Enabling Technologies towards 5G Mobile NetworksView this Special Issue
ULMAP: Ultralightweight NFC Mutual Authentication Protocol with Pseudonyms in the Tag for IoT in 5G
As one of the core techniques in 5G, the Internet of Things (IoT) is increasingly attracting people’s attention. Meanwhile, as an important part of IoT, the Near Field Communication (NFC) is widely used on mobile devices and makes it possible to take advantage of NFC system to complete mobile payment and merchandise information reading. But with the development of NFC, its problems are increasingly exposed, especially the security and privacy of authentication. Many NFC authentication protocols have been proposed for that, some of them only improve the function and performance without considering the security and privacy, and most of the protocols are heavyweight. In order to overcome these problems, this paper proposes an ultralightweight mutual authentication protocol, named ULMAP. ULMAP only uses Bit and XOR operations to complete the mutual authentication and prevent the denial of service (DoS) attack. In addition, it uses subkey and subindex number into its key update process to achieve the forward security. The most important thing is that the computation and storage overhead of ULMAP are few. Compared with some traditional schemes, our scheme is lightweight, economical, practical, and easy to protect against synchronization attack.
IoT  is a large network that consists of various information sensing devices and the Internet. As a new technology, the NFC [2, 3] is one of the core technologies of IoT and is listed as one of the most promising technologies.
NFC is a short-range, high-frequency, noncontact automatic identification wireless communication technology using the 13.56 MHz frequency band at a distance of less than 10 cm. It is a development and breakthrough of the RFID [4–6] technology. NFC now has been widely used in electronic ticket, product security, and other fields. But the security issues, especially the authentication problem between the reader and the tag, have become an important factor restricting its development. The problem of authentication is to confirm the validity of the tag and the reader. Since NFC communication is completely exposed to the wireless environment, it faces a lot of malicious attacks such as clone attack [7, 8], man-in-the-middle attack, and packet losses attack. Once the authentication protocol is under the above attack, the authentication will be failed. Meanwhile, because the NFC system is limited by many factors, such as computing power, storage space, and power supply, it is a challenging task to design a secure and efficient NFC authentication protocol.
So far, although a lot of security authentication schemes for NFC are presented, researchers at home and abroad do not put forward a universal applicability scheme. For example, Yun-Seok et al.  proposed a scheme that uses the asymmetric encryption and hash function to try to eliminate the security and privacy thread. Although the solution can solve the problem of mutual authentication and prevent replay attack and the man-in-the-middle attack, it lacks some necessary security attributes, such as the message authentication. In 2013, Eun et al.  presented a new conditional privacy preserving security protocol to protect the user’s privacy. In 2015, Kannadhasan et al.  proposed the similar approach as presented in CPPNFC. In the same year, He et al.  proposed a pseudonym-based NFC protocol, but it cannot solve the forward security. In order to better promote the NFC technology, a scheme is needed to be proposed to solve the security and privacy thread.
Therefore, in this paper, we propose an ultralightweight mutual authentication protocol (ULMAP). Compared with the old NFC scheme, this protocol not only solves the security and privacy problem but also reduces the computation and storage cost.
Our Contributions. In this paper, we propose an ultralightweight mutual authentication protocol (ULMAP) for NFC using less memory storage and computational power for low-cost NFC tags. Our scheme has the following features:(1)Ultralightweight: the scheme is designed only with simple shift and XOR operations, not hash or other encryption operations.(2)Secure and efficient: the scheme we proposed could meet requirements of forward security, mutual authentication, synchronization, and non-denial of service by subkey and pseudonym.
Paper Organization. The remainder of the paper is organized as follows: In Section 2, we will present the detailed protocol of our new NFC mutual authentication protocol (ULMAP). In Section 3, the security proof with BAN logic of the proposed protocol will be provided. Section 4 provides the security and performance analysis of our protocol. Finally, our conclusion is shown in Section 5.
2. NFC Authentication Protocol for Mobile Device
In this section, we will propose ULMAP and basic ideas are as follows: the scheme only with a simple shift and XOR operations, greatly reducing the cost of operations. And it uses the concept of pseudonym, thus improving the system of security. And the scheme uses the concept of subkeys, preventing the man-in-the-middle attack as compared to the related existing authentication protocols.
The explanations of symbols are shown in Abbreviation.
 is defined as follows: ; for ;
In this scheme, the message is stored in each tag. Meanwhile, is stored in the server corresponding to each tag.
2.2. The Authentication Process
The authentication process of ULMAP is shown in Figure 1. The protocol involves three entities: tag, reader, and database. The channel between the reader and the database is assumed to be secure, but that between the reader and the tag faces all the possible potential attacks [13–15]. Each tag has a unique static identification () and preshares a pseudonym () and two keys with the database.
Each database actually has two entries of : one is for the old values and the other is for the potential next values. The reader first sends “Query” and message to the tag. The tag will respond with its after it verifies that the timestamp is larger than . Then, the reader will use the tag’s response to find a matched entry in the database and goes to the mutual authentication stage if a matched entry is found no matter what or . In the mutual authentication phase, the reader and the tag authenticate each other, and they, respectively, update their local pseudonym and the keys after successful authentication, which are shown in Figure 1.
There are four stages in the scheme that we proposed, such as initialization, tag identification, mutual authentication, and index-pseudonym and key updating. Then, we will in detail introduce the four stages as follows.
Initialization. The database selects a pseudorandom generator PRNG  to generate pseudorandom number. The database generates the key , which is initialized to and , and places it in a valid tag and the legitimate reader. is the random number of the tag in the initialization phase, The database, reader, and tag will store the and corresponding to the tag.
Tag Identification. The reader generates the random timestamp and the random number and sends authentication queries , , and to the tag. Then, the tag judges whether ; if is not larger than , the authentication is failed. Otherwise, the mutual authentication phase will begin.
Mutual Authentication. After identification phase, the tag will generate a random number , calculate , , and as shown in Figure 1, and send , , , and to the reader. Using the , the reader tries to find an identical entry in the database. If this search succeeds, the reader can get the nonce from submessages and . Then, the reader will compute and and build a local version of submessage as shown in Figure 1. It will be compared with the received value. If it is verified, the tag is authenticated. Finally, the reader sends message to the tag. When the message is received by the tag, it will be compared with a computed local version . If comparison is successful, the reader is authenticated. Otherwise, the authentication protocol is failed.
Index-Pseudonym and Key Updating. After successfully completing the mutual authentication phase between the tag and the reader, they locally update and key as indicated in Figure 1.
3. Security Proof with BAN Logic
The security assurance of the proposed protocol is the secure mutual authentication, which means the following security aims should be achieved.
Security Aim 1. The database needs to make sure the received message is exactly the one sent by the tag. This means that we need to achieve and .
Security Aim 2. The tag needs to make sure the received message is exactly the one sent by the database, which means the following formulas need to be achieved: and .
3.1. Security Assumption
According to the given protocol and the assumption that the server and the reader are connected securely, the following conditions can be achieved: AS1: . AS2: . AS3: . AS4: . AS5: . AS6: . AS7: .
3.2. Security Analysis
According to the proposed protocol (ULMAP) and , together with the assumptions and , we can deduce and , because, in this scheme, the database will receive the message forwarded from the reader, where . As we have achieved as secret between the database and the tag, we can take as the secret key to protect messages. So we can simply write the received message of database as , and we have . For the reason of “message-meaning rule” of BAN , we can deduce .
From the assumption and the BAN rule of , we know . Because we have achieved , together with the “nonce-verification” rule , we will achieve , and the first security aim of the given protocol is achieved.
For the same reason, we can also deduce and , and the second security aim is also achieved, and the security of mutual authentication of the proposed protocol has been proved.
In this section, we will analyze the proposed protocol (ULMAP) from the security and performance point of view.
4.1. Security Analysis
It is obvious, from the protocol specification, that not only can the tag and the reader successfully authenticate each other, but also ULMAP is able to resist the common NFC attacks effectively. In particular, it makes the scheme have the anti-DoS attack capability through using the timestamp. We now analyze our proposed scheme from the point of view of security as follows.
4.1.1. Mutual Authentication
The tag and the reader can authenticate each other by messages and , because only the genuine tag has the subkeys and which generate the consistent message with random numbers , . Similarly, only the genuine reader keeps the that is used to generate the response message . In this way, the reader and the tag can achieve mutual authentication.
4.1.2. Tag Anonymity
The tag uses the pseudonym in the whole authentication process. The pseudonym of each tag will be updated after every successful authentication by the random numbers , . So the pseudonym from the same tag looks different at each session authentication and the attackers cannot get the real identity of the tag. Moreover, even if the attackers intercept authentication pseudonym , they cannot analyze the practical information from it.
4.1.3. Resistance to Tracking
The data stored in the database and the tag will be updated after the successful authentication process. So the message and the response message are different at each session authentication, making it almost impossible for the attackers to track the tag. In addition, the tag uses the pseudonym which improves the difficulty of tracking.
4.1.4. Data Confidentiality 
The calculation of each value of , and involves at least two secret values, including the subkey and random number. So, it is very hard to get the tag except for the tag itself that has and , .
4.1.5. Forward Security
After each successful session, the key and value will be updated in the tag and the database. So even if the attacker achieves some session information, he cannot use it to trace back to previous communications. In addition, ULMAP makes the subkey and random number involved in the entire update process, which makes the entire update process have stronger stochastic properties. So ULMAP is forward security.
Because the value of will be updated after the successful authentication process, the response message from the same tag is different in each session authentication process. Moreover, the timestamp is constantly changing over time. Therefore, the attacker cannot priorly disguise information to achieve legality certification.
4.1.7. Non-Denial of Service (Non-DoS) 
When the reader starts a new session, the tag will judge whether > . If not, the authentication is failed. Otherwise, the authentication process will continue. Compared with all most schemes responding to the query, ULMAP can reduce the number of denial of service attacks to some extent and prevent unauthorized readers from continuing to send queries which consume lots of resources of the tag. Therefore, this scheme can resist denial of service attacks in some cases.
It is very obvious, in Table 1, that neither of SASI and LMAP can resist desynchronization and DoS attacks. However, in addition to the forward security, data confidentiality, nonreplaying, and so forth, the proposed protocol ULMAP can prevent synchronicity attacks effectively and prevent DoS attacks to some extent. In summary, ULMAP improves the security.
In a normal session, if the tracker heads off the last message that the database sends to the tag, the database cannot be successfully verified. Once this case happens, the tag cannot be updated, but the database has been updated successfully. So the tag and the database will lose the synchronization. However, in the ULMAP protocol, the , , , used in the last session is stored in in the database, so that this tag is still able to finish the authentication and get the synchronization again successfully.
4.2. Performance and Complexity Analysis
We will compare ULMAP with SASI and LMAP in performance and complexity. In order to compare easily, assume there are tags in the system and the length of data is .
4.2.1. The Cost of Storage
To achieve the authentication, in SASI protocol, the tag stores the message and is stored in the database, so the cost of storage in the tag and database is and , respectively. As it is shown in Table 2, in LMAP, the tag storage space needs and the corresponding database storage space requires . But in our protocol, the cost of storage space in the tag is and the cost of storage space in the database is .
Usually, the database has more resources than the tag, so the resource of tag is more valuable. Comparing with other protocols, the ULMAP needs smaller storage space in the tag that will greatly reduce the cost of the tag and increase a little cost of storage space in the database. Therefore, the proposed protocol can greatly reduce input cost. The specific storage overhead is shown in Table 2.
4.2.2. The Cost of Communication
The cost of communication consists of the number of interactions and the length of the communication data. From Table 3, we can know that the interaction times of both SASI and LMAP are 4. Although the transmitted data is increased a little, our protocol is just transmitted three times between the reader and the tag, which are four times in other protocols. Therefore, ULMAP has a relatively low communication overhead.
Comparing with other protocols, the ULMAP uses the timestamp for the first time. This will make the ULMAP resist the attack of DoS to a certain extent. Moreover, the subkey and random numbers are used widely in the database and the tag in the authentication update phase. This can make the whole protocol have stronger random feature which will greatly improve the ability of resisting desynchronization and the forward security of ULMAP.
4.2.3. The Cost of Computation Time
In order to better compare the computation performance of different protocols in Table 4, + represents AND operation, represents the XOR operation, is the displacement operation, is two displacement operations, and represents the pseudorandom number or timestamp.
From Table 4, it is shown that the tag in ULMAP needs one random number generation. In addition, ULMAP also needs more computation operation (like , ) in the tag compared with SASI and Gossamer. Although this will increase the cost of computation, the computations also become more secure and effective with it.
By comparing our protocol with other schemes, it shows that our proposed protocol not only can provide mutual authentication function but also has the advantage of higher level of security and performance.
This paper proposes a new NFC mutual authentication protocol, named ULMAP. ULMAP can achieve not only mutual authentication but also complete anonymity. Moreover, the proposed scheme possesses higher security and performance. Because the database stores the new and old session private key and IDS, when the new session private key of the tag fails to update, the corresponding old private key and IDS can also be used. So the proposed protocol can effectively resist the desynchronization attack.
|:||The pseudonym of tag identity|
|:||The index number used last time|
|:||The index number successfully used this time|
|:||The unique static identification of tag|
|:||The shared key of the tag and database, which is divided into two parts|
|:||The random timestamp generated by the reader|
|:||The last time timestamp|
|:||The key of the tag successfully used in the last round session|
|:||The key of the tag used in this session|
|:||The random number generated by the tag and the reader|
|:||The operation of rotation , where denotes Hamming weight of .|
Conflicts of Interest
The authors declare that they have no conflicts of interest.
This work has been financially supported by the National Natural Science Foundation of China (nos. 61303216, 61272457, U1401251, and 61373172), the National High Technology Research and Development Program of China (863 Program) (no. 2012AA013102), the Open Research Project of the State Key Laboratory of Industrial Control Technology, Zhejiang University, China (no. ICT170312), and National 111 Program of China (nos. B16037 and B08038).
H. Ning and B. Wang, RFID Major Projects and the State Internet of Things, Mechanical Industry Press, Beijing, China, 2008.
L. Yun-Seok, K. Eun, and J. Min-Soo, “A NFC based authentication method for defense of the man in the middle attack,” in Proceedings of the 3rd International Conference on Computer Science and Information Technology, Bali, Indonesia, January 2013.View at: Google Scholar
E. Haselsteiner, “Security in near field communication (NFC),” in Proceedings of the Workshop on RFID Security, Malaga, Hungary, 2006.View at: Google Scholar
K. Fan, Y. Gong, C. Liang, H. Li, and Y. Yang, “Lightweight and ultralightweight RFID mutual authentication protocol with cache in the reader for IoT in 5G,” Security and Communication Networks, vol. 9, pp. 3095–3104, 2016.View at: Google Scholar
Z. Kabir, User centric design of an NFC mobile wallet framework [M.S. thesis], The Royal Institute of Technology (KTH), Stockholm, Sweden, 2011.
A. Juels, “Strengthening EPC tags against cloning,” in Proceedings of the ACM Workshop on Wireless Security (WiSe '05), pp. 67–75, Cologne, Germany, September 2005.View at: Google Scholar
C. Mulliner, “Vulnerability analysis and attacks on NFC-enabled mobile phones,” in Proceedings of the 4th International Conference on Availability, Reliability and Security, pp. 695–700, IEEE, Fukuoka, Japan, March 2009.View at: Google Scholar
L. Francis, G. P. Hancke, K. Mayes et al., “Practical NFC peer-to-peer relay attack using mobile phones,” in Proceedings of the 6th International Workshop on Radio Frequency Identification: Security and Privacy Issues (RFID-SEC '10), pp. 35–49, Istanbul, Turkey, 2010.View at: Google Scholar
P. Peris-Lopez, J. C. Hernandez-Castro, J. M. E. Tapiador et al., “LMAP: a real lightweight mutual authentication protocol for low-cost RFID tags,” in Proceedings of the Workshop on RFID Security, Graz, Austria, July 2006.View at: Google Scholar