Security and Communication Networks


Review Article | Open Access

Volume 2019 | Article ID 3295616 | 25 pages | https://doi.org/10.1155/2019/3295616

Ultralightweight RFID Authentication Protocols for Low-Cost Passive RFID Tags

Academic Editor: Petros Nicopolitidis
Received 02 Mar 2019
Revised 26 May 2019
Accepted 23 Jun 2019
Published 21 Jul 2019

Abstract

The field of pervasive computing, especially the Internet of Things (IoT) network, is evolving due to the high network speed and increased capacity offered by the 5G communication system. The IoT network identifies each device before giving it access to the network. The RFID system is one of the most prominent enabling technologies for node identification. Since the communication between the node and the network takes place over an insecure wireless channel, an authentication mechanism is required to prevent malicious devices from entering the network. This paper presents a brief survey of the authentication protocols along with the prominent cryptanalysis models for EPC C1G2 RFID systems. A comparative analysis is provided to highlight the common weaknesses of the existing authentication algorithms and to emphasize the lack of security standardization for the resource-constrained IoT network perception layer. The paper concludes by proposing an ultralightweight protocol that provides Extremely Good Privacy (EGP). The proposed EGP protocol avoids all the pitfalls highlighted by the cryptanalysis of the existing authentication protocols. The incorporation of the novel ultralightweight primitives, Per-XOR and Inverse Per-XOR, makes the protocol messages more robust and irreversible for all types of adversaries. A comprehensive security analysis illustrates that the proposed protocol is highly resistant to all possible attack scenarios and ensures the security optimally.

1. Introduction

The concept of creating low-cost, reliable, and secure Internet of Things (IoT) networks for current and future applications is evolving by virtue of the high network speed and increased capacity offered by the 5G communication system. The IoT network consists of interrelated computing devices with unique identification, deployed in the environment to collect, process, and share information, in order to facilitate the measurement of changes in the surroundings and to react independently, primarily without human interaction [14]. The data collected by the network is also processed to generate valuable information that can be used to enhance the user experience in the future [5]. The IoT platform is being used in various fields to achieve purposeful objectives such as logistics [6], smart cities [7], and supply chain management [8].

The IoT network initially identifies the electronic devices (nodes) before giving them access to the network. The Radio Frequency Identification (RFID) system is emerging as an enabling technology for node discovery due to features such as high speed, long range, and non-line-of-sight scanning [4]. RFID enabled IoT networks are being preferred in various surveillance, monitoring, and healthcare applications. Table 1 highlights some of the prominent applications reported in the literature.


| System | Function |
| --- | --- |
| Smart Home Mobile RFID based IoT system [9] | This is a smart home service system to benefit the user in terms of cost, energy consumption and ease. |
| RFID & IoT for attendance monitoring system [10] | This is a real-time attendance monitoring system that can be accessed by various parties, i.e., teachers, students and parents. |
| Harvard hybrid system [11, 12] | The system uses RFID tags to track equipment, beds, patients and ICU babies. |
| Positive patient identification system [13] | The system facilitates patient identification and speeds up access to the patient’s data. |
| Intel transfusion system [14] | This system identifies blood bags, recipients and staff. The purpose of this system is to enhance the safety of the blood transfusion. |

The architecture of the RFID enabled IoT network is composed of three components: the RFID system, the IoT middleware, and the Internet [15]. The RFID system facilitates the node identification and the data collection. The data gathered from the environment under observation is processed by the IoT middleware. The IoT middleware also acts as a gateway to the external Internet [16].

The architecture of the RFID system embedded in an IoT network consists of three main components: the Electronic Product Code (EPC) tag, the reader, and the database. The tag is a low-cost electronic chip with the unique identification number (). The reader identifies each tag associated with the system by receiving the over the wireless channel. The database supports the reader in the identification process by storing attributes of all the tags affiliated with the RFID system [17].

The EPC standards have segregated the tags into classes based on their functionality. The description of each EPC class is given in Table 2 [18].


| Class | Description |
| --- | --- |
| Class 5 | Class 5 tags are essentially active readers. They have the ability to communicate with all the EPC standard classes. |
| Class 4 | Class 4 tags are active in nature. They can communicate with the reader and other tags by using peer to peer communication model. |
| Class 3 | Class 3 tags are semi passive tags that can support broadband communication. |
| Class 2 | Class 2 tags are the passive tags with extended functionality such as memory and computational resources. |
| Class 1/0 | Class 1/0 tags are basic passive identity tags with limited resources. |

In the RFID enabled IoT networks, the node is identified by communicating the tag’s to the reader over an insecure wireless channel. Therefore, the system is prone to many security and privacy threats [19]. A mutual authentication mechanism is an inevitable part of the tag identification process. In this paper, a brief survey of the existing mutual authentication protocols and the prominent cryptanalysis models for the EPC Class 1 Generation 2 (C1G2) RFID systems is presented. A comparative security analysis of the prominent protocols is drawn to highlight some of the common weaknesses of the existing authentication algorithms for resource-constrained RFID systems. The paper also proposes the Extremely Good Privacy (EGP) protocol. The comprehensive security analysis of the EGP protocol ensures its security claims and robustness against all existing cryptanalysis models. The EPC C1G2 tags are the key component of the low-cost RFID systems due to characteristics like small size, low cost, and unlimited lifespan [20]. Other features of the EPC C1G2 identification system are enumerated as follows [18]:
(i) Operating frequency: 860 MHz-960 MHz
(ii) Memory capacity: 96-256 bits
(iii) Field programmable
(iv) Reprogrammable
(v) Communication: 640 Kbits/s
(vi) Reads: 1700 tags/sec

The rest of the paper is organized as follows: Section 2 discusses the Ultralightweight Mutual Authentication Protocols (UMAPs) for resource-constrained RFID systems, followed by Section 3, which describes multiple cryptanalysis models used for the security and privacy evaluation of the UMAPs. Section 3 also presents a comparative analysis of the prominent UMAPs based on their strengths in providing Confidentiality, Integrity, Availability, and Authentication (CIAA) services. The EGP protocol is proposed in Section 4 along with the detailed cryptanalysis report. Finally, the paper is concluded in Section 5.

2. Ultralightweight Mutual Authentication Protocols

The node authentication mechanism during the identification process prevents malicious users from entering the network through the perception layer. In 2007, Chien [21] divided the authentication protocols into four categories, which are defined as follows:
(1) Heavyweight: these protocols incorporate the classical cryptographic suites such as hash functions and private and public key cryptography.
(2) Middleweight: this category includes the protocols that can support one-way hash functions and pseudorandom-number generators only.
(3) Lightweight: these protocols can support the lightweight functions such as Cyclic Redundancy Checks (CRCs) and lightweight pseudorandom number generators.
(4) Ultralightweight: this class allows the incorporation of simple bitwise logical functions only, for the protocol design.

Table 3 presents a relationship among the protocol categorization and the EPC classes supported by some prominent examples.


| Protocol Classification | EPC Class association | Examples |
| --- | --- | --- |
| Heavyweight | Class 5/4 | Godor and Imre [22], Liu et al. [23] |
| Middleweight | Class 3 | Wang et al. [24], Chou [25], Zhang and Qi [26] |
| Lightweight | Class 2 | Lee et al. [27], Liao et al. [28] |
| Ultralightweight | Class 1/0 | Tewari and Gupta [29], SLAP [30], KMAP [31] |

For low-cost systems, the silicon area of the EPC tags should be kept to a minimum to reduce the cost. Typically, an EPC C1G2 tag consists of response buffer [32] and can support maximum Gate Equivalent (GE) for the crypto based operations. One gate equivalent corresponds to the area required for the fabrication of a two-input NAND gate [33]. Hence a smaller GE count for the authentication protocol implementation corresponds to a lower cost overhead associated with the security-based operations.

Table 3 suggests that for C1G2 tags, implementation of a UMAP is the only cost-effective option for node verification at the identification stage. Numerous UMAPs have been presented over the last decade. This section describes the general structure of the UMAPs along with a brief survey of the existing protocols. Since 2006, more than a thousand protocols have been proposed; however, the basic working principle of these protocols remains the same. The UMAPs ensure that both the entities, i.e., the tag and the reader, are authentic components of an identification system with the help of a static and unique along with the pseudoidentification number and the keys which are dynamic in nature. The dynamic variables update their status on both sides after every successful authentication session whereas the static remains constant. The mutual authentication process mainly consists of four steps which are as follows [34]:
(1) Tag identification: the tag receives a request for the latest identity pseudonym after entering the communication range of the reader. The reader identifies the tag by retrieving the associated identification number and the keys from the database with the help of .
(2) Reader authentication: after the tag authentication, the reader generates a private key for the authentication session and transmits message to the tag. The message consists of an encrypted version of the private key and the reader authentication challenge message. The reader’s identity is verified if the response calculated at the tag’s side is equal to the received challenge message.
(3) Tag authentication: the successful reader identity verification leads to the calculation and the transmission of the tag authentication challenge message for the valid reader.
(4) Dynamic variable update: the mutual authentication of communicating parties is followed by the dynamic variable updating process on both sides.

The block diagram of the generalized UMAP is presented in Figure 1. The features that differentiate the UMAPs are the tag’s memory architecture and the protocol’s primitives. The UMAPs can be classified into three categories based on the nature of the operators used for the calculation of challenge/response messages. A description of each category along with examples of prominent protocols is as follows.

2.1. UMAPs with Triangular Functions

In 2006, Peris-Lopez [35–37] laid the foundation of ultralightweight cryptography. The main idea was to use the triangular functions such as bitwise , and for the encryption of public messages which are being communicated among resource-constrained devices. The prominent UMAPs with triangular functions are Lightweight Mutual Authentication Protocol (LMAP) [35], Minimalistic Mutual Authentication Protocol (M2AP) [36], and Efficient Mutual Authentication Protocol (EMAP) [37].

2.1.1. Lightweight Mutual Authentication Protocol (LMAP)

The LMAP laid the foundation of UMAPs and falls under the umbrella of the triangular UMAPs. The memory architecture of the tag and the reader implementing the LMAP is given in Table 4. The protocol executes in the following steps:
(1) The reader sends the “” message to the tag.
(2) The tag replies with to the reader. This acts as an index in the database to locate the and the related to the tag. If the required data is not found, the protocol is terminated; otherwise it moves to the next step.
(3) In step (3), the reader generates two pseudorandom numbers and . These random numbers are used for the calculation of the messages and . Finally, is transmitted to the tag.
(4) The tag extracts and from the messages and , respectively. The message is a challenge token for the reader authentication. After successful reader authentication, the protocol moves to step (5).
(5) The tag generates and transmits message . The message has two purposes: (a) concealed transfer of the tag’s ; (b) the tag authentication. After the transmission of the message , the dynamic variables at the tag’s end are updated using the following equations:
(6) The reader receives the message , authenticates the tag, and updates the dynamic variables using (5)-(9). The process of updating dynamic variables on the reader’s side only takes place in case of successful mutual authentication.


| Protocol | Storage Location: Reader | Storage Location: Tag |
| --- | --- | --- |
| LMAP | | |
| M2AP | | |
| EMAP | | |

The flow diagram of the LMAP is given in Figure 2. Despite being resource efficient, the LMAP is a weak protocol in terms of structure and equations. The triangular functions alone are unable to conceal the tag’s secrets in public messages due to their imbalanced nature. Several cryptanalysis attacks on the LMAP have proved that the protocol cannot be used as a standard for RFID authentication purposes.

2.1.2. Minimalistic Mutual Authentication Protocol (M2AP)

The second protocol from the triangular UMAP family is the M2AP. This protocol is similar to the LMAP in terms of the tag’s memory architecture and the protocol’s primitives. The basic difference between the two protocols is the composition of public message . The memory architecture of the tag implementing the M2AP is given in Table 4. The step by step execution of the protocol is elaborated as follows:
(1) The reader “pings” the tag detected in its vicinity.
(2) The tag responds with the which acts as an index to locate the data associated with the tag in the database for successful tag identification.
(3) After the tag identification, the reader generates two pseudorandom numbers and . The reader then computes and transmits challenge message to the tag.
(4) The tag extracts and from and , respectively, and verifies the identity of the reader by calculating a response for message . After successful reader authentication, the tag calculates and transmits challenge message . The message is used for the tag authentication whereas the message is used for the communication.
(5) After successful mutual authentication, the dynamic memory on both sides is updated using the following equations:

The block diagram of the protocol is given in Figure 3. The cryptanalysis of M2AP was similar to that of LMAP due to the similarity in the composition of the public message equations and the memory architectures.

2.1.3. Efficient Mutual Authentication Protocol (EMAP)

The EMAP is the third most prominent protocol from the triangular class. The primitives used for the encryption of communication between the tag/reader pair are , and . The memory architecture of the tag implementing the EMAP is given in Table 4. The working principle of the protocol is as follows:
(1) The tag receives a “” message from the reader as it enters its communication range.
(2) The reader receives the , which is used for the tag identification by locating the data associated with the communicating tag in the system’s database.
(3) Once the tag is identified, the reader generates the random numbers and sends message to the tag.
(4) The tag extracts from message and authenticates the reader by calculating the response for challenge message . After successful reader authentication the tag extracts from the message , to calculate and send challenge message .
(5) The authentication session ends by updating the dynamic memory on both sides.

The function generates a version of input . The input is divided into twenty-four groups by combining in each group. The final output is obtained by taking bitwise of all the entities present in each group and concatenating the result. The block diagram of the protocol is given in Figure 4.

2.2. UMAP with Single Nontriangular Function

The resource limitation of EPC C1G2 tags confines the computational cost of the UMAPs to GE. Initially, the UMAPs only used the triangular functions for the calculation of the messages. But triangular protocols were prone to multiple security attacks due to the lack of diffusion in the public messages. The encrypted string could not conceal the secret values associated with the tag because of the imbalanced nature of the protocol’s operators.

In 2007, Chien [21] introduced the idea of the ultralightweight nontriangular primitive as the protocol’s operator. The use of single nontriangular primitive improved the strength of the UMAPs; however the cryptanalysis of nontriangular UMAPs still highlighted weaknesses in the protocol structure and operators. Some of the prominent UMAPs with single nontriangular primitives are Strong Authentication Strong Integrity (SASI) protocol [21], Gossamer’s protocol [38], and Yeh et al. protocol [39].
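An added example, not code from the paper: a Python check of the diffusion argument above. It assumes the triangular operators are bitwise XOR, AND, OR and addition modulo 2^L (their symbols are missing from this copy), uses the Hamming-weight rotation described in Section 2.2.1 as the nontriangular primitive, and a constructed 16-bit word length chosen for speed.

```python
import random

L = 16                      # word length in bits (constructed; small so the check is fast)
MASK = (1 << L) - 1


def hamming_weight(x):
    return bin(x).count("1")


def rot(x, y):
    """Left-rotate the L-bit word x by the Hamming weight of y."""
    s = hamming_weight(y) % L
    return ((x << s) | (x >> (L - s))) & MASK


# Assumed operator set: four triangular functions plus the rotation.
OPERATORS = {
    "xor": lambda x, y: x ^ y,
    "and": lambda x, y: x & y,
    "or": lambda x, y: x | y,
    "add": lambda x, y: (x + y) & MASK,   # addition modulo 2^L
    "rot": rot,
}


def one_bit_flips(f, rng):
    """Yield (j, output difference) for a flip of bit j in each operand."""
    x, y = rng.getrandbits(L), rng.getrandbits(L)
    j = rng.randrange(L)
    base = f(x, y)
    yield j, f(x ^ (1 << j), y) ^ base
    yield j, f(x, y ^ (1 << j)) ^ base


def violates_triangularity(f, trials=2000, seed=1):
    """True if flipping input bit j ever changes an output bit below j.

    In a triangular function output bit i depends only on input bits 0..i,
    so a flip at position j can never reach positions j-1..0.
    """
    rng = random.Random(seed)
    for _ in range(trials):
        for j, diff in one_bit_flips(f, rng):
            if diff & ((1 << j) - 1):
                return True
    return False


def avalanche(f, trials=2000, seed=1):
    """Average number of output bits changed by a one-bit input flip."""
    rng = random.Random(seed)
    changed = sum(hamming_weight(diff)
                  for _ in range(trials)
                  for _, diff in one_bit_flips(f, rng))
    return changed / (2 * trials)


if __name__ == "__main__":
    for name, f in OPERATORS.items():
        print(f"{name:>3}: reaches lower bits={violates_triangularity(f)}, "
              f"avalanche={avalanche(f):.2f} of {L} bits")
```

The low-order bits of a message built only from the triangular operators depend on the low-order bits of the secrets alone, which is the lack of diffusion the section refers to; the rotation moves every bit position and so breaks that dependency structure.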

2.2.1. Strong Authentication Strong Integrity Protocol

The SASI protocol was the first protocol in the field of nontriangular UMAPs. The nontriangular function used in the SASI protocol is the rotation function (). The rotation function has two definitions: left rotation of by the hamming weight of and left rotation of . For this section, we will consider the hamming weight-based rotation function. The memory architecture of the tag implementing the SASI protocol is elaborated in Table 5. The reason behind storing the pair of latest dynamic variables was to provide protection against Denial of Service (DoS) attacks. The working principles of the SASI protocol are as follows:
(1) The reader requests the tag for a pseudoidentification number.
(2) The tag transmits its latest . If the received is found in the database, the protocol proceeds further; otherwise the reader requests the tag for the from the previous successful authentication session (). The successful tag identification leads to step (3).
(3) The reader generates two random numbers and . The dynamic variables and random numbers are used by the reader to generate and transmit .
(4) The pseudorandom numbers and are concealed in and communicated to the tag via message and , respectively. The message is used for the reader authentication.
(5) After successful reader authentication, the tag transmits message for the tag authentication and the transmission.
(6) After mutual authentication, the dynamic variables on both sides are updated using the following equations:

The flowchart of the SASI protocol is given in Figure 5.


| Protocol | Storage Location: Reader | Storage Location: Tag |
| --- | --- | --- |
| SASI | | |
| Gossamer’s Protocol | | |
| Yeh et al.’s Protocol | | |

2.2.2. Gossamer’s Protocol

In 2008, Peris-Lopez presented nontriangular UMAPs to overcome the weaknesses of the SASI protocol. In the Gossamer’s protocol, the memory architecture of the system was enhanced by saving the latest copy of dynamic variables on the tag’s side. The memory architecture of the protocol is given in Table 5. The nontriangular primitive of the Gossamer’s protocol is the mix bit function (). The mix bit function consists of two subfunctions: the rotation and the modular addition function. These subfunctions are used independently and in a collaborative manner to calculate the challenge/response messages. The working principle of is elaborated in Figure 7.

The protocol executes in five steps which are defined as follows:
(1) The reader sends a request for the to the tag present in its vicinity.
(2) The reader tries to locate the tag’s information by searching the database with the help of the received . The tag is identified if its information is found in the database.
(3) The reader generates pseudorandom private keys and . The reader then sends message to the tag.
(4) The reader is authenticated by generating a response to the message . After that, the tag calculates and transmits the challenge message .
(5) The dynamic variables on both sides are updated after a successful mutual authentication.

The constant π used in the protocol assumes the value . The block diagram of the Gossamer’s protocol is presented in Figure 6.

2.2.3. Yeh et al. Protocol

In 2010, Yeh et al. [39] proposed a process oriented UMAP. The feature that differentiates this protocol from its predecessors is the DoS avoidance mechanism. In this protocol, the pairs of latest dynamic variables are stored at the reader side instead of the tag. The reader also maintains a flag to identify whether the tag/reader pair is fully synchronized or not. The nontriangular function used in the protocol is the rotation function . The memory architecture of the UMAP is given in Table 5. The working principle of the Yeh et al. protocol is as follows:
(1) The reader initiates the communication by sending a “Hello” message to the tag.
(2) As a response, the tag transmits the stored in its dynamic memory.
(3) After successful tag identification through the database, the reader generates two pseudorandom numbers and . If the , the reader sets an internal flag ; otherwise the flag’s value sets to 1, the key updates and becomes equal to the tag’s . After the key update, the reader calculates and sends message to the tag.
(4) Upon receiving the challenge message, the tag updates the value of the key based on the flag status. After that and are extracted and the reader is authenticated.
(5) The successful reader verification leads to the calculation and transmission of the tag authentication challenge message .
(6) In case of successful mutual authentication, the dynamic memory on both sides is updated.

The block diagram of the Yeh et al. protocol is given in Figure 8.

2.3. UMAPs with Hybrid Nontriangular Function

The cryptanalysis of the UMAPs with single nontriangular functions proved the inability of the protocols to provide Confidentiality, Integrity, Availability and Authentication (CIAA) to the communicating parties. In order to further improve the security, the concept of using hybrid nontriangular functions was introduced. This idea improved the security and privacy services offered by the UMAPs. There are many hybrid nontriangular UMAPs available in the literature. In this subsection, the protocols under consideration are RFID Authentication Protocol with Permutation (RAPP) [4], RFID Authentication Protocol for Low cost Tags (RAPLT) [40], Robust Confidentiality Integrity and Authentication (RCIA) protocol [41], and Succinct and Lightweight Authentication Protocol (SLAP) [30].

2.3.1. RFID Authentication Protocol with Permutation (RAPP)

The RAPP protocol was different from previously presented UMAPs, in terms of the primitives used for encryption and the sequence of interaction between the tag and the reader. The protocol only used three operations, i.e., , rotation and permutation ().

The corresponds to the left rotation of by the hamming weight of . The description of permutation function () is as follows. Let be a word and be the bit of where , and and be the LSB and MSB of the word , respectively. Suppose and are two L-bit words and hamming weight of is . Moreover if and if .

The permutation of according to , i.e., is equal to

Unlike the conventional sequence of interaction, the dynamic memory of the tag is updated after getting a confirmation message of successful mutual authentication of the tag/reader pair. The aim of this message was to make the protocol resistant to desynchronization attacks. The memory architecture of the protocol is given in Table 6 and the detailed description of the protocol is as follows:
(1) The tag receives a “Hello” message from the reader as soon as it enters its vicinity.
(2) The tag responds with the value of stored in its dynamic memory. The reader identifies the tag by retrieving the information indexed by the value in the database.
(3) After successful tag identification, the reader generates a random number and sends challenge message to the tag.
(4) The tag verifies the reader’s identity and sends the challenge message to the reader.
(5) In case of successful mutual authentication, the reader updates the dynamic variables, generates another random number , and sends the mutual authentication verification message to the tag.
(6) The tag updates its dynamic memory after verifying the origin of message .


| Protocol | Storage Location: Reader | Storage Location: Tag |
| --- | --- | --- |
| RAPP | | |
| RAPLT | | |
| RCIA | | |
| SLAP | | |

The block diagram of the protocol is given in Figure 9.

2.3.2. RFID Authentication Protocol for Low Cost Tags (RAPLT)

In 2013, Jeon and Yoon improved the permutation function and proposed two new nontriangular functions, i.e., the merge and separate operations, in the RFID Authentication Protocol for Low cost Tags (RAPLT). These operations are considered to be more reliable and secure compared to the permutation function.

Assume and are bit numbers whereas and are bit strings. The formation of and pseudocode for and operations are given in Figure 10.

The two operations are inverses of each other and are extremely lightweight in nature. In the RAPLT protocol, both the tag and the reader store a pair of the latest , the latest keys and the tag’s . The working principle of the RAPLT protocol is as follows:
(1) The reader initiates the protocol by sending a “Hello” message to the tag.
(2) As a response, the tag sends the index pseudonym for the tag identification.
(3) After the successful tag identification through , the reader generates two random numbers () and computes .
(4) The tag authenticates the reader by generating a response for the message . A successful reader verification leads to the calculation and transmission of .
(5) The tag authentication is followed by the update on both sides.

The flow diagram of the RAPLT protocol is given in Figure 11.

2.3.3. Robust Confidentiality Integrity and Authentication Protocol (RCIA)

The Robust Confidentiality Integrity and Authentication (RCIA) protocol is designed on the theme of the RAPP protocol. This protocol belongs to the hybrid category of the UMAPs as it uses two nontriangular functions, i.e., rotation and recursive hash . The working principle of the recursive hash function consists of the following steps:
(i) Consider as an bit string and decimate the input into chunks with equal numbers of bits per chunk. .
(ii) Assume a seed value from the range .
(iii) The seed calculated in the above step selects the corresponding memory block () of the decimated string .
(iv) The final answer of the recursive hash function is obtained by concatenating the results of the following operations.
(a) Take between the selected memory block and all the other blocks except the block itself.
(b) Left rotate the block by the hamming weight of itself .
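The recursive hash steps (i)-(iv) above as runnable Python; this is an added example, not code from the paper. The combining operator in step (a) is assumed to be bitwise XOR (its symbol is missing from this copy), and the 96-bit word, 8-bit chunks, zero-based seed and most-significant-chunk-first ordering are assumptions as well.

```python
def hamming_weight(v):
    return bin(v).count("1")


def rotl(v, shift, width):
    """Left-rotate a width-bit value by shift positions."""
    shift %= width
    return ((v << shift) | (v >> (width - shift))) & ((1 << width) - 1)


def split_chunks(x, word_bits, chunk_bits):
    """Step (i): decimate x into equal chunks, most significant chunk first."""
    if word_bits % chunk_bits:
        raise ValueError("word length must be a multiple of the chunk size")
    if not 0 <= x < (1 << word_bits):
        raise ValueError("input does not fit in the word length")
    k = word_bits // chunk_bits
    mask = (1 << chunk_bits) - 1
    return [(x >> (chunk_bits * (k - 1 - i))) & mask for i in range(k)]


def recursive_hash(x, seed, word_bits=96, chunk_bits=8):
    """Steps (ii)-(iv): the seed selects one chunk; every other chunk is
    combined with it (XOR assumed), the selected chunk is rotated by its
    own Hamming weight, and the pieces are concatenated in order."""
    chunks = split_chunks(x, word_bits, chunk_bits)
    if not 0 <= seed < len(chunks):
        raise ValueError("seed must index one of the chunks")
    selected = chunks[seed]
    out = 0
    for i, chunk in enumerate(chunks):
        if i == seed:
            piece = rotl(selected, hamming_weight(selected), chunk_bits)
        else:
            piece = chunk ^ selected
        out = (out << chunk_bits) | piece
    return out


def output_bits_changed(x, seed, bit, word_bits=96, chunk_bits=8):
    """Number of output bits that change when input bit `bit` is flipped."""
    a = recursive_hash(x, seed, word_bits, chunk_bits)
    b = recursive_hash(x ^ (1 << bit), seed, word_bits, chunk_bits)
    return hamming_weight(a ^ b)


# Constructed 96-bit sample input; chunk 5 (0xAB) occupies bits 48..55.
SAMPLE_X = 0x0123456789ABCDEF01234567

if __name__ == "__main__":
    print(f"R_h(sample, seed=5) = {recursive_hash(SAMPLE_X, 5):024x}")
    print("flip in unselected chunk:", output_bits_changed(SAMPLE_X, 5, 0))
    print("flip in selected chunk:  ", output_bits_changed(SAMPLE_X, 5, 50))
```

A flip inside the selected chunk spreads to every chunk of the output, while a flip in any other chunk changes a single output bit, so the diffusion of this primitive depends on where the seed lands.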

For efficient hardware implementation, the input of the recursive hash function is decimated into chunks, each containing . Both the tag and the reader store seven strings associated with the tag. These numbers are and . The RCIA protocol executes in five steps which are as follows:
(1) The reader sends a “Hello” message to the tag.
(2) The tag sends to the reader. If the value is found in the database, the protocol proceeds; otherwise the reader requests and matches it with the database value. The protocol proceeds to the next step only when the received is found in the database.
(3) The reader generates random numbers and . It also calculates . This value is used to find the seed value. The equation for seed calculation is . The calculation of the seed value leads to the calculation and transmission of messages.
(4) The message is used for the reader authentication. After one sided successful authentication, the tag updates its dynamic variables and sends the message .
(5) The reader uses the string for the tag authentication, after which the dynamic variables are also updated on the reader’s side. The update equations are as follows:

Figure 12 shows the block diagram of the RCIA protocol.

2.3.4. Succinct and Lightweight Authentication Protocol (SLAP)

In 2016, an ultralightweight authentication protocol named Succinct and Lightweight Authentication Protocol (SLAP) was proposed. The SLAP algorithm is composed of three operators, i.e., , rotation , and Conversion function. These functions are lightweight with respect to the implementation cost and are appropriate for the passive electronic chips. The conversion function is the main feature of the protocol that guarantees irreversibility, confidentiality, full confusion, and low complexity.

The conversion function consists of three subfunctions. Suppose the size of input strings is bits, i.e., The description of these functions is as follows:
(i) Grouping. The inputs and are divided into segments based on the hamming weight and a threshold . Consider the input ; based on the hamming weight divide the input string into two parts, i.e., () and (). Continue the segmentation process based on hamming weight until the smallest segment size becomes equal to the threshold value . The input string is also segmented based on and the threshold . The respective segments are concatenated to form the output () of grouping function.
(ii) Rearrange. In this step, the regrouping of and bits takes place. As the length of input strings is same, exchanging the grouping form between of and gives two L-bit numbers. Finally, each subgroup is left rotated by its hamming weight. The output of rearrange function () is the shuffled version of and .
(iii) Composition. The final output of conversion function is obtained by taking of the shuffled version of and , i.e., .

The RFID system implementing the SLAP stores the latest pair of dynamic variables on both communicating ends. The working principle of the protocol is as follows:
(1) The tag receives a “hello” message from the reader after entering its vicinity.
(2) The tag responds with its identity pseudonym . This value is used for the tag identification at the reader’s side.
(3) After successful identification, the reader generates a random number and conceals it in the message . The reader also generates a challenge message . The reader transmits message along with the left or right half of based on . If =odd, ; otherwise .
(4) The tag authenticates the reader by generating a response to message . After successful reader authentication, the tag calculates the message and transmits the left or right half of based on . If =odd, ; otherwise .
(5) After identity verification, the dynamic variables of each side are updated using the following equation:

The block diagram of the SLAP is given in Figure 13.

A brief survey of the existing protocols proves that an increase in the computational complexity of the authentication mechanism improves the CIAA capabilities of the protocol at the cost of increased gate equivalents. Section 3 presents a set of eminent cryptanalysis models that are being used to evaluate the security and the privacy features of the UMAPs. The literature review shows that almost all the existing UMAPs have been subjected to multiple cryptanalysis attacks. The unavailability of a secure and reliable UMAP for RFID enabled IoT networks is one of the major challenges in the standardization of a secure architecture for the resource-constrained IoT network perception layer. The subsequent sections present a comprehensive security analysis model to evaluate the strengths of the RFID node authentication protocols, the CIAA analysis of the existing UMAPs based on the presented model, and a secure and reliable UMAP termed the Extremely Good Privacy (EGP) protocol for the authentication of resource-constrained IoT nodes.

3. Cryptanalysis Models for UMAPs

Since 2006, numerous UMAPs have been proposed for the EPC C1G2 identification system. However, most of these protocols were very weak and were found to be vulnerable within one year of their introduction [19, 42, 43]. The reason behind this hasty failure was the lack of a compact security analysis of the protocol at the design stage.

A comprehensive security analysis should perform the formal analysis of a protocol and evaluate its strength against at least three basic cryptanalysis models: desynchronization, traceability, and full disclosure attacks. This section provides a brief description of the above-stated security analysis model, along with the cryptanalysis of the UMAPs defined in the previous section, to highlight the need for a secure and reliable authentication protocol for RFID-based IoT networks.

3.1. Formal Analysis

The formal analysis is performed to evaluate the protocol’s ability to authenticate the communicating entities under multiple channel conditions. The sequence of challenge/response messages exchanged between the tag and the reader is examined using the following methods.

3.1.1. Logic of Belief Analysis

This method analyzes the public message composition and the sequence of interaction between the communicating parties to systematically evaluate the protocol’s functionality on an abstract level. The objectives of logic of belief analysis are as follows:
(i) State what is accomplished by the protocol
(ii) Draw attention to unnecessary actions that can be removed from a protocol
(iii) Highlight any encrypted messages that could be sent in clear text

The prominent mathematical models used for the logic of belief analysis are the Burrows–Abadi–Needham (BAN) logic model and the Gong–Needham–Yahalom (GNY) logic model.

3.1.2. Automated Security Analysis

Automated security analysis verifies the ability of the protocol to achieve the designated security goals in the presence of malicious entities. Security analysis tools such as Casper-FDR and Avispa are mathematical frameworks that evaluate the protocol’s behavior in multiple hostile environments using a set of axioms.

3.2. Desynchronization Attack Model

This attack model aims to disconnect a valid tag from an identification system by overwriting its dynamic attributes. However, a successful desynchronization attack does not reveal any of the tag’s information to the adversary. The minimum requirement for the adversary to launch a desync attack is the ability to eavesdrop and replay public messages. Based on the memory architecture of the RFID system, the execution of the attack can be defined for four different scenarios.

Scenario 1 (single copy of stored on tag and reader’s side). In this scenario the reader and the tag store the latest copy of identity pseudonym . The attack executes on such a tag/reader pair in two steps.
(1) The adversary keeps track of an authentication session and blocks the challenge message from the tag to the reader. As a consequence of this step, the tag’s memory updates whereas the on the reader’s side remains the same.
(2) In the next session, the protocol fails at the identification stage when the provided by the tag is not found in the reader’s dynamic memory.

Table 7 shows the status of the system’s dynamic memory for each step.


[Table 7. Columns: Sessions, Reader’s memory, Tag’s memory. Rows: sessions 1 and 2.]

Scenario 2 (pair of latest stored at tag’s side). This scenario is defined for the identification system in which the tag stores a pair of latest identity pseudonyms whereas the reader only stores the most recent copy of . The model executes in the following steps [44]:
(1) Consider a synchronized pair of the tag and the reader. The adversary eavesdrops challenge message and blocks the challenge message . As a result, the tag’s dynamic memory updates whereas the reader’s database remains unchanged .
(2) The adversary allows the tag/reader pair to undergo an uninterrupted authentication session. The identity verification takes place on the basis of . .
(3) In this step the attacker impersonates a valid reader and communicates with the tag based on . The adversary replays the challenge message . As a result, the tag’s dynamic memory updates as and whereas the reader’s memory remains the same, i.e., .
(4) Since the values of do not match at the communicating ends, the tag fails in the identification stage of subsequent authentication sessions.

Table 8 shows the values of index pseudonyms at the end of each step.


[Table 8. Columns: Sessions, Reader’s memory, Tag’s memory. Rows: sessions 1 to 3.]

Scenario 3 (pair of latest stored at the reader’s side). The scenario is defined for protocols in which the reader stores two copies of dynamic memory and the reader also sends a challenge message to the tag as the last message of the session. The purpose of this message is to inform the tag of successful mutual authentication so that its dynamic memory can be updated. The step-by-step execution of the attack is as follows [45]:
(1) The adversary sniffs the public messages from an ongoing authentication session and then blocks the message . This prevents the tag from updating its dynamic variables, i.e., .
(2) In the next session, the adversary allows the tag-reader pair to communicate on the basis of and blocks message . This step again updates the reader memory whereas the tag’s memory remains unchanged, i.e., .
(3) In the last session the adversary impersonates a reader and replays message recorded from step one. This replay attack breaks the synchronization among the dynamic variables of the tag and the reader. The final values of dynamic variables at the tag and the reader’s side are .

The step-by-step values of index pseudonyms are given in Table 9.


[Table 9. Columns: Sessions, Reader’s memory, Tag’s memory. Rows: sessions 1 to 3.]

Scenario 4 (pair of latest stored on both sides of the system). The last scenario is for the protocols that store the pair of latest dynamic variables on both communicating ends. The adversary requires five consecutive authentication sessions to completely disconnect a valid tag from the RFID system. The description of the attack is as follows [34]:
(1) In step one, the adversary eavesdrops all the public messages from an authentication session between a completely synchronized tag/reader pair.
(2) In the next step, the adversary records and and blocks at the same time. The dynamic memory of both sides remains unchanged.
(3) In step three, the adversary forces the tag/reader pair authentication on the basis of by blocking the first response of the tag to the reader’s message.
(4) In this step, the adversary impersonates the reader and communicates with the tag based on the messages eavesdropped in session one. This step makes the tag partially desynchronized.
(5) The last step consists of the adversary’s communication with the tag on the basis of and . This step completely changes the values of identity pseudonyms stored in the tag’s and the reader’s memory.

The working example of the attack is presented in Table 10.


[Table 10. Columns: Sessions, Reader’s memory, Tag’s memory. Rows: sessions 1 to 5.]

The scenarios covered in Tables 7, 8, 9, and 10 cover almost all the previous protocols. This proves that nearly every UMAP has been subjected to a desynchronization attack, which ultimately leads to Denial of Service (DoS). The basic theme of all the DoS attacks is to rewrite the tag’s memory with such previous values of that have been removed from the reader’s memory. The generalized desynchronization attack proved that if the pair of latest dynamic variables is stored at the reader’s side, the tag can be desynchronized in a maximum of five consecutive sessions, irrespective of its dynamic memory architecture [34].

An extended memory buffer for the tag’s dynamic variables at the reader’s database increases the number of sessions required by the adversary to overwrite the tag’s memory. Increasing the number of adversary-administered sessions required to execute the desynchronization attack strengthens the protocol’s ability to withstand DoS attacks [46, 47].
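The memory bookkeeping of Scenarios 1 and 2, and the effect of a deeper memory buffer, can be checked in a small state model when evaluating a memory architecture against the block-and-replay adversary. The following Python model is an added example, not code from the paper: each side's dynamic state (pseudonym plus keys) is abstracted to one integer, and `nxt`, `Party`, `System`, `scenario1` and `scenario2` are hypothetical names, with a constructed update function standing in for a protocol's update equations.

```python
# Toy model (added example): each side's dynamic state (IDS plus keys) is one
# integer; nxt() is a constructed stand-in for the protocol's update equations.
import itertools

def nxt(state, nonce):
    return (state * 31 + nonce) % 65521

class Party:
    def __init__(self, depth, k0=7):
        self.depth, self.mem = depth, [k0]          # mem is ordered oldest -> newest
    def update(self, base, nonce):
        # depth 1 keeps only the new state; depth 2 keeps the state used plus the new one
        self.mem = ([base] if self.depth == 2 else []) + [nxt(base, nonce)]

class System:
    def __init__(self, tag_depth, reader_depth):
        self.tag, self.reader = Party(tag_depth), Party(reader_depth)
        self.nonces = itertools.count(1)            # stands in for the reader's random numbers
        self.recorded = []                          # challenges the adversary overheard

    def session(self, block_response=False):
        """One authentication session; returns False if identification fails."""
        # The tag offers its newest pseudonym first, then the older one.
        base = next((s for s in reversed(self.tag.mem) if s in self.reader.mem), None)
        if base is None:
            return False
        challenge = (base, next(self.nonces))
        self.recorded.append(challenge)
        self.tag.update(*challenge)                 # tag authenticates the reader and updates
        if not block_response:                      # reader updates only if it hears the tag
            self.reader.update(*challenge)
        return True

    def replay(self, index):
        """Replay a recorded challenge; accepted if the tag still holds its base state."""
        base, nonce = self.recorded[index]
        if base in self.tag.mem:
            self.tag.update(base, nonce)
            return True
        return False

def scenario1(tag_depth, reader_depth=1):
    s = System(tag_depth, reader_depth)
    s.session(block_response=True)                  # step 1: tag's response is blocked
    return s.session()                              # step 2: does the next session identify?

def scenario2(tag_depth=2, reader_depth=1):
    s = System(tag_depth, reader_depth)
    s.session(block_response=True)                  # step 1: tag's response is blocked
    s.session()                                     # step 2: uninterrupted session
    s.replay(0)                                     # step 3: challenge from step 1 replayed
    return s.session()                              # step 4: does identification still work?
```

In this model `scenario1(1)` and `scenario2(2, 1)` end with the tag desynchronized, while `scenario1(2)` and `scenario2(2, 2)` still identify the tag. The last result only shows that the three-session sequence is no longer sufficient once the reader also keeps a pair, consistent with Scenario 4 requiring five sessions.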

3.3. Traceability Attack Model

One of the most prominent threats associated with the RFID system is traceability. In this model, the adversary gathers information related to the tag so that it can violate its location privacy at any point in the future. The UMAPs can resist traceability attacks by anonymizing the tag’s response to the reader’s queries.

According to the formal definition, the tag () is assumed traceable, if the adversary can correctly estimate the value of when presented with from the set [48, 49]. Two basic models are available in literature to evaluate the strength of the protocol for preserving the anonymity of the tag.

3.3.1. Guess and Determine Model

In the guess and determine model, the attacker has the following capabilities:
(i). The attacker can snoop the communication between the tag and the reader during the authentication session.
(ii). The adversary can block or alter the message being communicated between and entities during the identification session .

The traceability attack executes as follows [50, 51]:
(i) Phase 1 (Learning). The attacker gathers information related to the tag under attack by implementing and command.
(ii) Phase 2 (Challenge). The attacker is challenged to identify the tag being traced from the set of RFID identifiers.
(iii) Phase 3 (Guess). The attacker continues to gather knowledge through the learning phase until it can successfully trace the tag under consideration.

3.3.2. Metaheuristic Model

This model transforms the cryptanalysis of UMAP into a search problem solved with the help of metaheuristic algorithms. The main motivation behind using heuristic search algorithms is their ability to locate global maxima or minima efficiently. The step by step procedure for launching the metaheuristic traceability attack is presented as follows [52]:(1)The adversary eavesdrops an authentication session between the tag (