The Internet of Things (IoT) is a future trend that uses the Internet to connect a variety of physical things with the cyber world. IoT technology is rapidly evolving, and it will soon have a significant impact on our daily lives. While the growing number of linked IoT devices makes our daily lives easier, it also puts our personal data at risk. In IoT applications, Radio Frequency Identification (RFID) helps in the automatic identification of linked devices, and the dataflow of the system forms a symmetry in communication between the tags and the readers. However, the security and privacy of RFID-tag-connected devices are the key concerns. The communication link is thought to be wireless or insecure, making the RFID system open to several known threats.
1. Introduction
An RFID infrastructure has a symmetric nature. The RFID system is a wireless technology that is used to identify remote objects that have RFID tags embedded in them. RFID technology is utilized in a variety of applications, including transportation, supply chain management, livestock management, e-passport, e-payment, and patient healthcare [1][2][3]. Backend readers, servers, and tags are all a part of a conventional RFID system whose architecture is symmetric, since the dataflow runs in one direction from the tag through the reader to the server and then in the inverse direction (Table 5). The lack of physical contact between the reader and the tags is a crucial element of RFID systems, and the following are some of the benefits of using them: RFID tags are small and inexpensive, and radio frequency communication can recognize large numbers of RFID tags at the same time [4][5]. RFID systems, on the other hand, are exposed to a variety of security attacks and privacy exposure concerns due to their use of wireless communication and signal broadcasting techniques. It is difficult to apply a comprehensive cryptographic algorithm to an RFID system due to the strictly limited calculation resources, tiny storage capacity, and weak power supply of low-cost tags, and these issues are impeding the rapid development of this technology [6]. RFID security is fundamentally concerned with authentication and privacy issues. A secure protocol running between RFID tags and readers can provide authentication. If a tag contains unique secret information and the RFID tag can convince the RFID reader that they both have that information, the tagged product is considered to be authentic and the person has access to it. Tag anonymity is one of the most important features that any RFID-based authentication technique aspires to attain, and tag untraceability, which ensures the privacy of the tag or the mobility of a user wearing an RFID tag, is a more satisfactory property of tag anonymity. To achieve this attribute, a tag must encode its original identity using a cryptographic primitive such as a one-way secure collision-resistant hash function in existing state-of-the-art authentication protocols. RFID is the simplest form of pervasive sensor network and is widely used for object identification [7]. RFID systems are made up of a tag with a transceiver that sends and receives radio signals from connected devices [8][9]. The RFID reader is another device that acts as an access point and can receive and deliver messages to transceivers. The reader is also in charge of ensuring that tag information is available at the application level [10]. IoT-based RFID tags can be of the passive or active type.
In recent years, numerous exciting anonymous IoT-based RFID authentication and key agreement frameworks have been proposed, which can be classified into Public Key Cryptosystem- (PKC) and Non-Public Key Cryptosystem- (NPKC) based authenticated schemes. PKC-based approaches are unsuitable for low-powered tags due to their modular exponentiation operations. Hash-based RFID systems, on the other hand, would be the best choice among NPKCs because of their low computational overhead [7][11][12][13]. Yang et al. [11] introduced an authentication mechanism based on a one-way secure collision-resistant hash function and exclusive-OR, claiming that it addressed all of the security vulnerabilities that occur in RFID systems. Unfortunately, the protocol is vulnerable to many attacks, including “man-in-the-middle”, forgeries, and loss of untraceability [14]. Cho et al. [13] developed a secure hash-based authentication framework, claiming that it addresses all of the security, privacy, and forgery difficulties that exist in RFID communication systems. However, Safkhani et al. [15] recently demonstrated that the protocol does not meet the authors’ security promises. In their paper, they cryptanalyzed Cho et al.’s [13] protocol and concluded that it is vulnerable to “de-synchronization or DoS attacks, tag impersonation attacks, and reader impersonation attacks”. Furthermore, they showed in their paper that all proposed lightweight authentication techniques based on one-way hash functions and exclusive-OR are impracticable [11][12][13][16][17]. Ayaz et al. [18] suggested another mutual authentication approach for secure RFID communication systems utilizing only symmetric key cryptography operations. In this framework, authentication is accomplished on the basis of verifying the user’s biometrics. Liu et al. [19] proposed an authentication protocol for an RFID system by using hash and XOR operations. The correctness of the protocol was proven by using “Burrows–Abadi–Needham (BAN)” logic analysis. Mansoor et al. [20] proposed an authentication protocol for securing IoT-based RFID systems by using a symmetric cryptography approach. Furthermore, Mansoor et al. [20] showed that the protocol proposed by Gope et al. [21] is vulnerable to collision attacks, DoS attacks, and stolen verifier attacks. In 2022, Gao and Lu presented a new ultra-lightweight RFID authentication protocol in passive RFID systems [22]. The proposed protocol, they claimed, prevents numerous known attacks and beats several existing ultra-lightweight protocols in terms of computational cost, storage requirements, and communication costs. Wang et al. suggested a protocol [23] for which they had formal and informal discussions about security and privacy. Xiaomei et al. discussed [24] the RFID logic of an event-based authentication framework for secure communication. Shariq et al. proposed an RFID-based anonymous and secure framework for deployment in IVs [25]. Wei et al. proposed an improved security authentication protocol for lightweight RFID based on ECC [26]. Arslan and Bingöl presented the security and privacy analysis of recently proposed ECC-based RFID authentication schemes [27].
2. Security Requirements for an IoT-Based RFID Communication System
As far as we know and based on the available literature, many authentication protocols for RFID communication systems have been presented during the last few years. In RFID systems, authentication and key agreement are the best approaches to make them suitable for a wide range of applications. During the transmission of messages between RFID tags and RFID readers, many types of security attacks may occur. Such requirements are utilized as the criteria for assessing the RFID system in order to provide a secure and efficient authentication protocol. The following security criteria should be met by any authentication scheme that attempts to secure a practical RFID-based system:
- Mutual authentication: This is the most important aspect of any authentication mechanism. Furthermore, mutual authentication must be achieved in the presence of all three RFID system participants. The authentication process takes place between the backend database server and the RFID tag. Messages are sent between the tag, reader, and server over an unsecured communication channel.
- Tag anonymity: To minimize forgery and ensure security, this is the most important and necessary security requirement. Furthermore, if an opponent is unable to trace an RFID tag during message delivery over a public channel, the RFID authentication system maintains its anonymity. Anonymity can be divided into two categories: strong anonymity and weak anonymity. Furthermore, in IoT communication, the participants involved do not disclose their real identity in order to defend their security and privacy.
- Message authentication: In Internet operations, this maintains the integrity of message communication.
- Untraceability: In the RFID communication system, untraceability means that no one can trace the behavior patterns of the participants involved and their forwarded messages.
- Session key agreement: Following the successful implementation of the proposed protocol, a session key agreement will be established between users with their mobile devices and the network control center for future communication.
- Confidentiality: Encrypting shared secrets on the public channel ensures the security of RFID communications between the tag and reader.
- Perfect forward secrecy: Perfect forward secrecy is a technique that should be used in the authentication protocol design to give secrecy to previously communicated messages, where an opponent who discovers the entities’ private and public keys will be unable to derive a past session key.
- Scalability: The approach is not scalable if the server conducts an extensive search to verify a tag. Worse, an opponent may conduct a timing attack [28] against the protocol, which can identify a tag based on how long it took the server to authenticate it. To maintain scalability, an authentication strategy should avoid any exhaustive search operations.
- Availability: In an RFID system, the authentication and key agreement procedure runs all the time between the RFID tag and RFID backend database server. In most authentication methods, the shared secret information between the RFID tag and RFID backend database server must be updated to achieve the attribute of accessibility. However, security risks such as Denial-Of-Service (DoS) or de-synchronization attacks may disrupt this process. The RFID system’s efficiency may be harmed as a result of these concerns. Thus, when designing an authentication protocol, this issue should be considered.
- Impersonation attack: An adversary could try to mimic legitimate protocol participants (such as the cloud database server, RFID reader, or RFID tag) by replaying a message captured from the channels. Any impersonation should be avoided at all costs.
- Replay attack: In this attack, an outsider attempts to confuse other certified participants by replaying intercepted data. This attack targets a user whose information is intercepted by an uncertified third party.
- Man-in-the-middle attack: In this attack, an adversary listens in on transmitted data and then attempts to delete or manipulate the contents of the data sent to receivers.
- Insider attack: Any insider can play the role of adversary in the RFID communication system.
- De-synchronization attack: An adversary may generate de-synchronization problems if a protocol’s authentication is based on shared values. The server may be unable to verify the tag in the future if the shared data are updated by the server, but the tag is not. De-synchronization attempts should be avoided.