Time-stamp based mutual authentication protocol for mobile RFID

Wu Xiaoqin

Zhang Min, Yang Xiaolong

College of Communication & Information Engineering, University of Electronic Science and Technology of China, Chengdu, China

College of Computer & Communication Engineering, University of Science & Technology Beijing, Beijing, China

Abstract—Recently, there are many information security and privacy issues related to the Radio Frequency Identification (RFID) system, hence further pervasive application is seriously restricted. Recently two RFID authentication protocols named ESAP and WISP were designed for RFID security authentication based on the monotonically increasing time-stamp. Message exchange becomes much more dynamic and anonymous in these two protocols because of the time-stamp. However, they are vulnerable to the timing attack and the counterfeit attacks. Inspired by the monotonically increasing time-stamp mechanism in the two protocols, we present a novel mutual security authentication protocol TMAP which can resist the tag counterfeit attack, reader counterfeit attack, replay attack and de-synchronization attack, and especially the timing attack. The protocol TMAP provides mutual authentication for the server and the reader, decreases the computation of both the tag and the server and operates in mobile RFID systems, which makes it promising for practical application, especially with the mobile Internet and cloud computing developing rapidly nowadays.

Keywords—RFID; authentication protocol; security; privacy; time-stamp

978-1-4673-5699-2/13/$31.00 ©2013 IEEE

I. INTRODUCTION

Radio Frequency Identification (RFID) is a non-contact automatic identification technology based on wireless radio-frequency recognition [1].

Because the wireless channel between the reader and the tag is shared, the message exchange is vulnerable to many malicious attacks, hence the RFID system is under security and privacy threats. Once the information in the tags is exposed, users' private information such as income, age, location and health status may be exploited by attackers. For the security and privacy problem, a secure and effective access control and authentication mechanism provided by an RFID security authentication protocol is a generally accepted solution. However, due to the limited energy, computing and storage resources of RFID tags, the mature encryption algorithms and authentication mechanisms of the communication security field cannot be transplanted to the low-cost RFID system directly. Therefore, the research focus and difficulty in the RFID security field is how to design a security authentication protocol for low-cost RFID systems with enough security strength and low cost in communication, computation and storage.

In recent years, lots of RFID authentication protocols have been proposed. Unfortunately, some common security drawbacks and vulnerabilities exist in these protocols. Firstly, the security of the protocol depends on the randomness of the random numbers and the strength of the hash function computation. Fortunately, the new hash SQUASH [2], which needs the fewest gates, can be implemented on devices like RFID tags. Secondly, protocols are discussed based on the communication environment assumptions that the channel between the reader and the tag is unsecure and the channel between the reader and the server is secure, which is too idealistic and simplistic. Actually, it is also possible to use a non-secure wireless channel between the server and the reader in practical applications.

Therefore in this paper, we propose a novel mutual authentication protocol TMAP for mobile RFID systems, which uses the monotonically increasing time-stamp and the hash function to achieve both message anonymity and information privacy. The remainder of the paper is organized as follows: some related works are reviewed briefly in Section II. A novel RFID protocol named TMAP is described in detail in Section III. The security and the performance of this new protocol are analyzed in Section IV. Finally, a conclusion is made.

II. RELATED WORK

Gene Tsudik first adopted the time-stamp to provide tracking resistance in the RFID authentication protocol called YA-TRAP [3]. In this protocol, the reader sends the time-stamp $T_r$ to the tag as the challenge message. Once it receives the time-stamp, the tag compares it with the time-stamp stored at the last session to decide whether it is valid or not.

Because of the strictly monotonically increasing property of the time-stamp, the tag regards this time-stamp as valid and responds with a message computed with the new time-stamp and the key when the received time-stamp is greater than the stored one. Inspired by YA-TRAP, the papers [4][5][6] present the OTRAP protocol, the YA-TRAP+ protocol, a 2-pass and a 1-pass optimistic anonymous protocol, and the YA-TRAP* protocol. These protocols are mainly vulnerable to DoS attack. The attacker could send a wildly inaccurate future time-stamp ($T_r$) to incapacitate a tag fully (to reach the maximal time-stamp) [7]. Although there are security vulnerabilities in these protocols, they provide a new idea for RFID authentication protocol design. The time-stamp is utilized mainly because it prevents the tag from being located and tracked.

In the paper [8], the author proposes a protocol ESAP using the static ID and a one-way randomized hash function based on the monotonically increasing time-stamp, which keeps the response message unidentifiable and anonymous. The problems involved with the time-stamp are not analyzed. The attacker could send successively increasing future time-stamps to the tags and make the stored time-stamp in the tags full. Therefore the attack aimed at the time-stamp still exists. In addition, this protocol cannot be operated in a mobile RFID system.

Inspired by the time-stamp, Gul N. Khan et al. proposed a new protocol named WISP [9]. In this protocol, the server groups the tags by key classes. The tags in the same class share the same key pair $(Key_{c1}, Key_{c2})$ to encrypt their response messages. The tag ID consists of a lower half and an upper half, and the half part is unique in one class. The author uses the monotonically increasing counter $T_c$ instead of the time-stamp.

The protocol operation is shown in Fig. 1. The reader sends a random number $R_r$ to the tag as the query. Receiving the random number $R_r$, the tag generates a random number $R_t$ and increases the counter $T_c$ by 1. After that, the tag computes

$h_1 = h((R_r \parallel R_t) \oplus ID, Key_{c1})$

$h_2 = h((R_r \parallel 0) \oplus (R_t \parallel R_t) \oplus ID \oplus T_c, Key_{c2})$

Once the computation is finished, the tag sends $m$ to the reader, where $m$ is the concatenation of $k_c$, $h_1$ and $h_2$. Receiving the message $m$, the reader transmits $m$ and $R_r$ to the server.

After receiving the message from the reader, the server first gets the random number $R_r$ and the key class $k_c$, and then gets the key pair $(Key_{c1}, Key_{c2})$. The server reveals $ID_h = h^{-1}(h_1, Key_{c1}) \oplus (R_r \parallel 0)$ to get the low part $ID_l$ of the ID and $T_{cstored}$ according to $ID_h$. And then, the server calculates

$R_t = h^{-1}(h_1, Key_{c1}) \oplus (R_r \parallel 0) \oplus (ID_h \parallel ID_l)$

$T_c = h^{-1}(h_2, Key_{c2}) \oplus (R_t \parallel R_t) \oplus (R_r \parallel 0) \oplus (ID_h \parallel ID_l)$

Having obtained the counter value $T_c$, the server compares it with its stored $T_{cstored}$. Only when $T_c$ is strictly greater than $T_{cstored}$ does the server authenticate the tag and reply with an authenticated message to the reader.

Fig. 1. WISP protocol

① Reader → Tag: $R_r$
Tag: Generate $R_t$. Increment $T_c$. Compute $h_1 = h((R_r \parallel R_t) \oplus ID, Key_{c1})$ and $h_2 = h((R_r \parallel 0) \oplus (R_t \parallel R_t) \oplus ID \oplus T_c, Key_{c2})$; $m = k_c \parallel h_1 \parallel h_2$.
② Tag → Reader: $m$
③ Reader → Server: $R_r \parallel m$
Server: Get the key pair that belongs to $k_c$. Use the key pair $(Key_{c1}, Key_{c2})$ to reveal $ID_h = h^{-1}(h_1, Key_{c1}) \oplus (R_r \parallel 0)$. Look up the lower part of the ID and $T_{cstored}$ and reveal $R_t = h^{-1}(h_1, Key_{c1}) \oplus (R_r \parallel 0) \oplus (ID_h \parallel ID_l)$ and the real $T_c = h^{-1}(h_2, Key_{c2}) \oplus (R_t \parallel R_t) \oplus (R_r \parallel 0) \oplus (ID_h \parallel ID_l)$. Compare $T_c$ with $T_{cstored}$: if $T_c > T_{cstored}$, $m_1$ = Authentication and update $T_{cstored} = T_c$; else $m_1$ = Not Authentication.
④ Server → Reader: $m_1$

WISP uses the monotonically increasing counter to provide anonymity for the tag to some extent. However, there are still some drawbacks in security and performance. Firstly, although the key classification measure decreases the computation of the server, the computation on the tag is still heavy, with two hash encryptions and four XOR operations in each session. Besides, this protocol lacks authentication of the reader by the tag, therefore the tag must respond to all challenge messages no matter whether the messages come from a valid reader or not. For that reason, the tag cannot resist the reader counterfeit attack. The attacker may send continuous random numbers to the tag to make the counter $T_c$ full and invalidate this tag permanently. Thirdly, this protocol cannot ensure forward security because there is no key updating measure. Most importantly, all tags in one class share the same key pair with the server. Once one tag is compromised by a malicious adversary and its key is divulged, all the authentication keys are revealed for all the tags in the group. Lastly, this protocol assumes that the communication channel between the server and the reader is absolutely secure, as do the other protocols mentioned above, which is a bad assumption as more and more RFID systems are applied in mobile networks.

III. TMAP PROTOCOL

Aiming at the security and performance vulnerabilities of WISP, we design a new protocol TMAP. The new protocol operates in a mobile RFID system on the assumption that the channel between the server and the reader is not secure. The server and the reader mutually authenticate each other, as do the reader and the tag, based on the monotonically increasing time-stamp and the value Flag, which marks the success or failure of the last session. The value Flag determines the algorithm of the current authentication session. The main idea of our protocol is to use the time-stamp at both the server and the reader to guarantee that the authentication message is encrypted by the time-stamp and cannot be cloned or replayed.

A. Notations

The protocol involves three components: the tag, the reader and the back-end server. The communication channels connecting the components are not secure. We assume that the server and the reader own enough storage and computation, and keep clock synchronization. The patent [10] has achieved clock synchronization between the back-end server and the reader in an RFID system. The server must check the validity of the reader before authenticating the tag. The time-stamp is strictly monotonically increasing and the tag only accepts a time-stamp greater than the stored one. The notations used in our protocol are listed in TABLE I.

TABLE I. PROTOCOL NOTATIONS

| Notation | Description |
|---|---|
| $TID_i$ | The identity of the tag |
| $KT_i$, $KR_i$ | The secret key of the tag, the secret key of the reader |
| $T_T$, $T_R$, $T_S$ | The tag time-stamp, the reader time-stamp, the server time-stamp |
| $Flag$ | The sign of success or failure for authentication: 0 - success, 1 - failure |
| $R_{id}$ | The identity of the reader |
| $K_{old}$, $K_{new}$ | The old key, the new key of the tag stored in the server |
| $R_t$, $R_r$ | The random number of the tag and of the reader, generated by the PRNG |
| PRNG | Pseudo-random number generator |
| $\parallel$ | Concatenation operator |
| $\oplus$ | Exclusive-or operator |
| $h_b(a)$ | Computation of the hash function over $a$ by $b$ |



B. Initialization

Each tag stores $TID_i$ as its identity, $KT_i$ as its authentication key, which is updated in each session, the time-stamp $T_T$ initialized as 0, and the value Flag, which is set to 0 to indicate that the authentication of the last session succeeded or 1 that it failed. The reader stores $R_{id}$ as its identity, $KR_i$ as the key used to authenticate to the server and the time-stamp $T_R$ synchronous with the server. The server stores $TID_i$, the new key $K_{new}$, the old key $K_{old}$ corresponding to each tag, and a hash-table about the of the reader as shown in TABLE II. The hash-table updates through the time-stamp, as well as the time-stamp $T_S$ equal to the time-stamp $T_R$ of the reader.

TABLE II. THE HASH LOOK-UP TABLE

| | $(R_1, K_1)$ | $(R_2, K_2)$ | …… | $(R_n, K_n)$ |
|---|---|---|---|---|
| $T_S = 1$ | $h(R_1, K_1, 1)$ | $h(R_2, K_2, 1)$ | …… | $h(R_n, K_n, 1)$ |
| $T_S = 2$ | $h(R_1, K_1, 2)$ | $h(R_2, K_2, 2)$ | …… | $h(R_n, K_n, 2)$ |
| …… | …… | …… | …… | …… |
| $T_S = i$ | $h(R_1, K_1, i)$ | $h(R_2, K_2, i)$ | …… | $h(R_n, K_n, i)$ |

C. Operation Process

Fig. 2. TMAP protocol

Stored values: Server $(TID_x, K_{old}, K_{new})$, $T_S$, $h(R_i, KR_i, T_R)$; Reader $(R_{id}, T_R, KR_i)$; Tag $(TID_x, KT_i, T_T, Flag)$.
① Reader → Tag: $T_R$, $R_r$
Tag: $B = (T_R \oplus R_t) \parallel Flag$. If $Flag = 0$, compute $C_0 = h_{TID}((TID \oplus T_R) \parallel (R_t \oplus R_r))$ and set $Flag = 1$. If $Flag = 1$, compute $C_1 = h_{KT}((TID \oplus T_R) \parallel (R_t \oplus R_r))$.
② Tag → Reader: $B$, $C_i$
Reader: $A = h_{KR}(R_{id} \oplus T_R)$
③ Reader → Server: $A$, $B$, $C_i$, $R_r$
Server: 1) Look up the hash table to verify $A$ to authenticate the reader. 2) Obtain $Flag$, $R_t$ from $B$. 3) Verify $C$ to authenticate the tag. If the verification passes, then (1) update key: $K_{old} \leftarrow K_{new}$, $K_{new} = K_{new} \oplus R_t$; (2) compute $D = h_{K_{new}}((TID \oplus T_R) \parallel (R_t \oplus R_r))$; (3) encrypt the data: $E = h_{KR}(R_{id} \oplus T_R \oplus R_r)$.
④ Server → Reader: $D$, $E$
Reader: Authenticate the server.
⑤ Reader → Tag: $D$
Tag: Verify $D$. 1) Update key: $K_{new} = K_{new} \oplus R_t$. 2) Update time-stamp: $T_T = T_R$. 3) Update flag: $Flag = 0$.

The process of TMAP is shown in Fig. 2, and the protocol operates as follows:

(1) Reader → Tag: $T_R$, $R_r$

The reader sends the time-stamp and the random number to the tag as the challenge message.

(2) Tag → Reader: $B$, $C_i$

Receiving the challenge message, the tag compares $T_R$ with the stored time-stamp $T_T$. If $T_T$ is greater than $T_R$, the tag regards $T_R$ as not valid. Else the tag regards the time-stamp $T_R$ as valid and goes on to the authentication process.

Next the tag checks the stored value Flag. If it is equal to 0, the last session was successful, and the tag computes:

$B = (T_R \oplus R_t) \parallel Flag$

$C_0 = h_{TID}((TID \oplus T_R) \parallel (R_t \oplus R_r))$

The tag sends $B$, $C_0$ to the reader, and sets $Flag = 1$ simultaneously.

Else if Flag is equal to 1, the last authentication session failed, and the tag computes:

$B = (T_R \oplus R_t) \parallel Flag$

$C_1 = h_{KT}((TID \oplus T_R) \parallel (R_t \oplus R_r))$

The tag sends $B$, $C_1$ to the reader.

(3) Reader → Server: $A$, $B$, $C_i$, $R_r$

The reader computes:

$A = h_{KR}(R_{id} \oplus T_R)$

and transmits $A$, $B$, $C_i$, $R_r$ to the database server.

(4) Server → Reader: $D$, $E$

1) Verify the reader from $A$: The server looks up $A' = h_{KR}(R_{id} \oplus T_R)$. If $A' = A$, the authentication is passed. Otherwise, the server terminates the session and returns an ERROR message.

2) Obtain the Flag value ($Flag = 0$ or $Flag = 1$) from $B$ and the random number $R_t$ of the tag:

$R_t = T_R \oplus R_t \oplus T_S$ (because $T_R = T_S$)

3) Verify the tag from $C_i$:

If the Flag obtained in the previous step is equal to 0, the server looks up $TID_x$ and computes:

$C_0' = h_{TID_x}((TID_x \oplus T_R) \parallel (R_t \oplus R_r))$

If $C_0'$ and $C_0$ are equal, the server authenticates the tag, else it rejects the tag.

If the Flag obtained in the previous step is equal to 1, the server looks up $(TID_x, KT_{i\_new})$ or $(TID_x, KT_{i\_old})$ and computes:

$C_{1\_new}' = h_{KT_x}((TID_x \oplus T_R) \parallel (R_t \oplus R_r))$

$C_{1\_old}' = h_{KT_x}((TID_x \oplus T_R) \parallel (R_t \oplus R_r))$

If $C_1 = C_{1\_new}'$ or $C_1 = C_{1\_old}'$, the server authenticates the tag, else it rejects the tag.

4) Key updating and sending $D$ and $E$ to the reader:

If the tag is authenticated, the server updates the secret key if $C_1 = C_{1\_new}'$ in the last step:

$K_{old} \leftarrow K_{new}$, $K_{new} = K_{new} \oplus R_t$

The server does not update the secret key if $C_1 = C_{1\_old}'$. Then the server computes the values $D$ and $E$ by the updated $K_{new}$ to ensure forward security.

$D = h_{K_{new}}((TID \oplus T_R) \parallel (R_t \oplus R_r))$

$E = h_{KR}(R_{id} \oplus T_R \oplus R_r)$

(5) Reader → Tag: $D$

The reader computes:

$E' = h_{KR}(R_{id} \oplus T_R \oplus R_r)$

The reader compares $E'$ with $E$. If they are equal, this message is regarded as coming from a reliable back-end server and the reader transmits the message $D$ to the tag. Otherwise, the message is regarded as invalid.

(6) Tag updates the key:

The tag first updates the secret key:

$K_{new} = K_{new} \oplus R_t$

And then it computes $D'$ using the updated key. Comparing $D'$ with $D$, if they are equal the tag stores the updated key and sets $T_T = T_R$, $Flag = 0$ to mark this session as a success for the next session; otherwise the tag ignores this message and does nothing.

The authentication process is finished.

IV. PROTOCOL ANALYSIS

A. Security Analysis

Our protocol operates in a mobile RFID system and can resist the tag counterfeit attack, reader counterfeit attack, replay attack, timing attack and de-synchronization attack.

Tag counterfeit attack: The protocol can resist the tag counterfeit attack because the reply message to the query of the reader is different in each session. This message is encrypted by a hash function based on the time-stamp and a random number from the PRNG. In addition, the algorithm used to encrypt the message differs according to the Flag value.

Reader counterfeit attack: Because this protocol operates in a mobile RFID system, the server needs to authenticate the reader as well as the tag. Because the time-stamp used varies in each session and synchronizes with the server, the authentication message $A$ is different in each session and impossible to counterfeit. So the protocol can resist the reader counterfeit attack. Besides, in step 1, the tag only accepts a time-stamp greater than the stored time-stamp, while in other protocols tags reply to all query messages without any check.

Replay attack: The message exchanged in each round is distinct, and it is based on the monotonically increasing time-stamp. The random number and time-stamp become invalid in the next session. Hence the adversary cannot replay the message.

Timing attack: The tag stores the new time-stamp and replaces the old one only after successful authentication. When it receives a message with a far-future time-stamp from the attacker, the tag responds to it but never updates the time-stamp. So our protocol can resist the timing attack effectively.

De-synchronization attack or DoS attack: To counter the de-synchronization attack, most protocols use a secret key updating mechanism. There are two ways to update the private key. In the first method, the server and the tag update the key simultaneously after authentication. In the second method, the server sends the updated key to the tag, and then the tag keeps this key for the next session. These two ways cannot resist the de-synchronization attack effectively. In our protocol, the server stores the old and new key for the tag to avoid losing synchronization. Besides, once the tag receives the message computed by the new key, the tag first updates the stored key before verifying. Secondly, the tag computes the value $D'$ from its updated key, $R_t$ and $T_R$. Next it compares the computed $D'$ with the received $D$; if they are equal, the tag uses the new key for the next session. When step 4 or 5 is interrupted by the adversary, the tag does not reset Flag and considers this session unsuccessful. In the next session, the reply message to the reader query is encrypted by the secret key, and the server may use the value $K_{old}$ to authenticate the tag. In this protocol, the server stores the new and the old key for the tag in case synchronization is lost, and shares the key updating mechanism with the tag at the same time. In this way, the de-synchronization attack is resisted.

Forward security: The tag updates its secret authentication key in each session to ensure forward security, which is very important in ownership transfer.

The security comparison of the protocols is shown in TABLE III.

TABLE III. SECURITY COMPARISON

| Protocol | Tag counterfeit | Reader counterfeit | Replay attack | De-synchronization attack | Forward security | Reader authentication |
|---|---|---|---|---|---|---|
| ESAP | Yes | No | Yes | No | No | No |
| WISP | Yes | No | Yes | No | No | No |
| TMAP | Yes | Yes | Yes | Yes | Yes | Yes |

B. Efficiency Analysis

For comparison, the parameters are defined as follows, with reference to the paper [9]:

• The key has a length of $b$ bits.
• The TID has a length of $b$ bits, as does the $R_{id}$.
• The random number and the time-stamp each have a length of $0.5b$ bits.
• Flag has a length of 1 bit.

Besides, the RFID system contains $n$ tags and $m$ readers.

Computation: Our protocol operates over low-cost tags, so the computation must be as little as possible. It reduces the computation in the following three aspects:

(1) The tag responds to the query message of the reader with a simple XOR and a single hash operation, and only after considering the challenge message valid. This reduces the computation remarkably compared with most other protocols, which respond to all query messages directly.

(2) Our protocol employs the hash table query to authenticate the reader, which costs little constant computation.

(3) The Flag scheme reduces the computation of the back-end server greatly.

TABLE IV shows the computation comparison among the existing protocols and our new protocol. From this table, the computation in the tag for the protocol TMAP is less. For authentication to the server, the reader needs one hash computation. From the comparison, the computation is less than in the other two protocols.

TABLE IV. COMPUTATION COMPARISON

| Protocol | Tag | Reader | Server (for tag) |
|---|---|---|---|
| ESAP | 2 hash | | 2 hash |
| WISP | 2 hash | | 3 hash |
| TMAP | 1 hash | 1 hash | 2 hash |

Communication: Our protocol achieves two mutual authentications: between the server and the tag, and between the server and the reader. Only five rounds are required for the two mutual authentications in the mobile RFID environment. The communication comparison is shown in TABLE V.

TABLE V. COMMUNICATION COMPARISON

| Protocol | A1 | A2 | B | C1 | C2 | C3 | C4 | C5 |
|---|---|---|---|---|---|---|---|---|
| ESAP | √ | h | 5 | b | 3b | 3b | 1.5b | 1.5b |
| WISP | √ | h | 4 | 0.5b | 2.5b | 3.5b | b | |
| TMAP | √ | h | 5 | b | 1.5b+1 | 2.5b+1 | 2b | b |

A1: the authentication between the reader and the tag. A2: the authentication between the server and the reader. B: the communication rounds. C1: the cost for the reader to the tag in the first round. C2: the cost for the tag to the reader. C3: the cost for the reader to the server. C4: the cost for the server to the reader. C5: the cost for the reader to the tag in the last round.

Storage: Our new protocol is efficient in terms of non-volatile memory. The storage comparison is shown in TABLE VI.

TABLE VI. STORAGE COMPARISON

| Protocol | Tag | Reader | Server |
|---|---|---|---|
| ESAP | 3b | | 2bn |
| WISP | 6b | | 6bn |
| TMAP | 3b | 2b | 3bn+0.5b+2bm |

V. CONCLUSION

In this paper, we have proposed a tripartite mutual authentication protocol. The main idea of this protocol is using the monotonically increasing time-stamp to ensure that the message is unique and random. The protocol can resist the tag counterfeit attack, the reader counterfeit attack, the replay attack, the timing attack as well as the DoS attack. Our protocol works in mobile RFID systems. It is both high-security and high-performance.

ACKNOWLEDGMENT

This work was supported by the 973 Program (No. 2012CB315905), the National Natural Science Foundation of China (No. 60873263, 60932005, 61172048, 61100184), and the NCET Program of MoE of China (No. NCET-09-0268).

REFERENCES

[1] Pedro Peris Lopez. Lightweight Cryptography in Radio Frequency Identification (RFID) Systems. PhD thesis, Computer Science Department, Carlos III University of Madrid, November 2008.
[2] Adi Shamir. SQUASH – A New MAC with Provable Security Properties for Highly Constrained Devices Such as RFID Tag. Fast Software Encryption – FSE, pp. 144-157, Springer-Verlag (2008).
[3] Gene Tsudik. YA-TRAP: Yet another trivial RFID authentication protocol. In Fourth IEEE Annual Conference on Pervasive Computing and Communications – PerCom 2006, pp. 640-643, Pisa, Italy, March 2006. IEEE Computer Society.
[4] M. Burmester, T. van Le, B. de Medeiros. Provably Secure Ubiquitous System: Universally Composable RFID Authentication Protocols. IEEE/Createnet Securecomm, September 2006.
[5] C. Chatmon, T. van Le, M. Burmester. Secure Anonymous RFID Authentication Protocols. Technical Report TR-060112, Florida State University, Computer Science Dept, 2006.
[6] Gene Tsudik. A Family of Dunces: Trivial RFID Identification and Authentication Protocols. In N. Borisov and P. Golle, editors, Privacy Enhancing Technologies, 7th International Symposium – PET 2007, Vol. 4776: 45-61, Ottawa, Canada. Springer-Verlag, Berlin.
[7] M. Rahman, M. Soshi, A. Miyaji. A Secure RFID Authentication Protocol with Low Communication Cost. Mar. 2009, pp. 559-564.
[8] Md. Monzur Morshed, Anthony Atkins, Hongnian Yu. An Efficient and Secure Authentication Protocol for RFID Systems. Proc. of the 17th International Conference on Automation & Computing, September 2011.
[9] G.N. Khan, M.B. Moessner. Secure Authentication Protocol for RFID Systems. Computer Communications and Networks (ICCCN), 2011.
[10] R. Greeff, F.W. Smith, D.K. Ovard. RFID Device Time Synchronization From a Public Source [P]. US: Related U.S. Application Data, US 8,154,407, B2, Apr. 10, 2012.
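
The TMAP exchange of Section III.C, together with the Flag-based recovery discussed under the de-synchronization attack, as an added Python example that is not the authors' code. It assumes HMAC-SHA256 in place of the lightweight tag hash, 128-bit identities and keys with 64-bit time-stamps and nonces, the strict "greater than the stored one" time-stamp check from Section III.A, and that on a $K_{old}$ match the server re-derives $K_{new} = K_{old} \oplus R_t$, which the paper does not spell out but the tag's $D'$ check in step (6) requires.

```python
import hashlib, hmac, secrets
eq = hmac.compare_digest

def h(key, msg):  # h_key(msg); HMAC-SHA256 stands in for the tag hash (assumption)
    return hmac.new(key.to_bytes(16, "big"), msg.to_bytes(32, "big"), hashlib.sha256).digest()

def body(tid, tr, rt, rr):  # (TID xor TR) || (Rt xor Rr), 64-bit TR/Rt/Rr
    return ((tid ^ tr) << 64) | (rt ^ rr)

class Tag:
    def __init__(self, tid, key):
        self.tid, self.key, self.tt, self.flag = tid, key, 0, 0

    def respond(self, tr, rr):
        """Step (2): return (B, Ci), or None when TR is not newer than TT."""
        if tr <= self.tt:
            return None
        self.tr, self.rr, self.rt = tr, rr, secrets.randbits(64)
        b = ((tr ^ self.rt) << 1) | self.flag            # B = (TR xor Rt) || Flag
        key = self.tid if self.flag == 0 else self.key   # C0 uses TID, C1 uses KT
        self.flag = 1                                    # stays 1 until D verifies
        return b, h(key, body(self.tid, tr, self.rt, rr))

    def finish(self, d):
        """Step (6): commit K xor Rt, TT and Flag only if D verifies."""
        cand = self.key ^ self.rt
        if not eq(d, h(cand, body(self.tid, self.tr, self.rt, self.rr))):
            return False
        self.key, self.tt, self.flag = cand, self.tr, 0
        return True

class Server:
    def __init__(self, readers, tags):
        self.readers = readers                            # {Rid: KR}
        self.tags = {t: [k, k] for t, k in tags.items()}  # {TID: [Kold, Knew]}

    def verify(self, ts, a, b, c, rr):
        """Step (4): return (D, E), or None if the reader or the tag fails."""
        table = {h(kr, rid ^ ts): (rid, kr) for rid, kr in self.readers.items()}
        if a not in table:                                # 1) hash-table lookup of A
            return None
        rid, kr = table[a]
        flag, rt = b & 1, (b >> 1) ^ ts                   # 2) TR = TS, so Rt falls out of B
        for tid, keys in self.tags.items():               # 3) find the tag behind Ci
            m = body(tid, ts, rt, rr)
            for k in ([tid] if flag == 0 else [keys[1], keys[0]]):
                if eq(c, h(k, m)):
                    base = keys[1] if flag == 0 else k    # k is Kold if the tag missed D
                    keys[0], keys[1] = base, base ^ rt    # 4) assumed on a Kold hit too
                    return h(keys[1], m), h(kr, rid ^ ts ^ rr)  # D, E
        return None

def session(tag, reader, server, tr, drop_d=False):
    """One run of steps (1)-(6); reader is (Rid, KR); drop_d blocks message (5)."""
    (rid, kr), rr = reader, secrets.randbits(64)
    resp = tag.respond(tr, rr)
    if resp is None:
        return "stale-timestamp"
    out = server.verify(tr, h(kr, rid ^ tr), *resp, rr)   # A = h_KR(Rid xor TR)
    if out is None:
        return "rejected"
    if not eq(out[1], h(kr, rid ^ tr ^ rr)):              # reader checks E' == E
        return "bad-server"
    if drop_d:
        return "interrupted"
    return "ok" if tag.finish(out[0]) else "bad-d"

def demo():
    tid, k0, rid, kr = (secrets.randbits(128) for _ in range(4))  # constructed values
    tag, server = Tag(tid, k0), Server({rid: kr}, {tid: k0})
    results = [session(tag, (rid, kr), server, 100),               # normal run
               session(tag, (rid, kr), server, 100),               # replayed TR
               session(tag, (rid, kr), server, 101, drop_d=True),  # D blocked
               session(tag, (rid, kr), server, 102)]               # recovery via Kold
    return results, tag.key == server.tags[tid][1], tag.flag
```

`demo()` returns the four session outcomes, whether the tag key and the server's $K_{new}$ agree afterwards, and the tag's final Flag.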