Research Article An Elliptic Curve Cryptography-Based RFID...
Transcript of Research Article An Elliptic Curve Cryptography-Based RFID...
Research ArticleAn Elliptic Curve Cryptography-Based RFIDAuthentication Securing E-Health System
Chin-I Lee1 and Hung-Yu Chien2
1Department of Information Management, Ling Tung University, No. 1, Ling Tung Road, Taichung 408, Taiwan2Department of Information Management, National Chi Nan University, No. 1, University Road, Puli, Nantou 545, Taiwan
Correspondence should be addressed to Hung-Yu Chien; [email protected]
Received 11 September 2015; Accepted 6 December 2015
Academic Editor: Kijun Han
Copyright ยฉ 2015 C.-I. Lee and H.-Y. Chien. This is an open access article distributed under the Creative Commons AttributionLicense, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properlycited.
Mobile healthcare (M-health) systems can monitor the patientsโ conditions remotely and provide the patients and doctors withaccess to electronic medical records, and Radio Frequency Identification (RFID) technology plays an important role in M-healthservices. It is important to securely access RFID data in M-health systems: here, authentication, privacy, anonymity, and trackingresistance are desirable security properties. In 2014, He et al. proposed an elliptic curve cryptography- (ECC-) based RFIDauthentication protocol which is quite attractive to M-health applications, owing to its claimed performance of security, scalability,and efficiency. Unfortunately, we find their scheme fails to achieve the privacy protection if an adversary launches active trackingattacks. In this paper, we demonstrate our active attack on He et al.โs scheme and propose a new scheme to improve the security.Performance evaluation shows the improved scheme could meet the challenges of M-health applications.
1. Introduction
Mobile healthcare (M-health) systems can monitor thepatientsโ conditions remotely and provide the patients anddoctors with access to electronic medical records. Such asystem improves both convenience and efficiency, becausethe patients and doctors are no longer required to be presentat the same place; therefore, patients can contact their doctorat home and obtain the instant diagnosis and prescription.In the development of M-health systems, Radio FrequencyIdentification (RFID) technology plays an important role foridentifying and accessing patients and objects. Therefore,securely accessing these RFID tags and systems is critical tothe success of M-health systems [1, 2].
In aRFID system, there are three types of roles: RFID tags,RFID readers, and a back-end server. Each tag has a uniquenumber which is used to identify a RFID-tagged product. Toobtain data from a tag, a reader first issues a query to thetag and then forwards the received information provided bythe tag to a back-end server. The back-end server maintains
a database of the information of tags and their labelled prod-ucts. However, since a tag automatically responds to any read-ersโ queries via radio signal, the owner of the tagged product iseven unaware of this action. If the tag transmits a fixed valuein response to readersโ queries, it raises potential privacythreats to the labelled objects and the ownerโs location.
Privacy protection in a RFID system is investigated intwo respects. One is anonymity; the other is tracking attackresistance. The former is to provide confidentiality of tagโsidentity such that an unauthorized observer cannot learnthe identity of the tag. The latter is to provide unlinkabilityof any two RFID transmission sessions; that is, given anytwo RFID transactions, an attacker cannot tell whether thetwo transactions came from the same tag or not. Trackingattack could be classified into two categories: passive trackingattack and active tracking attack. The passive tracking attackis that an adversary tries to distinguish whether two RFIDtransactions came from the same tag by eavesdropping only,while the active tracking attack is that an adversary canactively participate in the transactions (like eavesdropping,
Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2015, Article ID 642425, 7 pageshttp://dx.doi.org/10.1155/2015/642425
2 International Journal of Distributed Sensor Networks
interrupt, replay, and modification) to get the data to tellwhether two transactions came from the same tag. Both typesof tracking might be used to infer usersโ location informationor even their personal profiles.
Due to the advances of hardware development, manyRFID schemes based on the public key techniques have beenproposed and implemented [3]. Compared with the othercryptography mechanisms, the elliptic curve cryptography(ECC) [4, 5] is more competitive since it could provide thesame security level with much smaller key size. Lee et al.[6] proposed an ECC-based RFID authentication scheme.Bringer et al. [7] and Deursen and Radomirovic [8] foundthat Lee et al.โs scheme is vulnerable to the tracking attackand the replay attack. Liao and Hsiao [9] proposed an ECC-based RFID authentication scheme integrated with an IDverifier transfer protocol; nevertheless, Peeters and Hermans[10] showed Liao and Hsiaoโs scheme cannot resist the serverimpersonation attack. Tan [11] proposed ECC-based RFIDthree-factor authentication. Arshad and Nikooghadam [12]found that Tanโs scheme is not resistant to the replay attackand the denial-of-service attack.
In 2014, He et al. [13] proposed an elliptic curvecryptography- (ECC-) based RFID authentication protocolwhich aimed at protecting tagโs anonymity and unlinkabilityand improving the computational complexity. Comparedwith the previous authentication schemes, He et al.โs schemehas better performance in terms of security, computationalcost, and storage requirement. Unfortunately, we find thattheir scheme fails to achieve the privacy protection if anadversary launches active tracking attacks. We will show theweaknesses and propose an improved scheme.The rest of thispaper is organized as follows. Section 2 gives the preliminarysketch of the elliptic curve cryptography and bilinear pairing.Section 3 reviews He et al.โs scheme and shows its securityweakness. In Section 4, we propose our new scheme, whichis followed by security analysis and performance evaluationin Section 5. Finally, conclusions are given in Section 6.
2. Preliminaries
We briefly introduce the elliptic curve cryptography and thebilinear pairing.
2.1. Elliptic Curve Cryptography. Koblitz [4] and Miller [5]introduced elliptic curves for cryptographic applications.Since then, elliptic curve cryptography (ECC) has played animportant role in many cryptosystems. An elliptic curve ๐ธ isdefined over the equation ๐ฆ2 = ๐ฅ3 +๐๐ฅ+๐ over ๐น(๐), where ๐is a large prime and ๐น(๐) is a finite field of order ๐. The mainattraction of ECC is that ECC with 160-bit key can reach asecurity level the same as that of 1024-bit RSA and therebysignificantly reduce the key size.
The security of He et al.โs protocol is based on thecomplexity of the elliptic curve discrete logarithm problem(ECDLP) [14].
Elliptic Curve Discrete Logarithm Problem (ECDLP).Given anelliptic curve ๐ธ over ๐น(๐) and two points ๐ and ๐ on ๐ธ, the
elliptic curve discrete logarithm problem is to find an integer๐ฅ โ ๐
โ
๐such that ๐ฅ๐ = ๐.
2.2. The Bilinear Pairing. The bilinear pairing was initiallyconsidered as a negative property on the design of ellipticcurve cryptosystems, because it reduces the discrete loga-rithm problem on some elliptic curves (especially for super-singular curves) to the discrete logarithm problem in a finitefield [15]. Such property diminishes the strength of super-singular curves in practice [16]. However, followed by thetripartite key agreement protocol proposed by Joux [17] andthe identity-based encryption scheme proposed by Bonehand Franklin [18], pairing becomes beneficial and favorable tothe design of cryptographic protocols or cryptosystems [19].
Let ๐บ1be an additive cyclic group (which is the elliptic
curve group ๐ธ(๐น๐) here) and let ๐บ
2be a multiplicative cyclic
group with the same prime order ๐; that is, |๐บ1| = |๐บ
2| = ๐.
Bilinear pairing is defined by ๐ : ๐บ1ร๐บ1โ ๐บ2which satisfies
the following properties:
(1) Bilinear: for all ๐,๐ โ ๐บ1and all ๐ข, V โ ๐
โ
๐, we have
๐(๐ข๐, V๐) = ๐(๐ขV๐,๐) = ๐(๐, ๐ขV๐) = ๐(๐, ๐)๐ขV.(2) Nondegenerate: ๐(๐, ๐) ฬธ= 1 for some ๐ โ ๐บ
1.
(3) Computable: given ๐,๐ โ ๐บ1, there is an efficient
algorithm to compute ๐(๐, ๐).
We find that He et al.โs protocol is vulnerable to activetracking attack.Wewill utilize the bilinear pairing to facilitateour active attacks in Section 4.
3. Weaknesses of He et al.โs Protocol
3.1. Review of He et al.โs Protocol. This section reviews Heet al.โs protocol [13]. The system consists of three kinds ofentities: readers, a back-end server, and a set of tags; but theRFID reader is omitted from the protocol description since itacts as an intermediate party that relays messages exchangedbetween a tag and the server. It is assumed that the communi-cation between the reader and back-end server is secure. Theproposed protocol comprises two phases: setup and authenti-cation. Notations used in the protocol are defined as follows:
(i) ๐, ๐: two large primes.(ii) ๐น(๐): a finite field of order ๐.(iii) ๐ธ: an elliptic curve defined by the equation ๐ฆ2 = ๐ฅ3 +
๐๐ฅ + ๐ over ๐น(๐).(iv) ๐: a generator point for a group of order ๐ over ๐ธ.(v) ๐ฅ๐ : the private key of the server.
(vi) ๐๐ : the public key of the server ๐
๐ = ๐ฅ๐ ๐.
(vii) ๐๐: the ID verifier of the tag.
Setup Phase. To set up the system, the back-end serverperforms the following tasks:
(i) Define params = {๐, ๐, ๐, ๐, ๐} as the elliptic curvedomain parameters.
International Journal of Distributed Sensor Networks 3
Server (xs, Ps, XT) TagX๐(Ps, XT)
R1 = r1Pm1 = {R1
r1 โR Zโ
n
r2 โR Zโ
n
R2 = r2P
TKT1 = r2Ps
TKT2 = r2R1
AuthT = (XT + TKT1) โ TKT2
m2 = {R2,AuthTTKs1 = xsR2
TKs2 = r1R2
XT = (AuthT โ TKs2) โ TKs1
Search XTAuths = (XT + 2TKs1) โ (2TKs2)
m3 = {Auths
Check Auths = (XT + 2TKT1) โ (2TKT2)
}
}
}
Figure 1: The authentication phase of He et al.โs protocol.
(ii) Choose a random number ๐ฅ๐ โ ๐โ
๐as the serverโs
private key, and compute ๐๐ = ๐ฅ๐ ๐ as the serverโs
public key.(iii) Choose a random point๐
๐on ๐ธ denoted as a tagโs ID
verifier.(iv) (params, ๐
๐ , ๐๐) is stored at both the tag and the
serverโs database.(v) The server also keeps ๐ฅ
๐ secret.
Authentication Phase. To achieve mutual authentication, theserver (๐) and the tag (Tag
๐๐) do the following steps. The
authentication phase is illustrated in Figure 1.
Step 1 (๐ โ Tag๐๐
: ๐1= {๐ 1}). ๐ randomly chooses ๐
1โ
๐โ
๐, computes ๐
1= ๐1๐, and sends ๐
1= {๐ 1} as a challenge
to the tag.
Step 2 (Tag๐๐
โ ๐ : ๐2= {๐ 2,Auth
๐}). Tag
๐๐randomly
chooses ๐2โ ๐โ
๐and computes ๐
2= ๐2๐, TK
๐1= ๐2๐๐ ,
TK๐2= ๐2๐ 1, and Auth
๐= (๐๐+TK๐1) โTK
๐2. Then, Tag
๐๐
sends back๐2= {๐ 2,Auth
๐} to ๐.
Step 3 (๐ โ Tag๐๐
: ๐3={Auth๐ }). ๐ computes TK๐ 1
=
๐ฅ๐ ๐ 2, TK๐ 2
= ๐1๐ 2, and ๐
๐= (Auth
๐โ TK
๐ 2) โ TK
๐ 1
and then searches the serverโs database for ๐๐. If it is not
found, the server ๐ rejects the tag; otherwise, the tag Tag๐๐
is authenticated and thereafter ๐ computes Auth๐ = (๐๐+
2TK๐ 1) โ (2TK
๐ 2) and sends back๐
3= {Auth
๐ } to Tag
๐๐.
Step 4. Upon receiving the serverโs response, Tag๐๐
checks if(๐๐+ 2TK
๐1) โ (2TK
๐2) = Auth
๐ . If it succeeds, the server ๐
is authenticated; otherwise, the tag stops the procedure.
3.2. The Weaknesses. We find that He et al.โs protocol isvulnerable to active tracking attack. We utilize the bilinearpairing to check whether the two transactions came from
the same tag or not. We demonstrate our active attack asfollows, where Adv denotes the notion that the adversaryimpersonates the server to get the responses for tracking.First of all, Adv randomly chooses ๐
1โ ๐โ
๐, computes
๐ 1= ๐1๐, and sends message ๐
1= {๐ 1} to probe the tags it
encounters. In the following, we assume Adv encounters thesame tag Tag
๐๐.
Upon receiving the query, Tag๐๐
randomly chooses ๐2โ
๐โ
๐and computes ๐
2= ๐2๐, TK
๐1= ๐2๐๐ , TK๐2
= ๐2๐ 1, and
Auth๐= (๐๐+ TK๐1) โ TK
๐2. Then, Tag
๐๐sends back๐
2=
{๐ 2,Auth
๐} to ๐. Adv can compute TK
๐ 2= ๐1๐ 2, which equals
TK๐2. So Adv obtains (๐
๐+ TK๐1) โ TK
๐2โ TK๐ 2= (๐๐+
TK๐1).
When Tag๐๐
is probed again, it randomly chooses ๐2โ
๐โ
๐and computes ๐
2= ๐2๐, TK
๐1= ๐2๐๐ , TK๐2
= ๐2๐ 1,
and Auth๐= (๐๐+ TK๐1) โ TK
๐2. Then, Tag
๐๐responds
with ๐2= {๐ 2,Auth
๐}. Adv computes TK
๐ 2= ๐1๐ 2, which
equals TK๐2. Then, it obtains (๐
๐+ TK๐1) โ TK
๐2โ TK๐ 2=
(๐๐+TK๐1). Now Adv performs the following steps to verify
whether the two transactions came from the same tag:
(1) It computes (๐๐+ TK๐1) โ (๐
๐+ TK๐1) = TK
๐1โ
TK๐1= (๐2โ๐2)๐๐ and๐
2โ๐ 2= ๐2๐โ๐2๐ = (๐
2โ๐2)๐.
(2) It checks whether the equation ๐(๐ 2โ ๐ 2, ๐๐)?
=
๐((๐๐+ TK๐1) โ (๐
๐+ TK๐1), ๐) holds.
If the transactions came from the same tag, the aboveverification equation should hold, because ๐(๐
๐+ TK๐1) โ
(๐๐+ TK๐1), ๐) = ๐((๐
2โ ๐2)๐๐, ๐) = ๐((๐
2โ ๐2)๐, ๐)
๐ฅ๐ =
๐((๐2โ๐2)๐, ๐ฅ๐ ๐) = ๐((๐
2โ๐ 2), ๐๐).That is, He et al.โs protocol
cannot resist the active tracking attack.
4. The Proposed Scheme
We propose a new ECC-based scheme, which owns excellentperformance in terms of security, computational complexity,
4 International Journal of Distributed Sensor Networks
Server (xs, Ps, XT)
R1 = r1Pm1 = {R1
r1 โR Zโ
n
r2 โR Zโ
n
R2 = r2P
TKT1 = r2Ps
TKT2 = r2R1
m2 = {R2,AuthTTKs1 = xsR2
TKs2 = r1R2
Search XT
m3 = {Auths
AuthT = (XT + TKT2) โ H(R1 + TKT1)
XT = (AuthT โ H(R1 + TKs1))โ TKs2
Auths = (XT + 2TKs2) โ 2H(R1 + TKs1)
Check Auths = (XT + 2TKT2) โ 2H(R1 + TKT1)
TagX๐(Ps, XT)
}
}
}
Figure 2: The authentication phase of the proposed protocol.
and communicational cost. Our scheme can resist all securitythreats including active tracking attack. Regarding compu-tational complexity, we reduce the number of elliptic curvescalar multiplications, which is the most computationallyexpensive operation in ECC cryptography. For embeddedsystems like RFID and wireless sensor network, the commu-nication operations consume the highest amount of energyof all the operations; therefore, reducing the message lengthis critical for saving the energy of these devices.The proposedscheme consists of two phases: setup and authentication.Since the setup phase is the same as that in He et al.โs protocol,it is omitted here. The authentication phase is described asfollows.
Authentication Phase. To achieve mutual authentication, theserver (๐) and the tag (Tag
๐๐) do the following steps. The
authentication phase is illustrated in Figure 2.
Step 1 (๐ โ Tag๐๐
: ๐1= {๐ 1}). ๐ randomly chooses ๐
1โ
๐โ
๐, computes ๐
1= ๐1๐, and sends ๐
1= {๐ 1} as a challenge
to the tag.
Step 2 (Tag๐๐
โ ๐ : ๐2= {๐ 2,Auth
๐}). Tag
๐๐randomly
chooses ๐2โ ๐โ
๐and computes ๐
2= ๐2๐, TK
๐1= ๐2๐๐ ,
TK๐2
= ๐2๐ 1, and Auth
๐= (๐๐+ TK๐2) โ ๐ป(๐
1+ TK๐1).
Then, Tag๐๐
sends back๐2= {๐ 2,Auth
๐} to ๐.
Step 3 (๐ โ Tag๐๐
: ๐3= {Auth
๐ }). ๐ computes TK
๐ 1=
๐ฅ๐ ๐ 2, TK๐ 2
= ๐1๐ 2, and ๐
๐= (Auth
๐โ ๐ป(๐
1+ TK๐ 1)) โ
TK๐ 2and then searches the serverโs database for๐
๐. If it is not
found, the server ๐ rejects the tag; otherwise, the tag Tag๐๐
is authenticated and thereafter ๐ computes Auth๐ = (๐๐+
2TK๐ 2) โ 2๐ป(๐
1+ TK๐ 1) and sends back ๐
3= {Auth
๐ } to
Tag๐๐.
Step 4. Upon receiving the serverโs response, Tag๐๐
checksif (๐๐+ 2TK
๐2) โ 2๐ป(๐
1+ TK๐1) = Auth
๐ . If it succeeds,
the server ๐ is authenticated; otherwise, the tag stops theprocedure.
5. Security Analysis andPerformance Evaluation
5.1. Security Analysis. We analyze the security of the pro-posed scheme as follows.
Mutual Authentication. The authentication of the tag isdependent on tagโs ability to prove its knowledge of the secret๐๐. In our scheme, the server receives the message ๐
2=
{๐ 2,Auth
๐}, where ๐
2= ๐2๐ and Auth
๐= (๐๐+ TK๐2) โ
๐ป(๐ 1+TK๐1).The serverwill use its private key๐ฅ
๐ to compute
TK๐ 1= ๐ฅ๐ ๐ 2and TK
๐ 2= ๐1๐ 2and to extract ๐
๐= (Auth
๐โ
๐ป(๐ 1+ TK๐ 1)) โ TK
๐ 2. Then, the server checks whether ๐
๐
is stored in the database. Only the genuine tag that owns thesecret๐
๐can generate valid Auth
๐.
The authentication of the server is dependent on serverโsability to extract ๐
๐and generate valid Auth
๐ . Only the
genuine server that owns the secret ๐ฅ๐ can correctly extract
๐๐from Auth
๐and then compute valid Auth
๐ = (๐
๐+
2TK๐ 2) โ 2๐ป(๐
1+ TK๐ 1). Without knowledge of the serverโs
secret key ๐ฅ๐ , the adversary cannot obtain TK
๐ 1= ๐ฅ๐ ๐ 2. The
tag checks the validity of Auth๐ . If it is valid, then the server
is authenticated.
Anonymity. In our scheme, ๐1= {๐ 1}, ๐2= {๐ 2,Auth
๐},
and ๐3= {Auth
๐ } are transmitted, where the tag-identity-
related messages are Auth๐
= (๐๐+ TK
๐2) โ ๐ป(๐
1+
TK๐1) and Auth
๐ = (๐
๐+ 2TK
๐ 2) โ 2๐ป(๐
1+ TK
๐ 1)
which are random due to two random and fresh numbers๐1and ๐2in each session. Therefore, the adversary can learn
nothing about the identity of the tag from the transmission.The randomness and freshness of the two random numbersensure the anonymity of the proposed scheme.
Tracking Attack Resistance.The essence of the active trackingresistance of the proposed scheme is that each calculation ofAuth๐= (๐๐+TK๐2)โ๐ป(๐
1+TK๐1) involves the confusion
value ๐ป(๐ 1+ TK๐1), where the computation of TK
๐1needs
either tagโs secret ๐2or the serverโs private key ๐ฅ
๐ ; therefore,
International Journal of Distributed Sensor Networks 5
Table1:Perfo
rmance
comparis
on.
ArshadandNikoo
ghadam
[12]
Liao
andHsia
o[9]
Hee
tal.[13]
Ours
Thes
erverโs
compu
tatio
nalcost
2๐๐ธ๐+๐๐+๐IN
V+8๐๐ป=490.58๐๐ธ๐ด+8๐๐ป
5๐๐ธ๐+3๐๐ธ๐ด=1208๐๐ธ๐ด
5๐๐ธ๐+2๐๐ธ๐ด=1207๐๐ธ๐ด
4๐๐ธ๐+4๐๐ธ๐ด+2๐๐ป=968๐๐ธ๐ด+2๐๐ป
Thetagโscompu
tatio
nalcost
2๐๐ธ๐+๐๐+7๐๐ป=490.58๐๐ธ๐ด+7๐๐ป
5๐๐ธ๐+3๐๐ธ๐ด=1208๐๐ธ๐ด
5๐๐ธ๐+2๐๐ธ๐ด=1207๐๐ธ๐ด
4๐๐ธ๐+4๐๐ธ๐ด+2๐๐ป=968๐๐ธ๐ด+2๐๐ป
Num
bero
frou
nds/ste
ps3
33
3To
tallengthof
transm
itted
message
8|๐ฅ|+2๐ฟEC
C4๐ฟEC
C4๐ฟEC
C4๐ฟEC
CTh
etagโstransm
issionleng
th4|๐ฅ|+๐ฟEC
C2๐ฟEC
C2๐ฟEC
C2๐ฟEC
CTh
eserverโs
storage
cost
(๐+1)|๐ฅ|+๐ฟEC
C(๐+1)|๐ฅ|+๐๐ฟEC
C|๐ฅ|+(๐+1)๐ฟEC
C|๐ฅ|+(๐+1)๐ฟEC
CTh
etagโssto
rage
cost
5|๐ฅ|+๐ฟEC
C|๐ฅ|+2๐ฟEC
C2๐ฟEC
C2๐ฟEC
CSecurityweakn
esses
Serverim
personation
Activ
etracking
No
6 International Journal of Distributed Sensor Networks
an active tracker has no way to derive any verifiable data fromthe transmissions. We can verify this by launching the sameactive attack on our proposed protocol as follows, where Advdenotes the notion that the adversary impersonates the serverto get the responses for tracking.
First of all, Adv randomly chooses ๐1โ ๐โ
๐, computes
๐ 1= ๐1๐, and sends message ๐
1= {๐ 1} to probe the tags it
encounters. In the following, we assume Adv encounters thesame tag Tag
๐๐.
Upon receiving the query, Tag๐๐
randomly chooses ๐2โ
๐โ
๐and computes ๐
2= ๐2๐, TK
๐1= ๐2๐๐ , TK๐2
= ๐2๐ 1,
and Auth๐= (๐๐+ TK๐2) โ ๐ป(๐
1+ TK๐1). Then, Tag
๐๐
sends back๐2= {๐ 2,Auth
๐} to ๐. Since Adv cannot compute
TK๐1
= ๐2๐๐ , Adv obtains nothing except Auth
๐. When
Tag๐๐
is probed again, it randomly chooses ๐2โ ๐โ
๐and
computes ๐ 2= ๐2๐, TK
๐1= ๐2๐๐ , TK๐2
= ๐2๐ 1, and
Auth๐= (๐๐+TK๐2)โ๐ป(๐
1+TK๐1). Then, Tag
๐๐responds
with ๐2= {๐ 2,Auth
๐}. Adv cannot compute TK
๐1= ๐2๐๐ ,
and Adv obtains nothing except Auth๐. Adv cannot verify
whether the two transactions came from the same tag. Thatis, our proposed protocol can resist the active tracking attack.
Tag Masquerade Attack Resistance. To impersonate a tag, theadversary must be able to generate a valid message ๐
2=
{๐ 2,AuthT}, where Auth๐ = (๐
๐+ TK๐2) โ ๐ป(๐
1+ TK๐1).
However, it is difficult to generate such a message withoutknowing the identity of the tag๐
๐.
Server Spoofing Attack Resistance. To impersonate the server,the adversary must be able to generate a valid message ๐
3=
{Auth๐ }, where๐
1= ๐1๐ andAuth
๐ = (๐๐+2TK
๐ 2)โ2๐ป(๐
1+
TK๐ 1). It is easy for the adversary to generate ๐
1, but it is
difficult to generate Auth๐ without knowledge of the serverโs
secret key ๐ฅ๐ and the tagโs identity๐
๐.
5.2. Performance Evaluation. We compare the proposedschemewithHe et al.โs protocol [13] and some related schemes[9, 12] in terms of computational cost, communicational cost,and storage cost. Let ๐
๐ธ๐ดdenote the cost of point addition
over an elliptic curve ๐ธ, let ๐๐ธ๐
denote the cost of scalarmultiplication over an elliptic curve ๐ธ, let ๐
๐denote the cost
of modular multiplication over the underlying field ๐น(๐), let๐INV denote the cost of modular inverse over the underlyingfield ๐น(๐), let ๐
๐ปdenote the cost of computing a hash value,
let ๐ฟECC denote the bit length of one elliptic curve point, let|๐ฅ| denote the size of integer ๐ฅ, and let ๐ denote the numberof tags in the system. To evaluate the complexity, we adopt thepractical figures from [20]. In [20], it lists the timing for com-puting ๐๐ and ๐๐ mod ๐, where ๐ธ is an elliptic curve definedover ๐น(๐), ๐ โ 2
160, ๐ is a point whose order is 160-bit primeover๐ธ, ๐ is a random 160-bit integer, and๐ is a 1024-bit prime.Therefore, we can conclude that ๐
๐โ (41/5)๐
๐ธ๐ดโ 8๐๐ธ๐ด,
๐๐ธ๐
โ (29/0.12)๐๐ธ๐ด
โ 241๐๐ธ๐ด, and ๐INV โ (3 โ 8/41)๐
๐ธ๐ดโ
0.58๐๐ธ๐ด
[20]. Note that the cost of executing an exclusive-or operation (XOR) is negligible when compared with otheroperations stated above. Since the parameters params =
{๐, ๐, ๐, ๐, ๐} are stored in both the server and the tag, the stor-age cost of params is omitted in the following comparison.
The performance comparison is summarized in Table 1. SinceHe et al.โs protocol [13], Liao and Hsiaoโs scheme [9], Arshadand Nikooghadamโs scheme [12], and our proposed schemerely on the ECDLP, the elliptic curve scalar multiplicationis the most time-consuming operation in the elliptic curvecryptosystem. Although our proposed scheme has the samecommunicational and storage costs as He et al.โs protocol, ourproposed scheme owns better computational performance byeliminating one elliptic curve scalarmultiplication operation.Our proposed scheme is more efficient than Liao and Hsiaoโsscheme because our proposed scheme requires less cost interms of computation, communication, and storage. Table 1shows that Arshad and Nikooghadamโs scheme requires lesscomputational cost than our proposed scheme. However, ithas been studied that communication consumesmore energythan computation in embedded wireless communicationsystems like RFID and wireless sensor network [21, 22].Studies in the past have shown that 3000 instructions couldbe executed for the same energy usage as sending a bit 100mby radio [23]; therefore, many studies in these fields devotedlots of efforts to reducing the communication complexity[24, 25]. It is important to optimize communication andminimize energy consumption. In our proposed scheme, thetag communication requires only 50% of that of Arshad andNikooghadamโs scheme, while our scheme achieves the samesecurity properties with slightly more computations.
6. Conclusions
Mobile healthcare systems are becoming more and morepopular. Lack of protecting patient and data privacy mayhinder the utility of mobile healthcare system. In this paper,we have shown the weakness of He et al.โs protocol. Theprotocol cannot meet privacy protection requirement sinceit is vulnerable to active tracking attack. We have proposed anew schemewhich not only conquers the securityweaknessesbut also improves the computational performance.
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper.
Acknowledgment
This project is partially supported by the National ScienceCouncil, Taiwan, under Grant no. MOST 103-2221-E-260-022.
References
[1] A.-R. Sadeghi, I. Visconti, and C. Wachsmann, โUser privacyin transport systems based on RFID e-tickets,โ in Proceedingsof the 1st International Workshop on Privacy in Location-BasedApplications, pp. 102โ122, Malaga, Spain, October 2008.
[2] Y.-C. Yen, N.-W. Lo, and T.-C. Wu, โTwo RFID-based solutionsfor secure inpatient medication administration,โ Journal ofMedical Systems, vol. 36, no. 5, pp. 2769โ2778, 2012.
International Journal of Distributed Sensor Networks 7
[3] Y. Chen, J.-S. Chou, and H.-M. Sun, โA novel mutual authenti-cation scheme based on quadratic residues for RFID systems,โComputer Networks, vol. 52, no. 12, pp. 2373โ2380, 2008.
[4] N. Koblitz, โElliptic curve cryptosystems,โ Mathematics ofComputation, vol. 48, no. 177, pp. 203โ209, 1987.
[5] V.Miller, โUse of elliptic curves in cryptography,โ inAdvances inCryptologyโCRYPTO โ85 Proceedings, vol. 218 of Lecture Notesin Computer Science, pp. 417โ426, Springer, Berlin, Germany,1985.
[6] Y. Lee, L. Batina, and I. Verbauwhede, โEC-RAC (ECDLP basedrandomized access control): provably secure RFID authentica-tion protocol,โ in IEEE International Conference on RFID, pp.97โ104, Las Vegas, Nev, USA, April 2008.
[7] J. Bringer, H. Chabanne, and T. Icart, โCryptanalysis of EC-RAC, a RFID identification protocol,โ in Cryptology and Net-work Security: 7th International Conference, CANS 2008, Hong-Kong, China, December 2โ4, 2008. Proceedings, vol. 5339 ofLecture Notes in Computer Science, pp. 149โ161, Springer, Berlin,Germany, 2008.
[8] T. Deursen and S. Radomirovic, โAttacks on RFID protocols(version 1.1),โ Tech. Rep., University of Luxembourg, 2009.
[9] Y.-P. Liao and C.-M. Hsiao, โA secure ECC-based RFID authen-tication scheme integrated with ID-verifier transfer protocol,โAd Hoc Networks, vol. 18, pp. 133โ146, 2014.
[10] R. Peeters and J. Hermans, Attack on Liao and Hsiaoโs SecureECC-based RFID Authentication Scheme Integrated with ID-Verifier Transfer Protocol, Cryptology ePrint Archive, 2013.
[11] Z. Tan, โA user anonymity preserving three-factor authentica-tion scheme for telecaremedicine information systems,โ Journalof Medical Systems, vol. 38, article 16, 2014.
[12] H. Arshad and M. Nikooghadam, โThree-factor anony-mous authentication and key agreement scheme for TelecareMedicine Information Systems,โ Journal ofMedical Systems, vol.38, no. 12, article 136, 2014.
[13] D. He, N. Kumar, N. Chilamkurti, and J.-H. Lee, โLightweightECC based RFID authentication integrated with an ID verifiertransfer protocol,โ Journal ofMedical Systems, vol. 38, article 116,2014.
[14] V. Miller, โShort programs for functions on curves,โ 1986,https://crypto.stanford.edu/miller/miller.pdf.
[15] A. J. Menezes, T. Okamoto, and S. Vanstone, โReducing ellipticcurve logarithms to logarithms in a finite field,โ IEEE Transac-tions on Information Theory, vol. 39, no. 5, pp. 1639โ1646, 1993.
[16] C.-Y. Lin, T.-C. Wu, F. Zhang, and J.-J. Hwang, โNew identity-based society oriented signature schemes from pairings onelliptic curves,โAppliedMathematics and Computation, vol. 160,no. 1, pp. 245โ260, 2005.
[17] A. Joux, โA one round protocol for tripartite Diffie-Hellman,โ inProceedings of the 4th Algorithmic Number Theory Symposium(ANTS โ00), pp. 385โ394, Leiden, The Netherlands, July 2000.
[18] D. Boneh andM. Franklin, โIdentity-based encryption from theWeil pairing,โ in Advances in CryptologyโCRYPTO 2001, vol.2139 of Lecture Notes in Computer Science, pp. 213โ229, 2001.
[19] D. Boneh, B. Lynn, and H. Shacham, โShort signatures from theWeil pairing,โ in Advances in CryptologyโASIACRYPT 2001,vol. 2248 of Lecture Notes in Computer Science, pp. 514โ532,Springer, Berlin, Germany, 2001.
[20] A. Jurisic and A.-J. Menezes, โElliptic curves and cryptography,โDr. Dobbโs Journal, pp. 26โ36, 1997.
[21] F. Zhao and L. J. Guibas, Wireless Sensor Networks: An Infor-mation Processing Approach, Elsevier-Morgan Kaufmann, SanFrancisco, Calif, USA, 2004.
[22] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci,โWireless sensor networks: a survey,โ Computer Networks, vol.38, no. 4, pp. 393โ422, 2002.
[23] J. Pottie and W. J. Kaiser, โEmbedding the internet wirelessintegrated network sensors,โ Communications of the ACM, vol.43, no. 5, pp. 51โ58, 2000.
[24] S. Tilak, N. B. Abu-Ghazaleh, andW.Heinzelman, โA taxonomyof wireless micro-sensor network models,โ ACM SIGMOBILEMobile Computing and Communications Review, vol. 6, no. 2,pp. 28โ36, 2002.
[25] J. Heidemann, F. Silva, C. Intanagonwiwat, R. Govindan, D.Estrin, and D. Ganesan, โBuilding efficient wireless sensornetworks with low-level naming,โ in Proceedings of the 18thACMSymposiumonOperating Systems Principles (SOSP โ01), pp.146โ159, Banff, Canada, 2001.
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Hindawi Publishing Corporation http://www.hindawi.com
Journal ofEngineeringVolume 2014
Submit your manuscripts athttp://www.hindawi.com
VLSI Design
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation http://www.hindawi.com
Volume 2014
The Scientific World JournalHindawi Publishing Corporation http://www.hindawi.com Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Modelling & Simulation in EngineeringHindawi Publishing Corporation http://www.hindawi.com Volume 2014
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014
DistributedSensor Networks
International Journal of