SURC: Secure Ultra-lightweight RFID Authentication Protocol with Crossover

Radio Frequency Identification (RFID) is a wireless automatic identification technology based on low-cost RFID tags. Because RFID has become so widespread in everyday life, the need to maintain security and privacy in these systems grows day by day. In this paper we first define a new operation named crossover, built from simple bitwise operations, and discuss its security. We then propose a new secure ultra-lightweight RFID authentication protocol based on the crossover operation (SURC). SURC is a low communication and computation cost protocol that can be integrated into the ubiquitous EPCglobal Class-1 Generation-2 (C1G2) tag protocol. The new protocol provides data integrity and confidentiality and resists tag location tracking, backward traceability, and server and tag impersonation.


Introduction
Radio frequency identification (RFID) is a technology for identifying objects and living creatures by radio. Its advantages, such as lower cost, higher speed and large-scale identification, have led to steadily increasing use. The basis of the technology is similar to barcodes, but in RFID systems identification takes place without physical contact or line of sight, via radio waves. These advantages make the technology attractive to commercial and industrial users, so that today RFID systems are deployed in areas such as credit cards, subways and buses, new passport cards, and new electronic barcodes. Because RFID is used in sensitive areas such as access control systems, supply chain management, new passports and contactless smart cards, studying the security aspects of the technology and deploying security protocols for authentication in these systems is an urgent need for industries and organizations (Cole & Ranasinghe, 2008) (Mehrabani & Sadegha, 2021b) (Mehrabani & Sadegha, 2021a).

Published in: International Journal of Innovation in Engineering (journal homepage: www.ijie.ir)
Most RFID frameworks use EPCglobal information and communication standards. EPC Class-1 Gen-2 is a standard provided by the EPCglobal organization (Duc, 2006) that gives a structure to RFID communications. EPC C-1 G-2 restricts tags to a few simple operations, for example CRC (cyclic redundancy check), PRNG (pseudorandom number generator) and bitwise XOR (Chi-Fang, 2011). RFID authentication protocols based on the EPC C-1 G-2 standard have therefore struggled to provide strong security properties.
Authentication protocols are the most important tools for providing security at the highest layer, the application layer, of an RFID system. They run between the tag and the reader, and during their execution the parties verify each other's identity. Low production cost is one of the most important features of RFID tags (Shi et al., 2017), so there is no room for separate encryption, and the security of the entire system depends directly on the security level of the protocols used for identification and authentication.
In RFID systems, the most important features of a secure identification and authentication protocol are:
• Confidentiality: Ensure that information is only available to those who are authorized to access it (Shi et al., 2017). Confidentiality means that a secure protocol must not leak information to an attacker or eavesdropper. Information stored on the tag, such as the unique identifier and the secret keys employed in identification, should be available only to the tag and, where necessary, the server. A further aspect of confidentiality is privacy, in particular the location privacy of the tag or its holder. Location privacy means that if an attacker eavesdrops on a session and saves the information exchanged during the identification protocol between tag Ti and an authorized reader at time t, the attacker still fails to identify any other transaction of tag Ti at another time.
• Data integrity: Maintaining the authenticity and integrity of information and processing methods (Su et al., 2007). No party should be able to alter or manipulate the information exchanged between the participants of the protocol. Originality of the message prevents many attacks that lead to impersonation.
• Availability: Assurance that all authorized users can access the information and other resources they need (Bertolini et al., 2012). Authorized users (tags) must be able to use the system's services easily at any time and in any place.
• Authentication: The most basic goal of an identification protocol is checking the identity of an entity or of the parties to the protocol.
The remainder of this paper is organized as follows. Section 2 briefly reviews some recent RFID authentication protocols. Section 3 presents our new crossover operation and discusses its security features. Section 4 proposes a new authentication protocol based on the crossover operation (SURC), and Section 5 discusses the security and the performance of the proposed protocol and compares it with prior work. Section 6 concludes the paper.

Related work
In 2009, Chen and Deng proposed a new low-overhead mutual authentication protocol with four rounds (Chen & Deng, 2009). Their protocol relies on a PRNG primitive in the tag and some other simple bitwise operations. Yeh et al. (2010) presented a mutual authentication protocol conforming to EPCglobal Class-1 Gen-2 RFID tags; it uses a pseudorandom number generator and simple bitwise operations and has six authentication steps (Yeh et al., 2010). Habibi et al. (2011) proved that it does not assure untraceability and backward untraceability: all past and future transactions of a compromised tag become traceable by an adversary (Habibi et al., 2011). Yoon (2012) pointed out that Yeh et al.'s protocol has serious security problems such as a data integrity problem and a forward secrecy problem (Yoon, 2012).

A mutual authentication protocol under the EPC C-1 G-2 standard was suggested by Chien & Chen (2007), using only XOR, CRC and PRNG (Chien & Chen, 2007). Yi et al. (2012) showed some security problems of the protocol and proposed an improved one (Yi et al., 2012). Peris-Lopez et al. (2009) showed weaknesses of Chien and Chen's protocol including tag and reader impersonation and a de-synchronization attack; they also showed that the protocol does not guarantee forward security and is vulnerable to tracing attacks (Peris-Lopez et al., 2009). Han & Kwon (2009) presented a further de-synchronization attack and two tag impersonation attacks on Chien and Chen's protocol (Han & Kwon, 2009). These attacks were mainly based on the weak security properties of CRC. Chien (2007) proposed a new ultra-lightweight RFID authentication protocol named SASI (Chien, 2007). SASI is ultra-lightweight: it uses shared secrets (including the key K1) and two random numbers n1, n2, with XOR to implement the encryption, and to achieve forward security the shared secrets and random numbers are updated each time. But because the key update does not adopt strict limits, it easily suffers a de-synchronization attack (Cao et al., 2009) (Castro et al., 2008) (Phan, 2009).

A security protocol with only XOR and matrix operations was suggested by Karthikeyan & Nesterenko (2005) (Karthikeyan & Nesterenko, 2005). Phan (2009) showed that this protocol is at risk of attacks such as replay attacks and does not satisfy the untraceability property (Phan, 2009). ARAP is a mutual authentication protocol proposed by Shen et al. (2010) (Shen et al., 2010); Niu et al. (2011) applied a tag impersonation attack and a de-synchronization attack to it (Niu et al., 2011). Wei et al. (2011) offered a mutual authentication protocol based on a hash function, in which the reader has its own identifier IDr and the backend server maintains old and new keys as well as old and new random numbers (Wei et al., 2011). Niu et al. (2011) showed that Wei et al.'s protocol is vulnerable to a man-in-the-middle attack (Niu et al., 2011).

Definition of the new operation
The tags in SURC use only three operations: bitwise XOR, the crossover operation Cros(A, B, C), and a pseudorandom number generator (PRNG). The crossover operation is defined as follows.

Definition
Suppose A, B and C are L-bit strings. The crossover of A and C according to B, denoted Cros(A, B, C), is an L-bit string built bitwise from A, B and C using bitwise AND (∧), bitwise OR (∨) and bitwise XOR (⊕). The i-th output bit is computed from the i-th bits a_i, b_i and c_i of A, B and C, with B determining at each position whether the bit is taken from A or from C (see Fig. 1).

Security analysis of the crossover operation
Several points should be noted when analysing this operation. First, the Hamming weight of the output string bears no fixed relation to the Hamming weights of the inputs, so crossover can be used on its own without revealing the inputs' Hamming weights. Second, each input string affects the security of crossover differently, so in the following we examine the effect of each string separately. Throughout, a_i, b_i and c_i denote the i-th bits of A, B and C, and Cros(A, B, C)_i denotes the i-th bit of the output.
1) Suppose the attacker has obtained the string A and also the output Cros(A, B, C). We ask whether knowing A reveals any information about B or C and threatens their privacy. The adversary cannot determine which of a_i or c_i was used to produce Cros(A, B, C)_i. To gain any information about B and C from A and the output, the adversary would have to know the positions at which entries of A and of C appear in the output, and that is not possible.
2) Suppose the attacker has obtained the string C and also the output. This situation is just like the one above, and having C does not threaten the privacy of A and B.
3) Suppose the attacker has obtained the string B and also the output. In this case the adversary knows which output positions are taken from A and which from C: if B selects m positions, the adversary learns m entries of A and L − m entries of C, which threatens the privacy of A and C. To address this, a hidden string such as EPC can be placed in this position and XORed with other hidden strings, so that disclosure of EPC would not threaten the other strings.
4) Suppose the attacker has obtained A and C and also the output. Two cases arise.
Case 1: the i-th bits of A and C differ, a_i ≠ c_i. In this case the adversary cannot find out b_i.
Case 2: the i-th bits of A and C are equal, a_i = c_i. In this case the adversary can easily find b_i: for example, if a_i = c_i = 0 and Cros(A, B, C)_i = 1, then b_i = 1, and the other three combinations are determined similarly.
5) Hence, if A and C agree in m positions, the adversary learns m bits of B. The question is whether knowing m bits of B reveals anything about the secret string from which B is derived. Finding that string from B with m known bits is as hard as finding it without any information about B, so although knowing A and C exposes m bits of B, it does not lead to the secret behind B.
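As an added example (not code from the paper), the following Python script instantiates a crossover-style operation and runs the attacker experiment of points 4 and 5 above: given A, C and the output, it recovers b_i at every position where a_i = c_i and counts how many bits of B leak. The exact bit-level formula of Cros(A, B, C) is not legible in the extracted text, so the formula used here is an assumption: B selects a_i or c_i and the selector bit is then XORed into the result, which reproduces the two cases above (a_i ≠ c_i hides b_i, a_i = c_i reveals it). The function names `cros`, `recover_selector_bits` and `leak_experiment` are this example's own, and the sample strings come from a seeded, non-cryptographic PRNG purely so the run is reproducible.

```python
"""Crossover-style operation and the known-A-and-C leakage check.

Example code added for this page, not the paper's own code. The exact
formula of Cros(A, B, C) is not legible in the extracted text, so the
instantiation below is an ASSUMPTION chosen to reproduce the behaviour
the security analysis describes: a position with a_i != c_i hides b_i,
a position with a_i == c_i reveals it.
"""
import random

L = 96  # bit length used by the protocol (EPC, K and P are 96 bits)


def cros(a: int, b: int, c: int, width: int = L) -> int:
    """Assumed crossover: b_i = 1 selects a_i, b_i = 0 selects c_i, then the
    selector bit b_i is XORed into the result. Only AND, OR, NOT and XOR."""
    mask = (1 << width) - 1
    selected = (a & b) | (c & ~b & mask)
    return (selected ^ b) & mask


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def recover_selector_bits(a: int, c: int, out: int, width: int = L):
    """Attacker's step from points 4 and 5 of the analysis: with A, C and
    the output, b_i is determined wherever a_i == c_i (there the output
    bit equals a_i xor b_i). Returns (mask of determined positions, partial B)."""
    mask = (1 << width) - 1
    known = ~(a ^ c) & mask          # positions where a_i == c_i
    b_partial = (out ^ a) & known    # b_i = out_i xor a_i at those positions
    return known, b_partial


def leak_experiment(seed: int, width: int = L) -> dict:
    """Random A, B, C from a seeded (non-cryptographic) PRNG, used only so
    the experiment is reproducible. Returns how many bits of B leaked,
    whether every recovered bit is correct, and the Hamming weights."""
    rng = random.Random(seed)
    a, b, c = (rng.getrandbits(width) for _ in range(3))
    out = cros(a, b, c, width)
    known, b_partial = recover_selector_bits(a, c, out, width)
    return {
        "leaked_bits": hamming_weight(known),   # about width / 2 on average
        "correct": b_partial == (b & known),
        "output_weight": hamming_weight(out),
        "b_weight": hamming_weight(b),
    }


if __name__ == "__main__":
    r = leak_experiment(seed=1)
    print(f"{r['leaked_bits']} of {L} bits of B recovered, all correct: {r['correct']}")
```

With random inputs roughly half of the positions satisfy a_i = c_i, so about L/2 bits of B are recovered, which is why the analysis insists that whatever is placed in the B position must not be a secret on its own.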

PROPOSED PROTOCOL
In this section we will present the proposed security protocol in detail.

Overview of Protocol
In the proposed protocol each tag stores a static identifier (EPC), an index-pseudonym and the keys K and P, all 96 bits long to ensure compatibility with the EPCglobal encoding schemes. This information is also stored in a central database. To provide adequate protection from de-synchronization attacks, the backend database stores two tuples for each tag identifier: the current keys K_new and P_new and the last approved keys K_old and P_old. We first review the notation used in the proposed protocol:
EPC: The unique 96-bit identifier code in the EPCglobal encoding scheme.
K_i: The authentication key stored in the tag, used by the database to authenticate the tag at the (i+1)-th authentication phase.
P_i: The access key stored in the tag, used by the tag to authenticate the database at the (i+1)-th authentication phase.
Fig. 3 shows the proposed protocol, which consists of two phases: the initialization phase and the (i+1)-th authentication phase.

Initialization phase
The manufacturer generates random values K_0 and P_0 and stores them, together with EPC, in the record held by the tag and in the corresponding database record.

The (i+1)-th authentication phase
Steps 1 and 2 (the reader's challenge and the tag's response) are listed under Fig. 3. On the server side (Step 4):
1. The server searches its records, repeating for each entry until it finds one whose authentication key (old or new) matches. Once the matching record is found, X is set to old or new according to which authentication key in the record matched.
2. The server computes C with the crossover operation and forwards it to the reader, which passes it to the tag in Step 5.
3. If X = new, the record is updated by replacing K_old with K_new and P_old with P_new. New values for K_new and P_new are then reset as the XOR of the matched keys with fresh session values.
Step 6. The tag computes C' from its own access key P, R_T and R_r with the crossover operation and compares it with the C received from the reader. If they are equal, authentication of the database is complete and the tag renews its stored keys for the next access.

Security Analysis
The protocol has the following privacy and security properties.
1. Mutual authentication: A valid tag and a valid reader can authenticate each other. The messages A, B and C are all based on the shared keys K and P, so only a valid party can generate these messages and be authenticated by the other party.
2. Tag information privacy: The detailed information K, P and EPC of the tag is stored in the server's database, which is assumed to be secure, and the server and the reader communicate via a secure channel. Only a legitimate server can extract a tag identifier from the messages. Also, the Hamming weight of the crossover output is not related to any of its inputs, so the messages never leak information about the tag and its secret values.
3. Tag location privacy: The responses of tag Ti are anonymous. An eavesdropper cannot link tag responses to previous responses from the same tag, or distinguish one tag's responses from another's.
4. Resistance to de-synchronization attacks: There are three ways de-synchronization between the tag and the server could arise.
(a) The server updates the tag entries while the tag does not update its secrets. Because the server holds both the old and the new values of the keys, if the server updates the keys but the tag does not (for example because the attacker blocks the message forwarded from the reader to the tag in step 5), de-synchronization does not occur: in the next session the tag uses the keys that the server stores as the old keys.
(b) The tag updates its secrets but the server does not update the tag entries. Because the server performs its update before the tag does, this case cannot happen.
(c) Both the tag and the server update, but with different values. This would happen only if the R_T generated by the tag differed from the value the server has, but an attacker cannot create such a difference because R_T in message A is used only to determine positions and the attacker cannot manipulate it.
5. Tag impersonation attack: An attacker cannot impersonate the tag without its secret keys. Impersonation requires both EPC and K; knowing EPC or K alone is not enough.
6. Replay attack: The protocol uses random numbers to resist replay attacks. The messages A, B and C are functions of the freshly generated nonces R_T and R_r, so they cannot be reused in other sessions.
7. Backward security: An attacker cannot identify past interactions even if it knows the tag's present internal state, since K_i and P_i cannot easily be found from K_{i+1} and P_{i+1}.
8. Server impersonation attack: A legitimate server responds with message C to enable the tag to authenticate the server. Without knowing P, K and R_T an attacker cannot create a valid C. An attacker could block step 5 and save the C sent from the server to the tag, but could not use it in another session, because in the next session R_T changes and the attacker cannot recover it from A or B. Hence the protocol resists impersonation attacks.
In Table I we compare our protocol with other lightweight protocols that have recently been proposed. It is clear from Table I that the proposed protocol satisfies the greatest number of privacy and security properties.
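As an added example (not the paper's code), the following Python simulation models the two-tuple key record of SURC and replays the de-synchronization cases of point 4 above, in particular an attacker blocking step 5. The message formulas for A, B and C are not legible in the extracted text, so the authenticators are a keyed-hash stand-in (HMAC-SHA256 over EPC, the keys and the nonces) rather than the crossover construction, and the key update K ⊕ R_T, P ⊕ R_r is an assumed instantiation of the XOR update described in the protocol section. The simulation also shows the implementation detail that case (a) depends on: the server must recompute the new tuple from whichever tuple matched, including after a match on the old tuple. The `reset_after_old_match=False` variant, which updates the record only when X = new, loses synchronization after a single blocked step-5 message. Class and function names are this example's own.

```python
"""Simulation of SURC's old/new key record and the de-synchronization cases.

Example code added for this page, not the paper's own code. The message
formulas A, B, C are not legible in the extracted text, so authenticators
are an HMAC-SHA256 STAND-IN over the same inputs (EPC, keys, nonces), and
the key update K ^ R_T, P ^ R_r is an assumed instantiation of the XOR
update described in the protocol section. Only the synchronisation logic
of the server record is the point of the model.
"""
import hashlib
import hmac
import secrets

L = 96            # bit length of EPC, K and P
NBYTES = L // 8


def auth(label: bytes, key: int, *parts: int) -> bytes:
    """Stand-in for the crossover-based messages: keyed hash over parts."""
    data = label + b"".join(p.to_bytes(NBYTES, "big") for p in parts)
    return hmac.new(key.to_bytes(NBYTES, "big"), data, hashlib.sha256).digest()


class Tag:
    def __init__(self, epc: int, k0: int, p0: int):
        self.epc, self.k, self.p = epc, k0, p0

    def respond(self, r_r: int):
        """Step 2: fresh R_T and the tag's authenticator (stand-in for A, B)."""
        self.r_t = secrets.randbits(L)
        return self.r_t, auth(b"tag", self.k, self.epc, r_r, self.r_t)

    def finish(self, r_r: int, c: bytes) -> bool:
        """Step 6: verify C with the access key P, then renew K and P."""
        if not hmac.compare_digest(c, auth(b"srv", self.p, r_r, self.r_t)):
            return False
        self.k ^= self.r_t
        self.p ^= r_r
        return True


class Server:
    def __init__(self, epc: int, k0: int, p0: int, reset_after_old_match: bool = True):
        self.epc = epc
        # two tuples per tag: last approved keys ("old") and current keys ("new")
        self.rec = {"old": (k0, p0), "new": (k0, p0)}
        self.reset_after_old_match = reset_after_old_match

    def handle(self, r_r: int, r_t: int, a: bytes):
        """Step 4: find the matching tuple (X), compute C, update the record.
        Returns C, or None if neither tuple authenticates the tag."""
        for x in ("new", "old"):
            k, p = self.rec[x]
            if hmac.compare_digest(a, auth(b"tag", k, self.epc, r_r, r_t)):
                break
        else:
            return None
        c = auth(b"srv", p, r_r, r_t)
        if x == "new":
            self.rec["old"] = (k, p)              # promote current keys to old
        if x == "new" or self.reset_after_old_match:
            self.rec["new"] = (k ^ r_t, p ^ r_r)  # keys for the next session
        return c


def run_session(tag: Tag, server: Server, block_step5: bool = False) -> bool:
    """One authentication run. True if the server accepted the tag (and,
    unless step 5 was blocked, the tag also accepted the server)."""
    r_r = secrets.randbits(L)              # Step 1: reader challenge
    r_t, a = tag.respond(r_r)              # Step 2
    c = server.handle(r_r, r_t, a)         # Steps 3-4 via the reader
    if c is None:
        return False
    if block_step5:
        return True                        # attacker drops C; tag keeps its keys
    return tag.finish(r_r, c)              # Steps 5-6


def scenario(reset_after_old_match: bool) -> list:
    """Normal run, a run where step 5 is blocked, then two more runs."""
    epc, k0, p0 = (secrets.randbits(L) for _ in range(3))
    tag, srv = Tag(epc, k0, p0), Server(epc, k0, p0, reset_after_old_match)
    return [
        run_session(tag, srv),
        run_session(tag, srv, block_step5=True),
        run_session(tag, srv),   # tag still holds the keys the server keeps as old
        run_session(tag, srv),   # in sync again only if "new" was recomputed
    ]


if __name__ == "__main__":
    print("recompute new after old match:", scenario(True))
    print("update only when X = new:     ", scenario(False))
```

In the first variant the run after the blocked message matches the old tuple, the server rewrites the new tuple from those keys, and the tag's own update produces the same values, so the fourth run succeeds through the new tuple. In the second variant the tag updates after the old-tuple match while the server keeps a stale new tuple, and the fourth run matches neither tuple.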

Efficiency analysis
In this section we analyse the efficiency of the SURC protocol. To examine the efficiency of the protocols we first compare their computational costs. Table II shows that, compared with existing protocols such as SASI, the proposed protocol does not suffer much increase in computational cost. Storage requirement on the tag is the other factor that should be considered; like computational cost, it is constrained by the memory limitations of cheap tags. The tag in SURC stores three strings: its unique EPC code and the two shared keys K and P. All strings are L bits long, so each tag needs 3L bits of storage. As the table shows, SURC requires less storage than the other protocols. Communication cost is a further measure of efficiency. As Table II shows, in SURC the tag transmits only two messages, so in this respect our protocol is one of the lightest.

Conclusion
In this work we have defined a new operation named crossover. Using it, we have proposed a new ultra-lightweight protocol that addresses the privacy and security problems of earlier protocols while remaining one of the lightest authentication protocols. In SURC the tag needs only four operations: bitwise AND, OR, XOR and a PRNG. SURC has been compared with existing protocols with respect to both its privacy and security properties and its storage and computational requirements. The comparisons show that SURC is more secure than the other schemes and has advantages over them, such as the greatest number of security features and lower storage and computation requirements on the tag.

Fig. 1. Computation scheme of the crossover operation used to produce the i-th output bit.
Fig. 2.

K_old: The old authentication key stored in the database.
K_new: The new authentication key stored in the database.
P_old: The old access key stored in the database.
P_new: The new access key stored in the database.
X: The value, new or old, recording which key in the database record matched the one held by the tag.
A → B: A forwards a message to B.
R_Y: The random number generated by device Y.
A ⊕ B: Message A XORed with message B.
The information kept within the respective devices:

Fig. 3
Fig. 3 illustrates the (i+1)-th authentication phase of the proposed protocol. The detailed steps of the authentication phase are as follows:
Step 1. Reader → Tag: R_r. The reader generates a random number R_r as a challenge and forwards it to the tag.
Step 2. Tag → Reader: (A, B). After receiving R_r, the tag generates a random number R_T