1 Introduction

Radio frequency identification (RFID) is a technology that uses radio waves for identifying and authenticating unique items. RFID technology uses a small electronic chip for identification of objects that called “tag”. RFID tags are smarter than barcodes, which makes RFID easier to use and more efficient than barcodes. The data stored on this “tag” can be read by wireless devices, called RFID readers. Generally, RFID systems are consists of three main parts, that the third part is named back-end server. All information and secret values of all tags are stored in the back-end server. Recently, this technology is found in almost every authentication applications such as access control systems, public transportation, product authentication and etc. [1, 2]. Furthermore, RFID is key enabler of internet of things (IoT) that is the next generation of future internet [3]. In the IoT systems, physical things in our environment and people will be connected anyplace and anytime via any service [3]. These connections can be made with RFID systems, intelligent sensors, GPS or any sensing devices which can exchange data between two objects [4]. In the next generation of internet, generally devices will be connected to the internet directly or using a connection gateway that RFID readers will play role of an IoT gateway. In the RFID systems, the reader is located among the tag and the back-end server and exchanges data between them. In each connection, the reader receives data from the target tag and sends it to the back-end server. Then, the back-end server performs some authentication processes, and after successful authentication, the back-end server provides access to the data [5].

Although RFID systems provide useful services in different areas, they can put in danger the security and the privacy of RFID users. In the last decade, in order to provide secure communication between RFID users and also for user privacy, different authentication protocols have been proposed [612]. Due to some limitation on tag’s memory and computation capabilities, RFID authentication are lightweight and are designed based on lightweight cryptographic operators and functions. Although, all RFID authentication protocols have tried to provide security and privacy requirements of RFID end-users, in some cases it is shown that they have various security and privacy weaknesses and they need more efforts to optimize their security and privacy.

Privacy of RFID users is one of the most important issues that lots of researchers have studied in the last decade [9, 11, 13, 14]. Traceability, backward traceability and forward traceability are usual attacks that are related to privacy concerns in RFID systems. With traceability attacks, an attacker can trace a specific tag any time in any place. In many applications, RFID users do not like to be tracked by illegal system or person. Therefore, in designing a RFID authentication protocol, it is very important that the designed protocol provides privacy of end-users.

In general, the privacy of RFID authentication protocol can be investigated based on ad-hoc [15, 16] and formal methods [9, 17]. In privacy analysis with ad-hoc method, the attacker can perform special attacks with some defined notations, but in formal methods, the abilities of the attacker are classified to different categories. Different formal methods are proposed as a formal privacy model for RFID systems [14, 1821]. In [20], Ouafi and Phan proposed a formal privacy model to evaluate privacy of RFID protocols. In this model, the attacker can eavesdrop all channels between tags and readers and also it can attack them actively or passively. In this study, we use Ouafi and Phan privacy model for our privacy analysis.

In this paper, we investigate the privacy of three RFID authentication protocols that proposed recently. In 2012, Cho et al. [22] proposed a new hash-based RFID authentication protocol. In 2014, Dehkordi and Farzaneh [12] showed that Cho et al.’s protocol still has some weaknesses and cannot ensure the security and the privacy of RFID users. They illustrated that Cho et al.’s protocol has some vulnerability against tag impersonation, reader impersonation, and Denial-of-Service (DoS) attack. Then, they proposed an improved version of Cho et al.’s protocol that eliminates all weaknesses of Cho et al.’s protocol (referred to as Dehkordi–Farzaneh protocol). They claimed that their protocol is secure against various attacks and also provide user privacy. In this paper, we show that the privacy of the Dehkordi–Farzaneh protocol has some problems and does not secure against backward traceability and forward traceability attacks.

In 2013, Khedr [23] proposed a novel hash-based security scheme for RFID systems. He analyzed the proposed authentication protocol against various attacks and claimed that the security and privacy of his protocol is complete and it is secure against different attacks. In this paper, it is shown that his protocol has some privacy weaknesses yet and traceability and forward traceability attacks can be performed on Khedr’s protocol. Aforementioned attacks based on Ouafi and Phan formal privacy model are reported in Sect. 4.

In 2007, Chien and Chen [24] proposed an improved RFID mutual authentication protocol conforming to the EPC Class 1 Generation 2 (EPC C1 G2) standard. In 2010, Yeh et al. [25] showed that their protocol has some weaknesses and cannot provide secure communication for RFID users. Then, Yeh et al. proposed an improved version of Chien and Chen protocol that eliminates Chien and Chen protocol weaknesses. In 2011, Habibi et al. [13] analyzed the security and the privacy of Yeh et al. protocol. They showed that Yeh et al.’s protocol is not secure against some practical attacks such as, reveal secret keys, tag impersonation, reader impersonation and DoS attack. Also, they showed that the privacy of Yeh et al.’s protocol has some problems and cannot provide user privacy. Then, Habibi et al. applied some changes in Yeh et al.’s protocol and present an improved protocol of Yeh et al.’s protocol. Habibi et al. claimed that with new revisions, all the mentioned vulnerabilities in Yeh et al.’s protocol have eliminated. In this paper, we show that still there are some flaws on the Habibi et al.’s protocol and privacy of their protocol has some weaknesses. It is shown that an attacker can perform traceability and forward traceability attacks on Habibi et al.’s protocol. These attacks presented in Sect. 5.

Then, in order to enhance the privacy of Dehkordi–Farzaneh and Habibi et al.’s protocols, we apply some changes on their structures and present two improved versions of them that eliminate existing weaknesses. For more evaluation, we analyze the computational cost and the privacy of proposed protocols and we show that with our changes the privacy of protocols is increased and they are safe against different privacy attacks. In addition, we provide a comparison between privacy of analyzed protocols and some similar protocols which proposed recently.

The structure of paper is organized as follows: In Sect. 2, the privacy model of Ouafi and Phan is described. We investigate Dehkordi–Farzaneh protocol and its weaknesses in Sect. 3. In Sect. 4, we analyze the privacy of Khedr’s protocol. In Sect. 5, firstly we introduce Habibi et al.’s protocol and after that we present two practical attacks on their protocol. Two improved versions of Dehkordi–Farzaneh and Habibi et al.’s protocols are presented in Sect. 6. Also in Sect. 6, we investigate communication cost and the privacy of proposed protocols and then compare with some similar new-found protocols. Finally, conclusions are provided in Sect. 7.

2 Privacy Model

In RFID systems, privacy is one of the most important issues for RFID end-users. As a result, the privacy has become one of the most challenging field in RFID systems and their applications. In the last few years, different RFID privacy models have been proposed for evaluate the privacy level of RFID authentication protocols [14, 1821]. In the privacy models, attacker’s abilities are classified in different categories. Using the privacy models for privacy analysis of RFID authentication protocols, is a better solution for evaluate the reliability of RFID protocols [26, 27]. In [20], Ouafi and Phan presented a formal privacy model to evaluate RFID protocols. In this paper, we present our privacy analysis based on this privacy model. So, first we review Ouafi and Phan privacy model.

In this model, the attacker \( {\mathcal{A}} \) can eavesdrop all channels between tags and readers and also it can attack them actively or passively. As well, the attacker \( {\mathcal{A}} \) has been allowed to run the following queries:

  • Execute query (R,T,i) Passive attacks take place in this query. In other words, the attacker can eavesdrop all transmitted messages between the tag T and the reader R in ith session. As a result, the attacker obtains all exchanged data between the tag T and the reader R.

  • Send query (U,V, m,i) This query models the active attacks in RFID systems. In this query, the attacker \( {\mathcal{A}} \) has permission to impersonate a reader U in the ith session, and forwards a message m to a tag V. In addition, the attacker \( {\mathcal{A}} \) has permission to alert or block the exchanged message m between the tag and the reader. Note that U and V are members of readers and tags sets, respectively.

  • Corrupt query (T,K) In this query, the attacker \( {\mathcal{A}} \) has permission to access secret keys of the tag. In fact, the attacker \( {\mathcal{A}} \) has physical access to the tag database. In addition, the attacker \( {\mathcal{A}} \) can set secret key to K′.

  • Test query (T 0 , T 1 ,i) When this query is executed in the particular session i, after completing ith session, a random number bit b {0,1} is generated by challenger and delivered T b {T 0 ,T 1} to the attacker. Now, the attacker succeeds if he/she can guess the bit b correctly.

Untraceability privacy (UPriv): Untraceability privacy could be defined by the game G that is played between an attacker \( {\mathcal{A}} \) and a set of the tag and the reader instances. In other words, an attacker \( {\mathcal{A}} \) plays game G using collected instances of the reader and the tag. The game G can be played using mentioned queries as follows.

  • Learning phase The attacker \( {\mathcal{A}} \) has permission to send each one of the queries such as Execute, Send and Corrupt, and interact with the reader R and T 0 , T 1 that are chosen randomly.

  • Challenge phase The attacker \( {\mathcal{A}} \) selects two tags T 0 , T 1 and forwards a test query (T 0,T 1,i) to the challenger. After that, the challenger selects \( b^{\prime } \in \{ 0,1\} \) randomly and the attacker \( {\mathcal{A}} \) determines a tag \( T_{b} \in \{ T_{0} ,T_{1} \} \) using Execute and Send queries.

  • Guess phase Eventually, the attacker \( {\mathcal{A}} \) finishes the game G and outputs a bit \( b^{\prime } \in \{ 0,1\} \) as guess of b.

The success of attacker \( {\mathcal{A}} \) in the game G and consequently breaking the notion of UPriv is quantified via \( {\mathcal{A}} \)’s advantage in recognizing whether attacker \( {\mathcal{A}} \) received T0 or T1, and denoted by \( {\text{Adv}}_{{\mathcal{A}}}^{U\Pr iv} (k) \) where k is the security parameter.

$$ \begin{aligned} {\text{Adv}}_{{\mathcal{A}}}^{U\Pr iv} (k) & = \left| {{\text{pr}}\left( {b^{{\prime }} = b} \right) - {\text{pr}}\left( {{\text{random}}\;{\text{coin}}\;{\text{flip}}} \right)} \right| \\ & = \left| {{\text{pr}}\left( {b^{{\prime }} = b} \right) - \frac{1}{2}} \right| \\ \end{aligned} $$

where \( 0 \le {\text{Adv}}_{{\mathcal{A}}}^{U\Pr iv} (k) \le \frac{1}{2} \). Note that, if \( {\text{Adv}}_{{\mathcal{A}}}^{U\Pr iv} (k) \ll \varepsilon (k) \), the protocol is traceable with negligible probability.

In the rest of paper, the privacy of Dehkordi–Farzaneh, Khedr, and Habiibi et al. protocols are investigated based on Ouafi and Phan formal privacy model.

3 Privacy Analysis of Dehkordi–Farzaneh Protocol

In [12], Dehkordi and Farzaneh proposed an improved version of Cho et al.’s protocol [22] that eliminates weaknesses of Cho et al.’s protocol. In this section, it is shown that their improved protocol still has some privacy concerns and is not resistance against backward traceability and forward traceability attacks. In the rest of this section, we first introduce Dehkordi–Farzaneh protocol and then present our traceability attacks based on Ouafi and Phan privacy model.

3.1 Structure of Dehkordi–Farzaneh Protocol

Dehkordi and Farzaneh protocol, such as the most of RFID authentication protocols made use of random number generators, Exclusive-OR operator, hash functions and etc. Their protocol consists of eight phases that are shown in Fig. 1. The notations that are used in Dehkordi–Farzaneh protocol are provided in Table 1.

Fig. 1
figure 1

The Dehkordi–Farzaneh protocol [12]

Full size image
Table 1 The notations of Dehkordi–Farzaneh protocol
Full size table

3.2 Backward Traceability Attack on Dehkordi–Farzaneh Protocol

In this subsection, we show that Dehkordi–Farzaneh protocol is not secure against backward traceability attack. This attack can be summarized based on Ouafi and Phan privacy model as follows,

  • Learning phase In the ith round, the attacker \( {\mathcal{A}} \) sends a Corrupt query(T 0,K′) and obtains \( S_{i}^{{r,T_{0} }} \) and \( S_{i}^{{t,T_{0} }} \) from the tag T 0.

  • Challenge phase In round (i − 1), the attacker \( {\mathcal{A}} \) selects two new tags T 0 and T 1 for test, and sends a Test query (T 0,T 1,i − 1). According to the randomly chosen bit \( b \in \left\{ {0, 1} \right\} \), the attacker is given a tag \( T_{b} \in \left\{ {T_{0} , T_{1} } \right\} \). Then, the attacker \( {\mathcal{A}} \) sends an Execute query (R,T b ,i − 1), and obtains \( M_{1,i - 1}^{{T_{b} }} \), \( M_{3,i - 1}^{{T_{b} }} \) and \( M_{4,i - 1}^{{T_{b} }} \). Now, the attacker computes \( \alpha = M_{1,i - 1}^{{T_{b} }} \oplus S_{i}^{{t,T_{0} }} \) and \( \beta = M_{3,i - 1}^{{T_{b} }} \oplus S_{i}^{{r,T_{0} }} \).

  • Guess phase The attacker \( {\mathcal{A}} \) stops the game G, and outputs a bit \( b^{\prime } \in \left\{ {0, 1} \right\} \) as a guess of bit b. In order to determine \( b^{\prime } \in \left\{ {0, 1} \right\} \), the attacker uses the following rule,

    $$ b^{{\prime }} = \left\{ {\begin{array}{*{20}l} 0 \hfill & {if\;M_{4,i - 1}^{{T_{b} }} = h\left( {\beta \oplus M_{3,i - 1}^{{T_{b} }} \oplus \alpha \parallel \alpha } \right)} \hfill \\ 1 \hfill & {otherwise} \hfill \\ \end{array} } \right. $$

    As a result, we can write,

    $$ \begin{aligned} {\text{Adv}}_{A}^{upriv} (K) & = \left| {pr\left( {b^{{\prime }} = b} \right) - pr\left( {random\;coin\;flip} \right)} \right| \\ & = \left| {pr\left( {b^{{\prime }} = b} \right) - \frac{1}{2}} \right| = \left| {1 - \frac{1}{2}} \right| = \frac{1}{2} \gg \varepsilon \\ \end{aligned} $$

Proof According to the structure of Dehkordi–Farzaneh protocol and its updating procedure as \( S_{i + 1}^{{t,T_{0} }} \leftarrow R_{i}^{{s,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \oplus R_{i}^{{t,T_{0} }} \) and \( S_{i + 1}^{{r,T_{0} }} \leftarrow R_{i}^{{t,T_{0} }} \oplus S_{i}^{{r,T_{0} }} \oplus R_{i}^{{s,T_{0} }} \) following equations can be written,

$$ \begin{aligned} If\;T_{b} & = T_{0} \\ h\left( {\beta \oplus M_{3,i - 1}^{{T_{b} }} \oplus \alpha \parallel \alpha } \right) & = h\left( {M_{3,i - 1}^{{T_{b} }} \oplus S_{i}^{{r,T_{0} }} \oplus M_{3,i - 1}^{{T_{b} }} \oplus M_{1,i - 1}^{{T_{b} }} \oplus S_{i}^{{t,T_{0} }} \parallel M_{1,i - 1}^{{T_{b} }} \oplus S_{i}^{{t,T_{0} }} } \right) \\ \end{aligned} $$
(1)

with substituting the value \( M_{1,i - 1}^{{T_{b} }} = R_{i - 1}^{{t,T_{b} }} \oplus S_{i - 1}^{{t,T_{0} }} \), Eq. (1) can be rewritten as follows,

$$ = h\left( {S_{i}^{{r,T_{0} }} \oplus R_{i - 1}^{{t,T_{b} }} \oplus S_{i - 1}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \parallel R_{i - 1}^{{t,T_{b} }} \oplus S_{i - 1}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} } \right) $$
(2)

then, with substituting the updated values of \( S_{i}^{{t,T_{0} }} \leftarrow R_{i - 1}^{{s,T_{0} }} \oplus S_{i - 1}^{{t,T_{0} }} \oplus R_{i - 1}^{{t,T_{0} }} \) and \( S_{i}^{{r,T_{0} }} \leftarrow R_{i - 1}^{{t,T_{0} }} \oplus S_{i - 1}^{{r,T_{0} }} \oplus R_{i - 1}^{{s,T_{0} }} \), Eq. (2) can be rewritten as follows,

$$ \begin{aligned} & = h\left( {R_{i - 1}^{{t,T_{0} }} \oplus S_{i - 1}^{{r,T_{0} }} \oplus R_{i - 1}^{{s,T_{0} }} \oplus R_{i - 1}^{{t,T_{b} }} \oplus S_{i - 1}^{{t,T_{0} }} \oplus R_{i - 1}^{{s,T_{0} }} \oplus S_{i - 1}^{{t,T_{0} }} \oplus R_{i - 1}^{{t,T_{0} }} \parallel R_{i - 1}^{{t,T_{b} }} \oplus S_{i - 1}^{{t,T_{0} }} \oplus R_{i - 1}^{{s,T_{0} }} \oplus S_{i - 1}^{{t,T_{0} }} \oplus R_{i - 1}^{{t,T_{0} }} } \right) \\ & = h\left( {S_{i - 1}^{{r,T_{0} }} \oplus R_{i - 1}^{{t,T_{b} }} \parallel R_{i - 1}^{{s,T_{0} }} } \right) \\ & = M_{4,i - 1}^{{T_{b} }} . \\ \end{aligned} $$
(3)

3.3 Forward Traceability Attack on Dehkordi–Farzaneh Protocol

Beside the backward traceability attack that presented above, Dehkordi–Farzaneh protocol is vulnerable to forward traceability attack. An attacker can perform this attack in three phases as follows,

  • Learning phase In the ith round, the attacker \( {\mathcal{A}} \) sends an Execute query(R,T 0,i) and obtains \( M_{1,i}^{{T_{0} }} \) and \( M_{3,i}^{{T_{0} }} \). Also, the attacker \( {\mathcal{A}} \) sends a Corrupt query(T 0,K′) and obtains ID, \( S_{i}^{{r,T_{0} }} \) and \( S_{i}^{{t,T_{0} }} \) from tag T 0. Now the attacker computes \( \alpha = M_{1,i}^{{T_{0} }} \oplus S_{i}^{{t,T_{0} }} \), \( \beta = M_{3,i}^{{T_{0} }} \oplus S_{i}^{{r,T_{0} }} \) and \( \psi = \beta \oplus S_{i}^{{t,T_{0} }} \oplus \alpha \).

  • Challenge phase The attacker \( {\mathcal{A}} \) selects two fresh tags T 0 and T 1, and sends a Test query(T 0,T 1 ,i + 1). According to the randomly chosen bit \( b \in \left\{ {0, 1} \right\} \), the attacker is given a tag \( T_{b} \in \left\{ {T_{0} , T_{1} } \right\} \). After that, the attacker \( {\mathcal{A}} \) sends an Execute query(R,T b ,i + 1) by sending R r and obtains \( M_{1,i + 1}^{{T_{b} }} \) and \( M_{2,i + 1}^{{T_{b} }} \).

  • Guess phase The attacker \( {\mathcal{A}} \) stops the game G, and outputs a bit \( b^{{\prime }} \in \left\{ {0, 1} \right\} \) as a guess of bit b as follows,

    $$ b^{\prime } = \left\{ {\begin{array}{*{20}l} 0 \hfill & {if\;M_{2,i + 1}^{{T_{b} }} = h\left( {ID \oplus M_{1,i + 1}^{{T_{b} }} \oplus \psi \parallel R^{r} \oplus \beta \oplus \alpha \oplus S_{i}^{{t,T_{0} }} } \right)} \hfill \\ 1 \hfill & {otherwise} \hfill \\ \end{array} } \right.. $$

    As a result, \( Adv_{A}^{upriv} (k) \) can be written as follows,

    $$ \begin{aligned} Adv_{A}^{upriv} (k) & = \left| {pr\left( {b^{{\prime }} = b} \right) - pr\left( {random\;coin\;flip} \right)} \right| \\ & = \left| {pr\left( {b^{{\prime }} = b} \right) - \frac{1}{2}} \right| = \left| {1 - \frac{1}{2}} \right| = \frac{1}{2} \gg \varepsilon \\ \end{aligned} $$

Proof According to the Fig. 1 following equations can be written,

$$ \begin{gathered} (1)\;If T_{b} = T_{0} \hfill \\ \quad h\left( {ID \oplus M_{1,i + 1}^{{T_{b} }} \oplus \psi \parallel R^{r} \oplus \beta \oplus \alpha \oplus S_{i}^{{t,T_{0} }} } \right) = h\left( {ID \oplus M_{1,i + 1}^{{T_{b} }} \oplus \beta \oplus S_{i}^{{t,T_{0} }} \oplus \alpha \parallel R^{r} \oplus \beta \oplus \alpha \oplus S_{i}^{{t,T_{0} }} } \right) \hfill \\ \end{gathered} $$
(4)

with substituting the values \( \alpha = M_{1,i}^{{T_{0} }} \oplus S_{i}^{{t,T_{0} }} \) and \( \beta = M_{3,i}^{{T_{0} }} \oplus S_{i}^{{r,T_{0} }} \), Eq. (4) can be rewritten as follows,

$$ \begin{aligned} & = h\left( {ID \oplus M_{1,i + 1}^{{T_{b} }} \oplus M_{3,i}^{{T_{0} }} \oplus S_{i}^{{r,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \oplus M_{1,i}^{{T_{0} }} \oplus S_{i}^{{t,T_{0} }} \parallel R^{r} \oplus M_{3,i}^{{T_{0} }} \oplus S_{i}^{{r,T_{0} }} \oplus M_{1,i}^{{T_{0} }} \oplus S_{i}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} } \right) \\ & = h\left( {ID \oplus M_{1,i + 1}^{{T_{b} }} \oplus M_{3,i}^{{T_{0} }} \oplus S_{i}^{{r,T_{0} }} \oplus M_{1,i}^{{T_{0} }} \parallel R^{r} \oplus M_{3,i}^{{T_{0} }} \oplus S_{i}^{{r,T_{0} }} \oplus M_{1,i}^{{T_{0} }} } \right) \\ \end{aligned} $$
(5)

then, with substituting \( M_{3,i}^{{T_{0} }} = R_{i}^{{s,T_{0} }} \oplus S_{i}^{{r,T_{0} }} \) we can rewrite Eq. (5) as follows,

$$ \begin{aligned} & = h\left( {ID \oplus M_{1,i + 1}^{{T_{b} }} \oplus R_{i}^{{s,T_{0} }} \oplus S_{i}^{{r,T_{0} }} \oplus S_{i}^{{r,T_{0} }} \oplus R_{i}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \parallel R^{r} \oplus R_{i}^{{s,T_{0} }} \oplus S_{i}^{{r,T_{0} }} \oplus S_{r,i}^{{T_{0} }} \oplus R_{i}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} } \right) \\ & = h\left( {ID \oplus M_{1,i + 1}^{{T_{b} }} \oplus R_{i}^{{s,T_{0} }} \oplus R_{i}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \parallel R^{r} \oplus R_{i}^{{s,T_{0} }} \oplus R_{i}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} } \right) \\ \end{aligned} $$
(6)

finally, with substituting the updated values of \( S_{i + 1}^{{t,T_{0} }} \leftarrow R_{i}^{{s,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \oplus R_{i}^{{t,T_{0} }} \) and \( M_{1,i + 1}^{{T_{b} }} = R_{i + 1}^{{t,T_{0} }} \oplus S_{i + 1}^{{t,T_{0} }} \) last equation can be rewritten as follows,

$$ \begin{aligned} & = h\left( {ID \oplus R_{i + 1}^{{t,T_{0} }} \oplus S_{i + 1}^{{t,T_{0} }} \oplus R_{i}^{{s,T_{0} }} \oplus R_{i}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \parallel R^{r} \oplus S_{i + 1}^{{t,T_{0} }} } \right) \\ & = h\left( {ID \oplus R_{i + 1}^{{t,T_{0} }} \oplus R_{i}^{{s,T_{0} }} \oplus R_{i}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \oplus R_{i}^{{s,T_{0} }} \oplus R_{i}^{{t,T_{0} }} \oplus S_{i}^{{t,T_{0} }} \parallel R^{r} \oplus S_{i + 1}^{{t,T_{0} }} } \right) \\ & = h\left( {ID \oplus R_{i + 1}^{{t,T_{0} }} \parallel R^{r} \oplus S_{i + 1}^{{t,T_{0} }} } \right) \\ & = h\left( {ID \oplus R_{i + 1}^{{t,T_{b} }} \parallel R^{r} \oplus S_{i + 1}^{{t,T_{b} }} } \right) \\ & = M_{2,i + 1}^{{T_{b} }} . \\ \end{aligned} $$
(7)

4 Privacy Analysis of Khedr’s Protocol

In 2013, Khedr proposed a novel hash-based RFID mutual authentication protocol [23]. He analyzed the security and the privacy of his protocol and claimed that his protocol can provide secure and confidential communication for RFID users and it is secure against various security and privacy attacks. He claimed that due to random responses from tags in each session, the privacy of his protocol is provided. In this section, we show that still the privacy of his protocol has some weaknesses and an attacker can perform traceability and forward traceability attacks on his protocol. First, we introduce the structure of his protocol and then provide our privacy analysis.

4.1 Structure of Khedr’s Protocol

In Khedr’s protocol, in order to provide secure communication between the tag and the back-end server all exchanged messages are hashed with one-way hash function. Their protocol consists of five stages that are presented in Fig. 2. Table 2 shows the notations that are used in Khedr’s protocol.

Fig. 2
figure 2

The Khedr’s protocol [23]

Full size image
Table 2 The notations of Khadr’s protocol
Full size table

4.2 Traceability Attack on Khedr’s Protocol

This subsection shows that Khedr’s protocol is vulnerable to the traceability attack and an attacker can trace a specific tag. This attack presented based on Ouafi and Phan privacy model and can be express as follows,

  • Learning phase In round (i), the attacker \( {\mathcal{A}} \) sends an \( Execute\;query(R, T_{0} ,i) \) by sending a random number R and obtains \( M_{1,i}^{{T_{0} }} = h\left( {ID_{H}^{{T_{0} }} \oplus R} \right) \).

  • Challenge phase The attacker \( {\mathcal{A}} \) selects two fresh tags T 0 and T 1 for test, and sends a \( Test \; query\left( {T_{0} , T_{1} , i + 1} \right) \). According to the randomly chosen bit \( b \in \left\{ {0, 1} \right\} \), the attacker is given a tag \( T_{b} \in \left\{ {T_{0} , T_{1} } \right\} \). After that, the attacker \( {\mathcal{A}} \) sends an \( Execute \; query(R, T_{b} ,i + 1) \) by sending R, and obtains \( M_{1,i + 1}^{{T_{b} }} = h\left( {ID_{H}^{{T_{b} }} \oplus R} \right) \).

  • Guess phase The attacker \( {\mathcal{A}} \) stops the game G, and outputs a bit \( b^{{\prime }} \in \left\{ {0, 1} \right\} \) as a guess of bit b as follows,

    $$ b^{{\prime }} = \left\{ {\begin{array}{*{20}l} 0 \hfill & {if\;M_{1,i + 1}^{{T_{b} }} = M_{1,i}^{{T_{0} }} } \hfill \\ 1 \hfill & {otherwise} \hfill \\ \end{array} } \right. $$

    As a result, we can write,

    $$ \begin{aligned} Adv_{A}^{upriv} (K) & = \left| {pr\left( {b^{{\prime }} = b} \right) - pr\left( {random\;coin\;flip} \right)} \right| \\ & = \left| {pr\left( {b^{{\prime }} = b} \right) - \frac{1}{2}} \right| = \left| {1 - \frac{1}{2}} \right| = \frac{1}{2} \gg \varepsilon \\ \end{aligned} $$

Proof According to the structure of Khedr’s protocol, since the tag T 0 does not update its secret value and uses the same ID H in the both Learning and Challenge phases, the attacker can trace the target tag.

4.3 Forward Traceability Attack on Khedr’s Protocol

In this subsection, we show that Khedr’s protocol also does not assure the forward traceability, and an attacker can perform forward traceability attack on Khedr’s protocol as follows,

  • Learning phase In the ith round, the attacker \( {\mathcal{A}} \) sends a \( Corrupt \; query(T_{0} ,K^{{\prime }} ) \) and obtains \( ID_{H,i}^{{T_{0} }} \) and \( SQN_{i}^{{T_{0} }} \) from the tag T 0. Now the attacker can compute \( \alpha = SQN_{i + 1}^{{T_{0} }} \) at the session i + 1 by apply a increment function \( INC\left( {SQN_{i}^{{T_{0} }} } \right) \). Then, the attacker calculates \( \beta = ID_{H,i + 1}^{{T_{0} }} \) at the session i + 1 by \( h\left( {ID_{H,i}^{{T_{0} }} \parallel SQN_{i + 1}^{{T_{0} }} } \right) \).

  • Challenge phase The attacker \( {\mathcal{A}} \) selects two fresh tags T 0 and T 1 for the test, and sends a \( Test \; query\left( { T_{0} , T_{1} ,i + 1} \right) \). According to the randomly chosen bit \( b \in \left\{ {0, 1} \right\} \), the attacker is given a tag \( T_{b} \in \left\{ {T_{0} , T_{1} } \right\} \). After that, the attacker \( {\mathcal{A}} \) sends an \( Execute\;query\left( {R, T_{b} ,i + 1} \right) \) by sending R and obtains \( ID_{T,i + 1}^{{T_{b} }} \).

  • Guess phase The attacker \( {\mathcal{A}} \) stops the game G, and outputs a bit \( b^{{\prime }} \in \left\{ {0, 1} \right\} \) as a guess of bit b. In order to guess b′, the attacker \( {\mathcal{A}} \) uses calculated α and β in Learning phase and computes \( \theta = h\left( {\beta \parallel \alpha } \right) \). Then, outputs a bit \( b^{{\prime }} \in \left\{ {0, 1} \right\} \) as a guess of bit b as follows,

    $$ b^{{\prime }} = \left\{ {\begin{array}{*{20}l} 0 \hfill & {if\;ID_{T,i + 1}^{{T_{b} }} = \theta } \hfill \\ 1 \hfill & {otherwise} \hfill \\ \end{array} } \right. $$

    As a result, it can be written that,

    $$ \begin{aligned} Adv_{A}^{upriv} (K) & = \left| {pr\left( {b^{{\prime }} = b} \right) - pr\left( {random coin flip} \right)} \right| \\ & = \left| {pr\left( {b^{{\prime }} = b} \right) - \frac{1}{2}} \right| = \left| {1 - \frac{1}{2}} \right| = \frac{1}{2} \gg \varepsilon . \\ \end{aligned} $$

Proof According to the updating procedure of Khedr’s protocol following equations can be written,

$$ \begin{aligned} If\;T_{b} = T_{0} \Rightarrow ID_{T,i + 1}^{{T_{b} }} & = h\left( {ID_{H,i}^{{T_{b} }} \parallel SQN_{i + 1}^{{T_{b} }} } \right) \\ & = h\left( {ID_{H,i}^{{T_{0} }} \parallel SQN_{i + 1}^{{T_{0} }} } \right) \\ & = h\left( {\beta \parallel \alpha } \right) \\ & = \theta \\ \end{aligned} $$
(8)

5 Privacy Analysis of Habibi et al.’s Protocol

In [13], Habibi et al. analyzed the security and the privacy of Yeh et al.’s protocol [25] and showed that Yeh et al.’s protocol cannot ensure the security and the privacy of RFID users. Then, they changed the structure of message M1 and proposed an improved protocol of Yeh et al.’s protocol. Habibi et al. claimed that due to this modification, the security of their improved protocol is complete and also their protocol is resistance against traceability attacks. In this section, it is shown that still the privacy of their protocol has some vulnerabilities and traceability and forward traceability attacks can be performed on their protocol.

5.1 Structure of Habibi et al.’s Protocol

In the subsection, we present the structure of Habibi et al.’s protocol. Habibi et al.’s protocol consists of five stages that showed in Fig. 3. The notations that are used in Habibi et al.’s protocol are provided in Table 3.

Fig. 3
figure 3

The Habibi et al.’s protocol [13]

Full size image
Table 3 The notations of Habibi et al.’s protocol
Full size table

5.2 Traceability Attack on Habibi et al.’s Protocol

In this subsection, it is shown that although Habibi et al. claimed that their protocol is resistance against traceability attacks, an attacker can perform traceability attack and trace the location of a specific tag. This attack can be summarized as follows,

  • Learning phase In round (i), the attacker \( {\mathcal{A}} \) sends an \( Execute \; query(R, T_{0} ,i) \) by sending N R and obtains \( C_{i}^{{T_{0} }} \).

  • Challenge phase The attacker \( {\mathcal{A}} \) selects two new tags T 0 and T 1, and sends a \( Test \; query\left( {T_{0} , T_{1} , i + 1} \right) \). According to the randomly chosen bit \( b \in \left\{ {0, 1} \right\} \), the attacker is given a tag \( T_{b} \in \left\{ {T_{0} , T_{1} } \right\} \). After that, the attacker \( {\mathcal{A}} \) sends an \( Execute \; query(R, T_{b} ,i + 1) \) by sending N R , and he/she obtains \( C_{i + 1}^{{T_{b} }} \).

  • Guess phase The attacker \( {\mathcal{A}} \) stops the game G, and outputs a bit \( b^{\prime } \in \left\{ {0, 1} \right\} \) as a guess of bit b as follows.

    $$ b^{{\prime }} = \left\{ {\begin{array}{*{20}l} 0 \hfill & {if\;C_{i + 1}^{{T_{b} }} = C_{i}^{{T_{0} }} } \hfill \\ 1 \hfill & {otherwise} \hfill \\ \end{array} } \right. $$

    As a result,

    $$ \begin{aligned} Adv_{A}^{upriv} (K) & = \left| {pr\left( {b^{{\prime }} = b} \right) - pr\left( {random \; coin \; flip} \right)} \right| \\ & = \left| {pr\left( {b^{{\prime }} = b} \right) - \frac{1}{2}} \right| = \left| {1 - \frac{1}{2}} \right| = \frac{1}{2} \gg \varepsilon \\ \end{aligned} $$

Proof In Habibi et al.’s protocol, according to the Fig. 3, we can write following equations,

$$ \begin{aligned} If\;T_{b} = T_{0} \Rightarrow C_{i + 1}^{{T_{b} }} & = PRNG\left( {N_{T,i}^{{T_{0} }} \oplus N_{R, i}^{{T_{0} }} } \right) \\ & = C_{i}^{{T_{0} }} \\ \end{aligned} $$
(9)

Note that, the tag T 0 does not update its secret values in the Learning phase and uses the same secret value C i in the both Learning and Challenge phases.

5.3 Forward Traceability Attack on Habibi et al.’s Protocol

According to the Habibi et al.’s protocol in Fig. 3, it can be seen that the EPC s is fixed in all rounds. In the rest of subsection, we show that an attacker can use this issue as a weakness of protocol and perform forward traceability attack as follows,

  • Learning phase In the ith round, the attacker \( {\mathcal{A}} \) sends a \( Corrupt \; query(T_{0} ,K^{{\prime }} ) \) and obtains \( (K_{i}^{{T_{0} }} ,C_{i}^{{T_{0} }} , EPC_{s,i}^{{T_{0} }} ) \) from tag T 0. It also sends an \( Execute \; query\left( {R, T_{0} ,i} \right) \) and obtains N R,i . Now the attacker can compute K i+2 at the session i + 2 by two times repeating PRNG of K i . Consequently, N T,i+2 can be obtained by XORing K i+2 and D i+2 as \( N_{T, i + 2} = K_{i + 2} \oplus D_{i + 2} \) if we have D i+2.

  • Challenge phase The attacker \( {\mathcal{A}} \) selects two fresh tags T 0 and T 1 for the test, and sends a \( Test \; query\left( { T_{0} , T_{1} ,i} \right) \). According to the randomly chosen bit \( b \in \left\{ {0, 1} \right\} \), the attacker is given a tag \( T_{b} \in \left\{ {T_{0} , T_{1} } \right\} \). After that, in round (i + 2)th, the attacker \( {\mathcal{A}} \) sends an \( Execute \; query\left( {R, T_{b} ,i + 2} \right) \) by sending N R,i (i.e., the same value as for session i) and obtains \( \left( {M_{1,i + 2}^{{T_{b} }} , D_{i + 2}^{{T_{b} }} } \right) \).

  • Guess phase The attacker \( {\mathcal{A}} \) stops the game G, and outputs a bit \( b^{\prime } \in \left\{ {0, 1} \right\} \) as a guess of bit b. In order to guess b′, firstly the attacker \( {\mathcal{A}} \) computes \( \alpha = PRNG\left( {PRNG\left( {K_{i}^{{T_{0} }} } \right)} \right) \), \( \beta = D_{i + 2}^{{T_{b} }} \oplus \alpha \) and \( \gamma = PRNG\left( {EPC_{s,i}^{{T_{0} }} \oplus N_{R, i} \oplus \beta } \right) \), where γ is a 16-bit string. Then, outputs a bit \( b^{{\prime }} \in \left\{ {0, 1} \right\} \) as a guess of bit b using the following rule,

    $$ b^{\prime } = \left\{ {\begin{array}{*{20}l} 0 \hfill & {if\;M_{1, i + 2}^{{T_{b} }} = \gamma \oplus \alpha } \hfill \\ 1 \hfill & {otherwise} \hfill \\ \end{array} } \right. $$

    As a result, it can be written that,

    $$ \begin{aligned} Adv_{A}^{upriv} (K) & = \left| {pr\left( {b^{{\prime }} = b} \right) - pr\left( {random \; coin \; flip} \right)} \right| \\ & = \left| {pr\left( {b^{{\prime }} = b} \right) - \frac{1}{2}} \right| = \left| {1 - \frac{1}{2}} \right| = \frac{1}{2} \gg \varepsilon \\ \end{aligned} $$

Proof As mentioned above, since the value of EPC s is fixed in all rounds, thus \( EPC_{s,i}^{{T_{0} }} = EPC_{s,i + 2}^{{T_{0} }} \). Using this fact, the following equations can be written,

$$ \begin{aligned} \left( 1 \right) If\;T_{b} = T_{0} \; = > \quad K_{i + 2}^{{T_{b} }} & = PRNG\left( {PRNG\left( {K_{i}^{{T_{b} }} } \right)} \right) \\ & = PRNG\left( {PRNG\left( {K_{i}^{{T_{0} }} } \right)} \right) \\ & = K_{i + 2}^{{T_{0} }} = \alpha \\ \left( 2 \right) If\;T_{b} = T_{0} \; = > \quad N_{T,i + 2}^{{T_{b} }} & = D_{i + 2}^{{T_{b} }} \oplus K_{i + 2}^{{T_{b} }} \\ & = D_{i + 2}^{{T_{b} }} \oplus \alpha = \beta \\ \left( 1 \right),\left( 2 \right) = > \quad M_{1,i + 2}^{{T_{b} }} & = K_{i + 2}^{{T_{b} }} \oplus PRNG\left( {EPC_{s,i + 2}^{{T_{b} }} \oplus N_{R,i + 2}^{{T_{b} }} \oplus N_{T,i + 2}^{{T_{b} }} } \right) \\ & = \alpha \oplus PRNG\left( {EPC_{s,i}^{{T_{0} }} \oplus N_{R,i} \oplus \beta } \right) \\ & = \alpha \oplus \gamma \\ \end{aligned} $$
(10)

It is clear that base on the mentioned attack, the attacker can obtain K i+n for \( n \ge 1 \) using K i .

6 Improved Versions of Dehkordi-Farzane and Habibi et al.’s Protocols

In Sects. 3 and 5 it is shown that the privacy of Dehkordi–Farzaneh and Habibi et al.’s protocols have some weaknesses and con not provide users privacy. Now, in order to increase the privacy of two mentioned protocols, we apply some modifications on their protocols and propose two improved versions of them. Then, we analyze the privacy of the improved protocols against various privacy concerns. It is shown that without increasing the complexity of Habibi et al.’s protocol, all the existing weaknesses eliminated. But, in the improved version of Dehkordi-Frazaneh protocol, we update secret values of the tag with hashed values which protect the exchanged messages and overcome all the presented privacy weaknesses.

6.1 Improved Version of Dehkordi–Farzaneh Protocol and Privacy Analysis

In Sect. 3, we showed that the updating of Dehkordi–Farzaneh protocol has some weaknesses that using these weaknesses an attacker could perform backward and forward traceability attacks. Now, in order to increase the privacy of this protocol and eliminate its weaknesses, we apply some changes in its updating procedure. Indeed, we protect updated data using a hash function. We change updating procedure as follows,

$$ S_{i + 1}^{t} \leftarrow h\left( {R_{i}^{s} \oplus S_{i}^{t} \oplus R_{i}^{t} } \right) $$
(11)
$$ S_{i + 1}^{r} \leftarrow h\left( {R_{i}^{t} \oplus S_{i}^{r} \oplus R_{i}^{s} } \right) $$
(12)

where h(·) is a one-way hash function.

Now we analyze the privacy of new protocol against various traceability attacks and we show that how the mentioned new changes overcome all the mentioned weaknesses in Sect. 3.

  • Backward traceability attack

In this attack, an attacker tries to trace the location of a target tag in previous runs and usages. To this aim, an attacker should obtain some fix messages of the target tag in previous runs which are exclusive. In Sect. 3, it is shown that due to dependency of exchanged messages between the tag and the back-end server including M 1, M 3 and M 4, an attacker can calculate a fix message of a target tag and trace the target tag in the previous sessions. In the improved version of Dehkordi–Farzaneh protocol, in order to prevent this attack we changed updating procedure of \( S_{i + 1}^{t} \) and \( S_{i + 1}^{r} \) which omitted the direct dependence between the two consecutive of them which was the main flaw for this attack.

  • Traceability attack

When an RFID authentication protocol is vulnerable to traceability attack, an attacker can determine the present location of a specific tag. Similar to the original one, in the improved version of Dehkordi–Farzaneh protocol, in each challenge with the tag, the tag responses with a new random number which prevent traceability attack. As a result, both the Dehkordi–Farzaneh and its improved version are secure against traceability attack.

  • Forward traceability attack

In some cases, an attacker can obtain a fixed message or secret keys of a specific RFID tag and uses them for tracing the location of the tag in future. This attack is named forward traceability attack. In Sect. 3, we showed that in Dehkordi–Farzaneh protocol, an attacker can corrupt a secret key in a specific round of protocol and obtains the secret keys that will be used in the future rounds. Due to this weakness, their protocol suffers from forward traceability attack. In the proposed protocol, to solve this problem we changed the updating procedure of \( S_{i + 1}^{t} \) and \( S_{i + 1}^{r} \) as (11) and (12). By these changes, the direct dependence between the two consecutive secret values \( S_{i}^{t} \) and \( S_{i}^{r} \) are eliminated. Consequently, if an attacker corrupts current secret values of a specific tag, it will not be able to perform forward traceability attack and trace the location of the tag in the future.

6.2 Improved Version of Habibi et al.’s Protocol and Privacy Analysis

In this subsection, we aim to eliminate all privacy weaknesses of Habibi et al.’s protocol that presented in Sect. 5. In Habibi et al.’s the structures of C i , E and its updating procedure has some weaknesses that makes it vulnerable against traceability and forward traceability attacks. In order to eliminate these weaknesses, we propose an improved version of Habibi et al.’s protocol. In the improved protocol, we apply some changes in authentication and updating procedures. In authentication procedure, we compute the values C i and E as follows,

$$ C_{i} = C_{i} \oplus N_{3} $$
(13)
$$ E = N_{T} \oplus PRNG\left( {C_{i} \oplus K_{i} } \right) \oplus P_{i} $$
(14)

where N 3 is a new random number and P i is the tag access key. In addition, we changed the updating of Habibi et al.’s protocol as follows,

$$ K_{i + 1} \leftarrow PRNG\left( {K_{i} \oplus N_{3} } \right) $$
(15)
$$ C_{i + 1} \leftarrow PRNG\left( {N_{T} \oplus N_{R} \oplus P_{i} } \right) $$
(16)

The structure of improved version of Habibi et al.’s protocol is illustrated in Fig. 4 with more details. In the rest of subsection, the privacy of the proposed protocol is evaluated against various privacy concerns.

Fig. 4
figure 4

The improved version of Habibi et al.’s protocol

Full size image

  • Backward traceability attack

In the strengthened version of Habibi et al.’s protocol, due to new modifications in the updating procedures of C i and K i , an attacker cannot obtain previous secret keys even by burst force attack to perform backward traceability attack. Moreover, by these modifications, if the attacker corrupts the secret keys of a tag in a specific round of the protocol, he/she cannot obtain the secret keys of the target tag in the past. As a result, the improved version of Habibi et al.’s protocol protect RFID users against backward traceability attack.

  • Traceability attack

In Sect. 5, it is shown that the attacker used the structure of \( C_{i} = PRNG\left( {N_{T} \oplus N_{R} } \right) \) and weakness of updating that happens just in successful authentications, and performs traceability attack on the specific tag. In new protocol, in order to prevent this attack we changed updating of \( C_{i} = PRNG\left( {N_{T} \oplus N_{R} } \right) \) with \( C_{i} = PRNG\left( {N_{T} \oplus N_{R} \oplus P_{i} } \right) \). With this change, the traceability attack concern still does not solved, and an attacker can use the mentioned weakness of updating procedure and trace the tag. Thus, in order to prevent this attack we Xored the value C i with a new random number N 3 in each run of protocol. Thus in each new challenge, the tag sends a new C i that is equal to \( C_{i} = C_{i} \oplus N_{3} . \)

  • Forward traceability attack

Besides the presented analyses, in order to prevent forward traceability attack, we changed updating procedure of \( K_{i} = PRNG\left( {K_{i} } \right) \) with \( K_{i} = PRNG\left( {K_{i} \oplus N_{3} } \right) \). With this modification, if an attacker obtains K i in any way, he/she cannot use them to perform forward traceability attack.

In Table 4, the privacy of improved protocols and some similar protocols are compared. As it can be seen, the proposed protocols are secure against various privacy attacks including backward traceability, traceability and forward traceability. In addition, in Table 5, the experimental evaluations of the improved protocols and analyzed protocols are compared in the terms of computational complexity.

Table 4 A comparison of privacy analysis
Full size table
Table 5 Comparison of computational complexity of the improved and analyzed protocols
Full size table

7 Conclusion

Privacy and security of RFID authentication protocols is one of the most challenging fields in the last few years. In this paper, we analyzed the privacy of three new-found RFID authentication protocols that proposed by Dehkordi et al., Khedr, and Habibi et al. recently. We show that the privacy of them has some weaknesses and we presented backward traceability and forward traceability attacks on Dehkordi et al.’s protocol, traceability and forward traceability attacks on Khedr et al.’s protocol, and traceability and forward traceability attacks on Habibi et al.’s protocol. In addition, we applied some changes in Dehkordi et al. and Habibi et al. protocols and presented two improved versions of their protocol. We analyzed privacy of the proposed protocols and showed that they are secure and confident against various privacy attacks. Finally, the computational complexity and the privacy of the proposed protocols compared with some similar protocols and showed that proposed protocols can protect RFID end-users.