Survey and Analysis of Lightweight Authentication Mechanisms

*Adarsh Kumar and Deepak Kumar Sharma*

#### **Abstract**

Interconnection of devices through Radio Frequency IDentification (RFID) enables a constantly growing range of applications. Due to the rapid growth of such applications, security of RFID networks becomes crucial and is a major challenge. Classical or lightweight cryptography primitives and protocols are the solutions to enhance the security standards in such networks. Authentication protocols are among the important security protocols that must be integrated before secured information is exchanged. This work surveys recently developed authentication protocols and explores their classifications, security challenges, and attack analysis. A comparative analysis of different types of authentication protocols explains their applications in resourceful and resource-constrained Internet of Things (IoT). Authentication protocols are categorized into symmetric, asymmetric, lightweight, ultra-lightweight and group protocols. Symmetric and asymmetric protocols are more suitable for resourceful devices, whereas lightweight and ultra-lightweight protocols are designed for resource-constrained devices. Security and cost analysis shows that asymmetric protocols provide higher security than any other protocol at a reasonable cost. Lightweight authentication protocols, however, are suitable for passive RFID devices but do not provide full security.

**Keywords:** authentication, authorization, cost analysis, cybersecurity, lightweight cryptography, primitives, protocols

#### **1. Introduction**

Kevin Ashton in 2009 proposed an interconnected network of uniquely identifiable objects, devices, and different types of systems called IoT [1]. Some of the important features of IoT are self-configuration, sensing, ad-hoc networking, automatic identification, etc. [2]. In IoT, each object has a unique address and identification; RFID is mostly preferred for assigning the address and unique object identification. The information captured by IoT objects is propagated through the internet to other objects. The information communicated captures the current events and responses, and the revealed information further requires human intervention to control the results [3]. Several kinds of objects form the interconnected network: RFID devices, sensors, mobiles, back end storage, etc. IoT devices are of two types: resourceful and resource-constrained. Resourceful devices have sufficient software and hardware resources, whereas resource-constrained devices have some hardware and software resource limitations. The role of a device changes with the condition. For example, a metro smart card authenticates the passenger at the entry point, and the same card authenticates exit after deducting a charge for the travel. Using the same smart card, information of daily passenger traveling systems is stored in a database server and helps in train counting. Library management, supply chain management, and inventory control systems are some of the applications of RFID enabled things. Here, users are validated using authentication protocols. Unauthenticated users are not allowed to enter the system. An observation system is maintained to analyze the possibilities of intrusions by unauthenticated users.

*Cryptography - Recent Advances and Future Developments*

*DOI: http://dx.doi.org/10.5772/intechopen.94407*

There are different types of authentication protocols. Cryptographic primitives such as AES, RSA and SHA are used in resourceful devices for authentication and authorization. Lightweight cryptography comprises lightweight primitives and lightweight protocols [4]. Symmetric primitives include stream ciphers, hash functions, block ciphers, pseudo-random number generation, etc., whereas asymmetric primitives include discrete logarithmic constructions, number based systems, and curve based cryptosystems. Authentication, yoking, identification, tag ownership protocols, distance bounding, etc. are some classes of lightweight protocols. Up to 30% of gate equivalents (GEs) can be used in resource-constrained devices for cryptography [5, 6]. With the advancement of technology, the GEs also increase [7].

Tags, readers, and data centers are the three types of RFID devices. Information is written to tags, and readers are used to read it. If required, a data center is used for storing the information; otherwise, it is communicated to other objects to increase the information availability. The behavior of readers is similar to duplex links. These devices use different procedures for storing data. The tags get power from these devices and have longer information availability range. Passive, semi-passive and active tags follow the cryptography procedures as implemented [8]. Passive tags do not have their own source of power. These tags have low cost and low memory, and are more suitable for short range. Information on these devices is written once and read many times [9–11]. Active tags are more costly and have their own battery source, with limited battery and communication range. Semi-passive tags are more economical than active tags and costlier than passive tags [12, 13]. These three tags are used in different applications. Semi-passive tags are mainly used in applications such as alarm systems, thermostats, etc. Active tags are used in applications meant for animal or person tracking, health care systems, etc. Supply chain management, smart cards, etc. are some applications of passive tags [14–29].

#### **1.1 Chapter organization**

The rest of the chapter is organized as follows: Section 2 states the important security parameters required to analyze the authentication protocols. Section 3 introduces the classifications of recently developed authentication protocols [30]. Lightweight authentication protocols are discussed in section 4. Section 5 presents group authentication protocols. In this section, authentication protocols are classified, explained and analyzed against important attacks. A comparative security and cost analysis of the surveyed authentication protocols is presented in section 6. Finally, concluding remarks and future scope are given in section 7.

#### **2. Security challenges**

RFID is a pervasive system, and the security of this system is equally important. An attacker can cause harm at various points, including eavesdropping on information at end user sites, obstructing physical access, controlling the devices and stealing the information. Protection from these threats demands strong mechanisms for confidentiality, integrity, authentication, availability and non-repudiation [31–35]. These protection mechanisms should address the major security concerns in an RFID system, such as [36, 37]:

• *Privacy:* No one wants to reveal personal information to others outside an authentic process. This privacy leakage could enable many frauds. For example, if an item carries a tag that stores its name, price, area and other item information, then a robber can easily learn how much he could earn from one or more robberies in a particular area. Similarly, an unauthentic reader can scan the information written on an e-passport to locate important persons or count the gathering in an area [38–40]. This could result in planning of some terrorist activities. Thus, leakage of personal or correspondence information through the RFID system is a major concern.

• *Tracking:* Tracking of objects, persons, animals etc. through RFID readers and tags also increases the information vulnerabilities. This information availability helps to create profiles, and important information can be leaked from these profiles [41]. This information can be used in various unauthentic or unwanted activities such as advertisement. For example, if a customer buys items from a shop at regular intervals and each item is equipped with an RFID tag, then a customer profile can be created in a database. This profile helps to put customers with similar interests in a group. Advertisements of special interest can then be floated to these groups, which may not be of interest to the customers. The equipment used to track items, people or animals carrying RFID tags is not expensive, so data collection for these advertisements, promotions or for gathering future requirements to earn profits is much easier. Compared to other tracking techniques such as video surveillance, an RFID system based technique is much cheaper and faster. Thus, it is beneficial to both authentic and unauthentic users. Hence, it demands a strong security mechanism to protect the information at every stage of the system. Protected information results in wide applications of RFID technology.

• *Eavesdropping:* This is one of the most common forms of attack in networks that use radio frequency for data communication. An eavesdropper can deploy an antenna to collect the information transmitted between reader and tag. Tags and readers communicate in different frequency bands: low, high, ultrahigh and microwave. Thus, the distance and location of the eavesdropper from the reader or tag is important. An attacker can eavesdrop on information in reader to tag (forward eavesdropping), tag to reader (backward eavesdropping), operation zone of reader and randomly selected distance directions. Since it is easily feasible to fetch the information at longer distances and without any difficulty, this attack should be handled properly. In real time applications, if an attacker deploys an antenna to eavesdrop, then information from RFID systems like e-passports, payment systems, identity cards, tickets etc. is at stake [42–44]. This information could reveal personal data.

• *Skimming:* Eavesdropping is intercepting the information during its transit, whereas skimming is reading the information from its stored state. Like eavesdropping, a skimming attack can fetch the information from real time applications like e-passports, identity cards, traveling tickets or passes, consumer products etc. This could again reveal personal information like name, birth date, financial account details, photo etc. Anti-skimming devices designed to protect against this attack use a reverse electromagnetic field. Anti-skimming devices are lightweight, persistent and easy to carry.

• *Cloning:* Resource-constrained RFID devices are easy to clone because high security classical primitives cannot be implemented on these devices. Passive RFID devices are cost effective as they do not require a battery source. These devices gain power from the reader and are thus easy to clone. Similarly, cloning devices could be passive and gain power from the reader. Passive cloning devices are put close to the original device. Passing a cloning device close to the original device and making a copy of the data for cloning purposes may take just a few seconds or minutes. This could be more dangerous for those devices which do not provide strong protection, like employee ID cards, train or bus ticket passes, product vouchers in supply chain management etc. Several solutions have been proposed to protect tags from cloning. Authentication is one of them. In an authentication based mechanism, a random number is generated and exchanged. The response to this random number exchange uses cryptography primitives like digital signature, hashing, encryption/decryption, message authentication code etc. Verification of this response is performed at the other side. If the response is verified then the tag is considered to be authentic, else unauthentic or cloned. A new random number is generated every time a tag is read. This process further protects the tags from cloning.

• *Replay attacks*: In an RFID system, one reader scans multiple tags and one tag could be associated with multiple readers. Replay attacks occur when freshness and aliveness of messages are not handled properly. If traceability is not a major concern then a random number or nonce helps to stop replaying of messages. A sequence number synchronizes the information between tag and reader. The count of numbers generated is limited in a fixed length sequence number. Thus, an attacker can play an old sequence number in a new session. In order to avoid replaying an old sequence number in a new session, aliveness of the message is important [4, 45–47]. A computational challenge that proves aliveness of the message, along with freshness, hinders the attacker from mounting a replay attack. This attack is common among ultra-lightweight protocols where only bitwise logical operators are allowed [46, 48]. These operators are easy to break because they pose the least computational challenge.

• *Relay attack:* In this type of attack, RFID tags and readers are misled by providing false information. For example, if some reader is interested in scanning a tag then an attacker tag claims that it is the targeted tag [49]. Meanwhile, the attacker tag fetches the information from another attacker reader which is close to the authentic tag [50]. Thus, one attacker reader and one attacker tag provide false information to the authentic reader and tag [51, 52]. The authentic reader and tag are not in range of each other, but the attacker readers and tags mislead them into appearing close [53]. The attackers try to convince the reader that the destination tag is nearby when it actually is not.

• *Denial of Service (DoS):* Radio signal blocks, active and passive jamming, packet overflows etc. are the signs of a DoS attack. Low cost passive devices are resource-constrained devices, so this attack easily blocks the services and is more dangerous. An attacker floods packets towards a specific node or a set of nodes. This results in blockage of services. Many solutions are proposed to observe this attack through graphs, behaviors, trusts, performance, quality of service etc. Detection of this attack is easier as compared to removal of the attack in resource-constrained networks [54].

• *Spoofing Attack:* This attack modifies the identity, address or naming services to provide false information. For example, an attacker claims to have a certain IP address, MAC address or domain name which is not true. Here, the attacker aims to eavesdrop on or modify the information during its transit [55, 56].

• *Secret disclosure attacks:* In this attack, vulnerabilities of key updating, data centre processing, reader or tag computing etc. reveal the identity or key information [57]. This attack is common in ultra-lightweight authentication protocols where some secret information is known to the adversary. A secret disclosure attack could result in other attacks like de-synchronization, impersonation, eavesdropping etc. Since algebraic computing is the main cause of this attack, it is dangerous for low cost passive RFID devices [58].

#### **3. Authentication protocols, classifications and security issues**

Recently developed RFID authentication protocols in classical, lightweight, ultra-lightweight and grouping proof protocols are discussed in this section. This section also discusses the latest attacks found on recently developed authentication protocols.

#### **Authentication Protocols in Classical Cryptography Primitives Category.**

This work discusses authentication protocols that use classical cryptography [59]. Symmetric and asymmetric are the two major types of classical cryptosystems. Protocols in these categories are as follows:

**Symmetric Cryptography Primitives based Authentication Protocols.**

**Protocol (A1):** Cheng et al. Protocol [60].

**Premise:** Let 'R', 'T' and 'DC' represent the reader, tag and data centre respectively. Let $r_i$, $e_i$ and $dc_i$ be random numbers. Every tag selects its unique identification (ID) with its hash as H(ID). $K^{Old}_{Session}$ and $K^{Current}_{Session}$ are the old and current session keys between R and T respectively. P(.) represents the enhanced Chebyshev polynomial.

**Step 1:-** R ➔ T : $r_1$

**Step 2:-** T : $\mathrm{temp1} = H(ID) \oplus e_1 \oplus r_1$

: $\mathrm{temp2} = P_{r_1,e_1}(K^{Current}_{Session})$

: $\mathrm{temp3} = K^{Current}_{Session} \oplus e_1$

T ➔ R : temp1, temp2, temp3

**Step 3:-** R ➔ DC : $r_1$, temp1, temp2, temp3

**Step 4:-** DC : Computes $H(ID) \oplus K^{Current}_{Session} = \mathrm{temp1} \oplus \mathrm{temp3} \oplus r_1$

: $\mathrm{temp4} = H(ID) \oplus K^{Current}_{Session}$

: if temp4 record exists in data centre then fetch H(ID), $K^{Current}_{Session}$, $K^{Old}_{Session}$

: $\mathrm{temp5} = \mathrm{temp1} \oplus H(ID) \oplus r_1$

: $\mathrm{temp6} = H(ID) \oplus r_1 \oplus dc_1$

: if temp2 equals $P_{r_1}(P_{e_1}(K^{Current}_{Session}))$ then

: $\mathrm{temp7} = P_{dc_1,e_1}(K^{Current}_{Session})$, $K^{Old}_{Session} = K^{Current}_{Session}$ and $K^{Current}_{Session} = K^{Current}_{Session} \oplus (e_1 \| dc_1)$

: else if temp2 equals $P_{r_1}(P_{e_1}(K^{Old}_{Session}))$ then

: $\mathrm{temp7} = P_{dc_1,e_1}(K^{Old}_{Session})$ and $K^{Current}_{Session} = K^{Old}_{Session} \oplus (dc_1 \| e_1)$

: else tag is unauthentic

: Now, if tag is authentic then DC ➔ R : temp6, temp7

**Step 5:-** R ➔ T : temp6, temp7

**Step 6:-** T : $dc_1 = \mathrm{temp6} \oplus H(ID) \oplus r_1$

: if temp7 equals $P_{dc_1,e_1}(K^{Current}_{Session})$ then $K^{Current}_{Session} = K^{Current}_{Session} \oplus (e_1 \| dc_1)$

**Version 2:**

also explored.

used to generate the digest.

**Step 1:-** R : Selects 'r1'*ϵ*Zn

T ➔ R :y

R ➔ T :CR, IDT, H **Step 2:-** T : (y,IDT) = D(CR)

end users.

i

**67**

**Step 1:-** T ➔ R : {e1} **Step 2:-** R ➔ T :EK{e1} **Step 3:-** T : Verify EK{r1}

*DOI: http://dx.doi.org/10.5772/intechopen.94407*

verifies the response for authentication (step 3) [65].

*Survey and Analysis of Lightweight Authentication Mechanisms*

functions at jth side are represented by Ej() and Dj

**Explanation:** There are two version of single entity two communications based unilateral authentication protocol. In first version of protocol, reader initiates the authentication process by sending a random number challenge (step 1). Tag encrypts the received random number with symmetric key shared between tag and reader, and forwards it to reader (step 2). Now, reader re-encrypts its own random number challenge and verifies by comparing with the received data (step 3). If both are equal then tag is considered to be authentic. Similarly in second version, tag initiates the authentication process by sending a random number challenge (step 1). Reader encrypts the challenge with symmetric key and sends it to tag (step 2). Tag

**Asymmetric Cryptography Primitives based Authentication Protocols.** Like symmetric cryptography, asymmetric cryptography primitives based protocols are also designed to enhance the security of system. Major of recently developed asymmetric protocols are based on elliptic curve cryptography. This section discusses the recently developed elliptic curve cryptography based authentication protocols. Recently analyzed attacks on some of the authentication protocols are

**Elliptic Curve Cryptography (ECC) based Authentication Protocols.**

**Protocol (B1):** Authentication mechanism with ECC Encryption/Decryption for

**Premise:** Let 'R' and 'T' represents reader and tag respectively. Suppose, ri is the

(). Unique identification of tag

th random number selected by reader or tag. Let Cj and Pj represent the ciphertext and plaintext generated at ith side. Where, j*ϵ*{R, T}. Encryption and decryption

and reader is represented by IDT and IDR respectively. Let 'h' is the hash function

(ii) CR = E(r1,IDT)

: Verify [h(y)==H] and [decrypted IDT]

**Explanation:** This is random number generation based authentication protocol. Here, reader selects a random number and computes the ciphertext of tag identification with this random number. Reader sends the ciphertext, tag identification and hashing over random number to tag (step 1). After receiving the data, tag decrypt the encrypted information and fetches the random value and tag identification. Here, tag verifies the received hash value with regenerated hash value. If both are verified then tag sends the decrypted random number value to reader (step 2). Reader verifies the received random value with its own generated random value in step 1. If it matches then user associated with tag is considered to be authentic otherwise unauthentic (step 3). This protocol was developed by taking consideration that protocol is protected from replay, reflection and chosen-text attacks due

: Calculate (i) H = h(r1)

**Step 3:-** R : if y== r1 then 'T' is authentic else unauthentic.

**Explanation:** Cheng et al*.* proposed random number and hash based authentication protocol in 2013 [60]. In this protocol, reader starts the authentication process. It selects a random number and sends it to tag (step 1). Tag computes three responses temp1, temp2 and temp3 with the help of random numbers, H(ID), *KCurrent Session* and P(.). Now, tag sends r1 and three responses to reader (step 2). Reader forwards this information to datacentre (step3). Data centre verifies the tag entry record in database. Further, if tag is authentic then datacentre computes two responses for reader: temp6 and temp7 (step4). Reader forwards these responses to tag (step5). Tag verifies the authenticity of reader by comparing temp7 with*Pdc*1,*e*<sup>1</sup> *KCurrent Session* ). If both are equal then reader is considered to be authentic and symmetric session key is generated [36, 37, 46, 61, 62].

**Protocol (A2):** Single Entity-Single Communication based Unilateral Authentication Protocol.

**Premise:** Let 'R' and 'T' represents reader and tag respectively. Suppose, ri and ei are the ith random numbers. A symmetric key 'K' is shared between reader and tag. EK(.) and DK(.) are the encryption and decryption functions [63].

```
Version 1:
Step 1:- R ➔ T :EK{IDT}
Step 2:- T : Verify {DK{IDT}}
Version 2:
Step 1:- T ➔ R :EK{IDT}
Step 2:- R : Verify {DK{IDT}}
```
**Explanation:** In single entity-single communication based unilateral authentication protocol, two variations of protocols are possible. In first variation, reader sends an encrypted identification based message to tag (step 1) and tag verify its identity (step 2). In second version, tag sends its encrypted entity to reader (step 1) and reader authenticates it by decryption and verification (step 2) [64].

**Protocol (A3):** Single Entity**-**Two Communications based Unilateral Authentication Protocol.

**Premise:** Let 'R' and 'T' represents reader and tag respectively. Suppose, ri and ei are the *i* th random numbers selected by reader and tag respectively. A symmetric key 'K' is shared between reader and tag. EK(.) and DK(.) are the encryption and decryption functions.

```
Version 1:
Step 1:- R ➔ T : {r1}
Step 2:- T ➔ R :EK{r1}
Step 3:- R : Verify EK{r1}
```
*Survey and Analysis of Lightweight Authentication Mechanisms DOI: http://dx.doi.org/10.5772/intechopen.94407*

```
Version 2:
Step 1:- T ➔ R : {e1}
Step 2:- R ➔ T :EK{e1}
Step 3:- T : Verify EK{r1}
```
: else if temp2 equals to *Pr*<sup>1</sup> *Pe*<sup>1</sup> *KOld*

: if temp7 equals to *Pdc*1,*e*<sup>1</sup> *KCurrent*

temp1, temp2 and temp3 with the help of random numbers, H(ID), *KCurrent*

the authenticity of reader by comparing temp7 with*Pdc*1,*e*<sup>1</sup> *KCurrent*

EK(.) and DK(.) are the encryption and decryption functions [63].

Now, tag sends r1 and three responses to reader (step 2). Reader forwards this information to datacentre (step3). Data centre verifies the tag entry record in database. Further, if tag is authentic then datacentre computes two responses for reader: temp6 and temp7 (step4). Reader forwards these responses to tag (step5). Tag verifies

then reader is considered to be authentic and symmetric session key is generated

*Session*

**Explanation:** Cheng et al. proposed random number and hash based authentication protocol in 2013 [60]. In this protocol, reader starts the authentication process. It selects a random number and sends it to tag (step 1). Tag computes three responses

) and *KCurrent*

*Session*

: temp7 = *Pdc*1,*e*<sup>1</sup> *KOld*

DC ➔ R : temp6, temp7

**Step 6:-** T : dc1 = temp6 ⊕ H(ID) ⊕ r1

(e1 ||dc1)

**Step 5:-** R ➔ T : temp6, temp7

[36, 37, 46, 61, 62].

: else tag is unauthentic : Now, if tag is authentic then

*Session* )) then

*Session* = *KOld*

) then *KCurrent*

*Session*

*Session* ⊕ (dc1||e1)

*Session* = *KCurrent*

). If both are equal

*Session* ⊕

*Session* and P(.).

**Protocol (A2):** Single Entity-Single Communication based Unilateral Authentication Protocol.

**Premise:** Let 'R' and 'T' represent the reader and tag respectively. Suppose ri and ei are the ith random numbers. A symmetric key 'K' is shared between reader and tag.

**Version 1:**

```
Step 1:- R ➔ T : EK{IDT}
Step 2:- T : Verify {DK{IDT}}
```

**Version 2:**

```
Step 1:- T ➔ R : EK{IDT}
Step 2:- R : Verify {DK{IDT}}
```

**Explanation:** In the single entity-single communication based unilateral authentication protocol, two variations are possible. In the first variation, the reader sends an encrypted identification based message to the tag (step 1) and the tag verifies its identity (step 2). In the second version, the tag sends its encrypted entity to the reader (step 1) and the reader authenticates it by decryption and verification (step 2) [64].

**Protocol (A3):** Single Entity-Two Communications based Unilateral Authentication Protocol.

**Premise:** Let 'R' and 'T' represent the reader and tag respectively. Suppose ri and ei are the ith random numbers selected by reader and tag respectively. A symmetric key 'K' is shared between reader and tag. EK(.) and DK(.) are the encryption and decryption functions.

**Version 1:**

```
Step 1:- R ➔ T : {r1}
Step 2:- T ➔ R : EK{r1}
Step 3:- R : Verify EK{r1}
```

**Explanation:** There are two versions of the single entity-two communications based unilateral authentication protocol. In the first version, the reader initiates the authentication process by sending a random number challenge (step 1). The tag encrypts the received random number with the symmetric key shared between tag and reader, and forwards it to the reader (step 2). The reader then re-encrypts its own random number challenge and verifies by comparing it with the received data (step 3). If both are equal, the tag is considered authentic. Similarly, in the second version, the tag initiates the authentication process by sending a random number challenge (step 1). The reader encrypts the challenge with the symmetric key and sends it to the tag (step 2). The tag verifies the response for authentication (step 3) [65].
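The difference between the static message of Protocol (A2) and the fresh challenge of Protocol (A3) shows up when a recorded message is presented a second time. The following is an added example, not code from the chapter or from the cited authors; the 4-round Feistel cipher built on HMAC-SHA256, the 32-byte block size and the names `Tag`, `Reader` and `replay_outcomes` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

BLOCK = 32            # block size in bytes (assumption; the text fixes none)
HALF = BLOCK // 2


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Round function of the stand-in cipher: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def E(key, block):
    """EK{.}: 4-round Feistel permutation, a stand-in for the unspecified cipher."""
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    left, right = block[:HALF], block[HALF:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def D(key, block):
    """DK{.}: inverse of E (rounds undone in reverse order)."""
    if len(block) != BLOCK:
        raise ValueError("block must be %d bytes" % BLOCK)
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


class Tag:
    def __init__(self, key, tag_id):
        self.key = key
        self.tag_id = tag_id.ljust(BLOCK, b"\x00")

    def a2_message(self):
        # A2 version 2, step 1: T -> R : EK{IDT}. Deterministic, identical every session.
        return E(self.key, self.tag_id)

    def a3_response(self, r1):
        # A3 version 1, step 2: T -> R : EK{r1}
        return E(self.key, r1)


class Reader:
    def __init__(self, key, known_ids):
        self.key = key
        self.known_ids = [i.ljust(BLOCK, b"\x00") for i in known_ids]
        self._pending = None

    def a2_verify(self, message):
        # A2 version 2, step 2: R : Verify DK{IDT}
        plain = D(self.key, message)
        return any(hmac.compare_digest(plain, i) for i in self.known_ids)

    def a3_challenge(self):
        # A3 version 1, step 1: R -> T : r1 (fresh, unpredictable, remembered once)
        self._pending = secrets.token_bytes(BLOCK)
        return self._pending

    def a3_verify(self, response):
        # A3 version 1, step 3: re-encrypt the reader's own challenge and compare.
        r1, self._pending = self._pending, None      # a challenge is single-use
        if r1 is None:
            return False
        return hmac.compare_digest(E(self.key, r1), response)


def replay_outcomes():
    key = secrets.token_bytes(32)
    tag = Tag(key, b"TAG-0001")                      # constructed sample identifier
    reader = Reader(key, [b"TAG-0001"])

    recorded_a2 = tag.a2_message()                   # bytes seen on the air interface
    results = {"a2_honest": reader.a2_verify(recorded_a2),
               "a2_replay": reader.a2_verify(recorded_a2)}    # same bytes, accepted again

    r1 = reader.a3_challenge()
    recorded_a3 = tag.a3_response(r1)
    results["a3_honest"] = reader.a3_verify(recorded_a3)

    reader.a3_challenge()                            # new session, new r1
    results["a3_replay"] = reader.a3_verify(recorded_a3)      # old response, new challenge
    results["a3_unsolicited"] = reader.a3_verify(recorded_a3)  # no challenge outstanding
    return results


if __name__ == "__main__":
    for name, accepted in replay_outcomes().items():
        print(f"{name:15s} accepted={accepted}")
```

The A3 result depends on the reader drawing each challenge fresh and discarding it after one verification; a reader that repeats r1 accepts the recorded response just as A2 does.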

**Asymmetric Cryptography Primitives based Authentication Protocols.**

Like symmetric cryptography, asymmetric cryptography primitives based protocols are also designed to enhance the security of the system. The majority of recently developed asymmetric protocols are based on elliptic curve cryptography. This section discusses the recently developed elliptic curve cryptography based authentication protocols. Recently analyzed attacks on some of the authentication protocols are also explored.

**Elliptic Curve Cryptography (ECC) based Authentication Protocols.**

**Protocol (B1):** Authentication mechanism with ECC Encryption/Decryption for end users.

**Premise:** Let 'R' and 'T' represent the reader and tag respectively. Suppose ri is the ith random number selected by reader or tag. Let Cj and Pj represent the ciphertext and plaintext generated at the jth side, where j ∈ {R, T}. Encryption and decryption functions at the jth side are represented by Ej() and Dj(). The unique identification of tag and reader is represented by IDT and IDR respectively. Let 'h' be the hash function used to generate the digest.

**Explanation:** This is a random number generation based authentication protocol. Here, the reader selects a random number and computes the ciphertext of the tag identification with this random number. The reader sends the ciphertext, the tag identification and the hash over the random number to the tag (step 1). After receiving the data, the tag decrypts the encrypted information and fetches the random value and tag identification. Here, the tag verifies the received hash value against the regenerated hash value. If both are verified, the tag sends the decrypted random number value to the reader (step 2). The reader verifies the received random value against its own random value generated in step 1. If it matches, the user associated with the tag is considered authentic, otherwise unauthentic (step 3). This protocol was developed on the consideration that it is protected from replay, reflection and chosen-text attacks due to the encryption/decryption and hash functions. The use of encryption/decryption and hash functions is the major reason that this protocol is not suitable for resource constraint devices.

**Protocol (B2):** ECC based signature-based mechanism for authenticating end users.

**Premise:-** Let 'R' and 'T' represent the reader and tag respectively. Suppose ri and ei are the ith random numbers selected by reader and tag respectively, IDr represents the identification of the reader, CERTTAG represents the certificate pre-shared between tag and reader, and SIGN and VERIFY represent the digital signature based signing and verification processes.

```
Step 1:- R ➔ T : r1
Step 2:- T : y = SIGN(r1, r2, IDr)
         T ➔ R : r2, IDr, y, CERTTAG
Step 3:- R : VERIFY CERTTAG and VERIFY y
           : if verified then consider that tag is valid.
```

**Explanation:** The reader starts the authentication process by sending a random challenge to the tag (step 1). The tag selects another challenge and digitally signs both challenges along with the identification of the reader. This signature, the random challenge, the identification of the reader and the tag's certificate are sent to the reader (step 2). The reader then verifies both the certificate and the digital signature. If both are verified, the tag is considered authentic, otherwise unauthentic (step 3). The author claims that this protocol prevents existential forgery attack.

**Protocol (B3):** Schnorr Identification scheme and end-user verification with ECC [55].

**Premises:-** Let 'R' and 'T' represent the reader and tag respectively. Suppose ri and ei are the ith random numbers selected by reader and tag respectively. The tag's public key is represented by Z and P is the base point selected on elliptic curve E.

```
Step 1:- T : Compute X = r1P
         T ➔ R : X
Step 2:- R ➔ T : e1
Step 3:- T : Compute y = ae1 + r1
         T ➔ R : y
Step 4:- R : if yP + e1Z == X then authentic else unauthentic
```

**Explanation:** Tuyls proposed a Schnorr identification protocol based on the elliptic curve discrete logarithm problem in 2006. In this protocol, the tag starts the communication by sending X = r1P to the reader (step 1). The reader receives the message X. To verify this message and the tag, it sends a random number to the tag (step 2). The tag then responds with 'y' to the reader (step 3). The reader verifies the message 'X' with the help of the tag's public key. If it matches, the tag is considered authentic, otherwise unauthentic. In this protocol, an attacker reader can easily trace the tag by acting as a middle entity between tag and reader. The attacker reader's function is explained in attack 1.

**Attack 1:** Tag tracing by attacker reader on ECC and Schnorr Identification scheme.

**Premises:** In addition to the premises of the protocol, let Rattacker be the eavesdropper that wants to trace the tag.

```
Step 1:- T ➔ Rattacker : X
Step 2:- Rattacker ➔ R : X'
Step 3:- R ➔ Rattacker : e1
Step 4:- Rattacker ➔ T : e1
Step 5:- T ➔ Rattacker : y = ae1 + r
         : Now, Rattacker is knowing X, e1 and y = ae1 + r.
Step 6:- T ➔ Rattacker : X"
Step 7:- Rattacker ➔ T : e2(=e1)
Step 8:- T ➔ Rattacker : y' = ae2 + r'
         : computes y'P + e2Z = X'
```

**Explanation:** Now, the attacker reader can easily trace the tag by checking whether (y' - y)P equals (X' - X). In this attack, Rattacker communicates with 'T' and 'R' to trace 'T'. Here, 'T' communicates with Rattacker instead of 'R' (step 1). Rattacker does not generate a challenge by itself but forwards the e1 received from 'R' to 'T' (step 2 to step 4). In continuation, 'T' responds to the challenge, but the response goes to Rattacker instead of 'R' (step 5). Later, 'T' communicates again with Rattacker. 'T' and Rattacker again generate new challenges and responses (step 6 and step 8). Now, Rattacker can keep trace of 'T' by computing whether (y' - y)P equals (X' - X).

**Attack 2:** If the attacker reader knows the public key 'Z' of the tag, it can easily compute the message by computing yP + e1Z = X. Thus, this mechanism is not considered to provide forward secrecy.

In addition to attack 1 and attack 2, this protocol has scalability issues. The cost of computation at the reader side is high, since an increase in the number of tags handled per reader requires most of the public keys to be accessed from the database by the reader. This increases the computational cost of the reader. An increase in computational cost reduces the power of the reader to handle more tags. Thus, the scalability of the network reduces gradually.

#### **4. Lightweight authentication protocols**

Lightweight authentication protocols are less powerful as compared to classical cryptography based protocols. Lightweight cryptography is integrated with protocols to achieve confidentiality, integrity, availability, authentication and non-repudiation. Apart from security, communication and computational cost at reader and tag is another factor taken into consideration for selecting the lightweight authentication protocol.

**Protocol (C1):-** Yu et al. Protocol [49].

**Premises:-** Let 'R' and 'T' represent the reader and tag respectively. Suppose ri and ei are the ith random numbers selected by reader and tag respectively. Let 'm' represent the m-bit map in the form of non-volatile memory. This non-volatile memory is used to store random number information to protect from tracking attack.

```
Step 1:- R ➔ T : r1
Step 2:- T : Compute j = h(ki, r1) mod m
           : if map[j] is zero then
           : map[j] = 1 and
         T ➔ R : h(ki, r1)
           : else if map[j] is non-zero then
         T ➔ R : h(ki, e1)
Step 3:- R ➔ DC : h(ki, r1) or h(ki, e1).
Step 4:- DC : find entry for h(ki, r1) or h(ki, e1) in database. If entry found then
            : Compute h(ki + 1, r1) or h(ki + 1, e1)
            : Update ki with h(ki) and hash value with h(ki, r2)
         DC ➔ R : h(ki + 1, r1) or h(ki + 1, e1)
            : if entry is not found in database then
         DC ➔ R : DENY
Step 5:- R : if response from DC is DENY then
         R ➔ T : r3
           : else R ➔ T : h(ki + 1, r1) or h(ki + 1, e1)
Step 6:- T : Compute h(ki + 1, r1) or h(ki + 1, e1) again
           : Compare received message with computed message. If they are equal then
           : Update its key with h(ki) and all bits of map equals to zero.
```

**Explanation:** This is a random number based authentication protocol. The reader starts the process of authentication by selecting a random number and sending it towards the tag (step 1). The tag computes its position and searches the corresponding bit position on the map. If the bit position is zero on the map, it sends its position to the reader; otherwise it selects a new random number and sends the corresponding hash towards the reader (step 2). The reader sends the received value to the data centre (step 3). The data centre searches for the record in the database. If the entry is found in the database, it updates the key and hash values. The updated information is forwarded to the reader (step 4). If the entry is not found in the database, a DENY message is replied. The reader checks the received message. If the received message is not a DENY message, it forwards the received message to the tag (step 5). Now, the tag recomputes the hash value. If the new hash value is equal to the received value, the tag also updates its hash value. It sets all bits of the map to zero (step 6).

**Protocol (C2)**:- Mitra et al. protocol [51].

**Premises:-** Let 'R' and 'T' represent the reader and tag respectively. Suppose ri and ei are the ith random numbers selected by reader and tag respectively.

```
Step 1:- R ➔ Ti : {request}
Step 2:- T : Compute IDS = e1*K + IDT
         T ➔ R : IDS
Step 3:- R : ID'T = IDS mod K
```

**Explanation:** Mitra proposed an authentication protocol to protect against traceability and cloning in 2008 [51]. Reader to tag or tag to reader eavesdropping in communication is feasible in this protocol. In this protocol, the reader starts the process by sending a random number (step 1). The tag computes the identification pseudonym and sends it to the reader (step 2). The reader extracts the identification from the received data (step 3).

**Attack:-** Cloning attack on Mitra Protocol.

```
Step 1:- R ➔ T : {request}
Step 2:- T : Compute IDS1 = e1*K1 + IDT
         T ➔ RAttacker : IDS1
Step 3:- RAttacker ➔ R : IDS1
Step 4:- R : ID'T = IDS1 mod K1
         R ➔ T : {request}
Step 5:- T ➔ RAttacker : IDS2 = e2 * K2 + IDT
Step 6:- RAttacker ➔ R : IDS2
... ...
Step n-2:- T ➔ RAttacker : IDSn = en * Kn + IDn
Step n-1:- RAttacker ➔ R : IDSn
Step n:- R : ID'T = IDSn mod Kn
Step n + 1:- RAttacker : Collects IDS1, IDS2, ...., IDSn.
             : Compute temp1 = (IDS2-IDS1)*K1, temp2 = (IDS3-IDS2)*K2, ......, tempn-1 = (IDSn-IDSn-1)*Kn-1.
             : Compute Ki = GCD(temp1, temp2, ....tempn-1)
```

**Explanation:** In this attack, an attacker observes the communication between tag and reader [52]. The attacker observes and records the IDS1 to IDSn values (step 2, step 5, step n-2). The attacker then calculates the temp1 to tempn-1 values and the greatest common divisor (GCD) of these values (step n + 1). This GCD value is the secret key of the tag in communication. Here, an attacker can start the message exchange with the tag by collecting tempi and sending IDSi + ri\*tempi to the tag. This is an easy way to clone.

**Attack:-** Traceability attack in Mitra's protocol.

```
Step 1:- RAttacker ➔ T : {request}
Step 2:- T ➔ RAttacker : IDS1
... ...
Step i:- RAttacker ➔ T : {request}
Step i + 1:- T ➔ RAttacker : IDSi
Step i + 2:- RAttacker ➔ T : {request}
             RAttacker ➔ T' : {request}
Step i + 3:- T ➔ RAttacker : IDSn
Step i + 4:- T' ➔ RAttacker : IDSn+1
Step i + 5:- RAttacker : accept IDSn if b==0, accept IDSn+1 if b==1
             : Select
             : Compute temp1 = IDS1-IDSi
             : Compute temp2 = IDS1 - IDSn    if b == 0
                               IDSn - IDSn+1  if b == 1
             : d = 0 if GCD(temp1, temp2) ≥ 2^(L/2)
               d = 1 if GCD(temp1, temp2) < 2^(L/2)
```

**Explanation:** The traceability attack in this protocol starts with two requests from reader to tag (step 1 to step i + 1). In response to these requests, the encrypted messages IDS1 and IDSi are received. The attacker again sends two requests to the tags associated with the identifications (IDT, ID'T) (step i + 2). These tags return encrypted messages: IDSn and IDSn+1 (step i + 3 and i + 4). The attacker accepts these messages from different tags in different form. It accepts IDSn and IDSn+1 from the tags with identification IDT and ID'T respectively. It uses b = 0 for IDT and b = 1 for ID'T to distinguish between tags and for further necessary computations. The attacker computes temp1 and temp2 from the received encrypted messages (step 5). Now, the attacker guesses the bit based on the length decision rule. Peris-Lopez found a success probability of guessing equal to 1, and this results in traceability with 50% probability [52].

**Attack:-** Full disclosure attack on Mitra's protocol

**Explanation:** As seen in the cloning attack, the attacker observes the messages exchanged between tags and reader. This results in obtaining the secret key of the tag with the help of GCD computations. After getting the secret of the tag, the attacker can easily reveal the stored and transmitted information. Peris-Lopez calculated the probability of revealing the secret using the Riemann zeta function [52]. The authors found a success rate of 60 to 100% for this attack and claim that it is the most dangerous among all discussed attacks.
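The GCD argument used in the cloning and full disclosure analyses follows directly from the pseudonym formula of Protocol (C2), and the number of observed sessions decides how often it succeeds. The following is an added example, not code from the chapter or from the cited authors; it assumes the fixed secret K of Protocol (C2), 64-bit constructed values, and the hypothetical function names shown.

```python
import math
import random


def pseudonym(e, K, tag_id):
    """Protocol (C2), step 2: IDS = e*K + IDT."""
    return e * K + tag_id


def gcd_of_differences(observed):
    """GCD of successive pseudonym differences.

    IDS_{i+1} - IDS_i = (e_{i+1} - e_i) * K, so IDT cancels and every
    difference is a multiple of K. The GCD is K itself whenever the
    multipliers (e_{i+1} - e_i) share no common factor.
    """
    g = 0
    for a, b in zip(observed, observed[1:]):
        g = math.gcd(g, abs(b - a))
    return g


def recovery_rate(sessions, trials, rng, bits=64):
    """Fraction of trials in which the GCD equals K, so IDS mod GCD gives IDT."""
    hits = 0
    for _ in range(trials):
        K = rng.getrandbits(bits) | (1 << (bits - 1))      # constructed secret key
        tag_id = rng.randrange(K)                          # constructed identifier, IDT < K
        observed = [pseudonym(rng.getrandbits(bits), K, tag_id)
                    for _ in range(sessions)]
        g = gcd_of_differences(observed)
        if g == K and observed[0] % g == tag_id:
            hits += 1
    return hits / trials


def rate_table(seed=2020, trials=2000):
    """Recovery rate against the number of passively observed sessions.

    n sessions give n-1 multipliers; random integers are coprime as a set
    with probability 1/zeta(n-1), which is the Riemann zeta dependence
    mentioned in the text (about 0.61 for three sessions, close to 1 for eight).
    """
    rng = random.Random(seed)
    return {n: recovery_rate(n, trials, rng) for n in (2, 3, 4, 6, 8)}


if __name__ == "__main__":
    for n, rate in rate_table().items():
        print(f"{n} observed sessions -> key and identifier recovered in {rate:.1%} of trials")
```

The table is the design-review takeaway: a pseudonym that is linear in the secret gives up both K and IDT after a handful of sessions, so rotating e alone does not protect the tag.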

**Protocol (C3):** Qingling et al.'s protocol [51]

**Premises:** Let 'R', 'T' and 'DC' represent the reader, tag and data centre respectively. Suppose ri, ei and dci are the random numbers selected by reader, tag and data centre respectively. MSB and LSB represent the most and least significant bits of a unique identifier (UID<sup>T</sup>) and access password (PASSWD<sup>T</sup>).

**Step 1:-** R ➔ Ti : $r_i$

**Step 2:-** Ti : $\mathrm{Message}^{T_i} = \mathrm{Message}^{T_i}_{LSB} \,\|\, \mathrm{Message}^{T_i}_{MSB}$, where $\mathrm{Message}^{T_i}_{LSB} = \mathrm{CRC}(\mathrm{UID}^{T_i}_{LSB} \oplus r_i \oplus e_i) \oplus \mathrm{PASSWD}^{T_i}_{LSB}$ and $\mathrm{Message}^{T_i}_{MSB} = \mathrm{CRC}(\mathrm{UID}^{T_i}_{MSB} \oplus r_i \oplus e_i) \oplus \mathrm{PASSWD}^{T_i}_{MSB}$.

Ti ➔ R : $\{\mathrm{Message}^{T_i}, e^{T_i}_i\}$

**Step 3:-** R : Verify that $\mathrm{Message}^{T_i} \oplus \mathrm{PASSWD}^{T_i}$ equals $\mathrm{CRC}(\mathrm{UID}^{T_i}_{LSB} \oplus r_i \oplus e_i) \,\|\, \mathrm{CRC}(\mathrm{UID}^{T_i}_{MSB} \oplus r_i \oplus e_i)$. If this condition holds for any tag in the data centre then the tag is authentic and the process continues, else unauthentic.

: Compute $\mathrm{Message}^{R} = \mathrm{Message}^{R}_{LSB} \,\|\, \mathrm{Message}^{R}_{MSB}$

$\mathrm{Message}^{R}_{LSB} = \mathrm{CRC}(\mathrm{UID}^{T_i}_{LSB} \oplus r^{T_i}_i) \oplus \mathrm{PASSWD}^{T_i}_{LSB}$

$\mathrm{Message}^{R}_{MSB} = \mathrm{CRC}(\mathrm{UID}^{T_i}_{MSB} \oplus r^{T_i}_i) \oplus \mathrm{PASSWD}^{T_i}_{MSB}$

R ➔ Ti : $\mathrm{Message}^{R}$

**Step 4:-** T : Verify that $\mathrm{Message}^{R} \oplus \mathrm{PASSWD}^{T_i}$ equals $\mathrm{CRC}(\mathrm{UID}^{T_i}_{LSB} \oplus r^{T_i}_i) \,\|\, \mathrm{CRC}(\mathrm{UID}^{T_i}_{MSB} \oplus r^{T_i}_i)$. If the condition holds then the reader is authentic, else unauthentic.

**Explanation:** Qingling et al. [66] proposed a lightweight authentication protocol based on password challenge [51]. The reader starts the authentication process by sending a random number challenge to the tag (step 1). The tag constructs the most significant and least significant parts of the message to generate a response for the reader. The most significant and least significant parts are XORed with passwords before being sent to the reader (step 2). The reader verifies the received messages and generates a new challenge for the tag to prove its authenticity (step 3). The tag verifies the received message for reader authenticity (step 4).

**Attack:-** Attack on Qingling et al.'s protocol.

**Premise:-** An attacker eavesdrops one session between 'R' and 'T'.

**Step 1:-** RAttacker ➔ Ti : $\mathrm{Message}^{T_i}_{LSB} \oplus \mathrm{CRC}(\alpha) \,\|\, \mathrm{Message}^{T_i}_{MSB} \oplus \mathrm{CRC}(\alpha),\ e^{new}_i$. Where, $\alpha = \delta + \gamma$, $\delta = e^{new}_i \oplus e_i$, $\gamma = r^{new}_i \oplus r_i$.

**Step 2:-** RAttacker ➔ R : $\mathrm{Message}^{R}_{LSB} \oplus \mathrm{CRC}(\delta) \,\|\, \mathrm{Message}^{T_i}_{MSB} \oplus \mathrm{CRC}(\delta)$. Where, $\delta = e^{new}_i \oplus e_i$.

**Explanation:** Peris-Lopez et al. discovered impersonation of tag and reader in two communications [52]. This is possible by passively observing one session between tag and reader. This impersonation helps the attacker to send a message with new random values ($e^{new}_i$ and $r^{new}_i$). Now, verification of this message at the tag side is easy (step 1). Similarly, an attacker can supplant the reader with a message containing new random variables ($e^{new}_i$). This message authenticates the attacker as a genuine reader. The tag cannot detect this attack easily (step 2).

**Attack:-** Traceability attack on Qingling et al. protocol.

**Step 1 (Learning):**

RAttacker : Acquire r1, e1 and $\mathrm{Message}^{T_0} = \mathrm{Message}^{T_0}_{LSB} \,\|\, \mathrm{Message}^{T_0}_{MSB}$, $\mathrm{Message}^{T_0}_{LSB} = \mathrm{CRC}(\mathrm{UID}^{T_0}_{LSB} \oplus r_1 \oplus e_1) \oplus \mathrm{PASSWD}^{T_0}_{LSB}$, $\mathrm{Message}^{T_0}_{MSB} = \mathrm{CRC}(\mathrm{UID}^{T_0}_{MSB} \oplus r_1 \oplus e_1) \oplus \mathrm{PASSWD}^{T_0}_{MSB}$.

**Step 2 (Challenge):**

RAttacker : Selects two tags with $\mathrm{UID}^{T_0}$ and $\mathrm{UID}^{T_1}$. It executes a test query that results in the return of two random numbers $r^{new}_1$ and $e^{T_i}_2$, and message $\mathrm{Message}^{T_i} \in \{\mathrm{Message}^{T_0}, \mathrm{Message}^{T_1}\}$. Selection of the message is dependent on random bit b ∈ {0,1}.

$\{\mathrm{CRC}(\mathrm{UID}^{T_0}_{LSB} \oplus r^{new}_1 \oplus e^{T_0}_2) \oplus \mathrm{PASSWD}^{T_0}_{LSB} \,\|\, \mathrm{CRC}(\mathrm{UID}^{T_0}_{MSB} \oplus r^{new}_1 \oplus e^{T_0}_2) \oplus \mathrm{PASSWD}^{T_0}_{MSB}$ if b==0$\}$ or

$\{\mathrm{CRC}(\mathrm{UID}^{T_0}_{LSB} \oplus r^{new}_1 \oplus e^{T_1}_2) \oplus \mathrm{PASSWD}^{T_1}_{LSB} \,\|\, \mathrm{CRC}(\mathrm{UID}^{T_1}_{MSB} \oplus r^{new}_1 \oplus e^{T_1}_2) \oplus \mathrm{PASSWD}^{T_1}_{MSB}$ if b==1$\}$

**Step 3 (Guessing):**

RAttacker : An attacker obtains constant 1 and constant 2 values from step 1 and step 2 respectively. These values are associated to T0.

$\mathrm{Constant1}_{LSB} = \mathrm{Message}^{T_0}_{LSB} \oplus \mathrm{CRC}(r_1) \oplus \mathrm{CRC}(e_1) = \mathrm{CRC}(\mathrm{UID}^{T_0}_{LSB}) \oplus \mathrm{PASSWD}^{T_0}_{LSB}$.

$\mathrm{Constant1}_{MSB} = \mathrm{Message}^{T_0}_{MSB} \oplus \mathrm{CRC}(r_1) \oplus \mathrm{CRC}(e_1) = \mathrm{CRC}(\mathrm{UID}^{T_0}_{MSB}) \oplus \mathrm{PASSWD}^{T_0}_{MSB}$.

$\mathrm{Constant1} = \mathrm{Constant1}_{LSB} \,\|\, \mathrm{Constant1}_{MSB}$.

$\{\mathrm{CRC}(\mathrm{UID}^{T_0}_{LSB}) \oplus \mathrm{PASSWD}^{T_0}_{LSB} \,\|\, \mathrm{CRC}(\mathrm{UID}^{T_0}_{MSB}) \oplus \mathrm{PASSWD}^{T_0}_{MSB}$ if b==0$\}$ or $\{\mathrm{CRC}(\mathrm{UID}^{T_1}_{LSB}) \oplus \mathrm{PASSWD}^{T_1}_{LSB} \,\|\, \mathrm{CRC}(\mathrm{UID}^{T_1}_{MSB}) \oplus \mathrm{PASSWD}^{T_1}_{MSB}$ if b==1$\}$.

An attacker calculates the value of output bit d = {0 if constant1 equals constant2, 1 if constant1 does not equal constant2}.

**Explanation:** Peris-Lopez et al. calculated the probability to distinguish between tags in order to interact for traceability [52]. This probability is high because it is easy to distinguish between tags. Thus, it is easy to implement the traceability attack with the above sequence of steps. There are three stages of observation: learning, challenge and guessing. The learning stage observes the transactions between reader and tag to collect the secret parameters. The challenge stage puts random number based challenges to the tag through the attacker. Finally, the guessing stage finds the probability of receiving 0 or 1.

**Protocol (C4):** LRAP (Lightweight RFID Authentication protocol) [67]

**Premises:-** Let 'R', 'T' and 'DC' represent the reader, tag and data centre respectively. Suppose ri, ei and dci are the random numbers selected by reader, tag and data centre respectively. Further, IDS, Ci, KE, KD are the identification pseudonym, ith ciphertext, encryption and decryption keys respectively.

```
Step 1:- R ➔ T : {Hello}
Step 2:- T ➔ R : {IDS}
Step 3:- R : Compute ciphertext, (C1, C2, C3) = E_KE(r1, r2), C3 = r3P,
             (temp1, temp2) = r3KE, C1 = temp1 . r1 mod N, C2 = temp2 . r2 mod N,
             temp3 = (IDS + r1 + r2) ⊕ KE.
         R ➔ T : (C1, C2, C3) || temp3
Step 4:- T : Extract (r1, r2) from (C1, C2, C3), (temp1, temp2) = KD.C3,
             r1 = C1 . temp1^(-1) mod N, r2 = C2 . temp2^(-1) mod N, Compute
```

*Cryptography - Recent Advances and Future Developments*

: *MessageTi*

: *MessageTi*

(*UIDTi*

*Message<sup>R</sup>*

*Message<sup>R</sup>*

CRC(*UIDTi*

**Attack:-** Attack on Qingling et al*.*'s protocol.

**Step 1:-** RAttacker ➔ Ti : *MessageTi*

**Step 2:**- RAttacker ➔ R : *Message<sup>R</sup>*

R<sub>Attacker</sub> : An attacker obtains constant 1 and constant 2 values from step 1 and step 2 respectively. These values are associated to T0.

Constant1<sub>LSB</sub> = Message<sup>T0</sup><sub>LSB</sub> ⊕ CRC(r1) ⊕ CRC(e1) = CRC(UID<sup>T0</sup><sub>LSB</sub>) ⊕ PASSWD<sup>T0</sup><sub>LSB</sub>.

Constant1<sub>MSB</sub> = Message<sup>T0</sup><sub>LSB</sub> ⊕ CRC(r1) ⊕ CRC(e1) = CRC(UID<sup>T0</sup><sub>MSB</sub>) ⊕ PASSWD<sup>T0</sup><sub>MSB</sub>.

Constant1 = Constant1<sub>LSB</sub> || Constant1<sub>MSB</sub>.

{CRC(UID<sup>T0</sup><sub>LSB</sub>) ⊕ PASSWD<sup>T0</sup><sub>LSB</sub> || CRC(UID<sup>T0</sup><sub>MSB</sub>) ⊕ PASSWD<sup>T0</sup><sub>MSB</sub> if b == 0} or {CRC(UID<sup>T0</sup><sub>LSB</sub>) ⊕ PASSWD<sup>T1</sup><sub>LSB</sub> || CRC(UID<sup>T1</sup><sub>MSB</sub>) ⊕ PASSWD<sup>T1</sup><sub>MSB</sub> if b == 1}.

An attacker calculates the value of output bit d = {0 if constant 1 equals constant 2, 1 if constant 1 does not equal constant 2}.

**Explanation:** Peris-Lopez et al*.* calculated the probability to distinguish between tags in order to interact for traceability [52]. This probability is high because it is easy to distinguish between tags. Thus, it is easy to implement traceability attack with above sequence of steps. There are three stages of observation: learning, challenge and guessing. The learning stage observes the transactions between reader and tag to collect the secret parameters. The challenge stage puts random number based challenges to the tag through the attacker. Finally, the guessing stage finds the probability of receiving 0 or 1.
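Why the constant in the guessing step does not change between sessions, as an added example that is not code from the chapter or from Qingling et al.: it simulates the step 2 tag response, recomputes Constant<sub>LSB</sub> || Constant<sub>MSB</sub> from values that travel in clear, and repeats the check on a keyed-hash response. The CRC-16 generator 0x1021 with zero initial value, the 16-bit halves, the HMAC-SHA-256 variant, the sample tag values and all function names are assumptions made here.

```python
import hashlib
import hmac
import secrets

POLY = 0x1021  # assumed CRC-16 generator; the chapter only says "CRC"


def crc16(word: int) -> int:
    """CRC-16 of one 16-bit word, zero initial value, no final XOR (linear)."""
    crc = 0
    for byte in word.to_bytes(2, "big"):
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ POLY if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


class Tag:
    """Constructed tag holding a 32-bit UID and a 32-bit access password."""

    def __init__(self, uid: int, passwd: int):
        self.uid_lsb, self.uid_msb = uid & 0xFFFF, uid >> 16
        self.pw_lsb, self.pw_msb = passwd & 0xFFFF, passwd >> 16
        self._uid = uid.to_bytes(4, "big")
        self._key = passwd.to_bytes(4, "big")

    def respond_crc(self, r: int):
        """Step 2 of Protocol C3: returns (Message_LSB, Message_MSB, e)."""
        e = secrets.randbits(16)
        lsb = crc16(self.uid_lsb ^ r ^ e) ^ self.pw_lsb
        msb = crc16(self.uid_msb ^ r ^ e) ^ self.pw_msb
        return lsb, msb, e

    def respond_hmac(self, r: int):
        """Same message sizes, but a keyed hash replaces CRC and XOR."""
        e = secrets.randbits(16)
        data = self._uid + r.to_bytes(2, "big") + e.to_bytes(2, "big")
        mac = hmac.new(self._key, data, hashlib.sha256).digest()
        return int.from_bytes(mac[:2], "big"), int.from_bytes(mac[2:4], "big"), e


def reader_accepts(record: Tag, r: int, response) -> bool:
    """Step 3 of Protocol C3, using the data centre record for the tag."""
    lsb, msb, e = response
    return ((lsb ^ record.pw_lsb) == crc16(record.uid_lsb ^ r ^ e)
            and (msb ^ record.pw_msb) == crc16(record.uid_msb ^ r ^ e))


def session_constant(r: int, response) -> int:
    """Constant_LSB || Constant_MSB, built only from r, e and the message."""
    lsb, msb, e = response
    mask = crc16(r) ^ crc16(e)  # CRC(a ^ b ^ c) = CRC(a) ^ CRC(b) ^ CRC(c)
    return ((lsb ^ mask) << 16) | (msb ^ mask)


def observed_constants(respond, sessions: int = 50) -> set:
    """Distinct constants seen over several sessions with fresh r and e."""
    seen = set()
    for _ in range(sessions):
        r = secrets.randbits(16)
        seen.add(session_constant(r, respond(r)))
    return seen


def guess_bit(constant1: int, constant2: int) -> int:
    """Output bit d of the guessing step: 0 if the constants match, else 1."""
    return 0 if constant1 == constant2 else 1


# Constructed sample tags (values are illustrative only).
T0 = Tag(uid=0x1234ABCD, passwd=0x0F0F3C3C)
T1 = Tag(uid=0x5678ABCD, passwd=0x0F0F5A5A)

if __name__ == "__main__":
    r = secrets.randbits(16)
    print("reader accepts T0:", reader_accepts(T0, r, T0.respond_crc(r)))
    print("CRC response, distinct constants:", len(observed_constants(T0.respond_crc)))
    print("HMAC response, distinct constants:", len(observed_constants(T0.respond_hmac)))
```

The keyed-hash response is only a contrast: it shows the invariant disappears once the response is no longer linear in r and e, and it sits outside the low computational cost class that passive tags are limited to.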

**Protocol (C4):** LRAP (Lightweight RFID Authentication protocol) [67]

**Premises:-** Let 'R', 'T' and 'DC' represent the reader, tag and data centre respectively. Suppose ri, ei and dci are the random numbers selected by reader, tag and data centre respectively. Further, IDS, Ci, KE, KD are the identification pseudonym, ith ciphertext, encryption and decryption keys respectively.


temp′3 = (IDS + r1 + r2) ⊕ KDP and verifies whether temp′3 equals to temp3. If both are equal then compute temp4 = (r1 ⊕ r2) + ID.

T ➔ R : temp4

Updation IDSold = IDS, IDSnew = (IDSold + r1) + (ID + r2)

**Step 5:-** R : Computes temp′4 = (r1 ⊕ r2) + ID, Verifies temp′4 equals to temp4. If both are equal then tag is authentic else unauthentic.

Updation IDS = (IDS + r1) ⊕ (ID + r2).

**Explanation:** LRAP is an elliptic curve based lightweight authentication protocol proposed by Liu et al*.* in 2013 [67]. Reader starts the authentication process by sending a hello request (step 1). Tag responds with its identification pseudonym (step 2). Reader response to tag includes the ciphertexts appended with identification pseudonym (step 3). These ciphertexts are generated by encrypting the reader generated random numbers with encryption key. After receiving the response from reader, tag extracts the random numbers and verifies them. If these are verified then it computes a new identification and random number based response to reader (step 4). After this communication, tag initiates the identification pseudonym updating process. On receiving the response, reader verifies it for authenticity and initiates the identification pseudonym updating process (step 5).

#### **5. Grouping/yoking authentication protocols**

This section discusses the protocols that allow multiple tags to authenticate simultaneously with the same reader. Multiple tag authentication constructs groups with unique group identifications. Group construction is possible through collaborations of tags to jointly request the reader for authentication. Following are the important group authentication protocols [68].

**Protocol (E1):** Juels Yoking Protocol [69, 70].

**Premise:-** Let 'R', 'T' and 'DC' represent the reader, tag and data centre respectively. Let ri and ei be the random numbers selected by reader and tag respectively. Suppose, 'Ki' is the shared key between reader and ith tag, MAC is the message authentication code.

**Step 1:-** R ➔ T1 : {hello}

**Step 2:-** T1 ➔ R : ID<sup>T1</sup>, e1

**Step 3:-** R ➔ T2 : e1

**Step 4:-** T2 ➔ R : ID<sup>T2</sup>, e2, temp1 = MAC<sub>K2</sub>[e1]

**Step 5:-** R ➔ T1 : e2

**Step 6:-** T1 ➔ R : temp2 = MAC<sub>K1</sub>[e2]

**Step 7:-** R ➔ DC : {ID<sup>T1</sup>, e1, temp2, ID<sup>T2</sup>, e2, temp1}

**Explanation:** Juels' grouping protocol is the first group authentication protocol [71, 72]. This is the simplest protocol to understand and implement. Reader starts the authentication process by sending a random number based challenge (step 1). Tag responds with its identification mark and another random number challenge (step 2).

**Protocol (E2):** Saito and Sakurai's Protocol [73].

**Premise:-** Let 'R', 'T' and 'DC' represent the reader, tag and data centre respectively. Suppose, 'Ki' is the shared key between reader and ith tag, MAC is the message authentication code. PT is the pallet tag.

**Step 1:-** DC ➔ R : {timestamp}

**Step 2:-** R ➔ Ti : {timestamp}, Where i ∈ {1,n}

**Step 3:-** Ti ➔ R : tempi = MAC<sub>Ki</sub>[timestamp]

**Step 4:-** R ➔ PT : {timestamp}, tempi

**Step 5:-** PT ➔ R : E<sub>K</sub>[{timestamp}, tempi]

**Step 6:-** R ➔ DC : {timestamp, E<sub>K</sub>[{timestamp}, tempi], ID<sup>T1</sup>}

**Explanation:** Saito and Sakurai's protocol tried to remove the replay attack from Juels' protocol [74]. Data centre initiates the group authentication proof protocol by sending a timestamp message to reader (step 1). Reader forwards the timestamp to all tags (step 2). All tags then send a message authentication code of timestamp to reader (step 3). There is use of a pallet tag in this protocol. This tag is assumed to have abundance of resources as compared to any existing tag. Reader forwards the timestamp message and message authentication code of all tags to pallet tag (step 4). Pallet tag encrypts the received message and sends it to reader (step 5). Reader forwards this message to data centre for storage (step 6). This stored entry is a grouping proof.

**Attack:** Secret disclosure attack on Kazahaya.

**Explanation:** Bagheri et al*.* found that it is possible for an attacker to retrieve tag's secret parameters at cost of O(2<sup>16</sup>) offline random number evaluations [75]. In this attack, an attacker eavesdrops one session between tag and reader. Further, at cost of O(2<sup>16</sup>) operations, it fetches private key of tag, identification of tag and group identification. These secret disclosure parameters increase the chance of tag and reader impersonation, and traceability. An attacker can forge proofs at any time. It is found that verification of forged proofs is possible at cost of one session eavesdropping. Thus, forgery attack is another threat to this protocol and probability of this attack is '1'.

#### **6. Comparisons**

Security and cost analysis of authentication protocols is presented in this section. Security analysis is performed based on parameters selected in Section 3. Similarly, cost estimation is analyzed through communication and computational cost parameters. This analysis is performed to find authentication protocol suitable for resource constraint or resourceful devices in IoT.

#### **6.1 Security analysis**

Possibilities of attacks on surveyed authentication protocols are analyzed in security analysis. This comparison of authentication protocols is made through infeasible, strong, medium and weak possibilities of attacks. Authentication protocol attacks and their chance on studied protocols are searched from literature. If a direct attack is found then possibility of attack is considered to be strong (S). Otherwise, attacker's dependency on existing attack is searched. For example, man-in-the-middle and denial of service attacks lead to de-synchronization and traceability attacks. Hence, if chances of man-in-the-middle and denial of service attacks are strong then de-synchronization and traceability attacks provide medium (M) chances. Similarly, eavesdropping leads to secret disclosure attack. Chances of indirect attacks are considered to be medium because extra computational and communication cost is required to perform these attacks. Further, chances of indirect attacks with high computational and communication cost are considered to be weak (W). Overall, it is analyzed that the recent trend is to design authentication protocols based on asymmetric key based cryptosystem because such protocols provide high security and low communicational cost as compared to symmetric key cryptosystem based protocols. Symmetric or asymmetric cryptosystem based authentication protocols are suitable for resourceful devices such as active RFID devices. These devices can afford the computational cost of protocols. Lightweight and ultra-lightweight protocols are designed for resource constraint devices like passive RFID devices. These devices cannot afford high computations or storage. Security of such protocols is a major concern. It is impossible to fully secure such protocols from attacks. A protocol with higher attack resistant probability is considered to be more reliable. Hence protocols like C4, D2 and D3 are more reliable. Further, these authentication protocols can be extended to create groups called grouping or yoking protocols.

#### **6.2 Cost analysis**

Communication and computational cost of studied authentication protocols is analyzed in **Table 1**. Communication cost is measured in terms of number of transactions made between reader and tag. Different levels to measure the cost are Low (L), Medium (M) and High (H). If number of transactions is between 1 and 3 then communication cost is considered to be low. If it varies from 4 to 6 then communication cost is medium. Communication cost is considered to be high if number of transactions is more than 6. It is found that communication cost of asymmetric cryptography primitives based authentication protocols is much lower than any other type of authentication protocols. Although lightweight and ultra-lightweight protocols claim to be efficient for resource constraint devices, asymmetric cryptography based protocols can also be designed to reduce the overhead through reduction in communication cost. For example, protocol C4 is based on elliptic curve cryptosystem based asymmetric cryptography and it is more efficient than any other lightweight protocol. Like communication cost, computational cost is also divided into three levels: Low, Medium and High. A high cost authentication protocol includes encryption, decryption, hashing or high computational functions. Medium cost based protocols include mathematical functions like elliptic curve based addition, multiplication or inverse, shift or permutation operations etc. A low cost protocol affords simple mathematical functions like: logical operations (AND, OR, NOT etc.), simple permutation, rotation, random number generator etc. Lightweight and ultra-lightweight protocols are especially designed to take these low computational cost factors into consideration. Computational cost of these protocols is much lower than any classical cryptography based symmetric or asymmetric authentication protocols.

| Protocol | Pr | Tr | FS | BS | Ea | Sk | Cl | RP | RL | DoS | SP | SD | DE | MM | Comm | Comp |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| **Symmetric Cryptography Primitives Based Authentication Protocols** | | | | | | | | | | | | | | | | |
| A1 [60] | S | M | M | M | M | M | M | W | M | M | M | S | S | S | M | H |
| A2 | M | S | S | M | M | M | M | S | S | S | M | M | S | M | L | H |
| A3 | S | S | S | M | S | M | M | S | S | S | S | S | S | S | L | H |
| **Asymmetric Cryptography Primitives Based Authentication Protocols** | | | | | | | | | | | | | | | | |
| B1 | S | S | S | M | W | M | M | M | M | M | M | M | M | M | L | H |
| B2 | S | S | S | M | W | M | M | M | M | M | M | M | M | M | L | H |
| B3 | S | S | S | M | W | M | S | S | S | S | S | S | S | S | L | M |
| **Lightweight Authentication Protocols** | | | | | | | | | | | | | | | | |
| C1 | M | M | M | M | M | M | M | M | M | M | M | M | M | M | M | H |
| C2 [51] | M | S | M | M | M | M | S | M | M | M | M | S | S | S | L | L |
| C3 [51] | M | S | M | M | S | M | M | M | M | M | S | M | S | S | L | L |
| C4 [67] | M | M | M | M | M | M | M | M | M | M | M | M | M | M | M | L |
| **Ultra-lightweight Authentication Protocols** | | | | | | | | | | | | | | | | |
| D1 [36] | S | S | S | S | S | S | S | S | S | S | S | S | S | S | M | L |
| D2 [76] | M | S | M | M | M | M | M | M | M | M | M | M | S | M | L | H |
| D3 [77] | M | M | M | M | M | M | M | M | M | M | M | M | M | M | H | L |
| **Group Authentication Protocols** | | | | | | | | | | | | | | | | |
| E1 ([71]; [72]) | W | W | M | M | W | W | W | W | W | W | W | W | W | W | H | L |
| E2 [74] | W | W | M | M | W | W | W | W | W | W | W | W | W | W | M | L |
| E3 [37] | M | M | W | W | M | W | W | M | W | W | M | W | M | M | M | L |

**Table 1.** *Security and cost analysis of authentication protocols.*

*Columns Pr to MM: Possibility of Attacks on Authentication Protocols. Columns Comm and Comp: Cost Analysis.*

*Pr = Privacy, Tr = Tracking, FS = Forward Secrecy, BS = Backward Secrecy, Ea = Eavesdropping, Sk = Skimming, Cl = Cloning, RP = Replay, RL = Relay, DoS = Denial of Service, SP = Spoofing, SD = Secret Disclosure, DE = De-synchronization, MM = Man-in-the-middle, W = Weak, M = Medium, S = Strong, Comm = Communication Cost, Comp = Computational Cost, L = Low, H = High.*

#### **7. Conclusion**

In this work, RFID authentication protocols from different categories are studied and compared on security requirements and cost. Authentication protocols are categorized as: symmetric, asymmetric, lightweight, ultra-lightweight and group based authentication protocols. It is found that asymmetric cryptography based protocols are gaining popularity day-by-day and provide enough security. Symmetric and asymmetric cryptography based authentication protocols are suitable for resourceful devices. Passive RFID devices are resource constraint devices, thus lightweight or ultra-lightweight protocols are more suitable. Security in lightweight protocols is a major challenge. Hardware limitations restrict the implementation of full security on these devices. Thus, these devices can not be fully protected. Integration of asymmetric key cryptography based lightweight authentication protocols is a contemporary topic of research. These unilateral or mutual authentication protocols can be extended for group authentication. Multiple tags authenticate themselves with the reader and store group information in the data centre. This concept of group authentication is important for IoT. Authenticated devices in IoT increase the chances of secure communication in a network. Future work demands to construct a secure grouping proof protocol that is not affected with relay, replay or de-synchronization attacks.

**References**

Berlin Heidelberg.

4986

[1] Ashton, K. (2009). That 'Internet of Things' Thing, in the real world things matter more than ideas, *RFID Journal*, Retrieved July 15, 2014, from http:// www.rfidjournal.com/articles/view?

*DOI: http://dx.doi.org/10.5772/intechopen.94407*

*Survey and Analysis of Lightweight Authentication Mechanisms*

Scheme for RFID Tags and Sensor Nodes, Proceedings of the second ACM conference on Wireless network security (WiSec '09) (pp. 59–68), NY,

[10] Rabin, M. (1979). Digitized signatures and public key functions as intractable as factorization. Technical report, MIT, Cambridge, MA, USA.

*Advances in Cryptology,*

[11] Shamir, A. (1995) Memory efficient variants of public key schemes for smart card applications. In A. D. Santis (Ed.),

*EUROCRYPT'94,* LNCS, vol. 950, page 445–449, Springer-Verlag, Perugia,

[12] McEliece, R. (1978). A public key cryptosystem based on algebraic coding theory. *The Deep Space Network Progress Report,* (pp. 114-116), DSN PR 42–44.

[13] Niederreiter, H. (1986). Knapsacktype cryptosystems and algebraic coding

Information Theory, 15(2), pp. 159–166.

[14] Bringer, J., Chabanne, H. and Icart, T. (2008). Cryptanalysis of EC-RAC, a RFID Identification Protocol, In M. K. Franklin, L. C. K. Hui, and D. S. Wong, (Ed.), *CANS 2008*(pp. 149–161), LNCS 5339 Springer, Hong-Kong, Chiana.

[15] Bringer, J., Chabanne, H. and Icart, T. (2009). Efficient Zero-Knowledge Identification Schemes which respect Privacy, In W. Li, W.Susilo, U. K. Tupakula, R. Safavi-Naini, and V. Varadharajan (Ed.), *Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS* (pp. 195–205), Sydney,

[16] Cayrel, P. L., Veron, P. and Alaoui, S. M. E. Y. (2011). A Zero-Knowledge Identification Scheme Based on the qary Syndrome Decoding Problem, In A.

theory, Problems of Control and

USA.

Italy.

Australia.

[2] Uckelman D., Harrison M. and Michahelles F. (2011) Architecturing the Internet of Things. Springer-Verlag

[3] Aggarwal, C. C., Ashish, N. and Sheth, A. (2013). The Internet of Things: A Survey from the data-centric Perspective. In Aggarwal, C (Ed.), *Managing and Mining Sensor Data* (pp.

[4] Abyaneh, M. R. S. (2012). Security Analysis of Lightweight Schemes for RFID Systems. Ph. D.Thesis, University

Authenticating Pervasive Devices with Human Protocols. In V. Shoup, editor, *Advances in cryptology-Crypto 05*, LNCS 3126, pp. 293–298, Springer-Verlag.

[6] Peris-Lopez, P., Hernandez-Castro, J.

*Communication- PWCA'06*, LNCS 4217,

[7] Moore, G. E. (1965), Cramming More Components onto Integrated Circuits. Electronics: http://www.intel.com,

[8] Lopez, P. P. (2008). Lightweight Cryptography in Radio Frequency Identification (RFID) Systems, Ph. D. THESIS, UNIVERSIDAD CARLOS III

[9] Oren, Y. and Feldhofer, M. (2009). A Low-Resource Public-Key Identification

DE MADRID. Madrid, Spain.

C., Esteveze-Tapiador, J. M. and Ribagorda, A. (2006). RFID Systems: A

Survey on Security Threats and Proposed Solutions, *International Conference on Personal Wireless*

pp. 159–170, Albacete, Spain.

(1965).

**79**

383–428). Springer-Verlag.

[5] Juel A. and Weis S. (2005).

of Bergen, Norway.

## **Key terms and definitions**

| Term | Definition |
|---|---|
| Active attacks | an illegal act of modifying the information or operation to affect the system |
| Asymmetric key cryptography | a cryptosystem that uses public and private keys for encryption and decryption process is known as asymmetric key cryptosystem |
| Authentication | a process to confirm the attributes of message/user is known as message or user authentication |
| Lightweight cryptography | a least computational cost based cryptosystem designed to provide security for resource constraint devices |
| Passive attacks | an illegal use of using the important system information using affecting the resources |
| Symmetric key cryptography | a cryptosystem that uses same or symmetric key for encryption and decryption operation |
| Yoking protocol | a group of participants authenticates each other for constructing a secure environment |

### **Author details**

Adarsh Kumar<sup>1</sup>\* and Deepak Kumar Sharma<sup>2</sup>

1 Department of Systemics, School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India

2 Department of Informatics, School of Computer Science, University of Petroleum and Energy Studies, Dehradun, India

\*Address all correspondence to: adarsh.kumar@ddn.upes.ac.in

© 2020 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

*Survey and Analysis of Lightweight Authentication Mechanisms DOI: http://dx.doi.org/10.5772/intechopen.94407*

#### **References**

[1] Ashton, K. (2009). That 'Internet of Things' Thing, in the real world things matter more than ideas, *RFID Journal*, Retrieved July 15, 2014, from http://www.rfidjournal.com/articles/view?4986

[2] Uckelman D., Harrison M. and Michahelles F. (2011) Architecturing the Internet of Things. Springer-Verlag Berlin Heidelberg.

[3] Aggarwal, C. C., Ashish, N. and Sheth, A. (2013). The Internet of Things: A Survey from the data-centric Perspective. In Aggarwal, C (Ed.), *Managing and Mining Sensor Data* (pp. 383–428). Springer-Verlag.

[4] Abyaneh, M. R. S. (2012). Security Analysis of Lightweight Schemes for RFID Systems. Ph. D.Thesis, University of Bergen, Norway.

[5] Juels A. and Weis S. (2005). Authenticating Pervasive Devices with Human Protocols. In V. Shoup, editor, *Advances in cryptology-Crypto 05*, LNCS 3126, pp. 293–298, Springer-Verlag.

[6] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M. and Ribagorda, A. (2006). RFID Systems: A Survey on Security Threats and Proposed Solutions, *International Conference on Personal Wireless Communication- PWCA'06*, LNCS 4217, pp. 159–170, Albacete, Spain.

[7] Moore, G. E. (1965), Cramming More Components onto Integrated Circuits. Electronics: http://www.intel.com, (1965).

[8] Lopez, P. P. (2008). Lightweight Cryptography in Radio Frequency Identification (RFID) Systems, Ph. D. THESIS, UNIVERSIDAD CARLOS III DE MADRID. Madrid, Spain.

[9] Oren, Y. and Feldhofer, M. (2009). A Low-Resource Public-Key Identification Scheme for RFID Tags and Sensor Nodes, Proceedings of the second ACM conference on Wireless network security (WiSec '09) (pp. 59–68), NY, USA.

[10] Rabin, M. (1979). Digitized signatures and public key functions as intractable as factorization. Technical report, MIT, Cambridge, MA, USA.

[11] Shamir, A. (1995) Memory efficient variants of public key schemes for smart card applications. In A. D. Santis (Ed.), *Advances in Cryptology, EUROCRYPT'94,* LNCS, vol. 950, page 445–449, Springer-Verlag, Perugia, Italy.

[12] McEliece, R. (1978). A public key cryptosystem based on algebraic coding theory. *The Deep Space Network Progress Report,* (pp. 114-116), DSN PR 42–44.

[13] Niederreiter, H. (1986). Knapsacktype cryptosystems and algebraic coding theory, Problems of Control and Information Theory, 15(2), pp. 159–166.

[14] Bringer, J., Chabanne, H. and Icart, T. (2008). Cryptanalysis of EC-RAC, a RFID Identification Protocol, In M. K. Franklin, L. C. K. Hui, and D. S. Wong, (Ed.), *CANS 2008* (pp. 149–161), LNCS 5339 Springer, Hong-Kong, China.

[15] Bringer, J., Chabanne, H. and Icart, T. (2009). Efficient Zero-Knowledge Identification Schemes which respect Privacy, In W. Li, W. Susilo, U. K. Tupakula, R. Safavi-Naini, and V. Varadharajan (Ed.), *Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS* (pp. 195–205), Sydney, Australia.

[16] Cayrel, P. L., Veron, P. and Alaoui, S. M. E. Y. (2011). A Zero-Knowledge Identification Scheme Based on the q-ary Syndrome Decoding Problem, In A. Biryukov, G. Gong and D. R. Stinson (Eds.), *SAC 2010* (pp. 171–186), LNCS 6544, Ontario, Canada.

[17] Faugere, J.-C., Otmani, A., Perret, L. and Tillich, J.-P. (2010). Algebraic cryptanalysis of McEliece variants with compact keys, In: Gilbert, H. (ed.) *EUROCRYPT 2010* (pp. 279–298)*,* LNCS 6110, Springer, Heidelberg, France.

[18] Fiat, A. and Shamir, A. (1986). How to prove yourself: Practical solutions to identification and signature problems, In Andrew M. Odlyzko (Ed.), *Advances in Cryptology-CRYPTO'86,* (pp. 186–194), Santa Barbara, California, USA.

[19] Fiat, A. and Shamir, A. (1987). Unforgeable proofs of identity, Securicom 87 (pp. 147-153). Paris, France.

[20] Feige, U., Fiat, A. and Shamir, A. (1988). Zero-knowledge proofs of identity, J. Cryptology, vol. 1(2), pp. 77–94.

[21] Gauthier Umana, V. and Leander, G. (2009). Practical key recovery attacks on two McEliece variants, *IACR ePrint Archive*, http://eprint.iacr.org/2009/509.pdf

[22] Guillou, L. C. and Quisquater, J. J. (1988). A "paradoxical" identity-based signature scheme resulting from zero knowledge, In Shafi Goldwasser, (Ed.), *Advances in Cryptology CRYPTO '88* (pp. 216–231). *8th Annual International Cryptology Conference,* Santa Barbara, California, USA.

[23] Micali, S. and Shamir, A. (1988). An improvement of the Fiat-Shamir identification and signature scheme. In Shafi Goldwasser, (Ed.). *Advances in Cryptology CRYPTO '88, 8th Annual International Cryptology Conference* (pp. 244–247). Santa Barbara, California, USA.

[24] Peters, C. (2009). Information-set decoding for linear codes over Fq, *IACR Archive*: http://eprint.iacr.org/2009/589.

[25] Quisquater, J. J. and Guillou, L. (2000). The new Guillou Quisquater Scheme, *In Proceedings of the RSA 2000 conference*.

[33] Molnar, D., Soppera, A. and Wagner, D. (2006). A scalable delegatable pseudonym protocol enabling ownership transfer of RFID tags, *In Selected Areas in Cryptography* (pp. 276–290), Kingston, ON, Canada.

*DOI: http://dx.doi.org/10.5772/intechopen.94407*

*Survey and Analysis of Lightweight Authentication Mechanisms*

[41] Gaborit, P. and Girault, M. (2007). Lightweight code-based identification and signatures, *IEEE International Symposium on Information Theory* 2007,

*ISIT 2007* (pp. 191–195), Nice.

(2011). Lightweight RFID

(1), pp. 11:1–11:26.

(1), pp. 73–77.

(2), pp. 315–317.

(2), pp. 381–394.

[46] Koh, R., Schuster, E. and Chackrabarti, I. (2003). A. Bellman, Securing the pharmaceutical supply chain, White Paper, Auto-ID Labs, Massachusetts Institute of Technology.

[48] Lehtonem, M., Staake, T.,

A Review of RFID Product

*RFID Systems and Lightweight Cryptography,* P. H. Cole, D. C. Ranasinghe (Ed.), pp. 169–187.

[42] Burmester, M. and Munilla, J.

Authentication with Forward and Backward Security, ACM Transactions on Information and System Security*,* 14

[43] Cao, T., Bertino, E. and Lei, H. (2009). Security analysis of the SASI protocol, IEEE Transactions on Dependable and Secure Computing*,* 6

[44] Sun, H.-M., Ting, W. C., and Wang, K. H. (2011). On the security of Chien's ultralightweight RFID authentication protocol, IEEE Transaction on

Dependable and Secure Computing, 8

[45] Juels A. (2005). RFID security and privacy: A research survey, IEEE Journal on Selected Areas in Communication, 24

[47] Takaragi, K. Usami, M., Imura, R., Itsuki, R. and Satoh, T. (2001). An ultra small individual recognition security chip, IEEE Micro*,* 21(6), pp. 43–49.

Michahelles, F. and Fleisch, E. (2007). From Identification to Authentication-

Authentication Techniues, *Networked*

[49] Yu, S., Ren, K. and Lou, W. (2007) A Privacy-preserving Lightweight

[34] Saito, J., Imamoto, K. and Sakurai, K. (2005). Reassignment scheme of an RFID tags key for owner transfer, Embedded and Ubiquitous Computing (pp. 1303–1312), Nagasaki, Japan.

[35] Tippenhauer, N. and Capkun, S. (2009). Id-Based Distance Bounding and Localization, *Proc. 14th European Conf. Research in Computer Security (ESORICS '09)* (pp. 621–636), Saint-

[36] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M. and Ribagorda, A. (2011a). Attacking RFID Systems, In Harold F., Nozaki K., Tipton, M. (Ed.), *Information Security Management Handbook (*pp. 313–334),

[37] Peris-Lopez, P. Orla, A., Hernandez-Castro, J. C. and Lubbe, J. C. (2011b). Flaws on RFID grouping-proofs. Guidelines for future sound protocols, *in* Journal of Network and Computer Applications, 34(3), pp. 833–845.

[38] Chandran, N., Goyal, V., Moriarty, R. and Ostrovsky, R. (2009). Position Based Cryptography, *Proc. Int'l Cryptology Conf. (CRYPTO'09)* (pp. 391–407), Santabarbara, CA, USA.

[39] Shmatikov, V. and Wang, M. H. (2007). Secure Verification of location claims with Simultaneous Distance Modification, *Proc. 12th Ann. Asian Computing Science Conf. (Asian '07)*

[40] Wei, Y. Yu, Z. and Guan, Y. (2013). Location verification algorithms for wireless sensor networks, IEEE

Transactions on Parallel and Distributed

(pp. 181–195), Doha, Qatar.

Systems*,* 24(5), pp. 938–950.

**81**

Malo, France.

Auerbach Publications.

[26] Shamir, A. (1987). The search for provably secure identification schemes, Proceedings of the International Congress of Mathematicians (pp. 1488–1495), Berkeley, CA, USA.

[27] Stern, J. (1989a). A method for finding codewords of small weight. In Wolfmann, J., Cohen, G. (eds.), *Coding Theory and Applications 1988* (pp. 106–113), LNCS 388, Springer, Heidelberg, Toulon, France.

[28] Stern, J. (1989b). A method for finding codewords of small weight. In Wolfmann, J., Cohen, G. (eds.), *Coding Theory and Applications 1988* (pp. 106–113), LNCS 388, Springer, Heidelberg, Toulon, France.

[29] Stern, J. (1994). A new identification scheme based on syndrome decoding, In: Stinson, D. R. (ed.) *CRYPTO 1993* (pp. 13–21)*,* LNCS 773, Springer, Heidelberg, Santa Barbara, California, USA.

[30] Aguilar, C., Gaborit, P. and Schrek, J. (2011). A new zero-knowledge code based identification scheme with reduced communication, *CoRR abs/1111.1644*.

[31] Chiang, J. T., Haas, J. and Hu, Y. C. (2009). Secure and Precise Location Verification Using Distance Bounding and Simultaneous Multilateration, *Proc. Second ACM Conf. Wireless Network Security (WiSec '09)* (pp. 181–192), Zurich, Switzerland.

[32] Hancke, G. and Kuhn, M. (2005). An RFID Distance Bounding Protocol, *In Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm)* (pp. 67–73), Athens.


[33] Molnar, D., Soppera, A. and Wagner, D. (2006). A scalable delegatable pseudonym protocol enabling ownership transfer of RFID tags, *In Selected Areas in Cryptography* (pp. 276–290), Kingston, ON, Canada.

Biryukov, G. Gong and D. R. Stinson (Eds.), *SAC 2010* (pp. 171–186), LNCS

*Cryptography - Recent Advances and Future Developments*

[25] Quisquater, J. J. and Guilion, L. (2000). The new Guilion Quisquater Scheme, *In Proceedings of the RSA 2000*

[26] Shamir, A. (1987). The search for provably secure identification schemes, Proceedings of the International Congress of Mathematicians(pp. 1488–

[27] Stern, J. (1989a). A method for finding codewords of small weight. In Wolfmann, J., Cohen, G. (eds.), *Coding Theory and Applications 1988* (pp. 106– 113), LNCS 388, Springer, Heidelberg,

[28] Stern, J. (1989b). A method for finding codewords of small weight. In Wolfmann, J., Cohen, G. (eds.), *Coding Theory and Applications 1988* (pp. 106– 113), LNCS 388, Springer, Heidelberg,

[29] Stern, J.(1994). A new identification scheme based on syndrome decoding, In: Stinson, D. R. (ed.) *CRYPTO 1993* (pp. 13–21)*,* LNCS 773, Springer, Heidelberg, Santa Barbara, California,

[30] Aguilar, C., Gaborit, P. and Schrek, J. (2011). A new zero-knowledge code based identification scheme with reduced communication, *CoRR abs/*

[31] Chiang, J. T., Haas, J. and Hu, Y. C. (2009). Secure and Precise Location Verification Using Distance Bounding and Simultaneous Multilateration, *Proc. Second ACM Conf. Wireless Network Security (WiSec '09)* (pp. 181–192),

[32] Hancke, G. and Kuhn, M. (2005). An RFID Distance Bounding Protocol, *In Conference on Security and Privacy for Emerging Areas in Communication Networks (SecureComm)* (pp. 67–73),

1495), Berkeley, CA, USA.

Toulon, France.

Toulon, France.

USA.

*1111.1644*.

Athens.

Zurich, Switzerland.

*conference*.

[17] Faugere, J.-C., Otmani, A., Perret, L. and Tillich, J.-P.(2010). Algebraic cryptanalysis of mcEliece variants with compact keys, In: Gilbert, H. (ed.) *EUROCRYPT 2010* (pp. 279–298)*,* LNCS 6110, Springer, Heidelberg, France.

[18] Fiat, A. and Shamir, A. (1986). How to prove yourself: Practical solutions to identification and signature problems, In Andrew M. Odlyzko (Ed.), *Advances in Cryptology-CRYPTO'86,* (pp. 186– 194), Santa Barba, California, USA.

[19] Fiat, A. and Shamir, A. (1987). Unforgeable proofs of identity, Securicom 87 (pp. 147-153). Paris,

[20] Feige, U., Fiat, A. and Shamir, A. (1988). Zero-knowledge proofs of identity, J. Cryptology, vol. 1(2),

[21] Gauthier Umana, V. and Leander, G. (2009). Practical key recovery attacks on two McEliece variants, *IACR ePrint Archive*, http://eprint.iacr.org/

[22] Guilion, L. C. and Quisquater, J. J. (1988). A "paradoxical" identity-based signature scheme resulting from zero knowledge, In Shafi Goldwasser, (Ed.), *Advances in Cryptology CRYPTO '88*(pp. 216–231). *8th Annual International Cryptology Conference,* Santa Barba,

[23] Micali, S. and Shamir, A. (1988). An

[24] Peters, C. (2009). Information-set decoding for linear codes over Fq, *ICAR Archive*: http://eprint.iacr.org/2009/589.

improvement of the Fiat-Shamir identification and signature scheme. In Shafi Goldwasser, (Ed.). *Advances in Cryptology CRYPTO '88, 8th Annual International Cryptology Conference* (pp. 244–247). Santa Barba, California, USA.

France.

pp. 77–94.

2009/509.pdf

California, USA.

**80**

6544, Ontano, Canada.

[34] Saito, J., Imamoto, K. and Sakurai, K. (2005). Reassignment scheme of an RFID tags key for owner transfer, Embedded and Ubiquitous Computing (pp. 1303–1312), Nagasaki, Japan.

[35] Tippenhauer, N. and Capkun, S. (2009). Id-Based Distance Bounding and Localization, *Proc. 14th European Conf. Research in Computer Security (ESORICS '09)* (pp. 621–636), Saint-Malo, France.

[36] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M. and Ribagorda, A. (2011a). Attacking RFID Systems, In Harold F., Nozaki K., Tipton, M. (Ed.), *Information Security Management Handbook (*pp. 313–334), Auerbach Publications.

[37] Peris-Lopez, P. Orla, A., Hernandez-Castro, J. C. and Lubbe, J. C. (2011b). Flaws on RFID grouping-proofs. Guidelines for future sound protocols, *in* Journal of Network and Computer Applications, 34(3), pp. 833–845.

[38] Chandran, N., Goyal, V., Moriarty, R. and Ostrovsky, R. (2009). Position Based Cryptography, *Proc. Int'l Cryptology Conf. (CRYPTO'09)* (pp. 391–407), Santa Barbara, CA, USA.

[39] Shmatikov, V. and Wang, M. H. (2007). Secure Verification of location claims with Simultaneous Distance Modification, *Proc. 12th Ann. Asian Computing Science Conf. (Asian '07)* (pp. 181–195), Doha, Qatar.

[40] Wei, Y. Yu, Z. and Guan, Y. (2013). Location verification algorithms for wireless sensor networks, IEEE Transactions on Parallel and Distributed Systems*,* 24(5), pp. 938–950.

[41] Gaborit, P. and Girault, M. (2007). Lightweight code-based identification and signatures, *IEEE International Symposium on Information Theory* 2007, *ISIT 2007* (pp. 191–195), Nice.

[42] Burmester, M. and Munilla, J. (2011). Lightweight RFID Authentication with Forward and Backward Security, ACM Transactions on Information and System Security*,* 14 (1), pp. 11:1–11:26.

[43] Cao, T., Bertino, E. and Lei, H. (2009). Security analysis of the SASI protocol, IEEE Transactions on Dependable and Secure Computing*,* 6 (1), pp. 73–77.

[44] Sun, H.-M., Ting, W. C., and Wang, K. H. (2011). On the security of Chien's ultralightweight RFID authentication protocol, IEEE Transaction on Dependable and Secure Computing, 8 (2), pp. 315–317.

[45] Juels A. (2005). RFID security and privacy: A research survey, IEEE Journal on Selected Areas in Communication, 24 (2), pp. 381–394.

[46] Koh, R., Schuster, E. and Chackrabarti, I. (2003). A. Bellman, Securing the pharmaceutical supply chain, White Paper, Auto-ID Labs, Massachusetts Institute of Technology.

[47] Takaragi, K. Usami, M., Imura, R., Itsuki, R. and Satoh, T. (2001). An ultra small individual recognition security chip, IEEE Micro*,* 21(6), pp. 43–49.

[48] Lehtonen, M., Staake, T., Michahelles, F. and Fleisch, E. (2007). From Identification to Authentication-A Review of RFID Product Authentication Techniques, *Networked RFID Systems and Lightweight Cryptography,* P. H. Cole, D. C. Ranasinghe (Ed.), pp. 169–187.

[49] Yu, S., Ren, K. and Lou, W. (2007) A Privacy-preserving Lightweight Authentication Protocol for Low-Cost RFID Tags. *Military Communication Conference, MILCOM 2007* (pp. 1–7)*,* Orlando, FL, USA.

[50] Burmester, M., Le, T. V. and Medeiros, B. D. (2009). Universally Composable RFID Identification and Authentication Protocols, *ACM Transaction on Information and Systems Security*, 2(4), pp. 21:1–21:33.

[51] Mitra, M. (2008). Privacy for RFID systems to prevent tracking and cloning, International Journal of Computer Science and Network Security, 8(1), pp. 1–5.

[52] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M., Li, T. and Lubbe, J. C. A. van Der, (2010). Weaknesses in Two Recent Lightweight RFID Authentication Protocols, Information Security and Cryptology (pp. 383–392), Beijing, China.

[53] Tian, Y., Chen G. and Li, J. (May 2012). A New Ultralightweight RFID Authentication Protocol with Permutation, IEEE Communications Letters, 16(5), pp. 702–705.

[54] Haber, S. and Stornetta, W.(1991). How to time-stamp a digital document, Journal of Cryptology, 3(2), pp. 99–111.

[55] Deursen TV and Radomirović S. (2010). EC-RAC: Enriching a Capacious RFID Attack Collection, RFIDSec 2010 (pp. 75–90), Istanbul, Turkey.

[56] Fan, J., Hermans, J. and Vercauteren, F. (2010). On the claimed privacy of EC-RAC III, RFIDSec 2010 (pp. 66–74), Istanbul, Turkey.

[57] Chien, H. Y. and Liu, S. B. (2009). Tree-Based RFID Yoking Proof, *International conference on Networks Security,* Wireless Communications and Trusted Computing (NSWCTC'09)*,* pp. 550–553.

[58] Duc, D. N. and Kim, K. (2009). Grouping-proof protocol for rfid tags: Security definition and scalable construction, *Cryptology ePrint Archive*, Report 2009/609, http://eprint.iacr.org/

*DOI: http://dx.doi.org/10.5772/intechopen.94407*

*Survey and Analysis of Lightweight Authentication Mechanisms*

[72] Juels, A. (2006). RFID Security and Privacy: A Research Survey, IEEE Journals on Selected Area in

Communications*,* 24(2), pp. 381–394.

[73] Lin, E.-C., Lai, Y.-C., Tygar, J. D., Yang, C.-K. and Chiang, C.-L. (2007). Coexistence proof using chain of timestamps for multiple RFID tags, In: Chang, K. C.-C., Wang, W., Chen, L., Ellis, C. A., Hsu, C.-H., Tsoi, A. C., Wang, H. (Eds.), *International*

*Workshop on DataBase Management and Application over Networks – DBMAN 2007* (pp. 634–643)*,* LNCS 4537, Springer-Verlag, Huang Shan, China.

[74] Saito, J. and Sakurai, K. (2005). Grouping Proof for RFID Tags, *International Conference on Advanced*

[75] Bagheri, N. And Safkhani, M. (2013). Secret Disclosure attack on Kazahaya, a Yoking-Proof For Low-Cost RFID Tags, *IACR Cryptology ePrint Archive 2013*: 453. https://eprint.iacr.

[76] Hung-Yu Chein and Chen-Wei Huang. (2007). A lightweight RFID protocol using substring, In Embedded and Ubiquitous Computing (EUC 2007)

(pp. 422–431), Taipei, Taiwan.

Reza Aref, M. (2013).

[77] Ahmadian, Z., Salmasizadeh, M. and

Desynchronization Attack on RAPP Ultralightweight Authhentication Protocol, Information Processing Letters*,* 113(7), pp. 206–209.

*Information Networking and Applications-AINA*, (pp. 621–624),

Taiwan.

org/2013/453.pdf

[66] Qingling, C., Yiju, Z. And Yonghua,

authentication protocol for RFID system and BAN logic analysis. *CCCM 2008*

[67] Liu, Y., Qin, X., Wang, C. and Li, B.

[68] Cho, J.-S., Yeo, S.-S, Hwang, S., Rhee, S.-Y. And Kim, S. K. (2008). Enhanced yoking proof protocols for RFID tags and tag groups. *International Conference on Advanced Information Networking and Applications- Workshop-AINAW 2008* (pp. 1591–1596), IEEE Computer Society, Okinawa, Japan, pp.

[69] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M. and Ribagords, A. (2007). Solving the Simultaneous Scanning Problem Anonymously: Clumping Proofs for RFID Tags, In IEEE International Conference on Pervasive Services, Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing-SecPerU 2007(pp. 55–60), IEEE, IEEE Computer Society Press,

[70] Piramuthu, S. (2006). On Existence Proofs for Multiple RFID Tags, *IEEE International Conference on Pervasive Services, Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing –SecPerU 2006,* IEEE, IEEE Computer Society Press, Lyon, France.

[71] Juels, A. (2004). Yoking-Proofs for RFID Tags, In: Sandhu, R., Thomas, R. (Eds.), *International Workshop on Pervasive Computing and Communication Security- PerSec 2004* (pp. 138–143)*,* IEEE, IEEE Computer Society, Orlando,

W. (2008). A minimalist mutual

(pp. 449–453), Guangzhou.

(2013). A Lightweight RFID Authentication Protocol based on Elliptic Curve Cryptography, Journal of Computers, 8(11), pp. 2880–2887.

1591–1596.

Istanbul, Turkey.

Florida, USA.

**83**

72-75).Phoenix, AZ.

[59] Burmester, M., de Medeiros, B. and Motta, R. (2008). Provably Secure Grouping Proofs for RFID Tags, Proceedings of the 8th Smart Card Research and Advanced Applications-CARDIS 2008 (pp. 176–190), Springer, Royal Holloway University of London, UK.

[60] Cheng, Z. Y., Liu, Y., Chang, C. C. and Chang, S.C. (2013). Authenticated RFID security mechanism based on chaotic maps, Security and Communication Networks*,* 6(2), pp. 247–256.

[61] Akgun, M. and Caglayan, M. U. (2013). Weaknesses in a Recently Proposed RFID Authentication Protocol, *IACR Cryptology ePrint Archive:* https://eprint.iacr.org/2013/855.

[62] Biasi, F. P., Barreto, S. L. M. B., Misoczki, R. and Ruggiero, W. V. (2012). Scaling efficient code-based cryptosystems for embedded platforms, *CoRR, abs/1212.4317*

[63] Mujahid, U., Najam-ul-islam, M., Ahmed, J. and Mujahid, Us. (2013). Cryptanalysis of ultralightweight RFID authentication protocol, *Cryptology ePrint Archive,* Report 2013/385.

[64] Pearson, J. (2005). Securing the pharmaceutical supply chain with RFID and public key infrastructure (PKI) technologies, Texas instruments White Paper, Available from: http://www.ti.com/rfid/docs/docntr.shtml

[65] Nochta, Z., Staake, T. and Fleisch, E. (2006). Product Specific Security Features Based on RFID Technology, International Symposium on Applications and the Internet Workshops (SAINTW'06), 2006 (pp. 72–75). Phoenix, AZ.

Authentication Protocol for Low-Cost RFID Tags. *Military Communication Conference, MILCOM 2007* (pp. 1–7)*,*

*Cryptography - Recent Advances and Future Developments*

[58] Due, D. N. and Kim, K. (2009). Grouping-proof protocol for rfid tags: Security definition and scalable

construction, *Cryptology ePrint Archive*, Report 2009/609, http://eprint.iacr.org/

[59] Burmester, M., de Medeiros, B. and Motta, R. (2008). Provably Secure Grouping Proofs for RFID Tags, Proceedings of the 8th Smart Card Research and Advanced Applications-CARDIS 2008(pp. 176–190), Springer,

[60] Cheng, Z. Y., Liu, Y., Chang, C. C. and Chang, S.C. (2013). Authenticated RFID security mechanism based on

[61] Akgun, M. and Caglayan, M. U. (2013). Weaknesses in a Recently Proposed RFID Authentication Protocol, *IACR Cryptology ePrint Archive:* https://

[62] Biasi, F. P., Barreto, S. L. M. B., Misoczki, R. and Ruggiero, W. V. (2012). Scaling efficient code-based cryptosystems for embedded platforms,

[63] Mujahid, U., Najam-ul-islam, M., Ahmed, J. and Mujahid, Us. (2013). Cryptanalysis of ultralightweight RFID authentication protocol, *Cryptology ePrint Archive,* Report 2013/385.

[64] Pearson, J. (2005). Securing the pharmaceutical supply chain with RFID and public key infrastructure (PKI) technologies, Texas instruments White Paper, Available from: http://www.ti.

[65] Nochta, Z., Staake, T. and Fleisch, E. (2006). Product Specific Security Features Based on RFID Technology,

com/rfid/docs/docntr.shtml

International Symposium on Applications and the Internet

Royal Holloway University of

chaotic maps, Security and Communication Networks*,* 6(2),

eprint.iacr.org/2013/855.

*CoRR, abs/1212.4317*

London, UK.

pp. 247–256.

[50] Burmester, M., Le, T. V. and Medeiros, B. D. (2009). Universally Composable RFID Identification and Authentication Protocols, *ACM Transaction on Information and Systems*

*Security*, 2(4), pp. 21:1–21:33.

[51] Mitra, M. (2008). Privacy for RFID systems to prevent tracking and cloning, International Journal of Computer Science and Network Security, 8(1),

[52] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M., Li, T. and

Weaknesses in Two Recent Lightweight

[53] Tian, Y., Chen G. and Li, J. (May 2012). A New Ultralightweight RFID

[54] Haber, S. and Stornetta, W.(1991). How to time-stamp a digital document, Journal of Cryptology, 3(2), pp. 99–111.

[55] Deursen TV and Radomirovie S. (2010). EC-RAC: Enriching a Capacious RFID Attack Collection, RFIDSec 2010

Vercauteren, F. (2010). On the claimed privacy of EC-RAC III, RFIDSec 2010 (pp. 66–74), Istanbul, Turkey.

[57] Chien, H. Y. and Liu, S. B. (2009). Tree-Based RFID Yoking Proof, *International conference on Networks Security,* Wireless Communications and Trusted Computing (NSWCTC'09)*,*

(pp. 75–90), Istanbul, Turkey.

[56] Fan, J., Hermans, J. and

pp. 550–553.

**82**

Lubbe, J. C. A. van Der, (2010).

RFID Authentication Protocols, Information Security and Cryptology (pp. 383–392), Beijing, China.

Authentication Protocol with Permutation, IEEE Communications

Letters, 16(5), pp. 702–705.

Orlando, FL, USA.

pp. 1–5.

[66] Qingling, C., Yiju, Z. And Yonghua, W. (2008). A minimalist mutual authentication protocol for RFID system and BAN logic analysis. *CCCM 2008* (pp. 449–453), Guangzhou.

[67] Liu, Y., Qin, X., Wang, C. and Li, B. (2013). A Lightweight RFID Authentication Protocol based on Elliptic Curve Cryptography, Journal of Computers, 8(11), pp. 2880–2887.

[68] Cho, J.-S., Yeo, S.-S, Hwang, S., Rhee, S.-Y. And Kim, S. K. (2008). Enhanced yoking proof protocols for RFID tags and tag groups. *International Conference on Advanced Information Networking and Applications- Workshop-AINAW 2008* (pp. 1591–1596), IEEE Computer Society, Okinawa, Japan, pp. 1591–1596.

[69] Peris-Lopez, P., Hernandez-Castro, J. C., Estevez-Tapiador, J. M. and Ribagorda, A. (2007). Solving the Simultaneous Scanning Problem Anonymously: Clumping Proofs for RFID Tags, In IEEE International Conference on Pervasive Services, Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing-SecPerU 2007 (pp. 55–60), IEEE, IEEE Computer Society Press, Istanbul, Turkey.

[70] Piramuthu, S. (2006). On Existence Proofs for Multiple RFID Tags, *IEEE International Conference on Pervasive Services, Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing –SecPerU 2006,* IEEE, IEEE Computer Society Press, Lyon, France.

[71] Juels, A. (2004). Yoking-Proofs for RFID Tags, In: Sandhu, R., Thomas, R. (Eds.), *International Workshop on Pervasive Computing and Communication Security- PerSec 2004* (pp. 138–143)*,* IEEE, IEEE Computer Society, Orlando, Florida, USA.

[72] Juels, A. (2006). RFID Security and Privacy: A Research Survey, IEEE Journals on Selected Area in Communications*,* 24(2), pp. 381–394.

[73] Lin, E.-C., Lai, Y.-C., Tygar, J. D., Yang, C.-K. and Chiang, C.-L. (2007). Coexistence proof using chain of timestamps for multiple RFID tags, In: Chang, K. C.-C., Wang, W., Chen, L., Ellis, C. A., Hsu, C.-H., Tsoi, A. C., Wang, H. (Eds.), *International Workshop on DataBase Management and Application over Networks – DBMAN 2007* (pp. 634–643)*,* LNCS 4537, Springer-Verlag, Huang Shan, China.

[74] Saito, J. and Sakurai, K. (2005). Grouping Proof for RFID Tags, *International Conference on Advanced Information Networking and Applications-AINA*, (pp. 621–624), Taiwan.

[75] Bagheri, N. And Safkhani, M. (2013). Secret Disclosure attack on Kazahaya, a Yoking-Proof For Low-Cost RFID Tags, *IACR Cryptology ePrint Archive 2013*: 453. https://eprint.iacr.org/2013/453.pdf

[76] Hung-Yu Chien and Chen-Wei Huang. (2007). A lightweight RFID protocol using substring, In Embedded and Ubiquitous Computing (EUC 2007) (pp. 422–431), Taipei, Taiwan.

[77] Ahmadian, Z., Salmasizadeh, M. and Reza Aref, M. (2013). Desynchronization Attack on RAPP Ultralightweight Authentication Protocol, Information Processing Letters*,* 113(7), pp. 206–209.

**Chapter 5**

Security and Privacy of PUF-Based RFID Systems

*Ferucio Laurenţiu Ţiplea, Cristian Andriesei and Cristian Hristea*

**Abstract**

The last decade has shown an increasing interest in the use of the physically unclonable function (PUF) technology in the design of radio frequency identification (RFID) systems. PUFs can bring extra security and privacy at the physical level that cannot be obtained by symmetric or asymmetric cryptography at the moment. However, many PUF-based RFID schemes proposed in recent years do not even achieve the lowest privacy level in reputable security and privacy models, such as Vaudenay's model. In contrast, the lowest privacy in this model can be achieved through standard RFID schemes that use only symmetric cryptography. The purpose of this chapter is to analyze this aspect. Thus, the need to use formal models in the study of the security and privacy of (PUF-based) RFID schemes is emphasized. We broadly discuss the tag corruption oracle and highlight some aspects that can lead to schemes without security or privacy. We also insist on the need to formally treat the cryptographic properties of PUFs to obtain security and privacy proofs. In the end, we point out a significant benefit of using PUF technology in RFID, namely getting schemes that offer destructive privacy in Vaudenay's model.

**Keywords:** Radio Frequency Identification (RFID), Physically Unclonable Function (PUF), security, privacy

**1. Introduction**

Although the roots of the *Radio Frequency Identification* (RFID) technology can be traced back to World War II, the ancestor of modern RFID technology was introduced by Cardullo and Parks in 1973 [1] when the two proposed a passive radio transponder with memory. In recent years, RFID technology has become increasingly popular and its applicability has expanded to more and more diverse and complex domains and systems. It is worth mentioning here process automation, tracking and identification, toll collection, public transportation, national IDs and passports, medical healthcare systems, pharmaceutical systems, and so on.

From a scientific point of view, RFID has become a well-defined research field, counting more than fifteen thousand scientific papers and books indexed by IEEE, Springer, and Elsevier, and more than twenty-two thousand patents or patent applications indexed by the three most essential regional patent databases (USA, Europe, and Japan) [2]. All of these highlight a rich palette of research directions in RFID technology, such as: system implementation, design principles, chipless implementations, IoT integration, security, and so on.

#### **Chapter 5**
