state)
Step 1 (R): Send Query to T →
(T): RN1 = g_tag(state); set alarm cnt = 1; send RN1 to R ←
Step 2 (R): Forward RN1 to S ←
(S): If RN1 = RN1cur: cnt = 1; generate RN2, send RN2 to R →. If RN1 = RN1next: cnt = 0; update values in DB; send updated RN2 to R →
(R): Forward RN2 to T →
Step 3 (T): If RN2 is correct, authenticate S: generate RN3, RN4, RN5; cnt = 0. If cnt = 0, send RN3 to R ←; if cnt = 1, send RN4 to R ←
(R): Forward RN3 or RN4 to S ←
Step 4 (S): If RN = RN3 and cnt = 0: tag is authenticated. If RN = RN4: send RN3, store RN5, update values; send RN3 to R →
(R): Forward RN3 to T →
Step 5 (T): If RN3 is correct and cnt = 1: send RN5 to R ←; else terminate
(R): Forward RN5 to S ←
Step 6 (S): If RN5 is correct: authenticate T, update values; else terminate
Notation: RN: random numbers output by the same generator function; cnt: 1-bit flag.

Figure 11. Flyweight Mutual Authentication Protocol by Burmester and Munilla.

Server S; Reader R; Tag T
Step 1 (R): Generate l-bit string str; send str to tag →
Step 2 (T): Generate l-bit string rA; rB = h(rA ⊕ Ki ⊕ str); rC = h(rB ⊕ Ki ⊕ str); send rB, rC to reader ←
Step 3 (S): Search the database to match key Ki; if found, proceed to update the key; retrieve rB from rC; Ki = h(Ki); r'C = h(rB ⊕ Ki ⊕ str); send r'C to tag →
Step 4 (T): Verify r'C = rC; if verified, update the key
Notation: Ki: tag/server shared secret key; h(): one-way hash function.

Figure 12. Lightweight Protocol based on Synchronized Secret (MASS) by S. Lee.

To reduce the communication time during the authentication session, K. Lee et al. [32] proposed the Efficient Passively-Untraceable Authentication Protocol (EP-UAP). The concept of EP-UAP is that the system precomputes all of the necessary computations before the system initialization, so only a low computation overhead is required on the tag side during the protocol phase. The protocol is based on the Randomized Hash-Lock protocol, which uses a static identifier, and its strong security against traceability depends mainly on the PRNG that randomizes the responses, as explained in Figure 13. Since precomputing all of the possible random numbers and responses requires storage memory for all of the precomputed data in the database, EP-UAP is preferred for small to medium networks, as the storage memory grows with the number of tags. The protocol shows a huge improvement over the randomized hash lock protocol in terms of computation time, in that it requires only 40 ms for authentication; this is similar to LRMAP, which is the most efficient one among the stateful protocols. However, it requires 100 MB of database storage memory. The protocol provides integrity due to the two randomly generated nonce values that are used by both the tag and the reader, and is secure against passive attacks and traceability due to the random responses. However, the EP-UAP protocol seems to be vulnerable to active attacks such as impersonation and replay attacks, since the random responses depend on the database/reader. It also requires a high storage capacity on the database side.

Reader
Step 1 (Reader): Generate RR; send Query, RR to tag →
Tag
Step 2 (Tag): Generate RT; compute mTR = H(ID1T||RR); send mTR, RT to reader ←; pre-compute cT = H(ID2T||RT)
Step 3 (Reader): Search for IDi1R; verify H(IDi1R||RR) = mTR to authenticate the tag; compute mRT = H(IDi2R||RT); send mRT to tag →
Step 4 (Tag): If mRT = cT, the reader is authenticated
Notation: H: one-way hash function; ID: tag identifier; RR, RT: nonces generated by the reader/tag; m: authentication challenge; c: authentication challenge response.

Figure 13. Efficient Passively-Untraceable Authentication Protocol (EP-UAP) by K. Lee.

To defend against a desynchronization attack, Rahman and Ahamad [33] proposed a Desynchronization attack-resistant Robust Authentication Protocol (DRAP) for wireless identification and sensing platforms (WISP), where RFID technology is combined with sensor nodes. Their protocol mechanism is to decrease the tag collision that leads to DoS attacks, as shown in Figure 14. The technique is to decrease the collision rate at the link layer and maintain the system's efficiency. The protocol also detects the DoS attack and recovers the synchronization state of the system. WISP tags have more resources than passive tags, which allows a higher-security implementation. Yet, they have a short distance limitation, since the tags can only function less than 1–2 m away from the readers.

Authentication in most RFID protocols is executed between one reader and one tag at a time. Liu et al. [34] proposed a grouping proofs-based authentication protocol (GUPA) to enable authenticating multiple tags and multiple readers simultaneously, such that multiple readers can authenticate a single tag, and multiple tags can be authenticated by a single reader in large-scale RFID. The GUPA protocol is based on hierarchical identification between independent subgroups in a distributed RFID system, and on the use of an asymmetric denial mechanism to resist the denial-of-proof (DoP) attack. For the anonymous authentication of a new entity, GUPA deploys a ring signature using a lightweight cryptography (elliptic curve). It also uses lightweight bitwise operations for the secret information updates of readers and tags, PRNGs, one-way hash functions, timestamps for session freshness, and access lists for each legal reader/tag set up during system initialization as identity flags to prevent forgery and tracking attacks, as fully explained in Figure 15. Since the flags are chosen randomly from the pseudonym index, queries and responses are independent for each session to resist the DoP attack; hence, illegal proofs are eliminated during authentication.

Server S; Reader R: IDi: Kiprev, Ki, Diprev; Tag T: Ki, IDi, Δ
Step 1 (R): Generate random nr; send nr to tag →
Step 2 (T): If (Δ ≤ Dnew − Dold): generate random ni; αi = P(Ki ⊕ nr||ni); βi = EKwti(h(IDi) ⊕ Dnew); send αi, βi, ni to reader ←
Step 3 (R): Generate P(Ki ⊕ nr||ni) for all tags to verify αi.
 - If there is a match: decrypt αi and βi; retrieve D. If Dnewi is not equal to Dnew, then update: Kiprev = Ki; X = h(Ki); αj = P(X ⊕ nr||ni); Ki = h(X); Diprev = Dinew. Else ignore the message and αj = rand.
 - If there is no match: generate P(Kiprev ⊕ nr||ni) for all tags to verify αi. If correct: decrypt αi and βi; if Dnewi is not equal to Doldi, then update: αj = P(h(Kiprev) ⊕ nr||ni); Diprev = Dinew; else ignore the message and αj = rand. Else ignore the message and αj = rand.
 - Send αj to tag →
Step 4 (T): Y = h(Ki); generate P(Y ⊕ nr||ni) to verify αj; if correct: Ki = h(Y)
Notation: P(): pseudorandom number generator; Δ: activity threshold; D: sensor value; Ki: secret number; ID: tag identifier; h(): one-way hash function.

Figure 14. Desynchronization Attack-Resistant Robust Authentication Protocol (DRAP) by Rahman and Ahamad.

Database DB; Reader Rj; Tag Ta
Initialization phase:
1- (DB) Generate PRN rDB
2- (DB) Send rDB to tag →
3- (Ta) Generate rTy
4- (Ta) H1(LR||rDB)
5- (Ta) Send rTy||H1(LR||rDB) to DB ←
6- (DB) Verify H1 in database for a match
7- (DB) H1 = (ΔRj||LR||rTy)
8- (DB) PRNG(ΔRj)
9- (DB) Send H1||PRNG(ΔRj) to tag →
Authentication phase:
10- (Ta) PRNG^(−1)(ΔRj) to obtain ΔRj
11- (Ta) H1 = (ΔRj||LR||rTy) to authenticate DB
12- (Ta) Add ΔRj to LR
Notation: LR: local access list; ΔRj: reader's information; H(): one-way hash function.

Figure 15. Grouping Proofs-Based Authentication Protocol (GUPA) by Liu for a Single-Reader, Single-Tag Case.

Sensors 2018, 18, 3584

16 of 31

Since tag collision is a major problem in large-scale networks, Rahman and Ahamad [35] proposed two probabilistic batch authentication protocols to determine the valid tags efficiently and accurately in large-scale systems. FTest is a protocol based on the Frame Slotted Aloha algorithm that is used to reduce the probability of collision slots. The other protocol is GTest, which is a protocol based on group batch authentication that is used to reduce the cost of detecting counterfeit tags. Their protocols use simple lightweight operations such as XOR and cyclic redundancy checks (CRC) with a shared key for each group of tags. The theory in both protocols is not to send the tag ID when responding, but rather accept or reject a tag by estimating the number of fake tags. In the FTest protocol that is depicted in Figure 16, a counterfeit threshold parameter is used in the system to reduce the number of rounds in the detection process and the response time of the protocol, so that the entire set of tag responses does not need to be checked. Instead, the detection will stop if the percentage of counterfeit tags exceeds the counterfeit threshold. In GTest, the reader randomly selects a population of tags to authenticate. If one counterfeit tag is detected, the batch of tags will be considered invalid. The reader needs to read a large amount of data to identify the validity of a batch in GTest, so the reader still consumes time through the computation overhead from the tag search. Both FTest and GTest protocols are proved to be secure against tracking and privacy attacks, since tag responses are based on dynamic frame size, random numbers, and an ID that is not transmitted during communication. However, FTest shows less execution time and better performance than GTest.

Server S

Group Identification Phase:

Reader R: 1- Send nonce nr to tag →
Tag T (shared group key ki): 2- Respond by h(ki||nr) ←
3- Find a group key to decrypt the message.
4- Identify the group of tags based on the group key.

Authentication Phase:
Initialization
Reader R: 1- Send to server "Start authentication" ←
2- Receive (f, r) from server
3- Broadcast frame size and random no.
Tag T: 4- Each tag computes its slot position SP = h(id, r) mod f = 0 or 1
5- Send SP to reader with random bits ←
Reader R: 6- Generate RV based on responses 0, 1, coll.
7- Turn collision slot into singleton by removing one tag (removed tags remain silent until next phase)
8- Send RV to server for verification.

Counterfeit Detection Phase:
Server S: 1- Send random nr from server to rem tags →
Tag T: 2- Respond h(id||nr)
Reader R: 3- Forward RV to server ←
Server S: 4- Reconstruct RVS as only valid tags can compute correct h()
5- Accept valid tags if RVS = RV

n: Nonce value; ki: Shared group key; h(): One-way hash function; SP: Slot position within frame; id: Tag ID; f: Frame size; r: Random N; RV: Response vector generated by reader; RVs: Response vector generated by server; rem: Set of tags removed to reduce collision slot.

Figure 16. Batch Authentication Protocol based on Frame Slotted Aloha (FTest) by Rahman and Ahamad.
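The slot-position and response-vector steps of FTest, as an added example that is not from the paper or its authors: tags answer in slot SP = h(id, r) mod f, the reader records each slot as empty, singleton or collision without ever learning a tag ID, and the server rebuilds the vector it expects from the genuine population and flags slots that are busier than expected. SHA-256 stands in for h(), the tag population is constructed, and the early-stop rule is a simplification of the paper's counterfeit threshold.

```python
import hashlib
from collections import Counter

# Constructed sample population: the tag IDs the server knows to be genuine.
VALID_IDS = ["tag-%03d" % i for i in range(20)]

# Ordering of slot states: a slot can only get "busier" when extra tags answer.
_RANK = {0: 0, 1: 1, "coll": 2}


def slot_position(tag_id: str, r: int, f: int) -> int:
    """Step 4 of the authentication phase: SP = h(id, r) mod f.
    SHA-256 stands in for the paper's unspecified one-way hash h()."""
    digest = hashlib.sha256(f"{tag_id}|{r}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % f


def response_vector(tag_ids, r: int, f: int):
    """Reader side (step 6): record each of the f slots as 0 (empty), 1 (singleton)
    or "coll" (collision). Only slot occupancy is observed, never a tag ID."""
    counts = Counter(slot_position(t, r, f) for t in tag_ids)
    rv = []
    for slot in range(f):
        n = counts.get(slot, 0)
        rv.append(0 if n == 0 else 1 if n == 1 else "coll")
    return rv


def detect_counterfeits(observed_rv, r: int, f: int, valid_ids, threshold: float):
    """Server side: rebuild the vector expected from the genuine population and
    compare. A slot busier than expected can only be explained by a tag the server
    does not know, i.e. a counterfeit; a slot quieter than expected is a missing
    genuine tag, not a counterfeit. Checking stops early once the fraction of
    counterfeit slots exceeds the threshold, so the whole frame need not be read
    (simplified threshold semantics, an assumption of this example)."""
    expected = response_vector(valid_ids, r, f)
    counterfeit_slots = []
    checked = 0
    for slot, (obs, exp) in enumerate(zip(observed_rv, expected)):
        checked += 1
        if _RANK[obs] > _RANK[exp]:
            counterfeit_slots.append(slot)
        if len(counterfeit_slots) / f > threshold:
            return {"batch_valid": False, "checked": checked,
                    "counterfeit_slots": counterfeit_slots}
    return {"batch_valid": not counterfeit_slots, "checked": checked,
            "counterfeit_slots": counterfeit_slots}


def run_round(present_ids, r: int, f: int, threshold: float = 0.05):
    """One FTest round: the tags in present_ids answer in their slots, the reader
    builds RV, and the server verifies it against VALID_IDS."""
    rv = response_vector(present_ids, r, f)
    return detect_counterfeits(rv, r, f, VALID_IDS, threshold)


if __name__ == "__main__":
    print(run_round(VALID_IDS, r=12345, f=64))
    print(run_round(VALID_IDS + ["fake-1"], r=12345, f=64))
```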

Another anti-collision security protocol (ACS) is proposed by Keqiang et al. [36] for a high-efficiency RFID system combining the chaotic sequence generator with the dynamic frame-slotted ALOHA algorithm for fast tag identification. The protocol scheme is based on a logistic mapping structure with XOR operation and spreading operation to generate real-time keys in a chaotic sequence that are used in authentication messages. Keys are updated in each response from tag to reader and reader to tag during the same session using iteration equations that are known only to the server and tag, as in Figure 17. The protocol is effective against counterfeit and impersonation attacks, as the authentication scheme not only depends on the iterated key, but also on the spreading code and random numbers, so faking at least one of them will result in a wrong response. The protocol requires only four message exchanges, low hardware cost, and low computation cost on the tag side. It also has lower energy consumption than other heavyweight and simple-weight protocols, because XOR uses less energy than symmetric encryption and hash functions.

Server S: K0
Reader R
Tag T: K'0

Step 1 (Reader R):
- Generate and send a frame size R0 to tag →

Step 2 (Tag T):
- Receive R0.
- Choose slot index with the value in [1, R0]
- Reset time slot counter = slot-index
- r = 20, i = (r+R0), x'0 = K'0
- x'k+1 = r x'k (1−x'k) iteration = x'i
- x'i = ChaosSpec
- Perform one-time iteration to get K'i+1 = x'i+1
- H'(R0) = R0 ⊕ K'i+1
- H'(ID) = K'i+1 ⊕ ID
- Generate random R1
- Send (H'(R0)||H'(ID)||R1) ⊗ ChaosSpec ←

Step 3 (Reader R):
- Send (H'(R0)||H'(ID)||R1) ⊗ ChaosSpec, and R0 to S ←

Server S:
- K0 = Master key, x0 = K0 to compute xi
- Verify ChaosSpec using xi:
  • If there is collision, go to step 5.
  • If no collision, proceed.
- Perform one-time iteration to get xi+1 = Ki+1
- Extract R'0 from H'(R0) and verify R'0 = R0
- Tag is authenticated.
- Extract ID from H'(ID)
- Perform R1 iteration to get xj, j = (r+R1+R0)
- Kj = xj
- H(R1) = R1 ⊕ Kj
- Send to reader (H(R1)) ⊗ ChaosSpec →

Reader R:
- Send (H(R1)) ⊗ ChaosSpec →

Step 4 (Tag T):
- Perform the equations to get K'j = x'j
- Calculate R'1 = H(R1) ⊕ K'j
- If R'1 = R1, then K'j = Kj
- R is authenticated

Step 5: Collision case
- Increase tag's slot counter by 1
- Restart identification process in Step 2

Step 6: No authentication occurs
- Issue AdjustQuery command
- Adjust R0 to decide a new frame size
- Send search signal to rest of tags →

R0: Frame size; i: Number of iterations; K'0: Tag key; K0: Server master key; K'i+1: Real-time key; H(), H'(): One-way hash functions; ChaosSpec: Spreading code; ID: Tag's ID; R1: Random number generated by tag; r: Constant value to put the equation in chaotic state.

Figure 17. Anti-Collision Security Protocol (ACS) by Keqiang.

Cho et al. [37] proposed a hash-based mutual authentication protocol (HBA) to defend against the brute force attack. This protocol was reported by Chang et al. [6] to be vulnerable to denial of service (DoS) and replay attacks. Later, Chang et al. proposed an improved (HBA+) protocol to avoid DoS and replay attacks using a shared PRNG algorithm between the server and tag to produce the same output that is used in updating the protocol values, as in Figure 18. Also, the confidentiality in the protocol is based on protecting the secret value datai using the reader ID (Rid), which is only known to a legitimate reader and server. The improved protocol of Chang is considered to be efficient and secure against DoS attack, traceability, and forward secrecy.

Server S
Reader R
Tag T

Step 1 (Reader R):
- Generate random No. Rr →

Step 2 (Tag T):
- Generate random No. Rt
- M1 = Auk ⊕ I ⊕ PRNG(EPC ⊕ Ack ⊕ Rr ⊕ Rt)
- ← {M1, Rt, I}

Step 3 (Reader R):
- A = H(Rid ⊕ Rr)
- ← {M1, Rt, I, A, Rr}

Step 4 (Server S): Search the database using I:
- Found: I = Inew {EPCi, Auknew, Acknew, datai} or I = Iold {EPCi, Aukold, Ackold, datai}
  M1' = Auknew ⊕ Inew ⊕ PRNG(EPCk ⊕ Acknew ⊕ Rt ⊕ Rr) to authenticate T.
- Not Found: termination.
- B = datai ⊕ Ridk
- M2 = PRNG(Auknew ⊕ Rt) ⊕ Acknew
- C = H(datai ⊕ Rr)
- Update database values and keys:
  Aukold = Auknew, Auknew = PRNG(Auknew)
  Ackold = Acknew, Acknew = PRNG(Acknew)
  Iold = Inew, Inew = PRNG(Acknew ⊕ Inew)
- Send {B, C, M2} →

Step 5 (Reader R):
- Obtain datai from B
- C' = H(datai ⊕ Rr)
- Send M2 →

Step 6 (Tag T):
- Compute M2' = PRNG(Auk ⊕ Rt) ⊕ Ack
- Update tag values and keys

Rr, Rt: Random No. of reader/tag; Auk: Authentication key of tags shared with server; Rid: Reader ID; EPC: Electronic product code of tag; Ack: Access key of tags shared with server; I: Index value of tag; H(): One-way hash function; datai: Secret information of the tag's object.

Figure 18. Hash-Based Mutual Authentication (HBA+) Protocol by Chang.

Z. Liu et al. [38] proposed a variable linear shift-based authentication protocol (VLP) to support the implementation of RFID for the new EPC Gen2v2 standard, satisfy its security features of untraceability and access control, and reduce a tag's read range. In Figure 19, the protocol is based on a lightweight encryption function called Variable Linear Feedback Shift Register (VLFSR), which is implemented at the application-specific integrated circuit (ASIC) level. In every session, mutual authentication involves different random numbers from the tag and reader combined with the new secret value SID stored in the database to provide resistance against active attacks.

Another protocol (OMP) is proposed by Niu et al. [39] mainly for passive tag ownership transfer using a lightweight authentication mechanism to support the EPC Gen2 standard. Since the ownership transfer is based on transferring the keys, the OMP protocol aims to prove the possession of the shared secret key to a tag and reader without disclosing it, using an ultra-lightweight permutation operation (Per), as in Figure 20. Yet, the protocol has no mechanism to check the freshness of the message that is sent by a legitimate reader.

Server S
Reader R
Tag T

Step 1 (Reader R):
- Generate random Rr
- Send Rr to tag →

Step 2 (Tag T):
- Generate random Rt1, Rt2
- Secret value = mj
- Bt = VLFSR(Rt1||Rr, mj)

Step 3 (Tag T):
- Send to reader Bt, (Rt2||Rt1) ⊕ SIDj ←

Step 4 (Reader R):
- Send to server Rr, Bt, (Rt2||Rt1) ⊕ SIDj and UID ←

Step 5 (Server S): Authenticate and Update
1- Find an SIDj match in database based on UID
2- Extract Rt1, Rt2
3- (Rt2||Rt1) ⊕ SIDj
4- Find mj from Mj table based on SIDj
5- Bb = VLFSR(Rt1||Rr, mj)
6- If Bb = Bt, proceed to update
  • mj+1 = (Rt2||Rt1) ⊕ mj
  • SIDj+1 = VLFSR(Rt1||Rt2, mj)
  • Store new values in Mj and keep the old in Mj−1 tables.
7- If Bb ≠ Bt, find mj and SIDj from Mj−1 table and do step 3
8- If no match is found, protocol will stop.

Step 6 (Server S):
- Send to reader VLFSR(Rt1||Rr, SIDj) →

Step 7 (Reader R):
- Send to reader VLFSR(Rt1||Rr, SIDj) →

Step 8 (Tag T): Authenticate R and S
- Authentication via received msg.
- mj+1 = (Rt2||Rt1) ⊕ mj
- SIDj+1 = VLFSR(Rt1||Rt2, mj)

SID: Session secure ID of tag; UID: Unique ID of tag; Rr: Reader random No.; Rt1, Rt2: Random No. generated by tag; mj: Secret value used in a session; VLFSR(): Variable LFSR function.

Figure 19. Variable Linear Shift-Based Authentication Protocol (VLP) by Z. Liu et al.

Server S
Mutual Authentication:

Reader R: K, KM, EPC, RID1
1- Generate random rnd1, rnd2 of 96 bits
2- Ai = rnd1i ⊕ PRNG(Ki ⊕ RID1i) ⊕ PRNG(Ki ⊕ RID2i)
3- Bi = rnd2i ⊕ PRNG(rnd1i ⊕ Ki)
4- Ci = PRNG(rnd1i ⊕ RID1i) ⊕ PRNG(rnd2i ⊕ RID2i)
5- Send Ai, Bi, Ci to tag →

Tag T: K, KM, EPC, RID, IDS
6- Extract rnd1, rnd2
- rnd1i = Ai ⊕ PRNG(Ki ⊕ RID1i) ⊕ PRNG(Ki ⊕ RID2i)
- rnd2i = Bi ⊕ PRNG(rnd1i ⊕ Ki)
- C'i = PRNG(rnd1i ⊕ RID1i) ⊕ PRNG(rnd2i ⊕ RID2i)
7- If C = C', reader authenticated
- Ki+1 = Per(rnd1i, Ki) ⊕ K(i+1 mod 6)
- IDSi+1 = Per(rnd2i, Ki) ⊕ Ki
- Di = PRNG(Ki+1 ⊕ IDSi+1), where i = 1 to 6
8- Send D to reader ←

Reader R:
9- Verify D:
- D'i = PRNG(Ki+1 ⊕ IDSi+1), where i = 1 to 6
- If D is verified, tag is authenticated

K: Secret shared key for owners; KM: Master key to modify K; EPC: Static ID of a tag; RID: ID of reader owning tag; IDS: Pointer to tag database.

Figure 20. Passive Tag Ownership Authentication Protocol (OMP) by Niu.

Dass and Om [40] also proposed an efficient authentication protocol (SEAS) that uses lightweight operations and a pseudo-random number generator (PRNG) for a low computational cost. Their scheme is based on a secure channel between the back-end server and reader, prestored tags' secrets (SIDs) on the tag side, a one-way hash function of the tag ID on the server side, and rewritable memory with a flag indicator on the server side to update the secret values. Any change to the transmitted messages leads to termination of the communication during the verification, to resist security attacks, as shown in Figure 21.

Server S

Reader R
Tag T

Step 1 (Reader R):
- Generate random No. NR →

Step 2 (Tag T):
- Generate random No. NT
- V = PRNG(S ⊕ NR ⊕ NT)
- H = h(ID)
- ← {V, H, NT}

Step 3 (Reader R):
- ← {V, H, NR, NT}

Step 4 (Server S): Search the database using h(ID):
- Not Found: termination
- Found: verify V
  V' = PRNG(Snew ⊕ NR ⊕ NT) → Send Snew to reader, Flag = 0
  V'' = PRNG(Sold ⊕ NR ⊕ NT) → Send Sold to reader, Flag = 1

Step 5 (Reader R):
- Reader takes Snew or Sold
- M = PRNG(Snew,old, NR)
- N = PRNG(M)
- Send N to tag →
- ← Send M to server

Step 6 (Tag T):
- To authenticate reader:
  Calculate M' = PRNG(S, NR)
  Calculate N' = PRNG(M')
  Verify N' = N
- If equal, calculate U = h(S||M')
- Update S = S ⊕ U

Step 6 (Server S):
- Flag = 0 → S = Snew; U = h(Snew||M); Sold = Snew; Snew = Snew ⊕ U
- Flag = 1 → S = Sold; U = h(Sold||M); Sold = Sold; Snew = Sold ⊕ U

h(): One-way hash function; NR, NT: Random No. generated by reader/tag; S: Secret value of tag; ID: ID pseudonym of tag; Snew, Sold: Current and old session secrets of tag.

Figure 21. Efficient Authentication Protocol (SEAS) by Dass and Om.
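The Snew/Sold bookkeeping of Figure 21 in runnable form, as an added example that is not the authors' code: when the reader-to-tag message N is lost, the tag keeps its old secret while the server has already moved on, and the next session recovers through the server's Flag = 1 branch. h() and the shared PRNG are modelled with SHA-256, secrets are 32 bytes, and the reader is assumed to relay honestly; all of these are assumptions of this example.

```python
import hashlib
import os


def h(*parts: bytes) -> bytes:
    """One-way hash h(); SHA-256 stands in for the paper's unspecified function."""
    return hashlib.sha256(b"".join(parts)).digest()


def prng(*parts: bytes) -> bytes:
    """The PRNG shared by server and tag, modelled as a one-way function of its
    inputs (assumption: the paper does not fix a generator)."""
    return hashlib.sha256(b"SEAS-PRNG|" + b"|".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Tag:
    def __init__(self, tag_id: bytes, secret: bytes):
        self.tag_id, self.s = tag_id, secret

    def step2(self, nr: bytes):
        self.nt = os.urandom(32)
        v = prng(xor(xor(self.s, nr), self.nt))          # V = PRNG(S ⊕ NR ⊕ NT)
        return v, h(self.tag_id), self.nt                 # {V, H, NT}

    def step6(self, n: bytes, nr: bytes) -> bool:
        m_ = prng(self.s, nr)                             # M' = PRNG(S, NR)
        if prng(m_) != n:                                 # N' != N: reader rejected
            return False
        self.s = xor(self.s, h(self.s, b"||", m_))        # U = h(S||M'); S = S ⊕ U
        return True


class Server:
    def __init__(self):
        self.db = {}                                      # h(ID) -> {"new": S, "old": S}

    def register(self, tag_id: bytes, secret: bytes):
        self.db[h(tag_id)] = {"new": secret, "old": secret}

    def step4(self, v, hid, nr, nt):
        rec = self.db.get(hid)
        if rec is None:
            return None                                   # not found: termination
        if prng(xor(xor(rec["new"], nr), nt)) == v:
            return rec["new"], 0                          # Flag = 0
        if prng(xor(xor(rec["old"], nr), nt)) == v:
            return rec["old"], 1                          # Flag = 1: tag missed last update
        return None

    def step6(self, hid, flag: int, m: bytes):
        rec = self.db[hid]
        if flag == 0:
            u = h(rec["new"], b"||", m)
            rec["old"], rec["new"] = rec["new"], xor(rec["new"], u)
        else:
            u = h(rec["old"], b"||", m)
            rec["new"] = xor(rec["old"], u)               # Sold is kept as it is


def run_session(tag: Tag, server: Server, lose_n: bool = False) -> bool:
    """Steps 1-6 with an honest relaying reader. lose_n drops the message N, so the
    tag keeps its old S while the server updates: the desynchronising event the
    Sold/Snew pair exists to survive. Returns whether the server authenticated the tag."""
    nr = os.urandom(32)                                   # step 1
    v, hid, nt = tag.step2(nr)                            # step 2
    found = server.step4(v, hid, nr, nt)                  # steps 3-4
    if found is None:
        return False
    s, flag = found
    m = prng(s, nr)                                       # step 5: M = PRNG(S, NR)
    n = prng(m)                                           #         N = PRNG(M)
    if not lose_n:
        tag.step6(n, nr)
    server.step6(hid, flag, m)
    return True


def synchronised(tag: Tag, server: Server) -> bool:
    """True when the server's current secret for the tag equals the tag's S."""
    return server.db[h(tag.tag_id)]["new"] == tag.s
```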

An alternative solution to replace the central database in the RFID system is to use a serverless model in which the database server does not maintain a connection with the readers and tags during the communication. Regarding this challenge, Mtita et al. [41] proposed a serverless security protocol (SAP) used for the mass authentication of RFID tags in the presence of untrusted readers. In the SAP protocol, the reader and tag do not communicate with the back-end server; instead, they authenticate each other using only ephemeral secrets of the tag that expire within a given time, as shown in Figure 22. Verification and authentication between reader and tag are done during the authentication phase to exchange the data and generate the session key locally in both tag and reader for their next communication. The protocol has also been proved using the CryptoVerif tool [42], which was shown to have low computation overhead and resources.

Server: S
Reader: Rj
Tag: Ti (Ti has timestamp TSYS and idi)

Initialization Phase:
Reader Rj: 1- Request permission from server S.
Server S: 2- Generate Kij, tempij, ARij (access right) for each tag derived from time window and start date: Kij = HMACidi(Wsj||ARij)
3- Build lists of authenticated tags Lj for Rj: Lj = {(temp1j, K1j), (temp2j, K2j), .., (tempij, Kij)}
4- Send Lj, ARij, Wsj to Rj →

Mutual Authentication Phase:
Reader Rj: 1- Generate rj
2- Send to tag A = WSj, ARij, rj →
Tag Ti: 3- Generate ri
4- Hij = HMACKij(ri||rj)
5- Send to reader B = Hij, ri ←
Reader Rj: 6- Verify H'ij = HMACKij(ri||rj): If equal: Ti is authenticated; If not equal: Kij is not in the list and tag is not authorized
7- Generate timestamp tj and calculate Vij = HMACKij(ri||tj)
9- Send to tag C = tj, Vij →
Tag Ti: 10- Verify V'ij = HMACKij(ri||tj): If equal: Rj is authenticated
11- Update TSYS = tj
12- Generate session key KS = HMACKij(tj||ri WSj)
Reader Rj: 13- Generate session key KS = HMACK'ij(tj||ri WSj)

TSYS: Tag static timestamp; tj: Reader timestamp; idi: Tag ID; Kij: Tag's key; tempij: Temporary tag ID; ARij: Access rights; Wsj: Time window; Ks: Session key; Lj: List of authorized tags; ri, rj: Reader/Tag random No.

Figure 22. Serverless Security Authentication Protocol (SAP) by Mtita.
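The two SAP phases of Figure 22 as an added example that is not from the paper: the server derives each tag's ephemeral Kij with an HMAC over the time window and access right, the untrusted reader receives only the list Lj and never a tag identity, and both sides end with the same session key; a reader that alters the access right it announces, or lacks the tag in its list, fails. HMAC-SHA256, the tempij derivation, a shared counter in place of the readers' clock, and the rejection of a non-increasing tj on the tag are assumptions of this example.

```python
import hashlib
import hmac
import itertools
import os

_CLOCK = itertools.count(1)   # stand-in for the readers' synchronised clock (tj values)


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the '||' concatenation of parts, i.e. the paper's HMACkey(a||b)."""
    return hmac.new(key, b"||".join(parts), hashlib.sha256).digest()


class Server:
    """Back-end S: knows every idi and is contacted in the initialization phase only."""
    def __init__(self, tag_ids):
        self.tag_ids = list(tag_ids)

    def authorize_reader(self, window: bytes, ar: bytes):
        """Steps 2-4: Kij = HMACidi(Wsj||ARij) for every tag, handed to Rj as Lj.
        tempij is modelled as HMACidi("temp"||Wsj) (assumption)."""
        lj = [(mac(tid, b"temp", window), mac(tid, window, ar)) for tid in self.tag_ids]
        return lj, window, ar


class Tag:
    def __init__(self, tag_id: bytes):
        self.id, self.tsys = tag_id, 0

    def step3_5(self, a):
        window, ar, rj = a
        self.window = window
        self.kij = mac(self.id, window, ar)              # same derivation as the server
        self.ri = os.urandom(16)
        return mac(self.kij, self.ri, rj), self.ri       # B = Hij, ri

    def step10_12(self, c):
        tj, vij = c
        tj_b = tj.to_bytes(8, "big")
        if not hmac.compare_digest(vij, mac(self.kij, self.ri, tj_b)):
            return None                                  # Rj not authenticated
        if tj <= self.tsys:                              # added check: reject a replayed C
            return None
        self.tsys = tj                                   # step 11
        return mac(self.kij, tj_b, self.ri, self.window)   # KS (assumed tj||ri||WSj)


class Reader:
    def __init__(self, lj, window, ar):
        self.lj, self.window, self.ar = lj, window, ar

    def step1_2(self):
        self.rj = os.urandom(16)
        return self.window, self.ar, self.rj             # A = WSj, ARij, rj

    def step6_9(self, b):
        hij, ri = b
        for _temp, kij in self.lj:                       # idi is never sent: search Lj
            if hmac.compare_digest(hij, mac(kij, ri, self.rj)):
                self.kij, self.ri, self.tj = kij, ri, next(_CLOCK)
                tj_b = self.tj.to_bytes(8, "big")
                return self.tj, mac(kij, ri, tj_b)       # C = tj, Vij
        return None                                      # Kij not in Lj: not authorized

    def step13(self):
        return mac(self.kij, self.tj.to_bytes(8, "big"), self.ri, self.window)


def mutual_auth(reader: Reader, tag: Tag):
    """Runs the mutual authentication phase end to end; returns the session keys
    (reader's, tag's), with None for a side that refused."""
    a = reader.step1_2()
    c = reader.step6_9(tag.step3_5(a))
    if c is None:
        return None, None
    return reader.step13(), tag.step10_12(c)
```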

4.4. Ultra-Lightweight Protocols

As mentioned earlier in this paper, passive tags are small chips with scarce resources that can only support low-cost operations. The goal of ultra-lightweight protocols is to reduce the cost of RFID systems to a minimum and provide strong security for promising future use. In this regard, Sundaresan et al. [43] introduced an ultra-lightweight serverless protocol (STS) using only simple XOR and 128-bit PRNG operations that require less than 2000 gates, three random number generations on the tag, and two message exchanges. In Figure 23, the STS protocol mechanism is to use a blind factor to hide the pseudo-random numbers that are used in communication between readers and tags to overcome impersonation attacks. The RFID tag is also able to preserve its location privacy by responding as a noise tag. Moreover, the protocol does not employ a one-way hash function nor any encryption, conforming to EPC C1 G2 Standards.

Server: ts
Setup Phase:
- Stores access list (AL) of all n tags:
  h(TID1, ts1) = id1, rts1, ctr1, ctrmax1
  h(TIDn, tsn) = idn, rtsn, ctrn, ctrmaxn
- Establish shared rts between a reader and each tag to be searched.

Reader R
- Precompute and store id = h(TID, ts)

Search Phase:
- Server is offline.
Step 1:
1- Check that ctr