RFID technology has become popular in many applications; however, most RFID products lack security-related functionality due to the hardware limitations of low-cost RFID tags. In this paper, we propose a lightweight mutual authentication protocol adopting error correction code for RFID. Besides, we also propose an advanced version of our protocol to provide key updating. Based on the secrecy of shared keys, the reader and the tag can establish a mutual authenticity relationship. Further analysis of the protocol showed that it also satisfies integrity, forward secrecy, anonymity, and untraceability. Compared with other lightweight protocols, the proposed protocol provides stronger resistance to tracing attacks, compromising attacks and replay attacks. We also compare our protocol with previous works in terms of performance.
RFID (radio frequency identification) is a technique used for identifying objects via radio frequency. It has become very popular in many applications such as access control systems, supply chain management systems, transportation, ticketing systems, and animal identification. The global transaction of RFID system was US$2.65 billion in 2005 [
RFID systems are composed of three components: a set of tags, RFID readers, and one or more backend servers. A backend server is responsible for storing the information related to tags and performing the computation needed to authenticate a tag; in addition, a backend server usually has more computational power than RFID readers and tags. An RFID reader (called a reader in this paper) can access the backend server via a secure network channel and then acquire the information related to the tags. Generally, backend servers and readers are treated as a single entity since they are usually connected with each other through a wired line. RFID tags are small electronic devices composed of antennas, microprocessors, and memory storage. A tag can communicate with a reader by using the radio frequency signals transmitted by the reader. Normally, RFID tags can be classified into three types: active, semiactive, and passive. Active tags contain batteries and can actively communicate with the readers. Semiactive tags also have batteries, but they remain silent until they receive a query from a reader. Passive tags contain no battery; their energy comes from the reader’s radio signals through their antennas. Regarding the cost of the tag, the active and semiactive tags are expensive and each costs about US$20, while the passive tags are usually considered as
While RFID technology offers convenience, security and privacy issues are still the number one concern of most RFID applications today. Since an RFID tag can be continuously scanned within a 10-meter radius, the tag carrier’s location can be easily traced without the carrier’s awareness; thus privacy becomes an important issue in RFID applications. Moreover, RFID tags may contain sensitive information about the carrier that should not be revealed to anyone, especially to an attacker. In other words, tags should first verify the reader’s validity before sending private data. Meanwhile, readers should also be able to authenticate tags to prevent counterfeit tags.
To address these problems, researchers have proposed many RFID protocols to achieve mutual authentication, untraceability, and other security requirements. However, with limited computational ability and insufficient memory storage on its embedded chip, low-cost RFID protocol design still remains a challenge. Previous studies showed that the number of logic gates available for security functionality on a low-cost RFID tag is 400 to 4000 [
In this paper, we propose a lightweight mutual authentication protocol based on error correction codes to provide a secure RFID mechanism. More specifically, our protocol provides mutual authenticity and untraceability to protect the security and privacy of tag carriers. We also present an evaluation on the security and performance level of our proposed protocol. Compared to other previous works, our protocol not only meets the fundamental security requirements but is also lightweight enough to be implemented on low-cost RFID tags.
The rest of this paper is organized as follows. Section
With the rapid growth of network technology, security issues have been a matter of concern in various network environments [
There are many RFID protocols using one-way hash functions (e.g., [
The RFID authentication protocol can be classified into 4 classes. The first class refers to those protocols that apply conventional cryptographic functions, such as symmetric encryption or public key algorithm. The second class refers to those protocols that apply random number generator and one-way hash function. The third class refers to those protocols that apply random number generator and cyclic redundancy code (CRC) checksum. The last one refers to those protocols that apply simple bitwise operations (such as XOR, AND, OR, etc.). Generally, the third class is treated as lightweight level. Although our protocol has to adopt one hash function, we can simply apply the lightweight hash functions mentioned in the previous paragraph to achieve the goal of lightweight computation. Hence, by applying those lightweight hash functions, we propose our lightweight RFID protocol.
Lightweight authentication protocols aim to achieve mutual authentication through simple operations like bitwise XOR and binary addition. In 2005, Juels and Weis proposed a multiround lightweight authentication protocol called HB+ [
The EPCglobal Class 1 Generation 2 UHF Air Interface Protocol Standard (generally known as Gen2 standard) [
In information theory and coding theory, an error correction code (ECC) is a technique that enables the communicating parties to correct the transmission errors incurred by channel noise. This technique has been studied for over 50 years, and a substantial number of coding algorithms have been proposed. In the following, we provide a brief introduction to one of the subclasses of ECC, called linear block codes; in addition, if a linear block code fulfills certain properties, it forms a special case of linear block codes, called a perfect code. We give a short description of perfect codes at the end of this section as well.
During the transmission, the information source, or sender, will encode a
A block code of
Because a linear block code
To decode a codeword, we first construct a
A vector
Let
Hamming weight of a binary vector is defined as the number of 1 in the vector. We further define Hamming weight function Hw
The error correcting ability of a linear block code depends on the minimum Hamming distance (denoted as
For a
In this section, we propose a lightweight RFID authentication protocol. Our main idea is to provide a mutual authentication between reader and tag. Our protocol is designed for low-cost RFID tags; therefore, the requirement for implementing our protocol will not overload the capabilities of the tags. Besides, we also propose an advanced version of our protocol to provide key updating.
Our protocol is suitable for large scale RFID systems, such as ticketing systems, transportation systems, and supply chain systems. These applications are generally composed of millions of RFID tags and readers. More importantly, the proposed protocol is appropriate when a reader needs to find a specific tag in a large group of tags. For example, an airport employee wants to find a specific piece of RFID tagged luggage on a loaded cargo truck. The proposed scheme checks whether the specific tag is in this area. In these large scale systems, readers are normally held by authorized persons or are used under supervision. They can easily connect to servers and synchronize their data. The tags in these systems are generally carried by humans or attached to goods and baggage. They are frequently scanned by the valid readers, and, in some situations, the tags can be brought back to a secure check (e.g., the RFID tagged tickets can be recycled). Before introducing the proposed protocol, the notations used are presented in the Notation section at the end of the paper.
Initially, the administrator generates a pseudorandom number generator
The main objective of this protocol (Algorithm
(1) Generate a random challenge (2) (3) Generate a random challenge Compute Set Set (4) (5) Set Ignore (6) (7)
At the beginning,
In step 2,
Finally, no matter what their preassigned syndromes are, the tags respond
In Step 5,
In step 7,
As we stated before, the error vector generated by the reader must be selected carefully so that
Typically, the reader and the tag would exchange data after completing the authentication process. These data are sometimes considered private; for example, the tag used in a hospital would contain the records of its carrier. The threat of eavesdropping attacks makes the tag carriers feel insecure about transmitting sensitive data. To address this problem, we construct a mechanism to establish a session key and use it to encrypt the sensitive data. We suggest that the reader and the tag use the session key
The secret key should not be used permanently. In fact, if the key is compromised, the messages encrypted with this key are also compromised. Hence, both the probability that messages are compromised and the probability of financial loss increase with the length of time for which a key is in use. We think that the secret keys stored in the readers and the tags should be updated regularly. Previous works use two approaches to perform this updating procedure. One possible approach is to have tag carriers bring their tags back to an authorized institution so that the new keys can be written into the tags in a secure environment. Another approach is to have the tags use the one-way hash functions stored in them to calculate new keys by hashing the older one.
The first approach could be combined with our authentication protocol in some RFID systems like ticketing systems and supply chain systems, since the tags are generally returned to the backend server. The second approach is also adequate for our protocol. Both the tag and the reader can hash their current secret key
If the tag does not receive the verifier message
Now we present a modification of our protocol with the secret key updating mechanism in it. The steps of the modified protocol are depicted in Algorithm
(1) Generate a random challenge (2) (3) Generate a random challenge Set Set (4) (5) (6) (7)
Our protocol provides a convenient method for the tag and the reader to authenticate each other before exchanging data. Since the reader will receive many messages sent from other tags at the same time, our protocol uses the properties of error correction code to filter out the unnecessary messages. Therefore, the computational load of the reader is reduced. After mutual authentication, the relation between the reader and the tag is established. They will both update their secret keys to the new ones in order to defend against possible attacks. Furthermore, the two entities can also construct a session key to protect the message transmitted later.
In this section, we show that our protocols fulfill the security requirements for RFID systems.
A reader can easily authenticate the tag’s identity since only the valid tag has the secret key needed to construct the correct verifier message. The random challenge
The integrity of the exchanged messages is guaranteed since the messages are encrypted by the session keys. The modification of these messages will produce meaningless plaintext, and both reader and tag can detect such modifications. During the authentication process, the adversary can also eavesdrop and modify the exchanged messages. Nevertheless, any modification on
Our protocols maintain forward secrecy. Since the keys were updated by using one-way hash function in every session, the attacker cannot acquire the previous secret keys used in the prior sessions. Therefore, the previous session keys and the exchanged messages are secure.
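The hash-based key update and the forward secrecy argument above, as an added sketch that is not the paper's protocol: both sides replace the key K with h(K) after a successful session, and the reader keeps the previous key so that a lost reply does not leave the two sides desynchronized. SHA-256, the HMAC-based verifier messages, the retained previous key and all names are assumptions made for illustration.

```python
import hashlib
import hmac


def next_key(key: bytes) -> bytes:
    """One-way key update K' = h(K). SHA-256 stands in (assumption) for a lightweight tag hash."""
    return hashlib.sha256(b"key-update|" + key).digest()


def verifier(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Hypothetical verifier message: keyed hash over the sender's role and the challenge."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


class Tag:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return verifier(self.key, b"tag", challenge)

    def finish(self, challenge: bytes, reader_msg) -> bool:
        """Update the key only after the reader has proved knowledge of it."""
        expected = verifier(self.key, b"reader", challenge)
        if reader_msg is None or not hmac.compare_digest(reader_msg, expected):
            return False  # reply lost or forged: keep the current key
        self.key = next_key(self.key)
        return True


class Reader:
    def __init__(self, key: bytes):
        self.prev, self.cur = None, key

    def authenticate(self, challenge: bytes, tag_msg: bytes):
        """Return the reader's verifier message, or None if the tag is rejected.
        The previous key is tried too, which covers a tag that missed the last reply."""
        for k in (self.cur, self.prev):
            if k is not None and hmac.compare_digest(tag_msg, verifier(k, b"tag", challenge)):
                self.prev, self.cur = k, next_key(k)
                return verifier(k, b"reader", challenge)
        return None


def run_session(reader: Reader, tag: Tag, challenge: bytes, drop_reply: bool = False):
    """One authentication round; drop_reply simulates the reader's message being lost.
    Returns (reader accepted the tag, tag updated its key)."""
    reply = reader.authenticate(challenge, tag.respond(challenge))
    delivered = None if drop_reply else reply
    return reply is not None, tag.finish(challenge, delivered)


if __name__ == "__main__":
    k0 = bytes(16)  # constructed all-zero starting key, for demonstration only
    reader, tag = Reader(k0), Tag(k0)
    print(run_session(reader, tag, b"c1"))                   # normal round
    print(run_session(reader, tag, b"c2", drop_reply=True))  # reply lost
    print(run_session(reader, tag, b"c3"), tag.key == reader.cur)
```

In this sketch a tag keeps answering under the same key until a reader reply gets through, so its key only advances on completed sessions.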
Our protocols do not leak the tag’s identifier or any sensitive information. Therefore, our protocols fulfill the requirement of anonymity. During the authentication protocol,
Every tag stores the same generator matrix; therefore, all of them share the same probability of producing the same codeword. However, different tags will add different error vectors. As a result, the masked codewords produced by some tags can be decoded correctly while the others cannot. Once the parity check matrix is known by the adversary, this property may be used by the adversary to trace the tag. To defend against this, the tags further mask their messages with the secret keys. The adversary cannot apply decoding algorithm to the messages without first unmasking them. Hence, we can guard against tracing attacks as long as the target tag’s key is secure.
Now we analyze the probability that an attacker will successfully guess one secret key of a tag with different advantages provided. First, if the adversary knows no additional information, the success probability is surely
Estimated response time in different error correction codes.
| Error correction code | Messages amount (bits) | Response time |
|---|---|---|
| | | 24.8~198.1 |
| | | 53.1~424.5 |
| | | 84.9~679.2 |
| | | 110.0~877.4 |
| | | 110.0~877.4 |
| | | 166.3~1330.2 |
| | | 222.9~1783.0 |
| | | 222.9~1783.0 |
| | | 222.9~1783.0 |
| | | 449.3~3594.3 |
| | | 902.1~7217.0 |
Assume the adversary tries to launch the guessing attack by rapidly querying the tag before the tag’s stored key can be updated by the valid reader. Generally, in real-world applications, the adversary is unable to rapidly query a specific tag for a long time because of the mobility of the tag’s carrier. Therefore, attacks that require more than one hour may be regarded as useless. The adversary may instead steal a tag from the system to avoid side effects caused by carriers. However, in some existing RFID systems, tags are recycled regularly. For example, in public transportation systems, the RFID tagged tickets are recycled and counted every day. The system manager can find out whether a tag has been stolen and remove that tag from the system. As a result, the stolen tag will be unusable thereafter, and the attacker can no longer threaten the system with the tag. In other words, if the time required for an attack is longer than one day, the system can be considered secure. In Table
Estimated success probability for key guessing attack.
| Error correction code | Success probability within one hour | Success probability within one day |
|---|---|---|
| | 1 | 1 |
| | 1 | 1 |
| | 0.56~1 | 1 |
| | 0.002~0.02 | 0.05~0.37 |
| | 0.02~0.14 | 0.43~1 |
| | 9.3 × 10^-8~7.5 × 10^-7 | 2.2 × 10^-6~1.8 × 10^-5 |
| | 2.2 × 10^-13~1.8 × 10^-12 | 5.3 × 10^-12~4.2 × 10^-11 |
| | 5.8 × 10^-12~4.6 × 10^-11 | 1.4 × 10^-10~1.1 × 10^-9 |
| | 1.9 × 10^-10~1.5 × 10^-9 | 4.6 × 10^-9~3.7 × 10^-8 |
| | 8.3 × 10^-24~6.6 × 10^-23 | 2.0 × 10^-22~1.6 × 10^-21 |
In the following, we show the comparisons between our protocol and other related protocols in terms of the security requirements. We take Chien’s SASI protocol [
Comparison of security properties.
| | Our Protocol | Chien’s [ | Chien and Laih’s [ | Juels and Weis’s [ | Sun and Ting’s [ |
|---|---|---|---|---|---|
| Authenticity | | | | | |
| Integrity | | | | | |
| Forward secrecy | | | | | |
| Anonymity | | | | | |
| Untraceability | | | | | |
| Resistance to compromising | | | | | |
| Resistance to desynchronizing | | | | | |
SASI protocol was proposed in 2007. This ultralightweight authentication protocol requires only PRNG and simple bitwise operations which are supported by EPC Gen2 tags. However, studies [
We analyzed the security of our protocol and showed that it provides high security against the common security threats to RFID systems. We also analyzed the adversary’s success probability of recovering the secret key. With careful parameter selection, the attacker will need a long time to break the protocol. Therefore, in most application scenarios, our protocol provides a good solution for securing the RFID system.
In this section, we will first describe the hardware constraints on selecting parameters for our lightweight protocol. Then we will have a discussion on the computational loads of the reader and the tag. Finally, based on the analysis, we will compare our protocol with previous works in terms of performance.
We analyze the memory storage and computational capability on the low-cost RFID tags in this section. Based on the analysis, we will select parameters that provide enough security to our protocol and show that the protocol is lightweight enough to be implemented on the tags.
Since our protocol requires tag to store the generator matrix
Next we turn our attention to the tag’s computational power. As estimated in [
When running our protocol, the tag has to perform vector-matrix multiplication for decoding and encoding. According to [
Estimated gate equivalents for different parameters.
| Error correction code | Required gate equivalents |
|---|---|
| | 3141 |
| | 3471 |
| | 3802 |
| | 3802 |
| | 3802 |
| | 5125 |
It is difficult to implement our protocol on the current low-cost RFID tags, since most of the RFID modules are not user-programmable; they run only the processes that were set in the manufacturing phase. Therefore, we cannot measure the running time on real tags. Instead, we calculated the average amount of transmitted messages in our protocol to estimate the average communication time.
Assume that a reader is going to authenticate a tag from
Now we can estimate the running time of our protocol. First note that all tags compute and transmit their messages in parallel; therefore, we should use the amount of total message of a single tag (
Estimated transmitting time for different parameters.
| Error correction code | Required transmitting time (ms) | | |
|---|---|---|---|
| | | | |
| | 0.2~1.8 | 0.5~4.4 | 3.8~30.7 |
| | 0.3~2.7 | 0.8~6.7 | 5.8~46.6 |
| | 0.4~3.6 | 1.1~8.9 | 7.8~62.4 |
| | 0.4~3.6 | 1.1~8.9 | 7.8~62.4 |
| | 0.4~3.6 | 1.1~8.9 | 7.8~62.4 |
| | 0.9~7.2 | 2.2~18.0 | 15.7~125.8 |
In order to minimize its computational load, the reader will attempt to filter out the unnecessary verifier messages
Probability of mistaking the random number as valid codeword.
| Error correction code | Probability |
|---|---|
| | 1 |
| | 0.206 |
| | 0.001 |
| | 0.038 |
| | 1 |
| | |
Because the number of possible syndrome patterns is limited, a pattern might be shared by many tags. In other words, tags might store the same syndrome pattern. If the reader wants to authenticate one of these tags, each of them will respond with a valid codeword and verifier message. If that is the case, the reader will have to verify unnecessary verifier messages. The number of tags that share the same syndrome pattern is
Estimated number of unnecessary verifier messages.
| Error correction code | Average number of extra verifier messages | | |
|---|---|---|---|
| | | | |
| | 1 | 10 | 100 |
| | 0.2 | 2.1 | 20.6 |
| | | | 0.1 |
| | | 0.4 | 3.8 |
| | 1 | 10 | 100 |
| | | | |
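The linear block code machinery from the error correction code section and the reader-side filtering described above, as an added example that is not code from the paper: a syndrome-table decoder, a perfect-code check, and a filter that keeps only the responses whose word decodes. The two small codes, the sample responses and all names are assumptions chosen for illustration; the reader is assumed to accept any word within t errors of a codeword, and the masking of messages with the secret key is omitted.

```python
from itertools import combinations, product


class LinearCode:
    """Binary linear block code given by its parity check matrix H (list of rows)."""

    def __init__(self, H, t):
        self.H, self.n, self.t = H, len(H[0]), t
        # Syndrome table: every error vector of weight <= t, keyed by its syndrome.
        self.table = {}
        for w in range(t + 1):
            for ones in combinations(range(self.n), w):
                e = [1 if i in ones else 0 for i in range(self.n)]
                s = self.syndrome(e)
                if s in self.table:
                    raise ValueError("t exceeds what this code can correct")
                self.table[s] = e

    def syndrome(self, v):
        """H * v^T over GF(2); all-zero exactly when v is a codeword."""
        return tuple(sum(h & x for h, x in zip(row, v)) % 2 for row in self.H)

    def decode(self, received):
        """Corrected codeword, or None when the syndrome matches no error of weight <= t."""
        e = self.table.get(self.syndrome(received))
        if e is None:
            return None
        return [r ^ b for r, b in zip(received, e)]

    def is_perfect(self):
        """Perfect code: the correctable errors use up every possible syndrome
        (assumes the rows of H are linearly independent)."""
        return len(self.table) == 2 ** len(self.H)

    def accept_probability(self):
        """Fraction of all n-bit words that decode, i.e. the chance that a
        uniformly random word passes the decodability check (brute force)."""
        words = list(product((0, 1), repeat=self.n))
        return sum(self.decode(list(w)) is not None for w in words) / len(words)


def filter_responses(code, responses):
    """Keep the tags whose word decodes; only their verifier messages
    would go on to the more expensive key check."""
    return [tag for tag, word in responses if code.decode(word) is not None]


# Hamming (7,4): column i of H is i written in binary; corrects t = 1 error.
HAMMING_7_4 = LinearCode([[0, 0, 0, 1, 1, 1, 1],
                          [0, 1, 1, 0, 0, 1, 1],
                          [1, 0, 1, 0, 1, 0, 1]], t=1)
# Shortened (6,3) code with minimum distance 3; corrects t = 1 error, not perfect.
CODE_6_3 = LinearCode([[1, 1, 0, 1, 0, 0],
                       [1, 0, 1, 0, 1, 0],
                       [0, 1, 1, 0, 0, 1]], t=1)

# Constructed sample responses (tag label, received 6-bit word); not from the paper.
SAMPLE_RESPONSES = [
    ("tag-A", [1, 1, 1, 0, 1, 0]),  # codeword 111000 with one flipped bit
    ("tag-B", [0, 0, 0, 1, 1, 1]),  # syndrome (1,1,1): not correctable
    ("tag-C", [1, 0, 0, 1, 1, 0]),  # an unmodified codeword
]

if __name__ == "__main__":
    for code in (HAMMING_7_4, CODE_6_3):
        print(code.n, code.is_perfect(), code.accept_probability())
    print(filter_responses(CODE_6_3, SAMPLE_RESPONSES))
```

With the perfect code every received word decodes, so the decodability check removes nothing; the non-perfect code leaves one syndrome uncorrectable, and that is what lets the filter drop a response.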
We compare the amount of transmitted messages between different authentication protocols as follows. Still taking Chien’s SASI protocol [
Comparison of total messages transmitted.
| Authentication protocol | Total amount of transmitted messages (bit) | | |
|---|---|---|---|
| | | | |
| Our protocol | | | |
| Chien’s SASI [ | | | |
| Chien and Laih’s ECC-based [ | | | |
| Juels and Weis’s HB+ [ | | | |
| Sun and Ting’s Gen2+ [ | | | |
In SASI protocol, the tags first send pseudonyms
Compared with these protocols, the total amount of messages our protocol sent is no greater than most of the existing protocols. Although SASI protocol provides a very efficient identification mechanism based on tags’ pseudonyms, the fixed pseudonyms make the tags vulnerable to tracing attack before they can be updated again.
Security and privacy issues in RFID have been studied in recent years due to the rapid growth of RFID systems. Many researchers worry about the disadvantages of RFID technology, such as threats to location privacy and to the confidentiality of private information. On the other hand, manufacturers do not provide security functionality in their products because of the inherent limitations of RFID tags. As a result, researchers have proposed a substantial number of lightweight authentication protocols for securing low-cost RFID tags.
Some real-world RFID application scenarios require a reader to find and authenticate one tag in a group of tags. In previous works, the reader has to authenticate each tag individually until it finds the target one, which greatly increases the communication and computation time. To address this problem, our protocol provides a mechanism based on error correction codes to minimize the computational load of the reader. On receiving a query, the tags respond with verifier messages along with different codewords, some of which cannot be decoded. The reader can filter out the unnecessary verifier messages by examining these codewords, thereby improving its performance.
In this paper, we presented a single-round lightweight mutual authentication protocol. The protocol is designed with decoding and encoding operations on error correction codes, pseudorandom number generating, and a hash function. These operations are proved lightweight enough to be implemented on low-cost RFID tags or can be realized by using simple bitwise operations. Based on the secrecy of shared keys, the reader and the tag can establish a mutual authenticity relationship. Further analysis of the protocol showed that it also satisfies integrity, forward secrecy, anonymity, and untraceability. Compared with other lightweight protocols, the proposed protocol provides stronger resistance to tracing attacks, compromising attacks, and replay attacks.
RFID backend server
RFID reader
An RFID tag
Syndrome pattern
A syndrome pattern of
A secret key of
Pseudorandom number generator
One-way hash function
Generator matrix
Parity check matrix
ECC codeword from
ECC error vector from
Verifier message from
Random nonce from
Hamming weight.
The authors declare that there is no conflict of interests regarding the publication of this paper.
The work of Chien-Ming Chen was supported in part by the Project HIT.NSRIF.2014098 supported by Natural Scientific Research Innovation Foundation in Harbin Institute of Technology, in part by Shenzhen Peacock Project, China, under Contract KQC201109020055A, and in part by Shenzhen Strategic Emerging Industries Program under Grant ZDSY20120613125016389. The work of H.-M. Sun was supported in part by the National Science Council, Taiwan, under Grant NSC 100–2628-E-007-018-MY3.