An Elliptic Curve Cryptography-Based RFID Authentication Securing E-Health System

Mobile healthcare (M-health) systems can monitor patients' conditions remotely and provide patients and doctors with access to electronic medical records, and Radio Frequency Identification (RFID) technology plays an important role in M-health services. It is important to securely access RFID data in M-health systems: here, authentication, privacy, anonymity, and tracking resistance are desirable security properties. In 2014, He et al. proposed an elliptic curve cryptography- (ECC-) based RFID authentication protocol which is quite attractive for M-health applications, owing to its claimed security, scalability, and efficiency. Unfortunately, we find that their scheme fails to achieve privacy protection if an adversary launches active tracking attacks. In this paper, we demonstrate our active attack on He et al.'s scheme and propose a new scheme to improve the security. Performance evaluation shows that the improved scheme can meet the challenges of M-health applications.


Introduction
Mobile healthcare (M-health) systems can monitor patients' conditions remotely and provide patients and doctors with access to electronic medical records. Such a system improves both convenience and efficiency, because patients and doctors are no longer required to be present at the same place; patients can contact their doctor from home and obtain an instant diagnosis and prescription. In the development of M-health systems, Radio Frequency Identification (RFID) technology plays an important role in identifying and accessing patients and objects. Therefore, securely accessing these RFID tags and systems is critical to the success of M-health systems [1,2]. In an RFID system, there are three types of roles: RFID tags, RFID readers, and a back-end server. Each tag has a unique number which is used to identify an RFID-tagged product. To obtain data from a tag, a reader first issues a query to the tag and then forwards the information returned by the tag to the back-end server. The back-end server maintains a database of the information on tags and the products they label. However, because a tag automatically responds to any reader's query over the radio channel, the owner of the tagged product may be unaware that the exchange took place. If the tag transmits a fixed value in response to readers' queries, it raises privacy threats to the labelled objects and to the owner's location.
Privacy protection in an RFID system is investigated in two respects. One is anonymity; the other is tracking attack resistance. The former provides confidentiality of the tag's identity, so that an unauthorized observer cannot learn the identity of the tag. The latter provides unlinkability of any two RFID transmission sessions; that is, given any two RFID transactions, an attacker cannot tell whether the two transactions came from the same tag or not. Tracking attacks can be classified into two categories: passive tracking attacks and active tracking attacks. In a passive tracking attack, an adversary tries to distinguish whether two RFID transactions came from the same tag by eavesdropping only, while in an active tracking attack the adversary actively participates in the transactions (by eavesdropping, interruption, replay, and modification) to obtain data that tells whether two transactions came from the same tag. Both types of tracking might be used to infer users' location information or even their personal profiles.
Due to advances in hardware, many RFID schemes based on public key techniques have been proposed and implemented [3]. Compared with other cryptographic mechanisms, elliptic curve cryptography (ECC) [4,5] is more competitive, since it provides the same security level with a much smaller key size. Lee et al. [6] proposed an ECC-based RFID authentication scheme. Bringer et al. [7] and Deursen and Radomirovic [8] found that Lee et al.'s scheme is vulnerable to the tracking attack and the replay attack. Liao and Hsiao [9] proposed an ECC-based RFID authentication scheme integrated with an ID verifier transfer protocol; nevertheless, Peeters and Hermans [10] showed that Liao and Hsiao's scheme cannot resist the server impersonation attack. Tan [11] proposed an ECC-based three-factor RFID authentication scheme. Arshad and Nikooghadam [12] found that Tan's scheme is not resistant to the replay attack and the denial-of-service attack.
In 2014, He et al. [13] proposed an elliptic curve cryptography- (ECC-) based RFID authentication protocol which aimed at protecting the tag's anonymity and unlinkability and at improving the computational complexity. Compared with previous authentication schemes, He et al.'s scheme has better performance in terms of security, computational cost, and storage requirement. Unfortunately, we find that their scheme fails to achieve privacy protection if an adversary launches active tracking attacks. We will show the weaknesses and propose an improved scheme. The rest of this paper is organized as follows. Section 2 gives a preliminary sketch of elliptic curve cryptography and bilinear pairings. Section 3 reviews He et al.'s scheme and shows its security weakness. In Section 4, we propose our new scheme, which is followed by security analysis and performance evaluation in Section 5. Finally, conclusions are given in Section 6.

Preliminaries
We briefly introduce elliptic curve cryptography and the bilinear pairing. Koblitz [4] and Miller [5] introduced elliptic curves for cryptographic applications. Since then, elliptic curve cryptography (ECC) has played an important role in many cryptosystems. An elliptic curve is defined by the equation 2 = 3 + + over ( ), where is a large prime and ( ) is a finite field of order . The main attraction of ECC is that ECC with a 160-bit key can reach the same security level as 1024-bit RSA and thereby significantly reduce the key size.

Elliptic Curve Cryptography.
The security of He et al.'s protocol is based on the complexity of the elliptic curve discrete logarithm problem (ECDLP) [14].
Elliptic Curve Discrete Logarithm Problem (ECDLP). Given an elliptic curve over ( ) and two points and on , the elliptic curve discrete logarithm problem is to find an integer ∈ * such that = .

The Bilinear Pairing.
The bilinear pairing was initially considered a negative property in the design of elliptic curve cryptosystems, because it reduces the discrete logarithm problem on some elliptic curves (especially supersingular curves) to the discrete logarithm problem in a finite field [15]. This property diminishes the strength of supersingular curves in practice [16]. However, following the tripartite key agreement protocol proposed by Joux [17] and the identity-based encryption scheme proposed by Boneh and Franklin [18], pairings became beneficial and favorable to the design of cryptographic protocols and cryptosystems [19]. Let 1 be an additive cyclic group (which is the elliptic curve group ( ) here) and let 2 be a multiplicative cyclic group with the same prime order ; that is, Bilinear pairing is defined bŷ: 1 × 1 → 2 which satisfies the following properties: (1) Bilinear: for all , ∈ 1 and all , V ∈ * , we havê (2) Nondegenerate:̂( , ) ̸ = 1 for some ∈ 1 .
We find that He et al.'s protocol is vulnerable to active tracking attack. We will utilize the bilinear pairing to facilitate our active attacks in Section 4.

Review of He et al.'s Protocol.
This section reviews He et al.'s protocol [13]. The system consists of three kinds of entities: readers, a back-end server, and a set of tags; the RFID reader is omitted from the protocol description since it acts as an intermediate party that relays messages exchanged between a tag and the server. It is assumed that the communication between the reader and the back-end server is secure. The protocol comprises two phases: setup and authentication. Notations used in the protocol are defined as follows:
(i) , : two large primes.
(iv) : a generator point for a group of order over .
(v) : the private key of the server.
(vi) : the public key of the server = .
(vii) : the ID verifier of the tag.
[Figure 1 residue: Server (x_s, P_s, X_T); Tag X (P_s, X_T).]
Setup Phase. To set up the system, the back-end server performs the following tasks:
(ii) Choose a random number ∈ * as the server's private key, and compute = as the server's public key.
(iii) Choose a random point on denoted as a tag's ID verifier.
(iv) (params, , ) is stored at both the tag and the server's database.
(v) The server also keeps secret.
Authentication Phase. To achieve mutual authentication, the server ( ) and the tag (Tag ) do the following steps. The authentication phase is illustrated in Figure 1.

The Weaknesses.
We find that He et al.'s protocol is vulnerable to active tracking attack. We utilize the bilinear pairing to check whether two transactions came from the same tag or not. We demonstrate our active attack as follows, where Adv denotes the adversary, which impersonates the server to collect tag responses for tracking. First of all, Adv randomly chooses 1 ∈ * , computes 1 = 1 , and sends message 1 = { 1 } to probe the tags it encounters. In the following, we assume Adv encounters the same tag Tag .

The Proposed Scheme
We propose a new ECC-based scheme, which offers good performance in terms of security, computational complexity, and communicational cost. Our scheme resists all the security threats discussed, including the active tracking attack. Regarding computational complexity, we reduce the number of elliptic curve scalar multiplications, which is the most computationally expensive operation in ECC. For embedded systems such as RFID and wireless sensor networks, communication consumes the most energy of all operations; therefore, reducing the message length is critical for saving the energy of these devices. The proposed scheme consists of two phases: setup and authentication. Since the setup phase is the same as that in He et al.'s protocol, it is omitted here. The authentication phase is described as follows.
Authentication Phase. To achieve mutual authentication, the server ( ) and the tag (Tag ) do the following steps. The authentication phase is illustrated in Figure 2.
[Figure 2: The authentication phase of the proposed protocol. Only the figure's text survives extraction: Server holds (x_s, P_s, X_T) and Tag X holds (P_s, X_T); Server: r_1 ∈_R Z_n^*, R_1 = r_1 P, m_1 = {R_1}; Tag: r_2 ∈_R Z_n^*, R_2 = r_2 P, TK_T1 = r_2 P_s, TK_T2 = r_2 R_1.]

Security Analysis.
We analyze the security of the proposed scheme as follows.
Mutual Authentication. The authentication of the tag depends on the tag's ability to prove its knowledge of the secret . In our scheme, the server receives the message 2 = { 2 , Auth }, where 2 = 2 and Auth = ( + TK 2 ) ⊕ ( 1 +TK 1 ). The server uses its private key to compute TK 1 = 2 and TK 2 = 1 2 and to extract = (Auth ⊕ ( 1 + TK 1 )) − TK 2 . Then, the server checks whether is stored in its database. Only the genuine tag that owns the secret can generate a valid Auth . The authentication of the server depends on the server's ability to extract and generate a valid Auth . Only the genuine server that owns the secret can correctly extract from Auth and then compute a valid Auth = ( + 2TK 2 ) ⊕ 2 ( 1 + TK 1 ). Without knowledge of the server's secret key , the adversary cannot obtain TK 1 = 2 . The tag checks the validity of Auth ; if it is valid, the server is authenticated.
Anonymity. In our scheme, 1 = { 1 }, 2 = { 2 , Auth }, and 3 = {Auth } are transmitted, where the tag-identity-related messages are Auth = ( + TK 2 ) ⊕ ( 1 + TK 1 ) and Auth = ( + 2TK 2 ) ⊕ 2 ( 1 + TK 1 ), which are random due to the two fresh random numbers 1 and 2 chosen in each session. Therefore, the adversary can learn nothing about the identity of the tag from the transmission. The randomness and freshness of the two random numbers ensure the anonymity of the proposed scheme.
Tracking Attack Resistance. The essence of the active tracking resistance of the proposed scheme is that each calculation of Auth = ( + TK 2 ) ⊕ ( 1 + TK 1 ) involves the confusion value ( 1 + TK 1 ), where the computation of TK 1 needs either the tag's secret 2 or the server's private key ; therefore, an active tracker has no way to derive any verifiable data from the transmissions. We can verify this by launching the same active attack on our proposed protocol as follows, where Adv denotes the adversary, which impersonates the server to collect tag responses for tracking. First of all, Adv randomly chooses 1 ∈ * , computes 1 = 1 , and sends message 1 = { 1 } to probe the tags it encounters. In the following, we assume Adv encounters the same tag Tag .
[Figure residue: comparison of the server's computational cost among Arshad and Nikooghadam [12], Liao and Hsiao [9], He et al. [13], and ours.]
Tag Masquerade Attack Resistance. To impersonate a tag, the adversary must be able to generate a valid message 2 = { 2 , Auth T }, where Auth = ( + TK 2 ) ⊕ ( 1 + TK 1 ). However, it is difficult to generate such a message without knowing the identity of the tag .
Server Spoofing Attack Resistance. To impersonate the server, the adversary must be able to generate a valid message 3 = {Auth }, where 1 = 1 and Auth = ( +2TK 2 )⊕2 ( 1 + TK 1 ). It is easy for the adversary to generate 1 , but it is difficult to generate Auth without knowledge of the server's secret key and the tag's identity .
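To make the authentication phase and the mutual-authentication and server-spoofing arguments above concrete, here is an added toy implementation (not the paper's code) on a constructed curve y^2 = x^3 + 2x + 2 over GF(17) with generator G of prime order 19; the point XOR is read, as an assumption, as XOR of the (x, y) encodings, and nonces are passed in as parameters instead of being drawn at random.

```python
# Added example (not the paper's code): a toy run of the proposed authentication phase on a
# constructed curve y^2 = x^3 + 2x + 2 over GF(17), generator G of prime order 19 (insecure size, for tracing only).
P_MOD, A, G = 17, 2, (5, 1)

def add(p1, p2):
    """Point addition on the toy curve; None stands for the point at infinity."""
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if x1 == x2:   # doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:          # chord
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):   # scalar multiplication k*pt by double-and-add
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sub(p1, p2):
    return add(p1, (p2[0], -p2[1] % P_MOD))

def xor(p1, p2):   # assumed reading of the paper's XOR on points: XOR of the (x, y) encodings
    return (p1[0] ^ p2[0], p1[1] ^ p2[1])

def tag_respond(R1, P_s, X_T, r2):
    """Tag: receive m1 = {R1}, return m2 = {R2, Auth_T}; r2 is the tag's fresh nonce."""
    R2 = mul(r2, G)
    TK_T1 = mul(r2, P_s)   # = r2*x_s*P, recomputable only with the server key x_s
    TK_T2 = mul(r2, R1)    # = r1*r2*P, recomputable by whoever chose r1
    auth_T = xor(add(X_T, TK_T2), add(R1, TK_T1))
    return R2, auth_T, (TK_T1, TK_T2)

def server_verify(x_s, r1, R1, R2, auth_T, db):
    """Server: recover X_T from m2, look it up, return m3 = {Auth_S} (None = reject)."""
    TK_S1, TK_S2 = mul(x_s, R2), mul(r1, R2)
    X_T = sub(xor(auth_T, add(R1, TK_S1)), TK_S2)
    if X_T not in db:      # also what an impersonator without x_s ends up with
        return None
    return xor(add(X_T, mul(2, TK_S2)), mul(2, add(R1, TK_S1)))

def tag_check(auth_S, R1, X_T, tk):
    """Tag: accept the server only if Auth_S matches its own recomputation."""
    TK_T1, TK_T2 = tk
    return auth_S == xor(add(X_T, mul(2, TK_T2)), mul(2, add(R1, TK_T1)))
```

With the constructed values x_s = 3, r1 = 5, r2 = 4 and X_T = 7G the server recovers X_T and the tag accepts Auth_S, while a caller that supplies a wrong x_s (an impersonator without the server key) gets None from server_verify. On this tiny curve a sum that lands on the point at infinity is not handled.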

Performance Evaluation.
We compare the proposed scheme with He et al.'s protocol [13] and some related schemes [9,12] in terms of computational cost, communicational cost, and storage cost. Let denote the cost of point addition over an elliptic curve , let denote the cost of scalar multiplication over an elliptic curve , let denote the cost of modular multiplication over the underlying field ( ), let INV denote the cost of modular inverse over the underlying field ( ), let denote the cost of computing a hash value, let ECC denote the bit length of one elliptic curve point, let | | denote the size of integer , and let denote the number of tags in the system. To evaluate the complexity, we adopt the practical figures from [20]. Reference [20] lists the timings for computing and mod , where is an elliptic curve defined over ( ), ≈ 2 160 , is a point whose order is a 160-bit prime over , is a random 160-bit integer, and is a 1024-bit prime. Therefore, we can conclude that ≈ (41/5) ≈ 8 , ≈ (29/0.12) ≈ 241 , and INV ≈ (3 * 8/41) ≈ 0.58 [20]. Note that the cost of an exclusive-or operation (XOR) is negligible compared with the other operations stated above. Since the parameters params = { , , , , } are stored in both the server and the tag, the storage cost of params is omitted in the following comparison.
The performance comparison is summarized in Table 1. Since He et al.'s protocol [13], Liao and Hsiao's scheme [9], Arshad and Nikooghadam's scheme [12], and our proposed scheme all rely on the ECDLP, the elliptic curve scalar multiplication is the most time-consuming operation in each of them. Although our proposed scheme has the same communicational and storage costs as He et al.'s protocol, it achieves better computational performance by eliminating one elliptic curve scalar multiplication. Our proposed scheme is more efficient than Liao and Hsiao's scheme because it requires less computation, communication, and storage. Table 1 shows that Arshad and Nikooghadam's scheme requires less computational cost than our proposed scheme. However, it has been shown that communication consumes more energy than computation in embedded wireless communication systems such as RFID and wireless sensor networks [21,22]. Past studies have shown that 3000 instructions can be executed for the same energy as sending one bit 100 m by radio [23]; therefore, many studies in these fields have devoted considerable effort to reducing communication complexity [24,25]. It is important to optimize communication and minimize energy consumption. In our proposed scheme, the tag communication requires only 50% of that of Arshad and Nikooghadam's scheme, while our scheme achieves the same security properties with slightly more computation.

Conclusions
Mobile healthcare systems are becoming more and more popular. A failure to protect patient and data privacy may hinder the utility of mobile healthcare systems. In this paper, we have shown the weakness of He et al.'s protocol. The protocol cannot meet the privacy protection requirement, since it is vulnerable to active tracking attack. We have proposed a new scheme which not only overcomes the security weaknesses but also improves the computational performance.