An radio-frequency identification security authentication mechanism for Internet of things applications

Abstract

Among various Internet of things technologies, radio-frequency identification technology is currently one of the most critical. Radio-frequency identification tags store messages collected by the reader; thereafter, the messages are transmitted to the backend system for processing and analysis, thereby forming a huge knowledge network and achieving the objective of intelligent management of objects. However, the personal information and privacy exposure, malicious tracking, and counterfeiting behaviors remain the unresolved issues in the security area. In this study, we developed a matrix-based authentication protocol that was protected by Hill Cipher Hard Problem by which it can provide confidentiality, anti-counterfeiting, and users’ location privacy. In addition, the identity verification of this scheme based on matrix needs only once matrix multiplication operation to know the outcome. Consequently, the analysis of computational complexity demonstrated that our scheme can handle the mass data from the reader, thereby achieving system extensibility.

Keywords

Internet of things radio-frequency identification tags privacy malicious tracking matrix-based radio-frequency identification authentication protocol

Introduction

Internet of things (IoT) or the Internet of everything (IoE) is the realization of a panoply of smart and networked devices that serve human needs such as food, clothing, accommodation, transportation, and entertainment.^1,2 Future consumers will be able to use smartphones to lock or unlock their homes, to switch lights on or off, to monitor energy consumption, to monitor security, and to control home appliances; IoT applications are becoming ubiquitous.³

Machines and devices have been intelligentized and networked because of the emergence of the IoT; relevant devices and systems have used networks more frequently in various fields and environments. Therefore, hackers have begun to target IoT devices. In the past, hackers targeted vulnerabilities in information systems and webpages, whereas current information security challenges mainly include mobile data theft, automobile system cracking, and medical equipment invasion. Therefore, information security and privacy protection are crucial topics for the IoT.^4,5

Radio-frequency identification (RFID) is a widely used technology in the IoT area. Tags of RFID store standardized and interoperable messages that are collected by RFID readers and transmitted to backend systems through wireless networks for processing. In this vision, the IoT forms a vast and interconnected knowledge network and achieves the intelligent management of objects.

Related protection/authentication mechanisms have been continuously developed. Weis et al.⁶ first developed the concept of RFID reader authentication, whereby only authenticated readers could notify tags to enter their locked/unlocked state. Ohkubo et al.⁷ subsequently proposed a one-way authentication protocol based on a hash chain. Dimitriou⁸ devised a method ensuring mutual authentication (MA) between the backend database and tags, thus helping reduce the database load. Burmester et al.⁹ developed an authentication mechanism known as O-TRAP, in which the server and tags stored a random number N_r to protect location privacy and reduce server load when authenticating tags. Other mechanisms for protecting location privacy include the following. Fu et al.¹⁰ used a tag ID alias that was updated in each authentication round to protect privacy. Albert et al.¹¹ used pseudorandom number generators (PRNGs) to produce an unpredictable pseudorandom sequence to achieve location privacy. Gui et al.¹² proposed a hash function and key encryption scheme for ownership transfer. Chen and Chen¹³ applied a dynamic token for RFID systems, thus ensuring anonymity through random token initialization, although more tag storage was required for updating. Dass and Om¹⁴ thus proposed an improved protocol with lower storage and performance costs. Cloud-based RFID MA protocols have also been proposed for use in enterprises, such as the virtual private network (VPN) agent system of Xie et al.,¹⁵ the anti-tracing scheme of Abughazalah et al.,¹⁶ the supply chain system of Lin et al.,¹⁷ and the enhanced scheme for forward security and anonymity protection of Chen et al.¹⁸

The aforementioned research results remained the problems with IoT devices that lie in unsecure communication and inadequate identity verification, which may easily result in user data leakage.^19,20 According to the Global Risks Report published by the World Economic Forum in 2015, IoT risks have contributed to security challenges such as large-scale cyber-attacks, massive data forgery and theft, and the suspension of key information infrastructure and networks. From the aforementioned points, it can be seen that IoT-related devices and Internet infrastructure are expected to face severe information security problems, which will result in major losses.

In this study, we proposed a matrix-based RFID authentication approach for IoT applications. The proposed approaches can not only provide privacy with regard to location, but also fulfill the requests of confidentiality, unforgeability, and scalability. Moreover, this mechanism can improve server performance when processing a large amount of RFID data and effectively protect against denial-of-service (DoS) attacks.

The proposed protocol

In extending the O-TRAP protocol, this study developed a matrix-based authentication protocol that provides confidentiality and anti-counterfeiting, and protects users’ location privacy. The matrix’s low-level computation also enhances the server’s mass data processing capacity, thereby achieving system extensibility. The mechanism of this protocol is described in the following paragraphs.

The reader, the backend server, and the RFID tag are the three main hardware components of the proposed protocol. During communication, the server and the reader’s channel is secure, while the reader and the tag’s channel is not. The following notations are defined clearly in Table 1.

Table 1.

Parameter definition.

Symbol	Definition
id	The identification number of the tag
K_T	The secret key of the tag T, generated by the server
Key	The secret key of the server
n_R, n_T	The nonces, which are chosen by a reader and a tag, respectively
A ⁻¹	The inverse of A
AB	A multiplication of two matrices A and B, where the columns of A are equivalent to the rows of B
⊕	The bitwise exclusive OR operation
H(·)	A collision-resistant hash function

Setup phase

In the primary setup, the server can select three secret square d × d binary matrices Key₁, Key₂, and Key₃. Key₁ is a non-singular matrix and Key₃ is a singular matrix. Furthermore, the server produces two matrix keys for each tag, that is, K_T₁ = Key₁Key₃S_T and K_T₂ = Key₂Key₃S_T, where S_T is a random matrix of size d × d. The size d × d of each matrix defined here will definitely be able to ensure the security goal, that is, the value of d must be large enough to resist malicious attacks. With this, it will be unavoidably increasing the cost of the tag. Each tag’s identification number id and the corresponding matrix K_T₂ will be saved by the server in the database. It is noted that a value n or id with l bits can be represented in the protocol as a d × r binary matrix such that l = d × r. Figure 1 shows the complete session of the protocol.

Figure 1.

The proposed protocol.

Execution phase

The proposed protocol includes the following steps. Especially, the random values used here will be generated by cryptographically secure pseudorandom number generator (CSPRNG). A PRNG proper for security applications is known as a CSPRNG. A need for a CSPRNG is that an adversary not realizing the seed has only negligible advantage in distinguishing the generator’s output sequence from a random sequence. In other words, as a PRNG is only required to pass some statistical experiments, a CSPRNG must succeed in all statistical experiments that are restricted to polynomial time in the size of the seed. In C# program, the class RNGCryptoServiceProvider of cryptographic service provider (CSP) implements the concept.

Step 1. A query signal and a random value n_R will be delivered to the tag by the reader.

Step 2. The tag produces a random value n_T and computes c₁ = K_T₁n_T and c₂ = K_T₂n_T⊕id. Subsequently, the tag answers the challenge of the reader by computing c₃ = H₁(c₁, K_T₂n_R). Finally, the tag sends c₁, c₂, and c₃ to the reader. Then, the reader forwards the value n_R and the received messages c₁, c₂, and c₃ to the server.

Step 3. In order to require the id, the value K_T₂n_T has to be derived first. The server computes c₄ = Key₂Key₁⁻¹c₁ and recovers the id′ by computing c₄⊕c₂. Subsequently, the server discovers whether the corresponding matrix key $K'_{T 2}$ verifies the response c₃ by the following equation

c_{3} = H_{1} (c_{1}, K_{T 2}' n_{R})

(1)

If equation (1) is true, then the server believes that the received message has been sent by a valid tag. Otherwise, the server informs the reader to restart the communication or reject this communication.

Step 4. The server calculates the hash value c₅ = H₂(c₄) and sends it to the tag. Upon receiving c₅, the tag determines whether equation (2) is true or not. If equation (2) is true, the tag believes that this message is from a valid reader

c_{5} = H_{2} ({K_{T}}_{2} n_{T})

(2)

In the proposed protocol, the server uses a pair of keys Key₁ and Key₂ to retrieve some id from a pair of ciphertexts c₁ and c₂ without comparing every record in the database, even if the server has received a meaningless message. It is clear that the proposed protocol provides scalability. In addition, by means of the random parameter n_T generated by the tag, the proposed protocol delivers location privacy (the formal proof is described in section “Security analysis and comparison”).

Security analysis and comparison

We illustrate our proposed protocol that can achieve the aforementioned requests. In addition, we compare the performance of the proposed protocol with other related protocols.^{14,15,18,21–24} We make ID_x and (K_x₁, K_x₂) represent the identification number and the key pair of T_x separately. Since the Hill Cipher (HC) is applied to the proposed protocol, we determine the HC problem and HC assumption as follows:

HC problem. We make K ∈ F^d×d become the secret key of the HC. We make p ∈ F^d×r the meaningless plaintexts. Hardly, can we retrieve K and p from Kp because the HC is opposite to the ciphertext-only attack.^15,25 The following determines how a polynomial time algorithm A solves the HC problem

Ad v_{HC} = | \Pr {[K \in F]}^{d \times d}, p \in F^{d \times r} : A (Kp) \to K |

HC assumption. The HC assumption claims that the advantage of Adv_HC is negligible for any polynomial time algorithm A that solves the HC problem.

Location privacy

We assume an argumentation through the Location-Privacy game in order to ensure that the proposed protocol offers location privacy. The following Location-Privacy game is conducted between a challenger B and an adversary A. This security mode is one thing that an adversary attempts to judge whether the received message is a known tag. Namely, if the proposed protocol set the location privacy, no one can differentiate any received message from the same tag. The adversary A can also decompose other tags, while it cannot destroy the target tag.

Location-Privacy game

Initial phase

The challenger B randomly selects the target tags T₀ and T₁.

Query phase

A calls any pertinent queries of T₀ or T₁, such as the hash query and the executing queries. In the following, we explain these queries:

Hash query. We make H(T_x) manifest the hash query of T_x. When we deliver an input and request H(T_x), A acquires some outputs from the challenger B. Without loss of generality, we may assume that the adversary has precisely q_h₁H₁-queries and q_h₂H₂-queries.

Send query. We make S(T_x) manifest the anonymous query of T_x. When we deliver a random number n_A and request S(T_x), A acquires the following response according to the proposed protocol and the authenticator h(K_Txn_Tx) of the server where n_Tx is a random number produced by T_x. Without loss of generality, we may assume that the adversary has precisely q_se-queries.

Challenge phase

A delivers some random number n_A and B flips a fair coin bit b ∈ {0, 1}. If b = 0, B supplies the transmitted values, such as c₁, c₂, c₃, and c₅, according to the secret keys and ID of T₀. In addition, B supplies the messages of T₁. Then, A outputs his or her guess b′ and he or she wins if b′ = b. The advantage of A which wins in this game is Adv_Location = |Pr[b′ = b] – 0.5|.

Theorem 1

Adv_Location is the one that breaks the location privacy of the proposed protocol. Under the HC assumption, A is not aware of the private location of T_x in the proposed protocol. If A can break down the location privacy of the proposed protocol after q_h₁H₁-queries, q_h₂H₂-queries, and q_se-queries, the HC problem attackers will have some non-negligible probability to break the security of the HC problem. That is

Ad v_{Location} \leq \frac{q_{se}^{2} + q_{h_{1}}^{2} + q_{h_{1}}^{2}}{2^{l + 1}} + Ad v_{HC} (1 + \frac{1}{2^{l}})

Proof

The security of the proposed scheme can be formally determined as a game played between a challenger and an adversary A. The security model can be considered that an adversary A covets to differentiate whether the transmitted messages have been sent out from the same tag or not. We sketch the process of the game and describe the transformation from game S₀ to S₃. The advantage of A will be derived from the end of the sequence game. We describe the process of the game as follows:

In this sequence game, we require the difference lemma to help our transformation of the games. In the following, we describe the lemma.

Lemma 1: difference lemma

We make A, B, F become the events which also determine some feasibility distribution and suppose that A ∧ F ⇔ B ∧ F. Then

| \Pr [A] - \Pr [B] | \leq \Pr [F]

Game S₀. Previously, we have described S₀ as a simple game. Thus, game S₀ corresponds to a real attack. We determine E₀ to become the event b′ = b in game S₀. The advantage of A is

Ad v_{Location} = | \Pr [E_{0}] - \frac{1}{2} |

(3)

Game S₁. Apart from hash query H₁, the process of game S₁ is no distinct from game S₀. We utilize S₁ instead of the hash function H₁ which is demonstrated as $H_{1}^{list}$ . The form of each entry in $H_{1}^{list}$ is <K_x₁n_Tx, K_x₂n_A, Q>, where Q is a random number. Hash list $H_{1}^{list}$ is primarily empty. As for every hash query, if the input <Kx₁n_Tx, Kx₂n_A> already exists in $H_{1}^{list}$ , then the answer is Q. On the contrary, an output value Q is chosen randomly, and a new record <K_x₁n_Tx, K_x₂n_A, Q> is added to $H_{1}^{list}$ . Obviously, game S₁ and game S₀ are actually indistinguishable, except the possible collision of the hash function. Namely, if the collision does not occur, we will have the same output of both games. We determine event F₁ to become the occurrence of the collision of the hash function in game S₁. Similarly, we can say that S₀ ∧ ¬F₁ ⇔ S₁ ∧ ¬F₁. As a result, by Lemma 1 we have

| \Pr [E_{0}] - \Pr [E_{1}] | \leq \frac{q_{h_{1}}^{2}}{2^{l + 1}}

(4)

Game S₂. The process of game S₂ is no distinct from that of game S₁ except for hash query H₂. We substitute hash function H₂ in S₂ with the hash list denoted as $H_{2}^{list}$ . The form of each entry in $H_{2}^{list}$ is <K_x₂n_Tx, O>, where O is a random number. Hash list $H_{2}^{list}$ is initially empty. For every hash query, if the input <K_x₂n_Tx> already exists in $H_{2}^{list}$ , then the answer is O. Otherwise, an output value O is selected randomly, and a new record <K_x₂n_Tx, O> is added to $H_{2}^{list}$ .

Obviously, the games S₂ and S₁ are practically indistinguishable, except for the possible collision of the hash function. Namely, if the collision does not occur, we will have the same output of both games. We determine F₂ to become the occurrence of the hash function collision in game S₂. Similarly, we can say that S₁ ∧ ¬F₂ ⇔ S₂ ∧ ¬F₂. As a result, by Lemma 1 we have

| \Pr [E_{1}] - \Pr [E_{2}] | \leq \frac{q_{h_{2}}^{2}}{2^{l + 1}}

(5)

Game S₃. The process of game S₃ is no distinct from that game S₂ except for the forwarded value c₂. In game S₂, A is able to acquire the correct c₂. In game S₃, when A requests S(T_x), the value c₂ = K_x₂n_Tx⊕ID_x is substituted by some random number u. Both c₁ = K_x₁n_Txi and c₂ are fixed. Let F₃ be the event n_Txi = n_Txj for some i ≠ j and F₄ be the event that A can calculate K_x₂n_Tx from c₁. Therefore, S₂ and S₃ are practically indistinguishable, except for possible occurrences of the event F₃ or F₄. As a result, by Lemma 1, we have

| \Pr [E_{3}] - \Pr [E_{2}] | \leq \frac{q_{se}^{2} + 2 Ad v_{HC}}{2^{l + 1}}

(6)

Game S₄. The process of game S₄ is no distinct from that of game S₃ except for the forwarded value c₁. In game S₃, when we acquire the correct c₁, A has some advantage Adv_HC to solve the HC problem and retrieve K_x₁. In game S₄, when A sends a query, the answer is a random value z ∈_R {0, 1}^l. As a result, by Lemma 1, we have

\begin{matrix} | \Pr [E_{3}] - \Pr [E_{4}] | \leq | \Pr {[K \in F}^{d \times d}, p \in F^{d \times r} : A (Kp) \to K] | = Ad v_{HC} \end{matrix}

(7)

Obviously, if we make any queries, when A gets the random number z in game S₄, it is shown that

| \Pr [E_{4}] | = \frac{1}{2}

(8)

Combining equations (3)–(8), we obtain

\begin{matrix} Ad v_{Location} & = | \Pr [E_{0}] - \frac{1}{2} | \\ \leq | \Pr [E_{1}] + \frac{q_{h_{1}}^{2}}{2^{l + 1}} - \frac{1}{2} | \\ \leq | \Pr [E_{2}] + \frac{q_{h_{2}}^{2}}{2^{l + 1}} - \frac{1}{2} | + \frac{q_{h_{1}}^{2}}{2^{l + 1}} \\ \leq | \Pr [E_{3}] + \frac{q_{se}^{2} + 2 Ad v_{HC}}{2^{l + 1}} - \frac{1}{2} | + \frac{q_{h_{1}}^{2} + q_{h_{2}}^{2}}{2^{l + 1}} \\ \leq | \Pr [E_{4}] + Ad v_{HC} - \frac{1}{2} | + \frac{q_{se}^{2} + 2 Ad v_{HC} + q_{h_{1}}^{2} + q_{h_{1}}^{2}}{2^{l + 1}} \\ = \frac{q_{se}^{2} + q_{h_{1}}^{2} + q_{h_{1}}^{2}}{2^{l + 1}} + Ad v_{HC} (1 + \frac{1}{2^{l}}) \end{matrix}

Confidentiality

In the proposed protocol, the id number is decrypted by the key pair (K₁, K₂). Theorem 2 indicates that the id number cannot show up within the communication.

Theorem 2

Confidentiality exists in the proposed protocol. Namely, all the private information, such as the id number, will not show up in the proposed protocol.

Proof

We make E_L become the event that A is able to break the location privacy of the proposed protocol. We make E_C become the event that A is able to break the confidentiality of the proposed protocol. In addition, the event that A cannot break the location privacy can be represented as ¬E_L and the event that A cannot break the confidentiality can be represented as ¬E_C. The value id is unique in the proposed protocol. Consequently, if the id number is revealed, the location will be revealed and the location privacy will be broken. Namely, if the proposed protocol cannot protect the id number, it cannot protect location privacy as well. E_C ⇒ E_L is the relationship between E_C and E_L. Since the proposed protocol can offer location privacy by Theorem 1, we get ¬E_C ⇐ ¬E_L. As a result, the proposed system seems confidential.

Unforgeability

In order to offer unforgeability, the proposed protocol must provide MA. This subsection determines the security of MA and also presents it through the following MA model.

MA security

The MA of the proposed protocol is derived from the challenge–response method. An adversary A is designed for violating the MA if adversary A can offer the correct authenticator for any challenge. Namely, if adversary A cannot fake some authenticator, the proposed protocol provides unforgeability. We make Adv_MA represent the advantage that the adversary A is against the MA of the proposed protocol. We determine Adv_MA,_T as the advantage of adversary A that forges the authenticator of some tag and Adv_MA,S as the advantage of adversary A that forges the authenticator of some server. It is quite obvious that Adv_MA = Adv_MA,_T+Adv_MA,_S. The proposed protocol is MA secure if Adv_MA is negligible.

The MA model

Protocol participants

The tag and the server are the two participants of the proposed protocols. The tag and the server have to authenticate each other. Oracle is one thing that a participant may have many cases in the distinct concurrent executions of the proposed protocol. The notation $Π_{U}^{i}$ represents some instance i of participant U.

Long-term keys

The long-term secret key pair (K_x₁, K_x₂) must be shared between the tag T_x and the server S.

Oracle query

Within time t, we make A₂ become the adversary that has an advantage e in breaking the MA security of the proposed protocol. The oracle queries model the capabilities of A₂ describing the following:

$Send (Π_{U}^{i}, M)$ . This query models adversary A₂ sending message M to instance $Π_{U}^{i}$ and receives the following responses which is based on the proposed protocol. Adversary A₂ can initiate an execution of the proposed protocol by delivering a query $Send (Π_{U}^{i}, ″ s t a r t ″)$ to instance $Π_{U}^{i}$ .

$Reveal (Π_{U}^{i})$ . When we use a reveal query, adversary A₂ obtains a key pair (K₁ and K₂) of instance $Π_{U}^{i}$ . This query models a known key attack. It means that compromising this key pair of the tag does not make the keys of the other tags become dangerous.

Hash(M). This query models adversary A₂ accepting the hash result of his or her input M. When we acquire the input M, the simulator will examine whether the input M has been recorded in the hash list or not. If so, the simulator will return some result r to A₂. Otherwise, the simulator will return a random number r ∈_R {0, 1}^l and increase a record (M, r) to the hash list.

$Test (Π_{U}^{i}, r)$ . During an execution of the proposed protocol, when A₂ makes a test query, instance $Π_{U}^{i}$ flips a fair coin b. If b = 1, it will return the correct response for A₂’s challenge r. Otherwise, it returns a random value to A₂.

Theorem 3

We make Adv_con become an advantage to break the confidentiality of the proposed protocol within time t′. If adversary A₂ breaks the confidentiality of the proposed protocol after q_h₁ hash queries and q_h₂ hash queries, the simulator B₂ will have an advantage Adv_MA to break the MA security of the proposed protocol within t. That is

Ad v_{MA} = Ad v_{con} (1 + Ad v_{HC})

where t′ ≤ t+(q_se+q_h₁+q_h₂)·t_re with t_re being the time to relay a query.

Proof

By Theorem 2, advantage Adv_con is negligible. Within time t, we make A₂ become an adversary with an advantage Adv_con to break the MA security of the proposed protocol. We make B₂ become a simulator which aims to break confidentiality. We give a proposed protocol, in which simulator B₂ begins to conduct A₂ and answers the oracle queries which are made by A₂.

When A₂ requests a Send query, B₂ returns the message flow of the proposed protocol to A₂. Note that the Send queries made by A₂ to B₂ are relayed to the proposed protocol by B₂, and the answers are subsequently returned to A₂. When A₂ produces Reveal queries, B₂ must return the key pair (K₁, K₂) to A₂.

When A₂ terminates, B₂ makes a Test query and gets the value id′ from the proposed protocol. If the value id′ which is based on the entry of the hash list can be derived, B₂ will return 1. Otherwise, B₂ will flip a coin and output the coin value. If A₂ is able to fake the authenticator, H₁(K₂n_T), of the server, A₂ will request for the input entry <K₂n_T>. Thus, the value id′ can be handed over. The probability is equivalent to the advantage by which A₂ can break the confidentiality of the value. As a result, Adv_MA,_S = Adv_con. If A₂ is able to falsify the authenticator, H₂(K₁n_T, K₂n_R), of the tag, A₂ requests the input value <K₁n_T, K₂n_R>. The probability that B₂ retrieves K₂ and derives the id is as Adv_HC. Therefore, Adv_MA,_T = Adv_con×Adv_HC. We have

Ad v_{MA} = Ad v_{con} (1 + Ad v_{HC})

Moreover, B₂ has the greatest time complexity, t, and requests (q_se+q_h₁+q_h₂) relay queries. We make t_re become the time to relay a query. As a result, the running time of B₂ is less than that of A₂ added to the time of relaying a query

t' \leq t + (q_{se} + {q_{h}}_{1} + {q_{h}}_{2}) \times t_{re}

Scalability

In the proposed protocol, the server exclusively implements one matrix multiplication, Key₂Key₁⁻¹×c₁ (the matrix Key₂Key₁⁻¹ can be computed offline) and one XOR operation, (c₄⊕c₂), to get the id. Then, the server can identify the tag and authenticate it. Even though the system extends and then includes the extra members, the burden on the server will not increase. As a result, the proposed protocol accomplishes scalability.

In addition, when an attacker submits meaningless messages, the server can promptly authenticate them without matching other data again. This protocol can thus help resist DoS attacks.

Comparison

This subsection compares the proposed protocol with related protocols in terms of the aforementioned security requirements in Table 2. Chien and Huang²¹ presented a lightweight authentication protocol which can achieve confidentiality and unforgeability, and resist DoS attacks, but the provided tag can be traced so that it cannot satisfy the requirement of location privacy. The same problem appears in the schemes of Huang et al.,²³ Xie et al.,¹⁵ and Huang and Jiang.²⁴ Zuo²² proposed the mechanism using XOR operation and one-way hash function to reduce mechanism loading, but it caused the desynchronization and impersonation problem. Although Dass and Om’s¹⁴ mechanism achieves three requirements of security, because the number of transmitted messages between the tag and the reader (tag overhead) is high, the cost is higher in practice. In addition, Chen et al.’s¹⁸ scheme also fulfills these requirements, but time cost is high (as shown in Table 3).

Table 2.

Comparison table with security requirements.

	(1)	(2)	(3)	(4)	(5)
Chien and Huang²¹	O	X	O	O(1)	low
Huang et al.²³	O	X	O	O(1)	low
Xie et al.¹⁵	O	X	O	O(1)	low
Huang and Jiang²⁴	O	X	O	O(1)	low
Zuo²²	X	O	O	O(1)	low
Dass and Om¹⁴	O	O	O	O(1)	medium
Chen et al.¹⁸	O	O	O	O(1)	low
The proposed scheme	O	O	O	O(1)×d²	low

(1): confidentiality; (2): location privacy; (3): unforgeability; (4): complexity; (5): tag overhead.

K_T₁ and K_T₂ are d × d matrices, and n_R and n_T are two constants in our scheme; the latter constants will be multiplied with d² elements in the key, resulting in O(1)×d² time complexity.

Table 3.

Comparison table with computation costs.

	Tag computation cost	Reader computation cost	Backend database computation cost
Chien and Huang²¹	1ROT+1XOR+ 1R+3H	1R	1ROT+ 2XOR+3H
Huang et al.²³	1R+4XOR	1R	32MOD
Xie et al.¹⁵	1R+4H+ 1XOR	1R+3H+1SYM+ 1XOR	1H+1XOR
Huang and Jiang²⁴	2R+4XOR	1R+1XOR	1CRC
Zuo²²	6R+9XOR	6R+9XOR	–
Dass and Om¹⁴	4R+2H+ 1XOR	3R	2R+3H+6XOR
Chen et al.¹⁸	1R+4H	2H+1SYM	2H+1SYM
The proposed scheme	1R+2H+3M+ 1XOR	1R	1H+2M+ 1XOR

R: computation cost of producing a random number; H: computation cost of a hash function; M: computation cost of matrix scalar multiplication; ROT: computation cost of rotation; CRC: computation cost of running a cyclic redundancy code; XOR: computation cost of XOR operation; SYM: computation cost of symmetric encryption or decryption; MOD: computation cost of modulo.

Table 3 shows the comparison of tag, reader, and backend database computation costs. Notably, the proposed protocol has the lowest reader computation cost because only the time to produce one random number is required. Regarding tag computation, because the cost of producing random numbers, performing XOR operations, and processing hash functions is extremely low, all the compared protocols require roughly the same time. Finally, the proposed protocol requires one matrix computation at most for the backend database (in this mechanism, as K_T₁ = Key₁Key₃S_T and K_T₂ = Key₂Key₃S_T stored in the tag and the matrix multiplication Key₂Key₁⁻¹ for the server verifying tags can be calculated in advance, in the calculation of time complexity in Table 2, there is no time added for matrix operations, so the complexity is reduced to O(1)). The time consumed is thus shorter than that required by other protocols (from security perspective^14,18).

Discussion

In recent years, the security of IoT devices has been debated; the security of a carefully designed IoT system can be compromised by unauthorized intrusion, but the security of a poorly designed IoT system may be compromised by poor design. How to balance the performance and security of embedded systems such as wireless network routers and network cameras will be a challenge for future end device developers.²⁶ According to the relevant information security literature, over the past 3 years, hackers have begun to shift their focus from web applications to IoT devices. Therefore, reinforcing the security of end devices has become an imperative topic to be addressed by developers in various areas: (1) Improper access control can enable unauthorized users to arbitrarily modify the relevant settings of an end device and even to control the entire device. (2) Lack of rigorous data protection mechanisms may enable hacks. Specifically, the absence of regulated encryption in transmission protocols or limitations in hardware specifications undermines the security of encryption. This enables hackers to easily extract and analyze the transmitted data in communication connections, thereby causing the problems of data leakage and tampering. (3) DoS attacks can use a small amount of abnormal data transfer to crash a system, resulting in failure in normal operations or services. (4) A device may involve insecure default password, a backdoor program, or a hidden account. Such an end device employs a relatively simple default password and does not provide users with any password-changing function. Backdoor programs or built-in hidden accounts may exist and enable illegitimate users to directly log in to the system as the system administrator to access and modify data or to control the end device.^27,28

The 802.11x standard was the major wireless communication technology that previous network equipment adopted for wireless networks. However, alternative network communication technologies such as radio-frequency, near-field communication, and Bluetooth have begun to prevail in the IoT. However, these communication technologies can only transmit limited quantities of data over limited bandwidth at one time; they cannot provide a relatively safe and reliable communication mechanism. In addition, when most smart devices upload and save data to the cloud, the data pass through the connection layer, router layer, communication protocol layer, and the Internet layer before reaching the cloud, during which the data are transmitted through various devices and equipment; these diverse devices increase the risk of unauthorized data transfer. When an end device is transmitting unencrypted data through an unencrypted channel, if hackers steal the data, then the result appears as plain text. This may include the users’ account numbers, passwords, personal information, or other sensitive information. In addition, apart from the risk of unencrypted data leakage, the connection process may also be hijacked by hackers. Hackers may tamper with or counterfeit packet data to bypass security check mechanism, avoid identity authentication to achieve unauthorized access, or modify the configuration files in a device or backend system.²⁹

Of the various components of the IoT, backend systems play an essential role, and such systems are mostly implemented on the cloud. A typical end device passes time-consuming operations to a backend host for execution. For example, end devices can send their data back to the cloud host system directly or through a home gateway, after which the backend system can perform processing based on the data. At this point, the security of the cloud host plays an extremely crucial role: if the host is compromised by a hacker, it not only causes leakage of data on the cloud, but may even grant the hacker control over the user’s device through the interconnected features of the cloud and the device. Operating systems and application suites must be inspected regularly to ensure that hackers cannot exploit known vulnerabilities in outdated software to invade the system. Apart from the security of the applications or operating systems in the host system, attention should also be paid to the use of correct parameters and secure protection on cloud servers to ensure the security of the backend system.³

Mobile devices are now commonly used in personal life, and almost everyone possesses a smartphone. In the future, mobile devices such as smart bracelets or smart glasses will be more closely linked with users. They will also be closely connected to the IoT. Numerous end devices or backend systems will enable users to access data through mobile applications; thus, security measures for mobile devices and mobile applications are as essential as those for ordinary end devices or backend systems. The common security problems in mobile devices are and will continue to be similar to the aforementioned problems of end devices, including improper authority management, lack of encryption protection, bypassing of authentication and authorization, and logic loopholes. Hackers can determine a mobile device’s security vulnerabilities by analyzing its applications, can steal users’ accounts and passwords or relevant personal data, and can control end devices through mobile device applications.³⁰

As mentioned previously on IoT-related security issues, it can be found that a mechanism of low-level computation, protection of information privacy, prevention of fake identity, as well as maintenance of system functioning is needed, in particular the RFID-based system to be widely and generally used.

Constrained by inherent restrictions,³¹ however, RFID tags have two major drawbacks: first, when the reader issues a query, the RFID tag automatically responds to the reader without notifying the owner; second, due to cost constraints, RFID tags are not able to perform thorough encryption and decryption operations to prevent the private information from spreading. Because RFID tags and readers communicate through transmission,^6,7 it is noted that the two drawbacks lead to three major safety hazards: personal information and privacy exposure, malicious tracking, and counterfeiting behaviors.

In order to resolve the abovementioned security issues (personal information and privacy exposure, vicious tracking, and counterfeiting), this study suggested that a communication protocol for RFID systems should possess the following features:

Confidentiality. All messages in transmission should be protected from direct disclosure of sensitive information.

Unforgeability. Attackers cannot pretend neither as a tag nor as a reader to commit fraud.

Location privacy. The privacy of the user’s location ought to be preserved. Attackers cannot determine users’ past locations from their tag messages, that is, attackers cannot determine from the messages transmitted by the tags whether any user is their tracking target.

Scalability. The entire communication process between tags and servers ought to become quick and efficient, that is, even if the number of system members increases, the overall performance of the server should remain consistent.

Numerous protocols and mechanisms have been introduced to provide the necessary requirements for improving RFID communication security.^{9–18,25,32–36} However, cost- and security-related problems, such as additional hardware expenses, disclosure of users’ location privacy, or increasing server load, still exist and cannot be simultaneously resolved using only one mechanism. This study thus developed a security authentication mechanism that indeed achieves the following four advantages:

To be functionally carried out by a large amount of RFID data;

To satisfy confidentiality, anti-counterfeiting, and privacy protection;

To effectively protect against DoS attacks.

To be applicable to various conditions with the IoT RFID system (medical, logistics, transportation, access security, and so on).

Conclusion

In this study, we proposed a matrix-based RFID authentication approach for IoT applications. Not only can the proposed approach provide privacy with regard to location, but also fulfill the requests of confidentiality, unforgeability, and scalability. Specifically, we prevent some typical problems of RFID systems, that is, revealing users’ tracks and causing server overhead issues. Analyses and proofs prove that the proposed scheme is secure, suitable, and efficient for implementation in various IoT environments. This authentication mechanism will be accomplished and validated soon.

Footnotes

Handling Editor: Luca Catarinucci

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: The paper is funded by the Ministry of Education in Taiwan for developing the characteristics of national vocational and technological colleges and universities, with the Leap Program Number 107G0049 of the 107th academic year.

ORCID iD

Zhen-Yu Wu

References

Drira

Renault

Zeghlache

. Towards a secure social sensor network. In: Proceedings of the IEEE international conference on bioinformatics and biomedicine, Shanghai, China, 18–21 December 2013, pp.24–29. New York: IEEE.

Fernandes

Paupore

Rahmati

et al . FlowFence: practical data protection for emerging IoT application frameworks. In: Proceedings of the 25th USENIX security symposium, Austin, TX, 10–12 August 2016. Berkeley, CA: USENIX Association.

Yan

Zhang

Vasilakos

. A survey on trust management for Internet of things. J Netw Comput Appl 2014; 42: 120–134.

Arias

Wurm

Hoang

et al . Privacy and security in Internet of things and wearable devices. IEEE T Multiscale Comput Syst 2015; 1(2): 99–109.

Riahi

Natalizio

Challal

et al . A systemic and cognitive approach for IoT security. In: 2014 international conference on computing, networking and communications (ICNC), Honolulu, HI, 3–6 February 2014, pp.183–188. New York: IEEE.

Weis

Sarma

Rivest

et al . Security and privacy aspects of low-cost radio frequency identification systems. In: Hutter

Müller

Stephan

et al . (eds) Security in pervasive computing, Vol. 2802 (Lecture Notes in Computer Science). Berlin; Heidelberg: Springer, 2004, pp.201–212.

Ohkubo

Suzuki

Kinoshita

. Cryptographic approach to privacy-friendly tags. In: RFID privacy workshop, November 2003, https://rfidprivacy.media.mit.edu/2003/papers/ohkubo.pdf

Dimitriou

. A lightweight RFID protocol to protect against traceability and cloning attacks. In: Security and privacy for emerging areas in communications networks 2005, Athens, 5–9 September 2005, pp.59–66. New York: IEEE.

Burmester

Medeiros

. Provably secure ubiquitous systems: universally composable RFID authentication protocols. In: 2006 SecureComm and workshops, Baltimore, MD, 28 August–1 September 2006. New York: IEEE.

10.

Chen

et al . Scalable pseudo random RFID private mutual authentication. In: 2nd IEEE international conference on computer engineering and technology (ICCET), Chengdu, China, 16–18 April 2010, pp.497–500. New York: IEEE.

11.

Fernandez-Mir

Trujillo-Rasua

Castellà-Roca

et al . A scalable RFID authentication protocol supporting ownership transfer and controlled delegation. In: 7th international workshop RFIDSec 2011, Amherst, MA, 26–28 June 2011, pp.147–162. Berlin; Heidelberg: Springer.

12.

Gui

Zhang

. A new authentication RFID protocol with ownership transfer. In: International conference on ICT convergence (ICTC), 14–16 October 2013, pp.359–364. New York: IEEE.

13.

Chen

. An efficient anonymous authentication protocol for RFID systems using dynamic tokens. In: IEEE 35th international conference on distributed computing systems, Columbus, OH, 29 June–2 July 2015, pp.756–757. New York: IEEE.

14.

Dass

. A secure authentication scheme for RFID systems. Procedia Comput Sci 2016; 78: 100–106.

15.

Xie

Zhang

et al . Cloud-based RFID authentication. In: 2013 IEEE international conference on RFID, Penang, Malaysia, 30 April–2 May 2 2013, pp.168–175. New York: IEEE.

16.

Abughazalah

Markantonakis

Mayes

. Secure improved cloud-based RFID authentication protocol. In: Garcia-Alfaro

Herrera-Joancomartí

Lupu

et al . (eds) Data privacy management, autonomous spontaneous security, and security assurance, Vol. 8872 (Lecture Notes in Computer Science). Cham: Springer, 2015, pp.147–164.

17.

Lin

Hsu

Cheng

. A cloud-based authentication protocol for RFID supply chain systems. J Netw Syst Manag 2015; 23(4): 978–997.

18.

Chen

Dong

. Cloud-based RFID mutual authentication protocol. J Cryptol Res 2018; 5(3): 231–241.

19.

Granjal

Monteiro

Silva

. Security for the Internet of things: a survey of existing protocols and open research issues. IEEE Commun Surv Tut 2015; 17(3): 1294–1312.

20.

Mukherjee

. Physical-layer security in the Internet of things: sensing and communication confidentiality under resource constraints. P IEEE 2015; 103(10): 1747–1761.

21.

Chien

Huang

. A lightweight authentication protocol for low-cost RFID. J Signal Process Syst 2010; 59(1): 95–102.

22.

Zuo

. Survivability experiment and attack characterization for RFID. IEEE T Depend Secure 2012; 9(2): 289–302.

23.

Huang

Lin

. Efficient implementation of RFID mutual authentication protocol. IEEE T Ind Electron 2012; 59(12): 4784–4791.

24.

Huang

Jiang

. Ultralightweight RFID reader-tag mutual authentication. In: Proceedings of 2015 IEEE 39th annual computer software and applications conference, Taichung, Taiwan, 1–5 July 2015. New York: IEEE.

25.

Duc

Park

Lee

et al . Enhancing security of EPC global Gen-2 RFID tag against traceability and cloning. In: Proceedings of the 2006 symposium on cryptography and information security, Hiroshima, Japan, 17–20 January 2006. Berlin: Springer.

26.

Costin

Zaddach

Francillon

et al . A large-scale analysis of the security of embedded firmwares. In: Proceedings of the 23rd USENIX security symposium, San Diego, CA, 20–22 August 2014. Berkeley, CA: USENIX Association.

27.

Babar

Stango

Prasad

et al . Proposed embedded security framework for Internet of things (IoT). In: Proceedings of the 2nd international conference on wireless communication, vehicular technology, information theory and aerospace & electronic systems technology (Wireless VITAE), Chennai, India, 28 February–3 March 2011. New York: IEEE.

28.

Roman

Najera

Lopez

. Securing the Internet of things. IEEE Comput 2011; 44(9): 51–58.

29.

Heer

Morchon

Hummen

et al . Security challenges in the IP-based Internet of things. Wireless Pers Commun 2011; 61(3): 527–542.

30.

Singh

Pasquier

TFJ

Bacon

et al . Twenty security considerations for cloud-supported Internet of things. IEEE Internet Things 2016; 3(3): 269–284.

31.

Chen

Liao

et al . RFID-based operation room and Medicare system for patient safety enhancement—a case study of Keelung Branch, Chang Gung Memorial Hospital. J Inform Manag 2008; 15: 97–122.

32.

Karthikeyan

Nesterenko

. RFID security without extensive cryptography. SASN 2005; 2005: 63–67.

33.

Lin

Chung

et al . A secure RFID authentication scheme for medicine applications. In: Seventh international conference on innovative mobile and internet services in ubiquitous computing, Taichung, Taiwan, 3–5 July 2013, pp.175–181. New York: IEEE.

34.

Chen

. A reliable RFID mutual authentication scheme for healthcare environments. J Med Syst 2013; 37(2): 9917.

35.

Najera

Lopez

Roman

. Real-time location and inpatient care systems based on passive RFID. J Netw Comput Appl 2011; 34(3): 980–989.

36.

Katz

Rice

. Public views of mobile medical devices and services: a US national survey of consumer sentiments towards RFID healthcare technology. Int J Med Inform 2009; 78: 104–114.