# Introduction adio Frequency Identification (RFID) system is the latest technology that plays an important role for object identification as ubiquitous infrastructure. RFID has many applications in access control, manufacturing automation, maintenance, supply chain management, parking garage management, automatic payment, tracking, and inventory control. RFID tag: is a tiny radio chip that comprises a simple silicon microchip attached to a small flat aerial and mounted on a substrate. The whole device can then be encapsulated in different materials (such as plastic) dependent upon its intended usage. The tag can be attached to an object, typically an item, box, or pallet, and read remotely to ascertain its identity, position, or state. For an active tag there will also be a battery. Reader or Interrogator: sends and receives RF data to and from the tag via antennas. A reader may have multiple antennas that are responsible for sending and receiving radio waves. RFID offer several advantages over barcodes: data are read automatically, line of sight not required, and through non conducting materials at high rate and far distance. The reader can read the contents of the tags by broadcasting RF signals via antennas. The tags data acquired by the readers is then passed to a host computer, which may run middleware (API). Middleware offers processing modules or services to reduce load and network traffic within the back-end systems. RFID basic operations can be summarized as in Figure . RFID systems are vulnerable to a broad range of malicious attacks ranging from passive eavesdropping to active interference. Unlike in wired networks, where computing systems typically have both centralized and host-based defenses (e.g. firewalls), attacks against RFID networks can target decentralized parts of the system infrastructure, since RFID readers and RFID tags operate in an inherently unstable and potentially noisy environment. Additionally, RFID technology is evolving quickly -the tags are multiplying and shrinking -and so the threats they are susceptible to, are similarly evolving. Basic Operations of RFID RFID tags may pose a considerable security and privacy risk to organizations and individuals using them. Since a typical tag answers its ID to any reader and the replied ID is always the same, an attacker can easily hack the system by reading out the data of a tag and duplicating it to bogus tags. Unprotected tags may have vulnerabilities to eavesdropping, location privacy, spoofing, or denial of service (DoS). Unauthorized readers may compromise privacy by accessing tags without adequate access control. Even when the content of the tags is protected, individuals may be tracked through predictable tag responses. a) Security Issues 1. Security of the tag and the reader as well as the server: As the data from tag moves to the reader, security has to be maintained during the flow of data. Hence the security is maintained at the tag and the reader for the better efficiency of the data. 2. The original data stored at the receiver side: The original data from the tag is readed by the reader and is stored at the server, if the server can be accessed in an unauthorized manner and if the server damages the data will be lost, hence chances of fault tolerance. 3. Low computational and storage cost: During the manufacturing of tag and the reader devices various functions have been designed for the better authorization of the data, hence when this function are been implemented the tag and the reader should not increase the computational and the storage cost. 4. Various security features implemented in various protocols: The table shown below is the various security features that are implemented in various protocols used in RFID devices. Hence the protocol that doesn't contain these security features is not very efficient and can be attacked by the external or internal user. 5. Chances of eavesdropping: The protocols that are implemented for the security of the data from tag to reader should be authenticated so that the chance of eavesdropping has been reduced. 6. Synchronization between tag and the reader: Synchronization between the tag and the reader is the flow of control from tag to the reader. The data moved from tag to the reader should be synchronized such that the data can't be lost and the chance of congestion has been reduced. # b) Performance RFID schemes cannot use computationally intensive cryptographic algorithms for privacy and security because tight tag cost requirements make tagside resources (such as processing power and storage) scarce. ? Capacity minimization: The volume of data stored in a tag should be minimized because of the limited size of tag memory. It should be able to identify multiple tags using the same radio channel [11]. Performing an exhaustive search to identify individual tags could be difficult when the tag population is large [6]. # II. # Related works Most of the security protocols implemented in RFID are based on cryptographic and hash functions. But these security protocols are not much secure. The OSK protocol was proposed by Ohkubo, Suzuki and Kinoshita (OSK) in 2004. Its aim is to assure the valid answer of the tag even under an active attack. In this scheme each tag is initialized with a secret value xi and two unidirectional functions h1 and h2. When a tag receives a request from a reader, it updates the value xi with the new value obtained from the computation of ht 1(xi). Weis, Sarma, Rivest and Engels proposed in 2003 the use of hash-locks in RFID devices. A first approach, called Deterministic hash locks, was presented in. A tag is usually in a \locked" state until it is queried by a reader with a specific temporary metaidentifier Id. This is the result of hashing a random value (nonce) selected by the reader and stored into the tag. The reader stores the Id and the nonce in order to be able to interact with the tag. The reader can unlock a tag by sending the nonce value. When a tag receives it, the value is checked [22]. Most of the security protocols implemented in RFID are based on cryptographic and hash functions. But these security protocols are not much secure. The OSK protocol was proposed by Ohkubo, Suzuki and Kinoshita (OSK) in 2004 [13]. Its aim is to assure the valid answer of the tag even under an active attack. In this scheme each tag is initialized with a secret value xi and two unidirectional functions h1 and h2. When a tag receives a request from a reader, it updates the value xi with the new value obtained from the computation of ht 1(xi) [8]. YA-TRAP (Yet-Another Trivial RFID Authentication Protocol) was proposed by Tsudik in 2006 [14]. This protocol describes a technique for the inexpensive untraceable identification of RFID tags. YA-TRAP involves minimal interaction between devices and a low computational load on the back-end server. With these features, this scheme is attractive for applications where the information is processed in data groups [8]. Weis, Sarma, Rivest and Engels proposed in 2003 [15] the use of hash-locks in RFID devices. A first approach, called Deterministic hash locks, was presented in. A tag is usually in a \locked" state until it is queried by a reader with a specific temporary metaidentifier Id. This is the result of hashing a random value (nonce) selected by the reader and stored into the tag. The reader stores the Id and the nonce in order to be able to interact with the tag. The reader can unlock a tag by sending the nonce value. When a tag receives it, the value is checked [8]. In 2012, Dr.S.Suja proposed an RFID Authentication protocol for security and privacy which is based on Cyclic Redundancy Check (CRC) and Hamming Distance Calculation in order to achieve reader-to-tag authentication and the memory read command is used to achieve tag-to reader authentication. It will resist against tracing and cloning attacks in the most efficient way [1]. In 2011, Liangmin WANG, Xiaoluo YI, implies improved protocol merely uses CRC and PRNG operations supported by Gen-2 that require very low communication and computation loads. They also develop two methods based on BAN logic and AVISTA to prove the security of RFID protocol. BAN logic is used to give the proof of protocol correctness, and AVISTA is used to affirm the authentication and secrecy properties [2]. In 2008, Tieyan Li analyze the security vulnerabilities of a family of ultra-lightweight RFID mutual authentication protocols: LMAP, M2AP and EMAP [17]*, which are proposed by Peris-Lopez et al. Here they identify two effective attacks, namely de-synchronization attack and full disclosure attack, against their protocols. The former permanently disables the authentication capability of a RFID tag by destroying synchronization between the tag and the RFID reader [3]. The weakness of this authentication protocol comes from the fact that each round the advesary gets some information from the same key. So a quick way to counter our attack is to include a key-updating mechanism similar to OSK [18] at the end of the protocol using a one-way function. In this case, adversaries do not get more than P equations for each key so that the security proof and reduction to the SAT problem become sound. The resulting protocol is even forwardprivate providing that adversaries do not get sidechannel information from the reader [28]. D. N. Duc, J. Park, H. Lee, and K. Kim. Enhancing security of EPCglobal gen-2 RFID tag against traceability and cloning. In Symposium on Cryptography and Information Security -SCIS 2006, Hiroshima, Japan[7], Hash-based Access Control (HAC), as defined by Weis et al. [16]*, is a scheme which involves locking a tag using a vone-way hash function. A locked tag uses the hash of a random key as its metaID. When locked, a tag responds to all queries with its metaID. However, the scheme allows a tag to be tracked because the same metaID is used repeatedly [5]. In [13] Ohkubo, Suzki, and Kinoshita (OSK) propose an RFID privacy protection scheme providing indistinguishability (i.e. a tag output is indistinguishable from a truly random value and unlinkable to the ID of the tag) and backward untraceability. This scheme uses a low-cost hash chain mechanism to update tag secret information to provide these two security properties. # III. # Problem statement The attack on SASI is a passive one. Passive attacks are achievable in practice since they only necessitate only eavesdropping, which is a typical hazard or threat in RFID setting where the physical wireless communication station or channel is open to parties within communication and transmission. The security provided by the SASI might be more but for the passive attacks only and the chances of eavesdropping is more. IV. # Proposed solution Registration Phase -In the registration phase, Tag Ti wants to register himself/herself in remote server S. Firstly Tag chooses his/her ID and PW. Before register on Server, registration authority computes h (ID) and h (ID||PW) and sends to Reader R over a secure channel. Upon receiving the registration request from Tag Ti. Reader R computes same parameters related to the Tag Ti. Where Tu is current time when login request proceed. And send the login request massage {Fi, Ei, Cid, Tu, h (ID)} to remote Reader R. Verification Phase-Upon receiving the login request massage {Fi, Ei, Cid, Tu, h (ID)}. Reader verifies the validity of time delay between Tu" and Tu. Where Tu' is the travel time of the massage. Tu'-Tu ? Î?"T where Î?"T denotes expects valid time interval for transmission delay. Then Reader accepts the login request and go to next process, otherwise the Reader reject login request. V. The proposed scheme requires little more computation cost and equal to related user authentication scheme, Because our proposed scheme has strong secure mutual authentication scheme is resistance to insider attack, resistance to masquerade attacks, parallel session attack, replay attack, password attack, secure password change, protecting server spoofing attack, session key generation and agreement and other possible attack, that why some cost of execution are little more. # Result analysis # Storages ![R computes Ai= h (ID) xor h (X || h (ID)) Bi = Ai xor h (ID || PW) Ci = h (Ai) Di = h (ID || PW) xor h(X) And stored some of them in the memory and issues this to Tag Ti. Login Phase-This phase provides the facility of a secure login to the Tag .Tag wants to access same services on remote server S. first it gain the access right on the remote server S. Tag keys in ID* and PW*. The Tag device memory computes -Ai*= Bi xor h (ID* || PW*) And Ci* = h (Ai*) and checks whether Ci (stored in the Tag memory) and Ci* are equal or not. If not, terminate to again login process. Otherwise yes, Tag Ti is legitimate bearer of the device. Then the Tag device generates a random nonce Ri and computes -Ei = Ai* xor Ri Cid = h (ID || PW) xor Ri Fi = h (Ai || Di || Ri || Tu)](image-2.png "") ![Reader computes -Ai* = h (ID) xor h (X || h (ID)) Ri* = Ai* xor Ci G = h (ID || PW)* =Cid xor Ri Di* = h (ID || PW)* xor h(X) And computes F* = h (Ai* || Di* || Ri* || Tu) And checks whether F and F* are equal or not. If they are not then reject the login request. If equal, then Reader R Computes-Fs = h (h (ID) || Di || Ri || Ts) Where, Ts is remote Reader current time. And send acknowledge massage {Fs, G, Ts} to Tag Ti. Global Journal of Computer Science and Technology Volume XII Issue XVI Version I Upon receiving acknowledge massage Tag device compute G* = h (ID || PW) Fs* = h (h (ID) || Di || Ri || Ts) And checks where G =G*and Fs = Fs* are same or not. It is mutual authentication process. In which both Reader and Tag verify to each other. If they are same then Tag device makes session key (Sk) and both Reader and Tag share it. Sk = h (h (ID) || Ts || Tu || Ai) Otherwise terminate to again login process. Password change Phase-This phase is involved whenever Tag T want to change the password PW with a new Password PWnew. Tag T keys in ID* and PW* and request to change password. The Tag device checks whether C = C* are equal or not. If it is satisfy User U is a legitimate bearer of the device. Then the Tag device asks the Tag Ti to input new password PWnew. After entering the new password the Tag calculate-Bnew = Ai xor h (ID || PWnew) and Dnew = h (ID || PWnew) xor h (ID || PW) xor Di And change B with Bnew and D with Dnew in Tag device memory. mod p) xor h(pWi) Store (ID,A,h(.),E(.) into package <------------card Login and Authentication Phase Input IDi and PWi Select R K=A xor h(PWi) W=EK(R xor Tu) Cu=h(Tu||R||W||IDi) --------? verify IDi and Tu K=h(ID^x mod p) R'=DK(W) xor Tu Cu'=h(Tu||R||W||IDi) Verify cu'=cu Cs=h(IDi||R'||Ts) Verify ID and Ts <-----------Cs=h(IDi||R||Ts) Verify Cs'==Cs Compute Common Secrete Key Sk=h(IDi||Ts|||Tu||R) ?-------? Sk=h(IDi||Ts||Tu||R')](image-3.png "") 1OurYoon YooLiou alR.Song al/SchemeSchemeal et. [3]et. [7]et.[10]Tag480 bits480 bits480 bits320 bitsServer160 bits320 bits320 bits480 bits 2 Resistance to / SchemeOur SchemeYoon Yoo et al. [3]Liou et al. [7]R.Son g et al.[10]Insider attackYesNoYesNoMasquerade attackYesNoYesYesParallel session attackYesNoYesNoReplay attackYesYesYesNoOffline password attackYesNoYesNoSecurepassword change processYesYesYesYesDenial of serviceYesNoYesNoSessionkeygeneration andYesNoNoYesagreement 3 © 2012 Global Journals Inc. (US) © 2012 Global Journals Inc. (US)Efficient Authentication in Rfid Devices Using Et Al's Algorithm © 2012 Global Journals Inc. (US)Global Journal of Computer Science and Technology ## Year VI. ## Conclusion In this paper we show that the other authentication techniques involved in RFID are not so much secure and have high communication cost. We showed that our scheme is vulnerable to Denial-of-Service attack, Insider attack, Offline password attack Forward secrecy attacks. We present an efficient and secure ID-base remote user authentication scheme. The proposed scheme is proved to be able to withstand the various possible attacks. The proposed algorithm provides here provides a more authenticated protocol using the concept of pre shared secrete key for the authenticity between the tags and the reader using the technique of card generation. ## References Références Referencias * computer engineering and mathematics, rovira i virgili university * 18] m. ohkubo, k. suzki, and s. kinoshita. Cryptographic approach to "privacy-friendly" tags. In rfid privacy workshop, mit, ma, usa T BMedeiros 2007/051, iacr, 2007. november 2003 Forward secure rfid authentication and key exchange * hernandez-castro, j. m. esteveztapiador, and a. ribagorda. lmap: a real lightweight mutual authentication protocol for low-cost rfid tags P proc. of 2nd workshop on rfid security of 2nd workshop on rfid security july 2006 * esteveztapiador, and a. ribagorda. m2ap: a minimalist mutual-authentication protocol for low-cost rfid tags PHernandez-Castro proc. of international conference on ubiquitous intelligence and computing uic'06, lncs 4159 of international conference on ubiquitous intelligence and computing uic'06, lncs 4159 springer-verlag 2006 * hernandez-castro, j. m. esteveztapiador, and a. ribagorda. emap: an efficient mutual authentication protocol for low-cost rfid tags P otm federated conferences and workshop: is workshop november 2006 * Efficient hash chain based rfid privacy protection scheme M SKinoshita international con-ference on ubiquitous computingubicomp, workshop privacy: current status and future directions 2004 * Ya-trap: yet another trivial rfid authentication protocol GTsudik fourth annual ieee international conference on pervasive computing and communications work-shops (percomw'06) 2006 * Engels: a brief survey on rfid privacy and security. Crises reserch groupunesco chair in data privacy SarmaWeis 2003 * rfid authentication protocol for low-cost tags" wisec'08 Boyeon Song 2008 acm 978-1-59593-814-5/08/03. march 31-april 2, 2008 alexandria, virginia, usa * security analysis on a family ofultra-lightweight rfid authentication protocols RobertHTieyan Li Deng journal of software 3 3 march 2008 * protecting privacy and ensuring security of rfid systems using private authentication protocols" marquette university Md Hoque 2010 * More efficient and secure remote user authentication scheme using smart card EYoon Yoo proceeding of 11th international conference on Parallel and Distributed System eeding of 11th international conference on Parallel and Distributed System 2005 * A New Dynamic ID Based Remote User Authentication Scheme using Smart Cards YPLiou JLin SSWang Proc. 16th Information Security Conference 16th Information Security ConferenceTaiwan 2006. July. 21. R. Song. 2010. June 32 Computer Standards & Interfaces * RfidBrief Survey On Privacy JSecurity AAragones-Vilella_ AMartinez-Ballest_E Solanas CRISES Reserch Group UNESCO Chair in Data Privacy Dept. of Computer Engineering and Mathematics, Rovira I Virgili University