1 Introduction

Radio-frequency identification (RFID) is an automatic identification technology that transmits data wirelessly using radio waves. The first use of an RFID system was in World War II, for the "friend or foe" identification system. Recently, many applications have taken advantage of RFID technology, such as point of sale (POS), automated vehicle identification (AVI) systems, asset tracking, pet ownership identification, product security, library book check-in/check-out, and e-passports. The principal advantage of this technology is that it automatically identifies objects using electromagnetic waves without requiring contact or line of sight, which at the same time raises various vulnerabilities. In general, an RFID system is composed of three main parts: tags, readers, and a server or backend database. Tags can be passive or active according to their power source. An active tag contains its own built-in power supply, whereas a passive tag must be powered by the electromagnetic field of the signal transmitted by the reader, so it gets its power from an external source (the reader). Tags can also be low frequency (LF), high frequency (HF), or ultra high frequency (UHF) based on the frequencies used, as shown in Table 1.

Table 1 Comparison of LF, HF, and UHF

Recently, the internet of things (IoT) has become one of the most dominant communication models in the modern world. IoT allows the physical objects in our daily life to connect to the internet and creates an environment where these objects can identify and communicate with each other through different communication methods including RFID, WiFi, QR codes or other sensor technologies [1]. Some of the prevalent applications of IoT include, but are not limited to, home automation, smart cities, wearables, the industrial internet, connected cars, smart grids, smart retail, and telehealth. Security is a major issue with IoT: the physical world is becoming one big information system connecting billions of devices, and the information of those devices must stay secure. RFID systems use a wireless channel for communication between reader and tags, which is vulnerable to various security and privacy threats such as eavesdropping, cloning, traceability, and skimming. Therefore, the need for security approaches that protect transmitted data is becoming urgent. RFID authentication protocols are one of these approaches; they are used to authorize each party (reader and tags) in the communication process that is connected to the IoT infrastructure.

Various authentication protocols have been proposed to achieve certain security and privacy goals. The limited resources of RFID systems in terms of storage capacity, computational capacity, and power restrict the use of strong and complex authentication protocols. Based on the RFID system resources, RFID authentication protocols can be classified into full-fledged, simple, lightweight, and ultra-lightweight authentication protocols [2]. In the full-fledged class, the protocol requires the support of conventional cryptographic functions such as public key cryptography (PKC) or one-way cryptographic functions. PKC assures the highest level of security and privacy protection, but it is not fully supported by RFID systems because of its high requirements in terms of key size and computational cost. One of the most attractive PKC solutions is elliptic curve cryptography (ECC), as it provides the same level of security with smaller key sizes, faster computation, lower power consumption, and memory and bandwidth savings in contrast to other PKC schemes such as RSA. An elliptic curve is defined as the set of points \((x, y)\) that satisfy an elliptic curve equation \(E: y^{2} = x^3 + ax + b\), where x, y, a and b are within a field. For cryptographic purposes, curves over the finite fields \(F_p\) and \(F_{2^m}\) are most suitable. The strength of our proposed protocol is based on two elliptic curve computational problems: the elliptic curve discrete logarithm problem (ECDLP) and the elliptic curve factorization problem (ECFP). The ECDLP is to find \(k \in [1,n-1]\) such that \(Q = k . P\), where Q and P are two points over E. The ECFP is to find the points \(s . P\) and \(t . P\) from \(Q = s . P + t . P\), where \(P, Q \in E\) and \(s, t \in [1, n-1]\).

2 Related work

Recently, RFID technology has been deployed in various applications, especially as an identity management system, such as supply chain management, e-passports, and credit cards [3]. These applications require different levels of security based on their requirements and capacity, which can be achieved by authentication protocols. RFID authentication protocols can be classified into three major classes based on the mechanisms used, the available resources, and the cryptographic technique. Each of these classes can be divided into further subclasses [2]. A series of full-fledged RFID authentication protocols has been proposed. In 2012, Benssalah et al. [4] proposed an efficient challenge-response protocol based on elliptic curve ElGamal encryption schemes. They minimize the computation on the tag side to a pseudorandom number generation (PRNG), an elliptic curve point addition, and two scalar multiplications. They state that their protocol resists the following security attacks: passive attacks, man-in-the-middle attacks, and replay attacks. Chou et al. [5] proposed a new RFID mutual authentication protocol based on ECC. This protocol possesses the properties of location privacy, forward secrecy, and mutual authentication. In addition, it can resist replay attacks, man-in-the-middle attacks, impersonation attacks and physical attacks. It achieves good performance in terms of the number of point multiplications and hash functions. In 2013, Chou [6] adopted ECC to design an efficient RFID mutual authentication protocol operating under the constraint of a tag's limited computational ability. His protocol possesses the following security properties: location privacy and mutual authentication. It can also resist replay attacks, man-in-the-middle attacks, and impersonation attacks. In 2014, Farash [7] analyzed Chou's protocol and found that it suffers from lack of tag privacy, lack of forward privacy, and lack of mutual authentication. It is also defenseless against impersonation attacks, tag cloning attacks and location tracking attacks. He then proposed a more secure and efficient scheme to cover all the security flaws and weaknesses of Chou's protocol. Moreover, by combining a secure ID-verifier transfer protocol and a challenge-response protocol, Liao and Hsiao [8] introduced a new ECC-based RFID authentication scheme using hybrid protocols. Their scheme can satisfy the security requirements of RFID, such as mutual authentication, ID-verifier confidentiality, anonymity, availability, forward security and scalability. It also resists attacks such as replay attacks, tag masquerade attacks, server spoofing attacks, DoS attacks, location tracking attacks and cloning attacks. However, none of these protocols is sufficient, and they still suffer from different issues. In our paper, we introduce a new ECC-based RFID authentication protocol to overcome these issues and improve their efficiency. We use ECDH as a key agreement protocol to establish secure communication between tag and reader.

Hannes et al. [9] present an IPSec-conformant mutual authentication protocol with the added attribute of privacy awareness for IoT infrastructure, based on the Diffie–Hellman Integrated Encryption Scheme (DHIES) [10]. It has been shown that the tag does not reveal sensitive information unless it is assured that communication was initiated by the genuine backend reader, which addresses the privacy preservation concern of RFID carriers.

Debiao et al. [11] present an in-depth survey of ECC-based RFID authentication schemes and show their suitability for the IoT-based healthcare environment in terms of security and performance requirements. The analysis shows that none of the currently available schemes is provably secure against different types of malicious attacks.

3 Essential RFID security requirement

Several security requirements for RFID systems have been defined [7, 8]. To enhance the security of our proposed protocol, we need to define the security requirements that must be considered in designing an RFID authentication protocol. The major requirements are mutual authentication, confidentiality, anonymity, availability, scalability, forward security, and location privacy. We should also specify potential attacks, such as man-in-the-middle attack (MIMA), replay attack, impersonation attack, brute force attack, denial-of-service (DoS) attack, and tracking attack [6–8]. As the wireless communication between tag and reader is the most vulnerable part of the RFID system, we concentrate on the most closely related requirements and attacks:

  • Mutual authentication: each party in the RFID system authenticates the other (the tag authenticates the reader and vice versa).

  • Confidentiality: all secret information is securely exchanged during all communications. This requires encrypting the information in a way that can be recognized only by an authorized party.

  • Anonymity: the most important security requirement for privacy, where the attacker cannot learn the tag's identifier that is used in the authentication process.

  • Forward security: previously transmitted data cannot be traced from the current tag transmission. That is, even if the attacker compromises a tag and obtains its data, he cannot trace the tag through previous conversations.

  • Location privacy: the attacker cannot track or monitor the tag, keeping the user's location private as well as the tag's identifier.

  • Man-in-the-middle attack (MIMA): the attacker interrupts the communication between tag and reader and redirects, or may modify, the exchanged messages without their knowledge.

  • Replay attack: the ability of the attacker to eavesdrop on and capture the conversation between the tag and the reader and replay the same message previously sent to pass the verification of the system.

  • Impersonation attack: the ability of the attacker to successfully impersonate a tag (reader) to authenticate himself to the reader (tag) while he does not know the tag's (reader's) secret key.

Table 2 Notations

4 The proposed ECC based authentication protocol

This paper proposes a new ECC-based mutual authentication protocol that fulfills the RFID security requirements. It also uses the elliptic curve Diffie–Hellman (ECDH) key agreement protocol to establish secure communication between tag and reader. Each party holds its own elliptic curve public-private key pair, which it uses to authenticate the other party and to derive a new changeable key that can be used to encrypt communication. The proposed protocol achieves most of the RFID security requirements and resists various attacks. The notations used in the rest of the paper are described in Table 2.

Our protocol is based on ECC and derives its strength from the ECDLP and ECFP. It consists of two phases, the initialization phase and the authentication phase, described below.

4.1 Initialization phase

In this phase, the server generates the system parameters. It chooses a random number \(Pr_R \in F_p\) as the reader private key and sets \(Pu_R = Pr_R . P\) as its public key. It also chooses \(Pr_T \in F_p\) as the tag private key and sets \(Pu_T = Pr_T . P\) as the tag's public key. Then each tag and reader stores its key pair together with the system parameters in memory. Table 3 summarizes the system parameters and the storage of each party.

Table 3 System parameters

4.2 Authentication phase

The authentication phase of our protocol is illustrated in Fig. 1. Here, we describe the interaction between tag and reader as follows:

Fig. 1 The proposed authentication protocol

Step 1: The reader generates a random number \(r_1 \in F_p\) and computes

$$\begin{aligned} R_1 = r_1 . P \end{aligned}$$
(1)

Then the reader sends \(R_1\) to the tag.

Step 2: After the tag receives \(R_1\), it generates a random number \(t_1 \in F_p\) and computes

$$\begin{aligned} T_1 = t_1 . P \end{aligned}$$
(2)

Then the tag calculates two secret keys

$$\begin{aligned} SK1_T = Pr_T . R_1 \end{aligned}$$
(3)
$$\begin{aligned} SK2_T = t_1 . R_1 \end{aligned}$$
(4)

Finally, the tag computes

$$\begin{aligned} C_1 = SK1_T + SK2_T \end{aligned}$$
(5)

to encrypt the tag's secret keys, and sends \(T_1\) and \(C_1\) to the reader.

Step 3: After receiving \((T_1, C_1)\), the reader calculates two temporary secret keys

$$\begin{aligned} SK1_R = r_1 . Pu_T \end{aligned}$$
(6)
$$\begin{aligned} SK2_R = r_1 . T_1 \end{aligned}$$
(7)

to recover the tag's encrypted secret keys. It then calculates

$$\begin{aligned} X = SK1_R + SK2_R \end{aligned}$$
(8)

and compares X to \(C_1\). If \(X = C_1\), the reader authenticates the tag as genuine. It then calculates

$$\begin{aligned} C_2 = T_1 . Pr_R \end{aligned}$$
(9)

Moreover, it generates a new random number \(r_2 \in F_p\) and computes

$$\begin{aligned} R_2 = r_2 . P \end{aligned}$$
(10)

to be used for key agreement. Finally, the reader sends \(C_2\) and \(R_2\) to the tag.

Step 4: The tag computes

$$\begin{aligned} Y= t_1 . Pu_R \end{aligned}$$
(11)

then compares it to \(C_2\). If \(Y = C_2\), the tag authenticates the reader as genuine.

Step 5: Both parties set the key agreement between them. The tag key agreement is

$$\begin{aligned} TK_\mathrm{ag} = t_1 . R_2 \end{aligned}$$
(12)

and the reader key agreement is

$$\begin{aligned} RK_\mathrm{ag} = r_2 . T_1 \end{aligned}$$
(13)

Fig. 2 Protocol example

4.3 Protocol example

To clarify our proposed protocol, we take an example to prove its correctness, as shown in Fig. 2. We use the SECP112R1 curve domain parameters, which are as follows:

Field type: prime-field

  • Prime: 4451685225093714772084598273548427

  • A: 4451685225093714772084598273548424

  • B: 2061118396808653202902996166388514

  • Order: 4451685225093714776491891542548933

  • Seed: 5464641678502306533941025049572469019726331825

  • Cofactor: 1

To calculate the operations in our protocol (point addition and scalar multiplication), we use the built-in elliptic curve calculator tool [12].
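The following is an added example, not the authors' code: it runs Steps 1 to 5 of Section 4.2 on the curve parameters listed above and checks a replayed \((T_1, C_1)\) against a fresh \(r_1\), as Section 5 describes. The function names are hypothetical, and because the page does not list the base point, one is derived in code (an assumption).

```python
import secrets
# Domain parameters exactly as listed in Section 4.3 (SECP112R1).
p = 4451685225093714772084598273548427
a = 4451685225093714772084598273548424
b = 2061118396808653202902996166388514
n = 4451685225093714776491891542548933
O = None  # point at infinity

def add(A, B):  # affine point addition; not constant-time, study use only
    if A is O or B is O:
        return B if A is O else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, A):  # scalar multiplication k . A by double-and-add
    R = O
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def base_point():
    """Assumption: the page lists no base point, so take the first x whose
    curve value is a square (p % 4 == 3, so the root is v^((p+1)/4))."""
    x = 1
    while True:
        v = (x**3 + a * x + b) % p
        y = pow(v, (p + 1) // 4, p)
        if y and y * y % p == v:
            return x, y
        x += 1

P = base_point()

def rand():
    return secrets.randbelow(n - 1) + 1  # fresh scalar in [1, n-1] (A1)

def keypair():
    pr = rand()
    return pr, mul(pr, P)  # Section 4.1: Pu = Pr . P

def tag_respond(Pr_T, R1):  # Step 2, Eqs. (2)-(5)
    t1 = rand()
    return t1, mul(t1, P), add(mul(Pr_T, R1), mul(t1, R1))  # t1, T1, C1

def reader_verify(r1, Pu_T, T1, C1):  # Step 3, Eqs. (6)-(8): X == C1
    return add(mul(r1, Pu_T), mul(r1, T1)) == C1

def run_session(reader, tag):
    (Pr_R, Pu_R), (Pr_T, Pu_T) = reader, tag
    r1, r2 = rand(), rand()
    R1, R2 = mul(r1, P), mul(r2, P)             # Eqs. (1) and (10)
    t1, T1, C1 = tag_respond(Pr_T, R1)
    tag_ok = reader_verify(r1, Pu_T, T1, C1)
    reader_ok = mul(t1, Pu_R) == mul(Pr_R, T1)  # Step 4: Y == C2
    keys_match = mul(t1, R2) == mul(r2, T1)     # Step 5: TK_ag == RK_ag
    return tag_ok, reader_ok, keys_match, (T1, C1)

def replay_accepted(Pu_T, old_T1, old_C1):
    # Replay case from Section 5: old (T1, C1) checked against a fresh r1.
    return reader_verify(rand(), Pu_T, old_T1, old_C1)
```

Calling `run_session(keypair(), keypair())` returns the three check results plus the transmitted `(T1, C1)`, which can then be passed to `replay_accepted` together with the tag's public key.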

5 Security analysis

In this section, we analyze the proposed protocol and prove its correctness and strength in terms of five major RFID security requirements (mutual authentication, confidentiality, anonymity, forward security and location privacy). We also show that it resists three main attacks (MIMA, replay attack, and impersonation attack). First of all, we make some reasonable assumptions to support the security analysis.

A1: All the random numbers are fresh in every session.

A2: The tag private key is unknown to anyone except the tag itself.

A3: The reader private key is unknown to anyone except the reader itself.

Also, we set some inferences to guide us in the analysis:

I1: The tag's private key is embedded in \(C_1\) and securely transmitted to the reader. In Step 2, the tag sends \(C_1\) to the reader; if the attacker gets \(C_1\), he cannot extract the private key of the tag from it, based on the ECFP. Also, the generated temporary secret keys cannot be predicted because they are based on the ECDLP.

I2: The reader's private key is embedded in \(C_2\) and securely transmitted to the tag. In Step 3, \(C_2 = Pr_R . T_1\); the attacker cannot extract the reader's private key, based on the ECDLP.

I3: According to A1, all the generated random numbers vary in every session, so the freshness of the exchanged messages is assured. Therefore, the attacker cannot reuse previous messages to impersonate the tag or the reader or to track the tag.

We analyze our protocol for the following properties:

  1. Mutual authentication: In our protocol, the reader can authenticate the tag by the ability to calculate the correct value of X, which must be equal to \(C_1\). According to I1 and A2, only the genuine reader can calculate the correct value without knowledge of the tag private key. On the other hand, the tag can authenticate the reader by the ability to calculate the same value as \(C_2\) (Y). From I2 and A3, only the genuine tag can calculate the correct value of Y without knowledge of the reader private key. Hence, we prove that both parties authenticate each other.

  2. Confidentiality: According to I1 and I2, the attacker cannot extract the private key of any party from the exchanged messages \((C_1, C_2)\).

  3. Anonymity: From the confidentiality property, the tag's identifier (private key) cannot be extracted. Moreover, because of the freshness of the random numbers, the exchanged messages vary for each session, which prevents the attacker from predicting the tag identifier.

  4. Forward security: Assuming that an attacker learns the tag key pair \((Pu_T, Pr_T)\) through physical attacks, he still cannot know the fresh random numbers temporarily generated and used by each party. So the attacker cannot predict the previously exchanged messages and use them later.

  5. Location privacy: According to the confidentiality property and I3, the messages exchanged between the tag and the reader are well protected and vary unpredictably in every session. This makes it difficult for the attacker to track the tag.

  6. Resistance to MIMA: From I1 and I2, the values of the exchanged messages (\(C_1\) or \(C_2\)) cannot be calculated correctly except by the genuine parties. So if an attacker intercepts the communication channel between tag and reader, he cannot extract any secret or useful data with which to initiate an attack. For example, if an attacker intercepts the exchanged message \(C_1\), then from I1 he cannot extract the private key, so he cannot reuse it to send to the reader. And if he uses an incorrect private key, the reader cannot calculate the correct value of X.

  7. Resistance to replay attack: Suppose the attacker intercepts a previous communication and replays the same message to pass the verification process. According to I3, because of the freshness of the transmitted messages, the attacker will fail to reuse the previously exchanged messages (\(C_1\) or \(C_2\)) to masquerade as the reader or tag.

  8. Resistance to impersonation attack: From I1 and A2, if an attacker tries to impersonate a tag to a reader, he will fail because he must use the tag's private key to compute \(C_1\). On the other hand, from I2 and A3, the attacker fails to impersonate a reader to a tag because he needs to use the reader's private key to calculate \(C_2\).

Table 4 summarizes the security comparison of the related ECC-based RFID authentication protocols with our proposed protocol.

Table 4 Security comparison

6 Performance evaluation

To evaluate the performance and functionality of our protocol in terms of time and memory space, we chose to implement it in a real RFID system. For hardware, we use a laptop (ASUS, 46 bit Windows, operating system Windows 8.1), an Omnikey smartcard reader (Omnikey 5421) [13], and smartcards (J3A040) [14]. Our smart cards are JCOP J3A040 version 2.4.1 with dual interface, \(T = 1\), 40 KB EEPROM. These are NXP [15] cards with support for PKC (both ECC and RSA).

For software, we use the Eclipse IDE for Java Developers (Mars.2 Release (4.5.2)), the Java Runtime Environment (jre7), the Java Development Kit (jdk 1.7.0_79), and the Java Card Kit (java_card_kit_2_2_2) for building smart card applets, and GPShell (GPShell-1.4.4) for writing scripts that communicate with the reader. See the Appendix for more description of the software installation and our applets. In our ECC implementation, we use secp192r1 [16]. It is specified by the six-tuple \(T = (p, a, b, G, n, h)\) where:

  • \(p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF\)

  • \(a = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFFFF FFFFFFFC\)

  • \(b = 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1\)

  • \(G = 04 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811\)

  • \(n = FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831\)

  • \(h = 01\)

We compare the performance of our proposed protocol with a similar ECC-based RFID authentication protocol [8] in terms of time and memory space requirements.

Table 5 Performance comparison

As is well known, the tag's computing capability and memory are restricted, which makes computation cost and storage requirements the most important characteristics for practical applications. Therefore, we restrict our comparison to the tag side only: we measure the time and storage cost for the tag only. The storage cost is denoted as (SC) and the time cost as (TC). For clarity, we use \(T_\mathrm{GKey}, T_\mathrm{RSet}, T_\mathrm{AutC}, T_\mathrm{AutR}, T_\mathrm{End}\) for key pair generation, random points setting, the authenticate card step, the authenticate reader step and the end operation, respectively. Also, we use \(SC_\mathrm{PRS}, SC_\mathrm{TRN}, SC_\mathrm{TRNRST}\) for the memory types persistent, transient, and transient with reset, respectively.

Table 5 summarizes the performance comparison of our proposed protocol with [8] by computing the time and storage cost of each of the above-mentioned measures. From the storage cost point of view, we found that they are the same, which in fact means that our protocol is better because it has an extra step for key agreement based on ECDH. In contrast, our protocol outperforms the Liao et al. [8] protocol in terms of time cost. The total time cost of our protocol is 2822 ms, whereas the total time cost of the Liao et al. protocol [8] is 4536 ms. This shows that our proposed protocol reduces the time cost of the Liao et al. protocol [8] by around half.

Table 6 shows the comparison of our proposed protocol with other related protocols [4, 7, 8] in terms of the number of operations required in each protocol. Our protocol performs better than Liao et al. [8] because it has one less point addition operation on both parties and one less scalar multiplication operation on the tag side.

Further, our protocol is proposed for applications that do not depend on a database. It stores the sensitive data on the corresponding tag's memory, and the tag needs to authenticate the reader before allowing access to these sensitive data. In addition, the reader also needs to authenticate the tag to avoid cloned tags. This authentication is done without referring to the backend database. After the parties authenticate each other, the ECDH key agreement protocol is added to encrypt the data transmitted later, as the required data is stored in the tag memory.

Table 6 Number of operations

7 Conclusion

The limited resources of RFID systems make introducing a strong and efficient security system a very challenging process. In our paper, we propose a secure ECC-based authentication protocol to eliminate the current RFID vulnerabilities raised by the insecure communication channel between tag and reader. The strength of our protocol is based on the two main ECC computational problems: ECDLP and ECFP. We used ECDH as a key agreement protocol to agree on a shared key used to encrypt the later exchanged messages to protect the tag data. Our security analysis shows that the proposed protocol fulfills the requirements of mutual authentication, confidentiality, anonymity, forward security and location privacy. Also, our protocol resists the following attacks: MIMA, replay attack and impersonation attack. Performance evaluation shows that our proposed protocol is more efficient and requires much less time as compared to others [8].