Abstract

The outbreak of the novel coronavirus has exposed many problems in the auxiliary information system for epidemic prevention and control, which needs to be resolved by using methods such as the antitampering of logistics data and the management and control of epidemic materials. This article discusses the introduction of emerging technologies such as Radio Frequency Identification (RFID), which support privacy protection into the auxiliary information system for epidemic prevention and control. Recently, this paper found that Khwaja et al.’s protocol (RAPUS protocol) is susceptible to database impersonation attacks and reader impersonation attacks. Therefore, this article proposes the enhanced protocol, which not only perfectly solves the problems of the abovementioned protocols but also comprehensively compares multiple protocols. The enhanced protocol has higher efficiency and security. The security of the proposed protocol (RAPUS + protocol) is analyzed by GNY logic and the AVISPA model. The designed scheme can help realize the safety and traceability of epidemic prevention materials and improve the automation and decision-making efficiency of the epidemic prevention.

1. Introduction

The Medical Internet of Things (IoMT) places higher demands on security than the Internet of Things (IoT) while decreasing medical expenses and improving medical work efficiency. Khwaja et al.’s protocol [1] uses symmetric cryptography to design a robust authentication protocol. In deploying the IoMT, RFID is a key technology for building an identity authentication system that can effectively verify patients [2]. A safe and efficient RFID design helps protect user privacy, improve the safety of the IoMT system, and boost the efficiency with which medical staff inspect and manage patients.

In medical scenarios that need to verify a large number of tags efficiently in a brief period, the use of traditional per-tag protocols is inefficient and may delay the treatment of patients. To solve this problem, Nikkhah et al. [3] used the solution of homogeneous linear equations as a key to encrypt the authentication data of the tag and further decrease the expense; they proposed the LAPCHS protocol based on the cloud healthcare system and analyzed and proved the safety of the protocol against various attacks by heuristic security analysis. Sarier et al. [4] proposed a new biometric-based nontransferable certificate scheme, which maintains the privacy and efficiency of biometric identification and can be easily integrated into the current BBIM system based on efficient brand and PS certificate.

Due to the low cost, high stability, and excellent noncontact automatic identification characteristics of RFID systems, RFID has been used in many fields, such as waste electronic product processing, farm management, and supply chain management [5–7]. In addition, RFID technology is widely used in healthcare, for example in drug management and vital signs detection [8, 9]. During the epidemic, RFID technology also participated in the establishment of the auxiliary information system for epidemic prevention, with the purpose of solving problems such as the management of epidemic material data and the management of epidemic information. Although the RFID system has many advantages in epidemic prevention and control, it faces security and privacy risks because the tag and the reader (T, RE) communicate with each other over the underlying wireless medium.

In order to design a secure RFID authentication solution, many protocols have been put forward to guarantee the security of RFID, but they have all been proved to have problems. In 2019, Khwaja et al. [1] proposed a lightweight authentication protocol. The authors claim that their protocol meets the necessary security requirements and solves most security issues. This paper finds that the protocol [1] is susceptible to database spoofing attacks, reader spoofing attacks, and asynchronous attacks. Therefore, this article proposes a new protocol on this basis, which not only solves the problems of the abovementioned protocol but is also compared comprehensively with multiple protocols and has higher efficiency and security. The security of the RAPUS + protocol is analyzed formally and informally through GNY logic and the AVISPA security verification tool. Through the above scheme, it is expected to improve the automation and decision-making efficiency of the epidemic prevention auxiliary information system.

This article analyzes the protocol [1] and improves on it with a realistic and lightweight certification protocol to guarantee protection against the known attacks:
(1) The protocol [1] is susceptible to database impersonation attacks and reader impersonation attacks
(2) The improved authentication protocol is proposed to resist all known attacks
(3) RAPUS + protocol undergoes formal and informal security analysis and is compared with relevant existing protocols on security features and performance

A variety of certification protocols have been put forward to protect RFID systems [10–22], especially for lightweight cryptographic primitives. But many schemes based merely on the lightweight primitives were verified to be insecure, as shown in Table 1.

In 2014, Cho et al. [10] put forward the hash-based protocol. Later, Safkhani et al. [11] pointed out that the protocol [10] cannot withstand DoS attacks and impersonation attacks. In the same year, the ECC-based RFID authentication protocols [12, 13] were proposed to ensure communication security in the medical environment and improve patient safety. However, Farash et al. [14] proved through analysis that the protocols [12, 13] cannot ensure forward secrecy. In 2015, Gope et al. [15] proposed the lightweight protocol. But Khwaja et al. [1] pointed out that their protocol is susceptible to collision, DoS attacks, and stolen attacks. In 2018, Fan et al. [16] proposed the ultralightweight LRMI protocol to protect medical privacy. However, Aghili et al. [17] analyzed that the LRMI protocol cannot withstand traceability attacks and simulation attacks and proposed the SecLAP protocol. However, under the analysis of Safkhani et al. [18], it is found that the protocol in [17] is susceptible to traceability attacks and asynchronous attacks. In the same year, Fan et al. [21] put forward the lightweight authentication scheme on the basis of quadratic. Later, Zhu et al. [22] analyzed and proved that their scheme is susceptible to forward secrecy and impersonation attacks. In 2019, Zhou et al. [19] put forward the protocol on the basis of secondary residues. But the protocol [20] cannot withstand asynchronous attacks. Naeem et al. [23] presented an RFID authentication protocol and suggested an improvement to cater to the correctness and scalability issues. Li et al. [24] presented a mutual-healing group key distribution scheme based on the blockchain which can effectively resist various attacks with small overhead on time and storage. Amin et al. [25] provided an effective solution to solve all existing problems regarding key protocol methods to enhance security. The AVISPA simulation results in the solution ensure that active and passive attacks are protected. Lin et al. [26] constructed a novel secure mutual authentication system and proved the security and privacy requirements, including anonymity, traceability, and confidentiality. Shahidinejad et al. [27] introduced a lightweight authentication protocol for IoT devices named Light-Edge using a three-layer scheme.

Section 3 reviews the protocol [1]. Section 4 demonstrates RAPUS + protocol. In Section 5, the security analysis of the RAPUS + protocol is checked. Section 6 compares RAPUS + protocol with existing protocols. At last, Section 7 summarizes the article.

3. The Analysis of RAPUS Protocol

By examining the limitations of the RAPUS protocol, this section points out that it is susceptible to database impersonation attacks. Table 2 demonstrates the symbols used in the RAPUS protocol.

The doctor and many patients make up every cluster. Patients are moved from one cluster to another. Via the DB Server, the registered patients are authenticated by the doctor and the cluster. The symmetric key Krs is shared between each Doctor and DB. The improved authentication scheme is made up of two parts: the tag registration part and the tag certification part. We have the medical data through the protocol. Besides, we use the decentralization, traceability, and nontampering characters of blockchain technology to guarantee the security of data storage and sharing.

The registration steps for the tag T are as follows, as shown in Figure 1.

Step PTR 1. IDTi is submitted to the DB by each tag.

Step PTR 2.
(1) A random number ns is generated by DB.
(2) DB calculates Kts = h(IDTi||ns) ⊕ IDs.
(3) DB randomly generates ri and encrypts it with sx to calculate one-time alias tagi’s identity AID = Esx(IDTi||rTi).
(4) DB authenticates tagi based on AIDT.
(5) DB stores and delivers M2 to tag.

Step PTR 3. Tagi stores the information M2 = {IDTi, Kts, AID} in its memory after receiving the messages from DB.

The registered T starts the certification procedure, which is presented in Figure 2. The specific steps are as follows:

Step PTA 1:
(1) Nt is generated by an RFID tag with IDTi.
(2) Nx = Kts ⊕ Nt and V1 = h(AIDTi||Kts||Nx||Ri) are derived.
(3) T delivers to Ri to start the authentication request.

Step PTA 2:
(1) Ri of the ith cluster verifies the timestamp freshness as (T2 − T1) ≤ ∆T.
(2) Nr is generated and Ny = Krs ⊕ Nr, V2 = h(MA1||Nr||Krs) is calculated by Ri.
(3) Ri delivers to S.

Step PTA 3:
(1) S proves (T3 − T2) ≤ ∆T and then stems from Nt = Kts ⊕ Nx and Nr = Krs ⊕ Ny.
(2) V1 = h(AIDTi||Kts||Nx||Ri) and V2 = h(MA1||Nr||Krs) are calculated and verified by S.
(3) S decrypts AIDTi as DSx(IDTi||ri).
(4) After successful authentication, S calculates V3 = h(Ri||Nr||Krs) and V4 = h(Kts||IDTi||Nt).
(5) AIDTi(new) = ESx(IDTi||ri(new)) is updated and ZT = AIDTi(new) ⊕ Kts is computed by S.
(6) S delivers to Ri.

Step PTA 4:
(1) Ri checks the freshness of the timestamp (T4 − T3) ≤ ∆T.
(2) Ri calculates h(Ri||Nr||Krs) and verifies its equality with the received V3.
(3) Ri delivers to tagi.

Step PTA 5:
(1) Tagi checks the freshness of the timestamp after receiving MA4.
(2) Tagi calculates and renews AIDTi(new) = (ZT ⊕ Kts), AIDTi = AIDTi(new), if Tagi successfully verifies the messages (T5 − T4) ≤ ∆T, V4 ?= h(Kts||IDTi||Nt).
(3) Tagi saves the information.
(4) Otherwise, AIDTi will not update.

3.1. Vulnerable to Database Impersonation Attacks for RAPUS Protocol
3.1.1. Phase 1 (Learning)

After receiving from the reader, the DB performs as follows:

STEP 1.1. S proves (T3 − T2) ≤ ∆T and then stems from and .

STEP 1.2. and are calculated and verified by S.

STEP 1.3. S decrypts as in order to verify it.

STEP 1.4. and are calculated by S, after successful verification.

STEP 1.5. is updated and is computed by S.

STEP 1.6. S delivers to .

3.1.2. Phase 2 (Database Impersonation Attacks)

To imitate the database, the attacker starts a new session:

STEP 2.1. The attacker eavesdrops .

STEP 2.2. The attacker maliciously modifies .

STEP 2.3. The reader’s verification method does not check the integrity of .

STEP 2.4. At this time, the database impersonation attacks succeed.

3.2. Vulnerable to Reader Impersonation Attacks for RAPUS Protocol
3.2.1. Phase 1 (Learning)

After receiving from the DB, the reader performs the following steps.

STEP 1.1. checks freshness of the timestamp (T4 − T3) ≤ ∆T.

STEP 1.2. calculates and proves that it equals .

STEP 1.3. delivers to .

3.2.2. Phase 2 (Reader Imitation Attacks)

To imitate the reader, the attacker imitates the new routine:

STEP 2.1. The reader continues to send the modified data to T.

STEP 2.2. T’s validation method does not verify the integrity of .

STEP 2.3. The reader's impersonation attacks succeed.

3.3. Vulnerable to Asynchronous Attacks

STEP 1. The above two processes lead to the wrong updating of cryptographic key AIDTi(new)=(Z′ T ⊕ KTs).

STEP 2. In the second round of conversation, T key AIDTi(new) and T key AIDTi(new)=(ZT ⊕ KTs) stored in the database are inconsistent.

STEP 3. Therefore, it results in asynchronous attacks.

4. The Improved RAPUS + Protocol

RAPUS + protocol is shown in Figure 3.

Step PTA 1:
(1) Nt is generated by RFID tag with IDTi.
(2) Nx = Kts ⊕ Nt and V1 = h(AIDTi||Kts||Nx||Ri) are exported.
(3) T delivers to Ri.

Step PTA 2:
(1) Ri of the ith cluster first proves the timestamp freshness as (T2 − T1) ≤ ∆T, as soon as the request is received from T.
(2) Nr is generated by Ri.
(3) Ny = Krs ⊕ Nr and V2 = h(MA1||Nr||Krs||T2) are computed.
(4) Ri delivers to S.

Step PTA 3:
(1) S proves (T3 − T2) ≤ ∆T and then stems from Nt = Kts ⊕ Nx and Nr = Krs ⊕ Ny.
(2) S calculates and proves V1 = h(AIDTi||Kts||Nx||Ri) and V2 = h(MA1||Nr||Krs||T2).
(3) S decrypts AIDTi as DSx(IDTi||ri) to verify it.
(4) After verifying successfully, S renews V3 = h(Ri||Nr||Krs||ZT) and V4 = h(Kts||IDTi||Nt||ZT).
(5) AIDTi(new) = ESx(IDTi||ri(new)) is updated and ZT = AIDTi(new) ⊕ Kts is computed by S.
(6) S delivers to Ri.

Step PTA 4:
(1) Ri verifies the freshness of the timestamp (T4 − T3) ≤ ∆T after receiving MA3.
(2) Ri calculates and verifies h(Ri||Nr||Krs||ZT) = V3.
(3) Ri delivers to tagi after successful verification.
(4) If not, Ri ends the session.

Step PTA 5:
(1) Tagi checks the freshness of the timestamp after receiving MA4.
(2) Tagi calculates and renews AIDTi(new) = (ZT ⊕ Kts), AIDTi = AIDTi(new) if Tagi verifies the message V4 ?= h(Kts||IDTi||Nt||ZT).
(3) Tagi saves the information.
(4) Otherwise, AIDTi will not update.

5. The Analysis of RAPUS + Protocol

The security of the RAPUS + protocol is analyzed formally under the GNY logic model and the AVISPA model, and its security features are explained informally.

5.1. The Informal Analysis

In the following subsections, we analyze the security of the RFID system.

5.1.1. Mutual Authentication between Tag and Server

The DB verifies AIDTi and V1 = h(AIDTi||Kts||Nx||Ri) in M1 to authenticate the RFID tag. Only the legitimate T can form the effective request M1, which includes the two parameters, because the effective AIDTi is known only to the legal T. Besides, only the legal tag knows (IDT, Kts). The RFID tag can use V4 and M3 in M4 to authenticate the legitimacy of the DB. The mutual authentication property can therefore be achieved by the RAPUS + protocol.

5.1.2. Anonymity

The most basic element of the secure protocol is anonymity. The personal information of the user is protected by a secure scheme so that the adversary has no access to any information. The protocol has achieved strong anonymity. During the registration part, the RFID tag used M = {IDTi, Kts, AID} to identify the S through RFID-Reader.

The messages MA1 = {AIDTi, Nx, V1, T1} have been delivered to the S through a public channel in the authentication part. The adversary cannot attain the identity of the RFID tag even if the adversary gets the message M1 for the reason that AIDTi is the one-time alias identity of T. The initial identity is kept encoded in AIDTi. It can only be encoded by the DB using Kts. Therefore, the adversary cannot destroy the RFID tag’s authentic identity. In this way, we achieve the anonymity of the protocol.

5.1.3. Traceability

A safe protocol can protect any identity information of the participants from illegal users. The traceability of the RFID tag may be caused by identifying information. RAPUS + protocol cannot reveal the login information of the conversation that causes the security attack.

The protocol needs to use (Nt, Nr, ri). It is impossible for the adversary to achieve any random number in the RFID system because the RFID tag’s new one-time alias identity AIDTi has already been used. Therefore, the protocol meets the untraceability.

5.1.4. Backward/Forward Secrecy

It is essential for security protocols to ensure that the information transferred during a phase is not threatened and traced by the adversary, as it may generate defects in the certification phase between T and S. In our proposed scheme, the previous and next sessions will not be affected, even if the identity IDT is lost. The encrypted AIDTi is updated in each new session to ensure it. Therefore, the backward and forward secrecy of the RAPUS + protocol can be guaranteed.

5.1.5. Scalability

In RAPUS + protocol, the detailed procedure is used to verify if any T is not performed by the RFID Server S. Oppositely, S disposes AIDTi to verify T and makes a quick response to T. Therefore, RAPUS + protocol gets more stable.

5.1.6. DoS Attacks

The protocol does not rely on any random key for the verification or authentication of T. Instead, it is based on AIDTi, which is well encoded and renewed for each transaction. Hence, the proposed scheme defends against DoS attacks.

5.1.7. Replay Attacks

In the replay attack, to authenticate S, the attacker may postpone and repeat the transferred information. (T, RE, DB) are included in RAPUS + protocol. For authentication, {M1, M2, M3, M4} are exchanged through the public channel. Accessible to the messages, the attackers try to launch the replay attacks.

Nevertheless, due to the messages delivered with the fresh timestamp T, the attempt will fail. The adversary request will be repulsed each time in the event of timestamp’s ineffectiveness. Besides, the adversary cannot launch the attacks if it cannot calculate the parameters of the messages, because all messages’ parameters are updated by the participants for every new session. RAPUS + protocol is able to resist replay attacks.

5.1.8. Location Tracking Attacks

The authentic identity of the RFID tag is not delivered firsthand. Therefore, it has been delivered in the encoded form for authentication between the RFID tag and S. And only the server can decrypt through its secret key. Besides, in every new session, the unpredictability of messages is continually renewed. Therefore, the adversary cannot seek out the location. Any attempt to find the location will finally become a failure.

5.1.9. Impersonation Attacks

To authenticate the server, adversary A holds up the messages of the valid T and changes it. On this occasion, adversary A needs to issue the legitimate message request including (Ny, Ri, V2, MA1, AIDTi). In order to achieve it, AIDTi is encrypted and calculated and cannot be forged by adversary A.

Besides, to submit the legitimate request for certification as the valid T, adversary A needs various other timestamps and parameters too. It is impossible for adversary A to know the real parameters used for certification. Therefore, it has no ability to verify its validity as T to the DB. RAPUS + protocol for RFID system can resist any forgery attack reluctantly.

5.1.10. Stolen-Verifier Attacks

All the validation and verification keys are encrypted and stored in the DB. Even if the data and keys are both stolen from the DB, they cannot be decrypted and extracted by adversary A. Moreover, the original data saved in DB cannot be altered or modified by adversary A. Therefore, the RAPUS + protocol resists the stolen-verifier attacks.

5.2. The Formal Analysis Using GNY Logic

In order to guard against major attacks, the proposal of the security protocol design must be analyzed ahead of execution. The fundamental assumptions are presented in Table 3.

The aims verified by RAPUS + protocol are as follows:
(i) Goal 1: Ri | ≡
(ii) Goal 2: Ri | ≡ T | ≡
(iii) Goal 3: Sj | ≡
(iv) Goal 4: Sj | ≡ Ri | ≡
(v) Goal 5: Ri | ≡
(vi) Goal 6: Ri | ≡ Sj | ≡
(vii) Goal 7: T | ≡
(viii) Goal 8: T | ≡ Ri | ≡

The protocol messages generated by the parser are as follows:
(i) M1: T ⟶ Ri: AIDT, Nx:<Nt>Kts, V1, T1
(ii) M2: Ri ⟶ Sj: M1, Ny:<Nr>Krs, Ri, V2, T2
(iii) M3: Sj ⟶ Ri: V3, V4, Zt:<AIDTi>Kts, T3
(iv) M4: Ri ⟶ T: V4, T4, Zt:<AIDTi>Kts

The goals (G1, G2, G3, G4, G5, G6, G7, G8, G9) are made to verify the RAPUS + protocol that has been certified. The sequence of logical assumptions is employed in the parser export to achieve the security goals by considering the various assumptions.

In M1, T1 is the timestamp of T. Using the seeing rule, we can get

Applying the message-meaning rule and the previous step result,

Using the freshness-conjuncatenation rule and the previous step results,

According to the jurisdiction rule and the previous step result,

Applying the previous step result and the session-key rule,

Using the nonce-verification rule,

In M2, T2 is the timestamp of Ri. Applying the seeing rule, we get

According to the message-meaning rule and the previous step result,

By the freshness-conjuncatenation rule and the previous step result, we get

Through the jurisdiction rule and the previous step result,

Applying the S10 and the SK rule,

According to the nonce-verification rule and the previous step result,

In M3, T3 is the timestamp of Sj. Through the seeing rule, we get

Applying the message-meaning rule and S13,

Through S14 and the freshness-conjuncatenation rule,

According to the assumption S15 and jurisdiction rule,

Applying S16 and the session-key rule,

Using the nonce-verification rule,

In M4, T4 is the timestamp of Ri. Applying the seeing rule,

Through the message-meaning rule and S19,

According to S20 and the freshness-conjuncatenation rule,

Applying the jurisdiction rule and S21,

By the session-key rule, we get

Finally, according to the nonce-verification rule,

As a result, it is proved that (T, Ri, Sj) achieve successful reciprocal certification and obtain the session-key agreement safely.

5.3. The Protocol Verification Using AVISPA Tool

AVISPA is a formal security protocol analysis tool. It uses the High-Level Protocol Specification Language (HLPSL) to specify the sequence of messages exchanged among different entities. A basic role is a module consisting of the actions of one entity. Multiple basic roles are combined into a composed role so that the entities interact with each other. The analyzed protocol’s security goals are specified in the goal phase. The tool has four back ends, OFMC, CL-Atse, SATMC, and TA4sp, which use different kinds of techniques to show whether the RAPUS + protocol is safe or not. The tool supplies tracking of the steps that lead to the attack and uses the Dolev-Yao intruder model, in which the intruder can eavesdrop, intercept messages, modify passing traffic, or insert bogus data. In our proposed scheme, we describe different entities’ actions by defining the basic role and how the entities in the composed role interact with each other. The results show that our proposed scheme is “safe” against OFMC with regard to the security goal in Figure 4. Appendix A shows all source programs by AVISPA.

5.4. Performance Analysis and Comparison

This phase conducts the comparative analysis between the RAPUS + protocol and the existing protocol. First of all, we compare the existing protocol with the RAPUS + protocol in terms of security requirements. Besides, based on the calculation cost, we compare the RAPUS + protocol with the existing protocol. Lastly, we compare the RAPUS + protocol with existing protocols in regard to model analysis.

5.4.1. Security Requirements

This section analyzes the existing authentication protocols based on symmetric keys from the perspective of security requirements. Table 4 presents the comparisons between the proposed protocol and the existing protocols [1, 10, 15, 28–30].

Table 4 shows the insecurities of existing protocols [1, 10, 15, 28–30]. The result shows that only RAPUS + protocol can provide all the above security features, such as mutual authentication, untraceability, anonymity, the backward/forward secrecy, scalability, collision attacks, DoS attacks, replay attacks, location tracking attacks, stolen-verifier attacks, database impersonation attacks, and reader impersonation attacks.

5.4.2. Computational Cost

The computation cost analysis of existing related protocols [1, 10, 15, 28–30] with RAPUS + protocol is given in this section. Table 5 presents the analysis of computation cost.

In the protocol proposed in [15], the computational cost of each (T, R, S) is 5Th, 2Th, and 7Th, so the total cost is 14Th. The protocol proposed in [29] needs 2Th, 2Th, and 3Th for each (T, R, S), and the total cost is 7Th. The cost of protocol demonstrated in [30] is 4Th, 2Th, and 6Th correspondingly, amounting to 12Th. In the protocol proposed in [10], each (T, R, S) generates 3Th, 2Th, and 5Th cost correspondingly, so the total cost is 10Th. The cost of protocol demonstrated in [28] is 2Th, 3Th, and 5Th correspondingly, amounting to 10Th. The protocol proposed in [1] needs 2Th, 2Th, and 4Th +2Tse for each (T, R, S), so the total cost is 8Th + 2Tse. In comparison, T requires 2Th, the reader requires 1Th, and the server requires 3Th + 2Tse, and the total cost is 6Th + 2Tse in the protocol proposed in this article. In general, the protocol proposed in this article has a relatively smaller computation cost and is the only one that can withstand all known attacks.

5.5. Comparisons of Model Analysis

This section describes a model analysis of RAPUS + protocol with existing multitag authentication protocols in Table 6.

The results show that most protocols lack or have no model analysis. In the proposed authentication protocol, the secrecy attacks are analyzed by automatic cryptographic protocol verifier tools AVISPA. GNY logic is applied to verify the reciprocal certification.

6. Conclusion

The auxiliary information system for epidemic prevention and control has integrated traditional medical systems with RFID technology. However, the antitampering of logistics data and management and control of epidemic materials are still challenges. In this article, we prove that the RAPUS protocol is susceptible to database impersonation attacks, reader impersonation attacks, and asynchronous attacks. Then, the RAPUS + protocol is proposed. The security analysis of the RAPUS + protocol has been conducted through GNY logic, AVISPA model. Additionally, the comparisons of RAPUS + protocol with the existing protocols prove the superiority in security, computational cost, and model analysis. Based on RAPUS + protocol, the safety and management of epidemic prevention materials will be greatly improved.

Appendix

A. The Source Programs under AVISPA Model

% Reader role
role reader(R,T,S:agent, H:hash_func, SND_TR,RCV_TR,SND_SR,RCV_SR:channel(dy))
played_by R
def=
  local State:nat,
        R0,DID,C0,RID,C1,R1,
        C2,Tid,C3,TID,OID,C4,
        C5,C6,TS1,TS3,C7,SR,C8,KRC,C9,
        Tidnew,C10,C11,C12:text
  const tag_reader_c3,tag_reader_c7,reader_tag_c7:protocol_id
  init State:=0
  transition
  1. State=0 /\ RCV_SR(start) =|>
     State':=1 /\ R0':=new()
     /\ C0':=H(R0'.DID)
     /\ C1':=xor(DID,RID)
     /\ SND_TR(R0'.C0'.C1')
  2. State=1 /\ RCV_TR(C2'.C3'.C4'.C5'.C6'.R1') =|>
     State':=2 /\ C7':=xor(C3',xor(H(RID.DID),TS1))
     /\ C8':=xor(OID,SR)
     /\ SND_SR(TS1.C7'.C8'.H(RID).H(TS1.C7'.C8'.H(RID).KRC).R1')
     /\ witness(R,T,reader_tag_c7,C7')
  3. State=2 /\ RCV_SR(C9'.H(C9'.KRC)) =|>
     State':=3 /\ Tidnew':=xor(R1,Tid)
     /\ C10':=xor(Tidnew',SR)
     /\ SND_SR(C10'.TS3.H(C10'.TS3.KRC))
  4. State=3 /\ RCV_SR(C11'.H(C11',KRC)) =|>
     State':=4 /\ C12':=xor(H(TID.DID.OID),R1)
     /\ SND_TR(C12')
end role

% Tag role
role tag(R,T,S:agent, H:hash_func, SND_RT,RCV_RT:channel(dy))
played_by T
def=
  local State:nat,
        R0,DID,C0,RID,C1,R1,
        C2,Tid,C3,TID,OID,C4,
        C5,C6,TS1,TS3,C7,SR,C8,KRC,C9,
        Tidnew,C10,C11,C12:text
  const tag_reader_c3,tag_reader_c7,reader_tag_c7:protocol_id
  init State:=0
  transition
  1. State=0 /\ RCV_RT(R0'.C0'.C1') =|>
     State':=1 /\ R1':=new()
     /\ C2':=xor(RID,xor(Tid,R1'))
     /\ C3':=xor(DID,xor(H(TID.DID.R1'),RID))
     /\ C4':=xor(OID,H(RID.R0'))
     /\ C5':=H(OID.R0'.C3')
     /\ C6':=H(RID.R0'.R1')
     /\ SND_RT(C2'.C3'.C4'.C5'.C6'.R1')
     /\ witness(T,R,tag_reader_c3,C3')
     /\ witness(T,R,tag_reader_c5,C5')
  2. State=1 /\ RCV_RT(C12') =|>
     State':=2
end role

% Server role
role server(R,T,S:agent, H:hash_func, SND_RS,RCV_RS:channel(dy))
played_by S
def=
  local State:nat,
        R0,DID,C0,RID,C1,R1,
        C2,Tid,C3,TID,OID,C4,
        C5,C6,TS1,TS3,C7,SR,C8,KRC,C9,
        Tidnew,C10,C11,C12:text
  const tag_reader_c3,tag_reader_c7,reader_tag_c7:protocol_id
  init State:=0
  transition
  1. State=0 /\ RCV_RS(TS1.C7'.C8'.H(RID).H(TS1.C7'.C8'.H(RID).KRC).R1') =|>
     State':=1 /\ C9':=xor(Tid,SR)
     /\ SND_RS(C9'.H(C9'.KRC))
  2. State=1 /\ RCV_RS(C10'.TS3.H(C10'.TS3.KRC)) =|>
     State':=2 /\ Tidnew':=xor(C10',SR)
     /\ C11':=xor(H(TID.DID.OID),xor(Tidnew',SR))
     /\ SND_RS(C11'.H(C11',KRC))
end role

% One protocol session: reader, tag and server run in parallel
role session(R,T,S:agent, H:hash_func)
def=
  local SSR,RSR,STR,RTR,SRT,RRT,SRS,RRS:channel(dy)
  composition
     reader(R,T,S,H,STR,RTR,SSR,RSR)
  /\ tag(R,T,S,H,SRT,RRT)
  /\ server(R,T,S,H,SRS,RRS)
end role

% Environment: three parallel sessions between the same agents
role environment()
def=
  const r,t,s:agent,
        h:hash_func,
        tag_reader_c3,tag_reader_c7,reader_tag_c7:protocol_id
  intruder_knowledge = {r,t,s}
  composition
     session(r,t,s,h)
  /\ session(r,t,s,h)
  /\ session(r,t,s,h)
end role

goal
  authentication_on tag_reader_c3
  authentication_on tag_reader_c7
  authentication_on reader_tag_c7
end goal

environment()

Data Availability

The data served to support the findings of this study are contained within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments

This work is supported in part by China Postdoctoral Science Foundation (Grant No. 2020T130098ZX) and National Key Research and Development Program (Grant No. 2020YFB1711500).