A lightweight inter-zonal authentication protocol for moving objects in low powered RF systems

Automatic identification systems represent a wide classification of devices used primarily in commercial settings for inventory/logistics control. Familiar examples of such devices are bar codes, magnetic strips, smart cards, RFID (radio frequency identification), and biometric and voice recognition. Security is especially lax in low powered RF (radio frequency) systems communicating through an unsecured radio wave channel. Security represents a critical component for enabling the large-scale adoption of automatic identification systems. Providing an effective security solution for low powered systems is a major area of concern; it directs research towards ‘power consumption aware’ computations in security solutions. This paper proposes a Lightweight Inter-Zonal Authentication Protocol for moving objects in low powered RF systems. Formal validation and a thorough analysis of the protocol in the SPAN security tool reveal its effectiveness and resiliency to attacks: eavesdropping, reader and tag impersonation, replay and desynchronization.


ISSN: 2528-2417
A lightweight inter-zonal authentication protocol for moving objects in low... (C.K. Shyamala)

RF systems use low-cost tags/labels for identifying objects and are restricted in terms of storage capacity and computational power [21]. Low powered RF systems need to benefit from lightweight solutions to security. Use of simple operations and limited cryptographic functionalities permits minimum levels of computation and energy consumption, while at the same time supporting the cryptographic goals of security. Security solutions for RF systems can be classified by the weight of the cryptographic primitives used: middleweight, lightweight and ultra-lightweight solutions. Middleweight solutions [22], [23] (for applications with higher security requirements, such as finance and military) use full symmetric/asymmetric encryption (e.g., elliptic curve cryptography (ECC)). Lightweight solutions use operations and functions such as the cyclic redundancy code (CRC) operator, message authentication code (MAC) and hash function. While research has focused on lightweight solutions for RF systems security, the studies in [8]-[10] suggest the use of simple and basic bitwise logical operations, shift operations and a pseudo-random number generator (PRNG), which support the least computationally demanding class, called ultra-lightweight.
The work in [1] proposes a lightweight mutual authentication and ownership management scheme using limited cryptographic functionality. The scheme operates in two phases: Phase 1 covers the mutual authentication between entities in an RF system and Phase 2 covers delegation and ownership management. Rahman et al. [7] present a lightweight mutual authentication protocol to achieve basic security goals, i.e. confidentiality, integrity and authentication, using a unique choice of pseudorandom numbers. The authentication process in [2] introduces time stamps to help protect tag privacy and prevent tracking by an attacker. On the other hand, Osaka et al. [18] propose a lightweight security method for RF systems that achieves the security requirements using hash functions, symmetric cryptography, and the XOR operation. This security system achieves several security requirements: indistinguishability, forward security, security against the replay attack, and security against tag killing. Further, the proposed method allows for ownership transfer. The method is reasonably efficient, but vulnerable to tracking and DoS attacks, as brought out by [24]. This is done by manipulating the value of the random number of the tag. Moreover, as brought out in [25], an attacker can add noise to the final message exchange of [18], resulting in the tag holding incorrect secret information, due to which any subsequent authentication would fail.
While [1] and [18] have not considered mobile RF systems, [19] implements a lightweight authentication for a mobile RF system with grouped tags to identify objects. The authentication for tags is based on a PRNG, mainly because low-cost tags are restricted in storage capacity and computational power. The authentication for readers is based on a hash function, as readers are not restricted by storage capacity and computation power. The protocol provides security against reader impersonation attacks, tag impersonation attacks and tracking. Weis et al. [26] proposed an RF system in which the object's identification is hidden using random numbers in the object's responses to avoid its reuse. This system addresses traceability by applying an exhaustive search, but at the cost of an increase in the workload of the back-end server to identify and verify the object. This scheme is vulnerable to impersonation attacks by querying the object for a valid pair and then forwarding this pair to an authenticator for validation. The protocol of Yu et al. [27] uses a 128-bit key set that is dynamically updated by the server. It uses the least significant 30 bits of the tag ID used to identify the object for authentication. However, this may compromise the security of the system as a whole: reducing the number of bits of the tag ID used for authentication reduces the uniqueness of the tag ID as an identifier of an object.
This paper proposes a Light-weight Inter-zonal Authentication Protocol for moving objects in low powered RF systems. The protocol is designed for 'power consumption aware' computations in security solutions. The work presented in this paper is divided into 3 phases: the System Registration phase, the Zonal Authentication phase and the Mutual Authentication phase. In phase 1, the object must register itself with the system authenticator (SA). The RFID network is partitioned into various zones based on the coverage of the authenticator of the RF system in a particular area. In phase 2 and phase 3, several events of handshakes are performed between the object and the ZA, and between the object and the IZA, to mutually authenticate each other and start communicating. This protocol can be adopted by object monitoring and tracking systems for providing secure and reliable data exchanges. The protocol has been verified against security attacks, which include eavesdropping, spoofing, authenticator and object impersonation, replay and desynchronization, by using the SPAN security tool for formal validation of the protocol.
The contributions of the work presented in the paper are: (i) a multi-zonal authentication schema resilient to eavesdropping, replay, authenticator and object impersonation, and desynchronization; (ii) an inter-zonal authentication protocol that mutually verifies both the tracked object and the authenticator/reader; (iii) a lightweight authentication schema performing PRNG, XOR and XTEA with very little computation overhead [28]. The work presented in this paper contributes to 'power consumption aware' computations in security solutions.

APTIKOM J. CSIT Vol. 2, No. 3, 2017: 106-116

A Lightweight Inter-zonal Authentication protocol for moving objects in low powered RF systems is proposed. The protocol uses ultra-lightweight XOR and PRNG functions for passing and decoding random numbers. Time stamps are used in interactive sessions between an object and an authenticator to keep the challenge-response information fresh in each communication round. Two or more handshakes between the communicating devices are defined as an event. The LC (Logical Clock) value present in the communicating devices increments simultaneously on verification of every event. Each communicating device maintains its own LC value. A mismatch in LC value between communicating devices terminates the communication between them. XTEA (Extended Tiny Encryption Algorithm) is used for both encryption and decryption. Wheeler and Needham [29] extended the TEA algorithm to XTEA, which is a lightweight block cipher.

The rest of the paper is organized as follows. The proposed work, a 3-phase Light-weight Inter-zonal Authentication scheme, is discussed at length in Section 2. Analysis of the proposed protocol in terms of resiliency to security attacks and performance is presented in Section 3. The formal validation of the proposed protocol using the SPAN security tool is presented in Section 3.5. The paper is concluded in Section 4.

Research Method

2.1. RF System Architecture
RF systems largely consist of authenticators and objects, both of which are responsible for verifying each other's identity, ensuring communication with only the intended parties. This paper proposes a Light-weight Inter-zonal Authentication Protocol for moving objects in low powered RF systems. The protocol uses a ticket-based authentication approach using the cryptographic operations XOR, PRNG (Pseudo Random Number Generation) and XTEA (Extended Tiny Encryption Algorithm). The multi-zonal architecture of the proposed protocol is shown in Figure 1. The architecture includes one SA (System Authenticator) for the entire system. At the outset, the SA registers all the objects to be identified with the system (marked 1 in Figure 1). The system is structured to encompass many zones, where each zone defines a geographical region of authentication. The system is partitioned into multiple zones, each employing a ZA (Zonal Authenticator) to authenticate inbound registered objects (marked 2 in Figure 1). Each zone allows communication between objects and the Inter Zonal Authenticator (IZA) only after mutual authentication (marked 3 in Figure 1). The proposed mutual authentication protocol is organized to operate in three phases: the System Registration phase, the Zonal Authentication phase and the Mutual Authentication phase. System registration of an object with the SA generates an encrypted system ticket and sets the identification of the source zone (ID_ZONE-S), the identification of the tag (ID_OBJECT) and the LC (Logical Clock) value for the object. The Zonal Authentication of an object with the ZA verifies the system ticket and generates an encrypted zonal ticket. The zonal ticket is used for further authentication of the object by an inter-zonal authenticator. The entities of the multi-zonal RF system and their roles are explicated in the table below.

SA: Registers an unregistered object to the RF networked system.
    1. A list of registered objects with their identification (ID_OBJECT) and default zone identification (ID_ZONE)
    2. System ticket

ZA: Authenticates the object for the zone.
    1. A list of access passwords and LC values for all the registered objects.
    2. A list of registered objects and their identification.
    3. A list of ticket keys (K_ZA-IZA) used between the ZA and IZA.

ZR: Communicates with the object after mutual authentication.
    1. A list of LC values for all the registered objects.

Object: Entity to be authenticated

Proposed Light-weight Inter-zonal Authentication Protocol
The assumptions made in designing the protocol are:
1. All entities in the RF system, namely objects and authenticators, trust the System Authenticator (SA) and Zonal Authenticator (ZA).
2. The authenticators (SA and ZA) maintain the list of ticket keys of all the inter-zonal authenticators in the setup.
3. Only the authenticators (SA and ZA) can access the memory contents of the object to be identified.
The proposed protocol is a three-phase mutual authentication protocol. The first phase is the System Registration phase, which registers an object with the RF networked system, generating a System Ticket. The subsequent phase is the Zonal Authentication phase. It authenticates a registered object when it is inbound into a zone, generating a Zonal Ticket. The last phase of the protocol is the Mutual Authentication phase. It mutually authenticates the object in a zone and the inter-zonal authenticator before any application processing is performed by the reader. Notations and terms used in the proposed protocol are shown in Table 2.

Phase I: System Registration Phase
This phase writes significant data in the memory of the object for authentication to be performed by ZA and IZA. The SA writes ID_ZONE-S (identification number of start zone), ID_OBJECT (identification number of object) and LC (logical clock; 16-bit integer value, initially zero) into the object's memory. The SA then sends the system ticket to the object, thus registering it in the RF networked system, as shown in Figure 2. A registered tag contains the following after the system registration phase:
1. ID_ZONE-S - Identification number of start zone
2. ID_OBJECT - Identification number of object
3. LC - Logical clock (16-bit integer value, initially zero)
4. Ticket_SYSTEM - (ID_OBJECT, ID_ZONE-S, T_0, T_max, Timestamp, R+S)K_ZA-IZA

A ticket in the proposed protocol is encrypted using the secret key K_ZA-IZA shared between the ZA and IZR of a zone. The encryption with K_ZA-IZA is performed to prevent alteration of the contents by any unauthorized entity. ID_OBJECT and ID_ZONE allow verification of the object and zone. The values T_0, T_max and Timestamp permit verification of ticket validity. A ticket is valid only if (Current timestamp -

(R+S) serves as one of the components for mutual authentication and is available to IZA via the ticket. LC is a logical clock that keeps track of the number of times handshakes have been performed for an object in a zone.

Figure 2. Phase I-system registration: registration of an object with the RF system

Phase II: Zonal Authentication Phase
The RF networked system is partitioned into a number of zones based on the coverage of the RF authenticators, each zone defining a geographical region of authentication. A zone consists of one ZA and multiple IZAs, as illustrated in Figure 1. Zonal authentication refers to the authentication of inbound registered objects into any one of the zones in the RF networked system. This process is detailed in Figure 3. The ZA of a zone accesses the memory of an inbound object and checks the ID_ZONE written in the object at registration or at any previous zonal authentication. If the ID_ZONE in the object does not match the current zone, then the ZA sets the appropriate ID_ZONE, issues a zonal ticket for that zone and resets LC for the registered object. If the zone matches the current zone, then ZA stores a 16-bit random number S in the object's memory. It then queries the object for a ticket; this may be a system ticket or a zonal ticket. ZA checks the ticket's validity and authenticates the object. In case a ticket's validity has expired (invalid ticket), the ticket is renewed at the ZA.

obtained from R^S only if the value of S is known and vice versa. As a result, the object can obtain the value of R from R^S using the value of S stored in it. Using R and S, the object computes (R+S), which serves as one of the components for mutual authentication. It is not possible for an unauthorised entity to obtain R or S from R^S. This property prevents unauthorized/illegal entities from obtaining R and S in order to successfully impersonate a system-registered object/authenticator.

Phase III: Mutual Authentication Phase
Registered objects and IZA are mutually authenticated in phase III, before any application processing is performed. Steps 2 and 3 in Figure 4 account for the handshake performed by the object and IZA towards mutual authentication. IZA queries the object in the zone for Ticket_ZONE. The object responds by sending Ticket_ZONE and PRNG(R+S+LC) to IZA. IZA obtains R+S by decrypting the ticket using the key it shares with ZA. The LC of that object is added to (R+S), and the PRNG(R+S+LC) sent by the object in step 2 of Figure 4 is verified by IZA by computing the same PRNG(R+S+LC) and comparing the two values. This authenticates the object to the IZA. IZA authenticates itself to the object by sending PRNG(U) and U^(R+S). The object obtains U by performing (U^(R+S))^(R+S). It computes PRNG(U) and compares it with the PRNG(U) sent by the IZA in step 3 of Figure 4 to authenticate the IZA. After successful authentication, LC is updated by both the object and the authenticators. This phase mutually authenticates the object and IZA, ensuring that the communication is with only the intended parties in the RF networked system.

XOR and PRNG (Pseudo Random Number Generator) are the main cryptographic operations used in the proposed protocol. The contribution of the XOR operation towards securing the proposed authentication scheme has been highlighted in the Phase II discussion. The PRNG() function generates a random number using a seed. An important property of the PRNG() function is that it is a one-way function: the seed cannot be obtained from the random number. It is not possible for an illegal/unauthorised authenticator to obtain the seed (U) and authenticate itself as a legal IZA of the zone. The properties of both XOR and PRNG are exploited to provide a secure authentication protocol that is resilient to eavesdropping attacks, authenticator and object impersonation attacks, replay attacks and desynchronization attacks.

Security Analysis and Results
Resiliency of the proposed protocol with respect to different types of attacks is analyzed in this section.

Eavesdropping Attack
An eavesdropping attack is an unauthorised real-time interception of the communication between an object and an authenticator. An adversary A may acquire R^S, PRNG(R+S+LC), the ticket, PRNG(U) and (U^(R+S)) from the communication (Phase II and Phase III) between an authenticator and an object. A successful attack can be performed on the RF networked system iff A can perform the following from the intercepted contents:
a. Decrypt the encrypted system/zonal ticket to obtain its contents
b. Obtain the 16-bit random numbers R, S and U
c. Obtain LC and compute R+S+LC

The proposed protocol is secure against eavesdropping:
a. The ticket is encrypted using K_ZA-IZA. The eavesdropper cannot gain any valuable information from a ticket without knowing the shared secret key K_ZA-IZR.
b. It is not possible for an eavesdropper to obtain R or S from R^S, or U from (U^(R+S)), due to the XOR property in (eqn. 1).
c. The PRNG() function is a one-way function; as a result of this property, the eavesdropper cannot obtain the values of (R+S+LC) and U from PRNG(R+S+LC) and PRNG(U).

Authenticator/Object Impersonation Attack
Authenticator impersonation refers to a process in which an adversary authenticator A deceives a registered object into authenticating it as a valid authenticator, whereas object impersonation is the process in which an adversary object A deceives a genuine authenticator into authenticating it as a valid object. For authenticator/object impersonation attacks to be successful, A must perform the following:
a. Access the memory contents of an object.
b. Obtain the contents of the system/zonal ticket.

The proposed protocol is secure against authenticator/object impersonation:
a. Only the SA and ZA can access the memory contents of the objects, as assumed in the protocol. Therefore, an adversary A cannot access the memory contents of the object.
b. Tickets in the proposed protocol are encrypted using the secret key (K_ZA-IZA) shared between the zonal authenticator and inter-zonal authenticators in a zone. An impersonating authenticator A has to obtain K_ZA-IZA in order to decrypt the ticket and extract the data needed for authentication.

Replay Attack
A replay attack is performed when an adversary (object or authenticator) A captures and attempts to reuse the authentication component used in a handshake. A captures the authentication component PRNG(R+S+LC) in Phase III and attempts to replay it later in another authentication session with an authenticator. The Logical Clock (LC) is an incrementing software counter maintained in each process, by which the happened-before ordering can be captured numerically [30]. LC is used in the protocol to resist replay attacks. LC values are updated for each authentication by both the object and IZA. For a replay attack to be successful, A must have the correct LC value of a particular authentication session. This is not possible, as the LC value is updated after every handshake in phase III. In Figure 5(a), LC is updated to LC' by both the object and IZA after the handshake in phase III.

Desynchronization Attack
An adversary A performs a desynchronization attack with the intent to disrupt the authentication process. A desynchronization attack on the RF system forces the object and authenticator to update their common values to different values. In the proposed protocol, LC is a logical clock that keeps track of the number of times handshakes have been performed for an object in a zone. The LC values are updated by the object and the IZA only after a successful handshake in Phase III. A desynchronization attack can be successful iff the LC updating is desynchronised; LC in the proposed protocol is not updated if the handshake in Phase III is unsuccessful. As a result, the adversary cannot perform a desynchronization attack to disrupt the authentication process of the proposed protocol.
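Added example (not code from the paper or its authors): a Python simulation of the Phase II and Phase III exchanges, showing the replay and desynchronization behaviour analysed above. PRNG() is not specified on the page, so a truncated SHA-256 stands in for it; the one-block ticket layout, the key, the IDs and all function names are assumptions made for this example.

```python
import hashlib
import secrets
import struct

MASK32, DELTA = 0xFFFFFFFF, 0x9E3779B9

def _mix(v, s, k):
    return (((v << 4) ^ (v >> 5)) + v) ^ (s + k)   # callers keep only the low 32 bits

def xtea(key, block, decrypt=False, rounds=32):
    """XTEA on a single 64-bit block with a 128-bit key."""
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = (DELTA * rounds) & MASK32 if decrypt else 0
    for _ in range(rounds):
        if decrypt:
            v1 = (v1 - _mix(v0, s, k[(s >> 11) & 3])) & MASK32
            s = (s - DELTA) & MASK32
            v0 = (v0 - _mix(v1, s, k[s & 3])) & MASK32
        else:
            v0 = (v0 + _mix(v1, s, k[s & 3])) & MASK32
            s = (s + DELTA) & MASK32
            v1 = (v1 + _mix(v0, s, k[(s >> 11) & 3])) & MASK32
    return struct.pack(">2I", v0, v1)

def prng(seed):
    # Assumption: PRNG() is not specified on the page; truncated SHA-256 stands in
    # for its one-way function, with a 32-bit output chosen for this example.
    return int.from_bytes(hashlib.sha256(seed.to_bytes(8, "big")).digest()[:4], "big")

class TagObject:
    def __init__(self, obj_id, zone_id):
        self.obj_id, self.zone_id, self.lc = obj_id, zone_id, 0
        self.s = self.rs = self.ticket = None

    def step2(self):
        """Object -> IZA: Ticket_ZONE and PRNG(R+S+LC)."""
        return self.ticket, prng(self.rs + self.lc)

    def verify_iza(self, prng_u, u_xor_rs):
        """Check the IZA's reply; LC advances only when the check passes."""
        if prng(u_xor_rs ^ self.rs) != prng_u:
            return False
        self.lc += 1
        return True

def zonal_authentication(obj, key):
    """Phase II, simplified: ZA stores S in the object, sends R^S, issues the ticket."""
    r, s = secrets.randbits(16), secrets.randbits(16)
    obj.s, r_xor_s = s, r ^ s             # R^S is sent in place of R itself
    obj.rs = (r_xor_s ^ obj.s) + obj.s    # object recovers R with its stored S, then R+S
    # Assumed ticket layout: ID_OBJECT, ID_ZONE, R+S in one block (no T_0/T_max/Timestamp).
    obj.ticket = xtea(key, struct.pack(">HHI", obj.obj_id, obj.zone_id, r + s))

class IZA:
    def __init__(self, key):
        self.key, self.lc = key, {}       # K_ZA-IZA and one LC per registered object

    def step3(self, ticket, proof):
        """Verify the object's step-2 message; return (PRNG(U), U^(R+S)) or None."""
        obj_id, _zone, rs = struct.unpack(">HHI", xtea(self.key, ticket, decrypt=True))
        lc = self.lc.get(obj_id, 0)
        if prng(rs + lc) != proof:
            return None                   # failed handshake: LC is not updated
        self.lc[obj_id] = lc + 1          # assumption: IZA advances LC once it accepts
        u = secrets.randbits(16)
        return prng(u), u ^ rs

def run_sessions():
    key = bytes(range(16))                # constructed K_ZA-IZA, for this example only
    obj, iza = TagObject(0x0A01, 0x0003), IZA(key)
    zonal_authentication(obj, key)
    captured = obj.step2()                # session #n as seen on the radio channel
    reply = iza.step3(*captured)
    altered = (obj.verify_iza(reply[0] ^ 1, reply[1]), obj.lc)  # modified reply rejected
    genuine = obj.verify_iza(*reply)
    replayed = iza.step3(*captured)       # session #(n+i): LC != LC', so it fails
    fresh = iza.step3(*obj.step2())       # the real object, now using LC'
    fresh_ok = fresh is not None and obj.verify_iza(*fresh)
    return altered, genuine, replayed, fresh_ok, (obj.lc, iza.lc[obj.obj_id])
```

Calling run_sessions() returns the outcome of an altered IZA reply, the genuine handshake, a replay of the captured step-2 message, a fresh session, and the two LC values.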

Performance Analysis
Table 3 illustrates an analysis of the proposed protocol in terms of resiliency requirements against eavesdropping, impersonation, replay, and desynchronization. Performance of the proposed protocol is analyzed for the time complexity of the operations used in mutual authentication (T_XOR: time complexity of the XOR operation; T_RNG: time complexity of the random number generation operation; T_PRNG: time complexity of the pseudo random number function; T_EDC: time complexity of the encryption/decryption cryptosystem). Table 4 projects the total time complexity at an object and an authenticator. The proposed protocol performs 2 XOR operations at the object in Phase II and III and 2 XOR operations at the authenticator in Phase II and III, accounting for a total of 4 XOR operations performed by the object and authenticator at the end of Phase II and Phase III. A total of 2 PRNG operations is performed by the object in Phase III and 2 PRNG operations at the authenticator in Phase III, accounting for a total of 4 PRNG operations performed by the object and authenticator at the end of Phase II and Phase III. Two random number generation operations are performed at the authenticator in Phase II. Only one encryption/decryption operation is performed at the authenticator in Phase II and Phase III. Therefore, a successful mutual authentication in a zone requires a time complexity of 2T_XOR + 2T_PRNG at the object and 2T_XOR + 2T_PRNG + 1T_EDC + 2T_RNG at the authenticator. An object's data/information may be required to be processed by more than one authenticator in a zone, accounting for multiple authentications. The number of times (x) an object is authenticated in a zone accounts for a total of x * (4T_XOR + 4T_PRNG + 1T_EDC + 2T_RNG).

The performance of the MKT phase (mutual authentication, key update and ticket computation) in [1] is analyzed for the time complexity of the operations used in mutual authentication (T_XOR: time complexity of the XOR operation; T_RNG: time complexity of the random number generation operation; T_PRNG: time complexity of the pseudo random number function; T_PER: time complexity of the permutation operation; T_MOD: time complexity of the modulus operation).
Table 5 projects the total time complexity at a tag identifying the object and a reader (authenticator). The protocol in [1] performs 75 XOR operations at the tag in the MKT phase and 63 XOR operations at the reader in the MKT phase, accounting for a total of 138 XOR operations performed by the tag and reader at the end of the MKT phase. A total of 72 PRNG operations is performed by the tag in the MKT phase and 36 PRNG operations at the reader in the MKT phase, accounting for a total of 36 PRNG operations performed by the tag and reader at the end of the MKT phase. 12 permutation operations and 2 random number generation operations are performed at the reader in the mutual authentication phase. 6 modulus operations are performed at the tag in the mutual authentication phase. Therefore, a successful mutual authentication requires a time complexity of 75T_XOR + 36T_PRNG + 12T_PER + 6T_MOD at the tag and 63T_XOR + 2T_RNG + 36T_PRNG at the reader. Table 4 and Table 5 indicate that the protocol proposed in this paper functions with a lower time complexity than the MKT phase of the protocol proposed in [1].

Formal Validation of the Proposed Protocol
SPAN is a security protocol animator for HLPSL and CAS+ specifications that is similar to AVISPA (Automated Validation of Internet Security Protocols and Applications). It facilitates analysis of large-scale Internet security-sensitive protocols and applications. SPAN implements an active intruder that allows attacks over protocols to be found and built interactively. SPAN automatically builds an attack message sequence chart from the HLPSL and CAS+ specification of the protocol using the AVISPA verification tools. CL-Atse is one such AVISPA verification tool. It is an efficient, versatile automatic analyser for the security of cryptographic protocols. State-based security properties like secrecy, authentication and fairness can be modelled using the CL-Atse tool, and the algebraic properties of operators like XOR or exponentiation are taken into account with far fewer limitations than in other tools, thanks to a complete modular unification algorithm. The intruder simulation of the proposed protocol is done using SPAN and is shown in Figure 6. The protocol was found to be safe from intruder attacks. In addition to the intruder simulation, a CL-Atse tool verification of the proposed protocol was performed. Figure 7 and Figure 8 display the CL-Atse tool summary check for the proposed protocol. The proposed protocol was found to be secure against the various attacks simulated by the CL-Atse tool.

Conclusion
In this paper, a Light-weight Inter-zonal Authentication Protocol for moving objects in low powered RF systems was proposed. This was done by employing the ultra-lightweight PRNG function and XOR operation. Such use of simple operations adds a minimal level of computation and energy consumption for low-powered RF systems while, at the same time, supporting the cryptographic goals of the protocol. The proposed protocol was verified against security attacks and was formally validated using the SPAN security tool. Analysis of the proposed protocol and comparison with previous works in section 5 and 6 indicate the following: (i) no disclosure of secret information; (ii) no dependency on previously used secret data/information; (iii) the protocol is free from desynchronization issues; (iv) resiliency against sniffing/eavesdropping and replay attacks is guaranteed; (v) lower computational complexity; (vi) lower time complexity.

Figure 5(b) illustrates a replay attack, where A (adversary object) replays the Ticket_ZONE, PRNG(R+S+LC) captured from session #n during session #(n+i). Since LC ≠ LC', the authentication fails.

Table 2. Notation and Terms

Table 3. Comparison of related protocols