A novel mutual authentication scheme based on quadratic residues for RFID systems

Computer Networks 52 (2008) 2373–2380

Contents lists available at ScienceDirect

Computer Networks journal homepage: www.elsevier.com/locate/comnet

A novel mutual authentication scheme based on quadratic residues for RFID systems Yalin Chen a, Jue-Sam Chou b,*, Hung-Min Sun a a b

Institute of Information Systems and Applications, National Tsing Hua University, Taiwan, ROC Department of Information Management, Nanhua University, 32, Chung Keng Li, Dalin, Chiayi 622, Taiwan, ROC

a r t i c l e

i n f o

Article history: Received 11 September 2007 Received in revised form 24 February 2008 Accepted 18 April 2008 Available online 30 April 2008 Responsible Editor: J. Misic Keywords: Mutual authentication RFID system Privacy Tag anonymity Location privacy Forward secrecy Quadratic residue assumption

a b s t r a c t In 2004, Ari Juels proposed a Yoking-Proofs protocol for RFID systems. Their aim is to permit a pair of tags to generate a proof which is verifiable off-line by a trusted entity even when the readers are potentially untrusted. However, we found that their protocol does not possess the anonymity property but also suffers from both known-plaintext attack and replay attack. Wong et al. [Kirk H.M. Wong, Patrick C.L. Hui, Allan C.K. Chan, Cryptography and authentication on RFID passive tags for apparel products, Computer in Industry 57 (2005) 342–349] proposed an authentication scheme for RFID passive tags, attempting to be a standard for apparel products. Yet, to our review, their protocol suffers from guessing parameter attack and replay attack. Moreover, both of the schemes have the common weakness: the backend server must use brute search for each tag’s authentication. In this paper, we first describe the weaknesses in the two above-mentioned protocols. Then, we propose a novel efficient scheme which not only achieve the mutual authentication between the server and the tag but also can satisfy all the security requirements needed in an RFID system. Ó 2008 Elsevier B.V. All rights reserved.

1. Introduction An RFID (radio frequency identification device) system has become one of the most important applications today. It consists of radio frequency (RF) tags, tag readers and a backend server. In the system, when the server wants to identify a tag, the reader will broadcast an RF signal. The tag in the range of the signal will then be triggered and respond with its resident data. After receiving the responded data, the reader, usually cooperating with the backend server, identifies whether the tag is legal or not. For an earlier application, an RF tag is used for replacing the barcode, the universal product code (UPC) printed on merchandise, with an advantage that 100–200 tags can be read per second in a range of several meters [6]. Moreover, an RF tag as a ‘‘smart label” has its own memory and * Corresponding author. Tel.: +886 05 272 1001x56226. E-mail addresses: [email protected] (Y. Chen), jschou@mail. nhu.edu.tw (J.-S. Chou), [email protected] (H.-M. Sun). 1389-1286/$ - see front matter Ó 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.comnet.2008.04.016

computing unit. These equipments can further support access control or cryptographic functions and thus can make an RF tag applicable in various significant areas such as, supply chain management, inventory control, counterfeiting prevention, etc. However, this promising technology may suffer from some security threats. For example, 1. Secrecy: a fake reader may defraud an honest tag of its resident secrecy, 2. Location privacy: a malicious person may expose a person’s location through tracing a particular tag embedded in a product. 3. Forward secrecy: due to the impracticality of equipping a low-cost tag with tamperproof device, an attacker may compromise a tag’s resident data and then expose the bearer’s previous locations by tracing the past transactions the tag had been involved in, 4. Replay attack and DOS attack: a poor designed tag identification protocol may suffer from replay attack or deny-of-service (DOS) attack. To prevent the above-mentioned security threats, many researchers have proposed solutions. Weis et al. [4,5] proposed ‘‘hash locking” and ‘‘randomized hash-locking”

2374

Y. Chen et al. / Computer Networks 52 (2008) 2373–2380

schemes by using hash function and pseudo-random number generation (PRNG) function. In their scheme, when a tag is locked, it does not respond to any reader’s triggering. Only a legitimate reader possessing the right key can unlock the tag to obtain its resident data. However, in their scheme, after a reader unlocking a tag, the tag ID (TID) is transmitted between the tag and the reader in clear. This makes personal information or individual location of the bearer traceable. It violates the anonymity property of TID. In the same year, Ohkubo et al. [11] proposed a ‘‘privacy-friendly” tag scheme by using hash-chain. In the scheme, the tag sends ai = G(si) to the reader/server for being authenticated and renews si+1 = H(si) in the ith authentication. After receiving ai, the server which maintains a list of (TID, s1) checks if ai is equal to G(Hi(s1)) to identify the tag valid or not. Although their scheme has the anonymity property of TID, it obviously suffers from the replay attack. When an attacker replays any old message aj = G(sj) where j 6 i, the server will undoubtedly identify the tag as valid. Henrici et al. [8] proposed another ‘‘hash lock”-like scheme. They claimed that their scheme possesses the properties of TID anonymity, location privacy, and can resist replay and DOS attacks. However, in 2005, Yang et al. [13,14] pointed out that their scheme suffers from man-in-the-middle attack because an attacker may do some malicious actions between a tag and a reader to obtain information and be authenticated by the reader before the next transaction. Moreover, we found that Henrici et al.’s scheme does not provide forward secrecy. Because when a tag is compromised, the attacker can use the current tag ID (changed to ID  RND after each authentication, where RND is a random number generated by the backend server) and the last authentication flows (which contains the information of h(ID), RND, etc.) to trace the tag’s previous transaction by computing the tag’s previous ID. Hence, Yang et al. proposed a new mutual authentication protocol for low-cost RFID also based on hash function [13,14]. They claimed that their scheme can guarantee TID anonymity and location privacy of the tag bearers, and can prevent active attacks such as, man-in-the-middle attack, replay attack, forgery and so on. However, [21] pointed out that their scheme lacks the forward secrecy. Moreover, another weakness of this study is that the backend server always uses brute search for finding TID in each authentication. This needs O(n2) time complexity for n tags’ authentication. It is very time consuming and limits the number of tags to be authenticated by the reader/server each time. In 2004, Molnar et al. [10] proposed a pseudo-randomfunction(PRF)-based scheme for library RFID. They claimed that their scheme can protect a patron’s privacy and can be extended to a tree-based protocol needing only O(log n) rounds for n tags’ simultaneous identification. However, Rhee etal. [12] pointed out that Molnar et al.’s scheme does not achieve forward secrecy. Hence, Rhee et al. proposed an improvement based on Molnar et al.’s scheme. Unfortunately, Rhee et al.’s is still unable to provide forward secrecy mentioned in [2]. In addition, we found that the common drawback of server’s brute search exists in Molnar et al.’s scheme. This is time-consuming and thus compromises the advantage of round efficiency they emphasized.

Beside the above hash-based and PRF-based (cryptography-based) approaches for RFID systems, some lightweight schemes (non-cryptography-based) [7,9,2] have been proposed. Both Duc et al.’s [7] and Chien et al.’s schemes [2] adopt CRC function (instead of costly hash function) and PRNG function. Karikeyan et al’s scheme [9] is based on matrix operations. However, Chien et al. [2] pointed out that Duc et al.’s scheme [7] does not provide forward secrecy and suffers from DOS attack, and Karikeyan et al.’s scheme [9] does not provide TID anonymity and suffers from DOS attack as well. Hence, Chien et al. [2] proposed a scheme intended to satisfy all of the security and privacy requirements of an RFID system. However, we found the common drawback still exist in their scheme, the backend server searching TID in a brute way. This significantly impacts on the scalability of the RFID system’s deployment. Moreover, such lightweight schemes are intuitively less secure than the cryptography-based ones. This paper is organized as follows. In Section 2, we review Juels’ and Wong et al.’s schemes and discuss their weaknesses. In Section 3, we present our protocol. The security analysis and performance evaluation of our scheme is discussed in Section 4. Finally, a conclusion is given in Section 5.

2. Review of Juels’ and Wong et al.’s schemes In this section, we aim to review Juels’ scheme [2] and Wong et al.’s scheme [3] and analyze their weaknesses. Juels’ scheme exposes the information of TID and suffers from both replay and known-plaintext attacks whereas Wong et al.’s scheme leaks individual location and can be broken by guessing parameter and replay attacks. Moreover, both the schemes have the common weakness: the backend server’s brute search for each tag’s authentication. The details of the two schemes and their weaknesses are discussed in Sections 2.1 and 2.2, respectively. 2.1. Juels’ scheme and its weaknesses In 2004, Juels [1] proposed a ‘‘Yoking-Proof” RFID scheme by using keyed hash function and MAC function for a specified application – pharmaceutical distribution. It offers a verifiable value for a pair of tags. One is embedded in the patient’s medicine container and the other in the leaflet describing its side-effect. The scheme is as follows and depicted in Fig. 1. 1. The reader sends the message ‘‘left proof” to Tag TA. 2. Tag TA computes rA = fXA(cA), where f is a secure keyed hash function, xA is TA’s secret key, and cA is a counter value. Then, TA sends the message a = (A, cA, rA) to the reader. 3. After receiving a, the reader sends the message ‘‘right proof” together with the message a to Tag TB. 4. Tag TB computes mB = MACxB(a, cB), where MAC function can be a HMAC, xB is TB’s secret key, and cB is a counter value. Then, TB sends the message b = (B, cB, rB) to the reader. 5. After receiving b, the reader forwards it to Tag TA.

Y. Chen et al. / Computer Networks 52 (2008) 2373–2380

2375

Fig. 1. Juels’ scheme.

6. Upon receiving b, Tag TA computes mAB = MACxA(a, b) and sends it back to the reader. 7. The reader then generates the yoking-proof as PAB = (A, B, cA, cB, mAB).

known-plaintext attack to find xA and xB. This can succeed with a high probability by way of the cooperation of computations through network, like the collision finding of hash function MD5 [17].

The resulting proof PAB = (A, B, cA, cB, mAB) can be verified by V using the knowledge of the secret keys, xA and xB, of the two tags. V computes a0 = (A, cA, fxA(cA)), b0 = (B, cB, MACxB(a, cB)), and subsequently checks the equality of mAB = MACXA(a0 , b0 ). Unfortunately, we have found three weaknesses in Juels’ scheme. First, it does not provide basic personal privacy of the tag bearer due to its exposure of the tags’ identities A and B. Secondly, two counterfeit tags, T A0 and T B0 , can impersonate the pair of tags TA and TB and launch a replay attack by TA0 replaying flows (2) and (6), and T B0 replaying flow (4) to the reader correspondingly. Thirdly, the scheme suffers from known-plaintext attack because an adversary X can eavesdrop the conversation among the tags TA, TB and the reader, and record the pairs of values, (rA, cA) and (mB, (a, cB)). Whenever the attacker has collected enough of such pairs, he can launch an

2.2. Wong et al.’s scheme and its weaknesses In 2005, Wong et al. proposed an RFID authentication scheme by using ‘‘hash lock” for apparel products such as garments or high-value apparel accessories. They use a pseudo-EPC to prevent eavesdroppers from figuring out what the product the buyer carries. Their scheme is shown in Fig. 2. Initially, the backend server sets up each tag’s memory by storing the tag’s public key Kpub (i.e. EPC code) and private key Kpriv, and saves them in the server’s database. During the authentication process, the reader broadcasts a ‘‘hello” message to the tag. The tag is then triggered and responses withpseudo-EPC which is equal to ShiftLeft(Kpub  Kpriv, l), where ShiftLeft() is a left bit shifting function and parameter l is a secret constant. After receiving the pseudo-EPC, the server computes key* as ShiftRight(pseudo-EPC, l) and compares each tag record in

Fig. 2. Wong et al.’s scheme.

2376

Y. Chen et al. / Computer Networks 52 (2008) 2373–2380

the database to see if the tag’s Kpub  Kpriv is equal to the computed key*. If it is, the server accepts the tag as valid and sends the unlock command containing the key(=h(key*)) to the tag. On receiving the unlock command, the tag checks the value of the key to see if it is equal to h(Kpub  Kpriv). If it is, the tag responses with ACK. We have found several weaknesses in Wong et al.’s scheme. First, the pseudo-EPC is the result of shifting the value key* left by l bits. We can shift pseudo-EPC right by one bit at a time and check if the hash value of this result is equal to the unlock value key. Hence, in the average case, we only need jpseudo-EPCj/2 times to find the right key to unlock the tag. Therefore, we break Wong et al.’s scheme by guessing l. The second weakness is the violation of individual location privacy. Although TID, i.e. EPC, is not transmitted in clear, the pseudo-EPC is transmitted in fixed form due to the constant value of parameter l. Thus the relationship between pseudo-EPC and real EPC is one-toone. Hence, an attacker can trace individual locations by using this one-to-one relationship. The third weakness is that the fixed pseudo-EPC can be replayed by an attacker to impersonate the server or the tag without being detected by the other party. The last weakness is that the backend server uses brute search for each tag’s authentication. 3. Proposed scheme In this section, we present a simple protocol based on hash function and quadratic residue assumption which can achieve the security requirements of an RFID system but it can also be implemented efficiently because we use direct indexing for each tag’s authentication. Thus, it can avoid server’s brute search. Moreover, our scheme is able to resist all known attacks such as, replay, DOS, known-plaintext and guessing parameter attacks. Next, we will first describe the quadratic residue assumption in Section 3.1. The security requirements of an RFID system will be discussed in Section 3.2. Finally, our proposed scheme will be presented in Section 3.3. 3.1. Quadratic residue assumption Let n be the product of the two large primes p and q. If y = x2 mod n has a solution, i.e. there exists a square root for y, then y is named as a quadratic residue modulo n. Let the symbol QRn denotes the set of all quadratic residues in [1, n  1]. Then the quadratic residue assumption can be described as below. Suppose y 2 QRn. It is computationally infeasible to find x satisfying y = x2 mod n without the knowledge of p and q due to the difficulty of factoring n [15,16]. 3.2. Security requirements We describe the privacy needed in an RFID system by the following three properties.  TID anonymity: The tag’s ID (TID) should not be transmitted in clear or nor easily computed from the conversation between the tag and the reader/server.

 Individual location privacy: The conversation between the tag and the reader/server should not be linkable to the TID. If an adversary can distinguish that a particular conversation is from a target tag, he may trace the tag.  Forward secrecy: Even when an attacker can compromise a tag and obtain its resident data, he cannot trace the tag through past conversations the tag involved in. Then, to guard against the security threats, an RFID system must take the following attacks into considerations.  Replay attack: An attacker can eavesdrop on the conversation between the tag and the reader/server, and retransmit the message to the legitimate reader/server as being authentic.  DOS attack: An attacker can desynchronize the secret data shared between the tag and the server by simply dropping or sending a forged message to the tag. It stops the tag from being authenticated by a legitimate reader any more.

3.3. Mutual authentication scheme based on quadratic residue In our RFID system, we assume that the server and the reader communicate under an authenticated channel. And there are two phases in the system: an initialization phase and an authentication phase. They are described as follows. 3.3.1. Initialization phase The server first generates two large primes p and q, and computes n = pq. It also chooses a one-way hash function, h(), and a pseudo-random number generator, PRNG(). The value of n and h() are both made public. Then the server stars to set up each tag as follows. It chooses a random number r 2 Zn and writes TID, h(TID) and r into tag’s memory, where TID may include EPC codes depending on the user’s specification. Meanwhile, the server saves into its database, where rold = r at the beginning and h(TID) serves as the sorted primary key. 3.3.2. Authentication phase The authentication phase of our schemes is described as follows. It is also illustrated in Fig. 3. Step 1. The reader chooses a random challenge s 2 Zn and broadcasts a hello message together with s to the tag. Step 2. After receiving the hello message and challenge s, the tag reads TID, h(TID) and r from its memory and computes x = h(TID)  r  s, X = x2mod n, and R = r2mod n. Then, it responses to the reader with hX, R, h(x), h(r)i. Step 3. After receiving tag’s response h X, R, h(x), h(r)i, the reader forwards this response together with s to the server. Step 4. After receiving hX, R, h(x), h(r), si, the server solves X = x2mod n and R = r2mod n by using Chinese

Y. Chen et al. / Computer Networks 52 (2008) 2373–2380

2377

Fig. 3. The proposed scheme.

Remainder Theorem, obtaining four roots (x1, x2, x3, x4) and (r1, r2, r3, r4) respectively. It then compares h(xi) with h(x) and h(ri) with h(r), for i = 1 to 4, to determine the unique values of x and r. The server then computes x  r  s, obtaining h(TID). Having obtained h(TID), the server uses it as a searching key to find the tag record in its database. If it is not found, the server will abort the session; otherwise, it verifies whether the solved r is equal to the value of r or rold stored in the found record. If it is, the server will compute xack = TID  r and then sends the acknowledgement message hh(xack)i to the tag through the reader. Simultaneously, the server updates the tag’s record by replacing rold with r, and r with PRNG(r). Step 5. After receiving the server/reader’s h h(xack)i, the tag first verifies whether h(TID  r) is equal to the

received h(xack). If so, the tag updates r with PRNG(r).

4. Security analysis and performance evaluation In this section, we will present the security analysis and evaluate the performance of our scheme. The comparisons of various security attributes and usage of brute search among our scheme and other work are listed in Table 1. The performance comparisons of our scheme with others are shown in Table 2. 4.1. Security analysis Six claims will be presented in order to demonstrate that our scheme possesses the three privacy properties as

2378

Y. Chen et al. / Computer Networks 52 (2008) 2373–2380

Claim 2. The proposed scheme can provide individual location privacy.

Table 1 Comparisons of various security attributes Scheme

P1

P2

P3

A1

A2

M

B

Weis et al.’s hash-locking [5] Weis et al.’s randomized hash-locking [5] Ohkubo et al.’s [11] Henrici et al.’s [8] Yang et al.’s [13,14] Molnar et al.’s [10] Karikeyan et al.’s [9] Duc et al.’s [7] Chien et at.’s [2] Ours

No No

No No

No No

No No

Yes Yes

No No

Yes Yes

Yes Yes No Yes Yes Yes Yes Yes

Yes Yes No Yes No Yes Yes Yes

Yes No No No No No Yes Yes

No No Yes Yes No No Yes Yes

Yes Yes Yes Yes No No Yes Yes

No Yes No Yes Yes No Yes Yes

Yes No No Yes Yes Yes Yes No

P1: TID aNonymity, P2: individual location privacy, P3: forward secrecy, A1:replay attack resistance, A2: DOS attack resistance, M: mutual authentication, B: brute search.

Table 2 Performance comparisons Scheme

Rounds

Tag’s computation

Server’s computation

Weis et al.’s hash-locking [5] Weis et al.’s randomized hash-locking [5] Ohkubo et al.’s [11]

6

0

0

5

1 Hash/PRF, 1 PRNG

n hash/PRF (brute search)

4

2 Hash

Henrici et al.’s [8] Yang et al.’s [13,14]

5 5

3 Hash 2 Hash

Molnar et al.’s [10]

5

2 PRF

Karikeyan et al.’s [9]

5

2 Matrix multiplication

Duc et al.’s [7]

4

2 CRC, 1 PRNG

Chien et at.’s [2]

5

1 CRC, 2 PRNG

Ours

5

3 Hash, 2 squaring, 1 PRNG

n*(i + 1) (brute search) 2 Hash 2n Hash (brute search) n + 1 PRF (brute search) n + 1 matrix multiplication (brute search) 2n + 1 CRC, 1 PRNG (brute search) n + 1 CRC, 2 PRNG (brute search) 9 Hash, 2 squaring root solving, 1 PRNG

described in Section 3.2, prevents replay and DOS attacks, and achieves mutual authentication. Claim 1. The proposed scheme can provide TID anonymity. Proof. In our scheme, flow (2) hX, R, h(x), h(r)i and flow (4) hh(xack)i both implicitly contain TID. We show that it is enciphered well and can not be computed by any attacker. First, from X = x2mod n, where x = h(TID)  r  s, in flow (2), we can see that it is computationally infeasible for any attacker to solve x. Not to mention that he can deduce TID. Even if he could solve x and figure r, he still cannot obtain TID due to the one-way property of the hash function. Secondly, from hh(xack)i, where xack = TID  r, in flow (4), we can also see that the value of xack is protected by the one-way hash function. Without the knowledge of xack, it is impossible for any attacker to deduce TID even when he knows the value of r. Therefore, from the first and second observation, we prove the claim. h

Proof. To prove this claim, we will show that the transcript hs, X, R, h(x), h(r), h(xack)i of a conversation can be produced by any tag with the reader/server. We can thus argue that no conversation can be linked to a particular tag. First, for s is a random number and both h(r) and R are generated from random number r, they obviously can not be linked to any particular tag. Next, we will demonstrate that the values of X(=x2mod n), h(x), and h(xack) can be produced by any tag. Since X and h(x) are computed from x, it can be seen that only the values of x and xack should be considered. The value x is equal to h(TID)  r  s, where r and s are random numbers generated by the tag and the reader respectively. It is obvious that for a fixed value x, there can be two different tags TID1 and TID2 with the corresponding random numbers r1, s1, and r2, s2 such that x = h(TID1)  r1  s1 = h(TID2)  r2  s2. Similarly, we can argue that for a fixed value xack, it can be generated by any tag. Therefore, we prove the claim. h Claim 3. The proposed scheme can provide forward secrecy. Proof. To prove this claim, we will show that even if an attacker can compromise a tag and obtain its current resident data, he still can not trace back any of its previous conversations. We describe it as follows. Let the tag’s current resident data be (TID, h(TID), r(0)), and the last ð1Þ conversation be hsð1Þ ; X ð1Þ ; Rð1Þ ; hðxð1Þ Þ; hðrð1Þ Þ; hðxack Þi. Since the value of s(1) is a random number, it is therefore independent of the triple (TID, h(TID), r(0)). In addition, both the values of X(1)(=(h(TID)  r(1)  s(1))2mod n) and R(1)(=(r(1))2mod n) are also independent of the triple due to the quadratic residue assumption. Moreover, The values of h(x(1))(=h(TID)  r(1)  s(1)), ð1Þ h(r(1)), and hðxack Þð¼ hðTID  r ð1Þ ÞÞ are independent of the triple for there are no relationship between r(0) and r(1). Therefore, we have shown that the relationship between the triple and the last conversation is a mutually independent one. An attacker can not find the last conversation using the knowledge of the compromised triple (TID, h(TID), r(0)), not to mention that he can find previous conversations of the specified tag. We prove the claim. h Claim 4. The proposed scheme can resist replay attack. Proof. Since the reader queries the tag with a new random challenge s each time, it is impossible for any attacker to be authenticated as valid by replaying an old flow, hX(o), R(o), h(x(o)), h(r(o))i, where x(o) = h(TID)  r(o)  s(o). When receiving the replayed old flow hX(o), R(o), h(x(o)), h(r(o))i, the reader will forward it together with the new challenge s(new) to the server. The server then solves X(o), R(o) and obtains x(o), r(o). Since h(TID) = x(o)  r(o)  s(o), h(TID) can not be figured out by the knowledge of x(o), r(o) and s(new). Thus, the attacker will fail in its attempt to be identified as valid. Therefore, we prove the claim. h

Y. Chen et al. / Computer Networks 52 (2008) 2373–2380

Claim 5. The proposed scheme can resist DOS attack. Proof. We will show that an attacker can not simply drop or forge a last flow (acknowledge message) that is sent to the tag to desynchronize the secret data shared between the tag and the server. Although dropping the last flow will make the tag’s resident r unchanged, it will not affect the tag’s next authentication. Since the server always keeps the old r of the tag in the database. Furthermore, forging a last flow will not succeed since only the true server can send a valid acknowledge message h(xack) to be accepted by the tag. Due to the one-way property of hash function and without the knowledge of TID and r, the attacker can not figure out xack. We prove the claim. h Claim 6. The proposed scheme can achieve mutual authentication between the tag and the server. Proof. Only a legitimate tag with the knowledge of TID and r can compute a valid x as h(TID)  r  s after receiving a reader’s random challenge s. It can then generate a valid flow hX(=x2mod n), R(=r2mod n), h(x), h(r)i to send to the server through the reader. After the server computes r and h(TID) according to the protocol, it will use h(TID) as the primary key to search its database. If it can find the tag record, it will check whether the computed r is consistent with the corresponding r or rold in the found tag record. If so, it believes that the tag is valid. On the other hand, only the true server with the knowledge of p and q can compute the correct h(TID) by using the Chinese Remainder Theory and find the TID by searching the database using h(TID). Then, it can compute and send a valid acknowledgement message h(xack(=TID  r)) to the tag. When the tag verifies h(xack) as valid, it believes that the other party is the intended server. Therefore, we prove the claim. h After above discussions, we summarize the comparisons of our system with others in Table 1.

2379

the size and the computational load of the server’s database in their system. Moreover, from Table 1, research [8] does not possess the property of forward secrecy and suffers from replay attack. As for Weis et al.’s hash-locking [5], there is no computational cost for the tag and the server. However, this scheme offers none of the three properties of privacy needed in an RFID system. In addition, it can not resist replay attack. Now, we would like to discuss the computational cost of the modular squaring used in our scheme. According to recent research [18,19], modular multiplication is complicated but non-modular multiplication is regular. Hence, an implementation of a cheap modular squaring is using f(x) = x2  an to substitute f(x) = x2 mod n, where a is a carefully computed coefficient [18]. From this, the implementation of such a modular squaring can be reduced to only a few hundred gate-equivalents [19]. This is much cheaper than the implementation of a hash function, because the traditional hash functions such as, MD5 and SHA-1, cost 16 K gates and 20 K gates, respectively [20]. Even the cheapest hash function, the universal hash function, still requires 1.7 K gates. Thus, we argue that the two modular squaring operations will affect the efficiency of our scheme to a minimal extent. 5. Conclusion Many secure schemes have been proposed for RFID systems but only few of them can achieve the three privacy properties (TID anonymity, individual location privacy and forward), replay attack resistance, and DOS attack resistance. In this paper, we have demonstrated that Juels’s scheme is vulnerable to known-plaintext and replay attacks. We also found that Wong et al.’s scheme is easy to be broken. Then, we presented a new mutual authentication RFID scheme using quadratic residues. After our analysis, we can conclude that our scheme is not only efficient but is also more secure than the other work examined in this paper.

4.2. Performance evaluation References In this section, we compare the performance of our system with others, Weis et al.’s hash-locking [5], Weis et al.’s randomized hash-locking [5], Ohkubo et al.’s [11], Henrici et al.’s [8], Yang et al.’s [13,14], Molnar et al.’s [10], Karikeyan et al.’s [9], Duc et al.’s [7], and Chien et at.’s [2]. The comparisons of the number of rounds and both the tag’s and server’s computational cost are shown in Table 2. Here, for clarity, we assume that there are n tags in each scheme. From Table 2, it appears that our scheme is less efficient than Ohkubo et al.’s [11] and Duc et al.’s [7] schemes in round efficiency. However, these two schemes are insecure. Ohkubo et al.’s scheme suffers from replay attack and lacks mutual authentication while Duc et al.’s scheme does not provide forward secrecy, replay and DOS attack resistance, and mutual authentication. Also from Table 2, it appears that our scheme is less efficient than Henrici et al.’s scheme [8] and Weis et al.’s hash-locking scheme [5] in both tag’s and server’s computational cost. However, in research [8], the server needs to insert a new record after each successful tag authentication. This will increase

[1] A. Juels, Yoking-Proofs for RFID tags, in: Proceedings of IEEE International Conference Digital Object Identifier, 2004, pp. 138– 143. [2] H.Y. Chien, C.H. Chen, Mutual authentication protocol for RFID conforming to EPC Class 1 Generation 2 standards, Computer Standards & Interfaces (2006). [3] Kirk H.M. Wong, Patrick C.L. Hui, Allan C.K. Chan, Cryptography and authentication on RFID passive tags for apparel products, Computer in Industry 57 (2005) 342–349. [4] S. Sarma, S. Weis, D. Engels, RFID system, security and privacy implications, in: White Paper, MIT Auto-ID Center, November 2002. [5] S.A. Weis, S.E. Sarma, R.L. Rivest, D.W. Engels, Security and privacy aspects of low-cost radio frequency identification systems, in: Security in Pervasive Computing 2003. LNCS no. 2802, 2004, pp. 201–212. [6] EPCglobal web site, . [7] D.N. Duc, J. Park, H. Lee, K. Kim, Enhancing security of EPCglobal Gen2 RFID tag against traceability and cloning, in: The 2006 Symposium on Cryptography and Information Security, 2006. [8] A.D. Henrici, P. Mauller, Hash-based enhancement of location privacy for radio-frequency identification devices using varying identifiers, in: IEEE PerCom, 2004, pp. 149–153. [9] S. Karthikeyan, M. Nesterenko, RFID security without extensive cryptography, in: Proceedings of the 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks, 2005, pp. 63–67.

2380

Y. Chen et al. / Computer Networks 52 (2008) 2373–2380

[10] D. Molnar, D. Wagner, Privacy and security in library RFID: issues, practices, and architectures, in: Conference on Computer and Communications Security CCS’04, 2004, pp. 210–219. [11] M. Ohkubo, K. Suzki, S. Kinoshita, Cryptographic approach to privacy-friendly tags, in: RFID Privacy Workshop, 2003. [12] K. Rhee, J. Kwak, S. Kim, D. Won, Challenge-response based RFID authentication protocol for distributed database environment, in: International Conference on Security in Pervasive Computing SPC 2005, pp. 70–84. [13] J. Yang, J. Park, H. Lee, K. Ren, K. Kim, Mutual authentication protocol for low-cost RFID, in: Handout of the Encrypt Workshop on RFID and Lightweight Crypto, 2005. [14] J. Yang, K. Ren, K. Kim, Security and privacy on authentication protocol for low-cost radio, in: The 2005 Symposium on Cryptography and Information Security. [15] K.H. Rosen, Elementary Number Theory and its Applications, Addison-Wesley, Reading, MA, 1988. [16] W. Patterson, Mathematical Cryptology for Computer Scientists and Mathematicians, Rowman, 1987. [17] E. Thompson, MD5 collisions and the impact on computer forensics, in: Digital Investigation 2005, pp. 36–40. [18] A. Shamir, Squash: A new one-way hash function with provable security properties for highly constrained devices such as RFID tags, in: Invited Talk, International Conference on RFID Security (RFIDSec’07), 2007. [19] M. Burmester, B. Medeiros, R. Motta, Robust, Anonymous RFID Authentication with Constant Key-Lookup,” , 2007. [20] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, A. Ribagorda, M2AP: A minimalist mutual-authentication protocol for low-cost RFID tags, in: Proceedings of International Conference on Ubiquitous Intelligence and Computing UIC’06, LNCS 4195, SpringerVerlag, 2006, pp. 912–923. [21] G. Avoine, E. Dysli, P. Oechslin, Reducing time complexity in RFID systems, in: The 12th Annual Workshop on Selected Areas in Cryptography (SAC), 2005.

Yalin Chen received her bachelor degree in the department of computer science and information engineering from Tamkang University in Taipei, Taiwan and her MBA degree in the department of information management from National Sun-Yat-Sen University (NYSU) in Kaohsiung, Taiwan. She is now a Ph.D. candidate of the Institute of Information Systems and Applications of National TsingHua University (NTHU) in Hsinchu, Taiwan. Her primary research interests are data security and privacy, protocol security, authentication, key agreement, electronic commerce, and wireless communication security.

Jue-Sam Chou received his Ph.D. degree in the department of computer science and information engineering from National Chiao Tung University (NCTU) in Hsinchu, Taiwan, ROC. He is an associate professor and teaches at the department of Information Management of Nanhua University in Chiayi, Taiwan. His primary research interests are electronic commerce, data security and privacy, protocol security, authentication, key agreement, communication and statistics.

Hung-Min Sun received his B.S. degree in applied mathematics from National ChungHsing University in 1988, his M.S. degree in applied mathematics from National ChengKung University in 1990, and his Ph.D. degree in computer science and information engineering from National Chiao-Tung University in 1995, respectively. He was an associate professor with the Department of Information Management, Chaoyang University from 1999 to 2002. Currently he is an associate professor with Department of Computer Science, National Tsing Hua University. He has published over 100 international journal and conference papers. He was the program co-chair of 2001 National Information security Conference and the program committee member of 1997, 2005, Information security Conference, 2000 Workshop on Internet and Distributed System, 2001, 2002, and 2005 Workshop on the 21st Century digital Life and Internet Technologies. 1998–1999 2002– 2004 2006–2007 National conference on Information Security, ACISP’04, NCS’2001, ICS’2002, ITRE’2005, NCS’2007. His research interests include information security, wireless network security, cryptography and multimedia security.