A Privacy Preserving Improvement for SRTA in Telecare Systems

06/06/19

Disclaimer: This work has been submitted by a student.

Abstract

Radio Frequency Identification (RFID) is a modern communication technology that provides authentication and identification without physical contact. Recently, the use of this technology has been developing in healthcare environments. Although RFID technology can bring intelligence to systems, privacy and security issues ought to be considered first. In 2015, Li et al. proposed SRTA, a hash-based RFID authentication protocol for medication verification in healthcare. In this paper, we study this protocol and show that the SRTA protocol is vulnerable to traceability, impersonation and DoS attacks, so it does not provide privacy and security for RFID end-users. Therefore, we propose an improved secure and efficient RFID authentication protocol to enhance the performance of Li et al.’s method. Our analysis shows that the existing weaknesses of the SRTA protocol are eliminated in our proposed protocol.

Keywords: RFID Authentication protocol, Privacy, Security, Telecare, Traceability attack, DoS attack, Impersonation attack.

1. Introduction

Radio Frequency Identification (RFID) technology has outlined a novel future for our world. Aviation, building management, financial services, livestock and animal tracking, marina, passenger transport, supply chain, railway and healthcare are some examples of RFID usage that illustrate the variety of its applications in our lives [1-4]. Nowadays, the utilization of RFID systems in healthcare has grown substantially, for instance in patient tracking, wait-time monitoring, medication authentication and control asset management, docum-

main parts: tag, reader and back-end server. The tag is placed inside the products or the items of interest, for authentication and identification in contact with the readers. Tags are categorized into one of three classes: active, passive and semi-active. A passive tag does not have a battery, so it cannot start a new connection unless it is located in the electromagnetic field of the reader, where it gains enough power to transmit its messages. An active tag normally operates at 433 MHz Ultra High Frequency (UHF) and has an internal battery that lets it start a new conversation with the reader whenever it wants. Of course, these properties increase the cost and the volume of this type of tag, which constrains its usage in military applications, at microwave and ultra-wide band frequency ranges [7]. A semi-active tag has a battery that it uses only to perform internal operations; it relies on the reader’s signal to power its antenna and modulator [8]. The back-end server connects to the readers through secure or insecure channels and stores all the identification information of the readers and the tags in its database for further processing.

“98000 people annually die due to medication related mistakes in the United States,” reported the Institute of Medicine (IOM) [9], which is the result of three main factors: similarity in the names of medicines, packing and types of labels [10]. Nowadays, in order to establish confidentiality and privacy, and to solve the problems of existing methods, new protocols have been proposed [11]; according to the statement of the IOM, a number of those are specifically considered for the Telecare Medicine Information System (TMIS). It is undeniable that an efficient RFID security scheme can increase the security and privacy of RFID end-users significantly [12].

Figure 1. RFID system

In 2011, Chen et al. [13] proposed a tamper-resistant prescription RFID access control protocol for different certified readers, with both authentication and access right authorization mechanisms, which was claimed to guarantee patients’ rights. In the same year, a new hash-based RFID mutual authentication protocol was proposed by Cho et al. [14]; they believed that their protocol makes it difficult for an attacker to launch an effective brute-force attack against RFID users. However, Kim et al. [15] showed that Cho et al.’s protocol is weak against the desynchronization attack and proposed a hash-based mutual authentication protocol to solve the security problems in Cho et al.’s protocol and the privacy problems in previous RFID authentication protocols. In 2012, Yu et al. proposed a grouping proof protocol [16] for low-cost RFID tags and showed that their protocol not only reduces the number of logic gates but also requires less computational power and lower operation costs than the previously proposed protocol. In the same year, Wu et al. [17] showed that Yu et al.’s protocol was still vulnerable to impersonation attacks and proposed a lightweight binding proof protocol to overcome its weaknesses.

Srivastava et al. [5] proposed a protocol in 2015 to strengthen the security level of the common protocol, using a hash algorithm and a synchronized secret value shared between the tag and the back-end server; it was believed to be safe against various active and passive attacks. However, Li et al. [6] showed, in presenting the SRTA (Secure RFID Tag Authentication) protocol, that Srivastava et al.’s tag authentication protocol has a security problem that lets an adversary use a lost reader to connect to the medical back-end server. Moreover, they believe that Srivastava et al.’s protocol fails to provide mutual authentication between the reader and the back-end server, so they proposed a secure and efficient RFID tag authentication protocol to overcome the mentioned weaknesses.

In this paper, we analyze the SRTA protocol [6] and show that it still has weaknesses. Using timestamps in the structure of the protocol was the novelty of Srivastava et al. and Li et al., and it prevents data forgery and replay attacks. However, we show that declaring the timestamps explicitly through the protocol, on the one hand, and inaccuracy in producing the messages, on the other hand, lead to tag impersonation and reader impersonation attacks. Moreover, exposing the reader’s and the tag’s identification values through the authentication phases and the lack of an appropriate updating procedure put the privacy of the protocol at risk. In order to investigate the privacy of this protocol, we use the Ouafi and Phan privacy model [18] and, by exploiting the mentioned vulnerabilities, we present tag and reader traceability attacks on the SRTA protocol [6]. Besides, the low cost of RFID tags results in computation and complexity restrictions on the tag side, but this restriction is not so serious in the back-end server due to the presence of powerful processors [12]. Therefore, we propose an improved version of the SRTA protocol [6] that prevents the mentioned attacks and decreases the computation cost on the tag side.

The rest of the paper is organized as follows: the privacy model of Ouafi and Phan is described in Section 2. The SRTA protocol is reviewed in Section 3. In Section 4, the SRTA protocol is analyzed and its weaknesses are discussed. An improved version of Li et al.’s protocol is proposed in Section 5 and the analysis of our improved version is discussed in Section 6. Finally, the paper is concluded in Section 7.

2. Privacy model of Ouafi and Phan

Providing confidential communication for RFID users is one of the main goals of every RFID communication scheme. As a result, studying the privacy of proposed authentication protocols is always prominent for researchers [19, 20]. In order to evaluate the privacy of RFID protocols, different models have been proposed; one appropriate and well-known model is the Ouafi and Phan privacy model [18], which is described in this section. It is an Untraceable Privacy (UPriv) model, which can be briefly described as follows:

The reader $R$ and the tag $T$ are the components of the model, and the communications between all protocol parties are managed by an adversary $A$, based on the protocol definition. The following queries can be run by the adversary $A$:

∎ Execute($R$, $T$, $i$) query: This query is categorized as a passive attack and lets the attacker $A$ eavesdrop on the messages transmitted between the reader $R$ and the tag $T$ in the $i$th session of the protocol.

∎ Send($U$, $V$, $i$, $m$) query: An active attack is modeled with this query by sending the message $m$ from $U \in$ tag $T$ (reader $R$) to $V \in$ reader $R$ (tag $T$) in the $i$th session of the protocol. Besides, the adversary $A$ can alter or block the exchanged messages.

∎ Corrupt($T$, $k$) query: The attacker $A$ is able to obtain $K'$, the secret value of the tag $T$, and set it to $K$.

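Stored values:
Back-end Server: ($ID_k$, $V_k$, $W_k$, $x_j$, $x_{j-1}$, $s_j$, $s_{j-1}$, $RID_k$)
Reader: $x_j$, $RID_k$
Tag: $s_j$, $ID_k$

Reader:
1 Input $RID_k$ and $RPW_k$
1.1 $V_k = h(x_j \| RID_k)$
1.2 $W_k = h(x_j \| RID_k) \oplus RID_k \oplus RPW_k$
1.3 $V_k' = W_k \oplus RID_k \oplus RPW_k$; if $V_k = V_k'$
1.4 Generates $R_r$
1.5 $A = V_k' \oplus R_r$
1.6 $B = h(V_k' \oplus T_1 \oplus R_r)$
1.7 Reader → Tag: $A$, $B$, $RID_k$, $T_1$

Tag:
2.1 Generates $R_t$ randomly
2.2 $C = h(s_j \| ID_k) \oplus R_t$
2.3 $D = h(h(s_j \| ID_k) \oplus T_2 \oplus R_t)$
2.4 Tag → Reader: $C$, $D$, $ID_k$, $T_2$

Reader:
3.1 If $T_2 - T_1 > \Delta T$, reveal the protocol; else
3.2 Reader → Back-end Server: $A$, $B$, $RID_k$, $T_1$, $C$, $D$, $ID_k$, $T_2$

Back-end Server:
4.1 If $T_3 - T_2 > \Delta T$, reveal the protocol; else, for each tuple ($x_j$, $x_{j-1}$):
4.2 Computes $R_r^* = A \oplus V_k$ and $B^* = h(V_k \oplus T_1 \oplus R_r^*)$. If $B^* = B$, go to step 4.3; else reveal the protocol.
4.3 For each tuple ($s_j$, $s_{j-1}$), computes
$R_t^{*(1)} = h(s_j \| ID_k) \oplus C$
$R_t^{*(2)} = h(s_{j-1} \| ID_k) \oplus C$
$D^{*(1)} = h(h(s_j \| ID_k) \oplus T_2 \oplus R_t^{*(1)})$
$D^{*(2)} = h(h(s_j \| ID_k) \oplus T_2 \oplus R_t^{*(2)})$
If $D^{*(1)} = D$ or $D^{*(2)} = D$, go to step 4.4; else reveal the protocol.
4.4 $E = h(x_j \| RID_k \| T_1 \| R_r^* \| h(x_j \oplus R_r^*))$
4.5 $F = Data \oplus h(x_j \oplus R_r^*)$
4.6 $G = h(s_j \| ID_k \| T_2 \| R_t^* \| h(s_j \oplus R_t^*))$
4.7 Back-end Server → Reader: $E$, $F$, $G$
4.8 After successful authentication, updates $x_{j-1} \leftarrow x_j$; $x_j \leftarrow h(x_j \oplus R_r)$; $s_{j-1} \leftarrow s_j$; $s_j \leftarrow h(s_j \oplus R_t)$

Reader:
5.1 Computes $E^* = h(x_j \| RID_k \| T_1 \| R_r \| h(x_j \oplus R_r))$
5.2 Checks $E^* \stackrel{?}{=} E$
5.3 Updates $x_j \leftarrow h(x_j \oplus R_r)$
5.4 $Data = F \oplus h(x_j \oplus R_r)$
5.5 Reader → Tag: $G$

Tag:
6.1 Computes $G^* = h(s_j \| ID_k \| T_2 \| R_t \| h(s_j \oplus R_t))$
6.2 Verifies $G^* \stackrel{?}{=} G$
6.3 After successful authentication, $s_j \leftarrow h(s_j \oplus R_t)$

Fig. 2 The SRTA protocol [6].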

∎ Test($T_0$, $T_1$, $i$) query: This query expresses the indistinguishability-based concept of UPriv. After a Test($T_0$, $T_1$, $i$) query is sent to an entity in the $i$th session, depending on a randomly chosen bit $b \in \{0,1\}$ generated by the challenger, $T_b \in \{T_0, T_1\}$ is delivered to the attacker. The adversary $A$ succeeds if it correctly guesses the bit $b$.

Untraceable Privacy (UPriv): In this definition, a game $G$ takes place between the attacker $A$ and a collection of reader and tag instances. The adversary $A$ runs the game $G$, which has the following phases:

Learning phase: In this phase, the adversary $A$ is permitted to send any of the Execute, Send and Corrupt queries.

Challenge phase: The adversary $A$ is given a tag $T_b \in \{T_0, T_1\}$ and sends any of the Execute, Send and Corrupt queries to $T_b$.

Guess phase: Finally, the adversary $A$ terminates the game $G$ and outputs a bit $b'$ as a guess of the value of $b$.

The attacker succeeds in the game $G$ if it correctly recognizes whether it received $T_0$ or $T_1$. The traceability level of the protocol is denoted by $Adv_A^{UPriv}(k)$, where $k$ is the security parameter:

$$Adv_A^{UPriv}(k) = \left|\Pr(A \text{ wins}) - \Pr(\text{random coin flip})\right| = \left|\Pr(b' = b) - \tfrac{1}{2}\right| \qquad (1)$$

where $0 \le Adv_A^{UPriv}(k) \le \tfrac{1}{2}$. If $Adv_A^{UPriv}(k) < \varepsilon(k)$, the protocol is traceable with negligible probability.

3.  SRTA Protocol

In [6], Li et al. proposed a secure RFID tag authentication protocol for TMIS. The connection between the reader and the back-end server and the connection between the tag and the reader are insecure. Their protocol is hash based and uses timestamps in the structure of its messages to prevent attacks. The protocol is depicted in Fig. 2 and the notations used in it are listed below:

$ID_k$: The identifier of the $k$th tag.

$RID_k$: The identifier of the $k$th reader.

$RPW_k$: The password of the $k$th reader.

$RNG$: The Random Number Generator.

$T$: The timestamp.

$R_r$: The random number generated by the reader.

$R_s$: The random number generated by the tag.

$s_j$: The secret value used in the current $j$th session; it is mutually shared between the back-end server and the tag.

$s_{j-1}$: The secret value used in the previous session. Initially, the value is set to null.

$x_j$: The secret value used in the current $j$th session; it is mutually shared between the back-end server and the reader.

$x_{j-1}$: The secret value used in the previous session. Initially, the value is set to null.

$h(\cdot)$: A one-way hash function.

$\Delta T$: The expected legitimate time interval for transmission delay.

$\|$: Concatenation operation.

$A \oplus B$: Message $A$ is XORed with message $B$.

4. Analysis of SRTA Protocol

a. Tag Impersonation

Li et al. try to increase the security of the authentication procedure by using timestamps, which means that the reader and the back-end server will not continue the authentication phase unless the inequalities {$T_2 - T_1 < \Delta T$, $T_3 - T_2 < \Delta T$} hold. So, by knowing the values of $\Delta T$ and $T_1$, $T_2$ and $T_3$, the attacker tries to impersonate a legitimate tag to receive responses from the reader. It is shown that an attacker can perform this attack on Li et al.’s protocol [5]. This attack can be performed as follows:

Learning phase: In the $i$th round, the attacker eavesdrops on four successful steps of the protocol and obtains {$RID_k$, $A$, $B$, $T_1$, $ID_k$, $C$, $D$, $T_2$} and, by changing $T_2$ into $T_2'$, where $T_2' - T_1 > \Delta T$, he/she leaves the protocol unfinished. So the secret values of the reader and the tag are not updated.

Attack phase: In the $(i+1)$th round, the attacker starts a new session with the reader and acts as follows:

  1. The attacker receives {$RID_k$, $A$, $B$, $T_1^{(i+1)}$} from the reader. By knowing the value of $T_1^{(i+1)}$ in this session and $\Delta T$ from the learning phase, he/she generates an appropriate value for $T_2^{(i+1)}$. Moreover, as $ID_k$ is not updated during this protocol, the attacker responds with {$ID_k$, $\beta$, $\gamma$, $T_2^{(i+1)}$}, where $\beta$ and $\gamma$ are generated as follows:

$$\beta = h(s_j \| ID_k) \oplus R_t \qquad (2)$$

$$\gamma = h(h(s_j \| ID_k) \oplus T_2^{(i+1)} \oplus R_t) \qquad (3)$$

It should be mentioned that $\beta$ and $\gamma$ are the messages that the attacker generates in place of the messages $C$ and $D$ of the SRTA protocol.

  2. After the value of $T_2^{(i+1)}$ is confirmed by calculating $\Delta T$ in a legitimate reader, {$RID_k$, $A$, $B$, $T_1^{(i+1)}$, $ID_k$, $\beta$, $\gamma$, $T_2^{(i+1)}$} will be sent to the back-end server by the reader.

  3. On receiving the response messages from the reader, the back-end server checks the inequality $(T_3^{(i+1)} - T_2^{(i+1)}) < \Delta T$, which is accepted because the attacker chose a correct value for $T_2^{(i+1)}$. As the above inequality holds, the back-end server acts as follows:

    1. Computes $R_r^* = A \oplus h(x_j \| RID_k)$.

    2. Computes $B^* = h(h(x_j \| RID_k) \oplus T_1^{(i+1)} \oplus R_r^*)$ and checks whether $B^* \stackrel{?}{=} B$. As all the messages {$A$, $x_j$, $RID_k$, $T_1^{(i+1)}$} are generated by a legal reader, the back-end server successfully authenticates the reader.

    3. Computes $R_t^* = \beta \oplus h(s_j \| ID_k)$.

    4. Computes $D^* = h(h(s_j \| ID_k) \oplus T_2^{(i+1)} \oplus R_t^*)$ and checks whether $D^* \stackrel{?}{=} \gamma$. As the secret value of the tag has not been updated, the above equality is confirmed.

Although the SRTA protocol claims that an attacker will be detected by checking the value of the received message {$D$}, as shown above, eavesdropping on one round of the protocol and choosing an appropriate value for $T_2^{(i+1)}$ results in authentication of the attacker as a legitimate tag.

b. DoS Attack

It can be shown that Li et al.’s protocol is not safe against the DoS attack. To perform this attack, in the $i$th session of the protocol, after four steps have run, when the back-end server wants to send messages to the reader, the attacker intercepts the transmitted messages and stops the protocol. As a result, the back-end server updates $s_j^{(i)}$ and $s_{j-1}^{(i)}$ with $h(s_j \oplus R_t)$ and $s_j$, respectively, but the tag does not update its secret values. Now, the attacker performs the tag impersonation attack, presented in Section 4.a, in the $(i+1)$th session of the protocol. After this attack, the back-end server updates $s_j^{(i+1)}$ and $s_{j-1}^{(i+1)}$ with $h(s_j^{(i)} \oplus R_t)$ and $s_j^{(i)}$, respectively, but the tag does not update its secret values. Consequently, the tag and the back-end server are desynchronized in the next session and the back-end server cannot authenticate the tag.

In addition, the DoS attack can be performed by running two consecutive tag impersonation attacks, described in subsection 4.a.

c. Reader Impersonation

In this subsection, it is shown that an attacker can impersonate a legitimate reader in Li et al.’s protocol [6]. This attack can be performed as follows:

Learning phase: In the $i$th round, the attacker eavesdrops on two successful steps of the protocol and obtains {$RID_k$, $A$, $B$, $T_1$}, intercepts the messages transmitted to the tag and then stops the protocol. So the secret values are not updated in this session. The attacker calculates $\alpha$ as follows:

$$\alpha = V_k' \oplus R_r \qquad (4)$$

Attack phase: In the $(i+1)$th round, an adversary starts a new session with the tag $T_0$ and acts as follows:

  1. In this phase, the attacker starts a session with a tag by sending $RID_k$ and $\alpha$, stored from the last unfinished session, $T_1^{(i+1)}$, generated by the attacker, which shows the current timestamp, and $\lambda$, which is calculated as

$$\lambda = h(V_k' \oplus T_1^{(i+1)} \oplus R_r) \qquad (5)$$

  2. Then, the target tag responds with {$ID_k$, $C$, $D$, $T_2^{(i+1)}$} to the attacker.

  3. The attacker sends {$RID_k$, $\alpha$, $\lambda$, $T_1^{(i+1)}$, $ID_k$, $C$, $D$, $T_2^{(i+1)}$} to the back-end server.

  4. The back-end server checks whether $(T_3^{(i+1)} - T_2^{(i+1)}) < \Delta T$. As shown in Fig. 2, this inequality is verified because $T_2^{(i+1)}$ and $T_3^{(i+1)}$ are generated by a legal tag and back-end server.

  5. By performing the above steps, the back-end server computes $R_r^* = \alpha \oplus h(x_j \| RID_k)$.

  6. The back-end server calculates $B^* = h(h(x_j \| RID_k) \oplus T_1^{(i+1)} \oplus R_r^*)$ and checks whether $B^* \stackrel{?}{=} \lambda$, where

$$B^* = h(h(x_j \| RID_k) \oplus T_1^{(i+1)} \oplus R_r^*) = h(V_k' \oplus T_1^{(i+1)} \oplus R_r^*) = \lambda \qquad (6)$$

As a result, the back-end server authenticates the spoofed reader as a legitimate one.

  7. Now, the back-end server starts to authenticate the tag by calculating $C^*$ and $D^*$ and comparing them with the received $C$ and $D$. As the tag is legitimate, the back-end server authenticates it, computes $E$, $F$ and $G$ as follows and sends them to the attacker:

$$E = h(x_j \| RID_k \| T_1^{(i+1)} \| R_r \| h(x_j \oplus R_r)) \qquad (7)$$

$$F = Data \oplus h(x_j \oplus R_r) \qquad (8)$$

$$G = h(s_j \| ID_k \| T_2^{(i+1)} \| R_t \| h(s_j \oplus R_t)) \qquad (9)$$

  8. The attacker sends $G$ to the tag.

Consequently, the attacker effectively impersonates the reader.

d. Tag traceability

In this subsection, it is shown that the SRTA protocol [6] is vulnerable to the traceability attack. According to the SRTA protocol [6], the tag’s identification number $ID_k$ is fixed in all rounds. Using this, an attacker can trace the target tag. This attack is performed as follows:

Learning phase: In round $(i)$, the attacker eavesdrops on all messages transmitted between the tag $T_0$ and the reader $R$ by sending an Execute query ($R$, $T_0$, $i$) and obtaining {$RID_k$, $A$, $B$, $T_1$, $ID_k$, $C$, $D$, $T_2$, $E$, $F$, $G$}.

Challenge phase: The adversary selects two fresh tags $T_0$ and $T_1$ for the test, and sends a Test query ($T_0$, $T_1$, $i+1$). According to the randomly chosen bit $b \in \{0,1\}$, the adversary is given a tag $T_b \in \{T_0, T_1\}$. Afterwards, the adversary calculates $B^\#$ as $h(A \oplus T_1')$ and sends an Execute query ($R$, $T_b$, $i+1$) by sending $RID_k$, $A$, $B^\#$, $T_1'$ to the tag, where $T_1'$ is the current timestamp, and obtains $C'$, $D'$, $T_2'$ and $ID_k'$.

Guess phase: The adversary $A$ stops the game $G$ and outputs a bit $b' \in \{0, 1\}$ as a guess of the bit $b$ as follows:

$$b' = \begin{cases} 0 & \text{if } ID_k = ID_k' \\ 1 & \text{otherwise} \end{cases} \qquad (10)$$

As a result, it can be written:

$$Adv_A^{UPriv}(k) = \left|\Pr(b' = b) - \tfrac{1}{2}\right| = \left|1 - \tfrac{1}{2}\right| = \tfrac{1}{2} \gg \varepsilon \qquad (11)$$

Proof: According to the structure of the SRTA protocol [6], since the tag $T_0$ never updates its identification number and uses the same $ID_k$ in both the learning and challenge phases, the attacker can trace the target tag. Moreover, as $ID_k$ is fixed in all sessions, the attacker is able to trace the tag $T_0$ whenever he/she wants.

e. Reader traceability Attack on SRTA Protocol

Li et al. [6] recognized that Srivastava et al.’s protocol [5] suffers from the reader stolen/lost attack, so it fails to provide the privacy of the tag during the authentication phases. To resist these attacks, Li et al. [6] use a secret value, an identifier and a password for the reader in their protocol. In this subsection, it is shown that in Li et al.’s protocol an attacker can perform a traceability attack and trace the location of a specific reader. As shown in Fig. 1, the adversary can trace the reader $R_0$ as follows:

Learning phase: In round $(i)$, the attacker eavesdrops on all messages transmitted between the tag $T_0$ and the reader $R_0$ by sending an Execute query ($R_0$, $T_0$, $i$), obtaining {$RID_k$, $A$, $B$, $T_1$, $ID_k$, $C$, $D$, $T_2$, $E$, $F$, $G$}; then he/she stores $RID_k$ as $\zeta$.

Challenge phase: The adversary eavesdrops on every session between readers and tags and stores all the obtained $RID_k$ under the name $Z_i$, where $i \in \{1, 2, \ldots, \text{number of Readers}\}$. Afterwards, the adversary selects two fresh readers $R_0$ and $R_1$ for the test, and sends a Test query ($R_0$, $R_1$, $i+1$). According to the randomly chosen bit $b \in \{0,1\}$, the adversary is given a reader $R_b \in \{R_0, R_1\}$. Now the attacker sends an Execute query ($R_0$, $T_0$, $i+1$) and stores $Z_0$ and $Z_1$.

Guess phase: The adversary $A$ stops the game $G$ and outputs a bit $b' \in \{0, 1\}$ as a guess of the bit $b$ as follows:

$$b' = \begin{cases} 0 & \text{if } \zeta = Z_0 \\ 1 & \text{otherwise} \end{cases} \qquad (12)$$

As a result, it can be written:

$$Adv_A^{UPriv}(k) = \left|\Pr(b' = b) - \tfrac{1}{2}\right| = \left|1 - \tfrac{1}{2}\right| = \tfrac{1}{2} \gg \varepsilon \qquad (13)$$

Proof: According to the structure of Li et al.’s protocol, the reader $R_0$ does not update its identification number and uses the same $RID_k$ in both the learning and challenge phases; therefore, the attacker can trace the target reader. Furthermore, as $RID_k$ is fixed in all rounds, an adversary is able to trace the reader $R_0$ in any arbitrary session.

5. Improvements on SRTA Protocol

Li et al. [6] try to improve Srivastava et al.’s authentication protocol [5] by adding the secret value of the reader $x_j$ and the $k$th reader’s identifier and password, which are named $RID_k$ and $RPW_k$, respectively. However, the SRTA protocol [6] is vulnerable to the attacks described in Section 4. In this section, a strengthened version of the SRTA protocol [6] is proposed to overcome its weaknesses. Moreover, the security and privacy analysis of our proposed protocol is provided.

5.1 Improved Version of SRTA protocol

As reported in Section 4, there are several main drawbacks in the structure of Li et al.’s protocol [6] that make it vulnerable to traceability attacks. Li et al. [6] try to increase the efficiency of Srivastava et al.’s protocol [5] by sending the tag’s identifier $ID_k$ and $RID_k$ through the protocol explicitly. Although the SRTA protocol [6] decreases the waiting time for accessing the true readers and ensures a high rate of efficiency in the tag authentication procedure, it brings a drawback that enables the attacker to learn the tag’s and the reader’s identification values. This allows them to be traced in every execution of the protocol.

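Stored values:
Back-end Server: ($ID_k^{old}$, $ID_k^{new}$, $V_k$, $W_k$, $x_j$, $x_{j-1}$, $s_j$, $s_{j-1}$, $RID_k$)
Reader: $x_j$, $RID_k$
Tag: $s_j$, $ID_k$

Reader:
1 Input $RID_k$ and $RPW_k$
1.1 $V_k = h(x_j \| RID_k)$
1.2 $W_k = h(x_j \| RID_k) \oplus RID_k \oplus RPW_k$
1.3 $V_k' = W_k \oplus RID_k \oplus RPW_k$; if $V_k = V_k'$
1.4 Generates $R_r$
1.5 $A = V_k' \oplus R_r$
1.6 $B = h(R(V_k') \| L(R_r) \oplus T_1)$
1.7 Reader → Tag: $A$, $B$

Tag:
2.1 Generates $R_t$ randomly
2.2 $C = h(s_j \| ID_k) \oplus R_t$
2.3 $D = h(R_t \oplus T_2)$
2.4 Tag → Reader: $C$, $D$, $T_2$

Reader:
3.1 If $T_2 - T_1 > \Delta T$, reveal the protocol; else
3.2 Reader → Back-end Server: $A$, $B$, $T_1$, $C$, $D$, $T_2$

Back-end Server:
4.1 If $T_3 - T_2 > \Delta T$, reveal the protocol; else, for each ($x_j$, $RID_k^{old}$) and ($x_{j-1}$, $RID_k^{new}$):
4.2 Computes $V_k^*$, computes $R_r^*$, computes $B^*$
4.3 If $B^* = B$, the reader is authenticated; else reveal the protocol. For each ($s_j$, $ID_k^{old}$) and ($s_{j-1}$, $ID_k^{new}$):
4.4 Computes $R_t^*$, $D^*$
4.5 If $D^* = D$, the tag is authenticated; else reveal the protocol
4.6 $E = h(x_j \| RID_k \| T_1 \| R_r^* \| h(x_j \oplus R_r^*))$
4.7 $F = Data \oplus h(x_j \oplus R_r^*)$
4.8 $G = h(s_j \| ID_k \| T_2 \| R_t^* \| h(s_j \oplus R_t^*))$
4.9 Back-end Server → Reader: $E$, $F$, $G$
4.10 After successful authentication, updates $x_{j-1} \leftarrow x_j$; $x_j \leftarrow h(x_j \oplus R_r)$; $s_{j-1} \leftarrow s_j$; $s_j \leftarrow s_j \oplus R_t$; $ID_k^{old} \leftarrow ID_k$; $ID_k^{new} \leftarrow ID_k \oplus s_j$

Reader:
5.1 Computes $E^* = h(x_j \| RID_k \| T_1 \| R_r \| h(x_j \oplus R_r))$
5.2 Checks $E^* \stackrel{?}{=} E$
5.3 Updates $x_j \leftarrow h(x_j \oplus R_r)$
5.4 $Data = F \oplus h(x_j \oplus R_r)$
5.5 Reader → Tag: $G$

Tag:
6.1 Computes $G^* = h(s_j \| ID_k \| T_2 \| R_t \| h(s_j \oplus R_t))$
6.2 Verifies $G^* \stackrel{?}{=} G$
6.3 After successful authentication, $s_j \leftarrow s_j \oplus R_t$; $ID_k \leftarrow ID_k \oplus s_j$

Fig. 3 Improved version of SRTA protocol.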

In addition, the processors in the tags are limited and not all computations can be performed on the tag side. On the other hand, there is little limitation on the computation cost on the back-end server side [12]. Therefore, we propose to omit sending $ID_k$ through the protocol. Besides, there is no inconsistency between the increased time for finding a correct $ID_k$ and $RID_k$ and the timestamp $T_3$. In other words, in the SRTA protocol [6], the back-end server first checks the correctness of the inequality ($T_3 - T_2 < \Delta T$), then searches for the true identification number of the reader and the tag. Further, we omit sending $RID_k$ through our protocol. Another drawback of the SRTA protocol [6] is announcing the values of the timestamps $T_1$, $T_2$ and $T_3$ through the protocol. After one acceptable run of the protocol, an adversary knows the values of $T_1$, $T_2$ and $T_3$, so he/she can calculate the allowable $\Delta T$ and apply the tag impersonation and reader impersonation attacks discussed in Section 4. In order to improve Li et al.’s protocol [6], we change the message $B$ to:

$$B = h(R(V_k') \| L(R_r) \oplus T_1) \qquad (14)$$

where $R(V_k')$ means the right side of $V_k'$ and $L(R_r)$ refers to the left side of $R_r$. By omitting $T_1$, we send {$RID_k$, $A$, $B$} to the tag in the second step of the protocol. In the third step of the protocol, we change the message $D$ to:

$$D = h(R_t \oplus T_2) \qquad (15)$$

By omitting the first hash function of the message $D$, not only does the computation cost on the tag side decrease, but the back-end server can also verify the value of $R_t$ using the transmitted message $D$. Moreover, in our proposed protocol the attacker will not be able to guess the correct message.

On the other hand, updating the tag’s identifier $ID_k$ through the protocol causes another vulnerability, i.e., the DoS attack. In other words, after four steps of the protocol have run successfully, the attacker intercepts the protocol and leaves it unfinished. So the back-end server updates $ID_k$ with $ID_k \oplus R_t$, while the value of $ID_k$ in the tag is not updated. In the next run of the protocol, the tag will send $ID_k$ to the reader but the back-end server will not accept it as a legitimate one. So, we store two values of $ID_k$ in the back-end server, a new one and an old one. Moreover, we update $ID_k$ at the end of the protocol as follows:

$$ID_k \leftarrow ID_k \oplus s_j \qquad (16)$$

and store the two last values of $ID_k$ on the back-end server side. As mentioned above, the restriction on complexity on the tag side is an important issue, so, by omitting one hash function in the tag, we update the value of $ID$ as in Eq. (16). The improved protocol is depicted in Fig. 3.

6. Analysis of our proposed protocol

In this section, we analyze the security and privacy of the proposed protocol with respect to the aforementioned kinds of attacks, and we show that it addresses the vulnerabilities of the existing work.

Eavesdropping and Tracing Resistance

Our proposed protocol is resistant to eavesdropping and tracing attacks. As discussed in subsection 4.d, the SRTA protocol suffers from the constancy of the value of $ID_k$, which results in traceability and DoS attacks. In our proposed protocol an attacker is not able to trace the target tag $T_0$, because $ID_k$ is updated as $ID_k \oplus s_j$; in addition, $s_j$ is updated at the end of the protocol with $R_t$, which is generated randomly and is not known to the attacker. So, if the attacker eavesdrops on one round of the protocol and obtains {$A$, $B$, $C$, $D$, $E$, $F$, $G$, $T_1$, $T_2$}, he/she will never be able to use the last stored messages to trace the target tag.

On the other hand, as stated in subsection 4.e, the SRTA protocol is vulnerable to the reader traceability attack, which results from declaring $RID_k$ and from the constancy of its value. In our proposed protocol we avoid announcing the value of $RID_k$ through the protocol. Although this increases the amount of computation in steps 4.2 and 4.3 of the protocol, as depicted in Fig. 3, the attacker will never be able to access the correct value of $RID_k$. It should be mentioned that we enhance the immunity of our proposed protocol by adding complexity in the back-end server, but in an RFID system the back-end server is equipped with a powerful processor [12]. Therefore, the performance of our improved protocol is not much affected compared with the SRTA protocol.

So, in our proposed protocol, the barrier against tracing is raised through the use of random numbers and anonymity.
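The UPriv game of Section 2, run against the tag side of both protocols, as an added example that is not code from the paper. It generalises the guess rule of Eq. (10) to "output 0 if any learned field reappears" and uses passive Execute queries only; SHA-256 for $h$, 32-byte values, the class names and the reading of step 6.3 as using the already-updated $s_j$ are assumptions.

```python
import hashlib
import os
import random

N = 32  # byte length of identifiers, secrets and nonces (assumption)


def h(data: bytes) -> bytes:
    """Stand-in for the protocol's one-way hash h(.)."""
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SrtaTag:
    """Tag side of SRTA (Fig. 2): ID_k is sent in clear and never changes."""

    def __init__(self):
        self.id_k, self.s_j = os.urandom(N), os.urandom(N)

    def execute(self, t2: int) -> dict:
        """One complete session; returns what an eavesdropper sees from the tag."""
        r_t = os.urandom(N)
        k = h(self.s_j + self.id_k)
        seen = {"C": xor(k, r_t),
                "D": h(xor(xor(k, t2.to_bytes(N, "big")), r_t)),
                "ID": self.id_k}
        self.s_j = h(xor(self.s_j, r_t))          # step 6.3 of Fig. 2
        return seen


class ImprovedTag(SrtaTag):
    """Tag side of the improved protocol (Fig. 3): no identifier on the channel."""

    def execute(self, t2: int) -> dict:
        r_t = os.urandom(N)
        seen = {"C": xor(h(self.s_j + self.id_k), r_t),
                "D": h(xor(r_t, t2.to_bytes(N, "big")))}
        self.s_j = xor(self.s_j, r_t)             # step 6.3 of Fig. 3
        self.id_k = xor(self.id_k, self.s_j)      # Eq. (16), with the updated s_j (assumption)
        return seen


def guess(learned: dict, challenge: dict) -> int:
    """Eq. (10) generalised: 0 if any value from the learning phase reappears."""
    known = set(learned.values())
    return 0 if any(v in known for v in challenge.values()) else 1


def upriv_advantage(tag_cls, trials: int = 2000, seed: int = 1) -> float:
    """Estimate |Pr(b' = b) - 1/2| for the field-matching distinguisher."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        t0, t1 = tag_cls(), tag_cls()
        learned = t0.execute(t2=1000)                 # learning phase on T0
        b = rng.randrange(2)                          # challenger's bit
        challenge = (t0, t1)[b].execute(t2=2000)      # challenge phase on Tb
        wins += guess(learned, challenge) == b
    return abs(wins / trials - 0.5)


if __name__ == "__main__":
    print("SRTA tag     :", upriv_advantage(SrtaTag))
    print("Improved tag :", upriv_advantage(ImprovedTag))
```

With the fixed identifier the distinguisher is always right, giving the advantage of 1/2 from Eq. (11); against the improved tag it can only ever answer 1, so its advantage stays close to 0.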

Desynchronization Attack Resistance

In a desynchronization attack, the adversary forces the tag and the reader to update their secret values to different ones, so they will not authenticate each other in further transactions. In an RFID authentication protocol, the adversary can perform this attack via various approaches, including blocking the messages exchanged between the tag and the back-end server and impersonating the tag and the reader [20]. In our proposed protocol, an attacker is permitted to eavesdrop on the transmitted messages $\{A, B, C, D, E, F, G, T_1, T_2\}$ between the elements of an RFID system. Moreover, he/she is able to alter the message $G$ to $G'$, which results in updating the secret values in the back-end server, but the tag will not accept the received message as coming from a legal element. Therefore, the tag leaves the protocol without updating its secret values. Although this results in a DoS attack in the SRTA protocol, our protocol is secure against this vulnerability. In our protocol, an adversary is not able to force the tag and the reader to update their secret values, because two values of $ID_k$ are stored in the back-end server, which prevents desynchronization between the tag and the back-end server. As shown in Fig. 3, if the attacker blocks the protocol in step 5.5 by changing the value of $G$ in a session, the back-end server will still be able to recognize the legitimate tag, as a result of storing the last two values of $ID_k$ and $s_j$.

Table 1. Security level comparisons among the discussed protocols

| Protocols | F1 | F2 | F3 | F4 | F5 |
|---|---|---|---|---|---|
| Cho et al. [14] | NO | YES | NO | NO | NO |
| Srivastava et al. [5] | NO | YES | NO | NO | YES |
| Li et al. [6] | YES | NO | NO | YES | NO |
| Our protocol | YES | YES | YES | YES | YES |

F1: Provision of mutual authentication
F2: Provision of synchronized secret
F3: Protection of data privacy
F4: Prevention of reader stolen/lost attack
F5: Prevention of impersonation attack

Table 2. Performance features of various protocols

| Protocols | Complexity of tag computation | Complexity of reader computation | Communication rounds |
|---|---|---|---|
| Srivastava et al. [5] | 5H+RNG | RNG | 5 |
| Li et al. [6] | 3H+RNG | RNG | 5 |
| Our protocol | 3H+RNG | RNG | 5 |

H: hash function; RNG: random number generator
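The effect of storing the last two values in the back-end server, as argued in the desynchronization analysis above, can be checked with a small simulation. This is an added example, not the paper's protocol: it assumes a single evolving secret `s` standing in for the stored ID and secret values, SHA-256 as the hash, hypothetical `Tag` and `Server` classes, and `G` as the final server-to-tag confirmation.

```python
import hashlib, hmac, secrets

def H(*parts):
    """Hash of fixed-length parts (SHA-256 stands in for the tag's hash)."""
    return hashlib.sha256(b"".join(parts)).digest()

class Tag:
    def __init__(self, s):
        self.s = s
    def respond(self, n_r):
        self.n_r, self.n_t = n_r, secrets.token_bytes(16)
        return self.n_t, H(self.s, n_r, self.n_t)
    def confirm(self, g):
        s_next = H(self.s)
        if hmac.compare_digest(g, H(s_next, self.n_r, self.n_t)):
            self.s = s_next              # update only on a valid G
            return True
        return False                     # altered G: keep the current secret

class Server:
    def __init__(self, s, keep_old):
        self.old, self.new, self.keep_old = s, s, keep_old
    def authenticate(self, n_r, n_t, resp):
        candidates = [self.new, self.old] if self.keep_old else [self.new]
        for s in candidates:
            if hmac.compare_digest(resp, H(s, n_r, n_t)):
                self.old, self.new = s, H(s)   # server updates first
                return H(self.new, n_r, n_t)   # G, the confirmation for the tag
        return None                      # tag not recognised

def run_session(tag, server, tamper_g=False):
    """Return True if the server authenticated the tag in this session."""
    n_r = secrets.token_bytes(16)
    n_t, resp = tag.respond(n_r)
    g = server.authenticate(n_r, n_t, resp)
    if g is None:
        return False
    if tamper_g:
        g = bytes([g[0] ^ 1]) + g[1:]    # G altered to G' in transit
    tag.confirm(g)
    return True

def demo(keep_old):
    seed = secrets.token_bytes(32)       # constructed shared initial secret
    tag, server = Tag(seed), Server(seed, keep_old)
    return [run_session(tag, server), run_session(tag, server, tamper_g=True),
            run_session(tag, server), run_session(tag, server)]

if __name__ == "__main__":
    print("single value:", demo(keep_old=False))
    print("old + new   :", demo(keep_old=True))
```

With a single stored value, the sessions after the altered `G` fail permanently; with both values kept, the server matches the tag on the old value and the two resynchronize.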

Tag/Reader Impersonation Attack Resistance

A tag (reader) impersonation attack is a forgery attack in which an RFID system accepts a spoofed tag (reader) as a legitimate tag (reader). In our improved protocol, there is no similarity between the messages $C$ and $D$; therefore, the attacker is not able to reuse the last stored message $C$ in the present session, which prevents the tag impersonation attack. On the other hand, because of the new exposure of $B$ and $D$, an adversary is not able to build the messages $B$ and $D$ from $A$ and $C$. Furthermore, because the secret values are updated and new random variables are generated in each session, the eavesdropped messages from the last session are not acceptable in the new session.

6.1 Performance analysis of our proposed protocol

In this section, we present the performance analysis of our proposed authentication protocol and compare it with the protocols of Li et al. [9], Srivastava et al. [8] and Cho et al. [24] in terms of immunity against different attacks. As our improved protocol is based on the framework of the existing protocol, there is little structural difference between SRTA and the proposed protocol. In Table 1, our improved protocol is compared with some similar protocols. As can be seen, the proposed protocol solves the drawbacks in the existing protocols and provides security against the mentioned attacks including traceability, impersonation, mutual authentication and DoS. In addition, in Table 2, the efficiency of the proposed protocol is compared with the analyzed protocols by comparing its computational cost. The improved protocol consists of three hash functions and one RNG on the tag side, which is the same as the SRTA protocol, while it saves two hash function computations in the tag compared with Srivastava et al.’s protocol. As can be seen in Table 2, all of the analyzed protocols include one RNG in the reader and consist of five communication rounds. Therefore, the privacy analysis shows that, without increasing the computational cost, our improved protocol removes all privacy concerns and provides secure and confidential communications for RFID users.

7. Conclusion

RFID technology is rapidly developing and its applications are spreading in different fields, and providing security and privacy for them has been a goal of researchers in recent years. In this paper, we analyzed a hash-based RFID protocol in TMIS proposed by Li et al. They claimed that their protocol provides the privacy requirements for RFID systems. However, this paper showed that Li et al.’s protocol is still vulnerable to traceability, tag impersonation and DoS attacks. To fix the aforementioned weaknesses, we have proposed an improvement, which fixes the weak features of their protocol for healthcare environments. Finally, the computational complexity and the performance of the proposed protocol are compared with those of the discussed protocols.

REFERENCES

[1] D. He and Z. Shi, “An analysis of RFID authentication schemes for internet of things in healthcare environment using elliptic curve cryptography,” IEEE Internet of Things Journal, vol. 2, pp. 72-83, 2015.

[2] Z. Ahmadian, M. Salmasizadeh, and M. R. Aref, “Desynchronization attack on RAPP ultralightweight authentication protocol,” Information Processing Letters, vol. 113, pp. 205-209, 2013.

[3] A. Al-Lawati, S. Al-Jahdhami, A. Al-Belushi, D. Al-Adawi, M. Awadalla, and D. Al-Abri, “RFID-based system for school children transportation safety enhancement,” in GCC Conference and Exhibition (GCCCE), 2015 IEEE 8th, pp. 1-6, 2015.

[4] G. Yimin, L. Shundong, D. Jiawei, and Z. Sufang, “Deterministic cloned tag detection protocol for anonymous radio-frequency identification systems,” IET Information Security, 2015.

[5] K. Srivastava, A. Awasthi, S. Kaul, and R. C. Mittal, “A hash based mutual RFID tag authentication protocol in telecare medicine information system,” Journal of Medical Systems, vol. 39, pp. 1-5, 2014.

[6] C.-T. Li, C.-Y. Weng, and C.-C. Lee, “A secure RFID tag authentication protocol with privacy preserving in telecare medicine information system,” Journal of Medical Systems, vol. 39, pp. 1-8, 2015.

[7] Z. Bilal, “Addressing security and privacy issues in low-cost RFID systems,” PhD thesis, Royal Holloway, University of London, 2015.

[8] B. Glover and H. Bhatt, RFID Essentials. O’Reilly Media, 2006.

[9] “The National Academies Institute of Medicine,” iom.nationalacademies.org.

[10] S. Crawford, M. Cohen, and E. Tafesse, “Systems factors in the reporting of serious medication errors in hospitals,” Journal of Medical Systems, vol. 27, pp. 543-551, 2003.

[11] K. Baghery, B. Abdolmaleki, B. Akhbari, and M. Aref, “Privacy analysis and improvements of two recent RFID authentication protocols,” presented at the 11th International ISC Conference on Information Security and Cryptology (ISCISC), Tehran, 2014.

[12] G. Avoine, “Cryptography in radio frequency identification and fair exchange protocols,” PhD thesis, EPFL, Lausanne, 2005.

[13] Y.-Y. Chen, D.-C. Huang, M.-L. Tsai, and J.-K. Jan, “A design of tamper resistant prescription RFID access control system,” Journal of Medical Systems, vol. 36, pp. 2795-2801, 2012.

[14] J.S. Cho, S.S. Yeo, and S. K. Kim, “Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value,” Computer Communications, vol. 34, pp. 391-397, 2011.

[15] H. Kim, “RFID mutual authentication protocol based on synchronized secret,” International Journal of Security and Its Applications, vol. 7, pp. 37-50, 2013.

[16] Y.-C. Yu, T.-W. Hou, and T.-C. Chiang, “Low cost RFID real lightweight binding proof protocol for medication errors and patient safety,” Journal of Medical Systems, vol. 36, pp. 823-828, 2012.

[17] S. Wu, K. Chen, and Y. Zhu, “A secure lightweight RFID binding proof protocol for medication errors and patient safety,” Journal of Medical Systems, vol. 36, pp. 2743-2749, 2012.

[18] K. Ouafi and R. W. Phan, “Privacy of recent RFID authentication protocols,” in Information Security Practice and Experience, vol. 4991, L. Chen, Y. Mu, and W. Susilo, Eds. Springer Berlin Heidelberg, pp. 263-277, 2008.

[19] S. Alavi, K. Baghery, B. Abdolmaleki, and M. Aref, “Traceability analysis of recent RFID authentication protocols,” Wireless Personal Communications, vol. 83, pp. 1663-1682, 2015.

[20] I. Coisel and T. Martin, “Untangling RFID privacy models,” Journal of Computer Networks and Communications, pp. 1-26, 2013.
