A privacy-preserving RFID authentication protocol based on El-Gamal cryptosystem for secure TMIS




ARTICLE IN PRESS

JID: INS

[m3Gsc;July 11, 2019;23:49]

Information Sciences xxx (xxxx) xxx

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Fatty M. Salem a,∗, Ruhul Amin b

a Department of Electronics, Communications and Computer Engineering, Helwan University, Helwan, Cairo, Egypt
b Department of Computer Science and Engineering, DRSPM International Institute of Information Technology, Raipur, Chhattisgarh, 493661, India

Article info

Article history: Received 5 May 2018; Revised 28 May 2019; Accepted 7 July 2019; Available online xxx

Keywords: Healthcare environment; Radio frequency identification; Mutual authentication; Privacy preserving; El-Gamal cryptosystem; AVISPA software

Abstract

The healthcare environment now lets patients communicate with doctors from home via the Internet, which is very useful for seriously ill patients. Errors in medication are hazardous and can cause significant harm; therefore, patient medication and information safety are essential issues in such a healthcare environment, and an authentication protocol is needed to protect this sensitive information. Moreover, when data that include a patient's personal information are shared, privacy leakage becomes one of the most challenging issues in a telecare medicine information system (TMIS). In this paper, we propose a privacy-preserving radio frequency identification (RFID) authentication protocol based on the El-Gamal cryptosystem for enhancing patient medication safety in a TMIS. The proposed protocol achieves a number of security services and resists several types of attacks. We also report the results of an "Automated Validation of Internet Security Protocols and Applications" (AVISPA) simulation of the protocol, which finds no active or passive attack on the modelled goals. An informal security analysis further indicates that patient information remains private and that the system is protected against the related attacks. Our protocol is not only better at protecting patient privacy but also achieves better performance than similar existing protocols.

© 2019 Elsevier Inc. All rights reserved.

1. Introduction

In healthcare systems, there is a need for a capable data-analysis tool whose storage capacity can scale with the volume of data. Such a tool enables the examination of a patient's present and future health conditions by analysing numerous health parameters. Organizations like Amazon, Google, and IBM offer storage and computational resources for managing big data as a service in a cloud environment. However, securing network access and sensitive information is required by law. Moreover, it fosters an environment in which highly mobile doctors and patients can communicate securely, confident that a patient's information is not being compromised. Radio-frequency identification (RFID) technology can enhance patients' medication safety through tracking, management, and validation. RFID can also ease contact between medical staff and patients and hence shorten waiting times for care processes. Accordingly, RFID has tangible benefits, such as reducing cost and time, reducing staffing needs, preventing theft, and improving productivity [1].

∗ Corresponding author. E-mail addresses: [email protected] (F.M. Salem), [email protected] (R. Amin).
https://doi.org/10.1016/j.ins.2019.07.029 0020-0255/© 2019 Elsevier Inc. All rights reserved.
Please cite this article as: F.M. Salem and R. Amin, A privacy-preserving RFID authentication protocol based on El-Gamal cryptosystem for secure TMIS, Information Sciences, https://doi.org/10.1016/j.ins.2019.07.029

RFID uses radio waves to read, acquire, and store data on a tag. An RFID system has two major components: a tag, attached to an object to identify it uniquely; and a reader, the device that reads and writes tags. The tag is the user-side device; it provides a storage field with identity authentication and data access to support the application. More advanced tags have more memory and can host stronger encryption and decryption modules. RFID is considered an essential wireless communication technology, as any two remote devices can communicate with each other. Unlike a traditional barcode, RFID technology has the following features:
1. It offers both read and write capabilities.
2. It can read more than one tag simultaneously.
3. Line-of-sight contact with the reader is not required.
4. RFID tags are durable and reusable.
5. The read rate is greatly increased.

The attacks against RFID-based systems include eavesdropping, man-in-the-middle, spoofing, de-synchronization, traceability, and replay attacks. An authentication protocol is the established approach to preserving privacy in RFID-based systems [46]. Various protocols have been introduced for securing the healthcare environment; among these, RFID authentication protocols have gained the most attention. Many authentication protocols [26,44] use a smart card to protect data sharing and communication in a healthcare environment. However, these protocols are inappropriate for RFID-based healthcare systems, because the computational capability of the tag is limited. Therefore, various RFID authentication schemes have been proposed. A "yoking proof" scheme [18] depends on hash functions and a message authentication code; however, it cannot achieve tag anonymity and cannot withstand a replay attack. In [34], an RFID-based SurgiChip system was proposed to prevent wrong-site, wrong-procedure, and wrong-patient surgeries. Afterward, an RFID grouping-proof protocol was proposed [15]; however, it is inefficient at preserving privacy and cannot resist forgery or denial-of-service (DoS) attacks. Authentication protocols in which the server interacts with the reader have been proposed [22]; there, a tag is identified by only one authorized reader at a time, and the server is prevented from revealing the tag's identity. The first RFID privacy-protection protocol was proposed in [19], but it was not suitable for practical applications. To address this, a low-cost RFID access-control scheme using hash functions was proposed in [40]; unfortunately, it cannot prevent tag traceability, because a tag uses the same identity in different sessions.

The authors of [28] proposed a privacy-preserving protocol to prevent tag traceability, but it cannot resist impersonation and replay attacks. Later, the authors of [13] introduced a hash-based technique to safeguard the tag's location privacy, in which the tag's identity differs in each session; however, it cannot provide backward untraceability and cannot resist an impersonation attack. To provide backward and forward untraceability, a few lightweight RFID authentication protocols [30,31,32] have been put forward. Many RFID authentication schemes [20,33] are based on symmetric-key cryptography; nevertheless, RFID authentication schemes based on public-key cryptosystems [10,42] attract more attention. A hash-based mutual authentication protocol [36] was put forth to ensure a patient's privacy in a TMIS. Unfortunately, the authors of [23] showed that the protocol in [36] has a serious security problem: an attacker can use a stolen reader to access medical data stored in the back-end medical server. In [2], a chaotic-map-based RFID authentication protocol was proposed to fix the security problems of the protocol by Benssalah et al. [6]. Furthermore, RFID mutual authentication protocols based on unclonable functions have been proposed in [41]. A TMIS operates in a cloud environment, where a patient accesses his sensitive information stored in the cloud using his smart devices. Many authentication and privacy-preserving schemes [8,12] have been proposed for a secure cloud-based TMIS. A cloud-based scheme, the "Improved Cloud-Based Authentication Scheme for Medical Environment" (ICASME), was proposed in [8] to provide forward security and guarantee patient anonymity and unlinkability. However, this scheme depends on bilinear pairing, which is computationally expensive. The authors of [12] proposed a cloud-based data-sharing approach to protect a patient's media data and manage them efficiently in a TMIS.

Moreover, several RFID authentication schemes based on elliptic curve cryptography (ECC) have been introduced. The authors of [39] proposed an ECC-based RFID identification scheme and claimed that it could withstand tag counterfeiting. Afterward, another ECC-based RFID identification scheme was proposed in [5] and asserted to be resistant to active attacks. However, the authors of [21] found that the two schemes in [5,39] cannot achieve forward security and cannot resist a location-tracking attack. Later, an ECC-based RFID authentication scheme was proposed in [9] to withstand various attacks; however, the authors of [43] showed that it cannot preserve tag information privacy, and they proposed an efficient authentication protocol (EAP) to overcome the weaknesses of related work. A secure authentication scheme (SAS) based on ECC was integrated with an ID-verifier transfer protocol in [24], and the authors claimed that the integrated scheme could withstand a number of attacks. Unfortunately, the authors of [29] proved that the scheme in [24] cannot withstand a server impersonation attack. A secure authentication protocol (SAP) based on ECC was proposed in [45]; however, Farash et al. [11] demonstrated that the protocols in [43,45] cannot provide forward secrecy. To provide this service, Farash et al. [11] proposed a provably secure authentication protocol (PSAP), proved in the random oracle model. In addition, the secure mutual authentication protocol (SMAP) proposed in [17] provides forward security. As ECC is difficult to implement securely, particularly with the standard curves [7], an easily implemented cryptosystem is needed for authentication in a healthcare environment.

In this paper, we propose an easy-to-implement privacy-preserving RFID authentication protocol based on the El-Gamal cryptosystem for a secure TMIS. The proposed protocol provides strong security features and resists several types of attacks. Moreover, it is easier to implement, as it uses neither elliptic curves nor bilinear pairing. Fig. 1 shows the TMIS architecture we consider.

Fig. 1. Telecare medical architecture with cloud server.

1.1. Contributions

This study makes the following contributions in the field of RFID-based TMIS systems.
1. We first consider a TMIS system, and then use the El-Gamal cryptosystem to design a privacy-preserving RFID authentication protocol.
2. Our protocol provides all the security requirements for a TMIS, as presented in Section 3.1.
3. The required security properties have been validated using the "Automated Validation of Internet Security Protocols and Applications" (AVISPA) security simulation tool.
4. The performance of the proposed protocol is also better than that of existing protocols.

1.2. Organization of the paper

The structure of the paper is as follows. Section 1 gives an introduction and reviews related work, including the major contributions of the study.
The protocol is presented in Section 2. The security analysis, including the AVISPA simulation, appears in Section 3. The performance is analyzed in Section 4. Finally, we conclude the paper in Section 5.

2. Proposed protocol

This section presents the proposed privacy-preserving authentication protocol. It comprises two phases: the setup phase and the authentication phase.

Setup Phase: The server produces the system parameters, its private and public keys, and the tag identifiers as follows.
• Chooses a random prime number $p$ with a length of 1024 bits.
• Chooses a generator $g$ with $1 < g < p - 1$.
• Randomly chooses a secret key $\alpha$ with $1 < \alpha < p - 2$.
• Computes its public key $y = g^{\alpha} \bmod p$.
• For each patient with a tag, chooses a random 160-bit secret $x_i$ as the identifier of the $i$th tag.
• Stores each tag's identifier and its associated information in the server's database.
• Stores the identifier $x_i$ in the $i$th tag's memory.

Fig. 2. The proposed privacy preserving radio-frequency identification (RFID) authentication protocol.

Authentication Phase:

In the authentication phase, the tag and the server perform mutual authentication, as shown in Fig. 2. This phase proceeds as follows.

Step 1: The server randomly chooses an integer $k \in \mathbb{Z}_p^*$, sets $C_1 = k$, and broadcasts the message $\{C_1\}$ to $\mathrm{tag}_i$.

Step 2: Upon receiving $\{C_1\}$, $\mathrm{tag}_i$ picks two random integers $r_1, r_2 \in \mathbb{Z}_p^*$ and computes
$$R_1 = g^{r_1} \bmod p,\qquad R_2 = (r_2 \cdot y^{r_1}) \bmod p,\qquad \mathrm{Auth}_i = x_i \oplus H(r_2, C_1, R_1, R_2).$$
$\mathrm{tag}_i$ sends $\{R_1, R_2, \mathrm{Auth}_i\}$ to the server. The hash function used in the protocol is the secure hash algorithm 1 (SHA-1); hence the hash output and the message $\mathrm{Auth}_i$ are both 160 bits long.

Step 3: Upon receiving $\{R_1, R_2, \mathrm{Auth}_i\}$, the server computes
$$S_1 = R_1^{\alpha} \bmod p,\qquad S_2 = S_1^{-1} \bmod p,\qquad r_2 = (R_2 \cdot S_2) \bmod p,$$
that is, it decrypts the El-Gamal ciphertext $(R_1, R_2)$ with its secret key $\alpha$ to recover $r_2$ (since $S_1 = g^{\alpha r_1} = y^{r_1}$). Then the server extracts the identifier of $\mathrm{tag}_i$:
$$x_i = \mathrm{Auth}_i \oplus H(r_2, C_1, R_1, R_2).$$


Fig. 3. High-level protocol specification language (HLPSL) code of the tag of our protocol.

Then, the server looks for $x_i$ in its database. If the identifier is not in the database, the server flags malicious behaviour and aborts; otherwise, it authenticates $\mathrm{tag}_i$ and computes
$$C_2 = H(x_i, r_2, C_1, R_1, R_2, \mathrm{Auth}_i).$$
Finally, the server sends $\{C_2\}$ to $\mathrm{tag}_i$.

Step 4: Upon receiving $\{C_2\}$, $\mathrm{tag}_i$ computes $C' = H(x_i, r_2, C_1, R_1, R_2, \mathrm{Auth}_i)$ and compares it with $C_2$. If they are equal, $\mathrm{tag}_i$ accepts the server as authentic; otherwise, $\mathrm{tag}_i$ aborts the session.

3. Protocol simulation using "Automated Validation of Internet Security Protocols and Applications" (AVISPA) software

AVISPA is a widely used tool for checking whether a protocol is vulnerable to active and passive attacks, including replay and man-in-the-middle (MITM) attacks. We modelled the proposed protocol in the high-level protocol specification language (HLPSL) and ran it in online mode; the preliminary knowledge required is listed in [3]. In this section, we provide the HLPSL code of each entity (tag and server), followed by the simulation results. Figs. 3 and 4 give the HLPSL code of the tag and server, respectively, and Fig. 5 the HLPSL code of the goal, session, and environment. The results of the OFMC and CL-AtSe back-ends are shown in Figs. 6 and 7: neither finds an attack on the specified goals, so the proposed protocol is safe against the active and passive attacks that AVISPA models.

3.1. Security analysis of the proposed protocol

In this subsection, we analyse the security of the proposed protocol and confirm that it provides strong protection against the related threats, including tag privacy, location tracking, traceability, cloning attacks, and desynchronization attacks.

Theorem 1. The proposed protocol supports a confidentiality property.

Proof. In our proposed protocol, the identifier $x_i$ of the $i$th tag is hidden in the message $\mathrm{Auth}_i = x_i \oplus H(r_2, C_1, R_1, R_2)$. The adversary can obtain the broadcast messages $\{C_1\}$ and $\{R_1, R_2, \mathrm{Auth}_i\}$ and the server's public key $y$. However, $r_2$ is El-Gamal-encrypted as $(R_1, R_2)$ under $y$, so without the secret key $\alpha$ the adversary cannot recover $r_2$, cannot compute the mask $H(r_2, C_1, R_1, R_2)$, and hence cannot obtain $x_i$. Thus, our proposed protocol supports tag confidentiality.


Fig. 4. HLPSL code of the Server of our protocol.

Fig. 5. HLPSL code of the session, goal, and environment of our protocol.



Fig. 6. On-the-fly model-checker (OFMC) results.

Fig. 7. "Constraint Logic-based ATtack SEarcher" (CL-AtSe) results.

Theorem 2. The proposed protocol provides a mutual authentication property.

Proof. In our proposed protocol, an adversary cannot fabricate a legitimate message $\{R_1, R_2, \mathrm{Auth}_i\}$, as it cannot acquire the identifier $x_i$ of the $i$th tag, whereas the server can compute $x_i = \mathrm{Auth}_i \oplus H(r_2, C_1, R_1, R_2)$ and check the authenticity of $\mathrm{tag}_i$ by searching for $x_i$ in its database. Moreover, the adversary cannot fabricate a legitimate message $\{C_2\}$, as it cannot reveal the server's secret key $\alpha$, the random number $r_2$, or the identifier $x_i$, where $C_2 = H(x_i, r_2, C_1, R_1, R_2, \mathrm{Auth}_i)$. Therefore, the proposed protocol provides mutual authentication.

Theorem 3. The proposed protocol offers tag privacy.


Proof. In the proposed protocol, the identifier $x_i$ of the $i$th tag appears only inside the message $\mathrm{Auth}_i = x_i \oplus H(r_2, C_1, R_1, R_2)$. Moreover, at the start of each new session the server and $\mathrm{tag}_i$ create new random numbers $k$, $r_1$, and $r_2$, so the mask applied to $x_i$ changes every session. Hence, an adversary cannot trace the exact location of the tag. Therefore, the proposed protocol offers tag privacy.

Theorem 4. The proposed protocol offers an availability property.

Proof. As the identifier $x_i$ of the $i$th tag is strongly protected and no adversary can obtain it during the protocol execution, there is no need to change the tag's identifier after executing the protocol, so the tag can never be left in a state in which the server no longer recognises it. Thus, the proposed protocol offers availability.

Theorem 5. The proposed protocol supports forward and backward untraceability.

Proof. In our proposed protocol, the adversary cannot trace the tag even if it reveals the tag's identifier. Assume that an adversary reveals $x_i$ and intercepts the messages $\{C_1\}$ and $\{R_1, R_2, \mathrm{Auth}_i\}$ exchanged between the server and $\mathrm{tag}_i$, where $C_1 = k$, $R_1 = g^{r_1} \bmod p$, $R_2 = (r_2 \cdot y^{r_1}) \bmod p$, and $\mathrm{Auth}_i = x_i \oplus H(r_2, C_1, R_1, R_2)$. The adversary cannot confirm whether those messages were exchanged between the server and $\mathrm{tag}_i$, as it cannot reveal the server's secret key $\alpha$ or the random values $(r_1, r_2)$, and without $r_2$ it cannot recompute the mask and test whether $\mathrm{Auth}_i$ unmasks to $x_i$. Thus, our proposed protocol supports backward and forward untraceability.

Theorem 6. The proposed protocol resists a tag impersonation attack.

Proof. Assume that an attacker attempts to impersonate $\mathrm{tag}_i$ to the server after intercepting the message $\{C_1\}$ sent by the server. The adversary must produce a valid message $\{R_1, R_2, \mathrm{Auth}_i\}$, where $R_1 = g^{r_1} \bmod p$, $R_2 = (r_2 \cdot y^{r_1}) \bmod p$, and $\mathrm{Auth}_i = x_i \oplus H(r_2, C_1, R_1, R_2)$. However, as the adversary has no knowledge of the identifier $x_i$, it cannot create a legitimate message $\{R_1, R_2, \mathrm{Auth}_i\}$: it can choose its own $(r_1, r_2)$, but its $\mathrm{Auth}_i$ then unmasks at the server to a value that is not in the database. Thus, our proposed protocol resists a tag impersonation attack.

Theorem 7. The proposed protocol is protected against a server spoofing attack.

Proof. Assume that the attacker impersonates the server to the tag: it generates a random value $k \in \mathbb{Z}_p^*$, sets $C_1 = k$, and sends $C_1$ to $\mathrm{tag}_i$. However, the adversary cannot create a valid message $C_2$, as it cannot reveal the server's secret key $\alpha$ (needed to decrypt $r_2$ from $(R_1, R_2)$) and cannot get the tag's identifier $x_i$. Thus, the adversary fails to impersonate the server to the tag. Hence, our proposed protocol is protected against a server spoofing attack.

Theorem 8. The proposed protocol prevents a replay attack.

Proof. Suppose that an attacker captures the messages $\{C_1\}$ and $\{C_2\}$, where $C_1 = k$ and $C_2 = H(x_i, r_2, C_1, R_1, R_2, \mathrm{Auth}_i)$, and replays them to the tag. Because $\mathrm{tag}_i$ generates new random values $(r_1, r_2)$ at the start of each session, its check $H(x_i, r_2, C_1, R_1, R_2, \mathrm{Auth}_i) \stackrel{?}{=} C_2$ fails for the replayed $C_2$, and the adversary is detected. If instead the attacker intercepts the message $\{R_1, R_2, \mathrm{Auth}_i\}$, where $R_1 = g^{r_1} \bmod p$, $R_2 = (r_2 \cdot y^{r_1}) \bmod p$, and $\mathrm{Auth}_i = x_i \oplus H(r_2, C_1, R_1, R_2)$, and replays it to the server, the server observes the attack when validating $\mathrm{Auth}_i$: because the server generates a new random $k$ in each session, the replayed $\mathrm{Auth}_i$ unmasks under the new $C_1$ to a value that is not in the database. Thus, our proposed protocol is protected against replay attacks.

Theorem 9. The proposed protocol resists a DoS attack.

Proof. In a DoS attack, the attacker attempts to prevent the target tag from receiving service. The adversary may try to make a synchronously shared secret between $\mathrm{tag}_i$ and the server inconsistent, so that the tag and server no longer recognise each other and the tag is disabled. However, in our proposed protocol, the identifier $x_i$ of the $i$th tag is strongly protected, and no adversary can obtain it during the protocol execution. Thus, it is not necessary to synchronously change the tag's identifier $x_i$ after executing the protocol, and there is no shared state for the attacker to desynchronise. Hence, our proposed protocol resists a DoS attack.

Theorem 10. The proposed protocol is protected against a location tracking attack.

Proof. Even if the attacker obtains the identifier $x_i$ of the $i$th tag, it cannot trace the tag. An adversary could trace the tag if it could relate an intercepted message to its transmitting tag, and hence correlate the tag's time and place; if the messages sent by a tag were fixed, the adversary could trace and find the tag, so the transmitted messages must not be fixed. Assume that the attacker reveals $x_i$ and intercepts the messages $\{C_1\}$ and $\{R_1, R_2, \mathrm{Auth}_i\}$ exchanged between the server and $\mathrm{tag}_i$, where $C_1 = k$, $R_1 = g^{r_1} \bmod p$, $R_2 = (r_2 \cdot y^{r_1}) \bmod p$, and $\mathrm{Auth}_i = x_i \oplus H(r_2, C_1, R_1, R_2)$. During the authentication phase, $\mathrm{tag}_i$ does not send $x_i$ directly but sends $\mathrm{Auth}_i = x_i \oplus H(r_2, C_1, R_1, R_2)$, which is computed freshly in each session. Thus, the adversary cannot confirm whether those messages were exchanged between the server and $\mathrm{tag}_i$, as it cannot reveal the server's secret key $\alpha$ or the random values $(r_1, r_2)$. Hence, it cannot trace the location of the tag, and the proposed protocol is protected against a location tracking attack.
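The following Python program is an added worked example (not the authors' code, and distinct from the HLPSL model of Figs. 3–5) that runs the setup and authentication phases of Section 2 end to end, with the server decrypting $(R_1, R_2)$ to recover $r_2$ exactly as in Step 3, and then exercises the two replay scenarios of Theorem 8. Assumptions not fixed by the paper: $p$ and $g$ are the published 1024-bit MODP prime and generator of RFC 2409 rather than a freshly generated prime; $H$ is SHA-1, as the paper specifies, applied to the fixed-width big-endian concatenation of its arguments (SHA-1 is kept for fidelity even though it is deprecated for new designs); the class and function names are this example's own.

```python
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# 1024-bit MODP prime p and generator g = 2 of RFC 2409 (Second Oakley Group).
# The paper only asks for a random 1024-bit prime and a generator; using this
# published group is an assumption of this example.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_LEN = (P.bit_length() + 7) // 8   # 128-byte fixed width for every hash input
ID_BITS = 160                       # x_i and the SHA-1 digest are both 160 bits

Msg2 = Tuple[int, int, int]         # {R1, R2, Auth_i}


def H(*parts: int) -> int:
    """H(.) of the paper: SHA-1 (as specified) over its arguments.
    Framing assumption: each argument is a fixed-width big-endian integer."""
    data = b"".join(x.to_bytes(P_LEN, "big") for x in parts)
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def rand_zp_star() -> int:
    """Uniform element of Z_p^* (1 <= v <= p-1)."""
    return secrets.randbelow(P - 1) + 1


class Server:
    """Setup phase: ElGamal key pair alpha / y = g^alpha mod p, and the x_i database."""

    def __init__(self) -> None:
        self.alpha = secrets.randbelow(P - 4) + 2       # 1 < alpha < p-2
        self.y = pow(G, self.alpha, P)
        self.db: Dict[int, str] = {}
        self.c1: Optional[int] = None

    def enrol(self, record: str) -> int:
        x_i = secrets.randbits(ID_BITS)                 # 160-bit tag identifier
        self.db[x_i] = record
        return x_i

    def step1(self) -> int:
        self.c1 = rand_zp_star()                        # C1 = k, fresh every session
        return self.c1

    def step3(self, msg: Msg2) -> Optional[int]:
        """Decrypt (R1, R2) to get r2, unmask x_i, look it up; return C2 or None."""
        R1, R2, auth = msg
        S1 = pow(R1, self.alpha, P)                     # S1 = R1^alpha = y^r1
        S2 = pow(S1, -1, P)                             # S2 = S1^{-1} mod p
        r2 = (R2 * S2) % P                              # r2 = R2 * S2 mod p
        x_i = auth ^ H(r2, self.c1, R1, R2)             # x_i = Auth_i XOR H(r2, C1, R1, R2)
        if x_i not in self.db:
            return None                                 # unknown identifier: reject
        return H(x_i, r2, self.c1, R1, R2, auth)        # C2


class Tag:
    """A tag holding its identifier x_i and the server's public key y."""

    def __init__(self, x_i: int, y: int) -> None:
        self.x_i, self.y = x_i, y
        self.pending: Optional[Tuple[int, int, int, int, int]] = None

    def step2(self, c1: int) -> Msg2:
        r1, r2 = rand_zp_star(), rand_zp_star()
        R1 = pow(G, r1, P)                              # R1 = g^r1 mod p
        R2 = (r2 * pow(self.y, r1, P)) % P              # R2 = r2 * y^r1 (ElGamal ciphertext of r2)
        auth = self.x_i ^ H(r2, c1, R1, R2)             # Auth_i = x_i XOR H(r2, C1, R1, R2)
        self.pending = (c1, r2, R1, R2, auth)           # kept only until step 4
        return R1, R2, auth

    def step4(self, c2: Optional[int]) -> bool:
        if c2 is None or self.pending is None:
            return False
        c1, r2, R1, R2, auth = self.pending
        self.pending = None
        return H(self.x_i, r2, c1, R1, R2, auth) == c2  # C' ?= C2


def run_session(server: Server, tag: Tag) -> bool:
    """Honest run of Steps 1-4; True when both sides accept."""
    c1 = server.step1()
    c2 = server.step3(tag.step2(c1))
    return tag.step4(c2)


def replay_to_server(server: Server, tag: Tag) -> bool:
    """Theorem 8: replay a captured {R1, R2, Auth_i} under the next session's C1.
    Returns True only if the server wrongly accepts."""
    captured = tag.step2(server.step1())
    server.step3(captured)                              # session 1 completes
    server.step1()                                      # session 2: fresh C1 = k'
    return server.step3(captured) is not None           # stale C1 in the mask: x_i not found


def replay_to_tag(server: Server, tag: Tag) -> bool:
    """Theorem 8: replay an old {C1} and {C2} to the tag.
    Returns True only if the tag wrongly accepts."""
    c1 = server.step1()
    c2 = server.step3(tag.step2(c1))
    tag.step4(c2)                                       # session 1 completes
    tag.step2(c1)                                       # tag answers the replayed C1 with fresh r1, r2
    return tag.step4(c2)                                # old C2 no longer matches C'
```

run_session returns True for an enrolled tag and False for a tag whose $x_i$ is not in the database; both replay helpers return False, which is the rejection Theorem 8 predicts: the replayed $\mathrm{Auth}_i$ is unmasked with the new $C_1$ and yields an identifier that is not in the database, and a replayed $C_2$ is compared against a $C'$ computed with the tag's fresh $r_2$.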


Theorem 11. The proposed protocol is protected against a cloning attack.

Proof. In our proposed protocol, the server generates an independent random 160-bit secret $x_i$ (Section 2) for every tag as the tag's identifier. Even if the adversary reveals a number of tags' identifiers, it cannot derive other tags' identifiers, because there is no relation between them. Thus, our proposed protocol is protected against a cloning attack.

Theorem 12. The proposed protocol is protected against a de-synchronization attack.

Proof. In our proposed protocol, as the identifier $x_i$ of the $i$th tag is strongly protected and no adversary can obtain it during the protocol execution, there is no need to synchronously change the tag's identifier after executing the protocol, so there is no shared state to desynchronise. Thus, our proposed protocol is protected against a de-synchronization attack.

4. Performance analysis

In this section, we analyze the performance of the proposed El-Gamal-based privacy-preserving RFID authentication protocol and compare it with a number of notable ECC-based RFID authentication protocols in terms of implementation, security services, and complexity.

4.1. Implementation analysis

There are various attacks against implementations of ECC, including invalid-curve and twist-security attacks. In an invalid-curve attack [16], an adversary tricks the cryptographic device into performing scalar multiplication not on the chosen secure curve but on a weaker elliptic curve of the adversary's choosing. The attack applies to implementations whose doubling and addition formulas do not involve at least one of the curve parameters. Moreover, the authors of [27] extended invalid-curve attacks to Edwards curves and some other standard curves, exploiting points $(x, y)$ that the formulas of almost every ECC curve fail to handle. Even the suggestion by many authors that twist-secure elliptic curves pave the way to secure implementations carries risks. The authors of [25] described vulnerabilities of ECC implementations using blinded static point multiplications that result from unjustified trust in twist security, and confirmed experimentally that even with twist-secure curves an insecure implementation can occur and security can be degraded. Moreover, an improper ECC implementation can leak private keys, causing serious pitfalls in cryptographic software. A notable example is the attack in which the group "fail0verflow" recovered the private key used to sign software for Sony's game console [35,47]: although Sony used the elliptic curve digital signature algorithm (ECDSA), the implementation reused the per-signature nonce, which allows the private key to be computed from two signatures. There are also examples of improper ECC implementation in OpenSSL, such as CVE-2014-0076 [48] and CVE-2008-5077 [49]. In CVE-2014-0076, the Montgomery-ladder implementation did not guarantee constant-time behaviour for certain swap operations, enabling local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. In CVE-2008-5077, remote attackers could bypass certificate-chain validation via a malformed secure sockets layer/transport layer security (SSL/TLS) signature for DSA and ECDSA keys. Consequently, the issue is not how secure ECC is in theory, but how ECC can be implemented properly. In contrast, the El-Gamal cryptosystem is one of the most important and efficient cryptosystems and is used to provide secure communications with a high level of security [38]. Although the El-Gamal algorithm requires a long key and more computation, it has been implemented easily by many research groups [37]. The implementation of El-Gamal encryption depends on modular multiplications, exponentiations, and multiplicative inverses, and these functions have been securely implemented on RFID in [14].

4.2. Security comparison

A security comparison between the proposed protocol and some related ECC-based RFID authentication protocols is presented in Table 1, where √ indicates that the protocol provides the property or resists the attack, and × indicates that it does not. From Table 1, we observe that the protocols in [43,45] cannot provide forward and backward security. The scheme in [24] cannot withstand a tag impersonation attack or a server spoofing attack. Our proposed protocol and the protocols in [11,17] guarantee the same security level and resist all of the listed attacks. However, only our proposed protocol and the protocol in [11] provide provable security. Moreover, only our proposed protocol is easy to implement securely on the tag, unlike the ECC-based protocols.

4.3. Complexity comparison

A complexity comparison is made in Table 2, where T and S denote the tag and the server, respectively. Our proposed protocol depends only on hash functions, modular exponentiations, modular multiplications, and multiplicative

Table 1. Security comparison of the efficient authentication protocol (EAP), secure authentication scheme (SAS), secure authentication protocol (SAP), provable secure authentication protocol (PSAP), secure mutual authentication protocol (SMAP), and the proposed protocol (√ = provided or resisted, × = not).

| Property | EAP [43] | SAS [24] | SAP [45] | PSAP [11] | SMAP [17] | Our protocol |
|---|---|---|---|---|---|---|
| Confidentiality | √ | √ | √ | √ | √ | √ |
| Mutual authentication | √ | √ | √ | √ | √ | √ |
| Tag's privacy | √ | √ | √ | √ | √ | √ |
| Availability | √ | √ | √ | √ | √ | √ |
| Forward and backward security | × | √ | × | √ | √ | √ |
| Tag impersonation attack resistance | √ | × | √ | √ | √ | √ |
| Server spoofing attack resistance | √ | × | √ | √ | √ | √ |
| Replay attack resistance | √ | √ | √ | √ | √ | √ |
| DoS attack resistance | √ | √ | √ | √ | √ | √ |
| Location tracking attack resistance | √ | √ | √ | √ | √ | √ |
| Cloning attack resistance | √ | √ | √ | √ | √ | √ |
| Desynchronization attack resistance | √ | √ | √ | √ | √ | √ |
| Man-in-the-middle attack resistance | √ | √ | √ | √ | √ | √ |
| Provable security | × | × | × | √ | × | √ |
| Easiness of secure implementation | × | × | × | × | × | √ |

Table 2 Complexity comparison. Function

EAP [43]

SAS [24]

SAP [45]

PSAP [11]

SMAP [17]

Our Protocol

Hash functions Modular Exponentiation Modular multiplications Multiplicative Inverse Scalar multiplications Addition over elliptic curve Modular Addition

T 2 0 0 0 2 1 0

T 0 0 0 0 5 0 0

T 0 0 0 0 5 3 0

T 2 0 0 0 2 1 0

T 2 0 1 0 2 0 1

T 2 2 1 0 0 0 0

S 2 0 0 0 1 1 0

S 0 0 0 0 5 0 0

S 0 0 0 0 5 3 0

S 2 0 0 0 1 1 0

S 2 0 1 0 2 0 1

S 2 1 1 1 0 0 0

Table 3 Required notations table for all the crypto-operation. Function

Notation

Execution Time

Hash functions Modular Exponentiation Modular multiplications Scalar multiplications Addition over elliptic curve

Th Tme Tmm Tsm Tac

0.0004 1.83 0.015 7.35 0.009

Table 4 Real-time complexity comparison. Function

T

S

TC

EAP [43] SAS [24] SAP [45] PSAP [11] SMAP [17] Our Protocol

14.7 36.7 36.8 14.7 14.8 3.7

7.4 36.7 36.8 7.4 14.8 1.8

22.1 73.4 73.6 22.1 29.6 5.5

inverses. The implementation of these functions can be securely performed using RFID as provided in [14], unlike the implementation of ECC, which is complicated and difficult to implement. In Table 3, we have given all of the notations for the crypto-operations used in the comparison, and have further given the real-time execution for each in milliseconds [4]. By considering the time complexity mentioned in Table 3, we have presented another table (Table 4) for showing the computation cost of the tag and server separately. In Table 4, TC indicates the total cost. Table 4 further highlights that our protocol requires less computation costs than other protocols. Hence, the proposed protocol contributes a great performance in terms of computation costs, even though the same protocol protects against all related security threats. From the above-mentioned results and analysis, it is evident that the proposed El-Gamal-based RFID authentication protocol can provide numerous desirable important security features with high-level security attack protection. Moreover, our proposed protocol is the first to use the El-Gamal cryptosystem to design a practical privacy-preserving RFID authentication Please cite this article as: F.M. Salem and R. Amin, A privacy-preserving RFID authentication protocol based on El-Gamal cryptosystem for secure TMIS, Information Sciences, https://doi.org/10.1016/j.ins.2019.07.029


protocol that can be securely and easily implemented, unlike ECC-based protocols, which are complicated and difficult to implement. Additionally, the proposed protocol is highly efficient in terms of computation cost compared to the other related ECC-based protocols. These features and advantages make our proposed protocol more suitable and practical for a TMIS than the other related protocols.

5. Conclusion

In this article, we proposed an easy-to-implement privacy-preserving RFID authentication protocol for a TMIS, based on the El-Gamal cryptosystem. A security comparison with other protocols confirms that our proposed protocol withstands the well-known cryptographic attacks and also provides additional security features. Furthermore, formal security verification is provided using the well-known AVISPA tool, whose results confirm that the proposed protocol is secure against various types of attacks. Moreover, the proposed protocol achieves a lower computation cost than the other relevant protocols. These advantages demonstrate the high level of security provided by our proposed protocol, whose practical implementation in a healthcare environment is easier.

Declaration of Interest

None.

References

[1] S. Ajami, A. Rajabzadeh, Radio Frequency Identification (RFID) technology and patient safety, J. Res. Med. Sci. 18 (9) (2013) 809–813.
[2] M. Akgün, A.O. Bayrak, M.U. Çaglayan, Attacks and improvements to chaotic map-based RFID authentication protocol, Secur. Commun. Netw. 8 (18) (2015) 4028–4040.
[3] R. Amin, G.P. Biswas, A novel user authentication and key agreement protocol for accessing multi-medical server usable in TMIS, J. Med. Syst. 39 (2015) 33.
[4] R. Amin, S.H. Islam, G.P. Biswas, D. Giri, M.K. Khan, N. Kumar, A more secure and privacy-aware anonymous user authentication scheme for distributed mobile cloud computing environments, Secur. Commun. Netw. 9 (17) (2016) 4650–4666.
[5] L. Batina, J. Guajardo, T. Kerins, N. Mentens, P. Tuyls, I. Verbauwhede, Public-key cryptography for RFID-tags, in: Fifth Annual IEEE International Conference on PerCom Workshops '07, IEEE, 2007, pp. 217–222.
[6] M. Benssalah, M. Djeddou, K. Drouiche, Security enhancement of the authenticated RFID security mechanism based on chaotic maps, Secur. Commun. Netw. 7 (2014) 2356–2372.
[7] J.W. Bos, J.A. Halderman, N. Heninger, J. Moore, M. Naehrig, E. Wustrow, Elliptic curve cryptography in practice, in: N. Christin, R. Safavi-Naini (Eds.), Financial Cryptography and Data Security (FC 2014), Lecture Notes in Computer Science, vol. 8437, Springer, Berlin, Heidelberg, 2014.
[8] Q. Cheng, X. Zhang, J. Ma, ICASME: an improved cloud-based authentication scheme for medical environment, J. Med. Syst. 41 (3) (2017) 44, doi:10.1007/s10916-017-0693-8.
[9] J.-S. Chou, A secure RFID authentication protocol to enhance patient medication safety using elliptic curve cryptography, J. Supercomput. (2014), doi:10.1007/s11227-013-1073-x.
[10] R. Doss, S. Sundaresan, W. Zhou, A practical quadratic residues based scheme for authentication and privacy in mobile RFID systems, Ad Hoc Netw. 11 (1) (2013) 383–396.
[11] M.S. Farash, O. Nawaz, K. Mahmood, S.H. Chaudhry, M.K. Khan, A provably secure RFID authentication protocol based on elliptic curve for healthcare environments, J. Med. Syst. 40 (7) (2016) 165, doi:10.1007/s10916-016-0521-6.
[12] M.M. Hassan, K. Lin, et al., A multimedia healthcare data sharing approach through cloud-based body area network, Future Gener. Comput. Syst. 66 (1) (2017) 48–58.
[13] D. Henrici, P. Muller, Hash based enhancement of location privacy for radio frequency identification devices using varying identifiers, in: International Workshop on Pervasive Computing and Communication Security (PerSec 2004), IEEE Computer Society, 2004, pp. 149–153.
[14] W. Hinz, K. Finkenzeller, M. Seysen, Methods and system for secure communication between an RFID tag and a reader, US Patent 14/385,525, March 1, 2016.
[15] H.H. Huang, C.Y. Ku, A RFID grouping proof protocol for medication safety of inpatient, J. Med. Syst. 33 (6) (2009) 467–474.
[16] T. Jager, J. Schwenk, J. Somorovsky, Practical invalid curve attacks on TLS-ECDH, in: 20th European Symposium on Research in Computer Security (ESORICS), 2015.
[17] C. Jin, C. Xu, X. Zhang, F. Li, A secure ECC-based RFID mutual authentication protocol to enhance patient medication safety, J. Med. Syst. 40 (2016) 12, doi:10.1007/s10916-015-0362-8.
[18] A. Juels, Yoking-proofs for RFID tags, in: First International Workshop on Pervasive Computing and Communication Security, 2004.
[19] A. Juels, R.L. Rivest, M. Szydlo, The blocker tag: selective blocking of RFID tags for consumer privacy, in: The 8th ACM Conference on Computer and Communications Security, 2003, pp. 103–111.
[20] W.C. Kuo, B.L. Chen, L.C. Wuu, Secure indefinite-index RFID authentication scheme with challenge-response strategy, Inf. Technol. Control 42 (2) (2013) 124–130.
[21] Y. Lee, L. Batina, I. Verbauwhede, EC-RAC (ECDLP based randomized access control): provably secure RFID authentication protocol, in: 2008 IEEE International Conference on RFID, IEEE, 2008, pp. 97–104.
[22] N. Li, Y. Mu, W. Susilo, F. Guo, V. Varadharajan, Privacy-preserving authorized RFID authentication protocols, in: Radio Frequency Identification: Security and Privacy Issues, 2014, pp. 108–122.
[23] C.T. Li, C.Y. Weng, C.C. Lee, A secure RFID tag authentication protocol with privacy preserving in telecare medicine information system, J. Med. Syst. 39 (2015) 77, doi:10.1007/s10916-015-0260-0.
[24] Y. Liao, C. Hsiao, A secure ECC-based RFID authentication scheme integrated with ID-verifier transfer protocol, Ad Hoc Netw. 18 (2014) 133–146.
[25] M. Lochter, A. Wiemers, Twist insecurity, IACR Cryptology ePrint Archive, 2015. Available at: https://eprint.iacr.org/2015/577 (last accessed 15 November 2018).
[26] T. Maitra, M. Obaidat, R. Amin, S. Islam, S. Chaudhry, D. Giri, A robust ElGamal-based password-authentication protocol using smart card for client-server communication, Int. J. Commun. Syst. 30 (2016) 1–12.
[27] S. Neves, M. Tibouchi, Degenerate curve attacks: extending invalid curve attacks to Edwards curves and other models, in: Public-Key Cryptography (PKC 2016), 2016, pp. 217–225.
[28] M. Ohkubo, K. Suzuki, S. Kinoshita, Cryptographic approach to privacy friendly tags, in: RFID Privacy Workshop, 2003.
[29] R. Peeters, J. Hermans, Attack on Liao and Hsiao's secure ECC-based RFID authentication scheme integrated with ID verifier transfer protocol, Cryptology ePrint Archive, Report 2013/399, 2013.


[30] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, A. Ribagorda, EMAP: an efficient mutual authentication protocol for low cost RFID tags, in: Proc. of IS'06, LNCS 4277, Springer Verlag, 2006, pp. 352–361.
[31] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, A. Ribagorda, LMAP: a real lightweight authentication protocol for low cost RFID tags, in: Handout of the Workshop on RFID and Lightweight Crypto, 2006.
[32] P. Peris-Lopez, J.C. Hernandez-Castro, J.M. Estevez-Tapiador, A. Ribagorda, M2AP: a minimalist mutual authentication protocol for low cost RFID tags, in: Proc. of UIC'06, LNCS 4159, Springer Verlag, 2006, pp. 912–923.
[33] M. Safkhani, P. Peris-Lopez, J.C. Hernandez-Castro, N. Bagheri, Cryptanalysis of the Cho et al. protocol: a hash based RFID tag mutual authentication protocol, J. Comput. Appl. Math. 259 (1) (2014) 571–577.
[34] D. Sandlin, SurgiChip: new technology for prevention of wrong site, wrong procedure, wrong person surgery, J. Perianesth. Nurs. 20 (2005) 2144–2146.
[35] M. Schmid, ECDSA: application and implementation failures, UC Santa Barbara, CS 290G, Fall 2015, pp. 1–4. Available at: https://tinyurl.com/SchmidProject (last accessed 22 May 2019).
[36] K. Srivastava, A.K. Awasthi, S.D. Kaul, R.C. Mittal, A hash based mutual RFID tag authentication protocol in telecare medicine information system, J. Med. Syst. 39 (2015) 153.
[37] L.A. Tawalbeh, S. Sweidan, Hardware design and implementation of ElGamal public-key cryptography algorithm, Inf. Secur. J. Glob. Perspect. 19 (5) (2010) 243–252.
[38] Y. Tsiounis, M. Yung, On the security of ElGamal based encryption, in: PKC'98, January 1998.
[39] P. Tuyls, L. Batina, RFID-tags for anti-counterfeiting, in: Topics in Cryptology - CT-RSA 2006, 2006, pp. 115–131.
[40] S.A. Weis, S.E. Sarma, R.L. Rivest, D.W. Engels, Security and privacy aspects of low-cost radio frequency identification systems, in: Security in Pervasive Computing (SPC 2003), LNCS 2802, Springer-Verlag, 2003, pp. 201–212.
[41] H. Xu, J. Ding, P. Li, F. Wang, A lightweight RFID mutual authentication protocol based on physical unclonable function, Sensors 18 (2018) 760, doi:10.3390/s18030760.
[42] T.-C. Yeh, C.-H. Wu, Y.-M. Tseng, Improvement of the RFID authentication scheme based on quadratic residues, Comput. Commun. 34 (2011) 337–341.
[43] Z.Z. Zhang, Q.Q. Qi, An efficient RFID authentication protocol to enhance patient medication safety using elliptic curve cryptography, J. Med. Syst. 38 (5) (2014) 1–7.
[44] Z. Zhao, An efficient anonymous authentication scheme for wireless body area networks using elliptic curve cryptosystem, J. Med. Syst. 38 (2014) 13, doi:10.1007/s10916-014-0013-5.
[45] Z. Zhao, A secure RFID authentication protocol for healthcare environments using elliptic curve cryptosystem, J. Med. Syst. 38 (5) (2014) 1–7.
[46] Z. Zhu, An efficient authentication scheme for telecare medicine information systems, J. Med. Syst. 36 (6) (2012) 3833–3838.
[47] The Central Scrutinizer, Sony's PS3 security is epic fail - videos within, PSX-Scene Forum, 29 December 2010. Available at: http://psx-scene.com/forums/content/sony-s-ps3-security-epic-fail-videos-within-581/?s=68e141dc91333038e2223ee86e3c748f (last accessed 15 November 2018).
[48] OpenSSL.org, OpenSSL Security Advisory, 05 June 2014 [Online]. Available at: https://www.openssl.org/news/secadv/20140605.txt (last accessed 15 November 2018).
[49] OpenSSL.org, OpenSSL Security Advisory, 07 January 2009 [Online]. Available at: https://www.openssl.org/news/secadv/20090107.txt (last accessed 15 November 2018).

Please cite this article as: F.M. Salem and R. Amin, A privacy-preserving RFID authentication protocol based on El-Gamal cryptosystem for secure TMIS, Information Sciences, https://doi.org/10.1016/j.ins.2019.07.029