1 Introduction

Radio Frequency Identification (RFID) is a system which uses radio signal to automatically identify objects. This technology was first introduced in second world war to identify friend and foe planes. Nowadays, RFID is used widespread in various commercial industries like supply-chain management, sales management, passports, libraries, human implantation, etc [7].

Generally, RFID system contains three components: tag (transponder), reader (interrogator), and back-end server. RFID tag is a small microchip that is embedded with objects to track or identify. Peoples see RFID as a successor of optical bar-code because of no need to line-of-sight contact to read RFID tags. Nowadays, Electronic Product Code (EPC) tags are deployed in many automatically identifying applications which are standardized by EPCglobal Inc.. Each EPC tag stores a unique identification number which is known as an EPC code in on-board memory. An EPC Gen-2 tag contains a pseudo-random number generator [5, 12]. Length of an EPC code is upto 96-bit. RFID reader, radio frequency (RF) emitter, which uses RF to interrogate tags when a tag comes into the reader’s read range. Back-end server manages database containing information associated with tags. In context of power source, RFID tags are divided into two types: active and passive. Active tag has its own power source for data transmission and computational process while passive tag has no internal power source. Passive tag harvests power from the signal of an interrogator.

RFID system operates in several frequency bands. Lower frequency (LF) RFID system operates at 124–135 kHz, having read range upto half a meter. High frequency (HF) system operates on 13.56 MHz, which can read upto a meter or more. Ultra high frequency (UHF) operates at 860–960 MHz, having read range upto 10 m.

RFID technology provides many benefits in various commercial industries and consumers. However, this technology arises many privacy and security issues. Because of RFID technology is based on wireless communication which suffers with numerous possible threats and eavesdropping, RFID system violates privacy in two general forms: reveal personal information and location privacy. Privacy and security threats create serious problem when a tag is combined with sensitive personal information. Due to limitation of memory, power sources and computational resource, RFID system can not bear traditional cryptographic algorithms. A simple way to protect RFID system from security and privacy threats is to use an ultralightweight authentication protocol which has less computational work with higher security.

In this paper, we propose an ultralightweight authentication protocol which is based on syndrome decoding, an error correction method of coding theory [3, 10] and cyclic redundancy check (CRC), an efficient checksum algorithm to protect message integrity.

Let \({\mathbb {F}}_2\) be a binary field with two elements 0 and 1. A binary linear code C of length n over \({\mathbb {F}}_2\) is a subspace of \({\mathbb {F}}_2^n\). A linear code C of length n and dimension k over \({\mathbb {F}}_2\) is called a binary linear [nk]-code. If the distance d of the code C is known, it is also referred as [nkd]-binary linear code. Let c be a codeword in C. The (Hamming) weight of c, denoted by wt(c), is defined to be the number of nonzero positions in c.

A generator matrix G of the binary linear code C is a matrix whose rows form a basis of C. A parity-check matrix H of the linear code C is a generator matrix of the dual code \(C^\perp\). Let \(u \in {\mathbb {F}}_2^n\), then u is in the code C if and only if rank of \(G' = \left( \begin{array}{c} G \\ u\end{array} \right)\) is k.

For any \(w \in {\mathbb {F}}_2^n\), the syndrome of w with respect to the parity-check matrix H is the word \(S(w) = wH^T \in {\mathbb {F}}_2^{n-k}\), where \(H^T\) is the transpose of H. Steps to construct a syndrome look-up table are following.

Step 1 List all cosets for the code C, choose from each coset a word of least weight as coset leader u.

Step 2 Take the parity-check matrix H for the code C, and for each coset leader u, calculate its syndrome \(S(u) = uH^T\).

This paper is organized as follows. We summarize the previous work in Sect. 2. In Sect. 3, we propose our scheme. We analyze security and privacy parameters of our proposed protocol in Sect. 4. In Sect. 5, we compare our proposed scheme with some other authentication protocols under the various parameters. Finally, we present conclusion in Sect. 6.

2 Past Works

In this section, we will review some selected protocols and discuss their approaches, advantages and drawbacks. In 2003, Weis et al. [14] introduced a hash-lock based authentication scheme. The main advantage of the scheme is that a tag responds to a reader’s query with a masked ID known as metaID = h(K) to hide the real ID of the tag, where K is secret key shared between server and the tag and h() is a one-way hash function. Although this scheme provides certain level of reliability at low-cost, an adversary can easily track the tag by its metaID which is unique image of the real ID. Also, the adversary can eavesdrop the communication channel to get the tag’s secret key which is sent in plaintext to break the privacy properties of the scheme.

In 2004, Henrici and Muller [6] proposed another hash-based scheme to provide mutual authentication properties. In this scheme, the authors use a random number, called transaction identifier TID, to refresh the tag identifier dynamically. The TID increases in every successful authentication session so that the scheme resists replay attack. This scheme makes the tag’s ID randomized in every session so that the scheme defends against location attack. Unfortunately, this scheme is vulnerable under man-in-the-middle attack and desynchronization attack [5].

In 2006, Lopez et al. [11] proposed a minimalist ultralightweight mutual authentication protocol, called \(M^2AP\), for low-cost RFID tags. This protocol utilize simple operations such as XOR, AND, OR, and addition modulo. Although, this protocol works very well under the resource’s limitation of RFID tags but this scheme is vulnerable under desynchronization attack and disclosure attack [2, 9].

In 2007, Chien [4] proposed a new ultralightweight RFID authentication protocol known as SASI. The scheme utilizes simple operations such as XOR, AND, OR, and bitwise rotation. SASI provides strong data integrity and tag anonymity. However, desynchronization attack is possible which is investigated by Sun et al. [12].

A new ultralightweight authentication protocol with permutation known as RAPP is introduced by Tian et al. [13] in 2012. This scheme introduced a new permutation operation to mix order of bits. RAPP uses fewer resources of tags in terms of computational operations and storage cost. Unfortunately, this scheme is vulnerable under desynchronization attack [1].

Recently, Khan and Moessner [8] proposed low cost authentication protocol (LCAP) that uses timestamp as a counter and in each authentication session, the counter is incremented. This protocol introduced a classful structure for key classes to reduce computational load. This protocol is vulnerable under distributed denial-of-service (DDoS) attack because a number of adversaries cooperate to interrogate the tag to increase its counter for overflow.

3 Proposed Scheme

We propose an ultralightweight authentication protocol for RFID system with syndrome decoding and CRC. Notations used in this protocol is defined in Table 1, and our proposed protocol is shown in Fig. 1.

Table 1 Notations and symbols are used in the proposed scheme
Full size table
Fig. 1
figure 1

Proposed authentication protocol

Full size image

3.1 Assumptions

The proposed protocol works under the following assumptions.

  1. 1.

    Every tag and legitimate reader have a pseduo random number generator (PRNG).

  2. 2.

    Every tag can generate a random number with length n and \(wt(R_T)\le t\).

  3. 3.

    Communication channel between server and reader is secure.

  4. 4.

    Communication channel between Reader and tag is insecure and their communications are subject to eavesdropping.

3.2 Initialization

  1. 1.

    An initiator (manufacturer) chooses a binary linear code C with generator matrix G of order \(k\times n\) with minimum distance d and corresponding a fixed parity-check matrix H, assigns to a legitimate server.

  2. 2.

    The initiator chooses a CRC function and assigns to each tag and the server.

  3. 3.

    The generator matrix generates \(2^k\) codewords.

  4. 4.

    The initiator assigns to each tag an unique identification number ID, chosen from these \(2^k\) codewords.

  5. 5.

    The initiator assigns a secret key K shared between legitimate tags and legitimate readers.

  6. 6.

    The server stores the other information of the tags in its own database.

  7. 7.

    The server stores all syndromes and corresponding coset leaders.

3.3 Process

The proposed authentication protocol works as follows.

  • Phase 1 Reader generates a random number \(R_r\) and computes \(V_1=R_r \oplus K\) using stored secret key K and transmits \(V_1\) to a tag.

  • Phase 2 After receiving \(V_1\), the tag generates a random number \(R_T\), \((wt(R_T)\le t)\) and computes response message as follows:

    • Calculates \(R_r = V_1\oplus K\).

    • Computes \(V_2 = CRC(ID{\Vert }R_T{\Vert }R_r)\) and \(V_3 = ID\oplus R_T\).

  • Phase 3 The tag transmits \(V_2,\,V_3\) to the reader.

  • Phase 4 The reader sends \(V_2,\,V_3\) with \(R_r\) to the server.

  • Phase 5 After receiving \(V_2,\,V_3\) and \(R_r\) from the reader, the server authenticates the tag as follows:

    • Calculates \(V_3H^T\), the syndrome of \(V_3\).

    • Find the corresponding coset leader u \((= R_T)\) from the stored syndrome \(V_3H^T\).

    • So \(ID = V_3 \oplus u\).

    • Computes \(V^{'}_2 = CRC(ID{\Vert }R_T{\Vert }R_r)\)

    • If \(V^{'}_2 = V_2\) then the tag is authorized otherwise not.

4 Security and Privacy Analysis

4.1 Tag Location Privacy

Communication between tag and reader is wireless which is an insecure channel. Adversaries can eavesdrop and collect data transmitted between reader and tag. If tag’s response is static in each session, adversaries can track the tag with the help of a number of unauthorized readers. In the proposed protocol, the tag’s response message \((V_2,\,V_3)\) contains random numbers which are generated by legitimate reader and the tag in each authentication session, so \(V_2\) and \(V_3\) behave like a random number in each session. Therefore, for an adversary, it is not possible to track the position of the tag.

4.2 Impersonation Attack

Suppose an adversary eavesdrops a session and collects data \(V_1\), \(V_2\) and \(V_3\). In the next session, when reader queries the tag by sending current \(V^{'}_1\), which contains updated random number, the adversary can not impersonate the tag using \(V_1\), \(V_2\), \(V_3\) and current \(V^{'}_1\) because here each contains different random number. So the scheme is secure against impersonation attack.

4.3 Disclosure Attack

In each authentication session, the tag masks its unique identity ID with random number and also reader’s random number is masked with secret key K shared among legitimate readers and legitimate tags. So it is hard to disclose ID and \(R_r\) without knowing K and \(R_T\). Therefore, our proposed scheme prevents disclosure attack.

4.4 Replay Attack

An adversary can collect data from an authentication session and use these data to authenticate as a legitimate tag. In our proposed protocol, tag’s response \(V_2\) and \(V_3\) are randomized in each authentication session. Suppose an adversary eavesdrops and collects tag’s response \(V_2\) and \(V_3\) of the previous session. When a legitimate reader interrogates the tag by sending current session’s \(V^{'}_1\), the adversary transmits previous session’s \(V_2\) and \(V_3\) as the tag to the reader. After receiving \(V_2\) and \(V_3\), the reader transmits it with current session’s \(R^{'}_r\) to the server. The server computes ID from \(V_3\) with the help of G and H. The server computes \(V^{'}_2\) using ID, \(R_T\) and current \(R^{'}_r\). But the reader’s random number stored in \(V_2\) and the current \(R^{'}_r\) are different, so \(V^{'}_2\ne V_2\). Hence the server can not authenticate the tag.

4.5 De-synchronization Attack

In the proposed scheme, there is no secret share among tags and the server. So here no need to update any value in each authentication session which cause de-synchronization problem. So, our scheme is fully protected from de-synchronization attack.

We compare security features of various popular ultralightweight authentication protocols with our proposed protocol in Table 2. It shows that proposed scheme provides better security with respect to others [8, 11, 13].

Table 2 Security performance comparision
Full size table

5 Cost Performance Comparison

For RFID system, an authentication protocol is better if it provides reasonable security with less computational cost. Computational cost means required memory, operations computation load and communication round (data send by tag in one authentication session). Reader and server have no limitation whereas RFID tag has limited memory to store static data and computational resources to perform computational work. So it is important for an authentication protocol to be easily implemented in low-cost tags.

In Table 3, we compare computational cost of various ultralightweight authentication protocols [8, 11, 13] with our proposed scheme in terms of required memory, communication round, and operations. In the table, we denote m as number of tags stored in the database, T as tag-side, R as reader-side and S as server-side to show overall performance of the RFID system.

Table 3 Computation cost performance comparison
Full size table

6 Conclusion

In this paper, we have shown some overview of RFID system. We review various types of authentication scheme with benefits and drawbacks. We have proposed a novel authentication protocol which uses only CRC and syndrome decoding for authentication. Then we analyze its security and privacy under various parameters. In Tables 2 and 3, we compare its security and computational cost with some other well-known ultralightweight authentication schemes [8, 11, 13]. It works under the limitation of passive tags. Finally, we conclude that proposed scheme provides better security with very less amount of computational cost.