An Advanced Encryption Standard Powered Mutual Authentication Protocol Based on Elliptic Curve Cryptography for RFID, Proven on WISP

Information in patients' medical histories is subject to various security and privacy concerns. Meanwhile, any modification or error in a patient's medical data may cause serious or even fatal harm. To protect and transfer this valuable and sensitive information in a secure manner, radio-frequency identification (RFID) technology has been widely adopted in healthcare systems and is being deployed in many hospitals. In this paper, we propose a mutual authentication protocol for RFID tags based on elliptic curve cryptography and the advanced encryption standard. Unlike existing authentication protocols, which only send the tag ID securely, the proposed protocol can also send the valuable data stored in the tag in encrypted form. The proposed protocol is not simply a theoretical construct; it has been coded and tested on an experimental RFID tag. The proposed scheme achieves mutual authentication in just two steps and satisfies all the essential security requirements of RFID-based healthcare systems.


Introduction
Radio-frequency identification (RFID) technology is one of the most promising advances in pervasive infrastructures that allow the contactless identification of tagged objects and people. RFID systems are composed of a tag, a reader, and a back-end database server. The reader is used to query the tag identity, which is forwarded to the back-end server.
The data in RFID systems can be read, without line of sight, through nonconducting materials such as cardboard or paper at a rate of hundreds of tags per second and at a distance of several meters. Tags have read/write memory capability, can store data, and are relatively insensitive to adverse conditions (dust, chemicals, and physical damage). Besides replacing optical barcode systems, the above advantages make RFID tags applicable in various scenarios, including access control, environmental sensing, livestock and automobile identification, inventory control, and theft detection. RFID technology is widely used in healthcare environments, where it has been applied to newborn and patient identification [1], tracking medical assets [2], medical treatment tracking and validation [3], surgical process management [4], and patient location and procedure management [5].
The legacy systems in hospitals could be integrated with middleware to provide many smart services, such as drug administration, patient identification, and asset tracking. However, hospitals are open and insecure environments in which radio waves are used for connections. An eavesdropper could read, modify, or even clone the data stored in patients' tags. Thus, security and privacy are major concerns for the use of RFID systems in healthcare environments. The US Food and Drug Administration (FDA) declared that "Hospira and an independent researcher confirmed that Hospira's Symbiq Infusion System could be accessed remotely through a hospital's network. This could allow an unauthorized user to control the device and change the dosage the pump delivers, which could lead to over- or underinfusion of critical patient therapies" [6]. In future, the FDA may warn about other devices or even RFID-based healthcare systems. For instance, if the blood groups or laboratory test results were modified on the RFID tags attached to blood bags [7], patients could suffer fatal harm. To prevent and eliminate these potential hazards, strict and rigid mutual authentication protocols must be employed between the tag and the reader using the latest cryptographic technologies.
Protocols conforming to the EPC Class 1 Generation 2 standard are increasingly inadequate, and there is demand for stronger protocols. Furthermore, advances in integrated circuit techniques mean that RFID tags can now support the complex operations of private and public key cryptography. In this paper, using the latest revision of the Wireless Identification and Sensing Platform (WISP5) (Figure 1) [8], we propose a mutual authentication protocol based on elliptic curve cryptography (ECC) and advanced encryption standard (AES) algorithms. WISP5 is an EPC Class 1 Generation 2 UHF passive RFID tag that is embedded with AES and sensors and includes a fully programmable 16-bit microcontroller (MSP430 16 MHz CPU, 64 KB nonvolatile memory, 66 KB RAM [9]). Integrating passive RFID with sensing technologies is widely applicable in many productive sectors.
For instance, in several healthcare application scenarios the built-in sensors of the WISP are directly useful: a WISP can easily report the temperature of a tagged blood bag to the system. Whether a box containing glass tubes of patient specimens in the laboratory has fallen, or what the ambient temperature is, can be determined via a WISP tagged to the box. Moreover, there are many valuable devices in the hospital, and some of these devices are portable. It is possible to obtain the location of WISP-tagged devices and to easily determine whether a WISP-tagged device has been moved. In the above scenarios, if authentication is provided, we can trust that the tags are legitimate. WISP5 is passively powered, obtaining power from the reader rather than a battery. Hence, this is essentially a maintenance-free system.
Compared with public key algorithms such as RSA, ECC-based systems are smaller and faster and consume less power (Table 1). Thus, the elliptic curve Diffie-Hellman scheme (ECDH) is used to produce the secret key that will encrypt the tag ID and data. The elliptic curve digital signature algorithm (ECDSA) is used to prevent man-in-the-middle attacks [10] and to achieve mutual authentication between the tag and the reader.

Related Work
Many ECC-based authentication schemes have been proposed to satisfy the security constraints of RFID tags. Tuyls and Batina [12] used the Schnorr identification protocol to develop an ECC-based RFID identification scheme. This scheme claimed to be resistant against tag counterfeiting. However, Lee et al. [13] showed that this scheme is vulnerable to location tracking attacks, does not achieve forward security and mutual authentication, and lacks scalability. Based on Okamoto's authentication protocol, Batina et al. [14] proposed an ECC-based RFID authentication protocol that they claimed could avoid active attacks. Lee et al. [13] mentioned that Batina et al.'s protocol is vulnerable to location tracking attacks and has scalability and forward secrecy issues. Lee et al. [13] claimed to solve all the issues mentioned above, but later studies [15,16] showed that Lee et al.'s scheme is vulnerable to tracking and forgery attacks and does not provide mutual authentication. In 2010, Lee et al. [17] proposed an ECC-based RFID authentication scheme to address the existing tracking problems [12,14]. Only tag-to-reader authentication was considered, rather than reader-to-tag authentication. In 2011, Zhang et al. [18] proposed an ECC-based randomized key scheme that improved previous schemes. Although secure against some relevant attacks, this approach still does not perform mutual authentication.
In 2014, Liao and Hsiao [19] proposed a secure ECC-based RFID authentication scheme with an ID-verifier transfer protocol to achieve mutual authentication. However, the weaknesses of this approach were detailed in three separate studies. First, Moosavi et al. [20] mentioned that the tag identification of Liao and Hsiao's scheme lacks efficiency in terms of the tag's computation time and its memory requirements. Second, He et al. [21] proposed a lightweight ECC-based RFID authentication integrated with an ID-verifier transfer protocol and pointed out that their proposal performs better than that of Liao and Hsiao in terms of computational cost and storage requirements. Third, Zhao [22] showed that Liao and Hsiao's method enabled an adversary to obtain the private key stored in the tag. Chou [23] proposed a new RFID authentication protocol using ECC and claimed that it could resist various attacks. Later, Zhang and Qi [24] pointed out that Chou's protocol [23] suffers problems with tag information privacy, backward traceability, and forward traceability.
In 2015, Jin et al. [25] proposed a secure RFID mutual authentication protocol for healthcare environments using ECC and claimed that their proposal could withstand various attacks while outperforming the protocols detailed in [21,22,24]. In the same year, Lee and Chien [26] proposed an ECC-based RFID authentication protocol for e-health and reported that He et al.'s protocol [21] is vulnerable to active tracking attacks. In 2016, Farash et al. [27] proved that both Zhao's [22] and Zhang and Qi's [24] schemes do not provide forward privacy. Recently, in 2017, Benssalah et al. [28] proposed a secure RFID authentication protocol based on elliptic curve signature with message recovery (ECMR) suitable for m-Health environments and claimed that their proposal achieves many security requirements, withstands the well-known attacks, and performs better than the well-known authentication protocols in the literature; however, it was not implemented or tested on RFID tag hardware.
At this point, wireless body area network (WBAN) authentication protocols are worth mentioning. In 2013, Li et al. [29] proposed the first ECC-based WBAN authentication protocol. However, because of the limited resources of wearable devices, the scheme was unsuitable. To improve performance, in 2014 Liu et al. [30] proposed two certificateless anonymous authentication protocols. However, Zhao [31] noted that the protocols of Liu et al. [30] are vulnerable to stolen-verifier attacks and proposed an enhanced scheme. Meanwhile, Xiong [32] pointed out that the protocols of Liu et al. [30] lack forward secrecy and scalability and proposed a scalable and anonymous certificateless remote authentication protocol. In 2015, He and Zeadally [33] showed that Zhao's protocol [31] cannot provide privacy and proposed an authentication protocol beyond WBAN for an ambient assisted living system that authenticates the user to the local server, but authentication between the local server and the body sensors was not considered. In 2016, He et al. [34] pointed out that the schemes of Liu et al. [30] suffer from impersonation attacks and proposed an anonymous authentication scheme for WBAN. In the same year, Liu et al. [35] presented a 1-round anonymous authentication protocol. However, in 2017 Li et al. [36] pointed out that the scheme of Liu et al. [35] is vulnerable to impersonation, stolen-verifier, and denial-of-service attacks and proposed an enhanced 1-round authentication protocol with user anonymity. Later in the same year, Li et al. [37] noted that the above-reviewed authentication protocols for WBAN either provide no procedure to revoke a user's privileges or lack anonymity. Moreover, they proposed an anonymous mutual authentication and key agreement scheme for wearable sensors in WBAN.

Contributions and Paper Organization
Unlike other existing schemes, the proposed scheme sends the tag's ID and the valuable data stored in the tag securely (encrypted by AES), whereas existing protocols attempt to send only the tag's ID. Schemes that realize mutual authentication do so in at least 3 steps, while in our work mutual authentication is realized in only 2 steps. The proposed scheme is realized and tested on real devices. Unlike Jin et al.'s study [25], where a precomputation method is used, the private and public keys are not static but are refreshed after each communication, which strengthens security and makes the keys untraceable and unpredictable. The contributions can be summarized as follows: (i) ECDH is used to produce the secret key that AES uses to encrypt both the tag's ID and the valuable data stored in the tag.
(ii) ECDSA is used to prevent the man-in-the-middle attack that ECDH suffers from, and thereby to realize mutual authentication.
(iii) The AES engine embedded in WISP5 is used to encrypt both the tag's ID and the tag's valuable data.
(iv) ECC is generally not practical on resource-constrained systems, so the tiny ECC library [38] has been used in this scheme.
(v) Shamir's trick is used to compute ( 1 +  2   ), which is needed in ECDSA verification. A direct implementation requires two scalar multiplications and a point addition, but with Shamir's trick the cost is close to one scalar multiplication [39].
(vi) The efficiency of point multiplication has been increased by using Montgomery's ladder with co- coordinates [40].
The remainder of this paper is organized as follows. The RFID mutual authentication protocol is proposed in Section 4, where Section 4.1 discusses the protocol. The security analysis is given in Section 4.2, the performance analysis in Section 4.3, and the security and performance comparison in Section 4.4. Finally, conclusions and future work are given in Section 5.

Proposed Protocol
The WISP5 built-in random number generator has been used as the random number generator of our proposed protocol. We assume that communication between the reader and the back-end database server is secure, and that communication between the tag and the reader is not secure. The reader is fully equipped and connected directly to a power supply. The proposed scheme uses the WISP5, an Impinj Speedway reader, the MSP-FET430UIF debugging tool, the WISP5 programming adapter, Code Composer Studio, and a PC.
4.1. Discussion. The scheme has two participants: the trusted tag and the trusted reader, which is connected to the back-end database server (Figure 2). Our protocol consists of two phases: a setup phase and an authentication phase. The notation used in this protocol is as follows: Setup Phase. In this phase, both the reader and the tag agree on a curve with elliptic curve domain parameters , , , , , and ℎ. Elliptic curve secp160r1, recommended by NIST, is used for the domain parameter values [41].
(1) All tags' identifiers (ID) are stored in the back-end database server.
(2) The tag selects an integer   at random as its private key for ECDSA, where 1 ≤   ≤  − 1, and computes its public key   that will be used in ECDSA, where   =   . Then, the public key   of the tag is stored in the back-end database server.
(3) The reader selects an integer   at random as its private key for ECDSA, where 1 ≤   ≤  − 1, and computes its public key   that will be used in ECDSA, where   =   . Then, the public key   of the reader is set on all the tags manually.
Authentication Phase. At the end of this phase, the public keys  and  are produced,  and  are signed and verified, and  and  are exchanged. The secret key   is produced and mutual authentication is achieved in two steps as follows:
(1) The reader picks a random integer r as its private key for ECDH, where 1 ≤  ≤  − 1, and computes its public key R (at the same time treated as the message for ECDSA) that will be used in ECDH, where R = rG.
(2) Before starting the ECDH key exchange and sending R to the tag, the reader signs R using ECDSA as follows:
(3) The reader sends  and its signature pair (, ) to the tag.
(4) Once the tag receives  and its signature (, ), it verifies  as follows: otherwise, the tag rejects the session.
(5) If the reader is authenticated, the tag picks a random integer t as its private key for ECDH, where 1 ≤  ≤  − 1, and computes its corresponding public key  = .
(6) Before starting the ECDH key exchange and sending  to the reader, the tag signs  using ECDSA as follows:
(8) The tag encrypts its ID using AES:  = AES   (ID).
(9) The tag sends its public key , its signature pair (, ℎ), and  to the reader.
(12) To obtain the tag ID, the reader decrypts AES by ID = AES −1   ().
(13) The server compares the ID with ID  from its database. If  2 =  mod  and ID = ID  , the tag is authenticated; otherwise, it is not, and the reader rejects the session.
As shown in Table 2, mutual authentication is achieved in only two steps. If the sensing capabilities of the WISP are to be exploited, data from the sensors' readings can be sent together with the tag ID.
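The two-step exchange of the authentication phase above, written out end to end as an added example; this is not code from the paper or from the WISP5 project. Assumptions, also marked in the code: secp256k1 domain parameters are used instead of secp160r1 (the protocol logic does not depend on the curve), SHA3-256 serves both as the ECDSA digest of the signed public key and as the key-derivation function over the ECDH shared point, a SHA3-keyed keystream stands in for the WISP5 hardware AES, and all function and variable names are the example's own. `ecdsa_verify` computes u1·G + u2·Q with the interleaved double-and-add of Shamir's trick from contribution (v), so the block also illustrates that item.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumption: the paper uses secp160r1, whose
# values are not reproduced here; the protocol logic does not depend on the curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
INF = None  # point at infinity

def on_curve(pt):
    return pt is not INF and (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def ec_add(p1, p2):
    # Affine addition/doubling on y^2 = x^3 + A*x + B over GF(P).
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return INF            # Q + (-Q)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    # Scalar multiplication by double-and-add (not constant-time; illustration only).
    acc = INF
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def shamir_mul(u1, p1, u2, p2):
    # u1*p1 + u2*p2 in one interleaved pass (Shamir's trick, contribution (v)): one
    # doubling per bit plus at most one addition, instead of two full scalar multiplications.
    both, acc = ec_add(p1, p2), INF                  # precompute p1 + p2 once
    for i in range(max(u1.bit_length(), u2.bit_length()) - 1, -1, -1):
        acc = ec_add(acc, acc)
        bits = ((u1 >> i) & 1, (u2 >> i) & 1)
        if bits == (1, 1): acc = ec_add(acc, both)
        elif bits == (1, 0): acc = ec_add(acc, p1)
        elif bits == (0, 1): acc = ec_add(acc, p2)
    return acc

def keygen():
    # Private key in [1, N-1] and its public key; used for the long-term ECDSA keys
    # of the setup phase and for the per-session ECDH keys r and t.
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)

def hash_point(pt):
    # ECDSA digest of the signed public key: SHA3-256 over x||y (hash choice is an assumption).
    x, y = pt
    return int.from_bytes(hashlib.sha3_256(x.to_bytes(32, "big") + y.to_bytes(32, "big")).digest(), "big") % N

def ecdsa_sign(priv, msg_point):
    e = hash_point(msg_point)
    while True:
        k = secrets.randbelow(N - 1) + 1             # fresh nonce for every signature
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r and s: return (r, s)

def ecdsa_verify(pub, msg_point, sig):
    r, s = sig
    if not (on_curve(msg_point) and 1 <= r < N and 1 <= s < N): return False
    w = pow(s, -1, N)
    pt = shamir_mul(hash_point(msg_point) * w % N, G, r * w % N, pub)   # u1*G + u2*Q
    return pt is not INF and pt[0] % N == r

def derive_key(shared):
    # Session key from the x-coordinate of the ECDH shared point (derivation is an assumption).
    return hashlib.sha3_256(shared[0].to_bytes(32, "big")).digest()

def encrypt(key, data):
    # Stand-in for the WISP5 hardware AES (assumption): SHA3-keyed keystream XOR; same call decrypts.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha3_256(key + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

# --- the two-step exchange (steps 1-13 of the authentication phase) ---
def reader_start(reader_sign_key):
    # Steps 1-3: ephemeral r, R = rG, and the reader's ECDSA signature on R.
    r, R = keygen()
    return r, (R, ecdsa_sign(reader_sign_key, R))

def tag_respond(msg1, reader_sign_pub, tag_sign_key, tag_id):
    # Steps 4-9: verify R, pick t, T = tG, session key from tR, encrypted ID. None = session rejected.
    R, sig_R = msg1
    if not ecdsa_verify(reader_sign_pub, R, sig_R): return None
    t, T = keygen()
    return (T, ecdsa_sign(tag_sign_key, T), encrypt(derive_key(ec_mul(t, R)), tag_id))

def reader_finish(r, msg2, tag_sign_pub, id_database):
    # Steps 12-13: verify T, session key from rT, decrypt the ID and check it against the database.
    T, sig_T, C = msg2
    if not ecdsa_verify(tag_sign_pub, T, sig_T): return None
    tag_id = encrypt(derive_key(ec_mul(r, T)), C)
    return tag_id if tag_id in id_database else None

if __name__ == "__main__":
    rk, RK = keygen(); tk, TK = keygen()              # setup phase: long-term ECDSA key pairs
    database = {b"TAG-0001"}                          # constructed sample ID database
    r, m1 = reader_start(rk)
    m2 = tag_respond(m1, RK, tk, b"TAG-0001")
    print("authenticated ID:", reader_finish(r, m2, TK, database))
```

The rejection paths are the part worth checking: a reader whose signing key is not the one provisioned on the tag, a public key R altered in transit, an unknown ID, or a tag message replayed from an earlier session (the new r gives a different session key, so the decrypted ID does not match) all end in `None` rather than in an authenticated session.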

Security Analysis
Our proposed protocol is resistant to the known attacks detailed in Table 2. This section analyzes the security of our proposed protocol.
Mutual Authentication. Using the signature pair (, ) and the reader's public key used in ECDSA (  ), the tag can verify the signed public key (), whereby the reader is authenticated. Tag authentication passes through two stages. In stage one, using the signature pair (, ℎ) and the tag's public key used in ECDSA (  ), the reader verifies the signed public key () and hence authenticates the tag. In stage two, the reader authenticates the tag because (1) the unique IDs of all tags are stored beforehand in the back-end database server, (2) the tag IDs are sent in AES-encrypted form, (3) each session uses a different secret key   , (4) the reader can decrypt the ciphertext and obtain the ID, and (5) the received ID matches the stored ID  . Hence, the proposed protocol provides mutual authentication.
Tracking Attack, Traceability, Location, and Information Privacy. Because the ID and confidential information on the tag are encrypted by AES using   , an attacker has to break AES or obtain   to access the ID or confidential information, which is computationally infeasible. Moreover,   is dynamic, meaning that after each session a new and different key is produced. Accordingly, the tag cannot be tracked, and the attacker cannot obtain the location or the private information stored in the tag. Hence, it cannot be traced.
Desynchronization Attack, Denial-of-Service (DoS) Attack, and Availability. In the proposed scheme, neither the tag ID nor any critical data that could cause desynchronization is updated after each execution. Therefore, the proposed protocol can withstand desynchronization attacks, and both the tag and the reader remain synchronized and available to communicate. Thus, DoS attacks are withstood and availability is maintained.
Tag Anonymity. An adversary who intercepts R, z, s, T, , h, and C between the reader and the tag and attempts to obtain the tag ID cannot get the session key   , because this is computationally infeasible under the Diffie-Hellman problem and the elliptic curve discrete logarithm problem (ECDLP). Thus, the proposed protocol protects tag anonymity.
Eavesdropping and Man-in-the-Middle. Even if an adversary eavesdrops on messages transmitted between the reader and the tag, the data are useless without the private keys ( and ). When trying to obtain , , or any valuable information, the attacker faces the computational Diffie-Hellman problem and the ECDLP. Any modification of the messages will be detected, because  and  are signed by the private keys   and   respectively, and the received ID is compared with the stored ID  . Thus, the proposed protocol is resistant to eavesdropping and man-in-the-middle attacks.
Tag Impersonation and Reader Spoofing Attacks. To impersonate a tag, an attacker must produce   or break AES, which is computationally infeasible under the Diffie-Hellman problem and the ECDLP. As the public key of the tag () is signed by the private key   and verified by the public key   of the tag, an attacker cannot impersonate the tag. Similarly, attackers cannot spoof the reader, because this would require the signature pair (, ) and the production of   , all of which are unattainable without knowing  and . Thus, the proposed protocol can overcome tag impersonation and reader spoofing attacks.
Cloning Attacks. To clone a tag, attackers must obtain the ID of the tag they wish to clone. Obtaining the tag ID requires either the computation of   , which is computationally infeasible under the Diffie-Hellman problem and the ECDLP, or the breaking of AES. Hence, the proposed protocol is resistant to cloning attacks.
Full Disclosure Attacks. The sent messages R, z, s, T, , h, and C do not disclose any secrets. Hence, even if an adversary could intercept these messages, it would be unable to progress without the random private keys t and r. Furthermore, any attempt to calculate  and  will encounter the computational Diffie-Hellman problem and the ECDLP, or AES. Thus, the scheme resists full disclosure attacks.
Replay Attacks. Intercepting , , and  and replaying them to the tag will not produce   from the previous session, because the tag chooses a new private key that is used to form the new session key   . Similarly, replaying , , ℎ, and  from the previous session will not cause the reader to produce   from the previous session.

Confidentiality. As the tag ID is transmitted as ciphertext, and   changes for every session, an attacker cannot achieve

Table 2: Steps of the proposed protocol, with a Tag column and a Reader column. Setup phase: both reader and tag agree on a curve and on the elliptic curve domain parameters , , , , , and ℎ; the reader's ECDSA public key (  ) is set manually on all the tags; each side picks its private key   randomly and computes the public key   =   . Authentication phase: (1) computing the public key (pick  randomly as the private key; then  = ), (2) signing . The remaining rows of the table are not recoverable from the extracted text.

Performance Analysis. 3) from reader-to-tag involves transmitting the 320-bit reader public key and the 320-bit reader signature (= 640 bits), and the communication cost from tag-to-reader involves transmitting the 320-bit tag public key, the 320-bit tag signature, and the 128-bit encrypted tag ID (= 768 bits). Unlike the proposal in [25], which used the pairing-based cryptography library with an embedding degree of 2 on an Intel Pentium(R) Dual-Core processor at 2.69 GHz with 2048 MB of RAM, and the proposal in [21], which assumed a hardware platform of a Pentium-IV 3 GHz processor with 512 MB of memory and Windows XP [42], our proposed protocol is realized on a passive tag with a 16 MHz MSP430, 64 KB nonvolatile memory, and 66 KB RAM. As shown in Table 4, computing   requires 1.4578926250 s (= 23,326,282 CPU cycles / 16 MHz). However, on the same system used by Jin et al. [25], computing   would require 0.00867148 s (= 23,326,282 CPU cycles / 2.69 GHz). Previous ECC-based protocols have been evaluated under simulation scenarios, whereas the proposed protocol has been realized on a real device.
Although the proposed scheme uses the tiny ECC library [38] and the AES embedded in the WISP5 platform, its heaviness is apparent from the results. However, considering the algorithms used in the proposed protocol, the results reported by Marin et al. [43] indicate that each point addition and point doubling on the MSP430 require 22,981.05 and 25,743.13 CPU  [45], using the same code, the response times may halve within at most two years.

Security and Performance Comparison.
In this section, a performance and functionality comparison is made between the proposed scheme and some related ECC-based RFID authentication schemes. Table 5 shows the communication cost of our proposed scheme and of the related schemes. Although our proposal achieves mutual authentication in just two steps, its communication cost is lower than that of [23] and very close to that of the other compared schemes. In terms of security services and attacks, Table 6 lists the security comparison between our proposed scheme and the other ECC-based schemes. Our protocol offers more security features than the related schemes, withstands the common attacks, and satisfies the essential security requirements of RFID-based healthcare systems, which makes it more suitable than the other healthcare-related protocols.

Conclusion and Future Works
Following the FDA's declaration, efficient and rigid mutual authentication protocols are needed between the tag and the reader to prevent and eliminate potential hazards in healthcare environments. Accordingly, this paper has proposed a stable and powerful mutual authentication protocol applied on WISP5. Both symmetric and asymmetric algorithms have been exploited. The protocol has been coded and tested, and its security has been thoroughly analyzed. The code size, RAM usage, and response time of the scheme are clearly not optimal. However, considering that the MSP430 is being used with the SHA3, ECDH, and ECDSA algorithms, this is to be expected. ECC includes numerous time-consuming point multiplications. The cost of these operations could be reduced using methods to increase the

Figure 1: Front and back sides of WISP5.

Table 3: Communication cost.

Integrity, Modification Attack, and Unforgeability. Since ECDSA is used by the reader, modifications to the signature pair (, ) will be detected by the tag, and any modifications to , , and ℎ will cause the verification to fail and lead to a wrong   and accordingly a wrong ID. Hence, the proposed protocol provides integrity, rejects any modifications, and provides unforgeability.

Forward/Backward Security. An adversary cannot compromise the previous/current confidential information, because the transferred messages , , , , , ℎ, and  change after each execution according to the random private keys  and . Adversaries cannot obtain the tag ID, because it is sent as ciphertext with a different   in each session.

Table 4: Response times.

Marin et al. [44] found that producing a signature with tiny ECC requires 19308 bytes of ROM and 1510 bytes of RAM, that generating a signature requires 2 s, and that verifying the signature requires 2.43 s. Considering these facts, our results are reasonable. Indeed, some enhancements have been achieved. In the worst case, according to Moore's law