APP: An Ultralightweight Scheme to Authenticate ONS and Protect EPC Privacy without Cryptography in EPCglobal Networks

The EPCglobal network, proposed by EPCglobal, is used to share product data between trading partners. Object Name Service (ONS) in the EPCglobal framework raises two critical security risks: the authenticity of IP addresses for Physical Markup Language (PML) servers and the privacy of Electronic Product Codes (EPCs). Existing work considers either the IP address authentication or the EPC privacy. In addition, that work mainly relies on cryptographic tools, in which key distribution is not a trivial task and also causes a large amount of computation overhead. In this paper, we make the first attempt to solve those two security risks together without relying on cryptography. We propose a scheme, namely, APP (authenticate ONS and protect EPC privacy), to guarantee the authenticity of IP addresses for PML servers as well as EPC privacy and to maintain ultralightweight computation cost. Moreover, we give formal definitions of the authenticity and the privacy in the ONS context. The security achievements are strictly analyzed and proved. The extensive analysis results justify the applicability of the proposed scheme.


Introduction
EPCglobal is a typical network framework for the Internet of Things (IoT), Machine to Machine (M2M), and RFID networks. It has been envisioned as a key method to recognize, locate, and trace EPC-enabled physical objects (e.g., RFIDs or sensors). Moreover, it is used to facilitate supply chain management, food traceback, logistics, and so forth.
Concretely, EPCglobal relies on Object Name Service (ONS) to map an Electronic Product Code (EPC) to the IP address of a server. The server, called the Physical Markup Language (PML) server in EPCglobal, provides detailed product information for the EPC. To do so, an EPC tag reader obtains EPCs from tags and submits the EPCs to ONS. Based on the received EPCs, ONS returns the IP address of the corresponding server. Generally speaking, the architecture of ONS consists of distributed server systems and can support iterative queries for scalability and flexibility.
The ONS architecture raises two security concerns. One is the authenticity of the returned results: if the returned results are fake, the product information will be detoured to a forged server with garbage information. The other is the privacy of the EPC: if the EPC is revealed by the ONS server, the user's privacy may be damaged. For example, a user looks up an EPC for a bottle of medical tablets that is privacy sensitive. Unfortunately, the above security risks have not been largely recognized, and few works exist that address both risks at the same time.
Currently, a few works use some similar methods for DNS security [1], rely on Public Key Infrastructure (PKI) [2], or depend on P2P architecture [3]. Those solutions experience many difficulties: The schemes relying on cryptography usually induce extensive computation overhead. The key distribution and management issues raise many deployment hurdles. The assumption of existing PKI is unrealistic in the current situation. Some solutions such as the P2P solution require the migration of the underlying network architecture.

International Journal of Distributed Sensor Networks
In addition, all schemes can only solve either of the aforementioned security concerns and not both. Moreover, as smartphones start to be equipped with an RFID reader function, the EPC reader will become portable. To save the power consumption of such hand-held devices, ultralightweight solutions are desired.
In this paper, we propose an ultralightweight solution to authenticate the ONS record and protect the user's privacy without cryptography. In addition, we strictly prove its security strength in terms of authenticity and privacy. Moreover, we adopt a formal and rigorous method to state, present, and analyze the security goals. That is, we formulate the definition of authenticity and privacy in EPCglobal. We formally prove the achievement of the proposed scheme with respect to authenticity and privacy strength. All presentations strictly follow the formal expressions for better clarity and rigorous generality.
The contributions of the paper are listed as follows.
(1) We make the first attempt to propose an ultralightweight scheme in terms of computation overhead without cryptography to solve both aforementioned problems in one solution.
(2) We make the first attempt to strictly define authenticity and privacy in EPCglobal and provide formal proofs for the achievement of security goals.
(3) We propose a general scheme to represent all possible solutions for the problem.
The rest of the paper is organized as follows. Section 2 gives an overview on relevant prior work. In Section 3 we discuss the basic assumption and models used throughout the paper. Section 4 provides the detailed description of our proposed models and analysis. Finally, Section 5 concludes the paper.

Related Work
The security in ONS starts to attract more and more attention. Fabian and Günther [4] reviewed the security challenges of the EPCglobal network. Sun et al. [2] proposed a lightweight Public Key Infrastructure (LPKI) for trustworthy ONS. They proposed to use a new encryption encode or decode strategy of EPC and improved the reliability of the certificate authority by a new multiple customer relation model. Fabian [3] and Fabian and Günther [5] proposed to use structured P2P systems with distributed hash tables (DHT) to replace ONS architecture. They found that the strength of privacy protection slightly increased by using DHT compared to DNS, but strong protection still relied on secure key distribution mechanisms. Rosenkranz et al. [1] compared two mechanisms to improve the trust level of ONS, DNSSEC and DNSCurve. DNSSEC enables integrity and authenticity; DNSCurve additionally enables confidentiality and higher availability. Their security goals are different from our paper, and ONS security cannot be achieved by DNS security enhancement with optimal performance. Schapranow et al. [6] proposed to protect the privacy of querying parties. Their module can smoothly integrate into existing network infrastructures without major efforts. Kurkovsky et al. [7] proposed to use wearable tags embedded in badges or clothing for employee's tracking at the workplace. It may hurt the privacy of employee after continuous authentication. This kind of privacy problem of RFID has been discussed in many papers [8][9][10][11]. Shi et al. [12] proposed SecDS, a secure EPC discovery service system in EPCglobal network. They developed a secure and efficient search engine (SecDS) based on EPC Discovery Services (EPCDS) for EPCglobal network. Their work is independent of ours.

Network Model.
There exist two major entities in ONS context: requester (denoted as R) and ONS server (denoted as S). The requester reads RFID tag to obtain EPC and submits it to ONS server. The ONS server subsequently returns the IP address of the server who can provide detailed product information on that EPC. The requester then consults the server with returned IP address so as to fetch the detailed product information.
Although the architecture of ONS is very similar to DNS, we observe that there still exists a major distinction between ONS and DNS: the content on the server returned by ONS for a given EPC is usually fixed and shorter than that in the server returned by DNS as it is the information for a product. The content on the server returned by DNS may be changed frequently as it is the information for a web site.

Attack Model and Trust Model.
We only consider adversaries at ONS servers as the paper concentrates on the authenticity of returned records (IP addresses) and EPC privacy. The adversary is denoted as A. We point out the following possible attacks.
Definition 1 (ONS pollution attack (A poll)). ONS server returns a fake IP address upon being requested for an EPC. The PML server at the fake IP address provides forged product information. In shorthand, R → S : {} , where  is the requested EPC;   is the IP address of PML server for that ; MAP ℎ is an imaginary authenticated list containing correct (,   ) pairs.
Definition 2 (ONS leakage attack (A leak)). ONS server reveals the pair of submitted EPC and requester's IP address to other third parties who are interested in them. In shorthand, where * means public;  is the requested EPC;   is the requester's IP address.
Definition 3 (ONS inference attack (A infr)). ONS server deduces the activities related to submitted EPCs and reveals those activities and requester's IP address to other third parties who are interested in them. In shorthand, where * means public;  is an activity.
ONS server is untrustworthy as we assume adversaries at ONS server are interested in the user's privacy and intend to break the authenticity.Requester must be trustworthy, as it is a prerequisite requirement for further discussion; otherwise, the discussion is meaningless and no solution exists.

Security Definition and Design Goal.
Informally speaking, the authenticity is guaranteed if adversaries cannot fool the requester to believe a fake IP address. More specifically, we formally state the definitions as follows.
Definition 4 (perfect authenticity of mapping IP address (Auth prft)). In shorthand, it is where Pr{ | } denotes the probability that  happens after event  happens. It is perfect authenticity to defend against A poll.
Definition 5 (computational authenticity of mapping IP address (Auth cmpt)). For any probabilistic polynomial Turing machine (PPTM) adversary A, given any , it is computationally infeasible to find ip such that (, ) ∉ , but let R believe it is correct. In shorthand, where negl() is a negligible function with security parameter ; Pr{ | } denotes the probability that  happens after event  happens. It is computational authenticity to defend against A poll.
Definition 6. Authentication attacking experiment on scheme Π defending against adversary A-ExpAuth A,Π (), is defined as follows.
(1) Scheme Π is executed with security parameter  in the presence of adversary A.
(2) R sends  to S; A at S finds , where (, ) ∉ MAP ℎ , and sends  to R. R believes  is a correct , then outputs 1, otherwise, outputs 0.
(3) If and only if R outputs 1, the experiment outputs 1.
Definition 7. Scheme Π guarantees perfect (computational) authenticity in the presence of any (PPTM) adversary A (denoted as Auth Π,A = 1), if and only if for any (PPTM) adversary A and scheme Π, the probability that the output of authentication attacking experiment equals 1 satisfies where negl() is a negligible function with parameter . (In the above equation, the contents in parentheses are corresponding and present simultaneously.)
The EPC privacy defending against A leak is guaranteed if and only if adversaries cannot know the requested  as   is always known by adversaries at S. In this situation,  should be either encrypted or transformed.
The EPC privacy defending against A infr is guaranteed, if and only if adversaries cannot deduce requester's activities after viewing requested  serials. Note that, it is impossible to hide  from S as  must be known by S to return corresponding . Thus, the privacy requirement is to disturb the requester's activities in  serials. More specifically, we formally state the definitions for EPC privacy as follows:
Definition 8 (user activity). It is a behavior related to certain products that are attached with requested EPCs, denoted as  = { 1 ,  2 , . . .,   }, where   ( = 1, . . ., ) is an activity.
Definition 10 (perfect privacy). Simply speaking, adversaries cannot link to anyone in ACT after viewing   (). In shorthand, the perfect privacy is where Pr{ | } denotes the probability that  happens after event  happens.
Computational privacy can be defined similarly like computational authenticity.
Definition 11. Privacy attacking experiment on scheme Π defending against adversary A-ExpPrvc A,Π (), which is defined as follows
(1) Scheme Π is executed with security parameter  in the presence of adversary A.
(3) If and only if A outputs 1, the experiment outputs 1.
Definition 12. Scheme Π guarantees perfect (computational) privacy in presence of any (PPTM) adversary A (denoted as Prvc Π,A = 1), if and only if for any (PPTM) adversary A and scheme Π, the probability that the output of perfect (computational) privacy attacking experiment equals 1 satisfies where negl() is a negligible function with parameter . (In the above equation, the contents in parentheses are corresponding and present simultaneously.)
Therefore, the design goal is to propose a scheme Π satisfying and especially with ultralightweight computation without cryptography.

Proposed Schemes
4.1. Basic Schemes. Before we propose our advanced scheme, we review some basic schemes to illustrate our motivations.
(1) Protect Authenticity via Digital Signature. The straightforward method to protect authenticity of EPC is to rely on the digital signature. Suppose there exists a Trusted Third Party (TTP). TTP signs the signatures for each pair of (, ) with its private key   . The public key of TTP   is predeployed at R. The authenticity of EPC can be achieved by following method: R → S : {} , S → R : {,  =  ((, ) ,   )} , R :  ((, ) , ,   ) where  is a certificate or a signature from TTP for (, ); (⋅, ⋅) is a digital signature function;   is the secret key of TTP; (⋅, ⋅, ⋅) is a signature verification function;   is the public key of TTP. This method requires TTP to sign a large number of signatures previously and deploy them to S. It is not scalable and flexible when the number of EPCs is large.
(2) Protect Authenticity via PKI Online. If there exists PKI, the certificate for public key can be fetched, and the signature of TTP can be generated on-line. The authenticity of EPC can be achieved by the following method:

(11)
This method requires that TTP exists and signs signatures on-line. It may be scalable when the number of EPCs is large, but more delay and communication overhead are induced.
(3) Protect Privacy via TTP's Encryption and Online Decryption. For protecting the privacy of EPC, the straightforward method is via encryption. The database on pairs of (, ) at S is encrypted by TTP's public key   . That is, S possesses a list of ⟨  ,   ⟩, where   = (,   );   = ((, ),   ); (⋅, ⋅) is a public key encryption function. The EPC privacy can be achieved by the following method: R → S : {  =  (,   )} , This method requires TTP to encrypt a large number of  and (, ) previously, deploy them to S, and decrypt   on-line. It is not scalable and flexible when the number of EPCs is large. Besides, the EPC privacy protection can only defend against adversaries at S but not on the links.
(4) Protect Authenticity via P2P Redundancy. If there does not exist PKI or TTP, the authenticity of EPC has to rely on redundancy information that can be provided from P2P network. The authenticity of EPC can be achieved by the following method: R → S  : {} , where S  , S  are any two Ss in P2P network; S  and S  should not be colluded. The privacy protection cannot be achieved in this method.
With the above warmup, we next propose an advanced scheme to achieve the design goal. We list major notations used in the remainder of the paper in Table 1.

Advanced Scheme: APP.
We propose an advanced scheme APP (authenticate ONS and protect EPC privacy), an ultralightweight scheme for both authenticity and privacy, as follows.

At R the Following Happens
Step 1. R has been predeployed with an authenticated set of (, ) pairs. Indeed, the set is a table with two fields- and -denoted as   . We have ∀ (, ) ∈   , (, ) ∈ MAP ℎ ,           = . (14) where Ω is projection operation for a field  in the table   .
Step 2. Select (, ) pairs from   . The number of pairs is , which form a testing set   . That is, Similarly, all EPCs in   form a set, denoted as   .
That is, where Π is projection operation for a field  in the table
Step 3. Suppose the requested EPC is . R randomly generates  −  − 1 distinct EPCs that are not in the set   and do not equal . It is called a set  −−1 . It mixes three sets, namely,   ,  −−1 , and {}. The union set is   . That is,
Step 4. R sends the mixed set   to S: R → S : { 1 , . . .,   } ;

At S the Following Happens
Step 5. S searches its database and returns corresponding IP addresses to R:

At R the Following Happens
Step 6. R checks the correctness of IP addresses, namely   = { 1 , . . .,   } ⊂   . That is, check whether are satisfied.
Step 7. If all IP addresses in   are correct, R believes the returning result of . That is, it records IP address for , denoted as .
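
The seven steps above as an added Python sketch; it is not code from the paper. The names n (size of the mixed set), k (size of the testing set), the sample EPCs and addresses, and both server functions are assumptions introduced here, because the page's own symbols did not survive extraction; `one_round_strength` reads the one-round expression in the paper's proof as 1 − k!(n−k)!/n!.

```python
import random
from math import comb

EPC_BITS = 96  # the page gives 96 bits as the upper bound on EPC length


def build_query(auth_table, target, n, k, rng):
    """Steps 2-4: pick k test pairs, add n-k-1 random dummies, mix in the target."""
    candidates = sorted(e for e in auth_table if e != target)
    if not 0 < k < n or k > len(candidates):
        raise ValueError("need 0 < k < n and at least k authenticated pairs")
    test_set = {e: auth_table[e] for e in rng.sample(candidates, k)}
    dummies = set()
    while len(dummies) < n - k - 1:
        e = rng.getrandbits(EPC_BITS)
        if e != target and e not in auth_table:  # dummies never collide
            dummies.add(e)
    query = list(test_set) + sorted(dummies) + [target]
    rng.shuffle(query)  # positions must not reveal which entries are tests
    return query, test_set


def verify_reply(query, reply, test_set, target):
    """Steps 6-7: accept the target's IP only if every test EPC came back correct."""
    if len(reply) != len(query):
        return None
    answers = dict(zip(query, reply))
    if any(answers[e] != ip for e, ip in test_set.items()):
        return None  # at least one known-good pair was answered wrongly
    return answers[target]


def run_round(server, auth_table, target, n, k, rng):
    """One APP round against `server`, a callable mapping an EPC list to an IP list."""
    query, test_set = build_query(auth_table, target, n, k, rng)
    return verify_reply(query, server(query), test_set, target)


def one_round_strength(n, k):
    """1 - k!(n-k)!/n!, i.e. 1 - 1/C(n, k) (symbol names n and k are assumed)."""
    return 1 - 1 / comb(n, k)


# Constructed sample data: 20 EPCs on the server, 8 of them predeployed at R.
SERVER_DB = {0xA000 + i: f"192.0.2.{i + 1}" for i in range(20)}
AUTH_TABLE = {e: SERVER_DB[e] for e in sorted(SERVER_DB)[:8]}
TARGET = 0xA00F  # known to the server, not in R's authenticated table


def honest_server(query):
    return [SERVER_DB.get(e) for e in query]


def polluting_server(query):
    """Hypothetical adversary at S: answers every EPC with one forged address."""
    return ["198.51.100.66"] * len(query)


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the run is repeatable
    print("honest   :", run_round(honest_server, AUTH_TABLE, TARGET, 10, 3, rng))
    print("polluting:", run_round(polluting_server, AUTH_TABLE, TARGET, 10, 3, rng))
    print("one-round strength:", one_round_strength(10, 3))
```

Outside a repeatable demonstration, pass `random.SystemRandom()` as `rng` so the server cannot predict which positions hold test entries.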

Extension.
(1) The above can be conducted by R for more rounds. If in all rounds  believes the returning results, the final result will be believed. That is, suppose round number is ; the  is mixed in the final round. In first  − 1 rounds, the  is a dummy. Only if R believes S in first , 1 ≤  ≤  − 1 rounds, R continues the next round (namely,  + 1 round).
(2)   may be updated by adding item (, ).That is, The updating can further be extended to batch V (1 ≤ V ≤  − ) items that are randomly selected from  −−1 .
(3) The verification for IP address can be extended to the verification of EPC information. In case the IP address corresponding to certain EPC is changed, the verification can be migrated to EPC information. The table   can be extended to table   accordingly as the information for designated EPC is usually constant.   is used for authenticating returned IP address. Most processes in the above seven steps remain unchanged, except that the fields in the table are changed, and the verification will be delayed upon requesting PML server.
(4) The parameters ,  in scheme APP can be extended to adaptive tuning according to the observation on the trustworthiness of ONS server. If accumulative trustworthiness is over a threshold value, the security parameter ,  can be changed to smaller ones for better performance (with respect to communication overhead).

Discussion.
(1) As an EPC is short (no more than 96 bits), it does not obviously damage communication performance when submitting multiple EPCs. Similarly, an IP address is short (no more than 128 bits), and it does not obviously damage communication performance when returning multiple IP addresses.
(2) The above discussion is independent of buffered ONS architecture. If buffered ONS is available, R does not need to explicitly request S and instead requests the buffered ONS. It thus can defend against poisonous ONS buffers. Indeed, buffered ONS records can be looked upon as an imaginary ONS server.
(3) It is better to let authenticated set   be different in the requests for a given ONS server S. We let  ≫ . is lightweight even though  is large. That is, the length of one record in   is no more than 96 + 128 = 224 bits; thus, the total length for   with  records is 224 *  bits. Algorithms proposed for APP scheme are as in Algorithms 1-3.
Proof. If and only if adversaries correctly answer the testing set   in   , requesters will accept the returning results. As |  | =  and |  | = , the probability that adversaries correctly guess the location of   in   is thus (!( − )!)/!. That is the probability that adversaries can cheat requesters to believe a fake returning IP address. Thus, the authenticity strength of APP with one round is 1 − (!( − )!)/!.

Proposition 14. The authenticity strength of APP with 𝑟
Proof. The probability that adversaries can cheat requesters in all  rounds is the probability of a successful guess in all  times, which is (!(−)!/!)  . Thus, the authenticity strength is 1 − (!( − )!/!)  .
Proposition 15. The privacy strength of APP with one round is 1/.
Proof. If and only if adversaries correctly guess the location of  in   , the privacy will be broken. As  −−1 is randomly generated, the linkages between serial EPCs are blurred. That is, (  (),   ) ∈ MAP V . As |  | = , and the privacy strength of one round of APP is 1/.
Proof. The computation overhead for authenticity protection is merely the verification of string comparison; no cryptographic computation is induced. Besides, no computation overhead for privacy protection is induced. The induced communications are  − 1 times. As the length of EPCs is no more than 96 bits, and IP address is no more than 128 bits, the total induced extra communication overhead is less than 224 * ( − 1) bits.
If the elements in testing set are recurrent, the security will be damaged. is also a security parameter influencing the authenticity and privacy strength. For simplicity and security, let  ≫ . Otherwise, the following analysis proves the influence of parameter  in scheme APP.
Proposition 17. The probability that   is recurrent in two subsequent rounds of selection of   at the requestors is 1/(, ) = (!( − )!)/!, where (, ) is the combination counts for selecting  elements from  elements.
Proof. View the selection of   as an event with probability 1/(, ). Suppose   is the set of the first round selection; the recurrence of   in the next round is thus 1/(, ).
Proof. Suppose   is the set of the first round selection; the probability that the recurrence of  items in   in any  rounds is 1/((, ) * ( − ,  − )).
Proposition 23. APP is the necessary condition for authenticity and privacy protection without any cryptographic computation and TTP.
Proof (sketch). As there does not exist TTP, the authenticity and privacy have to be achieved by R and S themselves. As there do not exist cryptographic operations, V1  = 2  = . As S must know  to return , adversaries at S can reveal . As  cannot be encrypted, the privacy can be achieved only by requiring multiple EPCs. As there does not exist TTP to judge the authenticity of returning   , an authenticated set   is required as a self-judgement criterion. That is,   ⊂   is required to be possessed by R.

Conclusions
In this paper, we proposed an ultralightweight scheme to authenticate requested IP address of EPC and to protect the user's privacy in EPCglobal network without relying on any cryptographic computation or TTP. We also proposed relevant algorithms and a general scheme that can unify all possible schemes. Moreover, the security of the scheme in terms of authenticity and privacy was strictly proved, and the performance was extensively analyzed. Both justified the applicability of the proposed scheme.