Literature DB >> 32867181

A Novel Lightweight Authentication Scheme for RFID-Based Healthcare Systems.

Feng Zhu1,2, Peng Li1,2, He Xu1,2, Ruchuan Wang1,2.   

Abstract

The Internet of Things (IoT) has been integrated into legacy healthcare systems for the purpose of improving healthcare processes. As one of the key technologies of IoT, radio frequency identification (RFID) technology has been applied to offer services like patient monitoring, drug administration, and medical asset tracking. However, people have concerns about the security and privacy of RFID-based healthcare systems, which require a proper solution. To solve the problem, recently in 2019, Fan et al. proposed a lightweight RFID authentication scheme in the IEEE Network. They claimed that their scheme can resist various attacks in RFID systems with low implementation cost, and thus is suitable for RFID-based healthcare systems. In this article, our contributions mainly consist of two parts. First, we analyze the security of Fan et al.'s scheme and find out its security vulnerabilities. Second, we propose a novel lightweight authentication scheme to overcome these security weaknesses. The security analysis shows that our scheme can satisfy the necessary security requirements. Besides, the performance evaluation demonstrates that our scheme is of low cost. Thus, our scheme is well-suited for practical RFID-based healthcare systems.

Entities:  

Keywords:  authentication; healthcare systems; lightweight; radio frequency identification; security

Mesh:

Year:  2020        PMID: 32867181      PMCID: PMC7506697          DOI: 10.3390/s20174846

Source DB:  PubMed          Journal:  Sensors (Basel)        ISSN: 1424-8220            Impact factor:   3.576


1. Introduction

The Internet of Things (IoT), as its name implies, means to connect a large number of objects to the Internet, such as smartphones, vehicles, sensors, and wearable devices [1]. Nowadays, IoT has gradually penetrated into our daily life, providing services and resources in various domains, including healthcare, smart cities, home automation, smart grid, industrial manufacturing, logistics, business management, and intelligent transportation [2,3]. One of the fundamental technologies of IoT is radio frequency identification (RFID) [4]. RFID uses radio waves for short-range communication so as to provide contactless and automatic object identification [5]. A typical RFID system consists of three components: RFID tag, reader, and server. In the system, each tag is attached to an object and usually stores the information about the object. The reader plays a role as the intermediary between the tag and the server. To identify an object, the reader first retrieves the object information from the tag and then sends it to the server for further processing. With the nice feature of noncontact automatic identification, in recent years, RFID technology has been applied in healthcare systems for providing intelligent services such as patient monitoring, drug administration, and medical asset tracking [6]. The architecture of a common RFID-based healthcare system is demonstrated in Figure 1. A patient in the system is given a wearable device (e.g., a smart wristband) that contains a sensor and a tag. The sensor in the wearable device collects the patient’s medical data and then stores it in the tag. A nurse can read the patient data from the tag using a reader. The data is then transmitted to the server so that doctors can remotely access the patient information, which helps with the goal of real-time patient monitoring. In addition, medication errors [7] caused by inadequate patient monitoring can be reduced. Drugs are also attached with tags so that medical staff can easily check their integrity and availability with a reader. Medical staff can further verify whether the right drug is being given to the right patient. According to the U.S. Food and Drug Administration [8], the improvement of drug management can also help reduce the number of medication errors. By integrating with RFID technology, hospitals can track medical assets in order to mitigate theft loss, improve resource utilization, and save costs [6]. Thus, patients and medical staff can benefit a lot from these services.
Figure 1

A typical radio frequency identification (RFID)-based healthcare system.

Although an RFID-based healthcare system has lots of advantages over a traditional one, it suffers from new security and privacy risks [9]. For example, if an adversary can track a tag embedded in the smart wristband of a patient, the location of the patient is known by the adversary. Furthermore, an adversary may impersonate as a legitimate reader to collect a patient’s medical data from the patient’s smart wristband, leading to medical privacy leakage. Hence, a suitable solution to secure RFID-based healthcare systems is urgently needed. RFID systems have two common architectures. One is that the reader is fixed and has a wired connection to the server. The other is that the reader is portable and connects to the server wirelessly. In the former one, there is a special cable for the connection between the server and the reader so the channel is considered to be safe, while the channel in the latter one is deemed to be insecure due to the wireless connection between the server and the reader [10]. With the advances of mobile technology, the second architecture has become the mainstream of RFID systems so our article mainly considers this architecture. Besides, in either architecture, since the reader and tag use radio waves for communication, the channel between them is unsafe. A straightforward idea for securing an RFID system is to encrypt all the communications. However, in practical RFID systems, especially the large ones, tags conforming to the Electronics Product Code Class-1 Generation-2 (short for EPC C1G2) standard [11] are most widely used due to the low price. EPC C1G2 tags have limited computation power and storage capacity and thus only support restricted operations such as exclusive-OR, cyclic redundancy check calculation, and pseudorandom number generation. Besides, such low-cost tags usually have no more than 2000 equivalent gates available for security purposes [12], which is insufficient for standard cryptographic algorithms. For instance, the smallest known implementation of the Advanced Encryption Standard (AES) algorithm needs 2400 equivalent gates [13]. Therefore, a lightweight security solution is required to secure RFID-based healthcare systems. To address this requirement, in 2019, Fan et al. [14] proposed a lightweight RFID authentication scheme in IEEE Network. They stated that their scheme can provide strong security for low-cost RFID-based healthcare systems. In this article, we first show that their scheme has several security flaws and then propose our improved scheme.

1.1. Contributions

We make the following contributions to this article. We perform a security analysis of Fan et al.’s scheme [14] and demonstrate that this scheme fails to support forward secrecy and is prone to impersonation attacks. To overcome the security vulnerabilities of Fan et al.’s scheme, we propose an improved scheme. The security of our proposed scheme is evaluated from informal and formal security analyses. The analysis results illustrate that our scheme can offer better security than existing schemes. To show the efficiency of our proposed scheme, we compare it with other existing schemes in terms of computation cost, communication cost, storage cost, and hardware implementation cost. The performance evaluation results present that our proposed scheme is lightweight and conforming to the EPC C1G2 standard.

1.2. Organization

The rest of this article is structured as follows. Section 2 briefly discusses the related works. Section 3 presents the preliminaries, including the security demands, adversary model, and notations used in this article. Section 4 firstly describes Fan et al.’s scheme [14] and then analyzes the security of this scheme. Section 5 proposes our enhanced scheme, followed by its security analysis. Section 6 evaluates the performance of our proposed scheme. Finally, Section 7 summarizes the paper.

2. Related Works

Over the last several years, researchers have proposed a variety of authentication schemes, aiming to secure RFID-based healthcare systems. In 2014, Zhao [15] proposed an RFID authentication protocol based on elliptic curve cryptosystem (ECC) to secure communications in healthcare environments. In the same year, Zhang and Qi [16] proposed an ECC-based RFID authentication protocol for medical systems to enhance patient safety. However, Farash et al. [17] analyzed the protocols in [15,16] and pointed out that these two protocols cannot ensure forward secrecy. Farash et al. also suggested an improved protocol based on ECC to enhance the security of healthcare environments in [17]. Later, researchers proposed more ECC-based RFID authentication protocols [18,19,20,21,22,23] for healthcare applications. Because of the high hardware requirement of ECC, these ECC-based protocols are not well compatible with the EPC C1G2 standard. In 2015, Srivastava et al. [24] proposed a new authentication protocol to strengthen the security of telecare medicine information systems (TIMSs), which is based on a hash function and shared secrets. However, Li et al. [25] analyzed Srivastava et al.’s protocol and found that an adversary can use a stolen/lost reader to obtain sensitive information of any tagged object. Furthermore, Li et al. demonstrated that the server and the reader in this protocol do not authenticate each other. Besides, Li et al. pointed out that this protocol requires the server to perform an exhaustive search to validate a tag, which exhibits low efficiency in practical TIMSs. To remedy these weaknesses, Li et al. provided an enhanced version in [25]. Later in 2017, Benssalah et al. [26] illustrated that Li et al.’s protocol incurs traceability, impersonation and desynchronization attacks, and introduced an improvement. Unfortunately, Benssalah et al.’s protocol is still vulnerable to traceability and desynchronization attacks [27]. In 2018, Fan et al. [10] proposed an ultralightweight RFID authentication protocol, named LRMI, to protect medical privacy in IoT, using cross and rotation functions for authentication. Nevertheless, in 2019, Aghili et al. [28] analyzed the LRMI protocol and found that it cannot withstand traceability and impersonation attacks. Additionally, Aghili et al. proposed an improved version in [28], named SecLAP, which is based on modular rotation function. However, Safkhani et al. [29] discovered that the SecLAP protocol has a security vulnerability of secret disclosure, which allows an adversary to mount traceability and desynchronization attacks. Moreover, it is suggested that the ultralightweight operations such as the rotation, cross, and modular rotation functions do not converge to construct a secure protocol [29,30]. In the same year, Zhou et al. [31] presented a quadratic residue-based RFID authentication protocol for TIMSs. Later, Safkhani and Vasilakos [27] pointed out that Zhou et al.’s protocol [31] is prone to desynchronization attacks. They also proposed an improved protocol for TIMSs in [27]. In this improved protocol, the identifier of a tag is used as the secret key of the tag, which does not update so as to avoid desynchronization attacks. In the authentication phase, a tag encrypts its identifier with random numbers and timestamp using a hash function, and sends the ciphertext to the server for authentication. To verify the tag, the server needs to exhaust its database to find a tag identifier that can satisfy the received ciphertext. Thus, their protocol is inefficient. Besides, since the random numbers and timestamp are transmitted in plain text, once a tag identifier is exposed, an adversary can easily identify the tag’s messages in previous sessions, which implies that this protocol is destitute of forward secrecy. Recently, Fan et al. proposed [14] a lightweight RFID authentication scheme based on quadratic residue theorem. The authors claimed that their scheme meets the security requirements necessary for RFID-based healthcare systems and is compatible with the EPC C1G2 standard. In this article, we demonstrate that this scheme has several security concerns.

3. Preliminary

3.1. Security Demands

An authentication scheme, which aims to secure a practical RFID-based healthcare system, should meet the following security demands. Untraceability: A tag should not be traced by an adversary. The adversary who stands between the tag and the reader may eavesdrop and correlate the tag’s messages from two different sessions so as to identify the tag. Forward secrecy: Even if the secret parameters of a tag are exposed to an adversary, the adversary can hardly identify the previous messages of the tag, which can be obtained by eavesdropping the read-tag channel. Resilience to impersonation attacks: An adversary may try to impersonate legitimate scheme parties (the server, reader, or tag), e.g., by replaying a message intercepted from the channels. Any impersonation should be prevented. Resistance to desynchronization attacks: If a scheme relies on shared values for authentication, an adversary may cause desynchronization problems. For example, if the server updates the shared values but the tag does not, the server may not be able to authenticate the tag in the future. Such desynchronization attacks should be resisted. Scalability: If the server needs to do an exhaustive search to verify a tag, the scheme is not scalable. Worse than that, an adversary may launch a time measurement attack [32] against the scheme, which can identify a tag according to its authentication time spent by the server. Thus, an authentication scheme should avoid any exhaustive search operation to ensure scalability.

3.2. Adversary Model

Researchers, who proposed the authentication schemes [10,14,25,26,27,28,31] for RFID-based healthcare systems in recent years, have a consensus that both the tag-to-reader channel and the reader-to-server channel are insecure so their security should be considered in the authentication schemes. Thus, we assume that an adversary can control both communication channels. The adversary is able to eavesdrop, modify, block, and replay the transferred messages. In addition, if the scheme leverages timestamps for authentication, we assume that the adversary can manipulate the time setting of the reader, which is practical for mobile readers [27]. We model the adversary A as a polynomial-time algorithm. Given a server, S, a reader, R, and a tag, T, the adversary A has access to the following oracles: Execute(S, R, T): A eavesdrops on both of the two communication channels during the execution of an instance of the scheme between T, R, and S. This oracle models the adversary’s ability to monitor the channels between scheme parties. Send(X, m1, m2): A sends a message m1 to a scheme party X and receives a message m2 from X. This oracle models the adversary’s ability to act as a scheme party. Block(.): A blocks any message of the scheme. This oracle models the adversary’s ability to stage a denial of service attack by jamming the communication channels. SetTime(R, t): A sets the current time of the reader R to time t. This oracle models the adversary’s ability to control the reader’s time setting. Reveal(T): A manages to obtain the secret parameters of the tag T. The oracle models the adversary’s ability to crack a tag and access its secrets. The adversary A can invoke the oracles Execute, Send, Block, Time, and SetTime any polynomial number of times. However, the Reveal oracle can be called only once for each tag. If the tag is already compromised, it is meaningless to invoke the Reveal oracle on the same tag again.

3.3. Notations

The notations used for scheme description are presented in Table 1.
Table 1

Notations.

NotationDescription
p, qTwo large primes
nn = pq
SID, SIDold, SIDnewThe tag’s current, previous and next pseudo identifier, respectively
SRID, SRIDold, SRIDnewThe reader’s current, previous and next pseudo identifier, respectively
x, xold, xnewThe tag’s current, previous and next secret key, respectively
x’x2 mod n, n = pq
y, yold, ynewThe reader’s current, previous and next secret key, respectively
y’y2 mod n, n = pq
TEThe current time of E
TthThe time threshold
NEThe random number generated by E
The bitwise exclusive-OR
PRNG()The pseudo random number generator
Rot(x, y)Left shift x⨁y by y mod L bits, in which L is the length of y

4. Review of Fan et al.’s Scheme

In this section, we first review Fan et al.’s scheme [14] and then perform a security analysis of this scheme.

4.1. Fan et al.’s Scheme

In Fan et al.’s scheme, as shown in Figure 2, the server stores the current pseudo identifier SID and secret data x’ of a tag in an index data table, in which the current pseudo identifier is used as an index. The old pseudo identifier and secret data of the tag are also recorded in the table. Similarly, the current pseudo identifier and secret data of a reader and also the old ones are stored in another index data table, as presented in Figure 3.
Figure 2

Tags’ index data table in Fan et al.’s scheme.

Figure 3

Readers’ index data table in Fan et al.’s scheme.

Fan et al.’s scheme consists of an initial phase, authentication phase, and update phase. The last two phases are demonstrated in Figure 4.
Figure 4

Authentication and update phases of Fan et al.’s scheme.

The system administrator generates two big primes p and q (the length of each is at least 512 bits), computes n = pq, and stores n, p, and q in each legitimate reader. For each legitimate reader, the administrator assigns a pseudo identifier SRID and a secret key y. The length of y is at least 1024 bits. In the readers’ index data table stored in the server, the administrator sets SRID = SRID and y’ = y2 mod n while SRIDold and y’old are both set to 0. For each legitimate tag, the administrator assigns a pseudo identifier SID and a secret key x. The length of x is at least 1024 bits. In the tags’ index data table stored in the server, the administrator sets SID = SID and x’ = x2 mod n while SIDold and x’old are both set to 0. Reader→Tag: M1 = {Query, TR}

4.1.2. Authentication Phase

The reader sends “Query” along with its current time TR to the tag. Tag→Reader: M2 = {MT1, MT2} After receiving M1, the tag computes MT1 = Rot(TR, SID)⨁SID, MT2 = PRNG(x⨁TR), and sends {MT1, MT2} to the reader. Reader→Server: M3 = {MR1, MR2, MT1, TR} Upon receipt of M2, the reader computes MR1 = Rot(TR, SRID) ⨁SRID, y’ = y2 mod n, MR2 = PRNG(y’⨁TR), and sends {MR1, MR2, MT1, TR} to the server. Server→Reader: M4 = {x‘, TC} Once M3 is received, the server generates its current time TS and checks whether Tth1 < TS- TR < Tth2. If so, the server checks the records in the readers’ index data table to find an SRID for the matching MR1 = Rot(TR, SRID) ⨁SRID. If found, the server reads y’ from the corresponding record to check if PRNG(y’⨁TR) = MR2. If MR2 is correct, the reader is valid. Then, the server checks the records in the tags’ index data table to find a SID for the matching MT1 = Rot(TR, SID) ⨁SID. If there is a match, the server reads the corresponding x’ and sends it along with the server’s current time TC to the reader. Reader→Tag: M5 = {MT3, TC} Upon receiving M4, the reader resolves four solutions x1, x2, x3, x4 with x’ and p, q. Then, it checks whether there exists a x = xi (i = 1, 2, 3, 4) that can satisfy PRNG(x⨁TR) = MT2. If so, the tag is legitimate. The reader computes MT3 = PRNG(x) and sends {MT3, TC} to the tag. Validation at the tag. Once M5 arrives, the tag checks whether the value of MT3 is PRNG(x). If so, the reader is authenticated. The authentication phase ends here, followed by the update phase. Tag→Reader: M6 = {AT1}

4.1.3. Update Phase

The tag computes SIDnew = SID + TC, xnew = Rot(x, TC) ⨁TC, AT1 = PRNG(SIDnew⨁TR), and sends AT1 to the reader. Reader→Server: M7 = {AR1, AR2, AT1, AT2} After the receipt of M6, the reader computes xnew = Rot(x, TC)⨁TC, x’new = mod n, SRIDnew = SRID + TC, ynew = Rot(TC, y), y’new = mod n, AR1 = PRNG(y’⨁SRIDnew⨁TR), AR2 = Rot(y’new, TR⨁SRIDnew)⨁SRIDnew, AT2 = Rot(x’new, TR⨁SRIDnew)⨁SRIDnew, and sends {AR1, AR2, AT1, AT2} to the server. Server→Reader: M8 = {AR3, AT3} Once M7 is received, the server computes SRIDnew = SRID + TC to check whether PRNG(y’⨁SRIDnew⨁TR) = AR1. If so, the server extracts y’new from AR2 and begins to update the reader’s record. If SRID is found in the new index field, the server lets SRIDold←SRID, y’old←y‘, SRID←SRIDnew, y’←y’new. Otherwise, the server just lets SRID←SRIDnew, y’←y’new. Then, the server computes SIDnew = SID + TC to check whether PRNG(SIDnew⨁TR) = AT1. If so, the server extracts x’new from AT2 and begins to update the tag’s record. If SID is found in the new index field, the server lets SIDold←SID, x’old←x‘, SID←SIDnew, x’←x’new. Otherwise, the server just lets SID←SIDnew, x’←x’new. At last, the server computes AR3 = PRNG(y’new⨁SRIDnew⨁TR), AT3 = PRNG(SIDnew)⨁PRNG(x‘new⨁TR), and sends {AR3, AT3} to the reader. Reader→Tag: M9 = {AT4} Upon receiving M8, the reader checks whether PRNG(y’new⨁SRIDnew⨁TR) = AR3. If so, the reader updates SRID←SRIDnew, y←ynew, computes AT4 = AT3⨁PRNG(x‘new⨁TR) and sends AT4 to the tag. Validation at the tag. After M9 arrives, the tag checks whether PRNG(SIDnew) = AT4. If so, the tag updates SID←SIDnew, x←xnew.

4.2. Security Analysis of Fan et al.’s Scheme

Although Fan et al. claimed that their scheme is secure, we prove that this scheme cannot provide forward secrecy and is not resistant against impersonation attacks. Fan et al.’s scheme cannot ensure forward secrecy. In Fan et al.’s scheme, if an adversary manages to obtain the current pseudo identifier SID and secret key x of a tag, the adversary can correlate the tag with its messages before completing the last scheme run with valid scheme parties. This is modeled by the following game between the challenger C as the RFID system and the adversary A. Assumed that both C and A have the power no more than a polynomial-time algorithm: C selects two tags, T0 and T1, a reader R, and a server S, which are all valid. A calls the oracles Execute, Send, and Block for a polynomial number of times on T0, T1, R, and S. A stops and notifies C. C randomly selects a bit b and sets T = Tb A invokes the oracle Reveal(T). A outputs a bit b’. If b’ = b, A wins the game. The advantage of successfully identifying the tag is defined as AdvA = . If the adversary A has no advantage over the random guess, . Thus, Fan et al.’s scheme fails to ensure forward secrecy if AdvA > 0. For easy reading, we denote a parameter P in the i-th session of the tag T as . Suppose the challenger C selects two tags, T0 and T1, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, and Block for a polynomial number of times on T0, T1, R and S. Assume that C carries out a complete instance of the scheme, denoted as the i-th session, with each tag. After the i-th session is finished, the pseudo identifier of the tag Tj (j {0, 1}), , has been updated to . A records the parameter AT4 in the i-th session of the tag T0, denoted as , and notifies C. Then, C chooses a random bit b and sets T = Tb. Now, A calls the oracles Reveal(T) to obtain the current pseudo identifier of the tag T, denoted as TSID. Obviously, TSID is either or . Then, A computes PRNG(TSID). If PRNG(TSID) = , A outputs a bit b’ = 0 since = PRNG(). Otherwise, A outputs a bit b’ = 1. Therefore, the probability that Pr(b’ = b) is 1. So the advantage of the adversary A in the tag identification, AdvA, is 1, which proves that Fan et al.’s scheme cannot provide forward secrecy. □

4.2.1. Attack against Forward Secrecy

This security flaw is due to the fact that the value of AT4 is only related to the updated tag pseudo identifier SIDnew. In Fan et al.’s scheme, an adversary can impersonate as a legitimate reader to the tag. In the authentication phase of Fan et al.’s scheme, a tag authenticates a reader through the message M5. To model the adversary’s attempt to impersonate as a legitimate reader to a tag, we use the following game between the challenger C and the adversary A. C chooses a tag T, a reader R, and a server S, which are all valid. A calls the oracles Execute, Send, and Block for a polynomial number of times on T, R, and S. A stops and notifies C. A invokes the Send oracle to impersonate as a reader. If A is authenticated by the tag T as a valid reader, A wins the game. Suppose the challenger C selects a tag T, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, and Block for a polynomial number of times on T, R and S. Assume that C carries out an instance of the scheme on T, R and S. A records the messages M1 and M5, and blocks the message M5 so that the update phase does not execute. The message M1 consists of “Query” and TR. The message M5 consists of MT3 and TC. The value of MT3 is PRNG(x), in which x is the secret key of the tag T. Then, A notifies C. Now, A invokes the Send oracle to impersonate as a reader to T. Specifically, A sends the stored M1 to T and receives the response from T. After that, A sends the stored M5 to T. Upon receipt of the stored M5, T checks whether PRNG(x) = MT3. Since T’s secret key x does not update in the last scheme run, the condition satisfies. Thus, the adversary A wins the game with a probability of 1. So, an adversary can impersonate as a legitimate reader to the tag in Fan et al.’s scheme. □

4.2.2. Impersonation Attack

The reason for this security flaw is that the authentication parameter MT3 contains no randomness produced by the tag. In Fan et al.’s scheme, an adversary can impersonate as a legitimate reader to the server. In the authentication phase of Fan et al.’s scheme, a server authenticates a reader through the message M3. If an adversary has the ability to manipulate the time setting of the reader, as the adversary model explained in Section 3.2, the adversary is able to impersonate as a legitimate reader to the server. The impersonation attempt is modeled as the following game between the challenger C and the adversary A. C chooses a tag T, a reader R, and a server S, which are all valid. A calls the oracles Execute, Send, Block, and SetTime for a polynomial number of times on T, R, and S. A stops and notifies C. A invokes the Send oracle to impersonate as a reader. If A is authenticated by the server S as a valid reader, A wins the game. Suppose the challenger C selects a tag T, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, Block, and SetTime for a polynomial number of times on T, R and S. Specifically, A changes the time of the reader R to a future time t1. Assume that C immediately carries out an instance of the scheme on T, R and S. In this session, the reader R sends M1 = {Query, t1} to the tag T. Upon receiving M1, the tag T computes MT1 = Rot(t1, SID)⨁SID, MT2 = PRNG(x⨁t1), and sends M2 = {MT1, MT2} to the reader. After M2 arrives, the reader computes MR1 = Rot(t1, SRID)⨁SRID, y’ = y2 mod n, MR2 = PRNG(y‘⨁t1), and sends M3 = {MR1, MR2, MT1, t1} to the server. A records the messages M1 and M3, and blocks the messages M3. Then, A sets the time of the reader R to the correct time to synchronize with the time of the server S. Before the time t1, A blocks any message sent to the server S so that no updates will be done. At the time t1, A notifies C and invokes the Send oracle to impersonate as a reader to S. Specifically, A sends the stored M1 to the tag T. Upon receipt of the response from T, A sends the stored M3 to S. Once the stored M3 is received, S generates a timestamp TS and checks whether Tth1 < TS – t1 < Tth2. Because A starts the current session at the time t1, A can pass the check. After that, S searches the readers’ index data table to find an SRID for the matching Rot(t1, SRID)⨁SRID = MR1. Since the reader pseudo identifier SRID does not update, there is a match. Then, S checks whether PRNG(y‘⨁t1) = MR2. Because the reader’s secret data y’ does not update, the condition satisfies. In this way, the adversary A is authenticated as a valid reader by the server with a probability of 1. Therefore, an adversary can impersonate as a legitimate reader to the server in Fan et al.’s scheme. □ This security flaw is because that TR is the current time of the reader R. By manipulating the reader’s time, an adversary can obtain the parameters, MR1 and MR2, related to a future time.

5. The Proposed Scheme

In this section, we first propose an improved scheme to overcome the security vulnerabilities of Fan et al.’s scheme [14]. Moreover, to satisfy the EPC C1G2 standard and the mobile environment in an RFID-based healthcare system, the heavyweight cryptographic primitives should not be used. In the proposed scheme, we just leverage the operations supported by an EPC C1G2 tag to secure both the reader-tag channel and the server-reader channel. Although it is feasible to adopt a mutual authenticated TLS channel between the server and the reader to secure the server-reader channel, our scheme can just use the lightweight operations to achieve the same goal with lower overhead. We also formally analyze our proposed scheme on the major security demands.

5.1. Scheme Description

As shown in Figure 5, the server stores the current pseudo identifier SID and secret key x of a tag in an index data table. The current pseudo identifier is used as an index in the table. The previous index SIDold and secret key xold of the tag are also recorded in the table to prevent desynchronization attacks. Similarly, the current pseudo identifier SRID and secret key y of a reader are stored in another index data table and so are the previous ones, as demonstrated in Figure 6. Our proposed scheme includes an initial phase and an authentication phase.
Figure 5

Tags’ index data table in our proposed scheme.

Figure 6

Readers’ index data table in our proposed scheme.

For each legitimate tag, the administrator assigns a pseudo identifier SID and a secret key x. The administrator then sets SID = SID and x = x in the tags’ index data table while SIDold and xold are both set to 0. For each legitimate reader, the administrator assigns a pseudo identifier SRID and a secret key y. The administrator then sets SRID = SRID and y = y in the readers’ index data table while SRIDold and yold are both set to 0.

5.1.2. Authentication Phase

The authentication phase of our proposed scheme is presented in Figure 7. This phase consists of the following steps:
Figure 7

Authentication phase of our improved scheme.

Reader→Server: M1 = {NR} The reader generates a random number NR and sends it to the server. Server→Reader: M2 = {NS} After receiving M1, the server generates a random number NT and sends it to the reader. Reader→Tag: M3 = {NS} Upon receipt of M2, the reader forwards NS to the tag. Tag→Reader: M4 = {SID, MT1, NT} Once M3 is received, the tag generates a random number NT, computes MT1 = PRNG(y⨁NS⨁NT), and sends {SID, MT1, NT} to the reader. Reader→Server: M5 = {SRID, MR1, SID, MT1, NT} After M4 arrives, the reader computes MR1 = PRNG(y⨁NS⨁NR) and composes a reply {SRID, MR1, SID, MT1, NT} to the server. Server→Reader: M6 = {MR2, MT2} Upon receiving M5, the server searches for the received SRID in the readers’ index data table. If found, the server reads the corresponding y to check whether PRNG(y⨁NS⨁NR) = MR1. If so, the reader is valid. Then, the server searches for the received SID in the tags’ index data table. If found, the server reads the corresponding x to check whether PRNG(x⨁NS⨁NT) = MT1. If so, the tag is valid. After confirming the validity of both the reader and tag, the server computes MR2 = PRNG((y + 1)⨁NS⨁NR), SRIDnew = PRNG(SRID⨁y⨁NS⨁NR), ynew = PRNG((y + 2)⨁NS⨁NR), MT2 = PRNG((x + 1)⨁NS⨁NT), SIDnew = PRNG(SID⨁x⨁NS⨁NT), and xnew = PRNG((x + 2)⨁NS⨁NT). Then, the server updates the readers’ index data table. If SRID is found in the new index field, the server lets SRIDold←SRID, yold←y, SRID←SRIDnew, y←ynew. Otherwise, the server just lets SRID←SRIDnew, y←ynew. Similarly, the server updates the tags’ index data table. If SID is found in the new index field, the server lets SIDold←SID, xold←x, SID←SIDnew, x←xnew. Otherwise, the server just lets SID←SIDnew, x←xnew. Once the updating is finished, the server sends {MR2, MT2} to the reader. Reader→Tag: M7 = {MT2} After M6 is received, the reader checks whether PRNG((y + 1)⨁NS⨁NR) = MR2. If so, the server is valid and has updated the readers’ index data table. Since the server sends out MR2 only when the tag is legitimate, the reader authenticates the tag implicitly via MR2. Then, the reader computes SRIDnew = PRNG(SRID⨁y⨁NS⨁NR), ynew = PRNG((y + 2)⨁NS⨁NR), and updates SRID←SRIDnew, y←ynew. After that, the reader sends MT2 to the tag. Validation at the tag. Once M7 arrives, the tag checks whether PRNG((x + 1)⨁NS⨁NT) = MT2. If so, the server is valid and has updated the tags’ index data table. The tag also implicitly authenticates the reader since the tag will not receive a valid MT2 unless the server has authenticated the reader. Then, the tag computes SIDnew = PRNG(SID⨁x⨁NS⨁NT), xnew = PRNG((x + 2)⨁NS⨁NT) and updates SID←SIDnew, x←xnew. In the proposed scheme, the secret keys cannot be exposed without calling the Reveal oracle. In the scheme, the transferred parameters related to the tag secret key x include MT1 and MT2, which are generated by MT1 = PRNG(x⨁NS⨁NT) and MT2 = PRNG((x+1)⨁NS⨁NT), respectively. An adversary cannot obtain x from MT1 or MT2 because PRNG() is regarded as an irreversible operation [14]. On the other hand, the transferred parameters related to the reader secret key y include MR1 and MR2, which are generated by MR1 = PRNG(y⨁NS⨁NR) and MR2 = PRNG((y+1)⨁NS⨁NR), respectively. Since PRNG() is irreversible, the adversary cannot get y from MR1 or MR2. Therefore, unless the adversary calls the Reveal oracle, the secret keys cannot be revealed. □ In the proposed scheme, two of the message parameters, before and after completing a scheme run with valid scheme parties, cannot be correlated without calling the Reveal oracle. For easy reading, we denote a parameter P in the i-th session as iP. Without loss of generality, we assume that an adversary attempts to correlate iP with i+1P. In our proposed scheme, the messages consist of nine parameters: NS, NR, NT, SID, SRID, MT1, MT2, MR1, and MR2. First, we consider the parameters NS, NR, and NT. NS is a random number generated in each session so the adversary cannot correlate iNS with i+1NS. For the same reason, iNR and iNT cannot be correlated with i+1NR and i+1NT, respectively. Second, we consider the pseudo identifiers, SID and SRID. The value of i+1SID is PRNG(iSID⨁ix⨁iNS⨁iNT). By Lemma 1, the adversary cannot obtain ix. Thus, it is difficult for the adversary to correlate iSID with i+1SID unless the Reveal oracle is invoked. Similarly, the value of i+1SRID is PRNG(iSRID⨁iy⨁iNS⨁iNR). Because iy is not exposed, the adversary cannot correlate i+1SRID with iSRID. Finally, we consider the remaining parameters. Since iMT1 = PRNG(ix⨁iNS⨁iNT), i+1x = PRNG((ix + 2 )⨁iNS⨁iNT) and i+1MT1 = PRNG(i+1x⨁i+1NS⨁i+1NT) to correlate iMT1 with i+1MT1, the adversary needs to know ix, which cannot be obtained without the Reveal oracle (by Lemma 1). For the same reason, iMT2, whose value is PRNG((ix + 1)⨁iNS⨁iNT), cannot be correlated with i+1MT2, whose value is PRNG((i+1x+1)⨁i+1NS⨁i+1NT). Similarly, since iMR1 = PRNG(iy⨁iNS⨁iNR), i+1y = PRNG((iy + 2)⨁iNS⨁iNR) and i+1MR1 = PRNG(i+1y⨁i+1NS⨁i+1NR), without the knowledge of iy, the adversary cannot correlate iMR1 with i+1MR1. For the same reason, iMR2, whose value is PRNG(iy + 1⨁iNS⨁iNR), cannot be correlated with i+1MR2, whose value is PRNG((i+1y + 1)⨁i+1NS⨁i+1NR). Thus, without calling the Reveal oracle, the adversary cannot correlate two of the message parameters that are separated by a complete scheme run with valid scheme parties. □ In the proposed scheme, tags are universally untraceable. In an RFID scheme, a tag is universally untraceable [33] if an adversary cannot correlate two of the messages sent and received by the tag, separated by a complete scheme run with valid scheme parties. This is modeled by a game between the challenger C as the RFID system and the adversary A. Assumed that both C and A have the power no more than a polynomial-time algorithm: C selects two tags, T0 and T1, a reader R, and a server S, which are all valid. A calls the oracles Execute, Send, and Block for a polynomial number of times on T0, T1, R and S. A stops and notifies C. C randomly selects a bit b and sets T = Tb. A calls the oracles Execute, Send, and Block on T, R and S. A outputs a bit b’. If b’ = b, A wins the game. The advantage of successful tag identification is defined as AdvA = . If the adversary A has no advantage over the random guess, . Thus, tags are universally untraceable if AdvA is 0. Suppose the challenger C selects two tags, T0 and T1, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, and Block for a polynomial number of times on T0, T1, R and S. Assume that C carries out a complete instance of the scheme, denoted as the i-th session, with each tag. A records all the outputs of the oracle calls and notifies C. Then, C chooses a random bit b and sets T = Tb. Now, A calls the oracles Execute, Send, and Block on T, R and S. Assume that C carries out a complete instance of the scheme with the tag T, denoted as the i+1-th session. A records all the outputs of the oracle calls and produces a guess bit b’. In the proposed scheme, the tag sends and receives the messages M1, M2, and M7, which consist of the following message parameters: SID, NT, NR, MT1, and MT2. Since A cannot correlate any message parameter in the i-th session with the parameter in the i+1-th session (by Lemma 2), A can only perform a random guess. Therefore, the probability that Pr[b’ = b] is and AdvA is 0. So the tags in our proposed scheme are universally untraceable. □ The proposed scheme can ensure forward secrecy. We model this as the game in the proof of Theorem 1. The challenger C selects two tags, T0 and T1, a reader R, and a server S for the game. The adversary A starts the game and calls the oracles Execute, Send, and Block on T0, T1, R, and S for a polynomial number of times. Assume C carries out a complete instance of the scheme with each tag. A records the outputs of the oracle calls. Then, C generates a random bit b and sets T = Tb. Hereafter, A calls the oracles Reveal(T) to obtain the pseudo identifier and secret key of the tag T. Finally, A outputs a guess bit b’. Because the current secret key of T is generated from the PRNG of the previous one, A cannot inverse the PRNG function to obtain the previous secret key. Similarly, since the current pseudo identifier of T is generated from the PRNG of the previous one, A cannot deduce the previous pseudo identifier. Besides, by Lemma 2, A cannot correlate the previous pseudo identifier of T, which is either that of T0 or that of T1, with the current pseudo identifier of T. Therefore, A has no advantage over a random guess, which means that the proposed scheme can ensure forward secrecy. □ The proposed scheme can resist impersonation attacks. An adversary may attempt to impersonate as a tag, a reader or a server. We discuss these three cases as follows. Tag impersonation We model this as the following game between the challenger C and the adversary A. C chooses a tag T, a reader R, and a server S, which are all valid. A calls the oracles Execute, Send, and Block for a polynomial number of times on T, R, and S. A stops and notifies C. A invokes the Send oracle to impersonate as a tag. If A is authenticated as a valid tag, A wins the game. Suppose the challenger C selects a tag T, a reader R, and a server S for the game. A starts the game and calls the oracles Execute, Send, and Block for a polynomial number of times on T, R, and S. Assume that C carries out an instance of the scheme on T, R, and S. A records all the oracle outputs. To pass the authentication, A must send a valid SID and a valid MT1 = PRNG(x⨁NS⨁NT). To do so, A needs to know the tag secret key x. However, by Lemma 1, A cannot obtain x to generate a valid MT1. On the other hand, assume that A calls the Block oracle to block the message M5 so that no updates will happen, and then notifies C. Hereafter, C carries out a new instance of the scheme on T, R, and S. To impersonate as a tag, A invokes the Send oracle to send the recorded SID, MT1, and NT to the reader R as the response M2. However, since the reader R generates a new NR in this scheme run, the recorded MT1 cannot be valid unless the new NR happens to be the same as the old NR, whose probability is negligible. Therefore, A can hardly impersonate as a valid tag. Reader impersonation Firstly, we consider that the adversary A attempts to impersonate as a valid reader to the tag. The attempt is modeled as the game in the proof of Theorem 2. To be validated by the tag T, A needs to send a valid MT2 = PRNG((x + 1)⨁NS⨁NT). However, by Lemma 1, A cannot obtain x to generate a valid MT2. On the other hand, assume that A blocks M7 to prevent any updating on the tag, and then notifies C. Hereafter, C carries out a new instance of the scheme on T, R, and S. To impersonate as a reader to the tag, A sends the recorded MT2 to the tag T. However, the recorded MT2 cannot be valid unless the old NT is the same as the NT generated in the new scheme run, which has a negligible probability. Secondly, we consider that A tries to impersonate as a valid reader to the server, which can be modeled as a game similar to the one in the proof of Theorem 2, except that in the last step the adversary A should be authenticated by the server S. To be authenticated, A must send a valid SRID and a valid MR1 = PRNG(y⨁NS⨁NR) to the server. By Lemma 1, the reader secret key y is not exposed so A cannot generate a valid MR1. On the other hand, assume that A blocks M5 to prevent any updating, and then notifies C. Hereafter, C carries out a new instance of the scheme on T, R, and S. To impersonate as a reader to the server, A sends the recorded NR, SRID and MR1 to the server S. Since S generates a new NS in the new scheme run, the recorded MR1 has a negligible probability to be valid. Therefore, the probability to impersonate as a valid reader is negligible. Server impersonation We model this attempt as a game similar to the one in the case (a), except that A calls the Send oracle to impersonate as a valid server. To impersonate as a legitimate server, A must send a valid MR2 = PRNG((y + 1)⨁NS⨁NR). However, without the knowledge of y (by Lemma 1), A fails to generate a valid MR2. On the other hand, assume that A blocks M6 to prevent any updating on the reader and tag, and then notifies C. Hereafter, C carries out a new instance of the scheme on T, R, and S. To impersonate as a server, A sends the recorded MR2 to the reader R. Because the new NR is hardly the same as the old NR, the probability that the recorded MR2 can pass the authentication is negligible. Thus, the adversary A can impersonate as a valid server with a negligible probability. In summary, the proposed scheme can defend against impersonation attacks. □ The proposed scheme can ensure the resistance of desynchronization attacks. In the proposed scheme, the server updates the index data tables after the message M5 is received and verified. If the message M6 is blocked, the reader does not update its pseudo identifier SRID and secret key y. Since SRID and y are stored in the old fields, the server can synchronize with the reader based on them. Assume that there is a new session and M6 is blocked again. In this session, since the server finds the received SRID in the old index field, the old values do not update. Thus, the server can still synchronize with the reader. Similarly, if M6 (or M7) is blocked, the server and tag can keep synchronization between them. On the other hand, as discussed in the proof of Theorem 6, an adversary cannot forge valid MT1 and MR1 to force the server to update the index data tables. Therefore, the proposed scheme is resistant to desynchronization attacks. □ The proposed scheme is scalable. According to Burmester et al. [34], if the server can find the record of a tag just based on the received data, the time cost can be constant. Otherwise, if some computation operations are needed before checking each record, an exhaustive search operation is needed to authenticate a tag, which results in time measurement attacks [32]. In the proposed scheme, the tag pseudo identifier is used as the index of the tags’ index data table so the server can find the tag’s record just by the received SID. Similarly, with the received SRID, the server can find the reader’s record. So the proposed scheme requires no exhaustive search operation. Therefore, the proposed scheme is of scalability and can also resist time measurement attacks. □

5.3. Formal Security Analysis with BAN-Logic

In this part, we employ BAN-logic [35] to perform a formal security analysis of our proposed scheme. The notations of BAN-logic are demonstrated in Table 2.
Table 2

BAN-logic notations.

NotationDescription
P|X P believes X
PX P receives X
P|~X P sends X
PX P has jurisdiction over X
#(X)X is fresh
{X}k X is encrypted by the key k
PkQ P and Q use the shared key k to communicate
PQ If P then Q
Then, we present the BAN-logic rules used in the analysis as below. R1 (Seeing rule):, it means when P receives a message set {X, Y}, P receives the message X. R2 (Message-meaning rule):, it means if P believes that P and Q have a shared key K, P receives a message X encrypted by K, which indicates P believes Q has sent X to P. R3 (Freshness rule):, it means if P believes the message X is fresh, P believes the message set {X, Y} is fresh. R4 (Nonce-verification rule):, it means if P believes X is fresh, and Q has sent X, which indicates P believes Q believes X. In the following analysis, the server, reader, and tag are denoted by S, R, and T, respectively.

5.3.1. Idealized Form

Based on the BAN-logic notations, the message transmissions of our proposed scheme are idealized as below. IM1: IM2: IM3: IM4: IM5: IM6: , IM7:

5.3.2. Initial Assumptions

The initial assumptions of our proposed scheme are as follows, specifying the initial process and belief of data. A1: A2: A3: A4: A5:

5.3.3. Security Goals

Since our proposed scheme aims to achieve mutual authentication between the genuine scheme parties, the security goals of should be achieved are listed as follows. G1: G2: G3: G4:

5.3.4. Security Proofs

In this part, we prove the security goals of our scheme. G1: By IM5 and R1, we have Given E1, A2, and R2, we obtain In accordance with A5 and R3, we get With E2, E3 and R4, we can deduce . Therefore, G1 is proved. □ G2: Based on IM6 and R1, we get With E4, A2, and R2, we know Given A4 and R3, we have Taking into account E5, E6, and R4, we can prove . Thus, G2 is achieved. □ G3: According to IM5 and R1, we obtain By E7, A1, and R2, we have On the basis of A5 and R3, we get With E8, E9, and R4, we can deduce . Therefore, G3 is proved. □ G4: In accordance with IM7, A1, and R2, we get Taking into account A3 and R3, we obtain Based on E10, E11, and R4, we can prove . Thus, G4 is achieved. □ Since all security goals are verified, our proposed scheme satisfies the logic security.

6. Performance Evaluation

In this section, we analyze the performance of our proposed scheme by comparing it with some recent schemes (published since 2018) [10,14,27,28,31] for RFID-based healthcare systems.

6.1. Security Performance

We compare the performance of our proposed scheme based on the security demands essential for RFID-based healthcare systems as demonstrated in Table 3. In the table, the symbol “Yes” represents that the scheme meets a security demand while the symbol “No” denotes that the scheme fails to satisfy a security demand. From Table 3, we can see that only our proposed scheme can guarantee all the desired security demands while other schemes fail to meet one or more security demands. As presented in Section 4.2, Fan et al.’s scheme [14] cannot support forward secrecy and is vulnerable to impersonation attacks. The security of other existing schemes has been discussed in Section 2. Safkhani and Vasilakos’s scheme [27] fails to ensure forward secrecy and scalability. The LRMI scheme [10] cannot resist traceability and impersonation attacks. The SecLAP scheme [28] is prone to traceability and desynchronization attacks. Zhou et al.’s scheme [31] is unable to withstand desynchronization attacks. The security of our proposed scheme has been analyzed in Section 5.2 and Section 5.3.
Table 3

Security performance comparison.

SchemeD1D2D3D4D5
Fan et al. [14]YesNoNoYesYes
Safkhani and Vasilakos [27]YesNoYesYesNo
LRMI [10]NoYesNoYesYes
SecLAP [28]NoYesYesNoYes
Zhou et al. [31]YesYesYesNoYes
Our schemeYesYesYesYesYes

D1: Untraceability; D2: Forward secrecy; D3: Resilience to impersonation attacks; D4: Resistance to desynchronization attacks; D5: Scalability.

6.2. Efficiency Performance

We also compare the performance of our proposed scheme with other schemes in terms of costs for computation, communication, storage, and hardware implementation. Firstly, the performance comparison in terms of the computation cost is presented in Table 4. We ignore simple operations such as concatenation, exclusive-OR, and addition. Table 4 shows the number of operations including rotation (denoted as Rot), the inverse operation of rotation (denoted as Rot−1), pseudo random number generation (denoted as P), hash (denoted as H), cross (denoted as C), modular rotation (denoted as MR) and squaring root solving operation (denoted as SR), which are required by our scheme and other schemes. From the column “Tag” of Table 4, we can notice that our proposed scheme only needs a tag to perform the pseudo random number generation operation, a preset operation for EPC C1G2 tags, while other schemes require a tag to perform some operations not implemented by EPC C1G2 tags. Thus, our proposed scheme has the best compatibility with the EPC C1G2 standard.
Table 4

Computation cost comparison (in operations).

SchemeTagReaderServerTotal
Fan et al. [14]2 Rot + 4 P5 Rot + 6 P + 3 MS + SR2 Rot + 2 Rot−1 + 5 P9 Rot + 2 Rot−1 + 15 P + 3 MS + SR
Safkhani and Vasilakos [27]P + 2 HP + 2 HP + 4 H3 P + 8 H
LRMI [10]P + 4 CP + 4 CP + 4 C3 P + 12 C
SecLAP [28]P + 7 MRP + 17 MRP + 5 MR3 P + 29 MR
Zhou et al. [31]P + H + 3 MSP + 5 H + 3 MS 6 H + 6 SR11 H + 6 MS + 6 SR + 2 P
Our scheme5 P5 P9 P19 P

Rot: rotation operation; Rot−1: the inverse operation of Rot; P: pseudo random number generation; H: hash operation; C: cross operation; M: modular rotation operation; MS: modular squaring operation; SR: squaring root solving operation.

According to the experiment results in Section 4.3 of Zhou et al. [31], the time costs of hash, pseudo random number generation, modular squaring, and squaring root solving operations are 0.253, 0.021, 1.896, and 3.481 ms, respectively. As the cross, rotation, and modular rotation are ultralightweight operations, their time cost is negligible in computation. With these data, we can estimate the computation cost of each scheme, as illustrated in Table 5. From Table 5, we can see that the computation cost of our scheme is just higher than the ultralightweight schemes [10,28]. However, it can be justified since our scheme offers a higher security level than all other schemes.
Table 5

Computation cost comparison (in milliseconds).

SchemeTagReaderServerTotal
Fan et al. [14]0.0849.5470.1059.736
Safkhani and Vasilakos [27]0.5270.5271.0332.087
LRMI [10]0.0210.0210.0210.063
SecLAP [28]0.0210.0210.0210.063
Zhou et al. [31]6.2156.974 22.40435.593
Our scheme0.1050.1050.1890.399
Secondly, we compare the efficiency of our proposed scheme to other schemes in terms of the communication and storage cost. Since RFID tags have limited storage capacity while readers and servers have relatively sufficient storage capacity, the storage cost comparison focuses on the tag’s costs. For the schemes not based on quadratic residues, we assume that the lengths of parameters such as identifiers, secret keys, random numbers, timestamps, and function outputs are all L bits. For the quadratic residue-based schemes, we assume that the length of a secret key is LQK bits and the length of the output of modulo squaring operation is LMS bits while other parameters have the same length of L bits. LQK and LMS are usually greater than L for security purposes. According to Fan et al. [14], LQK and LMS are suggested to be at least 1024 while the length of a common tag EPC, used as a tag’s identifier, is 96 bits. Thus, for an intuitive comparison of the communication cost and storage cost, we assume LQK = LMS = 1024 while L = 96. Besides, to be fair, we omit the cost of the string “Query” since most schemes do not use it. The comparison results are demonstrated in Table 6.
Table 6

Performance comparison based on the communication and storage cost.

SchemeCommunication Cost (bits)Storage Cost (bits)
Fan et al. [14]27521120
Safkhani and Vasilakos [27]134496
LRMI [10]1632192
SecLAP [28]2112192
Zhou et al. [31]110081120
Our scheme1344192
In our proposed scheme, there are seven transferred messages consisting of fourteen 96-bit parameters, which results in a communication cost of 1344 bits. From Table 6, we can see that our scheme and the scheme in [27] have the same communication cost, which is less than the rest of the schemes. Besides, a tag in our scheme needs to store an identifier and a secret key, leading to a storage cost of 192 bits. Table 6 shows that the storage cost of our scheme is just higher than that of the scheme in [27] because a tag stores only an identifier in this scheme. However, the scheme in [27] is less secure than our scheme. Finally, we discuss the hardware implementation cost. Considering that the server and the reader have much more resources than the tag, we focus on the implementation cost imposed on the tag. From the “Tag” column of Table 4, we can know that the security primitives, used by tags in our scheme and other schemes, include rotation function, cross function, modular rotation function, pseudo random number generator (PRNG), hash function, and modular squaring function. The authors in [10,14,28] present the FPGA implementation costs of the rotation, cross, and modular rotation functions, which are 112, 1, and 65 lookup tables (LUTs), respectively. Due to the limited resource on a tag, lightweight PRNG and hash function should be adopted. For instance, Mandal et al. [36] designed a lightweight PRNG satisfying the EPC C1G2 standard, named Warbler, which can be implemented with 760 equivalent gates or 184 LUTs. Bogdanov et al. [37] proposed a lightweight hash function, named SPONGENT, whose smallest implement cost is 738 equivalent gates. For modular squaring, an estimated implementation cost of 1000 equivalent gates is given in Section 3.4 of Burmester et al. [38]. Table 7 summarizes the hardware implementation costs of these security primitives. Then, we can roughly estimate the implementation cost of each scheme according to the costs of the security primitives. The estimated results are presented in Table 8. From Table 8, we can see that our scheme has the lowest hardware implementation cost and is feasible to be applied in an RFID-based healthcare system with low-cost tags.
Table 7

The hardware implementation cost of the security primitives.

Security PrimitiveImplementation Cost (LUTs/Gates)
Rotation function112/- [14]
Cross function1/- [10]
Modular rotation function65/- [28]
Warbler PRNG184/760 [36]
SPONGENT hash function-/738 [37]
Modular squaring function-/1000 [38]
Table 8

Performance comparison based on the estimated hardware implementation cost.

SchemeSecurity Primitives UsedImplementation Cost (Estimated)
Fan et al. [14]Rotation function, Warbler PRNG112 LUTs + 760 Gates
Safkhani and Vasilakos [27]Warbler PRNG, SPONGENT hash function1498 Gates
LRMI [10]Cross function, Warbler PRNG1 LUT + 760 Gates
SecLAP [28]Modular rotation function, Warbler PRNG65 LUTs + 760 Gates
Zhou et al. [31]Warbler PRNG, SPONGENT hash function, Modular squaring function2498 Gates
Our schemeWarbler PRNG760 Gates

6.3. Our Proposed Scheme vs. Fan et al.’s Scheme

Based on Section 6.1 and Section 6.2, we highlight the advantages of our proposed scheme by comparing it with Fan et al.’s scheme [14], as summarized in Table 9.
Table 9

Performance comparison between our proposed scheme and Fan et al.’s scheme.

SchemeFan et al. [14]Our Scheme
Performance
Security Demands Not all satisfiedAll satisfied
Computation Cost 9.736 milliseconds0.399 milliseconds
Communication Cost 2752 bits1344 bits
Storage Cost 1120 bits192 bits
Implementation Cost 112 LUTs + 760 Gates760 Gates
As shown in Table 9, Fan et al.’s scheme [14] cannot meet all the security demands. This scheme fails to assure forward secrecy and cannot resist impersonation attacks, which makes it doubtful to be applied in the real world healthcare systems. Our scheme, on the contrary, can satisfy all the security requirements. When considering the efficiency performance, it is obvious that Fan et al.’s scheme has a much higher overhead than our scheme in terms of computation, communication, and storage costs. For the implementation cost imposed on the tag, our scheme just needs to implement a PRNG while Fan et al.’s scheme needs a PRNG and an additional rotation function. In summary, as an improvement of Fan et al.’s scheme, our scheme demonstrates the superiority in all aspects.

7. Conclusions

The legacy healthcare systems have integrated with RFID technology so as to offer better healthcare services. However, the security and privacy concerns about RFID-based healthcare systems are a challenge to combat. In this article, we have analyzed the security of Fan et al.’s scheme [14], a lightweight authentication scheme to secure RFID-based healthcare systems. We first have shown that their scheme is destitute of forward secrecy and also insecure against impersonation attacks. Subsequently, we have proposed an enhanced scheme. Then, we have analyzed the security of the proposed scheme. Analyses illustrate that the proposed scheme can not only overcome the security vulnerabilities of Fan et al.’s scheme but also meet all the essential security demands. In addition, our scheme has low overhead and is compatible with the EPC C1G2 standard. Therefore, our proposed scheme is of practical use for RFID-based healthcare systems.
  9 in total

Review 1.  The adoption and implementation of RFID technologies in healthcare: a literature review.

Authors:  Wen Yao; Chao-Hsien Chu; Zang Li
Journal:  J Med Syst       Date:  2011-10-19       Impact factor: 4.460

Review 2.  Medication errors: what they are, how they happen, and how to avoid them.

Authors:  J K Aronson
Journal:  QJM       Date:  2009-05-20

3.  A hash based mutual RFID tag authentication protocol in telecare medicine information system.

Authors:  Keerti Srivastava; Amit K Awasthi; Sonam D Kaul; R C Mittal
Journal:  J Med Syst       Date:  2014-12-10       Impact factor: 4.460

4.  A Secure RFID Tag Authentication Protocol with Privacy Preserving in Telecare Medicine Information System.

Authors:  Chun-Ta Li; Chi-Yao Weng; Cheng-Chi Lee
Journal:  J Med Syst       Date:  2015-06-18       Impact factor: 4.460

5.  A secure RFID mutual authentication protocol for healthcare environments using elliptic curve cryptography.

Authors:  Chunhua Jin; Chunxiang Xu; Xiaojun Zhang; Jining Zhao
Journal:  J Med Syst       Date:  2015-02-10       Impact factor: 4.460

6.  A secure RFID authentication protocol for healthcare environments using elliptic curve cryptosystem.

Authors:  Zhenguo Zhao
Journal:  J Med Syst       Date:  2014-04-23       Impact factor: 4.460

7.  A Provably Secure RFID Authentication Protocol Based on Elliptic Curve for Healthcare Environments.

Authors:  Mohammad Sabzinejad Farash; Omer Nawaz; Khalid Mahmood; Shehzad Ashraf Chaudhry; Muhammad Khurram Khan
Journal:  J Med Syst       Date:  2016-05-24       Impact factor: 4.460

8.  A Secure ECC-based RFID Mutual Authentication Protocol to Enhance Patient Medication Safety.

Authors:  Chunhua Jin; Chunxiang Xu; Xiaojun Zhang; Fagen Li
Journal:  J Med Syst       Date:  2015-10-29       Impact factor: 4.460

9.  An efficient RFID authentication protocol to enhance patient medication safety using elliptic curve cryptography.

Authors:  Zezhong Zhang; Qingqing Qi
Journal:  J Med Syst       Date:  2014-04-15       Impact factor: 4.460
  9 in total
  1 in total

1.  A RFID Authentication Protocol for Epidemic Prevention and Epidemic Emergency Management Systems.

Authors:  Xiuqing Chen; Xiao Zhang; Deqin Geng; Lei Zhou; Junshu Chen; Fan Lu
Journal:  J Healthc Eng       Date:  2021-12-03       Impact factor: 2.682
  1 in total

北京卡尤迪生物科技股份有限公司 © 2022-2023.