ULMAP: Ultralightweight NFC Mutual Authentication Protocol ...downloads.hindawi.com/journals/misy/2017/2349149.pdf · ResearchArticle ULMAP: Ultralightweight NFC Mutual Authentication

Research ArticleULMAP Ultralightweight NFC Mutual Authentication Protocolwith Pseudonyms in the Tag for IoT in 5G

Kai Fan1 Panfei Song1 and Yintang Yang2

1State Key Laboratory of Integrated Service Networks Xidian University Xirsquoan China2Key Laboratory of Ministry of Education for Wide Band-Gap Semiconductor Materials and Devices Xidian University Xirsquoan China

Correspondence should be addressed to Kai Fan kfanmailxidianeducn

Received 24 January 2017 Revised 3 March 2017 Accepted 20 March 2017 Published 27 April 2017

Academic Editor Jing Zhao

Copyright copy 2017 Kai Fan et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

As one of the core techniques in 5G the Internet of Things (IoT) is increasingly attracting peoplersquos attention Meanwhile as animportant part of IoT the Near Field Communication (NFC) is widely used on mobile devices and makes it possible to takeadvantage of NFC system to completemobile payment andmerchandise information reading But with the development of NFC itsproblems are increasingly exposed especially the security and privacy of authentication Many NFC authentication protocols havebeen proposed for that some of them only improve the function and performance without considering the security and privacyand most of the protocols are heavyweight In order to overcome these problems this paper proposes an ultralightweight mutualauthentication protocol named ULMAP ULMAP only uses Bit and XOR operations to complete the mutual authentication andprevent the denial of service (DoS) attack In addition it uses subkey and subindex number into its key update process to achievethe forward security The most important thing is that the computation and storage overhead of ULMAP are few Compared withsome traditional schemes our scheme is lightweight economical practical and easy to protect against synchronization attack

1 Introduction

IoT [1] is a large network that consists of various informationsensing devices and the Internet As a new technology theNFC [2 3] is one of the core technologies of IoT and is listed asone of the most promising technologies

NFC is a short-range high-frequency noncontact auto-matic identification wireless communication technologyusing the 1356MHz frequency band at a distance of less than10 cm It is a development and breakthrough of the RFID [4ndash6] technology NFC now has been widely used in electronicticket product security and other fields But the securityissues especially the authentication problem between thereader and the tag have become an important factor restrict-ing its development The problem of authentication is toconfirm the validity of the tag and the reader Since NFCcommunication is completely exposed to the wireless envi-ronment it faces a lot ofmalicious attacks such as clone attack[7 8] man-in-the-middle attack and packet losses attackOnce the authentication protocol is under the above attack

the authenticationwill be failedMeanwhile because theNFCsystem is limited by many factors such as computing powerstorage space and power supply it is a challenging task todesign a secure and efficient NFC authentication protocol

So far although a lot of security authentication schemesfor NFC are presented researchers at home and abroaddo not put forward a universal applicability scheme Forexample Yun-Seok et al [3] proposed a scheme that uses theasymmetric encryption and hash function to try to eliminatethe security and privacy thread Although the solution cansolve the problem of mutual authentication and preventreplay attack and theman-in-the-middle attack it lacks somenecessary security attributes such as the message authenti-cation In 2013 Eun et al [9] presented a new conditionalprivacy preserving security protocol to protect the userrsquosprivacy In 2015 Kannadhasan et al [10] proposed the similarapproach as presented in CPPNFC In the same year He etal [11] proposed a pseudonym-based NFC protocol but itcannot solve the forward security In order to better promote

HindawiMobile Information SystemsVolume 2017 Article ID 2349149 7 pageshttpsdoiorg10115520172349149

2 Mobile Information Systems

the NFC technology a scheme is needed to be proposed tosolve the security and privacy thread

Therefore in this paper we propose an ultralightweightmutual authentication protocol (ULMAP) Compared withthe oldNFC scheme this protocol not only solves the securityand privacy problem but also reduces the computation andstorage cost

Our Contributions In this paper we propose an ultra-lightweight mutual authentication protocol (ULMAP) forNFCusing lessmemory storage and computational power forlow-cost NFC tags Our scheme has the following features

(1) Ultralightweight the scheme is designed only withsimple shift and XOR operations not hash or otherencryption operations

(2) Secure and efficient the scheme we proposed couldmeet requirements of forward security mutualauthentication synchronization and non-denial ofservice by subkey and pseudonym

Paper Organization The remainder of the paper is organizedas follows In Section 2 we will present the detailed protocolof our new NFC mutual authentication protocol (ULMAP)In Section 3 the security proof with BAN logic of theproposed protocol will be provided Section 4 provides thesecurity and performance analysis of our protocol Finallyour conclusion is shown in Section 5

2 NFC Authentication Protocol forMobile Device

In this section we will propose ULMAP and basic ideas areas follows the scheme only with a simple shift and XORoperations greatly reducing the cost of operations And ituses the concept of pseudonym thus improving the systemof security And the scheme uses the concept of subkeyspreventing the man-in-the-middle attack as compared to therelated existing authentication protocols

21 Initialization The explanations of symbols are shown inAbbreviation

MixBits(119883 119884) [12] is defined as follows

119885 = MixBits(119883 119884)

119885 = 119883for (119894 = 0 119894 lt 32 119894 + +)

119885 = (119885 ≫ 1) + 119885 + 119885 + 119884

In this scheme the message (IDS ID 1198701 1198702) is storedin each tag Meanwhile (ID (IDSold 119870

1old 1198702old) (IDSnew

1198701new 1198702new)) is stored in the server corresponding to each tag

22 The Authentication Process The authentication processof ULMAP is shown in Figure 1 The protocol involves threeentities tag reader and database The channel between thereader and the database is assumed to be secure but thatbetween the reader and the tag faces all the possible potentialattacks [13ndash15] Each tag has a unique static identification (ID)and preshares a pseudonym (IDS) and two keys 1198701 1198702 withthe database

Each database actually has two entries of (ID (IDSold1198701old 119870

2old) (IDSnew 119870

1new 119870

2new)) one is for the old values

and the other is for the potential next values The readerfirst sends ldquoQueryrdquo and 119879119877 message to the tag The tag willrespond with its IDS after it verifies that the timestamp 119879119877is larger than 119879119905 Then the reader will use the tagrsquos responseIDS to find a matched entry in the database and goes to themutual authentication stage if a matched entry is found nomatter what IDS = IDSold or IDS = IDSnew In the mutualauthentication phase the reader and the tag authenticate eachother and they respectively update their local pseudonymand the keys after successful authentication which are shownin Figure 1

There are four stages in the scheme thatwe proposed suchas initialization tag identification mutual authenticationand index-pseudonym and key updating Then we will indetail introduce the four stages as follows

InitializationThe database selects a pseudorandomgeneratorPRNG [16] 119892 0 1119896 rarr 0 12119896 to generate pseudorandomnumber The database generates the key 119870 = 1198701 | 1198702 whichis initialized to1198701 = Rot(Rot(1198991198942+ID+1198991198943 1198991198942)+ID 1198991198941)+1198991198943and 1198702 = Rot(Rot(1198991198941 + ID + 1198991198943 1198991198941) + ID 1198991198942) oplus 1198991198943 andplaces it in a valid tag and the legitimate reader 119899119894119895 is the 119895thrandom number of the 119894th tag in the initialization phase 119895 =1 2 3 The database reader and tag will store the IDS and119870 = 1198701 | 1198702 corresponding to the tag

Tag Identification The reader generates the random times-tamp119879119877 and the randomnumber 1198992 and sends authenticationqueries 1198992 Query and 119879119877 to the tag Then the tag judgeswhether119879119877 gt 119879119905 if119879119877 is not larger than119879119905 the authenticationis failed Otherwise the mutual authentication phase willbegin

Mutual Authentication After identification phase the tag willgenerate a randomnumber 1198992 calculate119860119861 and119862 as shownin Figure 1 and send IDS119860 119861 and119862 to the reader Using theIDS the reader tries to find an identical entry in the databaseIf this search succeeds the reader can get the nonce fromsubmessages 119860 and 119861 Then the reader will compute 11989910158403 and119870lowast1 119870

lowast2 and build a local version of submessage 1198621015840 as shown

in Figure 1 It will be compared with the received value If itis verified the tag is authenticated Finally the reader sendsmessage 119863 = (119870 oplus ID) oplus ((1198702 + 1198701) cup 119870lowast2 ) to the tag Whenthe message119863 is received by the tag it will be compared witha computed local version 1198631015840 = (1198701 oplus ID) oplus ((1198702 + 1198701) cup1198702) If comparison is successful the reader is authenticatedOtherwise the authentication protocol is failed

Index-Pseudonym and Key Updating After successfully com-pleting the mutual authentication phase between the tag and

Mobile Information Systems 3

Database Reader Tag

middot middot middot middot middot middot middot middot middot middot middot middot

(2) Calculated as follows

C㰀 = (K1 oplus Klowast2 ) + (K2 oplus Klowast

1 )

DD

C = (K1 oplus K2) + (K2 oplus K1)

K1 = K1 K2 = K2

(ID (IDSold K1old K

2old) (IDSnew K

1new K

2new)) (IDS ID K1 K2)

IDSold K1old K2

old

IDSnew

IDSold

IDSnew

IDSold

IDSnew

K1new K2

new

K1old K2

old

K1new K2

new

K1old K2

old

K1new K2

new

ID1

ID2

ID3

IDS A B C IDS A B C

(1) According to the received IDS queryIDS = IDSold or IDS = IDSnew in database

n㰀1 = ID oplus K1 oplus A

n㰀2 = B minus ID cup K2

Klowast1 = Rot(Rot(n㰀

2 + K1new + n㰀

3 n㰀2) + K2

new n㰀1) + n㰀

3


1 + K2new + n㰀

3 n㰀1) + K1

new n㰀2) oplus n㰀

3

D = (Klowast1 oplus ID) oplus ((K2 + K1) cup Klowast

2 )

A = ID oplus K1 oplus n1 B = ID cup K2 + n2

n3 = MIXBITS(n1 n2)

K1 = Rot(Rot(n2 + K1 + n3 n2) + K2 n1) + n3

K2 = Rot(Rot(n1 + K2 + n3 n1) + K1 n2) oplus n3

IDSold = IDS

K1old = K1

new K2old = K2

new

IDSnew = (IDS + ID) oplus (n㰀3 oplus Klowast

1 )K1

new = Klowast1 K2

new = Klowast2


1 )

D㰀 = (K1 oplus ID) oplus ((K2 + K1) cup K2)

n㰀3 = MIXBITS(n㰀

1 n㰀2)

(1) Calculate D㰀

n1 TR query

(3) If (C㰀 == C) Database is updated

(4) Calculate D and send it to tag

(1) Tag generates random number n2

(2) Calculate by random as follows

(3) Tag sends IDS A B C to reader

Database update

Tag update

(2) If (D == D㰀)Tag is update

(3) Authentication finishes

Figure 1 Authentication process of ULMAP

the reader they locally update IDS and key as indicated inFigure 1

3 Security Proof with BAN Logic

The security assurance of the proposed protocol is the securemutual authentication which means the following securityaims should be achieved

Security Aim 1 The database needs to make sure the receivedmessage IDS 119860 119861 119862 is exactly the one sent by the tag

This means that we need to achieve Database|equiv Tag|sim (IDS119860 119861 119862) and Database|equiv Tag|equiv (IDS 119860 119861 119862)

Security Aim 2 The tag needs to make sure the receivedmessage 119863 is exactly the one sent by the databasewhich means the following formulas need to be achievedTag|equiv Database|sim 119863 and Tag|equiv Database|equiv 119863

31 Security Assumption According to the given protocoland the assumption that the server and the reader areconnected securely the following conditions can be achieved


AS1 Database|equiv Database119899119894119895999448999471 Tag119894

AS2 Tag119894|equiv Database119899119894119895999448999471 Tag119894

AS3 Reader 997904rArr (1198991)AS4 Reader|equiv (1198991)AS5 Database|equiv (1198991)AS6 Tag119894 997904rArr (1198992)AS7 Tag119894|equiv (1198992)

32 Security Analysis According to the proposed protocol(ULMAP) 1198701 = Rot(Rot(1198991198942 + ID + 1198991198943 1198991198942) + ID 1198991198941) +1198991198943 and 1198702 = Rot(Rot(1198991198941 + ID + 1198991198943 1198991198941) + ID 1198991198942) oplus1198991198943 together with the assumptions AS1 and AS2 we can

deduce Tag119894| equiv Database119870119894119895999448999471 Tag119894 and Database| equiv

Database119870119894119895999448999471 Tag119894 because in this scheme the database

will receive the message (IDS 119860 119861 119862) forwarded from thereader where 119862 = (1198701 oplus 1198702) + (1198702 oplus 1198701) As we haveachieved 119870119894119895 as secret between the database and the tag wecan take 119870119894119895 as the secret key to protect messages So we cansimply write the received message of database as (IDS 119860 119861119862)119870119894119895 and we have Database ⊲ (IDS 119860 119861 119862)119870119894119895 For the

reason of ldquomessage-meaning rulerdquo of BAN (119875|equiv 119876119884

119875 119875 ⊲⟨119883⟩119884)(119875| equiv (119876| sim 119883)) we can deduce Database| equiv Tag119894| sim(IDS 119860 119861 119862)

From the assumption AS5 Server|equiv (1198991) andthe BAN rule of (119875|equiv (119883))(119875|equiv (119883 119884)) we knowDatabase|equiv (IDS 119860 119861 119862) Because we have achievedDatabase|equiv Tag119894|sim (IDS 119860 119861 119862) together with the ldquononce-verificationrdquo rule (119875|equiv ((119883)) 119875|equiv (119876|sim 119883))(119875|equiv (119876|equiv 119883))we will achieve Database|equiv Tag119894|equiv (IDS 119860 119861 119862) and thefirst security aim of the given protocol is achieved

For the same reason we can also deduceTag119894|equiv Database|sim 119863 and Tag119894|equiv Database|equiv 119863 and thesecond security aim is also achieved and the security ofmutual authentication of the proposed protocol has beenproved

4 Evaluation

In this section we will analyze the proposed protocol(ULMAP) from the security and performance point of view

41 Security Analysis It is obvious from the protocol speci-fication that not only can the tag and the reader successfullyauthenticate each other but also ULMAP is able to resist thecommon NFC attacks effectively In particular it makes thescheme have the anti-DoS attack capability through using thetimestamp We now analyze our proposed scheme from thepoint of view of security as follows

411 Mutual Authentication The tag and the reader canauthenticate each other by messages 119862 and 119863 because onlythe genuine tag has the subkeys1198701 and1198702 which generate theconsistent message 119862with random numbers 1198991 1198992 Similarly

only the genuine reader keeps the ID that is used to generatethe response message 119863 In this way the reader and the tagcan achieve mutual authentication

412 Tag Anonymity The tag uses the pseudonym in thewhole authentication process The pseudonym of each tagwill be updated after every successful authentication by therandom numbers 1198991 1198992 So the pseudonym from the sametag looks different at each session authentication and theattackers cannot get the real identity of the tag Moreovereven if the attackers intercept authentication pseudonym IDSthey cannot analyze the practical information from it

413 Resistance to Tracking The data stored in the databaseand the tag will be updated after the successful authenticationprocess So the message and the response message aredifferent at each session authentication making it almostimpossible for the attackers to track the tag In additionthe tag uses the pseudonym which improves the difficulty oftracking

414 Data Confidentiality [17] The calculation of each valueof119860 119861 119862 and119863 involves at least two secret values includingthe subkey and random number So it is very hard to get thetag ID except for the tag itself that has1198701 1198702 and 1198991 1198992

415 Forward Security After each successful session the keyand IDS value will be updated in the tag and the databaseSo even if the attacker achieves some session informationhe cannot use it to trace back to previous communicationsIn addition ULMAP makes the subkey and random numberinvolved in the entire update process which makes theentire update process have stronger stochastic properties SoULMAP is forward security

416 Nonreplaying Because the value of IDS will be updatedafter the successful authentication process the responsemessage IDS 119860 119861 119862 from the same tag isdifferent in each session authentication process Moreoverthe timestamp119879119877 is constantly changing over timeThereforethe attacker cannot priorly disguise information to achievelegality certification

417 Non-Denial of Service (Non-DoS) [18] When the readerstarts a new session the tag will judge whether119879119877 gt 119879119905 If notthe authentication is failed Otherwise the authenticationprocess will continue Compared with all most schemesresponding to the query ULMAP can reduce the numberof denial of service attacks to some extent and preventunauthorized readers from continuing to send queries whichconsume lots of resources of the tag Therefore this schemecan resist denial of service attacks in some cases

The comparison between LMAP [19] SASI [20] andULMAP in security is shown in Table 1 ldquoradicrdquo means satisfac-tion ldquotimesrdquo means to dissatisfy and ldquordquo means satisfaction to acertain extend

It is very obvious in Table 1 that neither of SASI andLMAP can resist desynchronization and DoS attacks How-ever in addition to the forward security data confidentiality


Table 1 The security and functionality comparison

SchemeMutual

authentication andforward security

Confidentiality andanonymity Resistance to tracking Nonreplaying

Resistance todesynchronization

attackNon-DoS

LMAP times times times times times times

SASI radic radic radic radic times times

ULMAP radic radic radic radic radic

Table 2 The storage overhead comparison

Scheme Database Reader TagLMAP 6119898119897 0 6119871

SASI 4119898119897 0 7119871

ULMAP 7119898119897 0 5119871

nonreplaying and so forth the proposed protocol ULMAPcan prevent synchronicity attacks effectively and prevent DoSattacks to some extent In summary ULMAP improves thesecurity

418 Synchronization In a normal session if the trackerheads off the last message that the database sends to thetag the database cannot be successfully verified Once thiscase happens the tag cannot be updated but the databasehas been updated successfully So the tag and the databasewill lose the synchronization However in the ULMAPprotocol the IDS 1198701 1198702 used in the last session isstored in (ID (IDSold 119870

1old 1198702old) (IDSnew 119870

1new 119870

2new)) in the

database so that this tag is still able to finish the authentica-tion and get the synchronization again successfully

42 Performance and Complexity Analysis We will compareULMAPwith SASI and LMAP in performance and complex-ity In order to compare easily assume there are119898 tags in thesystem and the length of data is 119871

421 The Cost of Storage To achieve the authenticationin SASI protocol the tag stores the message (ID (IDSnew1198701new 1198702new)(IDSold 1198701old 1198702old)) and (ID IDS 1198701 1198702) isstored in the database so the cost of storage in the tagand database is 7119871 and 4119898119871 respectively As it is shown inTable 2 in LMAP the tag storage space needs 6119871 and thecorresponding database storage space requires 6119898119871 But inour protocol the cost of storage space in the tag is 5119871 and thecost of storage space in the database is 7119898119871

Usually the database has more resources than the tag sothe resource of tag is more valuable Comparing with otherprotocols the ULMAP needs smaller storage space in the tagthat will greatly reduce the cost of the tag and increase a littlecost of storage space in the databaseTherefore the proposedprotocol can greatly reduce input cost The specific storageoverhead is shown in Table 2

422 The Cost of Communication The cost of communica-tion consists of the number of interactions and the length of

Table 3 The cost of communication comparison

Scheme The number of interactions Total cost ofcommunication

LMAP 4 5119871

SASI 4 5119871

ULMAP 3 7119871

Table 4 Computation cost comparison

Scheme LMAP SASI ULMAP

Cost oplus + and or oplus + and orRotoplus + and or

Rot2MixBits

the communication data From Table 3 we can know that theinteraction times of both SASI and LMAP are 4 Althoughthe transmitted data is increased a little our protocol is justtransmitted three times between the reader and the tag whichare four times in other protocols Therefore ULMAP has arelatively low communication overhead

Comparing with other protocols the ULMAP uses thetimestamp for the first timeThis will make theULMAP resistthe attack of DoS to a certain extent Moreover the subkeyand random numbers are used widely in the database andthe tag in the authentication update phase This can makethe whole protocol have stronger random feature which willgreatly improve the ability of resisting desynchronization andthe forward security of ULMAP

423 The Cost of Computation Time In order to bettercompare the computation performance of different protocolsin Table 4 + representsANDoperationoplus represents theXORoperation Rot is the displacement Rot(119909 119910) operation Rot2is two displacement Rot(119909 119910) operations and 119879 representsthe pseudorandom number or timestamp

From Table 4 it is shown that the tag in ULMAP needsone random number generation In addition ULMAP alsoneeds more computation operation (like Rot MixBits) inthe tag compared with SASI and Gossamer Although thiswill increase the cost of computation the computations alsobecome more secure and effective with it

By comparing our protocol with other schemes it showsthat our proposed protocol not only can provide mutualauthentication function but also has the advantage of higherlevel of security and performance


5 Conclusions

This paper proposes a new NFC mutual authentication pro-tocol named ULMAP ULMAP can achieve not only mutualauthentication but also complete anonymity Moreover theproposed scheme possesses higher security and performanceBecause the database stores the new and old session privatekey and IDS when the new session private key of the tag failsto update the corresponding old private key and IDS can alsobe used So the proposed protocol can effectively resist thedesynchronization attack

Abbreviations

IDS The pseudonym of tag identityIDSold The index number used last timeIDSnew The index number successfully used this

timeID The unique static identification of tag119870 The shared key of the tag and database

which is divided into two parts119879119877 The random timestamp generated by the

reader119879119905 The last time timestamp119870old The key of the tag successfully used in the

last round session119870new The key of the tag used in this session1198991 1198992 The random number generated by the tag

and the readerRot(119909 119910) The operation of rotation 119909 ≪ 119882(119910)

where119882(119910) denotes Hamming weight of119910

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

Thiswork has been financially supported by theNationalNat-ural Science Foundation of China (nos 61303216 61272457U1401251 and 61373172) the National High TechnologyResearch andDevelopment Program of China (863 Program)(no 2012AA013102) the Open Research Project of the StateKey Laboratory of Industrial Control Technology ZhejiangUniversity China (no ICT170312) and National 111 Programof China (nos B16037 and B08038)

References

[1] HNing andBWangRFIDMajor Projects and the State Internetof Things Mechanical Industry Press Beijing China 2008

[2] V Odelu A K Das and A Goswami ldquoSEAP secure andefficient authentication protocol for NFC applications usingpseudonymsrdquo IEEE Transactions on Consumer Electronics vol62 no 1 pp 30ndash38 2016

[3] L Yun-Seok K Eun and J Min-Soo ldquoA NFC based authen-tication method for defense of the man in the middle attackrdquoin Proceedings of the 3rd International Conference on Computer

Science and Information Technology Bali Indonesia January2013

[4] K Fan J Li H Li X Liang X Shen and Y Yang ldquoRSEL revo-cable secure efficient lightweight RFID authentication schemerdquoConcurrency Computation Practice and Experience vol 26 no5 pp 1084ndash1096 2014

[5] E Haselsteiner ldquoSecurity in near field communication (NFC)rdquoin Proceedings of the Workshop on RFID Security MalagaHungary 2006

[6] K Fan Y Gong C Liang H Li and Y Yang ldquoLightweightand ultralightweight RFIDmutual authentication protocol withcache in the reader for IoT in 5Grdquo Security and CommunicationNetworks vol 9 pp 3095ndash3104 2016

[7] M Dong K Ota L T Yang A Liu andM Guo ldquoLSCD a low-storage clone detection protocol for cyber-physical systemsrdquoIEEE Transactions on Computer-Aided Design of IntegratedCircuits and Systems vol 35 no 5 pp 712ndash723 2016

[8] L Zhang L Wei D Huang K Zhang M Dong and KOta ldquoMEDAPs secure multi-entities delegated authenticationprotocols for mobile cloud computingrdquo Security and Communi-cation Networks vol 9 no 16 pp 3777ndash3789 2016

[9] J C Pailles C Gaber V Alimi and M Pasquet ldquoPaymentand privacy a key for the development of NFC mobilerdquo inProceedings of the International Symposium on CollaborativeTechnologies and Systems (CTS rsquo10) pp 378ndash385 May 2010

[10] M Hassinen K Hypponen and E Trichina ldquoUtilizing nationalpublic-key infrastructure in mobile payment systemsrdquo Elec-tronic Commerce Research andApplications vol 7 no 2 pp 214ndash231 2008

[11] Z Kabir User centric design of an NFC mobile wallet framework[MS thesis] The Royal Institute of Technology (KTH) Stock-holm Sweden 2011

[12] E G Ahmed E Shaaban andMHashem ldquoLightweightmutualauthentication protocol for low cost RFID tagsrdquo Internationaljournal of Network Security amp Its Applications vol 2 no 2 pp27ndash37 2010

[13] A Juels ldquoStrengthening EPC tags against cloningrdquo in Proceed-ings of the ACM Workshop on Wireless Security (WiSe rsquo05) pp67ndash75 Cologne Germany September 2005

[14] C Mulliner ldquoVulnerability analysis and attacks on NFC-enabled mobile phonesrdquo in Proceedings of the 4th InternationalConference on Availability Reliability and Security pp 695ndash700IEEE Fukuoka Japan March 2009

[15] L Francis G P Hancke K Mayes et al ldquoPractical NFC peer-to-peer relay attack using mobile phonesrdquo in Proceedings of the6th International Workshop on Radio Frequency IdentificationSecurity and Privacy Issues (RFID-SEC rsquo10) pp 35ndash49 IstanbulTurkey 2010

[16] P Peris-Lopez J C Hernandez-Castro J M Estevez-Tapiadorand A Ribagorda ldquoLAMEDmdasha PRNG for EPC class-1generation-2 RFID specificationrdquo Computer Standards andInterfaces vol 31 no 1 pp 88ndash97 2009

[17] L Gu L Wang K Ota M Dong Z Cao and Y Yang ldquoNewpublic key cryptosystems based on non-Abelian factorizationproblemsrdquo Security and Communication Networks vol 6 no 7pp 912ndash922 2013

[18] F FahriantoM F Lubis andA Fiade ldquoDenial-of-service attackpossibilities on NFC technologyrdquo in Proceedings of the 4thInternational Conference on Cyber and IT Service Managementpp 1ndash5 IEEE April 2016


[19] P Peris-Lopez J C Hernandez-Castro J M E Tapiador et alldquoLMAP a real lightweight mutual authentication protocol forlow-cost RFID tagsrdquo in Proceedings of the Workshop on RFIDSecurity Graz Austria July 2006

[20] H-Y Chien ldquoSASI a new ultralightweight RFID authenticationprotocol providing strong authentication and strong integrityrdquoIEEE Transactions on Dependable and Secure Computing vol 4no 4 pp 337ndash340 2007

Submit your manuscripts athttpswwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



the NFC technology a scheme is needed to be proposed tosolve the security and privacy thread

Therefore in this paper we propose an ultralightweightmutual authentication protocol (ULMAP) Compared withthe oldNFC scheme this protocol not only solves the securityand privacy problem but also reduces the computation andstorage cost

Our Contributions In this paper we propose an ultra-lightweight mutual authentication protocol (ULMAP) forNFCusing lessmemory storage and computational power forlow-cost NFC tags Our scheme has the following features

(1) Ultralightweight the scheme is designed only withsimple shift and XOR operations not hash or otherencryption operations

(2) Secure and efficient the scheme we proposed couldmeet requirements of forward security mutualauthentication synchronization and non-denial ofservice by subkey and pseudonym

Paper Organization The remainder of the paper is organizedas follows In Section 2 we will present the detailed protocolof our new NFC mutual authentication protocol (ULMAP)In Section 3 the security proof with BAN logic of theproposed protocol will be provided Section 4 provides thesecurity and performance analysis of our protocol Finallyour conclusion is shown in Section 5

2 NFC Authentication Protocol forMobile Device

In this section we will propose ULMAP and basic ideas areas follows the scheme only with a simple shift and XORoperations greatly reducing the cost of operations And ituses the concept of pseudonym thus improving the systemof security And the scheme uses the concept of subkeyspreventing the man-in-the-middle attack as compared to therelated existing authentication protocols

21 Initialization The explanations of symbols are shown inAbbreviation

MixBits(119883 119884) [12] is defined as follows

119885 = MixBits(119883 119884)

119885 = 119883for (119894 = 0 119894 lt 32 119894 + +)

119885 = (119885 ≫ 1) + 119885 + 119885 + 119884

In this scheme the message (IDS ID 1198701 1198702) is storedin each tag Meanwhile (ID (IDSold 119870

1old 1198702old) (IDSnew

1198701new 1198702new)) is stored in the server corresponding to each tag

22 The Authentication Process The authentication processof ULMAP is shown in Figure 1 The protocol involves threeentities tag reader and database The channel between thereader and the database is assumed to be secure but thatbetween the reader and the tag faces all the possible potentialattacks [13ndash15] Each tag has a unique static identification (ID)and preshares a pseudonym (IDS) and two keys 1198701 1198702 withthe database

Each database actually has two entries of (ID (IDSold1198701old 119870

2old) (IDSnew 119870

1new 119870

2new)) one is for the old values

and the other is for the potential next values The readerfirst sends ldquoQueryrdquo and 119879119877 message to the tag The tag willrespond with its IDS after it verifies that the timestamp 119879119877is larger than 119879119905 Then the reader will use the tagrsquos responseIDS to find a matched entry in the database and goes to themutual authentication stage if a matched entry is found nomatter what IDS = IDSold or IDS = IDSnew In the mutualauthentication phase the reader and the tag authenticate eachother and they respectively update their local pseudonymand the keys after successful authentication which are shownin Figure 1

There are four stages in the scheme thatwe proposed suchas initialization tag identification mutual authenticationand index-pseudonym and key updating Then we will indetail introduce the four stages as follows

InitializationThe database selects a pseudorandomgeneratorPRNG [16] 119892 0 1119896 rarr 0 12119896 to generate pseudorandomnumber The database generates the key 119870 = 1198701 | 1198702 whichis initialized to1198701 = Rot(Rot(1198991198942+ID+1198991198943 1198991198942)+ID 1198991198941)+1198991198943and 1198702 = Rot(Rot(1198991198941 + ID + 1198991198943 1198991198941) + ID 1198991198942) oplus 1198991198943 andplaces it in a valid tag and the legitimate reader 119899119894119895 is the 119895thrandom number of the 119894th tag in the initialization phase 119895 =1 2 3 The database reader and tag will store the IDS and119870 = 1198701 | 1198702 corresponding to the tag

Tag Identification The reader generates the random times-tamp119879119877 and the randomnumber 1198992 and sends authenticationqueries 1198992 Query and 119879119877 to the tag Then the tag judgeswhether119879119877 gt 119879119905 if119879119877 is not larger than119879119905 the authenticationis failed Otherwise the mutual authentication phase willbegin

Mutual Authentication After identification phase the tag willgenerate a randomnumber 1198992 calculate119860119861 and119862 as shownin Figure 1 and send IDS119860 119861 and119862 to the reader Using theIDS the reader tries to find an identical entry in the databaseIf this search succeeds the reader can get the nonce fromsubmessages 119860 and 119861 Then the reader will compute 11989910158403 and119870lowast1 119870

lowast2 and build a local version of submessage 1198621015840 as shown

in Figure 1 It will be compared with the received value If itis verified the tag is authenticated Finally the reader sendsmessage 119863 = (119870 oplus ID) oplus ((1198702 + 1198701) cup 119870lowast2 ) to the tag Whenthe message119863 is received by the tag it will be compared witha computed local version 1198631015840 = (1198701 oplus ID) oplus ((1198702 + 1198701) cup1198702) If comparison is successful the reader is authenticatedOtherwise the authentication protocol is failed

Index-Pseudonym and Key Updating After successfully com-pleting the mutual authentication phase between the tag and


Database Reader Tag




1 )

DD


K1 = K1 K2 = K2

(ID (IDSold K1old K

2old) (IDSnew K

1new K


IDSold K1old K2

old

IDSnew

IDSold

IDSnew

IDSold

IDSnew

K1new K2

new

K1old K2

old

K1new K2

new

K1old K2

old

K1new K2

new

ID1

ID2

ID3

IDS A B C IDS A B C





2 + K1new + n㰀

3 n㰀2) + K2

new n㰀1) + n㰀

3


1 + K2new + n㰀

3 n㰀1) + K1


3


2 )


n3 = MIXBITS(n1 n2)

K1 = Rot(Rot(n2 + K1 + n3 n2) + K2 n1) + n3


IDSold = IDS

K1old = K1

new K2old = K2

new


1 )K1

new = Klowast1 K2

new = Klowast2


1 )



1 n㰀2)

(1) Calculate D㰀

n1 TR query






Database update

Tag update























4 Evaluation















SchemeMutual




attackNon-DoS






SASI 4119898119897 0 7119871

ULMAP 7119898119897 0 5119871



1old 1198702old) (IDSnew 119870

1new 119870

2new)) in the








LMAP 4 5119871

SASI 4 5119871

ULMAP 3 7119871




Rot2MixBits







5 Conclusions


Abbreviations










Acknowledgments


References






























Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in




Database Reader Tag




1 )

DD


K1 = K1 K2 = K2

(ID (IDSold K1old K

2old) (IDSnew K

1new K


IDSold K1old K2

old

IDSnew

IDSold

IDSnew

IDSold

IDSnew

K1new K2

new

K1old K2

old

K1new K2

new

K1old K2

old

K1new K2

new

ID1

ID2

ID3

IDS A B C IDS A B C





2 + K1new + n㰀

3 n㰀2) + K2

new n㰀1) + n㰀

3


1 + K2new + n㰀

3 n㰀1) + K1


3


2 )


n3 = MIXBITS(n1 n2)

K1 = Rot(Rot(n2 + K1 + n3 n2) + K2 n1) + n3


IDSold = IDS

K1old = K1

new K2old = K2

new


1 )K1

new = Klowast1 K2

new = Klowast2


1 )



1 n㰀2)

(1) Calculate D㰀

n1 TR query






Database update

Tag update























4 Evaluation















SchemeMutual




attackNon-DoS






SASI 4119898119897 0 7119871

ULMAP 7119898119897 0 5119871



1old 1198702old) (IDSnew 119870

1new 119870

2new)) in the








LMAP 4 5119871

SASI 4 5119871

ULMAP 3 7119871




Rot2MixBits







5 Conclusions


Abbreviations










Acknowledgments


References






























Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in















4 Evaluation















SchemeMutual




attackNon-DoS






SASI 4119898119897 0 7119871

ULMAP 7119898119897 0 5119871



1old 1198702old) (IDSnew 119870

1new 119870

2new)) in the








LMAP 4 5119871

SASI 4 5119871

ULMAP 3 7119871




Rot2MixBits







5 Conclusions


Abbreviations










Acknowledgments


References






























Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in





SchemeMutual




attackNon-DoS






SASI 4119898119897 0 7119871

ULMAP 7119898119897 0 5119871



1old 1198702old) (IDSnew 119870

1new 119870

2new)) in the








LMAP 4 5119871

SASI 4 5119871

ULMAP 3 7119871




Rot2MixBits







5 Conclusions


Abbreviations










Acknowledgments


References






























Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in




5 Conclusions


Abbreviations










Acknowledgments


References






























Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in













Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in










Advances in

FuzzySystems


Volume 2014












Journal of



Advances in

Multimedia


Biomedical Imaging


Advances in


RoboticsJournal of










Advances in



Documents

ULMAP: Ultralightweight NFC Mutual Authentication Protocol ...downloads.hindawi.com/journals/misy/2017/2349149.pdf · ResearchArticle ULMAP: Ultralightweight NFC Mutual Authentication