2327-4662 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2017.2757918, IEEE Internet of Things Journal

IEEE INTERNET OF THINGS JOURNAL, VOL. 0, NO. 0, JULY 2017

Dynamic Authentication Protocol Using Self-powered Timers for Passive Internet of Things

M. H. Afifi, Student Member, IEEE, Liang Zhou, Student Member, IEEE, Shantanu Chakrabartty, Senior Member, IEEE and Jian Ren, Senior Member, IEEE

Abstract—Passive Internet of Things (IoT) like radio frequency identification (RFID) tags can be used to offer a wide range of services such as object tracking or classification, marking ownership, noting boundaries, and indicating identities. While the communication link between a reader of the tag and the authentication server is generally assumed to be secure, the communication link between the reader and participating tags is mostly vulnerable to malicious acts. Many authentication protocols have been proposed in the literature; however, they either are vulnerable to certain types of attacks or require a prohibitively large amount of computational resources to be implemented on a passive tag. In this work we present variants of a novel authentication protocol that can overcome the security flaws of previous protocols while being well suited to the computational capability of the tags. At the core of the proposed approach is our recently demonstrated self-powered timing devices that can be used for robust time-keeping and synchronization without the need for any external powering. The outputs of the timers are processed using a single hash function on the tag to produce tokens that continuously change with time, while being synchronized to tokens generated by the authentication server. The proposed protocol also incorporates margins of tolerance that make the authentication process robust to any deviations in the timer responses due to fabrication artifacts.

Index Terms—Internet of Things, dynamic authentication, low-cost and passive tags, self-powered timers.

This work was supported in part by research grants from the National Science Foundation (CNS:1525476, ECCS:1550096) and by research contracts from Semiconductor Research Corporation (Contract 2015-TS-2639 and Contract 2015-TS-2640).

M. H. Afifi and Jian Ren are with the Department of Electrical and Computer Engineering, Michigan State University, MI 48824-1226, Email: {afifi, renjian}@msu.edu.

Liang Zhou and Shantanu Chakrabartty are with the Department of Electrical and Systems Engineering, Washington University in St. Louis, St. Louis, MO, U.S.A. {liang.zhou, shantanu}@wustl.edu.

Copyright (c) 2012 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to [email protected].

I. INTRODUCTION

An infrastructure of Internet-of-Things (IoT) consisting of servers, readers and tags provides connectivity between systems and devices, thus enabling a vast range of applications such as smart homes, wearables, retail, health-care, automotive and agriculture [1]–[5]. At the core of this infrastructure are tags (for example RFID tags), which are generally responsible for data collection or exchange with readers that are connected to a server. As these tags operate in an insecure and shared environment, the unprotected communications between tags and readers over a wireless channel can disclose the data collected by the tags and their locations. This raises serious concerns about security of participating tags and makes them susceptible to different security attacks [6]–[8].

Denial-of-Service (DoS) attacks are attacks in which an attacker forces tags to malfunction by disturbing or blocking the communication sessions between tags and readers. In tag impersonation, an attacker can intercept sessions between a target tag and the reader by eavesdropping on the open wireless channel. Based on the intercepted sessions, the attacker can impersonate the tag without knowing its secret. It could communicate with readers instead of the tag to get the authentication from the back-end server. In replay attacks, an attacker reuses communications from previous sessions to perform a successful authentication between a tag and the back-end server. De-synchronization attacks are used by an attacker to update the values in only one part of the network, either the tag or the reader. In such attacks, the tag and the reader can no longer synchronously update their secrets. This makes future authentication impossible and in turn prevents proper functioning of the tag. While the described attacks do not require the attacker to compromise a target tag, there are stronger attacks that result from an attacker's physical possession of a target tag. In backward traceability, given the internal state of a target tag at time $t$, the attacker is able to identify the tag's sessions that occurred at a time $t_i < t$ [9]. That is, knowledge of a tag's current state could help identify the tag's past sessions, which may allow tracking of the tag's past behavior. On the other hand, in forward traceability a tag's state at time $t$ can help to identify tag sessions that occur at a time $t_i > t$. That is, knowledge of a tag's current state could help identify the tag's future sessions.

In order to tackle these concerns, it is essential to use secure cryptographic protocols to guarantee the security of tags and their data. However, tags used in such systems are generally passive, i.e., they typically do not possess an on-board source of power. Instead, they gain power by harvesting energy from the reader. This limited power availability severely constrains the computing resources of the tag as well as its storage resources. As a result of these limitations, it is extremely challenging to design a secure cryptographic protocol that provides security while efficiently utilizing the available resources. Therefore, to solve the security problems of the system, many lightweight authentication protocols have been proposed in recent years. Because the one-way hash function is difficult to invert, it turns out to be the best candidate for most of these authentication protocols. Although some of these protocols are implementable by the resource constrained


system, most of them have serious security problems.

An authentication protocol basically defines a set of communications and computations performed between tag, reader and back-end server. While the basic requirement of an authentication protocol is to authorize a tag if its ID is recognizable by the back-end database and to reject it otherwise, the designed authentication protocol is also required to follow some guidelines to prevent different types of security attacks such as those described above. These guidelines are to: (1) provide dynamic responses to reader queries to avoid traceability attacks, so that a current session intercepted by the attacker enables him to identify neither the tag's past nor its future sessions, (2) guarantee that the sessions intercepted by the attacker do not qualify him to further be authenticated as a legitimate tag, to avoid tag impersonation and replay attacks, and (3) maintain the same shared secret key between the reader and the tag throughout the life-time of the tag to avoid de-synchronization attacks. An IoT system is assumed to be secure if it can consistently follow these guidelines to overcome different attacks on security.

In this paper we propose an authentication protocol that guarantees a customizable level of security of tags and their data. More specifically, the proposed protocol utilizes a set of self-powered timers, reported in [10], to perform authentication. The timers provide a mechanism to achieve temporal synchronization between two passive devices without the need for any external powering or clocks. As a result the timers could be used to implement dynamic SecureID type authentication involving random keys and tokens that need to be periodically generated and synchronized [11]. To authenticate any given tag, values of these timers are compared to a gold standard tag at the reader's side. These values are dynamic in that they are periodically updated. Synchronization between the tag and the legitimate reader is efficiently maintained by the timer design and the underlying reliable timer model. While the values from timers at the tag side would not perfectly match values of the gold standard due to measurement and fabrication artifacts, we tolerate an error margin in a more robust and customizable version of the proposed authentication protocol. The threshold of this margin is customized and predetermined based on the deterioration rate of the fabricated models. We also provide a comparison of our protocol with other existing protocols in terms of security, cost and performance.

The rest of this paper is organized as follows. In Section II, we conduct a qualitative analysis of the existing tag authentication protocols. In Section III, preliminaries are introduced. Two versions of our proposed authentication protocol are proposed in Section IV. Section V demonstrates the security and performance analysis. Design considerations are also provided in Section VI. We finally conclude in Section VII.

II. RELATED WORK

In order to protect IoT systems from different attacks, many authentication protocols and strategies have been proposed to meet different security requirements. All authentication protocols typically aim to protect the tag's security while minimizing the impact on the available limited resources. In this section, to get an idea of how they overcome different attacks, we provide an overview of these authentication protocols. We briefly discuss the design model for each protocol, and analyze their limitations.

In a first attempt to achieve authentication between tag and reader, the Hash-Lock protocol was proposed in [12]. To achieve privacy, instead of using the tag's ID, this protocol uses the pseudonym of the tag, metaID. However, since eventually the secret key and the ID are sent in plain-text, an attacker can eavesdrop on the key and the tag can later be impersonated. Therefore Hash-Lock is vulnerable to attacks such as impersonation, replay and tracking attacks. In an attempt to avoid the drawbacks of the Hash-Lock protocol, a randomized version of the Hash-Lock protocol was proposed in [13]. In this protocol tags respond to reader's queries by generating a random value. This random value is then concatenated with the hash of the ID and sent to the reader. The reader identifies a tag by searching its database for the ID that corresponds to the hash value. The ID is then sent to the tag in plain-text. While the tag's response varies in each session, it is easy for an adversary to eavesdrop and obtain the identity of the tag. Moreover, the tag's holder is easily traced if the tag's ID is leaked. A hash-chain protocol was proposed in [14]. In this protocol, the tag always replies to the reader queries with different responses. To achieve this, it mainly depends on incorporating two different hash functions. Although this protocol introduces the dynamic property in tag responses, an attacker can disguise himself as a legitimate tag by resending an intercepted authentication message to the reader. Therefore, the protocol is vulnerable to replay attacks.

In [15], a hash function, a pseudo-random number generator, and an XOR operator are used in an authentication protocol for low cost tags. However, as shown in [16], this protocol is vulnerable to replay and denial of service attacks. In [16], a lightweight anti-desynchronization RFID authentication protocol was proposed. In this protocol, the server keeps track of the updated random key to prevent active attackers from desynchronizing the shared secret between the tag and the server. Although this technique prevents the replay attack, it is prone to denial of service attacks. Finally, in [17], a scalable pseudo random based scheme was proposed. This scheme utilizes symmetric key cryptography, random number generators, and hash functions for authentication. In this scheme, although the random number generation makes it difficult to predict the next random value, it is susceptible to reverse engineering due to the static structure of the seed.

III. PRELIMINARIES

A. Protocol Preliminaries

A cryptographic hash function $h$ is a mathematical algorithm that maps data of arbitrary size to a bit string of fixed size. It is cryptographically secure if it satisfies the following:

• Preimage-Resistance: It should be computationally infeasible to find any input for any pre-specified output which hashes to that output, i.e. for any given $y$, it should be computationally infeasible to find an $x$ such that $h(x) = y$.

• Weak Collision-Resistance: For any given $x$, it should be computationally infeasible to find $x' \neq x$ such that $h(x') = h(x)$ [18].

• Strong Collision-Resistance: It should be computationally infeasible to find any two distinct inputs $x$ and $x'$, such that $h(x) = h(x')$ [19], [20].

[Figure 1 block labels: Verification Server with "Gold Standard" Timer; Reader; Synchronization; Rapid Trust Verification; Self-powered Timer; Random Number Generator; Authentication Tokens.]

Fig. 1: Rapid authentication of passive IoT devices using self-powered timers.

B. The System and Adversarial Model

The System Model: The system usually consists of three components: a tag $T$, a reader $R$ and a back-end server $S$. A tag $T$ is basically a chip that has small storage, limited computation resources and constrained communication capabilities. It requires power to perform different operations such as hash computations. Passive tags are battery-less devices operated by energy harvested from the reader. Since they have very limited power resources, these tags are assumed to receive and transmit data within a very short range. A reader $R$ is a powerful device which is authorized by the back-end server to authenticate a group of tags through a set of communication sessions. A back-end server $S$ provides the database for tags and participates with the reader in the tag authentication. The server is also in charge of deciding the authorization of the set of operating readers. We particularly consider the case of a centralized system, where any reader $R$ from the set of operating readers is continuously online and connected to a centralized server $S$. We denote the number of tags in a system by $N_T$, and let $T_i$ for $1 \le i \le N_T$ denote the identifier for the $i$-th tag in the system. The back-end server and reader are usually considered to be resource-abundant. They are generally capable of performing intensive cryptographic operations. Therefore the link between the back-end server and the reader is assumed to be secure. Moreover, the server and reader are considered to be a single entity in most of the scenarios. As shown in Fig. 1 from [21], the system model comprises one or a set of timers on-board of the tags, namely self-powered timers. These timers periodically generate random numbers that are exploited to generate authentication tokens in the proposed authentication protocol.

The Adversarial Model: The adversary could be either passive or active. An active adversary can control a certain number of tags and readers, and modify the conversations between them, enabling himself to initiate and terminate a session. A passive adversary eavesdrops on the channel between a tag and a reader to learn the output of the communication sessions. The adversary may then deduce information and combine messages to later impersonate or trace a tag.

C. Notation

The following notations will be used throughout the rest of the paper.

$T$         The tag in request.
$R$         The reader requesting the tag.
$S$         The server possessing the database.
$K$         The shared private key.
$N_T$       The number of tags in the system.
$h(x, y)$   The cryptographic hash function.
$ID_T$      The ID of the tag $T$.
$n$         The current number of tag readings.
$n'$        The expected number of tag readings.
$A$         The authentication value ($a$-bits).
$V$         The timer value ($v$-bits).
$r$         The random bits periodically generated by the timer.

IV. THE PROPOSED AUTHENTICATION PROTOCOL

In this section we introduce our authentication protocol. The proposed protocol relies mainly on the existence of one or a set of $M$ on-chip self-powered timers. In particular, the protocol exploits a synchronized phenomenon that naturally happens to the designed self-powered timer located on-board of the operating tag. This designed timer provides the proposed protocol with the desirable dynamic authentication together with the ability of resynchronization with the dedicated reader at any time instance during the tag's lifetime.

A. Self-powered Timers

The design and principle of operation of the self-powered timers was reported in [10] and is not the focus of this paper. However, in this section we briefly describe some of the features of the time-keeping devices necessary to describe the authentication protocol. Fig. 2 summarizes the key features of the timers as reported in [10], [21]. Fig. 2(a) shows the micrograph of a timer device that was fabricated on a standard silicon process and has a form factor less than 100 µm × 100 µm. Thus the device could be easily integrated with any passive RFID tag. The measured response of the timer is shown in Fig. 2(b) and can be mathematically modeled as

$$V_i = \frac{K_2}{\ln(K_1 t_i + K_0)} + K_3, \qquad (1)$$

where $V_i$ is the value of the timer at time instant $t_i$ and $(K_0, K_1, K_2, K_3)$ are the model parameters which are determined by the device form factors and its initialization conditions. As shown in Fig. 2(b), the model in equation (1) accurately captures the dynamics of the timer. This feature is important because it ensures that a software model of the timer running on a remote authentication server is accurately synchronized with the hardware timer integrated on a tag. Fig. 2(c) compares the responses from three different timers


[Figure 2, panels (a)–(f). Labels: Self-powered Timer; Pseudo Random Number Generator; Tunneling Junction; Floating-gate Transistor; Read-out Buffer; Vfg, Vcg, Vs, Vd, Vtun, Vo; Measured; Model; Power; Token.]

Fig. 2: Design of the self-powered timer: (a) micro-photograph of the fabricated timer device, (b) measured response showing that the proposed mathematical model can fit the data well, (c) measured data across different dies showing that the timer is robust and showing synchronization accuracy greater than 0.5%, (d) the token generation system proposed in [21], (e) normalized random tokens generated using the timer output from measured response in (c) and (f) the matching result of the random tokens generated from two synchronized timers [10].

(integrated on three different tags) and shows the maximum temporal deviation with respect to each other. The response was obtained by only taking the change of the timer output with respect to a reference time instance. As reported in [10], the timers can be synchronized with respect to each other with an accuracy greater than 0.5%.

In [21] we combined the output of the timer with a pseudo random number generator (PRNG) to produce authentication tokens. The system is shown in Fig. 2(d) and comprises two modules: (a) the timer, which is self-powered and continuously keeps track of time; and (b) a PRNG, which is externally powered when an authentication value is requested from the tag. When a request signal is sent to the tag, the timer value shown in Fig. 2(c) is read out and digitized. The digitized value is then used as a seed to feed a PRNG such as a Linear Feedback Shift Register (LFSR) [22]. After a certain number of cycles of shift operations, the generated random code $V_i$ shown in Fig. 2(e) can be further used in the proposed authentication protocol at any time instance $t_i$. The time-variant seeds break the pattern of the PRNG and make it function like a true RNG. A synchronized timer stored on the server goes through the same process and should generate an identical random number in ideal cases. By comparing the synchronicity between the two generated random number tokens, authentication can be achieved. On one hand, due to the existence of the PRNG, the timer value can be masked and protected from machine learning attacks. On the other hand, the timer breaks the pattern of the PRNG and therefore makes it difficult to predict the random output. Fig. 2(e) shows the normalized random tokens generated using the output from two synchronized timers (as shown in Fig. 2(c)) to feed a software version of the PRNG. As can be observed, at some time instants, the codes deviate from each other due to the mismatch and quantization error of the digitization process. This issue can be easily tackled by searching a predetermined range of the reference timer values, therefore providing a level of tolerance. If two synchronized timers are integrated on a tag and server respectively, the tokens generated using the described strategy can be used for authentication. As illustrated in Fig. 2(f), in ideal cases, the token on the tag should always be equal to that on the server (plotted as the black solid line), while the real tokens can be different at a small portion of randomly scattered points due to non-ideal artifacts.

The robustness of the self-powered timer is key to successful implementation of the proposed protocol. In [10], timers with different combinations of form factors were fabricated and tested at different temperatures. While the device shows various temporal behavior at the initial transient stage, the measurement results verify that at the equilibrium stage, the fabricated designs show high robustness to device mismatch and temperature variations, and the overall synchronization performance is better than 40 dB. An extrapolation study was also conducted to verify that the timer can operate as long as 3 years, which is good enough for passive IoT devices. Details of the device performance can be accessed in [10], and are omitted here for the sake of brevity.

Having briefly described how the self-powered timers contribute to the authentication protocol, in the two following sub-sections we present details of how the timer output $V_i$ can be used to design two types of authentication models: one using a single timer and the other using an array of timers.

Algorithm 1 The proposed dynamic authentication protocol
Initialization secret ($K$): shared between the Tag $T$ and the Reader $R$.
At authentication time $t_i$:
• $R$ sends request to access $T$.
• $T$ computes $A_i = h(K, V_i)$, where $V_i$ is the $v$-bits timer value, and replies with the pair $(ID_T, A_i)$.
• $R$ retrieves $T$'s information from the Server $S$, computes $\tilde{A}_i$ and checks $A_i \stackrel{?}{=} \tilde{A}_i$. If true, $R$ authenticates $T$. Else, $T$ is unauthenticated.

B. The Single Timer Model

In the case of single timer model, only one timer is on-board of the tag. At each reading attempt, after being involved in a simple cryptographic operation, the timer value is compared to that of the corresponding gold standard tag at the server side. The details of the proposed authentication protocol are summarized in Algorithm 1 and described as follows.

The tag T and the reader R are assumed to share the private key K. At any authentication instance $t_i$, the authentication session is initiated when the tag is in the reader’s range. R sends a request to T as an interrogating signal for identification information. T responds or broadcasts to R its identification $ID_T$ and the authentication value

$$A_i = h(K, V_i), \tag{2}$$

where $V_i$ is the $v$-bits timer value and $A_i$ is $a$ bits. T then sends $A_i$ to R for authentication. Similarly, R computes $\tilde{A}_i$ and checks

$$A_i \stackrel{?}{=} \tilde{A}_i.$$

If this holds true, R authenticates T. Otherwise, T is unauthenticated.

As a matter of fact, the objective of any authentication protocol is to minimize the probability of false positive and false negative decisions. In false positive, the tag is erroneously indicated to be authentic while it is not. On the other hand, in the false negative, the tag is erroneously indicated to be un-authentic while it is authentic. While this protocol obviously achieves dynamic authentication by sending different and unpredictable authentication values at each session, we have not yet elaborated how it is able to continuously re-synchronize the tag with the server and minimize the probability of false negative decisions. As tags are naturally assumed to operate in a non-secure environment, they generally receive frequent attempts to be read by authentic and non-authentic readers.

We consider a scenario where a non-legitimate reader attempts to access a tag T. Since the tag updates its authentication value $A_i$ according to equation (2), the authentication value depends on neither past nor future tag accesses. Moreover, it is also independent of the number of times the tag has been read. Therefore, the proposed protocol guarantees the synchronization between the tag and the reader at any time instance $t_i$. As we will show later, this feature also enables our protocol to tackle numerous kinds of security attacks.

We also consider a typical attack scenario where, during the time period between two authentication value updates, denoted as $T_o$, an adversary might attempt to reuse the intercepted authentication value $A_i$ to get authenticated. We therefore have the following remark.

Remark 1. At any time instance $t_i$, when a certain tag $ID_T$ is accessed by a legitimate reader based on a valid authentication value $A_i$, the server no longer accepts re-accessing this tag for a predetermined time period $T_o$ until the authentication value is updated. In other words, during a time period $T_o$, any tag T can only be accessed once. Any further authentication attempts from the tag $ID_T$ during $T_o$ are considered to be illegitimate.

$T_o$ can be set dynamically by the server in a way that the server does not accept consecutive requests with identical authentication value. In other words, if the tag is successfully authenticated with value $A_i$, the server no longer accepts authentication with value equal to $A_i$. To initialize another successful authentication process, the timer value needs to be updated, leading to an updated $A_i$. The minimum time duration between two successful authentications can be defined as the lower bound of $T_o$.
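The following added example (not code from the paper) sketches the server-side check of Algorithm 1 together with the tolerance search over reference timer values and the once-per-period rule of Remark 1. It assumes that h is instantiated as HMAC-SHA-256, that the timer value is 16 bits wide and that the tolerance is one timer step on each side; the class names, function names and sample key are constructed for illustration.

```python
import hashlib
import hmac

V_BYTES = 2                      # assumed timer width: v = 16 bits
V_MOD = 1 << (8 * V_BYTES)


def token(key: bytes, v: int) -> bytes:
    """A_i = h(K, V_i), with h instantiated as HMAC-SHA-256 (assumption)."""
    return hmac.new(key, (v % V_MOD).to_bytes(V_BYTES, "big"), hashlib.sha256).digest()


class Tag:
    """Tag side of Algorithm 1: reply to a request with (ID_T, A_i)."""

    def __init__(self, tag_id: str, key: bytes):
        self.tag_id = tag_id
        self._key = key

    def respond(self, timer_value: int):
        return self.tag_id, token(self._key, timer_value)


class Server:
    """Reader/server side: recompute the expected token from the gold-standard timer."""

    def __init__(self, tolerance: int = 1):
        self.tolerance = tolerance   # timer steps searched on each side of the reference
        self._keys = {}              # ID_T -> K
        self._used = {}              # ID_T -> timer values already accepted

    def enroll(self, tag_id: str, key: bytes) -> None:
        self._keys[tag_id] = key
        self._used[tag_id] = set()

    def verify(self, tag_id: str, a_i: bytes, reference_v: int) -> str:
        key = self._keys.get(tag_id)
        if key is None:
            return "unknown-tag"
        window = [(reference_v + d) % V_MOD
                  for d in range(-self.tolerance, self.tolerance + 1)]
        # Values that left the window can no longer match, so forget them.
        self._used[tag_id] &= set(window)
        matched = None
        for v in window:             # scan the whole window, constant-time compare
            if hmac.compare_digest(token(key, v), a_i):
                matched = v
        if matched is None:
            return "rejected"        # counterfeit, wrong key, or desynchronized timer
        if matched in self._used[tag_id]:
            return "replay"          # Remark 1: one access per token period T_o
        # With a tolerance window, remembering only the last token is not enough:
        # every accepted timer value still inside the window must stay blocked.
        self._used[tag_id].add(matched)
        return "authenticated"


def run_sessions():
    """Constructed scenario: a legitimate read, two replays, a fresh read, a counterfeit."""
    key = bytes(range(16))                       # constructed sample key
    server = Server(tolerance=1)
    server.enroll("tag-01", key)
    tag = Tag("tag-01", key)

    tag_id, a_i = tag.respond(1000)              # tag timer lags the reference by one step
    results = [server.verify(tag_id, a_i, 1001)]               # legitimate read
    results.append(server.verify(tag_id, a_i, 1001))           # intercepted token reused at once
    results.append(server.verify(tag_id, a_i, 1002))           # reused after the timer advanced
    results.append(server.verify(*tag.respond(1002), 1002))    # next legitimate read
    fake = Tag("tag-01", b"not-the-real-key")
    results.append(server.verify(*fake.respond(1002), 1002))   # counterfeit tag
    return results


if __name__ == "__main__":
    print(run_sessions())
```

The immediate replay is refused because its timer value was already accepted, while the later replay is refused because that value has left the search window.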

C. The Multiple Timers Model

To add more robustness to the proposed design, we consider the incorporation of a set of M timers on-board of the tag. The main motivation behind this model is to account for any possible error in the timer values as a result of aging or possible security manipulation. In the case of multiple timers, each of these timers generates its own value to be involved in the same protocol as in Algorithm 1. Specifically, at each authentication time $t_i$ between an authentic reader R and any given tag T, R is expecting M authentication values from the M self-powered timers on-board of T, computed as,

$$A_i^j = h(K^j, V_i^j) \quad \text{for } j = 1, 2, \ldots, M, \tag{3}$$

where $V_i^j$ is the $v$-bits timer value of the $j$-th timer and $A_i^j$ is $a$ bits. Based on these values the reader decides the authentication confidence level of any given tag. The resulting M authentication values $\{A_i^1, A_i^2, \ldots, A_i^M\}$ from equation (3) are compared to the set of expected authentication values at the reader’s side $\{\tilde{A}_i^1, \tilde{A}_i^2, \ldots, \tilde{A}_i^M\}$,

$$A_i^j \stackrel{?}{=} \tilde{A}_i^j \quad \text{for } j = 1, 2, \ldots, M.$$

The matches between the two sets are used to compute the authentication confidence level as follows,

$$\text{Confidence Level} = \frac{\text{Number of matches}}{M}.$$

To tolerate possible errors in readings of timer values between the operating tags and their corresponding gold standard at the reader side, we design the authentication model such that it tolerates a predetermined error threshold $\gamma$. This setting enables us to present a customizable version of our protocol summarized in Algorithm 2. The modified protocol provides the flexibility to tolerate different levels of errors corresponding to different thresholds. These thresholds will create different safe regions with different confidence levels as shown in Fig. 3. We define the safe region as follows,

Definition 1 (Safe Region). The safe region is defined as the zone where a tested tag is legitimately following the behavior of the gold standard. This region is uniquely determined by a threshold radius $\gamma$.

Fig. 3: Classification based on statistical distance to the gold standard. (Labels: Gold Standard; Level 1, Level 2, Level 3; Counterfeited Region; thresholds $\gamma_1$, $\gamma_2$, $\gamma_3$.)

Algorithm 2 The multiple timers version of the proposed dynamic authentication protocol
Initialization secret ($K^j$), $j = 1, 2, \ldots, M$: shared between the Tag T and the Reader R.
At authentication time $t_i$:
• R sends request to access T.
• T computes $A_i^j = h(K^j, V_i^j)$ for $j = 1, 2, \ldots, M$, where $V_i^j$ is the $v$-bits timer value of the $j$-th timer, and replies with the pair $(ID_T, A_i^j)$.
• R checks $A_i^j \stackrel{?}{=} \tilde{A}_i^j$, computes the Confidence Level and checks $1 - \text{Confidence Level} \stackrel{?}{\leq} \gamma$. If true, R authenticates T. Else, T is unauthenticated.

Selection of the threshold radius $\gamma$ depends on the types of applications, prior estimation of the implementation environment and the expected security level. As illustrated in Fig. 3, a larger $\gamma$ implies a looser restriction on the authentication process, leading to a higher authentication success rate. However, this could possibly cause a higher false positive rate and increase the risk of malicious access. As a result, the trade-off between the security level and successful authentication rate determines the selection of $\gamma$. Optimization of the threshold radius leverages the consideration of the ambient environment and security requirements. Generally, a more secure system prefers smaller thresholds such as $\gamma_1$ in Fig. 3.

The multiple timer version of the proposed protocol is practically an M times application of Algorithm 1. However, in this case, R receives $\{A_i^1, A_i^2, \ldots, A_i^M\}$ and checks if

$$1 - \text{Confidence Level} \stackrel{?}{\leq} \gamma.$$

If true, R verifies that T falls in the safe region defined by the threshold $\gamma$. R, therefore, authenticates T and updates the state for the next session. Otherwise, T is unauthenticated.
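The decision rule of Algorithm 2 can be exercised with the added example below (not code from the paper), which computes the confidence level over M = 4 timers and applies the threshold check for a strict and a relaxed threshold. It assumes h is HMAC-SHA-256, a 16-bit timer value and a per-timer search of one step on each side of the reference; all names, keys and timer values are constructed.

```python
import hashlib
import hmac
from fractions import Fraction

V_BYTES = 2                      # assumed timer width: v = 16 bits
V_MOD = 1 << (8 * V_BYTES)


def token(key: bytes, v: int) -> bytes:
    """A_i^j = h(K^j, V_i^j), with h instantiated as HMAC-SHA-256 (assumption)."""
    return hmac.new(key, (v % V_MOD).to_bytes(V_BYTES, "big"), hashlib.sha256).digest()


def tag_response(keys, timer_values):
    """Tag side of Algorithm 2: one token per on-board timer."""
    return [token(k, v) for k, v in zip(keys, timer_values)]


def timer_matches(key, a_j, reference_v, tolerance):
    """True if a_j equals the expected token for some value near the reference."""
    hit = False
    for d in range(-tolerance, tolerance + 1):
        hit |= hmac.compare_digest(token(key, reference_v + d), a_j)
    return hit


def authenticate(keys, tokens, reference_values, gamma, tolerance=1):
    """Return (confidence_level, decision), where decision is 1 - CL <= gamma."""
    m = len(keys)
    if m == 0 or len(tokens) != m or len(reference_values) != m:
        raise ValueError("expected exactly M tokens and M reference values")
    matches = sum(timer_matches(k, a, r, tolerance)
                  for k, a, r in zip(keys, tokens, reference_values))
    confidence = Fraction(matches, m)            # exact arithmetic, no float rounding
    return confidence, (1 - confidence) <= Fraction(gamma)


def run_cases():
    """Constructed cases: healthy tag, one drifted timer, and a counterfeit tag."""
    keys = [bytes([j]) * 16 for j in range(1, 5)]             # constructed keys K^1..K^4
    reference = [1000, 2000, 3000, 4000]                      # gold-standard timer values
    healthy = tag_response(keys, [1000, 2001, 2999, 4000])    # every timer within one step
    aged = tag_response(keys, [1000, 2001, 2999, 4007])       # fourth timer has drifted
    forged = tag_response([b"guess" * 4] * 4, reference)      # right values, wrong keys
    strict, relaxed = Fraction(0), Fraction(1, 4)
    return {
        "healthy/strict": authenticate(keys, healthy, reference, strict),
        "aged/strict": authenticate(keys, aged, reference, strict),
        "aged/relaxed": authenticate(keys, aged, reference, relaxed),
        "forged/relaxed": authenticate(keys, forged, reference, relaxed),
    }


if __name__ == "__main__":
    for name, (confidence, ok) in run_cases().items():
        print(f"{name}: confidence={confidence} authenticated={ok}")
```

The drifted tag passes only under the relaxed threshold, which is the success-rate versus false-positive trade-off that the choice of threshold controls.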

As we previously mentioned, the tag usually operates in an insecure environment. Illegitimate readers may continuously attempt to maliciously access the tags. Thus, between every two legitimate readings, the tag has probably been subject to $e = n - n'$ access attempts, where $n$ and $n'$ are the current and the expected number of tag readings respectively. We point out that between two consecutive legitimate tag accesses, no matter how many malicious access attempts have been made, correctness of the following legitimate authentication session still holds. This is a result of the independence of the authentication value from the number of tag readings. However, it might be useful for the reader to keep track of the number of illegitimate attempts $e$ to access the tag. In particular, this gives valuable information about the environment and moreover the reader would adaptively adjust the threshold $\gamma$ based on this information.

Fig. 4: Deviation of the timer response from the reference gold-standard timer. (Labels: Gold Standard, Deviation Margin, Counterfeit.)

Based on the statistical real-life modeling of the incorporated timers, the reader is able to decide whether the deviation in the tag’s behavior is natural or it is a result of some malicious act. We therefore give the following definitions.

Definition 2 (Natural Deviation). A natural deviation describes the tag’s behavior as a result of natural practical circumstances.

Definition 3 (Malicious Deviation). A malicious deviation describes the tag’s behavior as a result of any malicious act, where a tested tag fails to continue following the gold standard deviation pattern or follows it with an unacceptable error.

Intuition of these definitions is clearly illustrated in Fig. 4. Due to nonideal artifacts such as temperature variations and mismatch, the timer device will show natural deviation from the ideal case, however, this deviation is usually within a small range of the gold standard response, as illustrated in Fig. 4 marked as “Deviation Margin”. Therefore, by searching a predefined small range of the gold standard timer at the server end and selecting a proper threshold radius $\gamma$, the natural deviation can be easily eliminated and will not affect the authentication process. However, a malicious deviation is either because of malicious tampering or counterfeited tags that are not synchronized with that on the server. In either case, it is desynchronized and the value of the timer will be far from that stored on the server as shown in Fig. 4. It is obvious that a malicious deviation will definitely lead the tag to be un-authenticated. Therefore the proposed protocol enables us to detect counterfeited or malicious tags not only through instant authentication at the beginning of its operation but also through statistical means at any time during its operation lifetime.


V. SECURITY AND PERFORMANCE ANALYSIS

In this section we analyze the security and performance of the proposed authentication protocol. We begin by investigating the security of the protocol against different kinds of attacks. To be able to do this analysis, we first need to settle on two key characteristics of the protocol. One is the secret shared between the tag T and the reader R. The other is the set of messages transmitted at each communication session between the tag and the reader. In the proposed protocol, the secret is the private key K. The transmitted messages are basically the tag identification $ID_T$ and the authentication value $A_i$. In any authentication attempt at time instance $t_i$, while the tag sends the value of the same hash function in equation (2), both of the hash function arguments K and $V_i$ are secure. More specifically, K is a private key that is never exposed to the adversary in clear-text and is computationally infeasible to derive. $V_i$ is dynamically and continuously updated with the fresh $r$-bits output from the self-powered timers, leading to an unpredictable authentication value.

Most importantly, it is worth pointing out that under the assumption that the underlying hash functions have the previously explained characteristics, namely preimage-resistance, second-preimage-resistance and collision-resistance, the proposed protocol is as secure as the hash functions. Moreover, to achieve the maximum possible security of the hash functions, the proposed protocol is designed to make it infeasible for an adversary, by any means other than exhaustive search, to guess the authentication value, even by overhearing the transmission channel between the tag and the reader. In particular, the adversary can guess a correct $a$-bits authentication value $A'_i = A_i$ with probability,

$$\Pr[(A'_i = A_i)] = 2^{-a}.$$

We now show how the proposed protocol is secure against most kinds of popular attacks.

Theorem 1. Our protocol is secure against de-synchronization attacks.

Proof: Equation (2) implies that the authentication value is determined by the current timer value. The robustness of the timer behavior ensures that the timer on the tag will keep synchronized with the timer on the server. The timer’s dynamic response cannot be programmed or altered by the reader in the authentication process. As a result, in the case of malicious tag access from an illegitimate reader, the authentication values at any future time instance are independent of the previous readings, hence cannot be altered. The synchronization between the tag and the reader is continuously maintained by the self-powered timers and is resistant to de-synchronization attacks.

Theorem 2. The proposed protocol is secure against tag impersonation attacks based on the security provided by the combination of the PRNG and the hash function.

Proof: The protocol features three levels of security that make the impersonation of a legitimate tag infeasible:

• Conventional technique based on the private key K only shared by the tag and the legitimate readers provides the initial level of security.

• The dynamic timer significantly enhances the performance of the RNG, enabling unpredictable output $V_i$.

• The choice of hash functions makes it computationally infeasible for an adversary to find K and $V_i$.

Therefore, even if the adversary intercepts an arbitrary number of messages at time $t < t_i$, it is practically difficult to guess the output $A_i$ at $t_i$ for impersonation.

Theorem 3. Our protocol is secure against replay attacks.

Proof: When a tag is authenticated at time $t_i$, it goes into an idle mode for a predetermined time period $T_o$. As explained in Remark 1, during this time period, the reader denies any attempts from the authenticated tag to be reaccessed. Therefore, for $t_i < t < t_i + T_o$, a tag $T_i$ is only authenticated once. This prevents any attempts of replay attacks, where an intercepted authentication value $A_i$ is useless during this time period.

Theorem 4. The proposed protocol is secure against backward and forward traceability attacks based on the security of the hash function.

Proof: The key to avoid traceability attacks is to avoid using any static or predetermined messages throughout all of the authentication attempts. Our protocol employs the combination of a dynamic timer and a PRNG to generate “true” random numbers that are not predictable. This random feature makes it hard to trace the pattern. The hash function further enhances this attribute. The communicated messages during authentication at time instance $t_i$ cannot be inferred from other communicated messages at any other time $t_j$, where $i \neq j$. Therefore, the authentication protocol is immune to forward or backward traceability attacks.

Table I compares the security ability of the proposed protocol to some state-of-the-art protocols proposed in literature.

TABLE I: Security comparison against various attacks
Protocols compared: Weis et al. [13], Ohkubo et al. [14], Song et al. [15], Fu et al. [17], Zhou et al. [16], Our Protocol
DoS Attack: X X X
MITM Attack: X X X X
Traceability Attack: X X X X
Replay Attack: X X X X
De-synchronization Attack: X X

To evaluate the performance of the proposed protocol we analyze the design from two main aspects: storage and efficiency. Since tags are typically very resource constrained, this analysis is extremely important to evaluate and compare different designs. Generally, the tag is the part of the system with the least storage and power resources. Therefore, in our analysis, while we study the resources required by both the tag and the reader, the resources required by the tag are rather more important. This is a result of the reader being assumed to be powerful and to have sufficient storage as compared to the tag. We begin by investigating the amount of storage that our protocol requires. The tag basically needs to permanently store its private key K and $ID_T$. This amount of storage is, to the best of our knowledge, equivalent to the least we have seen in literature. In terms of communication cost, with only one transmission from the tag to the reader, the proposed protocol is by far the most efficient we have seen in literature. Moreover, for the performance of tags in terms of hash function computation, we compute the execution time per output of the most well-known hashing algorithm, Secure Hash Algorithm (SHA). While it is benchmarked in [23] that Cycles Per Instruction (CPI) for SHA 256 and SHA 512 are 31.6 and 35.4 cycles/byte respectively, based on these values, we compute the execution time as follows,

$$\text{ExecutionTime} = \text{CPI} \times \text{Bytes} \times \text{CycleTime}.$$

The results of performance comparison are depicted in Figure 5 where the execution time is measured at a tag’s clock-rate ranging from 0.5 to 5 MHz. In Table II, we present a cost analysis comparison between the proposed protocol and some of the state-of-the-art protocols.

Fig. 5: Dependence of execution time of SHA-256 and SHA-512 on clock speed. (Curves: SHA-256, SHA-512.)

TABLE II: Cost comparison

| Protocol | # of communications | Computation cost for the Tag |
| --- | --- | --- |
| Weis et al. [13] | 1 | $C_C + C_H + C_R$ |
| Ohkubo et al. [14] | 1 | $2C_H$ |
| Song et al. [15] | 3 | $6C_X + 3C_H + C_R$ |
| Fu et al. [17] | 4 | $5C_C + 2C_X + 4C_H + 2C_R$ |
| Zhou et al. [16] | 3 | $6C_X + 5C_H$ |
| Our Protocol | 1 | $C_R + C_H$ |

$C_C$: Concatenation cost, $C_R$: Random number generation cost, $C_X$: XOR cost, $C_F$: Flip operation cost, $C_H$: Hash function cost, $C_S$: Circular shift cost.

VI. DESIGN CONSIDERATIONS

In this section we introduce an analysis of the set of parameters that control the security, performance and efficiency level of the proposed protocol. We explain the effect and the underlying design trade-offs for each of these parameters.

• $r$: The number of random bits $|r|$ periodically generated by the self-powered timers is controlled by their electronic design. As this number increases, the security of the authentication protocol increases. $r$ is determined by the robustness of the timer and limited by the computational resources.

• $a$: As the number of bits output of the hash function $A_i = h(K, V_i)$ increases, the security of the authentication protocol increases.

• $T_o$: The idle time that a tag spends after being read with a legitimate reader. While this value is determined by the electronic design of timers, it is useful to consider that the longer this value is, the longer the time period a tag will spend in the idle mode. On the other hand, the shorter this period is, the more strict the protocol will be in terms of accepted time offset.

• $M$: The bigger the number of self-powered timers on-board of the tag is, the more robust and reliable our design is. However, as $M$ increases, the storage, implementation, communication and chip costs increase.

• $\gamma$: As the threshold for accepted mismatches between the timer values of the tag and the reader decreases, the accuracy of the authentication protocol increases. However, if the threshold is too small, this can result in a higher probability of false negative decisions.

We note that the number of bits $a$ of the critical value $A_i$ is implicitly determined by the type of the underlying hash function. To give an insight of the possible sizes of hash arguments, hash values and their corresponding security level, we give some numerical values for the characteristics of SHA. Table III, from [24], shows the functional characteristics for 3 variants of SHA.

TABLE III: Functional characteristics of SHA

| | SHA-256 | SHA-384 | SHA-512 |
| --- | --- | --- | --- |
| Size of hash value | 256 | 384 | 512 |
| Complexity of the best attack | $2^{128}$ | $2^{192}$ | $2^{256}$ |
| Equivalently secure private-key cipher | AES-128 | AES-192 | AES-256 |
| Message size | $< 2^{64}$ | $< 2^{128}$ | $< 2^{128}$ |
| Message block size | 512 | 1024 | 1024 |

VII. CONCLUSION AND FUTURE WORK

In this paper, we introduced a novel dynamic authentication protocol for passive IoT systems. Our protocol relies on the existence of self-powered timers on-board of the authenticated tags. The self-powered timers do not require any external power sources, therefore can continuously run and keep track of time. Values generated by these timers provide our protocol not only with the desirable dynamic authentication but also the ability to defend against different types of attacks such as replay and de-synchronization attacks. Two authentication models were proposed. The first is a single timer model that depends on the output from a single timer on-board of the tag. A more robust model incorporates a set of M on-board timers. Depending on the statistical model of the timers, this model helps tolerate a predetermined error level during authentication by adjusting the desired threshold. Our protocol is proved to be secure against most kinds of attacks and to improve the performance in terms of security compared to the state-of-the-art protocols. The proposed design saves storage resources and is validated to be more efficient compared to the existing authentication protocols.


The proposed protocol opens doors to future work. Specifically, the tokens generated by the protocol can not only be used for authentication, but also can be used to encrypt the data transmission between the tag and reader. It can function as a dynamic encryption key for enhancing the data security.

REFERENCES

[1] F.-Y. Wang, D. Zeng, and L. Yang, “Smart cars on smart roads: an IEEE intelligent transportation systems society update,” IEEE Pervasive Computing, vol. 5, no. 4, pp. 68–69, 2006.

[2] M. Darianian and M. P. Michael, “Smart home mobile RFID-based internet-of-things systems and services,” in Advanced Computer Theory and Engineering, ICACTE’08, 2008, pp. 116–120.

[3] E. Abad, F. Palacio, M. Nuin, A. G. De Zarate, A. Juarros, J. Gomez, and S. Marco, “RFID smart tag for traceability and cold chain monitoring of foods: Demonstration in an intercontinental fresh fish logistic chain,” Journal of Food Engineering, vol. 93, no. 4, pp. 394–399, 2009.

[4] S. Amendola, R. Lodato, S. Manzari, C. Occhiuzzi, and G. Marrocco, “RFID technology for IoT-based personal healthcare in smart spaces,” IEEE Internet of Things Journal, vol. 1, no. 2, pp. 144–152, 2014.

[5] L. Ruiz-Garcia and L. Lunadei, “The role of RFID in agriculture: Applications, limitations and challenges,” Computers and Electronics in Agriculture, vol. 79, no. 1, pp. 42–50, 2011.

[6] A. Juels, “RFID security and privacy: A research survey,” IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 381–394, 2006.

[7] S. A. Ahson and M. Ilyas, RFID handbook: applications, technology, security, and privacy. CRC Press, 2008.

[8] A. Mitrokotsa, M. R. Rieback, and A. S. Tanenbaum, “Classifying RFID attacks and defenses,” Information Systems Frontiers, 2010.

[9] C. Lim and T. Kwon, “Strong and robust RFID authentication enabling perfect ownership transfer,” Conference on Information and Communications Security (ICICS), pp. 1–20, 2006.

[10] L. Zhou and S. Chakrabartty, “Self-powered timekeeping and synchronization using Fowler-Nordheim tunneling-based floating-gate integrators,” IEEE Transactions on Electron Devices, pp. 1254–1260, 2017.

[11] http://www.emc.com/security/rsa-securid.htm.

[12] S. E. Sarma, S. A. Weis, and D. W. Engels, “RFID systems and security and privacy implications,” CHES, Springer-Verlag, pp. 454–469, 2003.

[13] S. Weis, S. Sarma, R. Rivest, and D. Engels, “Security and privacy aspects of low-cost radio frequency identification systems,” Proc. of the 1st International Conference on Security in Pervasive Computing, pp. 201–212, 2003.

[14] M. Ohkubo, K. Suzuki, and S. Kinoshita, “Hash-chain based forward secure privacy protection scheme for low-cost RFID,” Proc. of the Symposium on Cryptography and Information Security, pp. 719–724, 2004.

[15] B. Song and C. J. Mitchell, “RFID authentication protocol for low-cost tags,” in Proceedings of the First ACM Conference on Wireless Network Security, 2008, pp. 140–147.

[16] S. Zhou, Z. Zhang, Z. Luo, and E. C. Wong, “A lightweight anti-desynchronization RFID authentication protocol,” Information Systems Frontiers, vol. 12, no. 5, pp. 521–528, 2010.

[17] J. Fu, C. Wu, X. Chen, R. Fan, and L. Ping, “Scalable pseudo random RFID private mutual authentication,” 2nd IEEE International Conference on Computer Engineering and Technology (ICCET), pp. 497–500, 2010.

[18] M. Naor and M. Yung, “Universal one-way hash functions and their cryptographic applications,” STOC, pp. 33–43, 1989.

[19] I. Damgard, “Collision free hash functions and public key signature schemes,” EUROCRYPT, pp. 203–216, 1987.

[20] M. Bellare and P. Rogaway, “Collision-resistant hashing: Towards making UOWHFs practical,” Advances in Cryptology - Crypto97, Lecture Notes in Computer Science, vol. 1294, pp. 470–484, 1997.

[21] L. Zhou and S. Chakrabartty, “Secure dynamic authentication of passive assets and passive IoTs using self-powered timers,” in ISCAS 2017, Baltimore, MD, USA, May 28-31, 2017.

[22] R. L. T. Hampton, “A hybrid analog-digital pseudo-random noise generator,” Proceedings of the Spring Joint Computer Conference, ACM, pp. 287–301, 1964.

[23] https://www.cryptopp.com/benchmarks.html.

[24] T. Grembowski, R. Lien, K. Gaj, N. Nguyen, P. Bellows, J. Flidr, T. Lehman, and B. Schott, “Comparative analysis of the hardware implementations of hash functions SHA-1 and SHA-512,” in Proceedings of the 5th International Conference on Information Security, London, UK, 2002, pp. 75–89.

M. H. Afifi received his B.S. and M.Sc. degrees in electrical engineering from department of Electronics and Communications, Arab Academy for Science, Technology (AAST), Alexandria, Egypt, in 2009 and 2012, respectively. He is currently a Research Assistant and a Ph.D. student at the department of Electrical and Computer Engineering, Michigan State University (MSU), East Lansing, Michigan, USA. His research interests include cybersecurity, data privacy, wireless communications, signal processing and wireless sensor networks. He is a student member of the IEEE.

Liang Zhou received the B.S. degree in physics from Tsinghua University, Beijing, China, in 2010. Currently, he is working toward the Ph.D. degree in the Department of Computer Science and Engineering, Washington University in St. Louis, St. Louis, MO, USA. His research interests include self-powered sensory systems, integrated circuits design and hardware security.

Shantanu Chakrabartty (SM’99-M’04-S’09) received his B.Tech degree from Indian Institute of Technology, Delhi in 1996, M.S and Ph.D in Electrical Engineering from Johns Hopkins University, Baltimore, MD in 2002 and 2004 respectively. He is currently a professor in the School of Applied Sciences and Engineering at Washington University in St. Louis. From 2004-2015, he was an associate professor in the department of electrical and computer engineering at Michigan State University (MSU). From 1996-1999 he was with Qualcomm Incorporated, San Diego and during 2002 he was a visiting researcher at The University of Tokyo. Dr. Chakrabartty’s work covers different aspects of analog computing, in particular non-volatile circuits, and his current research interests include energy harvesting sensors and neuromorphic and hybrid circuits and systems. Dr. Chakrabartty was a Catalyst foundation fellow from 1999-2004 and is a recipient of National Science Foundation’s CAREER award, University Teacher-Scholar Award from MSU and the 2012 Technology of the Year Award from MSU Technologies. Dr. Chakrabartty is a senior member of the IEEE and is currently serving as the associate editor for IEEE Transactions of Biomedical Circuits and Systems and a review editor for Frontiers of Neuromorphic Engineering journal.

Jian Ren (SM’09) received the BS and MS degrees both in mathematics from Shaanxi Normal University, and received the Ph.D. degree in EE from Xidian University, China. He is an Associate Professor in the Department of ECE at Michigan State University. His current research interests include network security, cloud computing security, privacy-preserving communications, distributed network storage, and Internet of Things. He is a recipient of the US National Science Foundation Faculty Early Career Development (CAREER) award in 2009. Dr. Ren is the TPC Chair of IEEE ICNC’17 and General Chair of ICNC’18. Dr. Ren is a senior member of the IEEE.