Super lightweight mobile RFID authentication protocol for bit replacement operation

Abstract

In the traditional RFID (Radio Frequency IDentification) system, a secure wired channel communication is used between the reader and the server. The newly produced mobile RFID system is different from the traditional RFID system, the communication between the reader and the server is based on a wireless channel, and the authentication protocol is suitable for traditional RFID systems, but it cannot be used in mobile RFID systems. To solve this problem, a mutual authentication protocol MSB (Most Significant Bit) for super lightweight mobile radio frequency identification system is proposed based on bit replacement operation. MSB is a bitwise operation to encrypt information and reduce the computational load of communication entities. Label, readers, and servers authenticate first and then communicate, MSB may be used to resistant to common attacks. The security analysis of the protocol shows that the protocol has high security properties, the performance analysis of the protocol shows that the protocol has the characteristics of low computational complexity, the formal analysis of the protocol based on GNY logic Gong et al. (1990) provides a rigorous reasoning proof process for the protocol.

Keywords

Radio frequency identification (RFID)mobile system mutual authentication ultra-lightweight bit replacement operation (Bro)

1 Introduction

With the development of information technology, RFID technology and communication network technology are bound to be deeply integrated. Optimistically in the long run, RFID technology has a broad prospect and is in the ascendant. However, due to cost, security risks, etc., the application of RFID is still subject to some restrictions and full of challenges.

Radio frequency identification technology appeared in the 1930s and 1940s, it was widely spread in the 1990s. Due to the limited technology at the time and the low demand from people, RFID technology was used in the RFID system application to exchange information between the reader and the server based on a wired connection. This exchange method is generally considered as safe and reliable. This system is called the traditional RFID system (Liu et al., 2016; Wang et al., 2018).

In the 21st century, with the rapid development of science and technology and the growth of human needs, traditional RFID systems have been unable to meet people’s needs, it leads to the emergence of mobile RFID systems (Zhao et al. 2019). The biggest difference between a mobile RFID system and a traditional RFID system is that the communication between the reader and the server in the mobile RFID system is not based on a wired connection link, but a wireless connection line is used for information transmission. Due to its inherent properties, wireless links have certain security risks (Xie et al., 2018, Bai, & He, 2019). The mutual authentication protocol applicable to the traditional RFID system is no longer applicable to the mobile RFID system, so it is necessary to design a new mutual authentication protocol for the mobile RFID system.

The wireless communication network has three characteristics:

Compared with wired network, wireless communication network has great openness;

The wireless communication network is mobile;

The transmission channel of the wireless communication network is unstable and will change.

It is precisely because of these three characteristics that the security problem of wireless communication networks is more serious than that of wired communication networks. The specific manifestations are as follows:

The wireless communication network is vulnerable to monitoring attacks, and the signal will be intercepted;

The wireless communication network is subject to insertion attacks, which leads to control of the wireless communication network system;

Users can use wireless communication networks without authorization;

The wireless communication network has obvious robustness;

The mobile IP security problem of the wireless communication network is relatively serious;

The wireless communication network will be subject to wireless interference.

Based on the security problem of wireless communication networks, an ultra-lightweight mutual authentication protocol for mobile RFID systems is presented based on bit replacement operations. In order to achieve the goal of reducing the computational load of communication entities, bit operations are used to encrypt the information in the designed protocol. At the same time, GNY logical formal analysis and security analysis of the protocol are carried out. GNY logic was proposed by Gong, Needham and Yahalom in 1990, Gong et al. (1990). It is a logic for analyzing authentication protocols. A completely different state search tool is used in GNY Logic, which includes a set of beliefs that are maintained by each topic and a set of inference rules to obtain new beliefs from old beliefs. BAN logic has a very simple and intuitive rule set, so it is easy to use. GNY logic can be used to find serious errors in the protocol, which has attracted widespread attention from security researchers. The application of GNY logic has epoch-making significance. It has greatly promoted the development of formal verification of security protocols and inspired many methods of formal verification of security protocols.

2 Related work

In the one-way authentication mobile authentication protocol, it is found that the protocol cannot resist man-in-the-middle attacks and replay attacks Sandhya, & Rangaswamy, (2011). An elliptic curve mobile authentication protocol was proposed (Zhou et al., 2012), but this solution could not ensure the privacy of the reader side. At the same time, the computational load on the label side is also large.

A lightweight mobile mutual authentication protocol was given (Sun, & Li, 2019). The protocol’s encryption of information was mainly based on the PUF (Physical Unclonable Function). Asynchronous attacks cannot be resisted in the protocol. The attacker can obtain the complete communication message by listening. When the communication entity’s session is blocked, the attacker can replay the information which is obtained by listening multiple times, the encryption key is shared between the tag end and the back-end server, they lose consistency, and the asynchronous attack that is initiated by the attacker succeeds.

An ultra-lightweight mobile authentication protocol was designed (Fan et al., 2018), information is encrypted based on bitwise operations. An attacker can obtain private information through certain physical means, so that the attacker can impersonate a tag or other communication entity to conduct further attacks, more privacy information may be obtained. The impersonation attack that was launched by the attacker was successful.

The Edwards curve mobile protocol was proposed (Yang et al., 2014). This protocol does not implement the reader to authenticate the label during the authentication process. An attacker can send information by impersonating the label, so label counterfeiting attacks cannot be resisted in the protocol.

Mobile mutual authentication protocol has certain security (Sundaresan et al., 2017). The protocol does not provide authentication of the reader at the tag end. An attacker can impersonate the reader to send information to the tag, so that the attacker can verify the tag, the feedback information of the tag is obtained, the message is analyzed, and the impersonation attack that is launched by the attacker is effective. If the limited space is given, more mutual authentication protocols can be found for mobile RFID systems in the literature (Cho et al., 2011; Yeh et al. 2011, 2014; Doss et al., 2013; Liao & Hsiao, 2014; Niu et al., 2014; Wang et al., 2017; Kaul & Awasthi, 2017; Ibrahim, & Dalkiliç 2019; Zhan, 2019; Fan et al., 2019). Asynchronous attack is when the attacker uses some means to update the shared key that is used by one of the communicating entities in the communication system, while the shared key that is used by the other communicating entity is not updated or the used parameter values in the update process are different, so that the shared keys between the two communicating entities lose consistency.

In view of the shortcomings of the above-mentioned mobile mutual authentication protocol, such as a large amount of calculation, complicated communication, or security flaws, an authentication protocol MSB is capable of meeting higher security requirements. In the MSB protocol, bit-replacement operations is used to encrypt the information to be transmitted, the computational load of communication entities is reduced as much as possible. In order to increase the difficulty for attackers to crack, all information is mixed with random numbers during the encryption process. The security analysis and performance analysis of the protocol show that the protocol has high security, and the protocol can be applied to mobile passive label systems.

3 MSB design

3.1 Symbol description and protocol initialization

For the convenience of description in this article, the symbol Bro(X, Y) is used to indicate the Bit Replacement Operation (Bro). The bit replacement operation is calculated as follows: X and Y are binary sequences with length L bits, X and Y are traversed in sequence from left to right. When the number on X is 0, the corresponding number is traversed on Y, they are replaced (0 is replaced by 1, and 1 is replaced by 0). When the number on X is 1, Y does not perform any operation, and a new binary sequence Z is formed, that is, Z = Bro(X, Y).

In order to facilitate the understanding of the bit replacement operation, the following examples are given to explain: L = 8 bits, X = 01100101, Y = 00001100, are taken, according to the above definition of bit replacement operation, Z = Bro(X, Y) = 10010110 can be obtained. The specific schematic is shown in Fig. 1.

Fig. 1

Bit replacement operation diagram.

The symbols appearing in the protocol are described in Table 1.

Table 1

Symbol Description

Symbol	Meaning
Tag	Tags
Reader	Mobile reader
DataBase	Server
ID _Tag	Tag identifier
ID _Reader	Reader identifier
K	Shared keys between communicating entities
K _L	Left half of the shared secret
K _R	Right half of shared key
K ^old	Communication entity’s last round authentication shared key
K ^new	Communicating entity authenticative shared secret in this round
r ^Tag	Random number generated by the label
r ^Reader	Random number generated by reader
r ^DataBase	Random number generated by the server
⊕	XOR operation
&	AND operation
Bro(X, Y)	Bit replacement operation

Before the authentication protocol starts, all communication entities are initialized in the protocol. After the initialization is complete, each communication entity stores information as follows: tag-side storage (K_L, K_R, ID_Tag), mobile reader side storage (K_L, K_R, ID_Reader), Server-side storage (K_L, K_R, ID_Tag, ID_Reader).

3.2 MSB certification process

Figure 2 is for authentication process description of the mutual authentication protocol MSB.

Fig. 2

MSB certification diagram.

The symbols of the mutual authentication protocol in Fig. 2 are described by the formula in Table 2.

Table 2

Formula description

Symbol	Meaning
A	r^Reader ⊕ K_R
B	r^Reader ⊕ K_L
C	(r^Reader & K_R) ⊕ r^Tag
D	(ID_Tag & K_L) ⊕ r^Tag
E	Bro (r^Tag, r^Tag ⊕ K_R)
F	Bro (r^Reader & K_L, r^Tag)
G	r^Reader ⊕ ID_Reader
H	Bro (r^Reader ⊕ (ID_Reader & K_L) , r^Reader & ID_Reader)
I	r^DataBase ⊕ (r^Reader & ID_Reader)
J	r^DataBase ⊕ (r^Tag & ID_Tag)
M	Bro (r^Reader, r^DataBase & ID_Reader)
N	Bro (r^Tag, r^DataBase & ID_Tag)
Q	r^Reader & r^DataBase & r^Tag

With reference to Fig. 2, the specific process of the mutual authentication protocol MSB is described as follows:

Step 1: The reader generates a random number r^Reader, then calculates A and B, and finally sends < Query, A, B > to the tag together. The calculation process of A and B is shown in Table 2.

Step 2: Check whether A⊕ K_R and B⊕K_L are equal. If A⊕ K_R=B⊕ K_L, the reader passes verification, then the tag generates a random number r^Tag, then calculates C, D, E, F, and finally sends < C, D, E, F > to the reader to indicate the tag’s response to the reader. If A⊕ K_R ≠ B⊕ K_L, it indicates that the reader is forged and the protocol stops. Among them, the calculation process of C, D, E, F is shown in Table 2.

Step 3: The reader obtains the random number r^Tag by calculating (r^Reader & K_R) ⊕C, then the calculated random number r^Tag is combined with r^Reader and K_L to calculate F^′, and compare whether F^′ and F are equal.

If F^′=F, it indicates that the random number r^Tag calculated by the reader is the same as the random number r^Tag generated by the tag, and the tag is verified, then the reader calculates G and H again, and finally it will be < D, E, G, H>is transmitted to the server together.

If F^′ ≠ F, the label is forged and the protocol is stopped. Among them, F^′=Bro(r^Reader & K_L, (r^Reader & K_R) ⊕C), the calculation process of G and H is shown in Table 2.

Step 4: The server is performed in two steps. The reader is verified first, and the tag is verified if and only if the reader is verified.

(1) Verification of the reader

The server obtains the random number r^Reader by calculating G⊕ID_Reader, then calculates the random number r^Reader and combines ID_Reader and K_L to calculate H^′, and compares whether H^′ and H are equal.

If H^′=H, it indicates that the random number r^Reader calculated by the server is the same as the random number r^Reader generated by the reader, and the reader passes the verification, and then the server starts to verify the tag.

If H^′=H, the server will replace K^new with K^old to calculate H^′′ again. It will again check whether H^′′ and H are equal. If H^′′=H, it indicates that the reader passed the verification, and then the server starts to verify the tag. If H^′′=H, it means that the reader is forged and the protocol stops.

Where H^′=Bro((G⊕ID_Reader)⊕(ID_Reader & K_L), (G⊕ID_Reader) & ID_Reader), H”=Bro ((G⊕ID_Reader) ⊕ (ID_Reader & $K_{L}^{old}$ ), (G⊕ID_Reader) & ID_Reader).

(2) Verification of labels

The server obtains a random number r^Tag by calculating (ID_Tag & K_L) ⊕D, and then calculates the random number r^Tag in combination with K_R to obtain E^′, and compares whether E^′ and E are equal.

If E^′=E, it indicates that the random number r^Tag calculated by the server is the same as the random number r^Tag generated by the tag, and the tag is verified, and then the server proceeds to step (a).

If E^′ ≠ E, the server will replace K^new with K^old and calculate E^′′ again. It will check whether E^′′ and E are equal again. If E^′′=E, it means that the tag is verified, and then the server performs step (a). If E^′′ ≠ E, it means that the tag is forged and the protocol is stopped. Where E^′=Bro((ID_Tag & K_L) ⊕D, ((ID_Tag & K_L) ⊕D) ⊕ K_R), $E^{''} = Bro (({ID}_{Tag} & K_{L}^{old}) \oplus D, (({ID}_{Tag} & K_{L}^{old}) \oplus D) \oplus K_{L}^{old})$ .

Step (a): the server generates a random number r^DataBase, and then calculates I, J, M, N, then the server starts to update the information K^old= K, K = K^new, and finally transmits < I, J, M, N>to reader, to indicate the server’s response to the reader. Among them, K^new = Bro(r^DataBase⊕r^Tag⊕r^Reader, K), the calculation process of J, M, N is shown in Table 2 in detail.

Step 5: The reader obtains the random number r^DataBase by calculating I⊕(r^Reader & ID_Reader), and then calculates the random number r^DataBas^e in combination with ID_Reader and r^Reader to obtain M^′, and compares whether M^′ and M are equal.

If M^′=M, it indicates that the random number r^DataBase calculated by the reader is the same as the random number r^DataBase generated by the server, and the server passes the verification, then the reader calculates Q, the reader starts to update the information K = Bro(r^DataBase⊕r^Tag⊕r^Reader, K). Finally, send < J, N, Q>to the tag together.

If M^′ ≠ M, the server is forged and the protocol is stopped. Wherein M^′=Bro(r^Reader, (I⊕(r^Reader & ID_Reader)) & ID_Reader). Q calculation process is shown in Table 2 in detail.

Step 6: The tag needs to complete verification of the reader and server.

(1) Verification of the server

The tag obtains a random number r^DataBase by calculating J⊕ (r^Tag & ID_Tag), and then calculates the random number r^DataBase and combines r^Tag and ID_Tag to calculate N^′, and compares whether N^′ and N are equal.

If N^′=N, it indicates that the random number r^DataBase calculated by the tag is the same as the random number r^DataBase generated by the server, and the server passes the verification, and then the tag starts to verify the reader.

If N^′ ≠ N, the server is forged and the protocol is stopped. Where N^′=Bro(r^Tag, (J⊕ (r^Tag & ID_Tag)) & ID_Tag).

(2) Verification of the reader

The tag uses the random number r^DataBase in (1) above to calculate Q^′, it is combined wih r^Tag and r^Reader to compare whether Q^′ and Q are equal.

If Q^′=Q, it indicates that the reader has passed the verification, and then the tag starts to update the information K = Bro(r^DataBase⊕r^Tag⊕r^Reader, K), after the information update is completed, the authentication ends between the communicating entities.

If Q^′ ≠ Q, the reader is forged and the protocol is stopped. Where Q^′=r^Reader & (J⊕ (r^Tag & ID_Tag)) & r^Tag.

4 Formal analysis based on GNY logic

GNY logic is a formal logic analysis method based on rules and assumptions. It gradually derives from the initial assumptions what the protocol needs to achieve purpose by receiving and sending messages during the operation of the authentication protocol. In this paper, according to the formal model and initialization assumption of the agreement, the formal proof of the agreement is obtained step by step from the inference rules of GNY logic.

4.1 Formal description of the protocol

Message 1: T< *[A, B, Query];

Message 2: R< *[C, D, E, F];

Message 3: DB< *[D, E, G, H];

Message 4: R< *[I, J, M, N];

Message 5: T< *[J, N, Q].

Wherein, T represents the tag, R represents the reader, DB represents the server.

4.2 Protocol initialization hypothesis

Hypothesis 1: T ϶ (K, r^Tag, ID_Tag), it indicates that the tag has a shared key K, the tag identifier ID^Tag, and the tag generates a random number r^Tag.

Hypothesis 2: R ϶ (K, ID_Reader, r^Reader), it indicates that the reader has a shared key K, the reader identifier ID_Reader, and the reader generates a random number r^Reader.

Hypothesis 3: DB ϶ (K, ID_Reader, r^Reader, r^Tag, r^DataBase, ID_Tag); it indicates that the server has a shared key K, reader ID ID_Reader, tag identifier ID_Tag, reader generated random number r^Reader, server generated random number r^DataBase, tag generates a random number r^Tag.

Hypothesis 4: R |≡ #(r^Reader, r^DataBase, r^Tag), it indicates that the reader believes that the random number r^Reader, r^DataBase, r^Tag are fresh.

Hypothesis 5: T |≡ #(r^Reader, r^DataBase, r^Tag), it indicates that the tag believes that the random numbers r^Reader, r^DataBase, and r^Tag are fresh.

Hypothesis 6: DB |≡ # (r^Reader, r^DataBase, r^Tag), it indicates that the server believes that the random numbers r^Reader, r^DataBase, and r^Tag are fresh.

Hypothesis 7: $T | \equiv R \overset{K}{\leftrightarrow} T \overset{K}{\leftrightarrow} DB$ , which means that the tag believes that the key K is shared between the tag, reader, and server.

Hypothesis 8: $R | \equiv R \overset{K}{\leftrightarrow} T \overset{K}{\leftrightarrow} DB$ , it indicates that the reader trusts the key K is shared between the tag, the reader and the server.

Hypothesis 9: $DB | \equiv R \overset{K}{\leftrightarrow} T \overset{K}{\leftrightarrow} DB$ , it indicates that the server trusts the key K is shared between the tag, the reader and the server.

Hypothesis 10: $T | \equiv DB \overset{I D_{Tag}}{\leftrightarrow} T$ , it indicates that the tag believes the information ID_Tag is shared between the tag and the server.

Hypothesis 11: $DB | \equiv T \overset{I D_{Tag}}{\leftrightarrow} DB$ , it indicates that the server believes the information ID_Tag is shared between the tag and the server.

Hypothesis 12: $R | \equiv DB \overset{I D_{Reader}}{\leftrightarrow} R$ , it indicates that the reader believes the information ID_Reader is shared between the reader and the server.

Hypothesis 13: $DB | \equiv R \overset{I D_{Reader}}{\leftrightarrow} DB$ , it indicates that the server believes the information ID_Reader is shared between the reader and the server.

4.3 Proof of agreement

There are five goals that a two-way authentication protocol needs to prove. They are as follows:

Objective 1: T | ≡ R | ∼ # (A, B);

Objective 2: R | ≡ T | ∼ # (C, D, E, F);

Objective 3: DB | ≡ R | ∼ # (D, E, G, H);

Objective 4: R | ≡ DB | ∼ # (I, J, M, N);

Objective 5: T | ≡ R | ∼ # (J, N, Q).

4.4 Protocol certification process

GNY logic contains multiple algorithms, where T is used to denote logical reasoning rules, P is used to inform rules; F is used to represent fresh rules; and I is used to represent possession rules (Zhang et al., 2019; Gong et al., 1990).

The proof process of the above five proof goals is similar. Here, the goal Goal1 is selected as an example for proof. Due to the limited space, the detailed certification process of other certification objectives will not be explained.

∵ Rule P1: $\frac{P < X}{P ϶ X}$ and Message 1: T< *[A, B, Query]

∴ T ∋ {A, B}

∵ Rule F1: $\frac{P | \equiv (X)}{P | \equiv (x, y), P | \equiv # F (X)}$ and Hypothesis 4: R | ≡ # (r^Reader, r^DataBase, r^Tag)

∴ T=# {A, B}

∵ Rule P2: $\frac{P ϶ X, P ϶ Y}{P ϶ (X, Y), P ϶ F (X, Y)}$ , Hypothesis 1: T ϶ (K, r^Tag, ID_Tag), Hypothesis 2: R ϶ (K, ID_Reader, r^Reader)

∴ T ϶ {A, B}

∵ Rule F10: $\frac{P | \equiv (X), P ϶ X}{P | \equiv # (H (X))}$ and the derived T=# {A, B}, T ϶ {A, B}

∴ T | ≡ # {A, B}

∵ Rule I3: $\frac{P < H (X, < S >) > P ϶ (X, s), P | \equiv P \leftrightarrow Q, P | \equiv # (X, S)}{P | \equiv Q | \sim (X, S), P | \equiv Q \sim H (X, < S >)}$

∵ Hypothesis 7: $T | \equiv R \overset{K}{\leftrightarrow} T \overset{K}{\leftrightarrow} DB$ , Hypothesis 8: $R | \equiv R \overset{K}{\leftrightarrow} T \overset{K}{\leftrightarrow} DB$ , and Message 1: T< * [A, B, Query]

∴ T |=R ∼ {A, B}

∵ The definition of freshness and the derived T=# {A, B}, T |=R ∼ {A, B,}

∴ Objective 1: T | ≡ R | ∼ # (A, B) is proved.

5 Protocol security analysis

5.1 Replay attack

If an attacker wants to initiate a replay attack, he needs to eavesdrop and to obtain the previous round of communication messages, and then send the eavesdropping to a party in the communication system again in an attempt to pass the verification, and the corresponding privacy information is obtained. The protocol in this paper is to resist the replay attack that is launched by the attacker, and all the random numbers are mixed in the encryption process of all communication messages, which makes the messages inconsistent in the previous two rounds of communication. Because the random number is randomly generated and has non-repeatability, the encrypted communication message with the random number is different before and after, and it cannot be predicted. Therefore, when the attacker replays and listens to obtain the last round of messages, the message value that is used in the current communication has already changed, so the attacker’s replay attack fails, and the protocol can resist the replay attack.

5.2 Asynchronous attack

In a communication system, an attacker uses some means to update the shared key that is used by one communication entity for encryption, while the shared key that is used by the other communication entity for encryption is not updated, or parameters’ values are different in the update process, this makes the shared key inconsistent between the two communicating entities. In order to resist asynchronous attacks, the protocol in this article specifically stores the shared key value in the current round of communication on the server side, and also stores the shared key value that is used in the previous round of communication. When the server cannot verify the reader or tag with the current key, it will call the previous round of keys to initiate verification of the tag or reader again. In this way, it can resist asynchronous attacks that are initiated by the attacker. Based on the above, the protocol can resist asynchronous attacks.

5.3 Man-in-the-middle attack

The attacker obtains communication messages by eavesdropping on a conversation process, and deletes or tampers with the acquired messages, a man-in-the-middle attack is launched to achieve the purpose of passing the verification of the communication entity. In order to resist this kind of attack, the protocol in this article introduces random numbers in the process of information encryption. For the attacker, they do not know the random numbers that are used in each round of encryption. Without knowing the random number, if a man-in-the-middle attack want to be launched, a number can only randomly selected to modify or tamper with the message. When any communication entity in the system receives the message, it can be identified through a simple calculation that the source of the message is forged, and the protocol stops immediately. Based on the above, the protocol can resist man-in-the-middle attacks.

5.4 Forward security

Forward security means that the attacker obtains the message in the current communication by some means, the message is analyzed in various ways, and the value of the message in the next round of communication cannot be predicted, this ensures the privacy safety of the information. To ensure that forward security requirements can be provided, the tag-end uses a random number r^Tag to ensure the freshness of the message, the reader-end uses a random number r^Reader to ensure the freshness of the message, the server-end uses a random number r^DataBase to ensure the freshness of the message. Each round of random numbers is randomly generated, and it has unpredictability and non-repetition, it is impossible for an attacker to predict the random number for encryption in the next round of communication. Naturally, the attacker cannot analyze any useful privacy information from the currently obtained messages. Based on the above, the protocol can provide forward security.

5.5 Fake attack

A counterfeit attack means that an attacker pretends to be one of the communicating entities and sends a message to another communicating entity, verification is passed and relevant private information is obtained. There are three communication entities in this protocol: tags, readers, and servers. For attackers, they can pretend to be one of them to launch a replay attack. In view of the limited space, only the attacker is disguised as a tag to launch a fake attack.

When an attacker masquerades as a tag, a message is sent to the reader. If the attacker sends the message to the reader, the verification of the reader is passed, the attacker needs to calculate the correct < C, D, E, F>values. However, it is impossible for the attacker to correctly calculate the values of the above four communication messages for the following reasons. If the attacker does not know the shared key K, it is impossible to calculate the correct random number r^Reader through messages A and B, without the correct value of the random number r^Reader, correct calculations of < C, D, E, F>are impossible. When the attacker cannot obtain the value of the random number r^Reader, the attacker can only choose a random number as the random number for calculation. From this, it can be inferred that the calculated value < C, D, E, F>of the attacker must be wrong. When the reader receives the message, it performs a simple calculation, it can be distinguished that the source of the message is forged, the protocol is stopped, and the attacker does not obtain any useful information. Therefore, the protocol is resistant to counterfeiting attacks.

5.6 Mutual authentication

Mutual authentication is the most basic security requirement for an authentication protocol. The mutual authentication in the protocol includes three parts: mutual authentication between the reader and the tag, mutual authentication between the reader and the server, and mutual authentication between the tag and the server. The three-part mutual authentication analysis process is similar. In view of the limited space, the mutual authentication between the reader and the tag is selected as an example for illustration.

According to the above description of the MSB protocol, it can be known that in step 2, the tag authenticates the reader for the first time through A and B, in step 6, the tag passes Q to authenticate the reader again. The reader’s authentication of the tag is done in steps 3 through C and F. Regarding how the specific mutual authentication is implemented between the two, please refer to the steps of the MSB protocol in the previous article for details. Based on the above, the protocol can provide mutual authentication between communicating entities.

The protocol in this paper performs security comparison with other such protocols, and the comparison results are shown in Table 3.

Table 3
Protocol security comparison

Attack type Ref. Gong, et al. (1990) Ref. Zhou, et al. (2012) Ref. (Sun &amp Li 2019) Ref. (Fan, et al., 2018) Ref. (Yang, et al., 2014) This article protocol

Replay attack × √ √ √ √ √

Asynchronous authentication √ × √ √ √ √

Man-in-the-middle attack × √ √ √ √ √

Forward security √ √ √ √ √ √

Impersonation attack √ √ × × × √

Mutual authentication √ √ √ √ √ √

Attack type	Ref. Gong, et al. (1990)	Ref. Zhou, et al. (2012)	Ref. (Sun &amp Li 2019)	Ref. (Fan, et al., 2018)	Ref. (Yang, et al., 2014)	This article protocol
Replay attack	×	√	√	√	√	√
Asynchronous authentication	√	×	√	√	√	√
Man-in-the-middle attack	×	√	√	√	√	√
Forward security	√	√	√	√	√	√
Impersonation attack	√	√	×	×	×	√
Mutual authentication	√	√	√	√	√	√

Note: ×means cannot resist, √ means able to resist.

6 Protocol performance analysis

In a mobile RFID system, there are three communication entities: a tag, a reader, and a server. Both the reader and the server have large storage space and strong computing power, but the tag does not have the above advantages. Therefore, in the performance analysis, the tag is generally selected as the research object, and the calculation amount and storage from one end of the tag are generally selected to measure performance. The performance analysis results of this protocol and other types of protocols are shown in Table 4.

Table 4
Protocol performance comparison

References Protocol Calculation capacity Storage capacity

Ref. Gong et al. (1990) pa 3l

Ref. Sandhya &Rangaswamy, (2011) 4pb + pa 2l

Ref. Zhou. et al. (2012) 3pc + 2pd + 2pe 5l

Ref. (Sun &amp Li 2019) pc + pf 3l

Ref. (Fan et al., 2018) 2pa 2l

Ref. (Yang et al., 2014) 5pc + 3pd 4l

Protocol in the article pg + 4ph + 10pi 2l

References Protocol	Calculation capacity	Storage capacity
Ref. Gong et al. (1990)	pa	3l
Ref. Sandhya &Rangaswamy, (2011)	4pb + pa	2l
Ref. Zhou. et al. (2012)	3pc + 2pd + 2pe	5l
Ref. (Sun &amp Li 2019)	pc + pf	3l
Ref. (Fan et al., 2018)	2pa	2l
Ref. (Yang et al., 2014)	5pc + 3pd	4l
Protocol in the article	pg + 4ph + 10pi	2l

The following explanations are made to the symbols appearing in Table 4: pa indicates the calculation amount of the hash function, pb indicates the calculation amount of the scalar multiplication operation, pc indicates the calculation amount of the pseudo-random number function, pd indicates the calculation amount of the modulo operation, pe represents the amount of calculation for a physical unclonable function, pf is the amount of calculation for a crossover operation, pg is the calculation amount for generating a random number, ph is the amount of calculation for a bit replacement operation, pi is the amount of calculation for a bit operation (Bit operations here include AND operations, XOR operations, etc.).

Among the above calculations, pa, pb, pc, pd, pe, and pg belong to lightweight calculations. pf, ph, and pi belong to super lightweight calculations. Experts and scholars generally believe that a lightweight calculation is equivalent to dozens or even hundreds of super lightweight calculations. Therefore, during the operation of the protocol, compared to lightweight calculations, the number of ultra-lightweight calculations is several times, and even more than ten times. The impact is very small on the overall calculation amount of the entire system, and it is almost negligible. The protocol in this article includes three types of calculations: calculations to generate random numbers, bit replacement operations, and bit operations. The calculations to generate random numbers are one and only one, that is, the number of lightweight operations is only one time. Other operations are super lightweight calculations. The protocol in this paper is compared with other such protocols in terms of calculation volume. The protocol in this paper has certain advantages in the calculation volume on the label side, and the total calculation volume is significantly less than that of other protocols.

One end of the tag is mainly used to store the two parameters of the tag identifier ID_Tag and the shared key K between the communication entities. The lengths of the ID_Tag and K are both l bits. Therefore, the storage capacity at the end of the protocol tag in the text is 2l.

7 Conclusion

The radio frequency identification system generally consists of three parts: a background database, tags and readers. In the traditional sense, a wired connection between the reader and the back-end database is generally regarded as secure communication. However, with the close integration of the Internet of Things and wireless communications, and the rapid development of mobile payment and other services, mobile RFID systems have begun to receive widespread attention. In the mobile RFID system, the reader and the back-end database communicate wirelessly, which has the advantages of strong mobility and convenience. However, due to the wireless connection, the communication under this link has security risks and is vulnerable to attacks such as counterfeiting and replay, which leads to the leakage of user privacy. Therefore, it is very important to design a safe and effective two-way authentication protocol for mobile RFID systems.

The traditional RFID system cannot meet people’s needs, it leads to the creation of mobile RFID systems. However, the protocols that is applicable to traditional RFID systems cannot meet the requirements of mobile RFID systems. In order to solve this problem, an authentication protocol that can be applied to mobile RFID systems is proposed. The proposed protocol implements encryption of transmission information based on bit-replacement operations. Bit-replacement operations can be implemented by bit-wise operations, the computational load of communication entities is reduced to a certain extent. In order to ensure the security of communication messages, all information is encrypted before transmission. At the same time, random numbers are mixed in all information encryption processes, it increases the difficulty for attackers to crack. The security of the protocol from the perspective of different types of attacks indicates that the protocol has high security, the performance analysis of the protocol with labels as the object shows that the protocol can be applied to passive label systems. At the same time, formal reasoning proof of the protocol is made based on GNY logic. The next research direction is to apply the designed protocol to a specific mobile RFID system, and statistical research and analysis are made on parameters such as the specific time of protocol operation.

Footnotes

Acknowledgments

This work was sponsored by the Scientific Research Project (No. 19B329) of Hunan Provincial Education Department, China

References

Bai,

, He,

Y. G.

(2019). Recognition of the anti-collision algorithm for RFID systems based on tag grouping. International Journal of Information & Computation Technology, 14(1), 81–88.

Cho,

J. S.

, Yeo,

S. S.

, Kim,

S. K.

(2011). Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value. Computer Communications, 3(3), 391–397. Doi: 10.1016/j.comcom.2010.02.029

Doss,

, Sundaresan,

, Zhou,

W. L.

(2013). A practical quadratic residues based scheme for authentication and privacy in mobile RFID systems. Ad hoc Networks, 1(1), 383–396. Doi: 10.1016/j.adhoc.2012.06.015

Fan,

, Jiang,

, Li,

et al. (2018). Lightweight RFID protocol for medical privacy protection in IoT. IEEE Transactions on Industrial Informatics, 14(4), 1656–1665.

Fan,

, Zhu,

S. S.

, Zhang,

et al. (2019). A lightweight authentication scheme for cloud based RFID healthcare systems. IEEE Network, 33(2), 44–49.

Gong,

, Needham,

, Yahalom,

(1990). Reasoning about belief in cryptographic protocols. In Proceeding softhe IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, 7–9 May 1990; pp. 234–248.

Gong,

, Needham,

, Yahalom,

(1990). Reasoning about belief in cryptographic protocols. IEEE Computer Society Symposium on Security and Privacy, pp. 234–248. Oakland, CA

Ibrahim,

, Dalkiliç.

(2019). Review of different classes of RFID authentication protocols. Wireless Networks, 25(3), 961–974.

Kaul,

S. D.

, Awasthi,

A. K.

(2017). Privacy model for threshold RFID system based on PUF. Wireless Personal Communications, 95(3), 2803–2828.

10.

Liao,

Y. P.

, Hsiao,

C. M.

(2014). A secure ECC-based RFID authentication scheme integrated with ID-verifier transfer protocol. Ad hoc Networks, 7(7), 133–146. Doi: 10.1016/j.adhoc.2013.02.004

11.

Liu,

D. W.

, Ling,

, Yang,

(2016). Improved RFID Authentication Protocol with Backward Privacy. Computer Science, 43(8), 128–130. doi: 10.11896/j.issn.1002-137X.2016.8.027

12.

Niu,

, Zhu,

X. Y.

, Chi,

H. T.

et al. (2014). Privacy and Authentication Protocol for Mobile RFID Systems. Wireless Personal Communications, 3(3), 1713–1731. Doi: 10.1007/s11277-014-1605-6

13.

Sandhya,

, Rangaswamy,

T. R.

(2011). A secure and efficient authentication protocol for mobile RFID systems. Journal of Digital Information Management, 9(3), 99–105.

14.

Sun,

Z. W.

, Li,

(2019). Lightweight Authentication Protocol for Location Privacy Using PUF in Mobile RFID System. Journal of Frontiers of Computer Science & Technology, 13(3), 418–428.

15.

Sundaresan,

, Doss,

, Piramuthu,

et al. (2017). A secure search protocol for low cost passive RFID tags. Computer Networks, 122, 70–82.

16.

Wang,

W. C.

, Yona,

, Diggavi,

S. N.

et al. (2018). Design and analysis of stability guaranteed PUFs. IEEE Transactions on Information Forensics and Security, 13(4), 978–992.

17.

Wang,

G. W.

, Jia,

Z. P.

, Peng,

W. P.

(2017). A Mutual Authentication Protocol of Mobile RFID Based on Dynamic Shared-Key. Acta Electronica Sinica, 45(3), 612–618. doi: 10.3969/j.issn.0372-2112.2017. 03.016.

18.

Xie,

, Jian,

B. Y.

, Liu Daowei,

D. W.

(2018). An improved ownership transfer for RFID protocol. International Journal of Network Security, 20(1), 149–156.

19.

Yang,

Y. L.

, Peng,

C. G.

et al. (2014). Edwards curves based security authentication protocol for mobile RFID systems. Journal on Communications, 35(11), 132–138 10.3969/j.issn.1000-436x.2014. 11.015

20.

Yeh,

T. C.

, Dai,

J. L.

, Wang,

S. S.

(2014). A secure mutual authentication protocol for mobile RFID systems. Information, 17(6), 2751–2763.

21.

Yeh,

T. C.

, Wu,

C. H.

, Tseng,

Y. M.

(2011). Improvement of the RFID authentication scheme based on quadratic residues. Computer Communications, 3(3), 337–341. Doi: 10.1016/j.comcom.2010.05.011

22.

Zhan,

S. H.

(2019). Mobile RFID Bidirectional Authentication Protocol Based on Cross-Bitwise Operation. Computer Engineering and Applications, 55(7), 120–126. doi: 10.3778/j.issn.1002-8331. 1801-0227.

23.

Zhang,

Y. L.

, Chen,

S. G.

, Zhou,

et al. (2019). Monitoring bodily oscillation with RFID tags. IEEE Internet of Things, 6(2), 3840–3854. Doi: 10.1109/JIOT.2019.2892000

24.

Zhao,

T. F.

, Yin,

, Zhao,

S. T.

(2019). Anti-Desynchronization and Efficient RFID Mutual Authentication Protocol. Computer Engineering and Applications, 55(12), 90–96. doi: 10.3778/j.issn.1002-8331.1804-0343

25.

Zhou,

, Zhou,

, Xiao,

et al. (2012). Mutual authentication protocol for mobile RFID systems. Journal of Computational Information Systems, 8(8), 3261–3268.