Introduction

Radio Frequency Identification (RFID) is a technology that can automatic identify people and objects using radio waves. Its main components are a tag, a reader and a database system for handing information. Divided by power supply mode, there are three types of tags: active, passive and semi-passive tags. Active tags are more expensive since they have an internal power source and can start a connection with a reader by themselves. Passive tags are less expensive, but they do not have an internal power source and have to gain energy from the reader signal to transmit data. Semi-passive tags have a small battery which only meets the need of the internal circuit, but harvest energy from the reader signal for sending data. RFID has more advantages than the traditional barcode. It does not require line of sight to read the tag and has a longer read range than barcode reader. It allows both read and write operations. The tag can store more data than barcode and the reader can simultaneously communicate with multiple tags. These advantages make RFID suitable for healthcare environments. It has been used in the location tracking of medical assets [1, 2], new born and patient identification [3], medical treatments tracking and validation [4], patient location and process management at a wellness center [5], and surgical process management [6]. Healthcare systems are open environments and RFID utilizes radio waves for mutual communication. Personal and medical information in the tags can be read or cloned by the adversary. Thus security and privacy are the major concerns of RFID system in healthcare environments. To ensure secure communication in this application, a secure RFID mutual authentication protocol is necessary to guarantee the healthcare system safety.

In recent years, many RFID authentication protocols have been proposed. Huang and Ku [7] proposed a RFID grouping proof protocol to enhance medication safety for inpatient. Soon after, Chien et al. [8] pointed out that Huang and Ku’s protocol [7] is vulnerable to Denial-of-Service(DoS) attack and replay attack. Then they gave a further improvement to overcome those attacks. Unfortunately, Peris-Lopez et al. [9] proved that Chien et al.’s protocol [8] suffers from the impersonation attack and the replay attack. Then they gave an Inpatient Safety RFID(IS-RFID) system to enhance inpatient medication safety. However, Yen et al. [10] found that Peris-Lopez et al.’s protocol [9] does not detect the denial of proof attack and the hospital can modify the generated medication evidence. Later, Chen et al. [11] proposed a novel RFID-based tamper-resistant prescription access control protocol. However, Safkhani et al. [12] showed that Chen et al.’s protocol [11] cannon resist the impersonation attack, the traceability attack and the de-synchronization attack. In 2013, Wu et al. [13] proposed a reliable RFID mutual authentication protocol for healthcare environments. Nevertheless, Picazo-Sanchez et al. [14] pointed out that Wu et al.’s protocol [13] suffers from the traceability attack and gave an improved RFID authentication protocol.

With the development of public key cryptography, elliptic curve cryptography is receiving more and more attention. Compared with the traditional public key cryptography, elliptic curve cryptography has smaller key size with the same security level, faster speed and requires lower space. Therefore, it is especially applicable for RFID authentication protocol. In 2006, Tuyls and Batina [15] proposed the first RFID authentication protocol using ECC. Later, Batina et al. [16] proposed a very similar authentication protocol for RFID using ECC. But Lee et al. [17] found Tuyls and Batina’s protocol [15] has the privacy flaw. Besides, their attack is also valid for Batina et al.’s protocol [16]. Then they proposed an improvement protocol using ECC. However, their protocol cannot provide scalability. In 2013, Liao and Hsiao [18] proposed a secure ECC-based RFID authentication protocol and claimed that their protocol can withstand various attacks. Unfortunately, Zhao [19] found that Liao and Hsiao’s protocol [18] has the key comprise problem and the adversary can get the tag’s private key. To address this problem, Zhao gave an improved protocol that has the same performance. Recently, Chou et al. [20] proposed a new RFID authentication protocol using ECC and demonstrated that their protocol can withstand various attacks. However, Zhang and Qi [21] pointed out that Chou et al.’s protocol [20] is vulnerable to the tag’s privacy information problem, backward traceability problem and forward traceability problem. Then they gave an improved RFID authentication protocol using ECC. Very recently, He et al. [34] proposed a lightweight ECC based RFID authentication integrated with an ID verifier transfer protocol. Their protocol could provide strong security properties and overcome the weaknesses of the existing schemes.

In this paper, we propose a RFID mutual authentication protocol. As compared with existing protocols, our protocol has the following advantages:

  1. 1.

    our protocol has better performance since we use pro-computing method in tag’s communication.

  2. 2.

    our protocol can achieve a lot of security properties and resist various attacks.

Therefore, our protocol is very suitable for healthcare environments.

The rest of this paper is organized as follows. We introduce the preliminary work in Section “Preliminaries”. A RFID mutual authentication protocol has been proposed in Section “The proposed protocol”. We give security analysis in Section “Analysis of the scheme”. The conclusions are given in Section “Conclusion”.

Preliminaries

In this section, we introduce hash function [22] and the related hardness problems. The details are described as follows.

Hash function [22]

A hash function H is a one-way function, which accepts an arbitrarily large input m, and produces a small fixed-size output h. we can denote as h=H(m). The purpose of hash function is to generate hash value of file, message and other data blocks. It can be mainly applied in message authentication and digital signature, so that hash function has the following properties:

  1. 1.

    Given a message of arbitrary-length, H produces a fixed-size output.

  2. 2.

    H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.

  3. 3.

    For any given hash value h, it is computationally infeasible to find y such that H(y)=h.

  4. 4.

    For any given block x, it is computationally infeasible to find yx with H(y)=H(x).

  5. 5.

    It is computationally infeasible to find any pair (x,y) such that H(x)=H(y).

Based on the above properties, when we employ hash function, it can guarantee the security of our protocol by preventing forgery attacks.

Elliptic Curve Discrete Logarithm Problem (ECDLP)

ECDLP Definition: given an elliptic curve E defined over a finite field F q , a point PE(F q ) of order n, and a point Q=l P where 0≤ln−1, determine l.

Computational Diffie-Hellman Problem (CDHP)

CDHP Definition: given an elliptic curve E defined over a finite field F q , a point PE(F q ) of order n. The computational Diffie-Hellman problem is to compute a b P given (P,a P,b P) with \(a, b\in Z_{n}^{*}\).

The proposed protocol

In this section, our protocol has three participants: a trusted tag issuer I, a trusted tag T i and a trusted reader R which connects with backed-end database stores identities and public keys of all legitimate tags. We assume that the channel between the tag and the reader is not secure. We also assume that the channel between the reader and backed-end database is secure. There are two phases, i.e., the setup phase and the authentication phase. Before describing the protocol, notations are presented as follows.

q,n::

Two large prime numbers.

P::

A generator with order n.

F(q)::

A finite field.

E::

An elliptic curve defined over a finite field F q by the equation y 2=x 3+a x+b, where a,bF(q).

\(ID_{T_{i}}\)::

The identity of the ith tag, where \(ID_{T_{i}}\in \{0, 1\}^{*}\) .

(s R ,P R )::

The private/public key of the reader, where \(P_{R}={s_{R}}P, s_{R}\in Z_{n}^{*}\).

\((s_{T_{i}}, P_{T_{i}})\)::

The private/public key of the tag, where \(P_{T_{i}}={s_{T_{i}}}P, s_{T_{i}}\in Z_{n}^{*}\).

H 1,H 2::

Two secure and collision-resistant hash functions.

Setup phase

In this phase, the issuer generates system parameters, its private/public key and the private/public key of the tag.

  1. 1.

    The issuer I chooses two large prime numbers q,n. Let F(q) be a finite field and E be an elliptic curve over F(q) defined by the equation y 2=x 3+a x+b. Then I selects a generator P with order n.

  2. 2.

    I chooses two secure and collision-resistant hash functions H 1,H 2.

  3. 3.

    For reader R, the issuer selects a random value \(s_{R} \in Z_{n}^{*}\) as its private key and computes P R =s R P as its public key.

  4. 4.

    For each tag T i , the issuer chooses a random value \(s_{T_{i}} \in Z_{n}^{*}\) as its private key and computes \(P_{T_{i}}= s_{T_{i}}P\) as its public key. Scalar multiplication is the main cryptographic operation in ECC. Due to the limited computational capabilities of tag, in order to reduce the amount of computations to be performed by tag, I pre-computes r=k P,K=k P R as follows. An integer k has binary representation \((k_{l_{q}-1}, k_{l_{q}-2}, \cdots , k_{0})_{2}\), k i ∈{0,1}, then \(k={\sum }_{i=0}^{l_{q}-1} k_{i} 2^{i}\). Given an elliptic point P,P R , \(r=kP={\sum }_{i=0}^{l_{q}-1} k_{i} 2^{i}P, K=kP_{R}={\sum }_{i=0}^{l_{q}-1} k_{i} 2^{i} P_{R}\). In the same way, I pre-computes a=s 1 P,b=e 1 P R as follows.Integer s 1 has binary representation \((s_{l_{q}-1}, s_{l_{q}-2}, \cdots , s_{0})_{2}\), s i ∈{0,1}, then \(s_{1}={\sum }_{i=0}^{l_{q}-1} s_{i} 2^{i}\). Given an elliptic point P, \(a=s_{1}P={\sum }_{i=0}^{l_{q}-1} s_{i} 2^{i} P\). Integer e 1 has binary representation \((e_{l_{q}-1}, e_{l_{q}-2}, \cdots , e_{0})_{2}\), e i ∈{0,1}, then \(e_{1}={\sum }_{i=0}^{l_{q}-1} e_{i} 2^{i}\). Given an elliptic point P R , \(b=e_{1} P_{R}={\sum }_{i=0}^{l_{q}-1} e_{i} 2^{i} P_{R} \). 0≤il q −1. l q denotes binary bitlength of q. The issuer I securely stores \((s_{T_{i}}, P_{T_{i}}, P_{R})\) and data values r,K,a and b into the tag’s memory.

Authenticated phase

In this phase, the reader and the tag can realize mutual authenticate. As shown in Fig. 1, the details are presented as follows.

  1. 1.

    R generates a random value \(t\in Z_{n}^{*}\), computes z=t P and sends z to T i .

  2. 2.

    T i chooses a random value \(k\in Z_{n}^{*}\), uses the binary method [23] to pre-compute r=k P,K=k P R . Then T i computes \(e=H_{1}(r, z), s\equiv (s_{T_{i}}e+k)\;\text {mod}\; n\), \(C=E_{K}(ID_{T_{i}}\parallel r\parallel s \parallel z)\), and sends (r,C) to R.

  3. 3.

    Upon receiving (r,C), R computes \(K^{\prime }= s_{R} r\), decrypts C using \(K^{\prime }\), then it can get \(ID_{T_{i}}^{\prime }\parallel r^{\prime }\parallel s^{\prime } \parallel z^{\prime }\). If \(z^{\prime }\neq z, r^{\prime }\neq r\), R rejects the session; otherwise, R searches \(ID_{T_{i}}^{\prime }\) from its backed-end database. In this case, if \(ID_{T_{i}}^{\prime }\) is no found, T i is considered illegitimate; otherwise, R obtains the corresponding item \((ID_{T_{i}}^{\prime }, P_{T_{i}}^{\prime })\), computes \(e^{\prime }=H_{1}(r^{\prime }, z^{\prime })\). Then R checks whether \(r^{\prime }= s^{\prime }P + (-e^{\prime })P_{T_{i}}\) or not. If they are equal, the tag T i is authenticated. Then R computes \(e_{1}=H_{2}(ID_{T_{i}}^{\prime }, r^{\prime }, C^{\prime }, z^{\prime })\), s 1s R e 1+t mod n and sends s 1 to T i .

  4. 4.

    Upon receiving s 1, T i first computes \(e_{1}=H_{2}(ID_{T_{i}}, r, C, z)\) , then it sets a=s 1 P,b=e 1 P R and uses the binary method of [23] to check whether ab+z mod n or not. If they are equal, the reader R is authenticated.

Fig. 1
figure 1

The RFID mutual authentication protocol

Full size image

Analysis of the scheme

In this section, we analyze the consistency and security of the proposed scheme.

Consistency

The consistency can be easily verified by the following equations.

$$ r^{\prime}=s^{\prime}P + (-e^{\prime})P_{T_{i}} =(s_{T_{i}}e+k)P+s_{T_{i}}(-e^{\prime})P =kP =r $$
(1)
$$ s_{1}P=(s_{R}e_{1}+t\;\text{mod}\; n)P =(s_{R}e_{1}P+tP)\;\text{mod}\; n =P_{R} e_{1} +z \;\text{mod}\; n $$
(2)
Table 1 Performance comparison
Full size table

Security analysis

In this section, we will show that our protocol can provide confidentiality , unforgeability, mutual authentication, tag anonymity, availability and forward security [17, 18, 2426]. We also show that our protocol can withstand the replay attack, the impersonation attack, server spoofing attack, DoS attack, the de-synchronization attack, the man-in-the-middle attack and cloning attack [19, 20, 2732].

Theorem 1

The proposed protocol could provide confidentiality.

Proof

In the proposed protocol, only the random value z generated by R is transmitted as plaintext. While the identity of tag is transmitted as ciphertext, so the unauthorized users cannot obtain tag’s identity information, only the reader R which really has the private key s R can decrypt the ciphertext. Therefore, the proposed protocol could provide confidentiality. □

Theorem 2

The proposed protocol could provide unforgeability.

Proof

In the proposed protocol, only the tag T i which has the secret key \(s_{T_{i}}\) can generate a legitimate signature s. In the same way, only the reader R which has the secret key s R can generate a legitimate signature s 1. Therefore, the proposed protocol could provide unforgeability. □

Theorem 3

The proposed protocol could provide mutual authentication.

Proof

The adversary cannot produce a legitimate message (r,C) without the tag’s identity \(ID_{T_{i}}\), where \(r=kP, K=kP_{R}, e=H_{1}(r, z), s\equiv (s_{T_{i}}e+k) \;\text {mod}\; n\) and \(C=E_{K}(ID_{T_{i}} \parallel r \parallel s \parallel z)\). Then the reader R could authenticate the tag T i by checking the correctness of tag’s identity \(ID_{T_{i}}\) and signature s. The adversary cannot produce a legitimate signature s 1 without the tag’s identity \(ID_{T_{i}}^{\prime }\) and the reader’s private key s R , where \(e_{1}=H_{2}(ID^{\prime }_{T_{i}}, r^{\prime }, C, z^{\prime }), s_{1}\equiv (e_{1}s_{R}+t \;\text {mod}\; n)\). Then the tag T i could authenticate the reader R by checking the correctness of s 1. Thus, the proposed protocol could provide mutual authentication. □

Theorem 4

The proposed protocol could provide tag’s anonymity.

Proof

Suppose that the adversary could intercept the messages z,(r,C) and s 1 transmitted between the reader R and the tag T i , where \(z=tP, r=kP, K=kP_{R}, e=H_{1}(r, z), s\equiv (s_{T_{i}}e+k) \;\text {mod}\; n\), \(C=E_{K}(ID_{T_{i}} \parallel r \parallel s \parallel z)\), \(e_{1}=H_{2}(ID^{\prime }_{T_{i}}, r^{\prime }, C, z^{\prime })\) and \(s_{1}\equiv (e_{1}s_{R}+t \;\text {mod}\; n)\). If the adversary wants to obtain the tag’s identity \(ID_{T_{i}}\) and its private key \(s_{T_{i}}\), it has to compute \(K=kP_{R}=ks_{R}P\) and \(s\equiv (s_{T_{i}}e+k) \;\text {mod}\; n\). It will face the computational Differ-Hellman problem and the elliptic curve discrete logarithms problem. Thus, the proposed protocol could provide tag’s anonymity. □

Theorem 5

The proposed protocol could provide availability.

Proof

In the proposed protocol, the tag’s identity \(ID_{T_{i}}\) and its private key \(s_{T_{i}}\) are protected well, so that there is no need to update these values after the protocol execution. Therefore, the proposed protocol could provide availability. □

Theorem 6

The proposed protocol could provide forward security.

Proof

Suppose that the adversary could get the tag’s identity \(ID_{T_{i}}\) and its private key \(s_{T_{i}}\). We also suppose that the adversary could intercept these messages z,(r,C) and s 1 transmitted between the reader and the tag, where \(z=tP, r=kP, K=kP_{R}, e=H_{1}(r, z), s\equiv (s_{T_{i}}e+k) \;\text {mod}\; n\), \(C=E_{K}(ID_{T_{i}} \parallel r \parallel s \parallel z)\), \(e_{1}=H_{2}(ID^{\prime }_{T_{i}}, r^{\prime }, C, z^{\prime })\) and \(s_{1}\equiv (e_{1}s_{R}+t \;\text {mod}\; n)\). However, it cannot determine whether these messages z,(r,C) and s 1 transmitted between the reader R and the tag T i since it does not know the random numbers t and k. Therefore, the adversary cannot trace the tag T i and the proposed protocol could provide forward security. □

Theorem 7

The proposed protocol could overcome the tag impersonation attack.

Proof

Suppose that the adversary wants to impersonation the tag T i to the reader R after receiving the message z sent by R. It has to generate a legitimate message (r,C) where \(r=kP, K=kP_{R}, e=H_{1}(r, z), s\equiv (s_{T_{i}}e+k) \;\text {mod}\; n\) and \(C=E_{K}(ID_{T_{i}} \parallel r \parallel s \parallel z)\). However, it cannot generate (r,C) since it does not know the tag’s identity \(ID_{T_{i}}\) and its private key \(s_{T_{i}}\). Thus, the proposed protocol could overcome the tag impersonation attack. □

Theorem 8

The proposed protocol could overcome the sever spoofing attack.

Proof

Suppose that the adversary wants to impersonation the reader R to the tag T i . It could produce a random value \(t\in Z_{n}^{*}\), computes z=t P and sends z to the tag T i . However, it cannot generate a legitimate message s 1 without the tag’s identity \(ID_{T_{i}}\) and the reader’s private key s R , where \(e_{1}=H_{2}(ID^{\prime }_{T_{i}}, r^{\prime }, C, z^{\prime }), s_{1}\equiv (e_{1}s_{R}+t \;\text {mod}\; n)\). Thus, the adversary cannot impersonation the reader R to the tag T i and the proposed protocol could overcome the sever spoofing attack. □

Theorem 9

The proposed protocol could overcome the replay attack.

Proof

Suppose that the adversary intercepts the message z and replays it to the tag T i . However, the adversary cannot generate a legitimate signature s 1 after receiving the message (r,C). The reason is that it does not know the tag’s identity \(ID_{T_{i}}\) and the reader’s private key s R where \(z=tP, r=kP, K=kP_{R}, e=H_{1}(r, z), s\equiv (s_{T_{i}}e+k) \;\text {mod}\; n\), \(C=E_{K}(ID_{T_{i}} \parallel r \parallel s \parallel z)\), \(e_{1}=H_{2}(ID^{\prime }_{T_{i}}, r^{\prime }, C, z^{\prime })\) and s 1≡(e 1 s R +t mod n). Then the tag T i could find the attack by checking the correctness of s 1.

Suppose that the adversary intercepts the message (r,C) and replays it to the reader R after receiving the message z where \(z=tP, r=kP, K=kP_{R}, e=H_{1}(r, z), s\equiv (s_{T_{i}}e+k) \;\text {mod}\; n\) and \(C=E_{K}(ID_{T_{i}} \parallel r \parallel s \parallel z)\). The reader R could find the attack by checking the correctness of z because it produces a new random value \(z\in Z_{n}^{*}\) for each session. □

Theorem 10

The proposed protocol could overcome DoS attack.

Proof

In the proposed protocol, we know that there is no need to synchronously update the tag’s identity \(ID_{T_{i}}\) after the protocol execution. Thus, the proposed protocol could overcome DoS attack. □

Theorem 11

The proposed protocol could overcome the modification attack.

Proof

Suppose that the adversary intercepts the message z or s 1 and sends it to the tag T i when the adversary modifies it, where \(z=tP, r=kP, K=kP_{R}, e=H_{1}(r, z), s\equiv (s_{T_{i}}e+k) \;\text {mod}\; n\) and \(C=E_{K}(ID_{T_{i}} \parallel r \parallel s \parallel z)\) and \(e_{1}=H_{2}(ID^{\prime }_{T_{i}}, r^{\prime }, C, z^{\prime }), s_{1}\equiv (e_{1}s_{R}+t \;\text {mod}\; n)\). The tag T i could find the attack by checking the correctness of s 1. Suppose that the adversary intercepts the message (r,C) and sends it to the reader R when the adversary modifies it. The reader R could find the attack by checking the correctness of identity \(ID_{T_{i}}\) and the signature s. Thus, the proposed protocol could overcome the modification attack. □

Theorem 12

The proposed protocol could overcome cloning attack.

Proof

In the proposed protocol, we know that every tag has its own identity \(ID_{T_{i}}\) and its own private key \(s_{T_{i}}\), where \(ID_{T_{i}} \in \{0, 1\}^{*}, s_{T_{i}}\in Z_{n}^{*}\). Suppose that the adversary could obtain some tags’ identity and private key, but it cannot get other tags’ identities and private keys since there is no relationship between these tags. Thus, the proposed protocol could overcome cloning attack. □

Theorem 13

The proposed protocol could overcome the de-synchronization attack.

Proof

In the proposed protocol, we know that the tag T i and the reader R do not need to update the tag’s identity \(ID_{T_{i}}\) after the proposed execution. Thus, the proposed protocol could withstand the de-synchronization attack. □

Theorem 14

The proposed protocol could overcome the man-in-the-middle attack.

Proof

According to Theorem 3, the proposed protocol could provide mutual authentication between the tag T i and the reader R. Thus, the proposed protocol could overcome the man-in-the-middle attack. □

Performance analysis

In this section, we will compare the computational cost, communication overhead and security of the proposed protocol with those of existing ECC-based RFID authentication protocols [19, 21, 34] in Table 1. We denoted by A, M, the point add operation and point multiplication operation in ECC. We can omit hash function operation, XOR operation in ECC since they have fast computational speeds. We assume that \(\left |p\right |\) =320 bits, \(\left |n\right |\) = 160 bits, hash value = 160 bits.

We adopt the experiment on PBC library with an embedding degree 2 on an Intel Pentium(R) Dual-Core processor running 2.69GHz, 2,048MB of RAM(2,007.04MB available) using a 5MHz tag. A point add operation and a point multiplication operation need 0.065ms and 15.927ms using an ECC with 160 bits n, respectively. The reader has powerful computational capacity since it connects with a server, so that we do not compute its running time. While the tag has limited computational capacity, so the less tag’s calculated amount the better. In this paper, we mainly compare the running time of tag. The running time of tag in [21] need 31.919ms. The running time of tag in [19] need 111.684ms. The running time of tag in [34] need 47.911ms. The running time of tag in our scheme need 16.057ms. Figure 2 shows the running time of tag in [19, 21, 34] and our scheme. As compared with [19, 21, 34], our scheme has the least computational cost of tag. Figure 3 shows the communication overhead for [19, 21, 34] and our protocol. From Figure 3, we can see that the communication overhead for [21] and our protocol have the same advantage. According to Table 1, although our protocol has the same security level with the other three protocols, our protocol has better efficiency. Therefore, our protocol is the most suitable for practical applications.

Fig. 2
figure 2

The computational cost of tag

Full size image
Fig. 3
figure 3

The communication overhead of RFID mutual authentication protocol

Full size image

Conclusion

The application of RFID in healthcare environments becomes more and more widespread. Therefore, many RFID authentication protocols emerge at the right moment. However, the security problems in RFID authentication protocol remain a challenge. In order to ensure security communication in healthcare environments, many RFID authentication protocols based on ECC have been proposed. In this paper, we also propose a RFID authentication protocol using ECC. We use the pre-computing concept within the tag’s communication process to avoid the time-consuming scalar multiplication since the tag has limited computational capabilities. Thus, the proposed protocol has better efficiency. In terms of security, our protocol can achieve a lot of security properties and withstand many common attacks. Therefore, our protocol is more suitable for healthcare environments.