RAFI: Robust Authentication Framework for IoT-Based RFID Infrastructure

Abstract

The Internet of Things (IoT) is a future trend that uses the Internet to connect a variety of physical things with the cyber world. IoT technology is rapidly evolving, and it will soon have a significant impact on our daily lives. While the growing number of linked IoT devices makes our daily lives easier, it also puts our personal data at risk. In IoT applications, Radio Frequency Identification (RFID) helps in the automatic identification of linked devices, and the dataflow of the system forms a symmetry in communication between the tags and the readers. However, the security and privacy of RFID-tag-connected devices are the key concerns. The communication link is thought to be wireless or insecure, making the RFID system open to several known threats. In order to address these security issues, we propose a robust authentication framework for IoT-based RFID infrastructure. We use formal security analysis in the random oracle model, as well as information analysis to support the claim of secure communication. Regarding the desirable performance characteristics, we describe and analyze the proposed framework’s performance and compare it to similar systems. According to our findings, the proposed framework satisfies all security requirements while also improving the communication.

1. Introduction

An RFID infrastructure has a symmetric nature. The RFID system is a wireless technology that is used to identify remote objects that have RFID tags embedded in them. RFID technology is utilized in a variety of applications, including transportation, supply chain management, livestock management, e-passport, e-payment, and patient healthcare [1,2,3]. Backend readers, servers, and tags are all a part of a conventional RFID system whose architecture is symmetric, since the dataflow is in one direction from the tag, reader to server, and then, the inverse Table 5. The lack of physical contact between the reader and the tags is a crucial element of RFID systems, and the following are some of the benefits of using them: RFID tags are small and inexpensive, and radio frequency communication can recognize large numbers of RFID tags at the same time [4,5]. RFID systems, on the other hand, are exposed to a variety of security attacks and privacy exposure concerns due to their use of wireless communication and signal broadcasting techniques. It is difficult to apply a comprehensive cryptographic algorithm to an RFID system due to the strictly limited calculation resources, tiny storage capacity, and weak power supply of low-cost tags, and these issues are impeding the rapid development of this technology [6]. RFID security is fundamentally concerned with authentication and privacy issues. A secure protocol running RFID tags and readers can provide authentication. If a tag contains unique secret information and the RFID reader and RFID tag can convince the RFID reader that they both have that information, the tagged product is considered to be authentic and the person has access to it. Tag anonymity is one of the most important features that any RFID-based authentication technique aspires to attain, and tag untraceability, which ensures the privacy of the tag or the mobility of a user wearing an RFID tag, is a more satisfactory property of tag anonymity. To achieve this attribute, a tag must encode its original identity using a cryptographic primitive such as a one-way secure collision-resistant hash function in existing state-of-the-art authentication protocols. RFID is the simplest form of pervasive sensor network and is widely used for object identification [7]. RFID systems are made up of a tag with a transceiver that sends and receives radio signals from connected devices [8,9]. The RFID reader is another device that acts as an access point and can receive and deliver messages to transceivers. The reader is also in charge of ensuring that tag information is available at the application level [10]. IoT-based RFID tags can be of the passive or active type. The differences between these tags are summarized in Table 1.

Table 1. IoT-based RFID tag features’ comparison.

Features	Active Tags	Passive Tags
Data Storage	128 bytes	128 bytes
Tag Battery	Yes	No
Range	Up to 100 M	Up to 3–5 M
Multiple Tag Reading	More then 1000 tags recognized up to 100 mph	Less than a thousand tags within 3 M of the reader’s range
Signal Strength Required to Tag	Very low	Very high
Tag Power	Internal source to tag	Energy transferred through radio frequency from the reader
Availability of Source Power	Continuous	Only in range of radar

1.1. Related Work

In recent years, numerous exciting anonymous IoT-based RFID authentication and key agreement frameworks have been proposed, which can be classified into Public Key Cryptosystem- (PKC) and Non-Public Key Cryptosystem- (NPKC) based authenticated schemes. These approaches are unsuitable for tiny powered tags due to the modular exponential operations. Hash-based RFID systems, on the other hand, would be the best choice among NPKCs because of their low computational overhead [7,11,12,13]. Yang et al. [11] introduced an authentication mechanism based on a one-way secure collision-resistant hash function and exclusive-OR, claiming that it addressed all of the security vulnerabilities that occur in RFID systems. Unfortunately, the protocol is vulnerable to many attacks, including “man-in-the-middle”, forgeries, and loss of untraceability [14]. Cho et al. [13] developed a secure hash-based authentication framework, claiming that it addresses all of the security, privacy, and forgery difficulties that exist in RFID communication systems. However, Safkhani et al. [15] recently demonstrated that the protocol does not meet the authors’ security promises. In their paper, they cryptanalyzed Cho et al.’s [13] protocol and concluded that it is vulnerable to “de-synchronization or DoS attacks, tag impersonation attacks, and reader impersonation attacks”. Furthermore, they showed in their paper that all proposed lightweight authentication techniques based on one-way hash functions and exclusive-OR are impracticable [11,12,13,16,17]. Ayaz et al. [18] suggested another mutual authentication approach for secure RFID communication systems utilizing only symmetric key cryptography operations. In this framework, an authentication is accomplished on the basis of user biometrics’ verification in their protocol. Liu et al. [19] proposed an authentication protocol for an RFID system by using hash and XoR operations. The correctness of the protocol was proven by using “Burrows–Abadi–Needham (BAN)” logic analysis. Mansoor et al. [20] proposed a securing IoT-based authentication protocol for RFID systems by using a symmetric cryptography approach. Unfortunately, we studied their protocol and found the security weaknesses of their protocol. Furthermore, Mansoor et al. [20] showed that the protocol proposed by Gope et al. [21] is vulnerable to collision attacks, DoS attacks, and stolen verifier attacks. In 2022, Gao and Lu pretested a new ultra-lightweight RFID authentication protocol in passive RFID systems [22]. The proposed protocol, they claimed, prevents numerous known attacks, beats several existing ultra-lightweight protocols in terms of computational cost, storage requirements, and communication costs, and is efficient in terms of the computational cost, storage requirements, and communication costs. Wang et al. suggested a protocol [23] for which they had formal and informal discussions about security and privacy. Xiaomei et al. discussed [24] the RFID logic of an event-based authentication framework for secure communication. Shariq et al. proposed an RFID-based anonymous and secure framework for deployment in IVs [25]. Wei et al. proposed an improved security authentication protocol for lightweight RFID based on ECC [26]. Arslan and Bingöl presented the security and privacy analysis of recently proposed ECC-based RFID authentication schemes [27].

1.2. Adversary Model

Our adversary model is based on the threat model of [28], which is well-known and widely recognized. By altering, monitoring, deciding on, and introducing information into the communications channel, the attacker can not only see the communications channel, but also capture session keys, confidential documents, and private keys stored in the contributor memory through explicit attacks. Many assaults, such as replay attacks, man-in-the-middle attacks, impersonation attacks, etc., are now possible in the RFID system due to the utilization of public communication networks and wireless communication networks. As a result, the privacy and security issues are major concerns in RFID frameworks. Thus, an authentication and key management mechanism is required to validate the legitimacy of specified entities.

1.3. Security Requirements for an IoT-Based RFID Communication System

As far as we know and based on the available literature, many authentication protocols for RFID communication systems have been presented during the last few years. In RFID systems, authentication and key agreement are the best approaches to make them suitable for a wide range of applications. During the transmission of messages between RFID tags and RFID readers, many types of security attacks may occur. We outline various security needs in light of these issues, such as forward security, mutual authentication, anonymity, scalability, confidentiality, untraceability,“ man-in-the-middle attack, insider attack, replay attack, impersonation attack”, etc., to provide secure communication for the RFID system. Such requirements are utilized as the criteria for assessing the RFID system in order to provide a secure and efficient authentication protocol. The following security criteria should be met by any authentication scheme that attempts to secure a practical RFID-based system:

• Mutual authentication: This is the most important aspect of any authentication mechanism. Furthermore, mutual authentication must be achieved in the presence of all three RFID system participants. The authentication process takes place between the backend database server and the RFID tag. Messages are sent between the tag, reader, and server over an unsecured communication channel.
• Tag anonymity: To minimize forgery and ensure security, this is the most important and necessary security requirement. Furthermore, if an opponent is unable to trace an RFID tag during message delivery over a public channel, the RFID authentication system maintains its anonymity. Anonymity can be divided into two categories: strong anonymity and weak anonymity. Furthermore, in IoT communication, the participants involved do not disclose their real identity in order to defend their security and privacy.
• Message authentication: In Internet operations, this maintains the integrity of message communication.
• Untraceability: In the RFID communication system, untraceability means that no one can trace the behavior patterns of the participants involved and their forwarded messages.
• Session key agreement: Following the successful implementation of the proposed protocol, a session key agreement will be established between users with their mobile devices and the network control center for future communication.
• Confidentiality: Encrypting shared secrets on the public channel ensures the security of RFID communications between the tag and reader.
• Perfect forward secrecy: Perfect forward secrecy is a technique that should be used in the authentication protocol design to give secrecy to previously communicated messages, where an opponent who discovers the entities private and public keys will be unable to derive a past session key.
• Scalability: The approach is not scalable if the server conducts an extensive search to verify a tag. Worse, an opponent may conduct a timing attack [29] against the protocol, which can identify a tag based on how long it took the server to authenticate it. To maintain scalability, an authentication strategy should avoid any exhaustive search operations.
• Availability: In an RFID system, the authentication and key agreement procedure runs all the time between the RFID tag and RFID backend database server. In most authentication methods, the shared secret information between the RFID tag and RFID backend database server must be updated to achieve the attribute of accessibility. However, security risks such as Denial-Of-Service (DoS) or de-synchronization attacks may disrupt this process. The RFID system’s efficiency may be harmed as a result of these concerns. Thus, when designing an authentication protocol, this issue should be considered.
• Impersonation attack: An adversary could try to mimic legitimate protocol participants (such as the cloud database server, RFID reader, or RFID tag) by replaying a message captured from the channels. Any impersonation should be avoided at all costs.
• Replay attack: An outsider attempts to confuse other certified participants by restating intercepted data in this attack. This attack targets a user whose information is intercepted by an uncertified third party.
• Man-in-the-middle attack: An adversary listens in on transmitted data and then attempts to delete or manipulate the contents of the data sent to receivers in this attack.
• Insider attack: Any insider can play the role of adversary in the RFID communication system.
• De-synchronization attack: An adversary may generate desynchronization problems if a protocol authentication is based on shared values. The server may be unable to verify the tag in the future if the shared data are updated by the server, but the tag is not. De-synchronization attempts should be avoided.

1.4. Motivation and Contribution

Many authentication and key agreement frameworks for RFID systems have been presented during the last few decades, as far as we know and based on the existing literature [13,16,17,19,20,21]. However, a suitable authenticated key agreement protocol for RFID systems that is secure and efficient for RFID systems is missing. RFID systems require an authenticated key agreement scheme because of their varying computing capabilities and privacy requirements. Thus, we propose an authenticated key agreement protocol for RFID communication systems. Table 2 shows the comparative study of the advantages and disadvantages of other protocols with respect to our suggested protocol. The following are some notable characteristics of the proposed framework:

-

We propose a robust authentication protocol that supports key agreement between RFID tags and the database server for IoT-based RFID infrastructure.

-

We give a thorough explanation of the informal security study, proving that the suggested protocol can resist a variety of well-known security attacks.

-

The proposed protocol security is formally demonstrated using a random oracle model.

-

The proposed the RAFI has desirable security features that make the proposed protocol robust and efficient, according to the proof of security.

-

The results of the performance evaluation and comparison show that the proposed RAFI has desirable performance features.

Table 2. Merits and demerits of the existing authentication protocols in RFID environments.

Protocols	Approach Used	Published Year	Merits	Demerits
Tan et al. [16]	Hash function	2008	Provides backward and forward secrecy	Susceptible to replay attack, insider attack,
			and de-synchronization	DoS attack, and tag anonymity problem
Cai et al. [17]	Hash function	2009	Provides a mutual authentication and	Vulnerable to impersonation attack,
			anonymity and secure against stolen verifier attack	insider attack, and DoS attack
Cho et al. [13]	Hash function	2015	Provides a mutual authentication and tag untraceability	Prone to insider attack, man-in-the-middle attack
			and secure against stolen verifier attacks	and impersonation attack
Gope and Hwang [21]	Hash function	2015	Prevents replay attacks, de-synchronization,	Vulnerable to collision attacks,
			and man-in-the-middle attack	DoS attacks, and impersonation attack
Liu et al. [19]	Hash function	2018	Provides mutual authentication,	Susceptible to stolen verifier attacks,
			tag untraceability, and tag anonymity	collision attacks, and DoS attacks
Mansoor et al. [20]	Hash function	2019	Attains mutual authentication, scalability,	Vulnerable to impersonation attack, man-in-
			and data confidentiality	the-middle attack, collision attack, and replay attack

Table 2. Merits and demerits of the existing authentication protocols in RFID environments.

Protocols	Approach Used	Published Year	Merits	Demerits
Tan et al. [16]	Hash function	2008	Provides backward and forward secrecy	Susceptible to replay attack, insider attack,
			and de-synchronization	DoS attack, and tag anonymity problem
Cai et al. [17]	Hash function	2009	Provides a mutual authentication and	Vulnerable to impersonation attack,
			anonymity and secure against stolen verifier attack	insider attack, and DoS attack
Cho et al. [13]	Hash function	2015	Provides a mutual authentication and tag untraceability	Prone to insider attack, man-in-the-middle attack
			and secure against stolen verifier attacks	and impersonation attack
Gope and Hwang [21]	Hash function	2015	Prevents replay attacks, de-synchronization,	Vulnerable to collision attacks,
			and man-in-the-middle attack	DoS attacks, and impersonation attack
Liu et al. [19]	Hash function	2018	Provides mutual authentication,	Susceptible to stolen verifier attacks,
			tag untraceability, and tag anonymity	collision attacks, and DoS attacks
Mansoor et al. [20]	Hash function	2019	Attains mutual authentication, scalability,	Vulnerable to impersonation attack, man-in-
			and data confidentiality	the-middle attack, collision attack, and replay attack

1.5. Organization of the Paper

The remainder of the proposed framework is organized as follows: Section 2 covers the fundamentals of the mathematics. The proposed framework is discussed in Section 3. In Section 4, the proposed framework security is evaluated. Section 5 includes a performance study of the proposed framework. Finally, the findings are summarized in the Section 5.4.

2. Mathematical Preliminaries

The notations and terminology used in the RAFI are defined in this section.

2.1. Notations

As shown in Table 3, the following notations are utilized.

Table 3. Notations.

Symbol	Description
$T_i$	ith RFID tag
$R_j$	jth RFID reader
⊕	Bitwise XoR operation
$h(·)$	Cryptographic one-way hash function
$x_S$	Secret key of S
S	Database server
$▵T$	Maximum time delay in communication
‖	Concatenation operation
$S{K}_{ij}(.)$	Session key agreement between entities i and j
$i\stackrel{?}{=}j$	Whether i equals j
$\mathcal{A}$	Adversary
≈	Approximate value
$I{D}_{T_i}$	The identity of the ith tag
$i···\Rightarrow j:\left\{M\right\}$	i sends message M to j via a secure channel
$i···\to j:\left\{M\right\}$	i sends message M to j via a public channel

2.2. Cryptography Materials

Here, various cryptographic primitives that are used to design the proposed security protocol are discussed. In this regard, we make use of lightweight cryptographic primitives to ensure security and computational efficiency.

2.2.1. Cryptographic Hash Function

The hash operation takes a variable-length message (M) as the input and outputs a fixed string result H(M), which is known as the message digest. In practice, reversing this process is nearly impossible. As a result, this function is referred to as a collision-resistant one-way hash function. Following that, our system integrity will be protected using the Secure Hash Algorithm (SHA-256). The one-way collision-resistant $h:{\{0,1\}}^{*}\to {\{0,1\}}^n$ hash function [30,31,32] takes an input $x\in {\{0,1\}}^{*}$ and returns an output $h\left(x\right)\in {\{0,1\}}^n$ of definite length n of a message. The advantage of any $\mathcal{A}$ for calculating the collision is as follows: Advantage $Ad{v}_{\mathcal{A}}^{HASH}\left(t\right)=Pr[(x_1,x_2){\Leftarrow }_R\mathcal{A}:x_1\ne x_2$, and $h\left(x_1\right)=h\left(x_2\right)]$ and $(x_1,x_2){\Leftarrow }_R\mathcal{A}$ represent the set of $(x_1,x_2)$ computedby attacker $\mathcal{A}$. The probability of this advantage is thus calculated across the random choice values made by $\mathcal{A}$ with the run duration t. Hash function $h(.)$ is collision-resistant if $Ad{v}_{\mathcal{A}}^{HASH}\left(t\right)\le ϵ$, where $ϵ>0$.

2.2.2. XoR Cipher

In cryptography, the XoR operation includes some postulates: $P\oplus (Q\oplus R)=(P\oplus Q)\oplus R$, $P\oplus P=0$, $P\oplus 0=P$, and $(Q\oplus P)\oplus P=Q\oplus 0=Q$.

3. The Proposed Protocol

The steps in the proposed framework are as follows: “ registration phase of RFID with database server” and “login and authentication phase”. The architecture of the proposed protocol given the Figure 1.

Figure 1. Architecture of the RAFI.

3.1. Registration Phase

The following are the instructions for registering the RFID tag with the database server. The detailed of this phase also mentioned in Table 4.

Table 4. Registration phase of RFID tag.

Tag ${\mathit{T}}_{\mathit{i}}$	Database Server S
Inputs $I{D}_{T_i}$
Sends $M_{R_{i1}}=\left\{I{D}_{T_i}\right\}$
$················$⇒	Generates sequence number $S{N}_i$ for $T_i$
	Computes $S_1=I{D}_S\oplus h(I{D}_{T_i}\parallel S{N}_i\parallel x_S)$
	Where $x_S$ is the private key of S
	Computes $S_2=h(S_1\parallel I{D}_{T_i})\oplus I{D}_{T_i}$
	Stores $S_1,S_2,S{N}_i$ in the database
	Sends $M_{R{2}_{i2}}=\{S_1,S_2,S{N}_i,h(.)\}$
upon receiving $M_{R{2}_{i2}}$	⇐$················$
Stores $\{S_1,S_2,S{N}_i\}$ in the database

Step AK1:

To register with database server S, tag $T_i$ inputs $I{D}_{T_i}$ and, then, $T_i\Rightarrow S:M_{R_{i1}}=\left\{I{D}_{T_i}\right\}$ via a secure channel.

Step AK2:

Upon receiving $M_{i1}$, it generates sequence number $S{N}_i$ for $T_i$ and computes $S_1=I{D}_S\oplus h(I{D}_{T_i}\parallel S{N}_i\parallel x_S)$ where $x_S$ is private key for S. Furthermore, the data server computes $S_2=h(S_1\parallel I{D}_{T_i})\oplus I{D}_{T_i}$. Finally, S stores $S_1,S_2,S{N}_i$ in the database and sends $M_{R{2}_{i2}}=\{S_1,S_2,S{N}_i,h(.)\}$ towards the tag via a secure medium.

Step AK3:

Upon receiving $M_{R{2}_{i2}}$, the RFID tag stores parameters $\{S_1,S_2,S{N}_i\}$ in the database for further communication via a secure medium.

3.2. Login and Authentication Phase

$T_i$ successfully registers with S, and when she/he wants to use the service, she/he makes an access request to S. The following is a description of the procedure in steps. Further, The detailed of this phase also mentioned in Table 5.

Table 5. Login and authentication phase of RFID.

RFID Tag ${\mathit{T}}_{\mathit{i}}$	RFID Reader ${\mathit{R}}_{\mathit{j}}$	Database Server S
Generates random value r
Computes $r_1=r\oplus (S_1\oplus S_2)$
Computes $H_1=h(I{D}_{T_i}\parallel S_1\parallel S_2)$
Computes $H_1^1=H_1\oplus S_2$
Sends $M_1=\{r_1,H_1^1,T_1\}$
$················$→	Verifies $T_2-T_1\le ▵T$
	Sends $M_2=\{r_1,H_1^1,T_3\}$
	$················$→	Verifies $T_4-T_3\le ▵T$
		Computes $H_1^{*}=H_1\oplus S_2$
		Verifies $H_1^{*}\stackrel{?}{=}{H}_1^1$
		Computes $r^{*}=r_1\oplus (S_1\oplus S_2)$
		Generates random value $r_2$
		Computes $S{K}_S=h(I{D}_S\parallel I{D}_{T_i}\parallel r^{*}\parallel$
		$r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$
		Computes $H_2=h(S_1\parallel S_2\parallel r^{*})$
		Computes $H_2^2=H_2\oplus (r^{*}\oplus S_2)$
		Computes $K_1=I{D}_{T_i}\oplus h(r^{*}\parallel S{N}_i\parallel H_1^{*})$
		Encrypts $E_1=E_{K1}(H_2^2,r_2,I{D}_S,T_5)$
		Sends $M_3=\{E_1,T_5\}$
		←$················$
	Verifies $T_6-T_5\le ▵T$
	Sends $M_4=\{M_3,T_7\}$
	←$················$
Verifies $T_8-T_7\le ▵T$
Computes $K_2=I{D}_{T_i}\oplus h(r\parallel S{N}_i\parallel H_1)$
Decrypts $(H_2^2,r_2,I{D}_S,T_5)=D_{K2}\left(E_1\right)$
Computes $H_2^{*}=H_2^2\oplus (r\oplus S_2)$
Verifies $H_2^{*}\stackrel{?}{=}{H}_2$
Computes $S{K}_T=h(I{D}_S\parallel I{D}_{T_i}\parallel r\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$

Step MA1:

$T_i$ generates random value r and computes the following values $r_1=r\oplus (S_1\oplus S_2)$, $H_1=h(I{D}_{T_i}\parallel S_1\parallel S_2)$, $H_1^1=H_1\oplus S_2$. Furthermore, $T_i$$\to R_j:M_1=\{r_1,H_1^1,T_1\}$.

Step MA2:

Upon receiving $M_1$, RFID reader $R_j$ verifies $T_2-T_1\le ▵T$ and $R_j$$\to S:M_2=\{r_1,H_1^1,T_3\}$.

Step MA3:

Upon receiving $M_2$, S verifies $T_4-T_3\le ▵T$. Then, S computes $H_1^{*}=H_1\oplus S_2$ and verifies $H_1^{*}\stackrel{?}{=}{H}_1^1$; if this condition does not hold, then it terminates the process; otherwise, S computes $r^{*}=r_1\oplus (S_1\oplus S_2)$, generates a random value $r_2$, computes the link of computations $S{K}_S=h(I{D}_S\parallel I{D}_{T_i}\parallel r^{*}\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$, $H_2=h(S_1\parallel S_2\parallel r^{*})$, $H_2^2=H_2\oplus (r^{*}\oplus S_2)$, $K_1=I{D}_{T_i}\oplus h(r^{*}\parallel S{N}_i\parallel H_1^{*})$, and encrypts $E_1=E_{K_1}(H_2^2,r_2,I{D}_S,T_5)$. Finally, $S\to R_j:M_3=\{E_1,T_5\}$.

Step MA4:

Upon receiving $M_3$, $R_j$ verifies $T_6-T_5\le ▵T$. Furthermore, $R_j\to T_i:M_4=\{M_3,T_7\}$.

Step MA5:

Upon receiving $M_4$, $T_i$ verifies $T_8-T_7\le ▵T$ and decrypts $(H_2^2,r_2,I{D}_S,T_5)=D_{K_2}\left(E_1\right)$ with the help of computed key $K_2=I{D}_{T_i}\oplus h(r\parallel S{N}_i\parallel H_1)$. Furthermore, it computes $H_2^{*}=H_2^2\oplus (r\oplus S_2)$ and verifies $H_2^{*}\stackrel{?}{=}{H}_2$. Finally, Tag sets the session key for furter communication as $S{K}_T=h(I{D}_S\parallel I{D}_{T_i}\parallel r\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$. Hence, session key agreement $SK=S{K}_T=S{K}_S$.

4. Security Analysis

The security analysis of the proposed protocol is conducted by a formal method and an informal method as follows.

4.1. Informal Security Analysis

The following is an informal security analysis of the proposed protocol.

4.1.1. Key Freshness

In the proposed protocol, the session key contains the timestamp and a freshly generated random number. Furthermore, in the authentication procedure, the timestamp and random number are distinct for each session. The uniqueness of these parameters confirms the session’s unique key. Thus, the unique key for each session confirms the key freshness property of the proposed protocol.

4.1.2. Untraceability

If a cryptographic scheme has two features, it is untraceable. $\mathcal{A}$ is unable to distinguish between users’ initial identities; $\mathcal{A}$ is unable to determine whether two distinct sessions starting at different times belong to the same user. Thus, it is intended that both properties be maintained.

4.1.3. Session Key Agreement

In the proposed scheme, the database server calculates $S{K}_S=h(I{D}_S\parallel I{D}_{T_i}\parallel r^{*}\parallel r_2\parallel S{N}_i\parallel$$S_1\parallel S_2\parallel T_5)$ and the RFID tag computes $S{K}_T=h(I{D}_S\parallel I{D}_{T_i}$$\parallel r\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$. Thus, $S{K}_S=S{K}_T$. Thus, the proposed protocol maintains the said cryptographic property.

4.1.4. Session Key Verification

The RFID tag verifies its session key in our proposed system as $H_2^{*}\stackrel{?}{=}{H}_2$, where $H_2^{*}=H_2^2\oplus (r\oplus S_2)$ and $H_2^2=H_2\oplus (r^{*}\oplus S_2)$, embedded with many secret credentials. Therefore, the proposed technique allows for the verification of session keys.

4.1.5. Scalability

In the proposed protocol for the RFID system, the RFID server S does not perform an exhaustive process to authenticate each RFID tag. The RFID server S, on the other hand, validates the RFID tag and reacts immediately to it. This increases the scalability of the proposed protocol.

4.1.6. Forward Secrecy

Given that the proposed protocol only uses symmetric key cryptography, i.e., the secure collision-resistant hash function, and we do not update the shared parameters per session, it is not possible to give this property, similar to any other protocol in this context. It should be emphasized that if the protocol employs a public key primitive, this attribute can be simply provided.

4.1.7. Traceability and Anonymity

In the proposed protocol, the exchanged messages are $M_1$ and $M_2$. In these messages, excluding $T_i$ and $T_j$, which are the timestamps and cannot be connected to any identity to trace or compromise its anonymity, the rest of the information is encrypted values or the output of the one-way hash function and from one session to another session is randomized by fresh nonce values. Hence, the exchanged messages do not reveal any information to trace the tag or server or compromise their anonymity.

4.1.8. Replay Attack

Random numbers and timestamps are common countermeasures in replay attacks. However, in the proposed protocol, both of them are present. The timestamp condition checks $T_i-T_j\le △T$, where $△T$ is the valid period, and $a,b\in Z_q^{*}$, where a, b are fresh random numbers and q is a large prime number.

4.1.9. Privileged Insider Attack

In the proposed protocol, interacting participants and a third party do not maintain any verifier repository. The authentication procedure is performed by participants using their unique secret keys. Thus, the proposed protocol resiststhe stolen verifier and insider threats.

4.1.10. Man-in-the-Middle Attack

The protocol is secure against the man-in-the-middle attack. The adversary is not successful in obtaining the key and pseudonym value. Furthermore, hash functions ensure message integrity, and timestamps control the session time; therefore, any message modification or unexpected delay by a “man-in-the-middle attack” will be detected with a high probability. In the proposed protocol, we verify conditions on both sides, $H_1^{*}\stackrel{?}{=}{H}_1$ and $H_2^{*}\stackrel{?}{=}{H}_2$. As a result, the proposed protocol is protected from the “man-in-the-middle attack”.

4.1.11. Impersonation Attack

To impersonate the RFID tag, the attacker should either perform a replay attack or generate a valid $M_1$. However, the replay attack is not feasible in this proposed protocol, and the attacker also has no chance to compute a valid $M_1$, because it does not have access to $S{K}_i$. The same logic can be applied to an impersonating server. Hence, the proposed framework is safe from impersonation attacks.

4.1.12. De-Synchronization Attack

There is no secret sharing between the RFID tags and the RFIF backend server in the proposed protocol. Furthermore, no value needs to be updated in each authentication session. Thus, our suggested protocol is resistant to the de-synchronization attack.

4.1.13. Parallel Session Attack

When an $\mathcal{A}$ reprocesses past messages in an insecure channel to compose a new request, this is known as a parallel session attack. To retrieve the key, $\mathcal{A}$ impersonates the user tag $T_i$. The secret credentials, which are used to compute the content, must be known by $\mathcal{A}$ before user $T_i$ may compute a valid login request or execute the session key. It is apparent from the preceding study that $\mathcal{A}$ is unable to obtain the session key. Hence, the proposed framework protects against the parallel session attack.

4.2. Formal Security Analysis

In this section, the random oracle model is deployed to demonstrate that the beacons exchanged in the proposed protocol are robust against any form of eavesdropping, and hence, the communicating entities can trust each other as they communicate over insecure channels.

4.2.1. Handshake Model

The handshake stage is used to exchange information and perform device synchronization amongst the participants. This is also the point at which the server takes control of the process and maintains it until the user is authenticated. At this level, the input is in the form of a classical medium, but the output is in the form of a quantum medium. The handshake stage is used to exchange information and perform device synchronization amongst the participants. This is also the point at which the server takes control of the process and maintains it until the user is authenticated. At this level, the input is in the form of a classical medium, but the output is in the form of a quantum medium. The handshake authentication model for the proposed RFID protocol shown in the Table 6.

Table 6. Challenge: handshake authentication for the RAFI.

RFID Tag ${\mathit{T}}_{\mathit{i}}$	RFID Reader ${\mathit{R}}_{\mathit{j}}$	Database Server S
Challenge
$················$→
	Challenge
	$················$→
		Response
		←$················$
	Success then
	Response
	←$················$
Success

4.2.2. Formal Security Model

The formal model for the propose framework, which is based on the random oracle model, is discussed in this section [33,34]. We made some changes to the original to make it work with the proposed framework. We employed three participants to demonstrate our proof, $T,R$, and S as the RFID tag, the RFID reader, and the database server. $I{D}_{T_i}$ is the identity of T. Similarly, $I{D}_S$ is the identity of S. $\mathbf{N}$ is the identities’ dictionary. More information about this model may be found in [35].

4.2.3. Formal Security Proof

In this part, we show the proposed framework’s formal security using a model [28] based on the random oracle model [33,34]. In this model, an adversary $\mathcal{A}$ can interact with framework entities, say $\mathsf{\Omega }$, which is a server.

Theorem 1.

Suppose that $\mathcal{A}$ is a polynomial-time attacker attempting to compromise the protocol semantic security and close to the $Q_H$ hash query, $Q_e$ execute query, $Q_s$ send query, $Ad{v}_{E_K}^{SE}\left(\mathcal{A}\right)$ is the advantage of $\mathcal{A}$, and $\left|\mathcal{D}\right|$ is the set of uniformly distributed cardinality. Thus, the advantage of $\mathcal{A}$ in the proposed protocol is given by

$$\begin{array}{c}\hfill Ad{v}_{rfid}\left(\mathcal{A}\right)\le \frac{(Q_H^2+Q_S)}{2^{L-1}}+\frac{{(Q_S+Q_E)}^2}{p}+\frac{2Q_S}{\left|\mathcal{D}\right|}+2Ad{v}_{E_K}^{SE}\left(\mathcal{A}\right)\end{array}$$

Proof. 

For the proof of this theorem, we introduce the game of series, initially with GM₀ the real attack, and stop with GM₅ where $\mathcal{A}$ has no advantage. The details of these are explained as below in GM₀ to GM₅. Further, the simulation queries based on this random oracle model are ginen in Table 7.

GM₀:

The execution of Game GM₀ is the same as the real attack in the oracle model. We have

$$\begin{array}{c}\hfill Ad{v}_{rfid}\left(\mathcal{A}\right)=|2Pr\left[Suc{c}_0\right]-1|.\end{array}$$

(1)

GM₁:

Different queries are conducted in GM₁, and the results of the queries are kept in the oracle lists, making it impossible for an attacker to distinguish between the two oracle games. As a result, we have

$$\begin{array}{c}\hfill Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right].\end{array}$$

(2)

GM₂:

The execution of GM₂ is like GM₁, except that GM₂ stops when a collision is present in the hash function and information messages. Therefore, the birth day paradox, the probability of collision in the transcript is $\frac{{(Q_S+Q_E)}^2}{2p}$ at most [36], and the success probability of secure hash function collision is at most $\frac{Q_H^2}{2^{L+1}}$. Hence, we have

$$|Pr\left[Suc{c}_2\right]-Pr\left[Suc{c}_1\right]|\le \frac{Q_H^2}{2^{L+1}}+\frac{{(Q_S+Q_E)}^2}{2p}.$$

(3)

GM₃:

The simulation of $G{M}_3$ is identical to that of $G{M}_2$, with the exception that $G{M}_3$ will be terminated if $\mathcal{A}$ guesses the verifier operations without knowing the random oracle. Until the server grid fails in a legitimate authentication request, $G{M}_3$ and the preceding game are different. As a result, we have

$$|Pr\left[Suc{c}_3\right]-Pr\left[Suc{c}_2\right]|\le \frac{Q_S}{2^L}$$

(4)

GM₄:

$G{M}_4$ is the same as $G{M}_3$, except that only the test inquiry of $G{M}_4$ stops when adversary $\mathcal{A}$ discloses a $TestID$ to obtain the real identity $I{D}_i$ or sends a query to obtain the password information. Therefore, we conclude that

$$|Pr\left[Suc{c}_5\right]-Pr\left[Suc{c}_4\right]|\le \frac{Q_S}{\left|D\right|}+Ad{v}_{E_K}^{SE}\left(\mathcal{A}\right).$$

(5)

GM₅:

The execution of $G{M}_5$ is the same as $G{M}_4$, except that only $TestSK$ of $G{M}_5$ will stop when adversary $\mathcal{A}$ publishes a secure hash inquiry with $h(I{D}_S\parallel I{D}_{T_i}\parallel r\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$, because $\mathcal{A}$ by utilizing the secure hash inquiry obtains the SK with success probability $Q_H^2/2^{L+1}$. Therefore, we have

$$|Pr\left[Suc{c}_6\right]-Pr\left[Suc{c}_5\right]|\le \frac{Q_H^2}{2^{L+1}}$$

(6)

         

Thus, $\mathcal{A}$ does not contain a favorable advantage in perceiving the actual $SK$ from an arbitrary random one without making a hash query with the true input, $Pr\left[Suc{c}_6\right]=1/2$. Adding every one of these probabilities, we can conclude that the theorem is proven.

□

Table 7. Simulation of oracles.

Simulation Queries
Hash queries $h_n\left(m\right)$, n = 0, 1, 2, 3, 4, 5. If $(m,h{v}_n)$ exists in the index list of $L_{h_n}$, the value $h{v}_n$ will be returned. Otherwise, the generated random value will be added to the index list $L_{h_n}$.
Computes $r_1=r\oplus (S_1\oplus S_2)$
Computes $H_1=h(I{D}_{T_i}{S}_1\parallel S_2)$
Computes $H_1^1=H_1\oplus S_2$
Then, it answers with $M_1=\{r_1,H_1^1,T_1\}$
For the $send(V,\{r_1,H_1^1,T_1\}$ query, the G oracle simulates the following steps:
Verifies $T_2-T_1\le ▵T$
Then, it answers with $M_2=\{r_1,H_1^1,T_3\}$
For $send(G,\{r_1,H_1^1,T_3\}$ query, the V oracle simulates the following steps:
Computes $H_1^{*}=H_1\oplus S_2$
Verifies $H_1^{*}\stackrel{?}{=}{H}_1$
Computes $r^{*}=r_1\oplus (S_1\oplus S_2)$
Generates random value $r_2$
Computes $S{K}_S=h(I{D}_S\parallel I{D}_{T_i}\parallel r^{*}\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$
Computes $H_2^2=H_2\oplus (r^{*}\oplus S_2)$
Computes $K_1=I{D}_{T_i}h(r^{*}\parallel S{N}_i\parallel H_1^{*})$
Encrypts $E_1=E_{K1}(H_2^2,r_2,I{D}_S,T_S)$
Then, it answers with $M_3=\{E_1,T_5\}$
For the $send(V,\{E_1,T_5\}$ query, the oracle simulate the following steps
Verifies $T_6-T_5\le ▵T$
Then, it answer with $M_4=\{M_3,T_7\}$
For $send(G,\{M_3,T_7\}$ query, the T oracle simulates the following steps:
Verifies $T_8-T_7\le ▵T$
Computes $K_2=I{D}_{T_i}h(r\parallel S{N}_i\parallel H_1)$
Decrypts $(H_2^2,r_2,I{D}_S,T_S)=D_{K2}\left(E_1\right)$
Computes $H_2^{*}=H_2^2\oplus (r\oplus S_2)$
Verifies $H_2^{*}\stackrel{?}{=}{H}_2$
Computes $S{K}_T=h(I{D}_S\parallel I{D}_{T_i}\parallel r\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$
For an Execute $(T^i,R^t,S^j)$ query, all Send queries are consecutively completed.
Massage $(M_1,M_2,M_3,M_4)$ is the output.
For a $Reveal\left(I^K\right)$ query, if the chance $I^K$ has been settled and provided a safe session key, output $S{K}_T$ or $S{K}_S$; otherwise, ⊥ is the response.
For a $Corrupt\left(I^K\right)$ query, all the information of $I^K$ is returned.
For a $Test\left(I^K\right)$ query, if $I^K$ is not $fresh$, return ⊥; otherwise, a coin $\gamma$ is tossed.
If $\gamma =0$, the output is a random value with length l.
If $\gamma =1$, the conclusion is the appropriate session key.

Table 7. Simulation of oracles.

Simulation Queries
Hash queries $h_n\left(m\right)$, n = 0, 1, 2, 3, 4, 5. If $(m,h{v}_n)$ exists in the index list of $L_{h_n}$, the value $h{v}_n$ will be returned. Otherwise, the generated random value will be added to the index list $L_{h_n}$.
Computes $r_1=r\oplus (S_1\oplus S_2)$
Computes $H_1=h(I{D}_{T_i}{S}_1\parallel S_2)$
Computes $H_1^1=H_1\oplus S_2$
Then, it answers with $M_1=\{r_1,H_1^1,T_1\}$
For the $send(V,\{r_1,H_1^1,T_1\}$ query, the G oracle simulates the following steps:
Verifies $T_2-T_1\le ▵T$
Then, it answers with $M_2=\{r_1,H_1^1,T_3\}$
For $send(G,\{r_1,H_1^1,T_3\}$ query, the V oracle simulates the following steps:
Computes $H_1^{*}=H_1\oplus S_2$
Verifies $H_1^{*}\stackrel{?}{=}{H}_1$
Computes $r^{*}=r_1\oplus (S_1\oplus S_2)$
Generates random value $r_2$
Computes $S{K}_S=h(I{D}_S\parallel I{D}_{T_i}\parallel r^{*}\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$
Computes $H_2^2=H_2\oplus (r^{*}\oplus S_2)$
Computes $K_1=I{D}_{T_i}h(r^{*}\parallel S{N}_i\parallel H_1^{*})$
Encrypts $E_1=E_{K1}(H_2^2,r_2,I{D}_S,T_S)$
Then, it answers with $M_3=\{E_1,T_5\}$
For the $send(V,\{E_1,T_5\}$ query, the oracle simulate the following steps
Verifies $T_6-T_5\le ▵T$
Then, it answer with $M_4=\{M_3,T_7\}$
For $send(G,\{M_3,T_7\}$ query, the T oracle simulates the following steps:
Verifies $T_8-T_7\le ▵T$
Computes $K_2=I{D}_{T_i}h(r\parallel S{N}_i\parallel H_1)$
Decrypts $(H_2^2,r_2,I{D}_S,T_S)=D_{K2}\left(E_1\right)$
Computes $H_2^{*}=H_2^2\oplus (r\oplus S_2)$
Verifies $H_2^{*}\stackrel{?}{=}{H}_2$
Computes $S{K}_T=h(I{D}_S\parallel I{D}_{T_i}\parallel r\parallel r_2\parallel S{N}_i\parallel S_1\parallel S_2\parallel T_5)$
For an Execute $(T^i,R^t,S^j)$ query, all Send queries are consecutively completed.
Massage $(M_1,M_2,M_3,M_4)$ is the output.
For a $Reveal\left(I^K\right)$ query, if the chance $I^K$ has been settled and provided a safe session key, output $S{K}_T$ or $S{K}_S$; otherwise, ⊥ is the response.
For a $Corrupt\left(I^K\right)$ query, all the information of $I^K$ is returned.
For a $Test\left(I^K\right)$ query, if $I^K$ is not $fresh$, return ⊥; otherwise, a coin $\gamma$ is tossed.
If $\gamma =0$, the output is a random value with length l.
If $\gamma =1$, the conclusion is the appropriate session key.

5. Performance Analysis

The performance analysis of the proposed framework compared to related frameworks [13,16,17,19,20,21] is given in three subsections: comparison of the security and functionality features and the computational and communication cost comparisons. The conclusion of the performance analysis demonstrates that the proposed framework has better efficiency and security in RFID communication systems.

5.1. Comparison of the Security and Functionality Features

The features that an authentication protocol is supposed to have are known as security requirements. These properties or needs must be guaranteed by every authentication protocol. The suggested protocol was compared to current protocols based on these requirements. The features/requirements examined for the comparison analysis are listed below.

In Table 8, we summarize the security properties of the proposed framework and those schemes that are available in literature [13,16,17,19,20,21]. The related schemes can be seen with different security shortcomings against various security attacks.

Table 8. Comparison security and functionality features.

Security Features	[16]	[17]	[13]	[21]	[19]	[20]	Proposed
$RAF{I}_1$	×	✓	✓	✓	✓	✓	✓
$RAF{I}_2$	×	×	✓	✓	✓	×	✓
$RAF{I}_3$	×	✓	×	✓	✓	×	✓
$RAF{I}_4$	✓	×	✓	✓	×	×	✓
$RAF{I}_5$	×	×	×	✓	×	✓	✓
$RAF{I}_6$	×	×	✓	×	×	×	✓
$RAF{I}_7$	×	×	✓	×	×	×	✓
$RAF{I}_8$	×	×	×	✓	✓	×	✓
$RAF{I}_9$	✓	✓	✓	×	×	✓	✓
$RAF{I}_{10}$	✓	×	✓	✓	✓	✓	✓
$RAF{I}_{11}$	×	×	×	✓	✓	×	✓
$RAF{I}_{12}$	✓	×	×	×	✓	×	✓
$RAF{I}_{13}$	×	✓	✓	✓	✓	×	✓
$RAF{I}_{14}$	×	×	×	✓	×	✓	✓
$RAF{I}_{15}$	×	×	×	✓	✓	×	✓

Note ⇒ ×: not secure against the attack; ✓: secure against the attack; “RAFI₁: mutual authentication; RAFI₂: tag untraceability; RAFI₃: tag anonymity; RAFI₄: backward/forward secrecy; RAFI₅: scalability; RAFI₆: collision attacks; RAFI₇: dos attacks; RAFI₈: replay attacks; RAFI₉: stolen verifier attacks; RAFI₁₀: de-synchronization attacks; RAFI₁₁: man-in-the-middle attack; RAFI₁₂: impersonation attack; RAFI₁₃: message authentication; RAFI₁₄: data confidentiality; RAFI₁₅: insider attack”.

5.2. Comparison of the Computational Cost

We calculated the computational cost of the RAFI and compared it to other frameworks [13,16,17,19,20,21], which is illustrated in Table 9. The computation time of the execution of hash operation ($T_h$) was 0.0023 ms, while the computation time of the execution of the encryption and decryption ($T_{E/D}$) was 0.0046 ms. The experiment was conducted on an Ubuntu system with a 2.20 GHz Intel dual-core Pentium CPU with a 2048 MB processor and RAM [20,37].

Table 9. Comparison of the computational cost.

	Tag	Reader	Server	Total Operations	Execution Cost (ms)
[16]	$2\ast T_h$	$2\ast T_h$	3$\ast T_h$	$4\ast T_h$	0.0161
[17]	$4\ast T_h$	$2\ast T_h$	$6\ast T_h$	$12\ast T_h$	0.0276
[13]	3$\ast T_h$	$2\ast T_h$	$5\ast T_h$	$10\ast T_h$	0.023
[21]	$5\ast T_h$	$2\ast T_h$	$7\ast T_h$	$14\ast T_h$	0.0322
[19]	$2\ast T_h$	$2\ast T_h$	$4\ast T_h$	$8\ast T_h$	0.0184
[20]	$2\ast T_h$	$2\ast T_h$	$4\ast T_h+2\ast T_{E/D}$	$8\ast T_h+2\ast T_{E/D}$	0.0276
Proposed	$2\ast T_h+T_{E/D}$	−	$2\ast T_h+T_{E/D}$	$4\ast T_h+2\ast T_{E/D}$	0.0184

The protocol presented in [16] incurred 2$T_h$, 2$T_h$, and 3$T_h$ for each RFID tag, RFID reader, and database server, respectively, and the total computational cost in their protocol was 4$T_h\approx 0.0161$. In the same way, the protocols’ computational cost was provided in [17] to be 4$T_h$, 2$T_h$, and 6$T_h$ for each RFID tag, RFID reader, and database server, respectively, for each participant, totaling 12$T_h\approx 0.0276$. The computational cost presented in [13] was 3$T_h$, 2$T_h$, and 5$T_h$ for each participant, totaling 10$T_h\approx 0.023$. The computational cost in [21] was 5$T_h$ for the RFID tag, 2$T_h$ for the reader, and 7$T_h$ for the database serve; therefore, the total computational cost in their framework was 14$T_h\approx 0.0322$. The computational cost in [19] for the RFID tag was 2$T_h$, for the RFID reader was 2$T_h$, and for the database server was 4$T_h$; therefore, the total computational cost in their framework was 8$T_h\approx 0.0184$. The protocol presented in [20] required 2$T_h$, 2$T_h$, and 4$T_h+2T_{E/D}$ for each RFID tag, RFID reader, and database server, respectively, and its total computational cost was 8$T_h+2T_{E/D}\approx 0.0276$.

Furthermore, we computed the computational cost of the proposed framework, which required $2T_h+T_{E/D}$ for the RFID tag and for the database side $2T_h+T_{E/D}$; thus, the total computational cost of the operations of the proposed framework was $4T_h+2T_{E/D}\approx 0.0184$. The results based on the comparison given in Table 9 are also visualized in Figure 2.

Figure 2. Comparison of the computational cost.

5.3. Communication Cost Comparison

In Table 10, we compute the communication cost of our proposed protocol and other existing protocols [13,16,17,19,20,21]. After that, in Figure 3, we compare the communication costs of the proposed framework to those of different frameworks in the same environment. This demonstrates that the suggested framework has less communication cost than alternative frameworks [13,16,17,19,20,21]. Furthermore, we computed the communication cost of every framework as under a random number, timestamp, and identity taking 64 bits. Here, we used 160 bits for the hash function message digest (SHA-1) and 256 bits for symmetric key encryption/decryption (AES-256).

Table 10. Communication cost comparison with relevant frameworks.

	Communication Costs in Bits	No. of Messages
[16]	2432	4
[17]	1056	5
[13]	1280	5
[21]	1408	4
[19]	896	4
[20]	1792	4
Proposed	832	4

Figure 3. Comparison of the computation cost.

5.4. Conclusions

In this paper, we proposed a unique hash-based lightweight authentication framework for IoT-based RFID communication environments, after a thorough examination of the various types of RFID authentication and key agreement protocols and their benefits and drawbacks. For secure authentication between valid participants, the protocol uses a hash function and the XoR operations mechanism. We were able to minimize the computational cost of the authentication process by using this technique. When we compared it to other current protocols, our proposed protocol provided improved security while consuming less communication, computational, and storage resources. In the future, the suggested framework could be used in IoT applications such as medical privacy protection, the Internet of Vehicles (IoV), smart city environments, and healthcare systems.