A Privacy Preserving Improvement for SRTA in Telecare Systems

Abstract
Radio Frequency Identification (RFID) is a modern communication technology that provides authentication and identification without physical contact. Recently, the use of this technology has grown in healthcare environments. Although RFID technology can make systems smarter, privacy and security issues ought to be considered first. In 2015, Li et al. proposed SRTA, a hash-based RFID authentication protocol for medication verification in healthcare. In this paper, we study this protocol and show that the SRTA protocol is vulnerable to traceability, impersonation and DoS attacks, so it does not provide privacy and security for RFID end-users. Therefore, we propose an improved secure and efficient RFID authentication protocol to enhance the performance of Li et al.’s method. Our analysis shows that the existing weaknesses of the SRTA protocol are eliminated in our proposed protocol.
Keywords: RFID Authentication protocol, Privacy, Security, Telecare, Traceability attack, DoS attack, Impersonation attack.
1. Introduction
Radio Frequency Identification (RFID) technology has outlined a novel future for our world. Aviation, building management, financial services, livestock and animal tracking, marinas, passenger transport, supply chains, railways and healthcare are some examples of RFID usage that show the variety of its applications in our lives [1-4]. Nowadays, the utilization of RFID systems in healthcare has grown substantially, for instance patient tracking, wait-time monitoring, medication authentication and control asset management, docum-
main parts: tag, reader and back-end server. The tag is placed inside the products or the items of interest, for authentication and identification in contact with the readers. Tags are categorized into one of three classes: active, passive and semi-active. A passive tag does not have any battery, so it cannot start a new connection unless it is located in the electromagnetic field of the reader, where it gains enough power to transmit its messages. An active tag normally operates at 433MHz Ultra High Frequency (UHF) and has an inner battery which lets it start a new conversation with the reader whenever it wants. Of course, these properties increase the cost and the volume of this type of tag, which constrain its usage in military applications, at microwave and ultra-wide band frequency ranges [7]. A semi-active tag has a battery, which it uses only to perform internal operations; it relies on the reader’s signal to power its antenna and modulator [8]. The back-end server connects to the readers through secure or insecure channels and stores all the identification information of the readers and the tags in its database for further processing.
“98000 people annually die due to medication related mistakes in the United States,” reported the Institute of Medicine (IOM) [9], which is the result of three main facts: similarity in the name of medicine, packing and types of labels [10]. Nowadays, in order to establish confidentiality and privacy, and to solve the problems of existing methods, new protocols have been proposed [11]. According to the statement of the IOM, a number of those are specifically considered for Telecare Medicine Information System (TMIS). It is undeniable that an efficient RFID security scheme can increase the security and privacy of RFID end-users significantly [12].
Figure 1. RFID system
In 2011, Chen et al. [13] proposed a tamper resistant prescription RFID access control protocol for different certified readers where both authentication and access right authorization mechanisms were and it was claimed to guarantee patient’s right. In the same year, a new hash-based RFID mutual authentication protocol was proposed by Cho et al. [14]; they believe that their protocol makes it difficult for an attacker to launch an effective brute-force attack against RFID users. But Kim et al. [15] showed that Cho et al.’s protocol is weak against the desynchronization attack and proposed a hash-based mutual authentication protocol to solve the security problems in Cho et al.’s protocol and the privacy problems in previous RFID authentication protocols. In 2012, Yu et al. proposed a grouping proof protocol [16] for low cost RFID tags and showed that not only was the number of logic gates in their protocol reduced, but it also requires less computational power and lower operation costs than the last proposed protocol. In the same year, Wu et al. [17] showed that Yu et al.’s protocol was still vulnerable to impersonation attacks and proposed a lightweight binding proof protocol to overcome its weaknesses.
Srivastava et al. [5] proposed a protocol in 2015 to strengthen the security level of the common protocol, using a hash algorithm and a synchronized secret value shared between the tag and the back-end server, which was believed to be safe against various active and passive attacks. However, Li et al. [6] showed in the SRTA (Secure RFID Tag Authentication) protocol that Srivastava et al.’s tag authentication protocol has a security problem which lets an adversary use a lost reader to connect to the medical back-end server. Moreover, they believe that Srivastava et al.’s protocol fails to provide mutual authentication between the reader and the back-end server, so they have proposed a secure and efficient RFID tag authentication protocol to overcome the mentioned weaknesses.
In this paper, we analyze the SRTA protocol [6] and show that there are still weaknesses in the protocol. Using timestamps in the structure of their protocols was the novelty of Srivastava et al. and Li et al., which prevents data forgery and replay attacks. However, we show that declaring timestamps explicitly through the protocol on the one hand, and inaccuracy in producing the messages on the other hand, lead to the tag impersonation and reader impersonation attacks. Moreover, expressing the reader’s and tag’s identification values through the authentication phases and the lack of an appropriate updating procedure put the privacy of their protocol at risk. In order to investigate the privacy of this protocol, we use the Ouafi and Phan privacy model [18] and, by exploiting the mentioned vulnerabilities, we present the tag and reader traceability attacks on the SRTA protocol [6]. Besides, it should be known that the low cost of an RFID tag results in computation and complexity restrictions on the tag side, but this restriction is not so serious in the back-end server due to the presence of powerful processors [12]. Therefore, we propose an improved version of the SRTA protocol [6] that prevents the mentioned attacks and decreases the computation cost on the tag side.
The rest of the paper is organized as follows: the privacy model of Ouafi and Phan is described in Section 2. The SRTA protocol is reviewed in Section 3. In Section 4, the SRTA protocol is analyzed and its weaknesses are discussed. An improved version of Li et al.’s protocol is proposed in Section 5 and the analysis of our improved version is discussed in Section 6. Finally, the paper is concluded in Section 7.
2. Privacy model of Ouafi and Phan
Providing confidential communication for RFID users is one of the main goals of every RFID communication scheme. As a result, studying the privacy of proposed authentication protocols is always prominent for researchers [19, 20]. In order to evaluate the privacy of RFID protocols, different models have been proposed, and one appropriate and well-known model is the Ouafi and Phan privacy model [18], which is described in this section. It is an Untraceable Privacy (UPriv) model, which can briefly be described as follows:
The reader R and the tag T are the components of the model, and the communications between all protocol parties are managed by an adversary A, based on the protocol definition. The following queries can be run by an adversary A:
∎ Execute(R, T, i) query: This query is categorized as a passive attack and lets the attacker A eavesdrop on the messages transmitted between the reader R and the tag T in the ith session of the protocol.
∎ Send(U, V, i, m) query: An active attack is modeled with this query by sending the message m from U ∈ tag T (reader R) to V ∈ reader R (tag T) in the ith session of the protocol. Besides, the adversary A can alter or block the exchanged messages.
∎ Corrupt(T, K) query: The attacker A is able to obtain K', the secret value of the tag T, and set it to K.
Stored values
  Back-end server: (ID_k, V_k, W_k, x_j, x_{j-1}, s_j, s_{j-1}, RID_k)
  Reader: x_j, RID_k
  Tag: s_j, ID_k

Reader
  1    Input RID_k and RPW_k
  1.1  V_k = h(x_j ∥ RID_k)
  1.2  W_k = h(x_j ∥ RID_k) ⊕ RID_k ⊕ RPW_k
  1.3  V_k' = W_k ⊕ RID_k ⊕ RPW_k; continue if V_k = V_k'
  1.4  Generates R_r
  1.5  A = V_k' ⊕ R_r
  1.6  B = h(V_k' ⊕ T_1 ⊕ R_r)
  1.7  Reader → Tag: A, B, RID_k, T_1

Tag
  2.1  Generates R_t randomly
  2.2  C = h(s_j ∥ ID_k) ⊕ R_t
  2.3  D = h(h(s_j ∥ ID_k) ⊕ T_2 ⊕ R_t)
  2.4  Tag → Reader: C, D, ID_k, T_2

Reader
  3.1  If T_2 - T_1 > ΔT, reveal the protocol; else
  3.2  Reader → Back-end server: A, B, RID_k, T_1, C, D, ID_k, T_2

Back-end server
  4.1  If T_3 - T_2 > ΔT, reveal the protocol; else, for each tuple (x_j, x_{j-1}):
  4.2  Computes R_r* = A ⊕ V_k
       B* = h(V_k ⊕ T_1 ⊕ R_r*)
       If B* = B, go to step 4.3; else reveal the protocol
       For each tuple (s_j, s_{j-1}):
  4.3  Computes R_t*(1) = h(s_j ∥ ID_k) ⊕ C
       R_t*(2) = h(s_{j-1} ∥ ID_k) ⊕ C
       D*(1) = h(h(s_j ∥ ID_k) ⊕ T_2 ⊕ R_t*(1))
       D*(2) = h(h(s_j ∥ ID_k) ⊕ T_2 ⊕ R_t*(2))
       If D*(1) = D or D*(2) = D, go to step 4.4; else reveal the protocol
  4.4  E = h(x_j ∥ RID_k ∥ T_1 ∥ R_r* ∥ h(x_j ⊕ R_r*))
  4.5  F = Data ⊕ h(x_j ⊕ R_r*)
  4.6  G = h(s_j ∥ ID_k ∥ T_2 ∥ R_t* ∥ h(s_j ⊕ R_t*))
  4.7  Back-end server → Reader: E, F, G
  4.8  After successful authentication, updates
       x_{j-1} ← x_j; x_j ← h(x_j ⊕ R_r)
       s_{j-1} ← s_j; s_j ← h(s_j ⊕ R_t)

Reader
  5.1  Compute E* = h(x_j ∥ RID_k ∥ T_1 ∥ R_r ∥ h(x_j ⊕ R_r))
  5.2  Check E* =? E
  5.3  Updating x_j ← h(x_j ⊕ R_r)
  5.4  Data = F ⊕ h(x_j ⊕ R_r)
  5.5  Reader → Tag: G

Tag
  6.1  Compute G* = h(s_j ∥ ID_k ∥ T_2 ∥ R_t ∥ h(s_j ⊕ R_t))
  6.2  Verify G* =? G
  6.3  After successful authentication, s_j ← h(s_j ⊕ R_t)

Fig. 2 The SRTA protocol [6].

∎ Test(T_0, T_1, i) query: This query expresses the indistinguishability-based concept of UPriv. After sending a Test(T_0, T_1, i) query to an entity in the ith session, depending on a randomly chosen bit b ∈ {0,1} generated by the challenger, T_b ∈ {T_0, T_1} is delivered to the attacker. The adversary A succeeds if it can correctly guess the bit b.
Untraceable Privacy (UPriv): In this definition, a game G between the attacker A and a collection of instances of reader and tag takes place. An adversary A runs the game G, which has the following phases:

Learning phase: In this phase, an adversary A is permitted to send any of the Execute, Send and Corrupt queries.

Challenge phase: An adversary A is given a tag T_b ∈ {T_0, T_1} and sends any of the Execute, Send and Corrupt queries to T_b.

Guess phase: Finally, the adversary A terminates the game G and outputs a bit b' as a guess of the value of b.
The attacker succeeds in the game G if it correctly recognizes whether it received T_0 or T_1. The traceability level of the protocol is denoted by Adv_A^UPriv(k), where k is the security parameter:
Adv_A^UPriv(k) = |Pr(A wins) - Pr(random coin flip)| = |Pr(b' = b) - 1/2|          (1)
where 0 ≤ Adv_A^UPriv(k) ≤ 1/2. If Adv_A^UPriv(k) < ε(k), the protocol is traceable with negligible probability.
3.  SRTA Protocol
In [6], Li et al. proposed a secure RFID tag authentication protocol in TMIS. The connection between the reader and the back-end server and the connection between the tag and the reader is insecure. Their protocol is a hash based one, which uses timestamps in the structure of its messages to prevent attacks. Their protocol is depicted in Fig. 2 and notations that are used in this protocol are listed below:
ID_k: The identifier of the kth tag.
RID_k: The identifier of the kth reader.
RPW_k: The password of the kth reader.
RNG: The Random Number Generator.
T: The timestamp.
R_r: The random number generated by reader.
R_s: The random number generated by tag.
s_j: The secret value used in the current jth session; it is mutually shared between the back-end server and the tag.
s_{j-1}: The secret value used in the previous session. Initially, the value is set to null.
x_j: The secret value used in the current jth session; it is mutually shared between the back-end server and the reader.
x_{j-1}: The secret value used in the previous session. Initially, the value is set to null.
h(.): A one-way hash function.
ΔT: The expected legitimate time interval for transmission delay.
∥: Concatenation operation.
A ⊕ B: Message A is XORed with message B.
4. Analysis of SRTA Protocol
a. Tag Impersonation
Li et al. try to increase the security of the authentication procedure by using timestamps, which means that the reader and the back-end server will not continue the authentication phase unless the inequalities {T_2 - T_1 < ΔT, T_3 - T_2 < ΔT} hold. So, by knowing the values of ΔT and T_1, T_2 and T_3, the attacker tries to impersonate a legitimate tag to receive responses from the reader. It is shown that an attacker can perform this attack on Li et al.’s protocol [5]. This attack can be performed as follows:
Learning phase: In the ith round, the attacker eavesdrops four successful steps of the protocol and obtains {RID_k, A, B, T_1, ID_k, C, D, T_2} and, by changing T_2 into T'_2, in which T'_2 - T_1 > ΔT, he/she leaves the protocol unfinished. So the secret values of the reader and the tag are not updated.
Attack phase: In the (i+1)th round, the attacker starts a new session with the reader and acts as follows:

  1. The attacker receives {RID_k, A, B, T_1^(i+1)} from the reader. By knowing the value of T_1^(i+1) in this session and ΔT from the learning phase, he/she generates an appropriate value for T_2^(i+1). Moreover, as ID_k is not updated during this protocol, the attacker responds with {ID_k, β, γ, T_2^(i+1)}, in which β and γ are generated as follows:

β = h(s_j ∥ ID_k) ⊕ R_t                              (2)
γ = h(h(s_j ∥ ID_k) ⊕ T_2^(i+1) ⊕ R_t)               (3)
It should be mentioned that β and γ are messages that the attacker generates as the messages C and D of the SRTA protocol.

  2. After the value of T_2^(i+1) is confirmed by calculating ΔT in a legitimate reader, {RID_k, A, B, T_1^(i+1), ID_k, β, γ, T_2^(i+1)} will be sent to the back-end server by the reader.
  3. On receiving the response messages from the reader, the back-end server checks the inequality (T_3^(i+1) - T_2^(i+1)) < ΔT, which will be accepted because the attacker chose a correct value for T_2^(i+1). As the above inequality holds, the back-end server acts as follows:
     a. Computes R_r* = A ⊕ h(x_j ∥ RID_k).
     b. Computes B* = h(h(x_j ∥ RID_k) ⊕ T_1^(i+1) ⊕ R_r*) and checks if B* ≟ B. As all the messages {A, x_j, RID_k, T_1^(i+1)} are generated by a legal reader, the back-end server successfully authenticates the reader.
     c. Computes R_t* = β ⊕ h(s_j ∥ ID_k).
     d. Computes D* = h(h(s_j ∥ ID_k) ⊕ T_2^(i+1) ⊕ R_t*) and checks if D* ≟ γ. As the secret value of the tag has not been updated, the above equality is confirmed.

Although the SRTA protocol claims that an attacker will be detected through checking the value of the received message {D}, as shown above, eavesdropping one round of the protocol and choosing an appropriate value for T_2^(i+1) will result in authentication of the attacker as a legitimate tag.
b. DoS Attack
It can be shown that Li et al.’s protocol is not safe against the DoS attack. To perform this attack, in the ith session of the protocol, after running four steps, when the back-end server wants to send messages to the reader, the attacker intercepts the transmitted messages and stops the protocol. As a result, the back-end server updates s_j^(i) and s_{j-1}^(i) with h(s_j ⊕ R_t) and s_j, respectively, but the tag does not update its secret values. Now, the attacker performs the tag impersonation attack, presented in Section 4.a, in the (i+1)th session of the protocol. After this attack, the back-end server updates s_j^(i+1) and s_{j-1}^(i+1) with h(s_j^(i) ⊕ R_t) and s_j^(i), respectively, but the tag does not update its secret values. Consequently, the tag and the back-end server are desynchronized in the next session and the back-end server cannot authenticate the tag.
In addition, the DoS attack can be performed by running two consecutive tag impersonation attacks, described in subsection 4.a.
c. Reader Impersonation
In this subsection, it is shown that an attacker can impersonate a legitimate reader in Li et al.’s protocol [6]. This attack can be performed as follows:
Learning phase: In the ith round, the attacker eavesdrops two successful steps of the protocol and obtains {RID_k, A, B, T_1}, intercepts the messages transmitted to the tag and then stops the protocol. So the secret values are not updated in this session. The attacker calculates α as follows:
α = V_k' ⊕ R_r                                        (4)
Attack phase: In the (i+1)th round, an adversary starts a new session with the tag T_0 and acts as follows:

  1. In this phase, the attacker starts a session with a tag by sending RID_k and α, stored from the last unfinished session, T_1^(i+1), which is generated by the attacker and shows the current timestamp, and λ, which is calculated as

λ = h(V_k' ⊕ T_1^(i+1) ⊕ R_r)                         (5)

  2. Then, the target tag responds with {ID_k, C, D, T_2^(i+1)} to the attacker.
  3. The attacker sends {RID_k, α, λ, T_1^(i+1), ID_k, C, D, T_2^(i+1)} to the back-end server.
  4. The back-end server checks if (T_3^(i+1) - T_2^(i+1)) < ΔT. As shown in Fig. 2, this inequality is verified because T_2^(i+1) and T_3^(i+1) are generated by a legal tag and back-end server.
  5. By performing the above steps, the back-end server computes R_r* = α ⊕ h(x_j ∥ RID_k).
  6. The back-end server calculates B* = h(h(x_j ∥ RID_k) ⊕ T_1^(i+1) ⊕ R_r*) and checks whether B* ≟ λ, where

B* = h(h(x_j ∥ RID_k) ⊕ T_1^(i+1) ⊕ R_r*)
   = h(V_k' ⊕ T_1^(i+1) ⊕ R_r*)
   = λ                                                (6)
As a result, the back-end server authenticates the spoofed reader as a legitimate one.

  7. Now, the back-end server starts to authenticate the tag by calculating C* and D* and comparing them with the received C and D. As the tag is legitimate, the back-end server authenticates it, computes E, F and G as follows and sends them to the attacker:

E = h(x_j ∥ RID_k ∥ T_1^(i+1) ∥ R_r ∥ h(x_j ⊕ R_r))   (7)
F = Data ⊕ h(x_j ⊕ R_r)                               (8)
G = h(s_j ∥ ID_k ∥ T_2^(i+1) ∥ R_t ∥ h(s_j ⊕ R_t))    (9)

  8. The attacker sends G to the tag.

Consequently, the attacker effectively impersonates the reader.
d. Tag traceability
In this subsection, it is shown that the SRTA protocol [6] is vulnerable to the traceability attack. According to the SRTA protocol [6], the tag’s identification number ID_k is fixed in all rounds. Using this issue, an attacker can trace the target tag. This attack is performed as follows:
Learning phase: In round (i), the attacker eavesdrops all messages transmitted between the tag T_0 and the reader R by sending an Execute query (R, T_0, i) and obtaining {RID_k, A, B, T_1, ID_k, C, D, T_2, E, F, G}.
Challenge phase: The adversary selects two fresh tags T_0 and T_1 for the test, and sends a Test query (T_0, T_1, i+1). According to the randomly chosen bit b ∈ {0,1}, the adversary is given a tag T_b ∈ {T_0, T_1}. Afterwards, the adversary calculates B# as h(A ⊕ T_1') and sends an Execute query (R, T_b, i+1) by sending RID_k, A, B#, T_1' to the tag, in which T_1' is the current timestamp, and obtains C', D', T'_2 and ID_k'.
Guess phase: The adversary A stops the game G and outputs a bit b' ∈ {0, 1} as a guess of bit b as follows:
b' = 0 if ID_k = ID_k', 1 otherwise                   (10)
As a result, it can be written:
Adv_A^UPriv(k) = |Pr(b' = b) - 1/2| = |1 - 1/2| = 1/2 ≫ ε      (11)
Proof: According to the structure of the SRTA protocol [6], since the tag T_0 never updates its identification number and uses the same ID_k in both the learning and challenge phases, the attacker can trace the target tag. Moreover, as ID_k is fixed in all sessions, the attacker is able to trace the tag T_0 whenever he/she wants.
e. Reader traceability Attack on SRTA Protocol
Li et al. [6] observed that Srivastava et al.’s protocol [5] suffers from the reader stolen/lost attack, so it fails to provide the privacy of the tag during the authentication phases. To resist these attacks, Li et al. [6] use a secret value, an identifier and a password for the reader in their protocol. In this subsection, it is shown that in Li et al.’s protocol, an attacker can perform a traceability attack and trace the location of a specific reader. As shown in Fig. 1, the adversary can trace the reader R_0 as follows:
Learning phase: In round (i), the attacker eavesdrops all messages transmitted between the tag T_0 and the reader R_0 by sending an Execute query (R_0, T_0, i), obtaining {RID_k, A, B, T_1, ID_k, C, D, T_2, E, F, G}; then he/she stores RID_k as ζ.
Challenge phase: The adversary eavesdrops every session between readers and tags and stores all the obtained RID_k values under the name Z_i, where i ∈ {1, 2, …, number of Readers}. Afterwards, the adversary selects two fresh readers R_0 and R_1 for the test, and sends a Test query (R_0, R_1, i+1). According to the randomly chosen bit b ∈ {0,1}, the adversary is given a reader R_b ∈ {R_0, R_1}. Now the attacker sends an Execute query (R_0, T_0, i+1) and stores Z_0 and Z_1.
Guess phase: The adversary A stops the game G and outputs a bit b' ∈ {0, 1} as a guess of bit b as follows:
b' = 0 if ζ = Z_0, 1 otherwise                        (12)
As a result, it can be written:
Adv_A^UPriv(k) = |Pr(b' = b) - 1/2| = |1 - 1/2| = 1/2 ≫ ε      (13)
Proof: According to the structure of Li et al.’s protocol, the reader R_0 will not update its identification number and uses the same RID_k in both the Learning and Challenge phases, therefore the attacker can trace the target reader. Furthermore, as RID_k is fixed in all rounds, an adversary is able to trace the reader R_0 in every arbitrary session.
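The UPriv game of Section 2 applied to the tag messages of Fig. 2, as an added example that is not part of the original paper: the guess rule of equation (10) is generalized to "any transmitted field that repeats between sessions", and the same rule is run against tag messages that omit ID_k, as Section 5 proposes. SHA-256 for h(.), 32-byte values, sessions that are only eavesdropped and always complete, and the class and function names are assumptions of this sketch; the reader case of this subsection follows the same way with RID_k.

```python
import hashlib
import secrets

N = 32  # byte length of every value (assumption: the paper fixes no sizes)


def h(*parts: bytes) -> bytes:
    """h(.) modelled with SHA-256; '∥' is concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Timestamp encoded to N bytes so it can be XORed with other values."""
    return t.to_bytes(N, "big")


class SrtaTag:
    """Tag side of Fig. 2: transmits C, D, ID_k, T_2 and never changes ID_k."""

    def __init__(self) -> None:
        self.s = secrets.token_bytes(N)       # s_j
        self.ident = secrets.token_bytes(N)   # ID_k

    def session(self, t2: int) -> dict:
        rt = secrets.token_bytes(N)                    # step 2.1
        v = h(self.s, self.ident)
        sent = {
            "C": xor(v, rt),                           # step 2.2
            "D": h(xor(xor(v, ts(t2)), rt)),           # step 2.3
            "ID": self.ident,                          # identifier in clear
            "T2": ts(t2),
        }
        self.s = h(xor(self.s, rt))                    # step 6.3
        return sent


class IdHidingTag(SrtaTag):
    """Tag messages of the improved protocol: C, D, T_2 only; ID_k is updated."""

    def session(self, t2: int) -> dict:
        rt = secrets.token_bytes(N)
        sent = {
            "C": xor(h(self.s, self.ident), rt),
            "D": h(xor(rt, ts(t2))),
            "T2": ts(t2),
        }
        self.s = xor(self.s, rt)                       # s_j <- s_j XOR R_t
        self.ident = xor(self.ident, self.s)           # equation (16)
        return sent


def linkable_fields(first: dict, second: dict) -> list:
    """Names of transmitted fields whose value is identical in both sessions."""
    return sorted(k for k in first if k in second and first[k] == second[k])


def upriv_advantage(tag_cls, trials: int = 2000) -> float:
    """Empirical |Pr(b' = b) - 1/2| for an observer using only repeated fields."""
    wins = 0
    for _ in range(trials):
        t0, t1 = tag_cls(), tag_cls()
        learned = t0.session(1000)                 # learning: Execute(R, T_0, i)
        b = secrets.randbelow(2)                   # challenger's hidden bit
        challenge = (t0, t1)[b].session(2000)      # Execute(R, T_b, i+1)
        guess = 0 if linkable_fields(learned, challenge) else 1
        wins += int(guess == b)
    return abs(wins / trials - 0.5)


if __name__ == "__main__":
    print("Fig. 2 tag messages :", upriv_advantage(SrtaTag))
    print("ID_k not transmitted:", upriv_advantage(IdHidingTag))
```

The same `linkable_fields` check can be run over recorded sessions of any candidate protocol to list which fields would let an observer link them.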
5. Improvements on SRTA Protocol
Li et al. [6] try to improve Srivastava et al.’s authentication protocol [5] by adding the secret value of the reader x_j, and the kth reader’s identifier and password, which are named RID_k and RPW_k, respectively. However, the SRTA protocol [6] is vulnerable to the attacks described in Section 4. In this Section, a strengthened version of the SRTA protocol [6] is proposed to overcome its weaknesses. Moreover, the security and privacy analysis of our proposed protocol is provided.
5.1 Improved Version of SRTA protocol
As reported in Section 4, there are several main drawbacks in the structure of Li et al.’s protocol [6], which make it vulnerable to traceability attacks. Li et al. [6] try to increase the efficiency of Srivastava et al.’s protocol [5] by explicitly expressing the tag’s identifier ID_k and RID_k through the protocol. Although the SRTA protocol [6] decreases the waiting time for accessing the true readers and ensures a high rate of efficiency in the tag authentication procedure, it brings a drawback which enables the attacker to know the tag’s and reader’s identification values. This makes it possible to trace them in every execution of the protocol.

Stored values
  Back-end server: (ID_k^old, ID_k^new, V_k, W_k, x_j, x_{j-1}, s_j, s_{j-1}, RID_k)
  Reader: x_j, RID_k
  Tag: s_j, ID_k

Reader
  1    Input RID_k and RPW_k
  1.1  V_k = h(x_j ∥ RID_k)
  1.2  W_k = h(x_j ∥ RID_k) ⊕ RID_k ⊕ RPW_k
  1.3  V_k' = W_k ⊕ RID_k ⊕ RPW_k; continue if V_k = V_k'
  1.4  Generates R_r
  1.5  A = V_k' ⊕ R_r
  1.6  B = h(R(V_k') ∥ L(R_r) ⊕ T_1)
  1.7  Reader → Tag: A, B

Tag
  2.1  Generates R_t randomly
  2.2  C = h(s_j ∥ ID_k) ⊕ R_t
  2.3  D = h(R_t ⊕ T_2)
  2.4  Tag → Reader: C, D, T_2

Reader
  3.1  If T_2 - T_1 > ΔT, reveal the protocol; else
  3.2  Reader → Back-end server: A, B, T_1, C, D, T_2

Back-end server
  4.1  If T_3 - T_2 > ΔT, reveal the protocol; else,
       for each (x_j, RID_k^old) and (x_{j-1}, RID_k^new):
  4.2  Computes V_k*
       Computes R_r*
       Computes B*
  4.3  If B* = B, the reader is authenticated; else reveal the protocol
       For each (s_j, ID_k^old) and (s_{j-1}, ID_k^new):
  4.4  Computes R_t*, D*
  4.5  If D* = D, the tag is authenticated; else reveal the protocol
  4.6  E = h(x_j ∥ RID_k ∥ T_1 ∥ R_r* ∥ h(x_j ⊕ R_r*))
  4.7  F = Data ⊕ h(x_j ⊕ R_r*)
  4.8  G = h(s_j ∥ ID_k ∥ T_2 ∥ R_t* ∥ h(s_j ⊕ R_t*))
  4.9  Back-end server → Reader: E, F, G
  4.10 After successful authentication, updates
       x_{j-1} ← x_j; x_j ← h(x_j ⊕ R_r)
       s_{j-1} ← s_j; s_j ← s_j ⊕ R_t
       ID_k^old ← ID_k
       ID_k^new ← ID_k ⊕ s_j

Reader
  5.1  Compute E* = h(x_j ∥ RID_k ∥ T_1 ∥ R_r ∥ h(x_j ⊕ R_r))
  5.2  Check E* =? E
  5.3  Updating x_j ← h(x_j ⊕ R_r)
  5.4  Data = F ⊕ h(x_j ⊕ R_r)
  5.5  Reader → Tag: G

Tag
  6.1  Compute G* = h(s_j ∥ ID_k ∥ T_2 ∥ R_t ∥ h(s_j ⊕ R_t))
  6.2  Verify G* =? G
  6.3  After successful authentication
       s_j ← s_j ⊕ R_t
       ID_k ← ID_k ⊕ s_j

Fig. 3 Improved version of SRTA protocol.

In addition, the processors in the tags are limited and not all computations can be performed on the tag side. On the other hand, there is little limitation on the computation cost on the back-end server side [12]. Therefore, we propose to omit sending ID_k through the protocol. Besides, there is no inconsistency between the increased time for finding a correct ID_k and RID_k and the timestamp T_3. In other words, in the SRTA protocol [6], the back-end server first investigates the correctness of the inequality (T_3 - T_2 < ΔT), then searches for the true identification number of the reader and the tag. Further, we omit sending RID_k through our protocol. Another drawback of the SRTA protocol [6] is announcing the values of the timestamps T_1, T_2 and T_3 through the protocol. After one acceptable run of the protocol, an adversary knows the values of T_1, T_2 and T_3, so he/she can calculate the allowable ΔT and apply the tag impersonation and reader impersonation attacks which are discussed in Section 4. In order to improve Li et al.’s protocol [6], we change the message B to:
B = h(R(V_k') ∥ L(R_r) ⊕ T_1)                         (14)
where R(V_k') means the right side of V_k' and L(R_r) refers to the left side of R_r. By omitting T_1, we send {RID_k, A, B} to the tag in the second step of the protocol. In the third step of the protocol, we change the message D to:
D = h(R_t ⊕ T_2)                                      (15)
By omitting the first hash function of the message D, not only does the computation cost on the tag side decrease, but the back-end server can also verify the value of R_t using the transmitted message D. Moreover, in our proposed protocol the attacker will not be able to guess the correct message.
On the other hand, updating the tag’s identifier ID_k through the protocol causes another vulnerability, i.e., the DoS attack. In other words, after running four steps of the protocol successfully, the attacker intercepts the protocol and leaves it unfinished. So the back-end server updates ID_k with ID_k ⊕ R_t, while the value of ID_k in the tag is not updated. Now, in the next run of the protocol, the tag will send ID_k to the reader but the back-end server will not admit it as a legitimate one. So, we store two values for ID_k in the back-end server, a new one and an old one. Moreover, we update ID_k at the end of the protocol as follows:
ID_k ← ID_k ⊕ s_j                                     (16)
and store the two last values of ID_k on the back-end server side. As we mentioned above, the restriction of complexity on the tag side is an important issue, so by omitting one hash function in the tag, we change the updated value of ID as in eq. 16. The improved protocol is depicted in Fig. 3.
6. Analysis of our proposed protocol
In this Section, we analyze the security and privacy of the proposed protocol with respect to the aforementioned kinds of attacks, and we show that it improves on the vulnerabilities of the existing research.
Eavesdropping and Tracing Resistance
Our proposed protocol is resistant to eavesdropping and tracing attacks. As discussed in subsection 4.d, the SRTA protocol suffers from the constancy of the value of ID_k, which results in traceability and DoS attacks. In our proposed protocol, an attacker is not able to trace the target tag T_0, because ID_k is updated as ID_k ⊕ s_j; in addition, s_j is updated at the end of the protocol with R_t, which is generated randomly and is not known to the attacker. So, if the attacker eavesdrops one round of the protocol and obtains {A, B, C, D, E, F, G, T_1, T_2}, he/she will never be able to use the last stored messages to trace the target tag.
On the other hand, as stated in subsection 4.e, the SRTA protocol is vulnerable to the reader traceability attack, which results from declaring RID_k and from the constancy of its value. In our proposed protocol, we avoid announcing the value of RID_k through the protocol. Although this will increase the amount of computation in steps 4.2 and 4.3 of the protocol, as depicted in Fig. 3, the attacker will never be able to access the correct value of RID_k. It should be mentioned that we enhance the immunity of our proposed protocol by creating complexity in the back-end server, but in an RFID system the back-end server is equipped with a powerful processor [12]. Therefore, the performance of our improved protocol is not much affected compared with the SRTA protocol.
So, in our proposed protocol, the barrier against tracing is raised through the use of random numbers and anonymity.
Desynchronization Attack Resistance
In a desynchronization attack, the adversary forces the tag and the reader to update their secret values to different ones, so they will not authenticate each other in further transactions. In an RFID authentication protocol, the adversary can perform this attack via various approaches, including blocking the messages exchanged between the tag and the back-end server and impersonating the tag and the reader [20]. In our proposed protocol, an attacker is permitted to eavesdrop the transmitted messages {A, B, C, D, E, F, G, T_1, T_2} between the elements of an RFID system. Moreover, he/she is able to alter the message G to G’, which results in updating the secret values in the back-end server, but the tag will not accept the received message as coming from a legal element. Therefore, the tag leaves the protocol without updating its secret values. Even though this will result in a DoS attack in the SRTA protocol, our protocol is secure against this vulnerability. In our protocol, an adversary is not able to force the tag and the reader to update their secret values, because of storing two values of ID_k in the back-end server, which prevents desynchronization between the tag and the back-end server. As shown in Fig. 3, if the attacker blocks the protocol in step 5.5 by changing the value of G in a session, the back-end server will still be able to recognize the legitimate tag, which is the result of storing the two last values of ID_k and s_j.

Table 1. Security level comparisons among the discussed protocols

Protocol                 F1    F2    F3    F4    F5
Cho et al. [14]          NO    YES   NO    NO    NO
Srivastava et al. [5]    NO    YES   NO    NO    YES
Li et al. [6]            YES   NO    NO    YES   NO
Our protocol             YES   YES   YES   YES   YES

F1: Provision of mutual authentication
F2: Provision of synchronized secret
F3: Protection of data privacy
F4: Prevention of reader stolen/lost attack
F5: Prevention of impersonation attack

Table 2. Performance features of various protocols

Protocol                 Complexity of tag computation    Complexity of reader computation    Communication rounds
Srivastava et al. [5]    5H+RNG                           RNG                                 5
Li et al. [6]            3H+RNG                           RNG                                 5
Our protocol             3H+RNG                           RNG                                 5

H: hash function, RNG: random number generator
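The desynchronization argument of this subsection, and the two stored values of ID_k introduced in Section 5.1, can be exercised with a small simulation. The following is an added example, not code from the paper: it models only the tag and back-end server exchange of Fig. 3, uses SHA-256 for h(.) and 32-byte values (both assumptions), and assumes the server pairs each stored secret with the identifier of the same session and updates from whichever pair matched.

```python
import hashlib
import hmac
import secrets

N = 32  # byte length of every value (assumption: the paper fixes no sizes)


def h(*parts: bytes) -> bytes:
    """h(.) modelled with SHA-256; '∥' is concatenation of the parts."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    """Timestamp encoded to N bytes so it can be XORed with R_t."""
    return t.to_bytes(N, "big")


class Tag:
    def __init__(self, s: bytes, ident: bytes) -> None:
        self.s, self.ident = s, ident
        self.rt, self.t2 = b"", 0

    def respond(self, t2: int):
        """Steps 2.1-2.4 of Fig. 3: build C and D for timestamp T_2."""
        self.rt, self.t2 = secrets.token_bytes(N), t2
        c = xor(h(self.s, self.ident), self.rt)
        d = h(xor(self.rt, ts(t2)))
        return c, d, t2

    def finish(self, g) -> bool:
        """Steps 6.1-6.3: update s_j and ID_k only if G verifies."""
        expected = h(self.s, self.ident, ts(self.t2), self.rt,
                     h(xor(self.s, self.rt)))
        if g is None or not hmac.compare_digest(g, expected):
            return False                      # blocked or altered G: no update
        self.s = xor(self.s, self.rt)
        self.ident = xor(self.ident, self.s)  # equation (16)
        return True


class Server:
    def __init__(self, s: bytes, ident: bytes, keep_previous: bool) -> None:
        self.current = (s, ident)             # newest (secret, identifier)
        self.previous = None                  # pair of the session before
        self.keep_previous = keep_previous

    def authenticate(self, c: bytes, d: bytes, t2: int):
        """Steps 4.4-4.10 (tag part): returns G on success, None on failure."""
        candidates = [self.current]
        if self.keep_previous and self.previous is not None:
            candidates.append(self.previous)
        for s, ident in candidates:
            rt = xor(c, h(s, ident))                        # R_t*
            if hmac.compare_digest(h(xor(rt, ts(t2))), d):  # D* = D ?
                g = h(s, ident, ts(t2), rt, h(xor(s, rt)))
                new_s = xor(s, rt)
                self.previous = (s, ident)
                self.current = (new_s, xor(ident, new_s))
                return g
        return None


def run_sessions(keep_previous: bool, drop_first_g: bool) -> list:
    """Three sessions; optionally G of session 1 never reaches the tag.

    Returns, per session, whether the server authenticated the tag.
    """
    s, ident = secrets.token_bytes(N), secrets.token_bytes(N)
    tag, server = Tag(s, ident), Server(s, ident, keep_previous)
    outcome = []
    for i, t2 in enumerate((1000, 2000, 3000)):   # constructed timestamps
        g = server.authenticate(*tag.respond(t2))
        tag.finish(None if (i == 0 and drop_first_g) else g)
        outcome.append(g is not None)
    return outcome


if __name__ == "__main__":
    print("one stored pair :", run_sessions(False, True))
    print("two stored pairs:", run_sessions(True, True))
```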
Tag/Reader impersonation Attack Resistance
The tag (reader) impersonation attack is a forgery attack in which an RFID system accepts a spoofed tag (reader) as a legitimate tag (reader). In our improved protocol, there is no similarity between the messages C and D, therefore the attacker is not able to use the last stored message C in the present session, which prevents the tag impersonation attack. On the other hand, because of the new exposure of B and D, an adversary is not able to build the messages B and D from A and C. Furthermore, because of updating the secret values and generating new random variables in each session, the messages eavesdropped in the last session are not acceptable in the new session.
6.1 Performance analysis of our proposed protocol
In this section, we present the performance analysis of our proposed authentication protocol and compare it with Li et al. [9], Srivastava et al. [8] and Cho et al.’s protocol [24] in terms of immunity against different attacks. As our improved protocol is based on the framework of the existing protocol, there is little structural difference between SRTA and the proposed protocol. In Table 1, our improved protocol is compared with some similar protocols. As can be seen, the proposed protocol solves the drawbacks in the existing protocols and provides security against the mentioned attacks including traceability, impersonation, mutual authentication and DoS. In addition, in Table 2, the efficiency of the proposed protocol is compared with the analyzed protocols by comparing its computational cost. The improved protocol consists of three hash functions and one RNG on the tag side, which is the same as the SRTA protocol, while it saves two hash function computations in the tag compared with Srivastava et al.’s protocol. As can be seen in Table 2, all of the analyzed protocols include one RNG in the reader and consist of five communication rounds. Therefore, the privacy analysis shows that, without increasing the computational cost, our improved protocol removes all privacy concerns and provides secure and confidential communications for RFID users.
7. Conclusion
RFID technology is rapidly developing and its applications are spreading in different fields, but providing their security and privacy has been the goal of researchers in recent years. In this paper, we analyzed a hash-based RFID protocol in TMIS, proposed by Li et al. They claimed that their protocol provides privacy requirements for RFID systems. However, this paper showed that Li et al.’s protocol is still vulnerable to traceability, tag impersonation and DoS attacks. To fix the aforementioned weaknesses, we have proposed an improvement, which fixes the weak features of their protocol for healthcare environments. Finally, the computational complexity and the performance of the proposed protocol are compared with the discussed protocols.
REFERENCES
[1] D. He and Z. Shi, “An analysis of RFID authentication schemes for internet of things in healthcare environment using elliptic curve cryptography,” IEEE Internet of Things Journal, vol. 2, pp. 72-83, 2015.
[2] Z. Ahmadian, M. Salmasizadeh, and M. R. Aref, “Desynchronization attack on RAPP ultralightweight authentication protocol,” Information Processing Letters, vol. 113, pp. 205-209, 2013.
[3] A. Al-Lawati, S. Al-Jahdhami, A. Al-Belushi, D. Al-Adawi, M. Awadalla, and D. Al-Abri, “RFID-based system for school children transportation safety enhancement,” in GCC Conference and Exhibition (GCCCE), 2015 IEEE 8th, pp. 1-6, 2015.
[4] G. Yimin, L. Shundong, D. Jiawei, and Z. Sufang, “Deterministic cloned tag detection protocol for anonymous radio-frequency identification systems,” IET Information Security, 2015.
[5] K. Srivastava, A. Awasthi, S. Kaul, and R. C. Mittal, “A hash based mutual RFID tag authentication protocol in telecare medicine information system,” Journal of Medical Systems, vol. 39, pp. 1-5, 2014.
[6] C.-T. Li, C.-Y. Weng, and C.-C. Lee, “A secure RFID tag authentication protocol with privacy preserving in telecare medicine information system,” Journal of Medical Systems, vol. 39, pp. 1-8, 2015.
[7] Z. Bilal, “Addressing security and privacy issues in low-cost RFID systems,” PhD thesis, Royal Holloway, University of London, 2015.
[8] B. Glover and H. Bhatt, RFID Essentials. O’Reilly Media, 2006.
[9] “The National Academies Institute of Medicine,” iom.nationalacademies.org.
[10] S. Crawford, M. Cohen, and E. Tafesse, “Systems factors in the reporting of serious medication errors in hospitals,” Journal of Medical Systems, vol. 27, pp. 543-551, 2003.
[11] K. Baghery, B. Abdolmaleki, B. Akhbari, and M. Aref, “Privacy analysis and improvements of two recent RFID authentication protocols,” presented at the 11th International ISC Conference on Information Security and Cryptology (ISCISC), Tehran, 2014.
[12] G. Avoine, “Cryptography in radio frequency identification and fair exchange protocols,” PhD thesis, University of EPFL, Lausanne, 2005.
[13] Y.-Y. Chen, D.-C. Huang, M.-L. Tsai, and J.-K. Jan, “A design of tamper resistant prescription RFID access control system,” Journal of Medical Systems, vol. 36, pp. 2795-2801, 2012.
[14] J.S. Cho, S.S. Yeo, and S. K. Kim, “Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value,” Computer Communications, vol. 34, pp. 391-397, 2011.
[15] H. Kim, “RFID mutual authentication protocol based on synchronized secret,” International Journal of Security and Its Applications, vol. 7, pp. 37-50, 2013.
[16] Y.-C. Yu, T.-W. Hou, and T.-C. Chiang, “Low cost RFID real lightweight binding proof protocol for medication errors and patient safety,” Journal of Medical Systems, vol. 36, pp. 823-828, 2012.
[17] S. Wu, K. Chen, and Y. Zhu, “A secure lightweight RFID binding proof protocol for medication errors and patient safety,” Journal of Medical Systems, vol. 36, pp. 2743-2749, 2012.
[18] K. Ouafi and R. W. Phan, “Privacy of recent RFID authentication protocols,” in Information Security Practice and Experience, vol. 4991, L. Chen, Y. Mu, and W. Susilo, Eds. Springer Berlin Heidelberg, pp. 263-277, 2008.
[19] S. Alavi, K. Baghery, B. Abdolmaleki, and M. Aref, “Traceability analysis of recent RFID authentication protocols,” Wireless Personal Communications, vol. 83, pp. 1663-1682, 2015.
[20] I. Coisel and T. Martin, “Untangling RFID privacy models,” Journal of Computer Networks and Communications, pp. 1-26, 2013.


