Abstract

The field of pervasive computing, especially the Internet of Things (IoT) network, is evolving due to the high network speed and increased capacity offered by the 5G communication system. The IoT network identifies each device before giving it access to the network. The RFID system is one of the most prominent enabling technologies for node identification. Since the communication between the node and the network takes place over an insecure wireless channel, an authentication mechanism is required to prevent malicious devices from entering the network. This paper presents a brief survey of the authentication protocols along with the prominent cryptanalysis models for EPC C1G2 RFID systems. A comparative analysis is provided to highlight the common weaknesses of the existing authentication algorithms and to emphasize the lack of security standardization for the resource-constrained IoT network perception layer. The paper concludes by proposing an ultralightweight protocol that provides Extremely Good Privacy (EGP). The proposed EGP protocol avoids all the pitfalls highlighted by the cryptanalysis of the existing authentication protocols. The incorporation of the novel ultralightweight primitives, Per-XOR and Inverse Per-XOR, makes the protocol messages more robust and irreversible for all types of adversaries. A comprehensive security analysis illustrates that the proposed protocol is highly resistant to all possible attack scenarios and ensures security optimally.

1. Introduction

The concept of creating low-cost, reliable, and secure Internet of Things (IoT) networks for current and future applications is evolving by virtue of the high network speed and increased capacity offered by the 5G communication system. The IoT network consists of interrelated computing devices with unique identification, deployed in the environment to collect, process, and share information, in order to measure changes in the surroundings and to react independently, primarily without human interaction [14]. The data collected by the network is also processed to generate valuable information that can be used to enhance the user experience in the future [5]. The IoT platform is being used in various fields to achieve purposeful objectives such as logistics [6], smart cities [7], and supply chain management [8].

The IoT network initially identifies the electronic devices (nodes) before giving them access to the network. The Radio Frequency Identification (RFID) system is emerging as an enabling technology for node discovery due to features such as high speed, long range, and non-line-of-sight scanning [4]. RFID-enabled IoT networks are preferred in various surveillance, monitoring, and healthcare applications. Table 1 highlights some of the prominent applications reported in the literature.

The architecture of the RFID-enabled IoT network is composed of three components: the RFID system, the IoT middleware, and the Internet [15]. The RFID system facilitates node identification and data collection. The data gathered from the environment under observation is processed by the IoT middleware. The IoT middleware also acts as a gateway to the external Internet [16].

The architecture of the RFID system embedded in an IoT network consists of three main components: the Electronic Product Code (EPC) tag, the reader, and the database. The tag is a low-cost electronic chip with a unique identification number (). The reader identifies each tag associated with the system by receiving the over the wireless channel. The database supports the reader in the identification process by storing the attributes of all the tags affiliated with the RFID system [17].

The EPC standards segregate the tags into classes based on their functionality. The description of each EPC class is given in Table 2 [18].

In RFID-enabled IoT networks, the node is identified by communicating the tag’s to the reader over an insecure wireless channel. Therefore, the system is prone to many security and privacy threats [19]. A mutual authentication mechanism is an inevitable part of the tag identification process. In this paper, a brief survey of the existing mutual authentication protocols and the prominent cryptanalysis models for EPC Class 1 Generation 2 (C1G2) RFID systems is presented. A comparative security analysis of the prominent protocols is drawn to highlight some of the common weaknesses of the existing authentication algorithms for resource-constrained RFID systems. The paper also proposes the Extremely Good Privacy (EGP) protocol. The comprehensive security analysis of the EGP protocol supports its security claims and robustness against all existing cryptanalysis models. The EPC C1G2 tags are the key component of low-cost RFID systems due to characteristics like small size, low cost, and unlimited lifespan [20]. Other features of the EPC C1G2 identification system are enumerated as follows [18]:
(i) Operating frequency: 860 MHz-960 MHz
(ii) Memory capacity: 96-256 bits
(iii) Field programmable
(iv) Reprogrammable
(v) Communication: 640 Kbits/s
(vi) Reads: 1700 tags/sec

The rest of the paper is organized as follows: Section 2 discusses the Ultralightweight Mutual Authentication Protocols (UMAPs) for resource-constrained RFID systems, followed by Section 3, which describes the cryptanalysis models used for the security and privacy evaluation of the UMAPs. That section also presents a comparative analysis of the prominent UMAPs based on their ability to provide Confidentiality, Integrity, Availability, and Authentication (CIAA) services. The EGP protocol is proposed in Section 4 along with a detailed cryptanalysis report. Finally, the paper is concluded in Section 5.

2. Ultralightweight Mutual Authentication Protocols

The node authentication mechanism during the identification process prevents malicious users from entering the network through the perception layer. In 2007, Chien [21] divided the authentication protocols into four categories, defined as follows:
(1) Heavyweight: these protocols incorporate classical cryptographic suites such as hash functions and private and public key cryptography.
(2) Middleweight: this category includes protocols that can support only one-way hash functions and pseudorandom number generators.
(3) Lightweight: these protocols can support lightweight functions such as Cyclic Redundancy Checks (CRCs) and lightweight pseudorandom number generators.
(4) Ultralightweight: this class allows only simple bitwise logical functions to be used in the protocol design.

Table 3 presents the relationship between the protocol categories and the EPC classes supported by some prominent examples.

For low-cost systems, the silicon area of the EPC tags should be kept to a minimum to reduce cost. Typically, an EPC C1G2 tag consists of a response buffer [32] and can support a maximum of Gate Equivalents (GE) for crypto-based operations. One gate equivalent corresponds to the area required for the fabrication of a two-input NAND gate [33]. Hence a smaller GE count for the authentication protocol implementation corresponds to a lower cost overhead for the security operations.

Table 3 suggests that for C1G2 tags, implementation of a UMAP is the only cost-effective option for node verification at the identification stage. Numerous UMAPs have been presented over the last decade. This section describes the general structure of the UMAPs along with a brief survey of the existing protocols. Since 2006, more than a thousand protocols have been proposed; however, the basic working principle of these protocols remains the same. The UMAPs ensure that both entities, i.e., the tag and the reader, are authentic components of an identification system with the help of a static and unique along with the pseudoidentification number and the keys, which are dynamic in nature. The dynamic variables update their status on both sides after every successful authentication session, whereas the static remains constant. The mutual authentication process mainly consists of four steps, which are as follows [34]:
(1) Tag identification: the tag receives a request for its latest identity pseudonym after entering the communication range of the reader. The reader identifies the tag by retrieving the associated identification number and the keys from the database with the help of .
(2) Reader authentication: after the tag identification, the reader generates a private key for the authentication session and transmits message to the tag. The message consists of an encrypted version of the private key and the reader authentication challenge message. The reader’s identity is verified if the response calculated at the tag’s side is equal to the received challenge message.
(3) Tag authentication: successful reader identity verification leads to the calculation and transmission of the tag authentication challenge message for the valid reader.
(4) Dynamic variable update: the mutual authentication of the communicating parties is followed by the dynamic variable update process on both sides.

The block diagram of the generalized UMAP is presented in Figure 1. The features that differentiate the UMAPs are the tag’s memory architecture and the protocol’s primitives. The UMAPs can be classified into three categories based on the nature of the operators used for the calculation of the challenge/response messages. A description of each category along with examples of prominent protocols follows.

2.1. UMAPs with Triangular Functions

In 2006, Peris-Lopez [35–37] laid the foundation of ultralightweight cryptography. The main idea was to use triangular functions such as bitwise , and for the encryption of the public messages communicated among resource-constrained devices. The prominent UMAPs with triangular functions are the Lightweight Mutual Authentication Protocol (LMAP) [35], the Minimalistic Mutual Authentication Protocol (M2AP) [36], and the Efficient Mutual Authentication Protocol (EMAP) [37].

2.1.1. Lightweight Mutual Authentication Protocol (LMAP)

The LMAP laid the foundation of the UMAPs and falls under the umbrella of the triangular UMAPs. The memory architecture of the tag and the reader implementing the LMAP is given in Table 4. The protocol executes in the following steps:
(1) The reader sends the “” message to the tag.
(2) The tag replies with to the reader. This acts as an index in the database to locate the and the related to the tag. If the required data is not found, the protocol is terminated; otherwise it moves to the next step.
(3) The reader generates two pseudorandom numbers and . These random numbers are used for the calculation of the messages and . Finally, is transmitted to the tag.
(4) The tag extracts and from the messages and , respectively. The message is a challenge token for the reader authentication. After successful reader authentication, the protocol moves to step (5).
(5) The tag generates and transmits message . The message has two purposes: (a) concealed transfer of the tag’s ; (b) tag authentication. After the transmission of the message , the dynamic variables at the tag’s end are updated using the following equations:
(6) The reader receives the message , authenticates the tag, and updates the dynamic variables using (5)-(9). The update of the dynamic variables on the reader’s side only takes place in case of successful mutual authentication.

The flow diagram of the LMAP is given in Figure 2. Despite being resource efficient, the LMAP is a weak protocol in terms of structure and equations. The triangular functions alone are unable to conceal the tag’s secrets in the public messages due to their unbalanced nature. Several cryptanalysis attacks on the LMAP have shown that the protocol cannot be used as a standard for RFID authentication.

2.1.2. Minimalistic Mutual Authentication Protocol (M2AP)

The second protocol from the triangular UMAP family is the M2AP. This protocol is similar to the LMAP in terms of the tag’s memory architecture and the protocol’s primitives. The basic difference between the two protocols is the composition of the public message . The memory architecture of the tag implementing the M2AP is given in Table 4. The step-by-step execution of the protocol is as follows:
(1) The reader “pings” the tag detected in its vicinity.
(2) The tag responds with the , which acts as an index to locate the data associated with the tag in the database for successful tag identification.
(3) After the tag identification, the reader generates two pseudorandom numbers and . The reader then computes and transmits the challenge message to the tag.
(4) The tag extracts and from and , respectively, and verifies the identity of the reader by calculating a response for message . After successful reader authentication, the tag calculates and transmits the challenge message . The message is used for the tag authentication, whereas the message is used for the communication.
(5) After successful mutual authentication, the dynamic memory on both sides is updated using the following equations:

The block diagram of the protocol is given in Figure 3. The cryptanalysis of the M2AP was similar to that of the LMAP due to the similarity in the composition of the public message equations and the memory architectures.

2.1.3. Efficient Mutual Authentication Protocol (EMAP)

The EMAP is the third most prominent protocol from the triangular class. The primitives used for the encryption of the communication between the tag/reader pair are , and . The memory architecture of the tag implementing the EMAP is given in Table 4. The working principle of the protocol is as follows:
(1) The tag receives a “” message from the reader as it enters its communication range.
(2) The reader receives the , which is used for the tag identification by locating the data associated with the communicating tag in the system’s database.
(3) Once the tag is identified, the reader generates the random numbers and sends message to the tag.
(4) The tag extracts from message and authenticates the reader by calculating the response for the challenge message . After successful reader authentication, the tag extracts from the message to calculate and send the challenge message .
(5) The authentication session ends by updating the dynamic memory on both sides.

The function generates a version of the input . The input is divided into twenty-four groups by combining in each group. The final output is obtained by taking the bitwise of all the entities present in each group and concatenating the results. The block diagram of the protocol is given in Figure 4.

2.2. UMAP with Single Nontriangular Function

The resource limitation of EPC C1G2 tags confines the computational cost of the UMAPs to GE. Initially, the UMAPs only used triangular functions for the calculation of the messages. But the triangular protocols were prone to multiple security attacks due to the lack of diffusion in the public messages. The reason behind the inability of the encrypted strings to conceal the secret values associated with the tag was the unbalanced nature of the protocol’s operators.

In 2007, Chien [21] introduced the idea of using an ultralightweight nontriangular primitive as the protocol’s operator. The use of a single nontriangular primitive improved the strength of the UMAPs; however, the cryptanalysis of the nontriangular UMAPs still highlighted weaknesses in the protocol structure and operators. Some of the prominent UMAPs with a single nontriangular primitive are the Strong Authentication Strong Integrity (SASI) protocol [21], Gossamer’s protocol [38], and the Yeh et al. protocol [39].

2.2.1. Strong Authentication Strong Integrity Protocol

The SASI protocol was the first protocol in the field of nontriangular UMAPs. The nontriangular function used in the SASI protocol is the rotation function (). The rotation function has two definitions: left rotation of by the Hamming weight of , and left rotation of . For this section, we will consider the Hamming weight-based rotation function. The memory architecture of the tag implementing the SASI protocol is elaborated in Table 5. The reason behind storing the pair of latest dynamic variables was to provide protection against Denial of Service (DoS) attacks. The working principle of the SASI protocol is as follows:
(1) The reader requests the tag for a pseudoidentification number.
(2) The tag transmits its latest . If the received is found in the database, the protocol proceeds further; otherwise the reader requests the tag for the from the previous successful authentication session (). Successful tag identification leads to step (3).
(3) The reader generates two random numbers and . The dynamic variables and random numbers are used by the reader to generate and transmit .
(4) The pseudorandom numbers and are concealed in and communicated to the tag via messages and , respectively. The message is used for the reader authentication.
(5) After successful reader authentication, the tag transmits message for the tag authentication and the transmission.
(6) After mutual authentication, the dynamic variables on both sides are updated using the following equations:

The flowchart of the SASI protocol is given in Figure 5.

2.2.2. Gossamer’s Protocol

In 2008, Peris-Lopez presented a nontriangular UMAP to overcome the weaknesses of the SASI protocol. In Gossamer’s protocol, the memory architecture of the system was enhanced by saving the latest copy of the dynamic variables on the tag’s side. The memory architecture of the protocol is given in Table 5. The nontriangular primitive of Gossamer’s protocol is the mix bit function (). The mix bit function consists of two subfunctions: the rotation and the modular addition function. These subfunctions are used independently and in a collaborative manner to calculate the challenge/response messages. The working principle of is elaborated in Figure 7.

The protocol executes in five steps, which are defined as follows:
(1) The reader sends a request for the to the tag present in its vicinity.
(2) The reader tries to locate the tag’s information by searching the database with the help of the received . The tag is identified if its information is found in the database.
(3) The reader generates pseudorandom private keys and . The reader then sends message to the tag.
(4) The reader is authenticated by generating a response to the message . After that, the tag calculates and transmits the challenge message .
(5) The dynamic variables on both sides are updated after a successful mutual authentication.

The constant π used in the protocol assumes the value . The block diagram of Gossamer’s protocol is presented in Figure 6.

2.2.3. Yeh et al. Protocol

In 2010, Yeh et al. [39] proposed a process-oriented UMAP. The feature that differentiates this protocol from its predecessors is the DoS avoidance mechanism. In this protocol, the pairs of latest dynamic variables are stored at the reader side instead of the tag. The reader also maintains a flag to identify whether the tag/reader pair is fully synchronized or not. The nontriangular function used in the protocol is the rotation function . The memory architecture of the UMAP is given in Table 5. The working principle of the Yeh et al. protocol is as follows:
(1) The reader initiates the communication by sending a “Hello” message to the tag.
(2) As a response, the tag transmits the stored in its dynamic memory.
(3) After successful tag identification through the database, the reader generates two pseudorandom numbers and . If the , the reader sets an internal flag ; otherwise the flag is set to 1 and the key is updated to become equal to the tag’s . After the key update, the reader calculates and sends message to the tag.
(4) Upon receiving the challenge message, the tag updates the value of the key based on the flag status. After that, and are extracted and the reader is authenticated.
(5) Successful reader verification leads to the calculation and transmission of the tag authentication challenge message .
(6) In case of successful mutual authentication, the dynamic memory on both sides is updated.

The block diagram of the Yeh et al. protocol is given in Figure 8.

2.3. UMAPs with Hybrid Nontriangular Function

The cryptanalysis of the UMAPs with a single nontriangular function proved the inability of these protocols to provide Confidentiality, Integrity, Availability, and Authentication (CIAA) to the communicating parties. In order to further improve the security, the concept of using hybrid nontriangular functions was introduced. This idea improved the security and privacy services offered by the UMAPs. There are many hybrid nontriangular UMAPs available in the literature. In this subsection, the protocols under consideration are the RFID Authentication Protocol with Permutation (RAPP) [4], the RFID Authentication Protocol for Low-cost Tags (RAPLT) [40], the Robust Confidentiality Integrity and Authentication (RCIA) protocol [41], and the Succinct and Lightweight Authentication Protocol (SLAP) [30].

2.3.1. RFID Authentication Protocol with Permutation (RAPP)

The RAPP protocol differed from the previously presented UMAPs in terms of the primitives used for encryption and the sequence of interaction between the tag and the reader. The protocol only uses three operations, i.e., , rotation , and permutation ().

The corresponds to the left rotation of by the Hamming weight of . The description of the permutation function () is as follows. Let be a word and be the th bit of , where , and let and be the LSB and MSB of the word , respectively. Suppose and are two L-bit words and the Hamming weight of is . Moreover, if and if .

The permutation of according to , i.e., is equal to
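The rotation and permutation primitives described above, as an added Python example that is not code from the RAPP paper or from this survey. It assumes the ordering used in the original RAPP definition (bits of x at the positions where y is 1, taken from the MSB downwards, followed by the bits of x where y is 0, taken from the LSB upwards); the word length, the sample words, and the per_inverse routine are constructed here to show that Per is a bit permutation and is therefore reversible by anyone who knows y.

```python
# Added example: RAPP-style primitives Rot(x, y) and Per(x, y).
# Bit positions follow the survey's convention: bit 1 is the LSB, bit L the MSB.
# The Per ordering (1-positions of y from MSB down, then 0-positions of y from
# LSB up) is assumed from the original RAPP definition.

def hamming_weight(w: int) -> int:
    """Number of 1 bits in w."""
    return bin(w).count("1")


def rot(x: int, y: int, length: int) -> int:
    """Rot(x, y): left-rotate the L-bit word x by the Hamming weight of y."""
    mask = (1 << length) - 1
    n = hamming_weight(y) % length
    return ((x << n) | (x >> (length - n))) & mask


def _per_order(y: int, length: int) -> list:
    """Source bit positions (1-based) of Per(x, y), listed MSB-first.

    k_1 > ... > k_m are the positions where y is 1 and k_{m+1} > ... > k_L
    those where y is 0; the output is x_{k_1} ... x_{k_m} x_{k_L} ... x_{k_{m+1}}.
    """
    ones = [i for i in range(length, 0, -1) if (y >> (i - 1)) & 1]
    zeros = [i for i in range(length, 0, -1) if not (y >> (i - 1)) & 1]
    return ones + zeros[::-1]


def per(x: int, y: int, length: int) -> int:
    """Per(x, y): permute the bits of x according to y."""
    out = 0
    for pos in _per_order(y, length):
        out = (out << 1) | ((x >> (pos - 1)) & 1)
    return out


def per_inverse(z: int, y: int, length: int) -> int:
    """Undo Per: z = Per(x, y) together with y is enough to recover x,
    because for a fixed y the map x -> Per(x, y) is a bijection."""
    x = 0
    for j, pos in enumerate(_per_order(y, length)):
        bit = (z >> (length - 1 - j)) & 1
        x |= bit << (pos - 1)
    return x


if __name__ == "__main__":
    # Constructed 6-bit sample words (not values from the paper).
    L = 6
    x, y = 0b110010, 0b101001
    z = per(x, y, L)
    print(f"Rot(x, y) = {rot(x, y, L):0{L}b}")
    print(f"Per(x, y) = {z:0{L}b}, recovered x = {per_inverse(z, y, L):0{L}b}")
```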

Unlike the conventional sequence of interaction, the dynamic memory of the tag is updated only after receiving a confirmation message of successful mutual authentication of the tag/reader pair. The aim of this message was to make the protocol resistant to desynchronization attacks. The memory architecture of the protocol is given in Table 6 and the detailed description of the protocol is as follows:
(1) The tag receives a “Hello” message from the reader as soon as it enters its vicinity.
(2) The tag responds with the value of stored in its dynamic memory. The reader identifies the tag by retrieving the information indexed by the value in the database.
(3) After successful tag identification, the reader generates a random number and sends the challenge message to the tag.
(4) The tag verifies the reader’s identity and sends the challenge message to the reader.
(5) In case of successful mutual authentication, the reader updates the dynamic variables, generates another random number , and sends the mutual authentication verification message to the tag.
(6) The tag updates its dynamic memory after verifying the origin of message .

The block diagram of the protocol is given in Figure 9.

2.3.2. RFID Authentication Protocol for Low Cost Tags (RAPLT)

In 2013, Jeon and Yoon improved the permutation function and proposed two new nontriangular functions, i.e., the Merge and Separate operations, in the RFID Authentication Protocol for Low-cost Tags (RAPLT). These operations are considered to be more reliable and secure than the permutation function.

Assume and are -bit numbers, whereas and are -bit strings. The formation of and the pseudocode for the and operations are given in Figure 10.

The two operations are inverses of each other and are extremely lightweight in nature. In the RAPLT protocol, both the tag and the reader store a pair of the latest , the latest keys, and the tag’s . The working principle of the RAPLT protocol is as follows:
(1) The reader initiates the protocol by sending a “Hello” message to the tag.
(2) As a response, the tag sends the index pseudonym for the tag identification.
(3) After successful tag identification through , the reader generates two random numbers () and computes .
(4) The tag authenticates the reader by generating a response for the message . Successful reader verification leads to the calculation and transmission of .
(5) The tag authentication is followed by the update on both sides.

The flow diagram of the RAPLT protocol is given in Figure 11.

2.3.3. Robust Confidentiality Integrity and Authentication Protocol (RCIA)

The Robust Confidentiality Integrity and Authentication (RCIA) protocol is designed on the theme of the RAPP protocol. This protocol belongs to the hybrid category of the UMAPs as it uses two nontriangular functions, i.e., rotation and the recursive hash . The working principle of the recursive hash function consists of the following steps:
(i) Consider as an -bit string and decimate the input into chunks with an equal number of bits per chunk. .
(ii) Assume a seed value from the range .
(iii) The seed calculated in the above step selects the corresponding memory block () of the decimated string .
(iv) The final output of the recursive hash function is obtained by concatenating the results of the following operations.
(a) Take between the selected memory block and all the other blocks, except the block itself.
(b) Left rotate the block by the Hamming weight of itself .
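The recursive hash as an added Python example (not the RCIA authors' code). Because the page does not reproduce the seed equation, the seed is taken as a caller-supplied input; the output is assumed to keep the original block order, with the selected block replaced by its self-rotation, and the 16-bit input split into four 4-bit chunks is a constructed size chosen so each step can be checked by hand.

```python
# Added example: the RCIA recursive hash Rh(x, seed) as described above.
# Assumptions: the seed is supplied by the caller (the page omits the seed
# equation), and output blocks keep their original positions, with the
# seed-selected block replaced by its rotation.

def hamming_weight(w: int) -> int:
    """Number of 1 bits in w."""
    return bin(w).count("1")


def rot_left(w: int, n: int, width: int) -> int:
    """Left-rotate a width-bit word by n positions."""
    mask = (1 << width) - 1
    n %= width
    return ((w << n) | (w >> (width - n))) & mask


def split_blocks(x: int, length: int, n_chunks: int) -> list:
    """Decimate the L-bit string x into n_chunks equal blocks, MSB block first."""
    if length % n_chunks:
        raise ValueError("L must be divisible by the number of chunks")
    width = length // n_chunks
    mask = (1 << width) - 1
    return [(x >> (width * (n_chunks - 1 - i))) & mask for i in range(n_chunks)]


def join_blocks(blocks: list, width: int) -> int:
    """Concatenate width-bit blocks back into one integer, first block as MSB."""
    out = 0
    for b in blocks:
        out = (out << width) | b
    return out


def recursive_hash(x: int, length: int, n_chunks: int, seed: int) -> int:
    """Rh(x, seed): XOR every other block with the seed-selected block; the
    selected block itself is left-rotated by its own Hamming weight."""
    if not 0 <= seed < n_chunks:
        raise ValueError("seed must be in [0, n_chunks - 1]")
    width = length // n_chunks
    blocks = split_blocks(x, length, n_chunks)
    sel = blocks[seed]
    out = [rot_left(sel, hamming_weight(sel), width) if i == seed else b ^ sel
           for i, b in enumerate(blocks)]
    return join_blocks(out, width)


if __name__ == "__main__":
    # Constructed 16-bit input, four 4-bit chunks (not the protocol's real sizes).
    x = 0xA5C3
    for seed in range(4):
        print(f"seed={seed}: Rh = {recursive_hash(x, 16, 4, seed):04x}")
```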

For efficient hardware implementation, the input of the recursive hash function is decimated into chunks, each containing . Both the tag and the reader store seven strings associated with the tag. These are and . The RCIA protocol executes in five steps, which are as follows:
(1) The reader sends a “Hello” message to the tag.
(2) The tag sends to the reader. If the value is found in the database, the protocol proceeds; otherwise the reader requests and matches it with the database value. The protocol proceeds to the next step only when the received is found in the database.
(3) The reader generates random numbers and . It also calculates . This value is used to find the seed value. The equation for the seed calculation is . The calculation of the seed value leads to the calculation and transmission of the messages.
(4) The message is used for the reader authentication. After this one-sided successful authentication, the tag updates its dynamic variables and sends the message .
(5) The reader uses the string for the tag authentication, after which the dynamic variables are also updated on the reader’s side. The update equations are as follows:

Figure 12 shows the block diagram of the RCIA protocol.

2.3.4. Succinct and Lightweight Authentication Protocol (SLAP)

In 2016, an ultralightweight authentication protocol named the Succinct and Lightweight Authentication Protocol (SLAP) was proposed. The SLAP algorithm is composed of three operators, i.e., , rotation , and the conversion function. These functions are lightweight with respect to implementation cost and are appropriate for passive electronic chips. The conversion function is the main feature of the protocol that is claimed to guarantee irreversibility, confidentiality, full confusion, and low complexity.

The conversion function consists of three subfunctions. Suppose the size of the input strings is bits, i.e., . The description of these functions is as follows:
(i) Grouping. The inputs and are divided into segments based on the Hamming weight and a threshold . Consider the input ; based on the Hamming weight, divide the input string into two parts, i.e., () and (). Continue the segmentation process based on the Hamming weight until the smallest segment size becomes equal to the threshold value . The input string is also segmented based on and the threshold . The respective segments are concatenated to form the output () of the grouping function.
(ii) Rearrange. In this step, the regrouping of the and bits takes place. As the length of the input strings is the same, exchanging the grouping form between and gives two L-bit numbers. Finally, each subgroup is left rotated by its Hamming weight. The output of the rearrange function () is the shuffled version of and .
(iii) Composition. The final output of the conversion function is obtained by taking of the shuffled versions of and , i.e., .

The RFID system implementing the SLAP stores the latest pair of dynamic variables on both communicating ends. The working principle of the protocol is as follows:
(1) The tag receives a “hello” message from the reader after entering its vicinity.
(2) The tag responds with its identity pseudonym . This value is used for the tag identification at the reader’s side.
(3) After successful identification, the reader generates a random number and conceals it in the message . The reader also generates a challenge message . The reader transmits message along with the left or right half of based on . If =odd, ; otherwise .
(4) The tag authenticates the reader by generating a response to message . After successful reader authentication, the tag calculates the message and transmits the left or right half of based on . If =odd, ; otherwise .
(5) After identity verification, the dynamic variables on each side are updated using the following equations:

The block diagram of the SLAP is given in Figure 13.

This brief survey of the existing protocols shows that an increase in the computational complexity of the authentication mechanism improves the CIAA capabilities of the protocol at the cost of increased gate equivalents. Section 3 presents a set of eminent cryptanalysis models that are used to evaluate the security and privacy features of the UMAPs. The literature review shows that almost all the existing UMAPs have been subjected to multiple cryptanalysis attacks. The unavailability of a secure and reliable UMAP for RFID-enabled IoT networks is one of the major challenges in the standardization of a secure architecture for the resource-constrained IoT network perception layer. The subsequent sections present a comprehensive security analysis model to evaluate the strengths of RFID node authentication protocols, the CIAA analysis of the existing UMAPs based on the presented model, and a secure and reliable UMAP termed the Extremely Good Privacy (EGP) protocol for the authentication of resource-constrained IoT nodes.

3. Cryptanalysis Models for UMAPs

Since 2006, numerous UMAPs have been proposed for the EPC C1G2 identification system. However, most of these protocols were very weak and were found to be vulnerable within one year of their introduction [19, 42, 43]. The reason behind this rapid failure was the lack of a thorough security analysis of the protocol at the design stage.

A comprehensive security analysis should include a formal analysis of the protocol and a strength evaluation against at least three basic cryptanalysis models: desynchronization, traceability, and full disclosure attacks. This section provides a brief description of this security analysis model along with the cryptanalysis of the UMAPs defined in the previous section, to highlight the need for a secure and reliable authentication protocol for RFID-based IoT networks.

3.1. Formal Analysis

The formal analysis is performed to evaluate the protocol’s ability to authenticate the communicating entities under multiple channel conditions. The sequence of challenge/response message exchanges between the tag and the reader is examined by means of the following methods.

3.1.1. Logic of Belief Analysis

This method analyzes the public message composition and the sequence of interaction between the communicating parties to systematically evaluate the protocol’s functionality at an abstract level. The objectives of the logic of belief analysis are as follows:
(i) State what is accomplished by the protocol
(ii) Draw attention to unnecessary actions that can be removed from the protocol
(iii) Highlight any encrypted messages that could be sent in clear text

The prominent mathematical models used for the logic of belief analysis are the Burrows–Abadi–Needham (BAN) logic model and the Gong–Needham–Yahalom (GNY) logic model.

3.1.2. Automated Security Analysis

Automated security analysis verifies the ability of the protocol to achieve the designated security goals in the presence of malicious entities. Security analysis tools such as Casper/FDR and AVISPA are mathematical frameworks that evaluate the protocol’s behavior in multiple hostile environments against a set of axioms.

3.2. Desynchronization Attack Model

This attack model aims to disconnect a valid tag from an identification system by overwriting its dynamic attributes. However, a successful desynchronization attack does not reveal any of the tag’s information to the adversary. The minimum requirement for the adversary to launch a desynchronization attack is the ability to eavesdrop on and replay public messages. Based on the memory architecture of the RFID system, the execution of the attack can be defined for four different scenarios.

Scenario 1 (single copy of stored on tag and reader’s side). In this scenario, the reader and the tag store the latest copy of the identity pseudonym . The attack executes on such a tag/reader pair in two steps.
(1) The adversary keeps track of an authentication session and blocks the challenge message from the tag to the reader. As a consequence of this step, the tag’s memory updates whereas the on the reader’s side remains the same.
(2) In the next session, the protocol fails at the identification stage when the provided by the tag is not found in the reader’s dynamic memory.

Table 7 shows the status of system’s dynamic memory for each step.

Scenario 2 (pair of latest stored at tag’s side). This scenario is defined for the identification system in which the tag stores a pair of the latest identity pseudonyms whereas the reader only stores the most recent copy of . The model executes in the following steps [44]:
(1) Consider a synchronized pair of the tag and the reader. The adversary eavesdrops on the challenge message and blocks the challenge message . As a result, the tag’s dynamic memory updates whereas the reader’s database remains unchanged .
(2) The adversary allows the tag/reader pair to undergo an uninterrupted authentication session. The identity verification takes place on the basis of . .
(3) In this step the attacker impersonates a valid reader and communicates with the tag based on . The adversary replays the challenge message . As a result, the tag’s dynamic memory updates as and whereas the reader’s memory remains the same, i.e., .
(4) Since the values of do not match at the communicating ends, the tag fails at the identification stage of subsequent authentication sessions.

Table 8 shows the values of index pseudonyms at the end of each step.

Scenario 3 (pair of latest stored at the reader’s side). This scenario is defined for protocols in which the reader stores two copies of the dynamic memory and also sends a challenge message to the tag as the last message of the session. The purpose of this message is to inform the tag about successful mutual authentication so that its dynamic memory can be updated. The step-by-step execution of the attack is as follows [45]:
(1) The adversary sniffs the public messages from an ongoing authentication session and then blocks the message . This prevents the tag from updating its dynamic variables, i.e., .
(2) In the next session, the adversary allows the tag-reader pair to communicate on the basis of and blocks message . This step again updates the reader’s memory whereas the tag’s memory remains unchanged, i.e., .
(3) In the last session the adversary impersonates a reader and replays the message recorded in step one. This replay attack breaks the synchronization among the dynamic variables of the tag and the reader. The final values of the dynamic variables at the tag’s and the reader’s side are .

The step by step values of index pseudonyms are given in Table 9.

Scenario 4 (pair of latest stored on both sides of the system). The last scenario is for the protocols that store the pair of latest dynamic variables on both communicating ends. The adversary requires five consecutive authentication sessions to completely disconnect a valid tag from the RFID system. The description of the attack is as follows [34]:
(1) In step one, the adversary eavesdrops on all the public messages from an authentication session between a completely synchronized tag/reader pair.
(2) In the next step, the adversary records and and blocks at the same time. The dynamic memory of both sides remains unchanged.
(3) In step three, the adversary forces the tag/reader pair to authenticate on the basis of by blocking the first response of the tag to the reader’s message.
(4) In this step, the adversary impersonates the reader and communicates with the tag based on the messages eavesdropped in session one. This step makes the tag partially desynchronized.
(5) The last step comprises the adversary’s communication with the tag on the basis of and . This step completely changes the values of the identity pseudonyms stored in the tag’s and the reader’s memory.

The working example of the attack is presented in Table 10.

The scenarios in Tables 7, 8, 9, and 10 cover almost all the previous protocols. This proves that nearly every UMAP has been subjected to a desynchronization attack, which ultimately leads to Denial of Service (DoS). The basic theme of all the DoS attacks is to rewrite the tag’s memory with previous values of that have already been removed from the reader’s memory. The generalized desynchronization attack proved that if the pair of latest dynamic variables is stored at the reader’s side, the tag can be desynchronized in at most five consecutive sessions, irrespective of its dynamic memory architecture [34].

An extended memory buffer for the tag’s dynamic variables at the reader’s database increases the number of sessions required by the adversary to overwrite the tag’s memory. Increasing the number of adversary-administered sessions required to execute a desynchronization attack strengthens the protocol’s ability to withstand DoS attacks [46, 47].
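The buffer trade-off described above, as an added illustration (a constructed model, not code from the paper or from any of the cited protocols): the tag stores a single pseudonym, the reader stores the k most recent pseudonyms of each tag, the reader commits its update when it sends the final message and the tag updates only if that message arrives (the Scenario 3 memory pattern). The pseudonym update rule next_ids is a placeholder standing in for a protocol's real key- and nonce-derived update.

```python
"""Constructed model of a reader-side pseudonym buffer (added example, not the
paper's code).  Assumptions: the tag stores a single IDS; the reader stores the
k most recent IDS values per tag; the reader updates as soon as it sends the
final message of a session, the tag only if that message is delivered.  The
update rule next_ids() is a placeholder for a protocol's real update."""
from collections import deque
import hashlib


def next_ids(ids: bytes, nonce: int) -> bytes:
    """Placeholder pseudonym update (assumption): derive the next IDS from the
    current one and a per-session nonce."""
    return hashlib.sha256(ids + nonce.to_bytes(4, "big")).digest()[:8]


class Tag:
    def __init__(self, ids: bytes) -> None:
        self.ids = ids


class Reader:
    def __init__(self, buffer_size: int) -> None:
        self.buffer_size = buffer_size
        self.db = {}  # tag name -> deque of recent IDS values, newest last

    def register(self, name: str, ids: bytes) -> None:
        self.db[name] = deque([ids], maxlen=self.buffer_size)

    def identify(self, ids: bytes):
        """Identification stage: match the presented IDS against every stored
        copy, not only the newest one."""
        for name, recent in self.db.items():
            if ids in recent:
                return name
        return None


def run_session(reader: Reader, tag: Tag, nonce: int,
                final_msg_delivered: bool) -> bool:
    """One abstract session.  Returns True if the reader identified the tag.
    On success the reader appends the next IDS (evicting the oldest copy when
    the buffer is full); the tag updates only if the final message reaches it."""
    name = reader.identify(tag.ids)
    if name is None:
        return False
    new_ids = next_ids(tag.ids, nonce)
    reader.db[name].append(new_ids)   # reader commits before the last message
    if final_msg_delivered:
        tag.ids = new_ids
    return True


def sessions_until_desync(buffer_size: int, limit: int = 100) -> int:
    """Number of consecutive sessions with a dropped final message that the
    pair survives before identification fails (limit = no failure observed)."""
    tag = Tag(b"\x00" * 8)        # constructed initial pseudonym
    reader = Reader(buffer_size)
    reader.register("tag-1", tag.ids)
    for n in range(limit):
        if not run_session(reader, tag, nonce=n, final_msg_delivered=False):
            return n
    return limit


def stays_synchronized(buffer_size: int, sessions: int) -> bool:
    """Sanity check: with every final message delivered, the pair never loses
    synchronization regardless of buffer size."""
    tag = Tag(b"\x01" * 8)
    reader = Reader(buffer_size)
    reader.register("tag-1", tag.ids)
    return all(run_session(reader, tag, n, True) for n in range(sessions))


if __name__ == "__main__":
    for k in (1, 2, 4):
        print(f"buffer size {k}: tag desynchronized after "
              f"{sessions_until_desync(k)} dropped final messages")
```

With a single stored copy the pair is lost after one dropped message; with k copies the reader still recognises the tag for k consecutive dropped messages, at the cost of k stored pseudonyms per tag.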

3.3. Traceability Attack Model

One of the most prominent threats associated with RFID systems is traceability. In this model, the adversary gathers information related to the tag so that it can violate the tag’s location privacy at any point in the future. UMAPs can resist traceability attacks by anonymizing the tag’s response to the reader’s queries.

According to the formal definition, the tag () is assumed traceable if the adversary can correctly estimate the value of when presented with from the set [48, 49]. Two basic models are available in the literature to evaluate the strength of the protocol in preserving the anonymity of the tag.

3.3.1. Guess and Determine Model

In the guess and determine model, the attacker has the following capabilities:
(i) The attacker can snoop on the communication between the tag and the reader during the authentication session.
(ii) The adversary can block or alter the message being communicated between the and entities during the identification session .

The traceability attack executes as follows [50, 51]:
(i) Phase 1 (Learning). The attacker gathers information related to the tag under attack by issuing the and commands.
(ii) Phase 2 (Challenge). The attacker is challenged to identify the tag being traced from the set of RFID identifiers.
(iii) Phase 3 (Guess). The attacker continues to gather knowledge through the learning phase until it can successfully trace the tag under consideration.

3.3.2. Metaheuristic Model

This model transforms the cryptanalysis of a UMAP into a search problem solved with the help of metaheuristic algorithms. The main motivation behind using heuristic search algorithms is their ability to locate global maxima or minima efficiently. The step-by-step procedure for launching the metaheuristic traceability attack is as follows [52]:
(1) The adversary eavesdrops on an authentication session between the tag () and the reader to obtain the public messages .
(2) The attacker initializes the secret values associated with the tag by using the Mersenne Twister pseudorandom number generator. These initialized values act as a seed for the simulated annealing algorithm. The adversary then calculates the public messages () based on the assumed secret values.
(3) The Simulated Annealing (SA) algorithm is used to derive an estimate of . The values obtained by the search algorithm produce public messages that are at minimum deviation from the authentic .
(4) is calculated by using the output of the simulated annealing algorithm.
(5) Repeat steps (2)-(4) to obtain multiple approximations of . The final estimate of the dynamic pseudonym is obtained by taking a majority vote of all approximations.
(6) For the final execution of the traceability attack, the attacker is presented with . The successful cryptanalysis depends on the correct guess of by the attacker. In order to estimate the value of , the attacker calculates the correlation function given in (95).

If the correlation between two values is greater than 75%, the tag presented to the adversary is otherwise it is .

3.4. Full Disclosure Attack Model

One of the primary features of a UMAP is the provision of confidentiality services to the communicating parties. In this cryptanalysis model, the adversary intercepts the public messages to extract sensitive information related to the tag. The full disclosure attack models can be divided into two subcategories:

3.4.1. Ad Hoc Attacks

Ad hoc cryptanalysis, also termed unstructured attacks, explores the protocol’s equations to find mathematical weaknesses. The unstructured attacks exploit the linear behavior of the protocol’s operators to estimate the tag’s . Table 11 presents a list of UMAP primitives that exhibit linear behavior. These operators are not preferred for UMAP design due to their inability to hide the tag’s attributes in public messages.

3.4.2. Structured Attacks

In the structured cryptanalysis models, the adversary follows a predefined set of instructions to breach the confidentiality of an authentication session. The use of probabilistically imbalanced functions as the protocol’s primitives reveals the tag’s information in public messages. Some of the common structured attack models are defined as follows:
(i) Tango Attack. The passive tango cryptanalysis is a probabilistic attack which is extremely efficient for recovering the tag’s and other secret information related to a tag. The attack comprises two steps: (1) selection of good approximation (GA) equations and (2) manipulation of the derived good approximation equations for disclosing the of the tag under attack. The details of the attack are elaborated as follows [53, 56]:
(I) For the selection of GA equations, the attacker locally initializes the tag’s and dynamic variables and then simulates UMAP sessions based on the assumed data. The main aim of this step is to obtain a set of GA equations in terms of public parameters for the estimation of the tag’s . The combinations which exhibit poor diffusion of the tag’s are selected as GA equations. Once a set of GA equations is derived, the tag of any identifier implementing the UMAP under consideration can be efficiently calculated using (II).
(II) The idea behind this step is to combine the results of the GA equations of eavesdropped sessions to obtain a single global estimation of which is highly correlated with the tag’s original . The detailed procedure of step (II) is as follows:
(i) Define a matrix of size , where
(ii) For each eavesdropped session, calculate the values of the GA equations and store the results as a row of matrix . Repeat this process for authentication sessions.
(iii) The estimation of the tag’s is obtained by adding each of the columns of matrix and returning a zero if the sum of the said column is below a threshold . If the sum is greater than or equal to , then one is returned. The formula for calculating is as follows:
The success probability of the tango attack is directly proportional to the number of simulated sessions and the number of eavesdropped sessions.
(ii) Recursive Linear Cryptanalysis. The Recursive Linear Cryptanalysis (RLC) [54] is applicable to protocols in which the number of secret values associated with the tag under attack is less than or equal to the number of communicated messages per authentication session. This property of the protocol makes RLC passive in nature. The attack executes by linearizing the public message encryption equations from a single authentication session in terms of the attributes associated with the tag. The linear approximation defines the equations in terms of the function only. The rules of linear approximation can be derived from Table 11. If the coefficient matrix of the linear system of equations is nonsingular and the system is overdefined, the full disclosure attack can be successfully executed in a bit-by-bit fashion.
(iii) Recursive Differential Cryptanalysis. The Recursive Differential Cryptanalysis (RDC) [54] is similar to RLC and is applied when the number of public messages from a single authentication session is less than the number of variables associated with the tag. RDC is active in nature. The adversary forces the tag-reader pair to communicate on the same set of dynamic variables for every session by blocking the and the messages, while eavesdropping on these compromised sessions. This expands the number of equations from which a linearized system of equations can be formed. If the coefficient matrix of the resulting system of equations is nonsingular, the secrets related to the tag are successfully revealed. The success probability of RDC depends on the number of sessions with which the adversary needs to interfere for successful execution.

The attacks stated above are the primary building blocks for the evaluation of the CIAA services offered by UMAPs. Table 12 provides a compact security analysis of the existing UMAPs and highlights the vulnerability of the authentication protocols to multiple cryptanalysis models.

The results of the comparative analysis presented in Table 12 emphasize the need to develop a protocol that is computationally efficient and robust against structured and nonstructured attacks. The design principles for the development of a secure authentication protocol are continuously evolving by virtue of the weaknesses highlighted by the cryptanalysis reports of existing UMAPs. The following design principles have been deduced through the cryptanalysis of the UMAPs discussed in Section 2.
(i) The reader should store the latest values of the dynamic variables associated with the tag. The value of will be directly proportional to the strength against desynchronization attacks.
(ii) The introduction of an ultralightweight primitive with strong confusion and diffusion capabilities will improve the confidentiality offered by the UMAP.

By incorporating the above-mentioned principles, we can design a UMAP with strong confidentiality, integrity, and availability features. Section 4 presents a novel UMAP termed as Extremely Good Privacy protocol along with the detailed security analysis to prove its ability to provide security and privacy to low-cost IoT nodes.

4. Extremely Good Privacy Protocol

In this section, we propose a new UMAP which requires few on-chip resources and provides Extremely Good Privacy (EGP). The proposed protocol avoids all unbalanced logical operations (such as ; ) and involves only two extremely lightweight operations: &. The new ultralightweight primitive “” is inspired by the permutation function () introduced in [4]; since the latter primitive discloses information about its operands, it was found unsuitable for UMAPs. Moreover, we have also introduced the concept of “inverse permutation” at the tag side, which utilizes the permutation function efficiently; with the incorporation of the inverse function, the permutation no longer requires any other primitive to protect its contents. For a better understanding of the primitives and , consider the following.

(A) Computation of Per-XOR . Suppose are two -bit strings, where

The computation of involves the following two steps:
(1) Permute (transposition) the string ′′ according to the string ′′, by checking each bit of the string ′′ (starting from the LSB). If then the bit stored at will be placed at location (LSB); otherwise it will be placed at the same position. In the next clock cycle, if then the bit stored at will be placed at location ; otherwise it will be shifted left (LSB side). This process continues until we reach the MSB of string ′′. After completion, we will have a new string ′m∗′ which is the permuted version of string ′′.
(2) Take the between the new string ′m∗′ and the string ′′.

Figure 14 shows the example of Per-XOR computation with reduced bit length.

(B) Computation of Inverse Per-XOR . The tag uses the primitive extensively in order to retrieve the concealed secrets. The computation of also involves two steps:
(1) Take the XOR between the received and the preshared secret .
(2) Perform the inverse permutation in a sequential manner to get the concealed string ′′. For the inverse permutation, we use one pointer/indexer for traversing over the result computed in step 1. If then the pointer moves to position and the bit stored at location on the string will be placed at location ; otherwise the pointer moves to position and the bit stored at location will be placed at location . This process continues until the last bit of the string ′′.

For better understanding, Figure 15 shows the example of Inverse Per-XOR with reduced bit length.
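The two primitives, as an added example (not the authors' code) under one concrete reading of the description above: scanning the control string from the LSB, the bits of the first operand at positions where the control bit is 1 are moved to the low end of the result in scan order and the remaining bits follow in scan order; the result is then XORed with the control string, and Inverse Per-XOR reverses the two steps. The bit-placement rule and the choice of the second operand as the XOR mask are assumptions; the example also shows why the bare permutation conceals its operand poorly (any bit permutation preserves Hamming weight), which the XOR mask removes.

```python
"""Added example (not the paper's code): one concrete reading of Per-XOR and
Inverse Per-XOR on width-bit integers.

Assumptions: per(m, n) scans n from the LSB; bits of m at positions where n is
1 are moved to the low end of the result in scan order, the remaining bits of
m follow in scan order.  per_xor(m, n) = per(m, n) XOR n, with n playing the
role of the preshared secret that the inverse strips off first."""
import random


def per(m: int, n: int, width: int) -> int:
    """Bit permutation of m controlled by n (assumed reading of step 1)."""
    mask = (1 << width) - 1
    m &= mask
    n &= mask
    moved, kept = [], []
    for i in range(width):                 # LSB to MSB
        bit = (m >> i) & 1
        (moved if (n >> i) & 1 else kept).append(bit)
    out = 0
    for pos, bit in enumerate(moved + kept):
        out |= bit << pos
    return out


def inv_per(p: int, n: int, width: int) -> int:
    """Undo per(): one pointer walks the low block for n_i = 1 positions and
    another walks the high block for n_i = 0 positions (sequential inverse)."""
    mask = (1 << width) - 1
    n &= mask
    low_ptr = 0
    high_ptr = bin(n).count("1")           # high block starts after the moved bits
    m = 0
    for i in range(width):
        if (n >> i) & 1:
            m |= ((p >> low_ptr) & 1) << i
            low_ptr += 1
        else:
            m |= ((p >> high_ptr) & 1) << i
            high_ptr += 1
    return m


def per_xor(m: int, n: int, width: int) -> int:
    """Per-XOR: permute m under n, then XOR the result with n."""
    return per(m, n, width) ^ (n & ((1 << width) - 1))


def inv_per_xor(c: int, n: int, width: int) -> int:
    """Inverse Per-XOR: strip the XOR mask, then undo the permutation."""
    return inv_per(c ^ (n & ((1 << width) - 1)), n, width)


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def roundtrip_ok(trials: int = 1000, width: int = 96, seed: int = 1) -> bool:
    """Inverse Per-XOR recovers m for random operands (96-bit EPC-sized words)."""
    rng = random.Random(seed)
    top = 1 << width
    return all(inv_per_xor(per_xor(m, n, width), n, width) == m
               for m, n in ((rng.randrange(top), rng.randrange(top))
                            for _ in range(trials)))


def permutation_leaks_weight(trials: int = 1000, width: int = 96,
                             seed: int = 2) -> bool:
    """Why the bare permutation is a poor concealment primitive: every bit
    permutation preserves the Hamming weight of its first operand, so per(m, n)
    reveals HW(m) whatever n is.  The XOR mask breaks that invariant."""
    rng = random.Random(seed)
    top = 1 << width
    pairs = [(rng.randrange(top), rng.randrange(top)) for _ in range(trials)]
    bare = all(hamming_weight(per(m, n, width)) == hamming_weight(m)
               for m, n in pairs)
    masked = any(hamming_weight(per_xor(m, n, width)) != hamming_weight(m)
                 for m, n in pairs)
    return bare and masked


if __name__ == "__main__":
    m, n = 0b10110010, 0b01101001        # constructed 8-bit operands
    c = per_xor(m, n, 8)
    print(f"Per-XOR  : {c:08b}")          # 10111101
    print(f"recovered: {inv_per_xor(c, n, 8):08b}")
```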

4.1. Working of the EGP Protocol

Figure 16 shows the detailed working of the protocol. The EGP protocol involves three main components: the Tag , the Reader , and the backend database . Each ′′ contains one static secret and two sets of and keys (old and new). To avoid possible desynchronization attacks, the ′′ uses the buffer-based security framework proposed in [46]. In the buffer-based security framework, the reader maintains a dynamic memory architecture and stores all previous pseudonyms and keys (depending upon the buffer size). To avoid buffer overflow, an RTC (Real Time Clock) has also been integrated at the reader side that manages the storage of the variable. The basic symbols and notations used in this protocol are presented in Table 13.

The specifications of the protocol are as follows:
(1) The ′′ initiates the protocol session by sending a “hello” message towards the ′′.
(2) Upon receiving this query, the ′′ responds with its current .
(3) The ′′ looks for the received in its database and, if a match occurs, it computes the , and messages and sends them to the reader. Otherwise, it sends another “hello” towards the ′′ and repeats the same process of finding a matched entry. If the ′′ does not find a matched entry in this second round, it terminates the protocol session.
(4) On receiving the , and messages, the ′′ performs the following three tasks:
(a) Extract the random nonce from messages :
(5) Compute the local value of and compare it with the received . If both values coincide, only then does the ′′ authenticate the ′′; otherwise it terminates the protocol session with the particular ′′. After successful authentication, the ′′ computes the message and transmits it towards the ′′.
(6) Update the and the key .
(7) Upon receiving message , the ′′ computes a local value of D and compares it with the received one. If both values coincide then the ′′ authenticates the ′′ and updates the IDS and key for the particular ′′ in its database for future correspondence.

Figure 16 presents the block diagram of the EGP protocol.

4.2. Security Analysis of EGP Protocol

We analyze the security of the proposed protocol in two aspects: formal verification and resistance of the protocol against rudimentary attacks. The detailed description of the security analysis is presented as follows.

4.2.1. Formal Security Analysis

For formal security verification, we use GNY logic. The formal analysis tool uses abstract language and verifies the assumptions and objectives of the security algorithms. The detailed description of the analysis is as follows.

(1) GNY Logic Analysis. GNY (Gong–Needham–Yahalom) logic is a mathematical formal verification tool that verifies the security assumptions and goals of security algorithms. GNY logic is a multistep process which first translates the assumptions and public messages into an abstract language and then starts validating the goals. For the validation of the goals, GNY logic uses three rules: Being Informed, Possession, and Freshness Rules.
(a) Being Informed Rules. Any formula that receives is considered “being informed”.
: if is informed of the formula , which he did not convey in this run, then is informed of .
: if is informed of an encrypted formula with symmetric key then is informed of the formula .
(b) Possession Rules. If possesses a formula then it can possess other associated formulae as well.
: can possess any variable of which it is being informed.
: if possesses two different formulae then it can possess their concatenation and functions as well.
Table 14 lists the notations used in GNY logic analysis.
(c) Freshness Rules. On the basis of belief, determines the freshness of messages.
: if believes that a formula is fresh then he also believes that any concatenation and function will be fresh.

(2) Formal Proof of EGP Using GNY Logic. The first step in GNY analysis is to describe the assumptions of the protocols which are followed by the formalization of the exchanged messages. Finally, the goals of the protocols are verified using formal analysis postulates.

The authentication process mainly depends upon the pseudorandom numbers; therefore we apply the analysis to the first two messages only.

The messages can be formulated as follows:

The goal of sending such messages is

By applying the verification postulates, we can validate EGP’s goal as follows:

By considering , and we can have

According to rule , we get

Now for second message as we know,

If we consider , and then can be represented as

Further can be interpreted as

Hence from and , it can be observed that EGP optimally achieves its goal:

If an adversary tries to modify , the effect of this alteration transfers directly to as well. The tag will then fail to verify message , abort the protocol session, and remain synchronized.

4.3. Desynchronization Attack

The desynchronization attacks presented in [34] force the legitimate readers and tags to update different pairs of pseudonyms and keys and therefore make the resources unavailable to the legitimate parties. To avoid such availability and desynchronization attacks, the EGP protocol uses a dynamic memory architecture at the reader’s side. This memory architecture involves an RTC (Real Time Clock) and shift registers to store the current and previous values of the pseudonyms and keys of each associated tag. The memory architecture is located at the reader’s side and therefore does not increase the cost of the tag. If the adversary tries to block some genuine authentication sessions and uses replay attack models to desynchronize the EGP tag and reader, this will be impossible, since the reader keeps the records of the authentication sessions. The size of the dynamic variable buffer at the reader’s side primarily depends on the architecture of the database associated with the network. An increase in buffer size enhances the synchronization of the tag/reader pair at the cost of an increased memory requirement at the reader’s side.

4.4. Traceability Attack

In EGP, if an adversary tries to find the conjecture through publicly disclosed messages, then because of the optimal message structure she will obtain only the ambiguous equation:

Given the computational complexity of (115), it will be almost impossible for an adversary to track an individual tag by resolving this equation. Moreover, most of the variables involved in EGP are updated after each authentication session; therefore EGP proves to be secure against all existing traceability attack models.

4.5. Full Disclosure Attack

The full disclosure attacks exploit the inherent weaknesses of the T-functions. The attackers usually perform different computational operations on the public messages and try to obtain conjectured secret values. However, the inclusion of the nontriangular primitives and makes it almost impossible to retrieve the concealed secrets of the EGP protocol from the public messages. The protocol’s performance against unstructured and structured full disclosure attacks is described as follows:
(A) Ad Hoc Attack. The ad hoc attacks target the lack of randomness in public messages and the linear behavior of the protocol’s primitives. In the EGP protocol, the structure of the public messages is designed to avoid the previously presented unstructured full disclosure attacks. Every public message increments the degree of randomness by one; i.e., message consists of the random number , message consists of and , and message consists of , and . Even if the adversary keeps the dynamic variables constant for multiple sessions by blocking the message , the values of , and change for every session and hence the values of the public messages vary, making it theoretically impossible to derive the tag’s by just eavesdropping on the authentication sessions. In addition to this, the operator provides improved confusion and diffusion services to the public messages due to the following features:
(1) The operation masks the result of the permutation, making it impossible to reveal the LSB or MSB of the first operand of the function without complete information about the second operand.
(2) The operands of the function in the EGP protocol are an irreversible combination of dynamic variables. The analysis of message shows that even if the adversary obtains by exploiting the reversible nature of , the cannot be retrieved without the knowledge of and . This enables the presented primitive to effectively conceal the secret values associated with the session in the public messages.
In [45], an ad hoc full disclosure attack on the RAPP protocol is presented. In the proposed attack, the dynamic variables are kept constant by blocking the last message from the to the , and then the weakness of the permutation primitive is exploited to obtain the random number that eventually leads to the disclosure of the tag’s . For the estimation of a single random number, the adversary generates a database of two public messages consisting of the constants , , and . In the EGP protocol, the dynamic variables on the tag’s side can be kept constant by blocking message from the to the . This leaves the adversary with only three public messages based on the constant and . Since the EGP protocol uses two random numbers (), the number of public messages is not sufficient to estimate the private keys generated by the . Therefore, due to the nonlinear behavior of the function and the small number of public messages, the ad hoc attacks proposed for the RAPP protocol are not applicable to the EGP protocol.
(B) Tango Attack. The tango attack proves to be unsuccessful against nontriangular-based UMAPs. The inventors of the tango attack also highlighted this inherent weakness of the attack model. In EGP, we have extensively used the nontriangular primitives ( and ) in its design, which require extensive computational complexity to retrieve . Therefore, it is almost impossible for an adversary to find the optimal GA equations and apply the tango attack model to EGP.
(C) Recursive Linear and Differential Cryptanalysis. The RLC model exploits the weak diffusion properties of the protocols and uses the public messages to construct a set of linear equations for each individual bit of the concealed secrets. After constructing sufficient equations, the adversary solves the equations recursively and tries to obtain the concealed secrets bit by bit. However, the incorporation of (optimal) nontriangular primitives such as recursive hash [41], Pseudo-Kasami codes [31], and in the protocol messages makes it almost impossible for an adversary (with RLC) to construct enough equations to disclose the concealed secrets. On the other hand, the RDC model is more powerful and requires an active attacker which can block the genuine authentication sessions (between the reader and the tags) so that both the legitimate readers and the tag communicate with the previous pseudonyms and keys. The attacker then tries to find the differential relationship between the random nonces and obtain conjectured secrets. However, RDC also fails to disclose the concealed secrets of nontriangular-based UMAPs. The inventors of RLC and RDC also highlighted this inherent limitation of the models.

The cryptanalysis proves that the EGP protocol is robust against all the attack models presented in Section 3. None of the previous UMAPs (discussed here) can withstand all types of existing adversarial models discussed in the security analysis model, which makes them unsuitable for real-world applications. On the other hand, the evaluation of the EGP protocol based on robustness, reliability, and security proves that the presented authentication protocol is most suitable for the authentication of the resource-constrained IoT network perception layer.

5. Conclusion

The 5th generation mobile communication systems are envisioned to offer high-speed broadband service, which is a key enabling factor for development in the field of IoT networks. The security and privacy of the IoT network are of utmost concern since a large amount of user-specific data is being generated on a real-time basis. The identity verification of the communicating parties is a primary part of a secure perception layer. Resource-constrained IoT networks use ultralightweight protocols for node authentication. This paper presents a brief survey of the existing UMAPs and their cryptanalysis models. The UMAPs can be broadly classified into three categories based on the primitives used for the challenge/response message calculation, i.e., UMAPs with triangular functions, UMAPs with a single nontriangular function, and UMAPs with hybrid nontriangular functions. The hybrid nontriangular functions provide enhanced confidentiality, integrity, availability, and authentication (CIAA) services at the cost of increased gate equivalents. However, the literature review shows that almost all the existing UMAPs are vulnerable to multiple cryptanalysis attacks, i.e., desynchronization, full disclosure, and traceability attacks. In this paper, we have proposed a new ultralightweight authentication protocol named EGP (Extremely Good Privacy) for IoTs. The proposed protocol introduces a new ultralightweight primitive, Per-XOR, which is composed of two extremely lightweight operations: XOR and permutation. This newly proposed primitive increases the confusion and diffusion properties of the public messages optimally and avoids all the existing adversarial models. The performance comparison of the EGP protocol shows that it outperforms its contending UMAPs in terms of security. This remarkable feature makes EGP the best choice for extremely low-cost IoT sensors and RFID tags.

Conflicts of Interest

The authors declare that they have no conflicts of interest.