A New Secure RFID Anti-Counterfeiting and Anti-Theft Scheme for Merchandise

: Counterfeiting and theft have always been problems that incur high costs and result in considerable losses for international markets. In this research paper, we address the issue of counterfeiting while using radio frequency identiﬁcation RFID technology in retail systems or other industries by presenting a new anti-counterfeiting and anti-theft system for the retail market. This system addresses the two abovementioned issues and provides a solution that can save retail systems millions of dollars yearly. The proposed system achieves the objective of preventing or minimising the counterfeiting and theft of tagged products. At the same time, it provides a strong indication of suspiciously sold or obtained items. Furthermore, we conducted a security analysis to prove the correctness of our protocol on the basis of the strand spaces.


Introduction
Counterfeiting is one of the major problems affecting merchandising and retailing systems worldwide. According to a Grand View research report, the counterfeiting industry has cost US manufacturers more than USD 200 billion over the past two decades [1,2]. Although many researchers have adopted radio frequency identification RFID technology instead of barcode technology to address the counterfeiting problem, the problem continues to plague this industry. RFID is a reliable technology that can address many security issues, including counterfeiting and cloning. A number of researchers have proposed several methods to address these problems. Some of these methods are track-and-trace methods or Physical Unclonable Function (PUF) -based methods. However, most of the existing methods do not provide a sufficiently integrated picture to address counterfeiting and theft problems. Here, we propose a new anti-counterfeiting and anti-theft scheme for retail systems, which prevents the counterfeiting of the RFID tags attached to the products. The proposed protocol also addresses other security aspects such as authentication and confidentiality. The proposed scheme establishes strong authentication by using shared secrets, the XOR function, and randomly generated numbers, as it needs to establish trust before exchanging the tags' information to identify these tags and determine whether the products are counterfeit or not. The communication between readers and tags is processed with wireless RF. signals in an RFID tag; therefore, eavesdroppers may listen to the communication to obtain the secret. Moreover, a tag's memory can be read in the absence of access control; the proposed protocol also addresses this variability issue. RFID systems can be composed of frequency jamming, denial-of service (DOS) attacks, or RFID blocking, as well as exploiting tag signalling anti-collision USD 512 billion yearly loss in global sales. US companies also lose between USD 200 billion and USD 250 billion every year [4,5]. In addition, 2.5 million jobs have been lost as a result of fake products. Furthermore, a significant number of injuries and deaths have occurred because of counterfeit materials, such as fake pharmaceutical medicines [6][7][8]. As a result, many anti-counterfeiting techniques or solutions have been proposed, such as barcodes and RFID tags.

RFID Counterfeiting Definition
RFID tag counterfeiting can be defined as creating a replica of a tag by either replicating the hardware component of a tag or by copying its software in such a way that the genuine reader, database, or users would not know the difference between the genuine tag and the replicated one.

Our Previous Work
Previously, in Reference [8], we compared the available methods which are used to address RFID counterfeiting. We also showed results of the comparison between the available techniques, such as physical [9,10] or PUF [11], track and trace [12], distance bounding [13,14] and cryptography [15] in relation to cost, adaptability and security. In Reference [16] and Reference [17], the authors presented a new method to manage RFID tags in the supply chain and to prevent tags and goods from being counterfeited by using a new protocol called the Matryoshka protocol. This protocol is a new method for managing RFID tags that reduces the reads to a minimum to achieve better security and privacy results. This was not the first work which the authors produced in the field of RFID tag security as they had previously researched the topic and proposed a secure method of authentication in Reference [18][19][20] and Reference [21]. In addition, we proposed a framework to prevent counterfeiting in Reference [3]; this was not the first work of its kind as recent system proposed by Reference [15] consists of a tag authentication protocol, which has four key players: the RFID tag, the reader, the server and the seller; and the database correction protocol, which has two players: the seller and the server. The first protocol authenticates the tags without revealing their sensitive information and allows the customer to inquire whether the tag is genuine or not; while the database correction protocol guarantees the correctness of the tag status. The tag authentication protocol determines whether a product is genuine by using t-id and the random number R1. The authors also used a cryptographic one-way function F to share the secret S which is known by the legit tag. With respect to their security analysis, the authors assumed that there would be two major goals for the potential adversary: the first was to counterfeit tags by stealing the secret information of the tags, and the second was to corrupt the system functionality by attacking the server database. Both of them can be intercepted and protected against by the tag authentication protocol and the database correction protocol. In contrast, in the case of RFID tag counterfeiting, the adversary must know the secret (S) corresponding to the tag t-id, as this S is at least 128 bits in length, which satisfies the key size requirement according to ECRYPT II NIST, which enables the adversary to brute force a search to figure out S, according to the authors in Reference [22].

Other Anti-Counterfeiting Proposed Schemes
Cheung [23] also proposed a two-layer RFID-based track-and-trace anti-counterfeiting system: the front-end RFID-enabled layer is for tag programming and product data acquisition, and the back-end anti-counterfeiting layer is for processing product pedigree and authentication for high-end bottled products, such as brandy and MouTai wine. The back-end layer consists of a set of system servers that enforce a track-and-trace anti-counterfeiting information server to collect the company's information from the Sc, an authentication server to verify the transaction records, a pedigree server to generate the complete pedigree for the products through the Internet and the mobile network, and a record server to store the screened records. At the same time, the products are identified by the embedded RFID tags which have a unique tag identification number (ID) that is used to form the transaction record, which will be later verified by the authentication server to detect suspicious activities while the supply chain partners verify the partial product pedigree from the pedigree server. However, the system faces a couple of implementation issues in RFID-based track-and-trace anti-counterfeiting, such as partial tag programming; this is data loss when the tag moving speed is too fast, which leads to an incomplete information write on the tag, as it stays for such a short period of time. Other implementation issues, such as a duplication error, might occur when a unique number is programmed into two or more tags, which hamper the subsequent product authentication. A case study was also conducted to examine the implementation problems; it revealed that the use of a C1G2 UHF RFID reader for tag programming was possible by designing an Electronic Product Code (EPC) numbering scheme for the product identifier and the implementation for tag programming. Earlier, in Reference [24], the researchers proposed a feasible security mechanism for anti-counterfeiting and privacy protection, which featured mutual two-pass authentication and used a hash function as well as an XOR operation to enhance the RFID tag's security. Although the protocol can be described as a low-cost protocol which deals with low-cost RFID tags, the protocol requires the system to store the authorised reader IDs, which might lead to further security complications. In Reference [25], the authors discussed an RFID anti-counterfeiting system for liquor products on the basis of RFID and two-dimensional barcode technologies. Furthermore, in Reference [26], the authors presented an anti-counterfeiting system for agricultural production based on five phases, which can be divided into the design of readers, tags, and the data management system. These phases are the production phase, process phase, transportation phase, storage phase, and sales phase. The idea is basic; it deals with each phase independently, yet the design needs more elaboration to clearly identify the scenarios of the anti-counterfeiting solution. In Reference [27], the authors presented a track-and-trace system for RFID-based anti-counterfeiting for pharmaceutical drugs and wine products, as they caused huge losses in revenue to genuine companies. However, some enterprises used packaging technologies such as holograms, barcodes, security inks, chemical markers, and radio frequency identification (RFID) systems. In addition, some work was done in off-the-shelf passive RFID tags in Reference [28] and Reference [29], then in Reference [30], the researchers designed a crowd monitoring approach using a mobile phone for crowd detection which adopted clustering methods and implemented the design on off-the-shelf smartphones. Furthermore, in Reference [31], the authors modified an ownership transfer protocol proposed by Kapoor and Piramuthu in Reference [32]. They could detect the counterfeit and track and trace the products in the supply chain. The suggested protocol had three phases to operate: the product delivery phase, the product takeover phase and the product sale phase. However, the researchers did not show exactly how the system was secure against all the security attacks although they claimed that their protocol protects against all types of security attacks (see Table 1).

System Set-Up
Before we go through the system, we first assume that the tagged items are in a retail store and have not been compromised, as they have all been stored in a secure environment. We also assume the following: • The product always has two tags: one attached to the product itself, and the other attached with the warranty card; • The tag issuer is the product manufacturer who feeds the system with t-id; • The product manufacturer also feeds the anti-counterfeiting server (AC) with the warranty card ID Wt-id; • The product service hub (PSH), see Table 2, which is an intermediate server connected to both the AC and the anti-theft (AT) servers, is accessible by any reader with a correct user-id to prevent the use of unauthorised or malicious applications. The reader is a device used by the customer or any Supply Chain (SC) entity and can be a smartphone with the authentication protocol downloaded from the PSH; only readers with this application can check and verify whether the product is genuine; • Every time the buyer, customer, seller, distributor or any SC entity downloads the application from the PSH, the AT server issues an application ID to the downloader; • If the application ID is not correct, the PSH responds 'not correct application' and terminates; • The AC responds with Ok to the PSH once the product is verified using the authentication method which we discuss later; • The reader must read both tags simultaneously, otherwise, the read is incorrect or missing. In case of missing read, the PSH checks with the AT server whether the reader has an existing owner ID and application ID database, and if the tag ID is correct, it responds with OK to the PSH; • If the AC did not respond or responds incorrectly to the PSH, the PSH responds with 'not genuine product' (NGP), indicating that the product is not genuine; • If both the AC and the AT server respond with OK to the PSH, the PSH responds with OK and the AT server issues a new owner record; • If there is no warranty card tag ID and no existing owner number, the PSH provides the response 'invalid' and report the application ID for checking; • Every two tags for the same product have the same secret stored in the tags (S).

System Flow
Now, we consider a seller/buyer case were each RFID tag attached to the product stores a unique t-id and the corresponding secret S as well as the item number Q. The reader is a device used by the customer such as a mobile phone with a genuine user ID user-id and authentication software, which is downloaded from the PSH. The Wt-id is a unique tag ID for the warranty card which can be found on the labels, boxes or warranty cards of the products; the same reader must read both t-id and Wt-id simultaneously in order to authenticate the product, as we discuss later in this paper. If the products are very small and numerous, such as is the case where many products share one box, we might also use the Matryoshka protocol. The product manufacturer is the tag issuer for both the product tags and the warranty card tags. It feeds the data of the tags to the AC server which provides authentication and confidentiality to the scheme. The entities of the database are t-id, Wt-id, S and user-id, as well as the product serial number Q. In contrast, the AT server is fed by the supplier or the retailers, as they need to provide their consent to store the buyers' records and information in their database, which the manufacturer cannot do easily.

Anti-Counterfeiting (AC) Server Process
The elements which play a role in this process are t-id, user-id, Wt-id, Q, the secret S and the reader secret w or w −1 .
• Step 1: the reader first downloads the software or application from the PSH site. The PSH in return issues a user-id for the buyer, including his name, his address and maybe his apple store or android ID (to obtain more security) depending on the operating system he uses (particularly when using his mobile phone), which is stored later in the AT server. The buyer can use this application to make an enquiry about a certain product in the retail store, for example, by scanning a barcode or entering the product serial number Q and sending it to the PSH through the software downloaded earlier. The reader initiates the protocol by sending Q to the reader, see Figure 1; • Step 2: in this step, once Q is received, the PSH generates a w or a reader secret. This happens each time the reader has a request. Then, the PSH stores the w in the AC server. The PSH also verifies w from Table 3 and calculate RE from Equation (1) by generating a random number R1 and XOR-ing Q, R1 and S, before sending the results to the reader; • Step 3: the reader forwards RE to the tags attached to the product and the warranty card. Then, the tags solve RE, determine R1 and calculate A and B. Then, the tags respond to the reader with A and B from Equations (2) and (3), as shown in Figure 2; • Step 4: once A and B have been received by the reader, the reader generates the random number R2 then calculate RF, Q and create C and D from Equations (4)- (7). Then, the reader sends C,D to PSH; • Step 5: in this step, the PSH determines the user-id and the secret S, if the user-id and S are correct, it continues. If not, it terminates, then it contacts the AC server via a secure channel to determine the database of the t-id as well as the wt-ID in the record with Q, see the Table 3; The PSH gets R2 from Equation (8) then checks if Q= Q ⊕ w ⊕ R2 or Q= Q ⊕ w − 1 ⊕ R2 and if it is true, then it extracts C and D then check if t − id = A ⊕ R1 ⊕ S and if Wt-id=B ⊕ R1 ⊕ S, again if true, the PSH determines the N value from Table 4.
If all the elements t-id, Wt-id and S match the record, then it responds with OK signifying that the product is genuine to the PSH; if the t-id or the secret S is not correct, the server responds NGP signifying that the product is not genuine. If the tw − id is missing or 0, the PSH replies Mt or tag missing. Then, it calculates E and F from Equations (9) and (10) and generate a new w before updating w(−1) with w and sending E and F to the reader; • Step 6: in this step, the reader checks if user-id= F ⊕ R2, and if N= E ⊕ w ⊕ user − id, then it updates the w.

Anti-Theft Server AT Process
The system can provide a feature to determine whether the product which is subject to investigation is stolen or not. The PSH and the AT server are the main players in this process after the AC server has responded with OK. A case whereby the buyers check if the product is genuine and want to buy it from the legal retailer or seller is called the 'theft-check use case'. The seller generates a NO-ID for the new owner and changes the existing ownership of the product by sending t-id, Wt-id and NO-ID to PSH which is in turn forwarded to the AT for updating. Therefore, in the AT database, the record is saved, as in Table 5 below: Table 5. Anti-theft (AT) server records.

Record Number Tag ID Warranty Tag ID New Owner ID Existing Owner ID
Now, if we assume that the AT server has received a request from PSH to identify if the product is stolen or not; usually, this process is conducted once the AC server has responded with OK. Then, the AT server requests the EX-ID from the PSH which in turn requests it from the user; the user must then submit a valid EX-ID to the PSH. Once the AT server has received a valid EX-ID from the PSH, it compares it to the record to see if it has the same t-id and Wt-id. If it does, then the AT responds with OK. If the EX-ID does not match with the t-id and Wt-id, then the AT responds with 'suspected item'. The seller has to submit a valid EX-ID or a new owner ID in order to declare the product genuine otherwise it will be flagged as a 'suspected item'. When a selling operation occurs, the genuine existing owner has to provide the seller with an owner ID for the product in order to finalise the selling operation; this enables the new owner to obtain a new owner ID. If this does not happen, the selling operation cannot be completed and the old owner can still claim ownership of the product. However, the genuine buyer still has the paperwork in order to stop the old owner claiming ownership, or, in worst case scenario, to have proof if the new owner forgets to obtain the existing owner ID or does not change the ownership of the product to the new owner ID. In other words, both the new owner ID and the existing owner ID provide a genuine ownership claim for the genuine owner who is requesting the AT server for the product; this provides flexibility and also helps trace the product to the previous owner, which helps in cases where the buyer wants to return the product or there is a warranty issue that forces the buyer to return the product.

Security Analysis
In order to test that our protocol Anti-Counterfeiting protocol (ACP) is correct and resistant to attacks, we started analysing it using a formal security method based on the strand and strand space technique [33][34][35][36]. The strand is a finite sequence of transmissions and receptions, or a sequence of events representing executions performed by a legitimate party or by a penetrator. The strand space is a collection of strands generated by casual interactions occurring. We suppose that PSH has executed the first node of a session by sending RE to the the reader which forwards it to the tags. Does the PSH guarantee that an adversary would never be able to replicate or repeat RF by listening to previous rounds? If RE lacks randomness, it would allow an adversary to generate or replicate RE from listening to previous rounds between the reader and the tags or between the PSH and the reader. However, this is not the case in this protocol since RE contains R1 which is a random number generated by the PSH which makes RE unique. Even if the penetrator was able to find the values of Q and RE, he would not be able to discover the randomly generated value of R1 or compromise the secret S since our protocol requires an initiator AA to generate a fresh symmetric key R1 then store it in the value of RE for the responder BB, which is in this case the reader, and the other responders CC1 and CC2 which represent the tags [33]. The responder BB waits for the message A and B, which have to contain the secret S.

AA's Point of View-The Nonce Test and Checking the Secrecy of R1
Proposition 1. Principle 1.1 (the nonce test). Suppose that R1 is unique, and R1 is found in some rounds in the skeleton AA at the node n 1 . Moreover, suppose that, in the message of n 1 , R1 is found outside all of a number of encrypted forms the term RE 1 , and so in any enrichment of BB of AA. such as BB is a possible execution, either: (1) One of the matching decryption keys S is disclosed before n 1 occurs, so that t-id could be extracted by the adversary; or else (2) some regular strand contains a node m 1 in which R1 is transmitted outside RE; however in all previous nodes m 0 = > + m 1 , so R1 was found only with this encryption and m 1 occurs before n 1 . By saying that R1 can be obtained or extracted from the XORed forms then the adversary can do so, as in the first example above, or else some regular strand has done so (the second example above). Case 1 was excluded by the assumption S can be defined as nonoriginating (non). The protocol in Figure 3 does not appoint any instance of the behaviour described in Case 2. Proof of Proposition 1.
We start by exploring AA's point of view by assuming that AA was active in a session of ACP and ask if there was any other behaviour which has occurred during the session. Exploring the behavioural activity from the AA point of view is essential for analysing the protocol as it tells us which behaviour must have occurred in the system. We suppose that the initiator AA has executed the first node of a session, transmitting the secret R1 within the message RE. Does AA guarantee that an adversary can never obtain the value of the secret random number R1? The answer is no in at least two cases.
1. When the secret generator lacks randomness then an adversary may generate the key and test which one was sent. Otherwise, the way R1 was chosen may suggest that it is fresh and not guessable 'uniquely originating' for such a R1. This is not the case in ACP since the value of R1 was XORed with a value that contained the secret S in RE; 2. When the value of RE is compromised, the adversary can then extract the values of S, then also extract R1. It is not important if CC1 or CC2 are dishonest or whether the CC's secret S has been compromised. In both cases, CC's secret has been used in a way that is not stipulated in the protocol definition. All local behaviour divides into a strand of the protocol called a regular strand and an adversary behaviour. Therefore, the principle AA is regular only if its secret key is used in regular strand.
The minimal principle states that in any execution, if a set of transmission EE and reception nodes are not empty in any given execution, then EE has the earliest member. We call this the uncompromised key nonoriginating or 'non'. Because of AA 0 , there is a node in which R1 appears without encryption; however, according to the minimal principle, there is no earliest point which R1 appears outside of cryptography protection RE. The adversary could use S, via the adversary decryption; however, the assumption that S belongs to 'non' excludes that. If the adversary was able to reoriginate the same R1 by chance, then the reorigination would be an earliest unprotected transmission by RE.
The assumption that R1 is unique excludes this. Thus, the earliest transmission of R1 outside the form RE lies in a regular strand of our protocol. Therefore, since R1 is unique, it is impossible for the adversary to compromise the tags. When we examine Figure 4, we notice that the key is received by a participant only on the first node of a responder strand. While BB forwards it to CC after XORing it in RE, and since the step is executed instantly, there is no risk that the adversary or listener node between AA and CC can repeat this message to CC1 and CC2 to obtain the response A and B. However, if the adversary was able to do so, he would not be able to mutate the correct RF. This would lead to the discovery of the attempt, the operation would be held and the secret random number R1 would not be in danger. Which means that AA 0 is a dead end or a dead skeleton.

AA's Point of View-The Encryption Test Checking the Secrecy of t-id
Proposition 2. Principle 1.2 ( the encryption test ). Suppose that t-id is found in some message received in a skeleton BB at a node n 1 . Then, in any enrichment CC of BB such that CC is a possible execution, either: (1) The encryption key S is disclosed before n1 occurs, so that the adversary could construct t s ; or else (2) a regular strand contains a node m1 in which t-id is transmitted, but no earlier node m 0 => + m 1 contains t-id, and m1 occurs before n1. When applying Principle 1.2 to construct skeletons BB1, BB2, using the instance t= S, the aforementioned first example yields BB1 and the second example yields BB2 . The node n1 is the later (reception) node of BB, see Figure 4.

Proof of Proposition 2.
Suppose that an initiator has executed a local session of its role in the protocol. What forms are possible for execution as a whole behaviour? To answer this question, we assume that t 0 = A and B, then we analyse the transmission. Since CC transmits A and B, the first node requires no explanation. The second node, through the BB reception of A and B, requires an explanation, i.e., where did A and B came from? To make it easy, we only discuss A since the same case scenario applies for B. (1) Is it possible that R1 is disclosed to the adversary and he might have used it to prepare the message A? We can test this by adding a listener node to witness the disclosure of the encryption random number R1.
(2) We may add a strand of the protocol, including a node that transmits A, this must be the second node of a responder strand. However, what values are possible for other parameters of the strand? This leads us to BB 2 , since we excluded BB 1 which must be a deadend because it is an enrichment of CC 0 . The BB 2 has an unexplained node, the upper-right node n D receiving A. If we apply principle 1.1, the value R1 is only observed in t 0 , and is now received on n D in a different form. Since S belongs to the 'non' category, the first example does not apply, so we must have a regular strand that receives R1 only with encrypted form t 0 and retransmits it outside of t 0 . However, in analysing CC 0 , we have already seen that the protocol has no strand, which leads us to a single case of BB 2 that is similar to BB 1 , so that any execution compatible with BB must contain at least the behaviour shown in BB 2 1 5.3. CC's Point of View-The Authentication Guarantee Test Checking the Secrecy of S Proposition 3. Principle 1.3 (the CC's authentication guarantee test). Suppose that S is unique, and S is found in some rounds in the skeleton AA at the node n 1 . Moreover, suppose that, in the message of n 1 ,S is found outside all of a number of encrypted forms in the term A 1 , so in any enrichment of CC of AA . Such as CC is a possible execution, either: (1) one of the matching decryption keys S is disclosed before n 1 occurs, so that S could be extracted by the adversary; or else (2) some regular strand contains a node m 1 in which S is transmitted outside A, but in all previous nodes , S was found only with this encryption and m 1 occurs before n 1 . By saying that if S can be obtained or extracted from the XORed forms then the adversary can do so 'Case one' or else some regular strand has done so (Case 2). Case 1 was excluded by the assumption S belongs to non. Proof of Proposition 3.
We start by exploring CC's point of view by assuming that CC was active in a session of ACP and ask if there was any other behaviour which occurred during the session. Exploring the behaviour activity from the CC point of view is essential for analysing the protocol as it tells us which behaviour must have occurred in the system. We suppose that the initiator CC has executed the first node of a session, transmitting the secret S within the message A or B. Does CC guarantee that an adversary can never obtain the value of the secret S? the answer is no in at least two cases. (1) When the secret generator lacks randomness, so an adversary may generate the key and test which one was sent. Otherwise the way S was chosen may suggest that it is fresh and not guessable or 'uniquely originating' for such an S. This is not the case in ACP since the value of S was XORed with a value that contains a random number R1 in A and B. (2) When the value of CC1 or CC2 is compromised, the adversary can then extract the values of R1, t-id,Wt-id then also extract S.
We notice that CC sends S to BB after XORing it in A and B. Because the step is executed instantly, there is no risk that the adversary or the listener node between CC and BB can repeat this message to CC to obtain the response A and B. However, if the adversary was able to do so, he would not be able to mutate the correct A. This would lead to the discovery of the attempt, the operation would be held and the disclosure of the secret S would not be in danger. This means that CC 0 is a deadend or a dead skeleton.

Conclusions
Counterfeiting and theft have always been problems that incur considerable losses for international trading markets. However, not a lot of work has been done to address these problems. Here, we present a new scheme for retail markets that addresses these two issues and provides a solution that can save retailers millions of dollars every year. We applied a formal security analysis based on strand space (see Section 5) in order to prove that our scheme is secure and immune against known attacks, and provides authentication and confidentiality. There is no practical implementation for the proposed scheme yet, but we plan to do that in the near future. We also plan to add benchmarks of results to show the improvement or novelty of our proposed method compared to other proposed schemes.