Abstract

RFID (radio frequency identification) is an enabling technology for the Internet of Things (IoT): it allows physical devices to be connected to the IoT. As RFID becomes extensively utilized and grows rapidly, security and privacy concerns are unavoidable. Interception, manipulation, and replay of the wireless broadcast channel between the tag and the reader are all possible security threats, and unverified tags or readers produce untrustworthy messages. IoT therefore requires a safe and consistent RFID authentication system. PUFs are physical one-way functions derived from the unique nanoscopic structure of physical objects and their response to random events. A PUF has an unclonable property that exploits physical characteristics to boost security and resistance to physical attacks. We analyze the security of the RSEAP2 authentication protocol recently proposed by Safkhani et al., a hash-based and elliptic curve cryptosystem-based protocol. Our security analysis clearly shows important security pitfalls in RSEAP2 concerning mutual authentication, session key agreement, and denial-of-service attacks. In our proposed work, we improve their scheme and enhance their version using a physically unclonable function (PUF), which the proposed protocol uses in the tags. This research proposes a cloud-based RFID authentication technique that is both efficient and trustworthy. To decrease the RFID tag’s overhead, the suggested authentication approach not only resists the aforementioned typical attacks and preserves the tag’s privacy, but also incorporates the cloud server into the RFID system. According to simulation results, our approach is efficient. Moreover, according to our security study, our protocol can withstand a variety of attacks, including tracking, replay, and desynchronization attacks.
Our scheme withstands all 18 security features and incurs a computation cost of 14.7088 ms, which is comparable with the other schemes. Similarly, our scheme incurs a communication cost of 672 bits in sending mode and 512 bits in receiving mode. Overall, the performance of our proposed method is equivalent to that of related schemes, and it provides more security features than existing protocols. Mutual authentication, session key generation, and ephemeral session security are all achieved. Using the real-or-random model, we formalize the security of the proposed protocol.

1. Introduction

Recognition technologies deserve our attention because they are an essential part of the Internet of Things. Barcode recognition, optical character recognition, biometric identification, magnetic card identification, and contact IC card identification are all examples of traditional automated identification technologies. However, when employed in the IoT, they have a number of drawbacks. Barcodes, for example, can only hold a limited amount of data; optical character recognition is too expensive; biometric recognition is flawed; and magnetic card and contact IC card identification need close contact, which is inflexible. Currently, some of these identification methods are unable to protect personal information [1]. In contrast, RFID is a noncontact automatic identification technology that does not need mechanical or visual contact between the system and the target, and security protections can help keep user information private. Because of these advantages, RFID has emerged as one of the most promising IoT technologies [2].

An RFID system consists of RFID tags, RFID readers, and a database server. Objects with affixed tags are uniquely identifiable, and their identifying information is stored on the tag. Tags communicate with the reader using radio waves. In a typical RFID system, the database server is a local back-end server.

When RFID devices generate large volumes of data, the performance of back-end servers is limited. Cloud computing overcomes this problem in the IoT context. As a result, the integration of the cloud platform with the RFID system is required [2, 3]. The reliability and data processing capabilities of RFID systems have improved dramatically since the introduction of cloud computing. Almost all of the data acquired by RFID sensors are processed in the cloud, which can help resolve issues such as data loss and latency [4]. In the IoT, the most commonly used public cloud servers are only semi-trustworthy. Because of the properties described above, the RFID system is vulnerable to attack. As a result, IoT necessitates the use of a secure and reliable RFID authentication system.

Similarly, a number of protocols based on physically unclonable functions (PUFs) have been proposed [12–14]. PUFs are, in reality, physical one-way functions derived from the unique nanoscopic structure of physical objects (e.g., integrated circuits, crystals, magnets, lenses, solar cells, or papers) and their response to random events. The quirks of the manufacturing process are responsible for the innate uniqueness of the structure and response. This enables both the unique identification and the authentication of an object. Furthermore, it is considered that copying an object’s PUF (and hence the object itself) is impossible, which might be seen as a security-by-design feature that prevents impersonation and cloning attacks. As a result, PUFs are regarded as a trustworthy and well-known physical security method for developing IoT authentication protocols. Physical devices are protected by PUF-based protocols, which are resistant to physical attacks and provide multilayer protection. Furthermore, even if the device is stolen, the attacker will not be able to use the PUF. However, the majority of proposed VANET solutions are still subject to different security concerns such as replay attacks, impersonation attacks, forgery attacks, and non-repudiation attacks. As a result, it is critical to build a viable VANET solution to address the existing issues.

Several RFID authentication schemes have used elliptic curve cryptography (ECC) in recent years. Owing to the difficulty of solving the discrete logarithm problem (DLP), ECC has demonstrated its efficiency in ensuring security and privacy. The state of the art in ECC-based RFID, mobile computing, and VCC authentication protocols is reviewed in this section and summarized in Table 1. The details of recent PUF-based works are given in Table 2.

2.1. Problem Definition

Security protocols, such as authentication methods, are supposed to ensure confidentiality, integrity, and availability (the CIA triad). The parties to a protocol must be able to authenticate and synchronize with one another at any moment. Desynchronization attacks break this condition by blocking protocol messages or forcing protocol parties to update their shared secret values to different values, preventing the parties from authenticating each other and destroying service availability. Many protocols have been developed in the literature to satisfy the CIA security standards; however, multiple attacks [2, 10–14] against them show that they have failed to achieve the needed security. As a result, attempts to build a secure protocol are still continuing, and new attacks keep emerging that give designers fresh insight into how to (not) design a protocol. As a result of these attacks and security evaluations, the protocols have progressed.

2.2. Motivation and Contributions

In recent years, a number of key agreement and authentication techniques have been created. Most of these protocols have a high computation cost, making them unsuitable for resource-constrained devices. We also noticed that the literature reviewed above did not take into account the physical aspects of security for vehicular RFID communication systems in VCC scenarios. However, in the automotive RFID communication environment, the need for PUFs receives a lot of attention in the literature.

A PUF-based protocol is capable of dealing with physical security risks. Even stealing the PUF from the on-board memory will not allow an attacker to obtain it. As a result, for VCC, we developed a PUF-enabled RFID-based authentication protocol. The following are the main contributions of this research:
(1) To build an authentication protocol for VCC communication, the system and threat models are defined first.
(2) We created a PUF-enabled RFID-based authentication mechanism using the hypothesized attack model.
(3) To keep the proposed protocol’s cost minimal, only fundamental cryptographic operations such as ECC, XOR, concatenation, and hash functions are used. PUF is also used to protect against recognized physical security risks.
(4) Our approach ensures that possible security threats are avoided, based on formal and informal security assessments.
(5) The results of the performance study show that our protocol is superior to other similar protocols.

2.3. Roadmap of Article

The rest of the article is structured as follows: The preliminaries are presented in Section 3. The RSEAP2 system is described in detail in Section 4. We give a security study of the RSEAP2 protocol as well as various efficient and strong attacks against it in Section 5. The improved protocol is presented in Section 6. In Section 7, we provide a verifiable security analysis of our approach. The performance analysis is presented in Section 8. Section 9 concludes the article.

3. Definitions and Mathematical Preliminaries

A comparison of key sizes between public-key cryptosystems such as ECC and RSA shows that protocol messages can use the elliptic curve cryptosystem to reduce communication bandwidth. The key size comparison between ECC and RSA is given in Table 3.

3.1. Background of ECC

Let denote an elliptic curve over the prime finite field , where is a large prime number. The equation of the elliptic curve over is given by , where . The elliptic curve is said to be nonsingular if . The additive elliptic curve group is defined as , where the point is known as the asymptotic point (point at infinity), which works as the identity element or zero element in .

Some operations on the group are as follows [2, 7]:
(1) Let , then define and .
(2) If and , then , where and .
(3) Let , then scalar multiplication in is defined as .
(4) If is the generator of with order , then .
(a) “Elliptic curve discrete logarithm problem (ECDLP)”: Finding such that , for a given , is difficult.
(b) “Elliptic curve computational Diffie–Hellman problem (ECCDHP)”: If is the generator of and , are supplied (, , ), then computing in is difficult.
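As an added example (not part of the paper), the group law, scalar multiplication, point order, and the ECDLP/ECCDHP notions of Section 3.1 in Python over a constructed toy curve y^2 = x^3 + 2x + 3 over F_97; the curve, the base points, and the secret scalars are assumptions chosen for illustration, and the field is deliberately tiny so that the brute-force ECDLP solver finishes instantly.

```python
# Added example (not from the paper): elliptic curve group operations of
# Section 3.1 over a small prime field, plus the ECDLP / ECCDHP they rely on.
# Curve parameters and points are constructed for illustration only; a
# 97-element field is far too small for real use, which is exactly why the
# exhaustive ECDLP search below is feasible here and infeasible for real sizes.

P = 97            # prime p (constructed, toy size)
A, B = 2, 3       # curve E: y^2 = x^3 + A*x + B over F_p
INF = None        # the point at infinity O, identity element of the group


def nonsingular():
    """E is nonsingular iff 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * A**3 + 27 * B**2) % P != 0


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P == 0


def neg(pt):
    """Inverse of a point: -(x, y) = (x, -y)."""
    return INF if pt is INF else (pt[0], (-pt[1]) % P)


def add(p1, p2):
    """Group law (operations (1) and (2) of Section 3.1)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                  # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P    # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P           # chord
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k*P = P + P + ... + P, computed by double-and-add (operation (3))."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def order(pt):
    """Smallest n > 0 with n*P = O (operation (4))."""
    n, cur = 1, pt
    while cur is not INF:
        cur = add(cur, pt)
        n += 1
    return n


def ecdlp_bruteforce(q, g):
    """Solve Q = k*G by exhaustive search; only feasible because p is tiny."""
    cur, k = INF, 0
    while cur != q:
        cur = add(cur, g)
        k += 1
        if k > P + 2 * int(P ** 0.5) + 2:   # beyond the Hasse bound: no solution
            return None
    return k


def ecdh_exchange(secret_tag, secret_server, g):
    """Diffie-Hellman on E: each side publishes x*G and derives x*(peer point).
    ECCDHP states that recovering the shared point from G, a*G, b*G alone is hard."""
    pub_tag = scalar_mult(secret_tag, g)
    pub_server = scalar_mult(secret_server, g)
    shared_at_tag = scalar_mult(secret_tag, pub_server)
    shared_at_server = scalar_mult(secret_server, pub_tag)
    return pub_tag, pub_server, shared_at_tag, shared_at_server


if __name__ == "__main__":
    G = (1, 43)                                  # a constructed point on E
    assert nonsingular() and on_curve(G)
    print("order of G:", order(G))
    print("2G =", add(G, G))
    pt, ps, st, ss = ecdh_exchange(7, 11, G)
    print("shared point agrees:", st == ss, st)
    print("tag secret recovered by brute force:", ecdlp_bruteforce(pt, G))
```

The point (3, 6) used in the checks below has order 5 on this toy curve (3G = -2G by hand), which illustrates why a generator must be chosen with large prime order, as operation (4) requires.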

3.2. Physically Unclonable Function

The hardware primitive accepts a challenge and generates the matching response from the physical properties of its integrated chip and . A may easily be thought of as a one-way function since both the accepted challenge and the produced answer are bit strings [14].

In essence, security is based on the fact that, even if various s use the same production processes, each will be somewhat different owing to manufacturing variances. The following are the characteristics of [15]:
(i) Uniqueness: A PUF cannot be duplicated.
(ii) Unidirectionality: In the real manufacturing circuit, the variances between input and output function mapping are both fixed and unpredictable. It is the hardware counterpart of the one-way function in this regard.
(iii) Invulnerability: Any effort to tamper with the device containing the will cause the to modify its behaviour and, as a result, it will be destroyed [14].

3.3. Network Model

Figure 1 represents the architecture we applied for the design of communication among the participants. The RFID tag communicates with the roadside RFID reader, and thereby the communication passes through the vehicular cloud server. In order to communicate efficiently, the communicating parties have to undergo the authentication and key agreement phase to establish a session key. More details on how the participants actually take part in the authentication, key agreement, and communication process are discussed in the next section.

3.4. Threat Model

The “CK-adversary model” is widely regarded as the “current de facto standard model in modeling key-exchange protocols.” Using the “CK-adversary model,” the adversary can “deliver messages (as in the DY model),” and in addition, can also “compromise other information, such as session state, private keys, and session keys.” “Since the sessions as procedures run inside a party, the internal state of a session is well-defined. An important point here is that what information is included in the local state of a session. For instance, the information revealed in this way may be the exponent used by a party. Typically, the revealed information will include all the local state of the session and its subroutines, except for the local state of the subroutines that directly access the long-term secret information.” Therefore, it is important that “the leakage of some forms of secret information, such as session ephemeral (short-term) secrets or session key, should have the least possible effect on the security of other secret credentials of the communicating entities in an authenticated key-exchange protocol.” We demonstrate that the proposed technique is secure against well-known attacks and offers session key security and strong credentials’ privacy under the CK-adversary model through a comprehensive formal security analysis.

3.5. Security Requirements for an IoT-Based RFID Communication System

To the best of our knowledge and based on the available literature, many authentication algorithms for RFID communication systems have been proposed in recent years. The best ways for making RFID systems appropriate for a wide variety of applications are authentication and key agreement. Several forms of security threats might arise during the transfer of messages between RFID tags and readers.

Any authentication mechanism attempting to secure a viable RFID-based system should meet the following security requirements:
Impersonation attack: By replaying a message recorded from the channel, an attacker might try to imitate genuine protocol participants (such as the cloud database server, RFID reader, or RFID tag). Any impersonation should be prevented at all costs.
Replay attack: In this attack, an outsider tries to deceive other certified participants by restating intercepted data. This attack targets a user whose data have been intercepted by an untrustworthy third party.
Mutual authentication: The authentication procedure takes place between the RFID tag and the back-end database server. Messages are exchanged across an unprotected communication route between the tag, reader, and server. This is the most crucial feature of any authentication system. Mutual authentication must also be accomplished with all three RFID system players present.
Tag anonymity: This is the most critical security criterion for reducing forgeries and assuring security. The RFID authentication method retains anonymity if an opponent is unable to trace an RFID tag during message transmission over a public channel. There are two types of anonymity, namely strong anonymity and weak anonymity. Furthermore, in order to protect their security and privacy, participants in IoT communication do not reveal their true identities.
Man-in-the-middle attack: In this attack, an adversary listens to the transmitted data before attempting to remove or change the data delivered to recipients.
Insider attack: Any insider can play the role of adversary in the RFID communication system.
Desynchronization attack: If a protocol’s authentication relies on shared values, an adversary may cause desynchronization. If the shared data are updated by the server but not by the tag, the server might be unable to validate the tag in the future. Attempts to desynchronize should be prevented at all costs.
Untraceability: Untraceability in the RFID communication system means that no one can track the participants’ activity patterns or their relayed messages.
Session key agreement: A session key agreement will be made between users and their mobile devices, as well as the network control centre, following the successful deployment of the proposed protocol.
Confidentiality: The security of RFID communications between the tag and the reader is ensured by encrypting shared secrets on the public channel.
Perfect forward secrecy: This is used in the authentication protocol architecture to keep previously transmitted messages private, so that an adversary who obtains the entities’ private and public keys will be unable to deduce a past session key.
Availability: The authentication and key agreement mechanism between the RFID tag and the RFID back-end database server operates continuously in an RFID system. To achieve availability, the shared secret information between the RFID tag and the RFID back-end database server must be updated in most authentication procedures. However, security issues such as denial-of-service (DoS) or desynchronization attacks may disrupt this process. As a result, the RFID system’s efficiency may be jeopardized. Hence, this issue should be considered when designing an authentication mechanism.

4. RSEAP2 Protocol

We offer a brief explanation of RSEAP2 [2] in this section. In this protocol, the tag and the cloud database server interact through the reader to establish a session key. It is divided into two parts. The tag enrollment or startup phase is the first step, in which the tag talks with via a secure connection to provide the needed data. The login and authentication phase is the second phase of the protocol, and it is used to perform mutual authentication and share the session key . This part of the communication takes place over a public network. The notation used is shown in Table 4.

In the initialization phase of RSEAP2, the server chooses an elliptic curve over and a generator over . It also selects as its secret key, and its public key will be . Any tag which aims to register with S inputs its and , generates a random value , computes , and sends the tuple to S. Once S has received , it first verifies the timestamp, that is, x. Next, it generates and sets it as the ’s serial number, computes , , , and stores corresponding to . It then sends the tuple to . The tag stores .

The description of the protocol is as follows:
L1. uses its credentials , computes , , and verifies . If verification is successful, generates , calculates and , and sends to the reader .
L2. The reader checks the timestamp, that is, , generates , computes , and then sends to S.
L3. Once S has received , it verifies the timestamps, that is, x and . Next, it extracts  =  , retrieves from the database, and evaluates to authenticate . After the successful authentication on parameters, S extracts , verifies , retrieves the related using , computes , and verifies . It further generates , computes the session key , , and sends to .
L4. verifies the timestamp, that is, x and , to authenticate S. Subsequently, it extracts and then sends to .
L5. Similarly, verifies the timestamp, that is, x and x, and then computes and checks . If so, it sets as the session key.

5. Security Analysis of RSEAP2

5.1. Inefficient Mutual Authentication Attack

On receiving the message from the reader , the cloud database server extracts and computes to validate the user and reader. The details are as follows:
(1) The cloud server performs the computations and validates the timestamps, that is, x and .
(2) Next, it extracts  =  , retrieves from the database, and evaluates to authenticate .
(3) After the successful authentication on parameters, S extracts , verifies , retrieves the related using , computes , and verifies the authenticity of the user.
(4) It further generates and computes the session key .

The conflict here is that the cloud server fails to compute the proper session key to pass on to the tag for validation. The reason is that the cloud server cannot retrieve the random values generated by the tag and reader, such as , and in the session key the cloud server uses the value without knowledge of those random numbers. Although the cloud server performs this computation, the result is certainly a garbage value that the tag cannot validate at any point in time. Thus, this scheme fails to perform mutual authentication.

5.2. Inefficient Session Key Establishment Attack

On receiving the message from the cloud server, the tag performs the mutual authentication verification. However, the verification fails. The details are as follows:
(1) As discussed in Section 5.1 above, the cloud server fails to compute the authentic session key. Nevertheless, on receiving the message from the cloud server, verifies the timestamp, that is, x and x, and then computes and checks . If so, it sets as the session key.
(2) The tag neither retrieved nor has any way to derive the value , yet it still performs the computation to validate the session key.

This validation can never succeed, since without the proper parameters and values the verification fails, and the tag and the cloud server cannot establish a session key for future communication. Thus, this scheme fails to perform session key establishment.

5.3. Denial-of-Service Attack

According to the RSEAP2 scheme, the legitimate participants try to communicate with each other and obtain services as and when required, but from the security flaws shown above in Sections 5.1 and 5.2, we understand that the scheme fails to establish the session key and mutual authentication. This is conclusive evidence that the scheme fails to provide services to the participants, even though the tag and readers are legitimate participants in the system. Hence, this scheme is prone to the denial-of-service attack.

6. Our Proposed Scheme

This section presents the proposed secure authentication protocol and the program architecture, which is divided into a tag, a reader, and a cloud server for parallel processing, with each component working independently. In this architecture, as shown in Figure 2, the tag initiates the communication by computing the validating message and transmits it together with a virtual ID to the reader. Upon receiving the message, the reader is challenged to validate it. The reader therefore computes its own validating message and transmits it with the virtual ID to the cloud server for further processing. Once the message is received by the cloud server, the server validates the reader’s message and thereby authenticates the reader and the tag. After successful authentication, it computes the session key to establish the key. At the next stage, the reader receives Ack1 and Ack2 from the cloud server as an acknowledgment. Then the check takes place: the tag receives Ack1 from the reader, and simultaneously the reader checks the received Ack2. Finally, once the check is successful, the tag establishes the session key and the process ends (see the process flow diagram in Figure 2).

In this section, we present our proposed scheme. In the initialization phase, the server chooses an elliptic curve over and a generator over . It also selects as its secret key and its public key will be . Any tag which aims to register with , inputs its , generates challenge , computes , , and sends the tuple to . Once received , verifies in the records whether exists or not. If the is new, it generates , computes , , and stores corresponding to . It then sends tuple to . The tag computes and stores . Similarly, reader aims to register with , generates challenge , computes , ), and sends to the cloud database server . computes by its private key and , , ; sends ; and stores in its database. Further also stores . The illustration of the tag registration and reader registration is shown in Table 5 and Table 6, respectively.

6.1. Login and Authentication Phase

To access the services from , needs to establish a session key with . The following steps are followed by , and during this phase. The illustration is shown in Table 7.
LA1: The tag logs on by , computes , verifies , generates to compute , and sends to .
LA2: On receiving the request, verifies ; computes , , and ; and sends to .
LA3: On receiving the request, verifies and ; extracts ; validates ; and extracts to verify . On success, it generates , computes , , , and sends as a response to .
LA4: After receiving the response from , checks , verifies , and sends to .
LA5: On receiving the response from , verifies , computes , and checks . On successful verification, sets as the session key.

6.2. Revocation and Reissue Phase

To revoke the access of , checks for the availability of during the subsequent login attempts. The tag will be given or refused access on the basis of the check. Since all dynamic identities have a finite lifetime, it is also impossible to continuously use the same dynamic identity.

In addition, the following steps to obtain new credentials are crucial when a tag belonging to an approved registered user is stolen or lost.
RR1: The tag keeps the same , but chooses a password and generates challenge to compute , . It then submits the revocation request to the cloud database server through a secure channel.
RR2: On receiving the request, checks the database for the availability of , where is computed with the private key of S. If is not available, the cloud database server computes and sends to over the secure channel.
RR3: Finally, for each tag, the cloud server issues the new credentials.
RR4: After receiving the new credentials, completes the registration process as in the registration phase.

6.3. Tag’s Password/Update Phase

A registered tag can update its current password by following these steps without contacting :
PU1: The tag logs on by , computes , and verifies . Upon unsuccessful verification, this process is terminated by . Otherwise, uses a new password.
PU2: picks ; computes , , and ; and stores to complete the process.

7. Formal Security Analysis

Formal security analysis methods are commonly used to examine and evaluate authentication schemes. According to the literature [25], various security assessment frameworks can be used to evaluate authentication methods. In this article, we use the real-or-random (ROR) model.

7.1. ROR Model-Based Proof

Under this model, an adversary, say , has access to a set of queries on executing entities, including CorruptTi , Test , , Execute , and Reveal , which simulate a real attack. The descriptions of these queries are given in Table 8. The ROR model components are as follows:
(i) Participants: The participants in the proposed scheme are the tag , reader , or a cloud server . The instances and of and are marked as and , which are known as oracles.
(ii) Accepted state: If the peer entities reach an accepted status when the final communication has been authenticated, the instance “” is in the “accepted state.” For the ongoing session, is a session ID created in sequence by after the sent and received messages are arranged in order.
(iii) Partnering: The following conditions must be met for and to be partnered:
(1) They are in “accepted states.”
(2) They possess the same . Furthermore, they also “authenticate mutually with each other.”
(3) They are also “mutual partners of each other.”
(iv) Freshness: or is fresh when the session key constructed between and is not leaked to using the Reveal query listed in Table 8.

The proposed scheme undergoes “semantic security” as defined in Definition 1.

Definition 1. If is the “advantage of an adversary running in polynomial time in breaching the semantic security of to extract the session key among a tag and a cloud server ,, where are the correct bits and indicate the guessed bits.
Furthermore, Definition 2 is about “collision-resistant one-way hash function” and Definition 3 is about “elliptic curve decisional Diffie–Hellman problem (ECDDHP),” for briefing .

Definition 2. A “deterministic function,” say : , is a “one-way collision-resistant hash function” if it produces fixed length of bits output string as “hash value or message digest” upon an arbitrary length input string . Let an adversary want to find a hash collision. Then, the “advantage” of in attacking “hash collision” is provided by . here shows the chance that the pair will be randomly picked by in the case of “random event ” and . The attack of -adversary of to the resistance of collision of indicates that the maximum runtime of to the .

Definition 3. Consider an elliptic curve and a point , the ECDDHP is “for a quadruple , , , , decide whether or it is a uniform value,” where , , (=\{1, 2, , \}).
To make ECDDHP intractable, the chosen prime needs to be at least a 160-bit number.

Theorem 1. Suppose our scheme runs in “polynomial time ” and the adversary is working to gain advantage on . If , , and indicate the “cardinality of hash queries,” “size of one-way hash function ,” and “’s advantage in breaching ECDDHP in time (see Definition III-A),” respectively, and chosen passwords follow Zipf’s law [26], then, with the bit-lengths of the PUF key (where refers to ) and the tag identity being and , respectively, and and the Zipf’s parameters [26], ’s advantage in compromising the semantic security of the proposed scheme is

Proof. This proof is presented in a similar way to the proofs of related authentication protocols. Here four games are played, such as , related to the evidence, where is the starting and is the finishing game. We define as “an event wherein can guess the random bit in the game correctly” and the “advantage of in winning the game as .” The detailed study of these games is as follows:
: is the same as the real ROR model protocol. Therefore, the semantic security of is defined in Definition 1.
: In this game, we model the “eavesdropping attack,” in which can intercept all the communicated messages , , , and while executing the “authentication and key agreement phase” in Section A using the query as discussed in Table 8. To confirm whether the “calculated session key between and is real or a random number,” can execute both the and queries. The established session key is . It is worth noting that the security of the session key depends on both the “temporary secrets” and and the long-term secrets and ’, which cannot be obtained by eavesdropping on the messages , , , and . Therefore, this “eavesdropping attack” does not give any advantage/increase in the winning probability of in . This shows that the and games are “indistinguishable,” and thus we obtain the following result:
: In this game, the hash queries are simulated. Both and are altered in the message. Similarly, , , and are equally unpredictable, as they include random timestamps and random numbers, such as , , , , , and , which are equally unforeseeable. So, no collision occurs when makes hash queries. Since the and games are “indistinguishable” except for the inclusion of the simulations, we obtain the birthday paradox outcome:
: The CorruptTi query is implemented in this final game. Therefore, depending on the outcome of the query, the opponent extracts the credentials from a compromised tag . The probabilities of correctly guessing the physically unclonable function secret key of bit-length and the user identity of bit-length are and , respectively. The advantage of is more than 0.5 if , since the passwords selected by users tend to obey Zipf’s law, using trawling attacks. If can exploit the user’s personal data for a targeted attack, then gives him an edge over 0.5. Furthermore, will have all the intercepted messages , , , and . To derive the session key shared between and , needs to calculate , which in polynomially bounded time is computationally costly owing to the intractability of ECDDHP. Since the and games are “indistinguishable” except for the CorruptTi query and ECDDHP, the following is expected:
Now, all the relevant queries related to the above games are executed, and then the query is executed along with the query to guess the random bit . Thus, we get
Combining equations (1), (2), and (5) derives:
Next, combining equations (3), (4), and (6) provides the following result:
Finally, equation (7) is multiplied by 2 on both sides to get

7.2. Informal Security Analysis

Proposition 1. Location privacy (non-traceability)

Proof. The tag transmits only the message , with . Only the component of this message could be used to identify the tag, and in every session the variables and mask and randomize this token; the adversary controls none of these values. In the worst case, if a collision occurs on the value , the adversary could detect it by monitoring the fraction and could then track . However, the adversary's advantage in finding such a collision after protocol sessions is , which is small enough in practice. Furthermore, reveals neither nor .
The reader sends to , where is the only value that could be used to track the reader, by checking whether the fraction collides. Likewise, after protocol executions the adversary's advantage in detecting a collision is , so the adversary's chances of success are slim.
The server sends , where and . The and tokens, on the other hand, are randomized by the reader and the server in every session, so an adversary cannot obtain data that would help it breach the protocol's location privacy.
Finally, sends to . The adversary's only target in this message could be , which is a function of and is randomized by , , and in every session.
Overall, our protocol guarantees the location privacy of all entities (i.e., , and ).

Proposition 2. Mutual authentication and session key agreement

Proof. The pairs and are mutually authenticated whenever a legitimate tag communicates with an honest server through a valid reader within the acceptable time thresholds. Mutual authentication between the reader and the tag is not required in this protocol: is the source of trust for , while is only a gateway to . The correctness of the session key and the mutual agreement on it are shown as follows:
Correctness proof: Because the tag and the server are mutually authenticated and has already authenticated , may trust the reader . Hence our scheme achieves mutual authentication and establishes a properly agreed session key.

Proposition 3. Physical security

Proof. . By the characteristics of , any alteration of or damage to the device containing the causes it to respond differently or makes the device unavailable. Since the vehicle sensors do not store any information, nothing relevant can be extracted from them in a physically accessible environment. Apart from rendering the hardware components of the proposed protocol ineffective, physical attacks cannot extract any relevant information. Hence the proposed protocol ensures the physical security of the system.

Proposition 4. Achieving forward secrecy

Proof. In our scheme the session key is computed as and is established between the tag and the server . To compromise the session key, needs the session-specific random values , the fixed value , and the identities of the participants in the key establishment. Even if are compromised by , the attacker cannot compute for lack of or the random values and the fixed value . Hence gains no advantage from compromising , and cannot compute previous, current, or future session keys.

Proposition 5. Message authentication

Proof. In this protocol, the server authenticates and , while the reader authenticates partially and the tag fully. The random numbers and the one-way hash function ensure the integrity of every message, so any alteration of a transmitted message causes the receiver to reject it.
For instance, consider the message , where , which must be authenticated by . The server first checks , so a replayed copy of the message is rejected. Then extracts , retrieves the corresponding value using and , and computes and verifies in order to accept the message. Clearly, any modification of , , or reduces the probability of to , where is the hash length; for example, for . The other messages of the protocol can be reasoned about in the same way. Hence our protocol ensures message authentication between the parties involved.

Proposition 6. Replay attack

Proof. In a replay attack, the adversary tries to reuse a previously exchanged message at a later time . In our protocol any message received outside the threshold time (a preset multiple of ) is rejected, and the one-way hash function protects the integrity of the timestamps themselves. Hence replay attacks against our protocol are infeasible. Finally, the adversary could break the tag's anonymity only by extracting from the pair and ; this amounts to solving , which is known to be hard (see Section 3.1).
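As an added illustration of the checks argued in Propositions 5 and 6 (example code written for this page, not the paper's implementation), the following Python models a tag message carrying a per-session pseudonym, a random nonce, a timestamp, and a hash that binds them to the tag's shared secret, together with a server that enforces the timestamp threshold and verifies the hash. The field names, the use of SHA-256 as the hash, the 2-second window, the tag identifier, and the shared secret are all assumptions, since the paper's own symbols did not survive extraction. The replay cache is an addition beyond the paper's argument: a timestamp threshold alone does not stop a message replayed inside the window.

```python
"""Added example for Propositions 5 and 6: hash-bound messages, a timestamp
window and a replay cache on the verifier side.  Toy model with assumed
field names and parameters; not the paper's own code."""
from __future__ import annotations

import hashlib
import os
from typing import Dict, Optional, Tuple

DELTA_T_MS = 2000  # assumed acceptance window for timestamps, in milliseconds


def h(*parts: bytes) -> bytes:
    """One-way hash over length-prefixed inputs (SHA-256 stands in for the paper's hash)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big"))
        m.update(p)
    return m.digest()


def tag_message(tid: bytes, key: bytes, t_ms: int, nonce: Optional[bytes] = None) -> dict:
    """Tag side: a fresh nonce masks the identity, and v binds tid, key, nonce and timestamp."""
    n = nonce if nonce is not None else os.urandom(16)
    t = t_ms.to_bytes(8, "big")
    return {"p": h(tid, n), "n": n, "t": t, "v": h(tid, key, n, t)}


class Server:
    def __init__(self, registry: Dict[bytes, bytes], window_ms: int = DELTA_T_MS):
        self.registry = registry  # tid -> shared secret (assumed registration data)
        self.window_ms = window_ms
        self.seen = set()         # (nonce, timestamp) pairs already accepted

    def verify(self, msg: dict, now_ms: int) -> Tuple[Optional[bytes], str]:
        t_ms = int.from_bytes(msg["t"], "big")
        if abs(now_ms - t_ms) > self.window_ms:
            return None, "rejected: timestamp outside threshold"
        # Added hardening beyond the paper: a copy replayed inside the window
        # would pass the timestamp check, so a repeated (n, t) is refused too.
        if (msg["n"], msg["t"]) in self.seen:
            return None, "rejected: replay within window"
        for tid, key in self.registry.items():
            if h(tid, msg["n"]) != msg["p"]:
                continue  # pseudonym does not belong to this tag
            if h(tid, key, msg["n"], msg["t"]) != msg["v"]:
                return None, "rejected: hash mismatch"  # tampered field or wrong key
            self.seen.add((msg["n"], msg["t"]))
            return tid, "accepted"
        return None, "rejected: unknown tag"


def demo() -> Dict[str, Tuple[Optional[bytes], str]]:
    """Constructed scenario: one fresh message, its replay, a stale copy and a tampered copy."""
    tid, key = b"TAG-0001", b"constructed-shared-secret"
    srv = Server({tid: key})
    msg = tag_message(tid, key, t_ms=1_000_000)
    return {
        "fresh": srv.verify(msg, now_ms=1_000_500),
        "replay": srv.verify(msg, now_ms=1_001_000),
        "stale": srv.verify(msg, now_ms=1_005_000),
        # adversary re-stamps the captured message to look fresh; v no longer matches
        "tampered": srv.verify(dict(msg, t=(1_000_400).to_bytes(8, "big")), now_ms=1_000_500),
    }


if __name__ == "__main__":
    for name, (who, verdict) in demo().items():
        print(f"{name:9s} -> {verdict}" + (f" ({who.decode()})" if who else ""))
```

The last case is the instructive one: an adversary who re-stamps a captured message to pass the freshness check still fails, because the timestamp is an input to the hash, which is the point Proposition 6 makes about timestamp integrity.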

Proposition 7. Impersonation attack
Tag:

Proof. Because the integrity of is protected, the only way to spoof the tag is to construct a valid , which is impossible without guessing or computing a valid , where is the timestamp at the time of the attack. The adversary also lacks and . Hence the adversary's probability of successfully impersonating the tag is , where is the bit length of the hash function; in other words, a replay attack is futile.
Reader:

Proof. Because the integrity of is guaranteed in our protocol, the adversary cannot replay messages to impersonate a reader, so generating a legitimate is the only way to impersonate in front of . The adversary, however, lacks , , and . Even if it obtained the values , and by some other means, it would have to extract from in order to determine , which requires inverting the one-way hash function and is therefore infeasible. Hence impersonating to is not feasible under this protocol.
Server:

Proof. To impersonate the server in front of , the adversary would have to compute , where and ; would be required. Apart from , which is contributed by by sending , this token is randomized by . Disclosing and would require solving a problem, which is hard. Even if the adversary recovered and adapted these values, it would still need to know because of in , which is not the case. Hence cheating and successfully impersonating gives the adversary only a advantage. Furthermore, impersonating in front of is a prerequisite for impersonating in front of , so the attacker cannot impersonate the server in front of using . The only remaining option is , where ; however, the attacker lacks . Hence the adversary's advantage in this impersonation attack is negligible (i.e., ).

Proposition 8. Offline password guessing attack

Proof. The reasoning for this attack is nearly the same as for . In a nutshell, calculates the tag's temporary password. Even if the adversary could guess , it would still need the value , a random number generated by the tag . Hence an adversary who cannot predict cannot mount this attack.

Proposition 9. Desynchronization attack

Proof. Since no shared parameters are updated after a protocol run completes, our scheme is immune to desynchronization attacks. The attacker can at most block the message , which the tag uses to set the session key ; because has not received in time, that entity may need to restart the login and authentication step to re-establish the session key. We stress that this situation differs from an impersonation attack, since, as shown above, an adversary cannot impersonate a valid tag. In addition, the tag must initiate the protocol; otherwise the server rejects the request.
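To make the argument of Proposition 9 concrete, the following toy model (added for this page; it is not the paper's protocol, and its message format, nonces, and keys are constructed assumptions) runs the same three-message challenge-response with two kinds of parties: one whose shared parameters never change, as in the proposed scheme, and a contrasting variant that rotates the shared key after every run. Dropping the final message only costs the fixed-parameter parties a retry, whereas it leaves the rotating variant permanently desynchronized.

```python
"""Added example for Proposition 9: a fixed-parameter protocol cannot be
desynchronised by dropping its last message, while a key-rotating one can.
Toy challenge-response with constructed keys; not the paper's protocol."""
import hashlib
import os
from typing import List, Optional, Tuple


def H(*parts: bytes) -> bytes:
    """One-way hash; the separator keeps the concatenated inputs unambiguous."""
    return hashlib.sha256(b"\x00".join(parts)).digest()


class Tag:
    def __init__(self, key: bytes, rotate: bool):
        self.key, self.rotate = key, rotate

    def start(self) -> bytes:
        self.nt = os.urandom(8)                 # tag nonce, first message
        return self.nt

    def respond(self, ns: bytes, proof: bytes) -> Optional[bytes]:
        if proof != H(self.key, self.nt, ns):
            return None                         # server proof fails: abort, no update
        final = H(self.key, ns, self.nt)        # third message
        if self.rotate:
            self.key = H(self.key, self.nt, ns)  # rotating variant updates before sending
        return final


class Server:
    def __init__(self, key: bytes, rotate: bool):
        self.key, self.rotate = key, rotate

    def challenge(self, nt: bytes) -> Tuple[bytes, bytes]:
        self.nt, self.ns = nt, os.urandom(8)
        return self.ns, H(self.key, nt, self.ns)  # second message: nonce and proof

    def finish(self, final: bytes) -> bool:
        if final != H(self.key, self.ns, self.nt):
            return False
        if self.rotate:
            self.key = H(self.key, self.nt, self.ns)  # server updates only on receipt
        return True


def run_session(tag: Tag, srv: Server, block_final: bool = False) -> bool:
    """One protocol run; block_final models an adversary dropping the last message."""
    nt = tag.start()
    ns, proof = srv.challenge(nt)
    final = tag.respond(ns, proof)
    if final is None or block_final:
        return False   # tag aborted, or the server never saw the final message
    return srv.finish(final)


def desync_demo(rotate: bool) -> List[bool]:
    """Three runs with constructed keys: normal, final message blocked, then a retry."""
    key = b"constructed-shared-key"
    tag, srv = Tag(key, rotate), Server(key, rotate)
    return [run_session(tag, srv),
            run_session(tag, srv, block_final=True),
            run_session(tag, srv)]


if __name__ == "__main__":
    print("fixed parameters:", desync_demo(rotate=False))  # [True, False, True]
    print("rotating key:    ", desync_demo(rotate=True))   # [True, False, False]
```

With fixed parameters the blocked run is simply repeated, which is what Proposition 9 states. The rotating variant is included only as the contrast: after the blocked run the tag holds a key the server never learned, so the server's next proof fails at the tag and every later run fails too.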

Proposition 10. Insider attack

Proof. In the initialization phase of our scheme, sends to and receives in return. Further, computes , where . Hence the chances of an insider attacker disclosing are essentially nil (i.e., ).

Proposition 11. Man-in-the-middle attack

Proof. To mount a successful man-in-the-middle attack, an adversary must be able to impersonate a protocol entity or modify a message without being detected. This fails against our protocol for the following reasons. First, as explained in Proposition 7, the adversary's advantage in impersonating the tag, the reader, or the server is negligible. Second, Proposition 5 shows that any change to a transmitted message causes the receiver to reject it. Finally, Proposition 6 shows that an adversary cannot relay a message to deceive about its distance or replay an earlier message. Hence the proposed protocol resists man-in-the-middle attacks.

Proposition 12. Ephemeral secret leakage (ESL) attack

Proof. As described in Proposition 2, and establish a common session key during the execution of the proposed scheme, computed as . The SK-security of the proposed scheme relies on the secret credentials, as the following two cases show.
Case 1. Suppose knows the ephemeral (short-term) secrets and . It is computationally infeasible for to compute the valid session key without the long-term secrets , , , and .
Case 2. Suppose that the long-term secrets , , , and , some or all of them, are revealed to . Computing without the ephemeral secrets and is again computationally infeasible.
Thus can compute a valid session key only if both the ephemeral and the long-term secrets are revealed. Furthermore, if a particular session is compromised, the session keys of previous and future sessions are entirely different from the compromised key, because each key combines the long-term secrets with freshly generated random nonces that are secret and not revealed to . Therefore forward and backward secrecy, as well as SK-security, are preserved. Likewise, a session key leaked through session hijacking in one session does not compromise any previous or future session. Summing up these cases, the proposed scheme is secure against the ESL attack.

8. Observations and Performance Analysis

We use the implementation results of [2] "(CPU: Intel(R) Core(TM)2 T6570 2.1 GHz, Memory: 4G, OS: Win7 32-bit, Software: Visual C++ 2008, MIRACL C/C++ Library)" to estimate the computation time. Since SHA-2 costs 15.8 cycles per byte [27], one call takes milliseconds; this figure corresponds to a single call to the SHA-2 compression function , whose message block is 512 bits. We designed the new protocol to minimize the number of calls to this compression function, especially on the tag side, which is the most constrained device. The time for a scalar multiplication on ECC-160, denoted , is 7.3529 milliseconds, and the time for a chaotic-map operation is = [28]. The time for symmetric encryption/decryption depends on the cipher employed; the reported time for AES is milliseconds. Table 9 gives the details.

For the performance analysis, the hash output, nonces, timestamps, tag/reader identities, a symmetric-encryption output block, and elliptic curve points have bit widths of , and 320 bits, respectively. Table 10 compares the computational and communication costs of RSEAP2 with those of our scheme. Because tags are the most constrained devices in the system, we focus our investigation on them. As Figure 3 shows, the computation time differs little from that of , with only a minor improvement in our scheme. Our scheme is considerably more efficient than in terms of bits sent and received, as Figure 4 shows; this implies a significant reduction in power consumption, a critical metric for such devices. Finally, Table 11 compares the security properties offered by related schemes with those of our scheme (see Figure 5 for an instance). In summary, the new protocol is both more efficient and more secure than the old one.

9. Concluding Remarks

In this article we designed a PUF- and RFID-based authentication protocol for the vehicular cloud computing environment that ensures secure communication among the participating entities, namely the tag, the reader, and the cloud server. The uniqueness property of the PUF, together with ECC, gives significant functional advantages in designing secure key establishment and communication. The proposed protocol also supports revocation and reissue as well as a tag-friendly password update/change mechanism. Using the random oracle model, we bounded the advantage of an adversary in violating the security features, and through the informal security analysis we showed that the proposed scheme withstands the well-known attacks on authentication protocols. Our scheme satisfies all 18 security features with a computation cost of = 14.7088 ms, which is comparable with the other schemes, and a communication cost of 672 bits sent and 512 bits received. Overall, the performance of our scheme is comparable with related schemes while providing more security features than the existing protocols.

Data Availability

No data collection method is applied.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This study did not receive any funding in any form.