Document Type: Research Article


Department of Electrical Engineering, Khorasgan (Isfahan) Branch, Islamic Azad University, Isfahan, Iran.



Rapid and ever-increasing developments in the Internet of Things (IoT) have raised great hopes of improving the quality of human life. Radio-frequency identification (RFID), employed as a backup technology in the IoT, is widely used in different aspects of life. High priority should therefore be given to security problems and the protection of user privacy. However, the limited computational power and storage resources of passive tags make it difficult to implement security measures in RFID. In other words, the design of lightweight authentication protocols for RFID systems is still a major challenge in RFID security. Liu et al. recently proposed a lightweight authentication protocol for passive tags, the IOLAS protocol. It uses specific inverse operations, and they claimed that its lightweight bitwise operations would make the protocol resistant to known and potential attacks on RFID systems. This study shows that these same inverse operations are the main problem, so that the protocol fails to guarantee backward security. It also shows that the IOLAS protocol is vulnerable to replay, reader impersonation, tag tracking, and secret disclosure attacks. Finally, we improve the IOLAS protocol and propose the POLAS protocol, which is resistant to the currently known attacks. We analyze the security level of the proposed protocols and prove the security of the proposed design using BAN (Burrows-Abadi-Needham) logic. We also formally confirm the security of the proposal using the Scyther simulation tool. According to the security analysis, this protocol has a high level of security. A performance comparison shows that the POLAS protocol is comparable to similar protocols in terms of computational, storage, and communication costs.


[1] M. Adeli, N. Bagheri, S. Sadeghi, and S. Kumari. χperbp: a Cloud-based Lightweight Mutual Authentication Protocol. Cryptology ePrint Archive, 2021.
[2] S. F. Aghili, H. Mala, P. Kaliyar, and M. Conti. SecLAP: Secure and lightweight RFID authentication protocol for Medical IoT. Future Generation Computer Systems, 101:621–634, 2019.
[3] K. Fan, W. Wang, W. Jiang, H. Li, and Y. Yang. Secure ultra-lightweight RFID mutual authentication protocol based on transparent computing for IoV. Peer-to-Peer Networking and Applications, 11(4):723–734, 2018.
[4] G. Avoine, C. Lauradoux, and T. Martin. When compromised readers meet RFID. In International Workshop on Information Security Applications, pages 36–50. Springer, 2009.
[5] Y. Bendavid, N. Bagheri, M. Safkhani, and S. Rostampour. IoT Device Security: Challenging “A Lightweight RFID Mutual Authentication Protocol Based on Physical Unclonable Function”. Sensors, 18(12):4444, 2018.
[6] G. Bertoni, J. Daemen, M. Peeters, and G. V. Assche. Keccak. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 313–314. Springer, 2013.
[7] M. Burrows, M. Abadi, and R. M. Needham. A logic of authentication. In Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences, pages 233–271. The Royal Society London, 1989.
[8] C. J. Cremers. The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols. In International Conference on Computer Aided Verification, pages 414–418. Springer, 2008.
[9] H. Chien. SASI: A New Ultralightweight RFID Authentication Protocol Providing Strong Authentication and Strong Integrity. IEEE Transactions on Dependable and Secure Computing, 4(4):337–340, 2007.
[10] C. J. F. Cremers. Scyther: Semantics and verification of security protocols. Eindhoven University of Technology, Eindhoven, Netherlands, 2006.
[11] K. Fan, N. Ge, Y. Gong, H. Li, R. Su, and Y. Yang. An ultra-lightweight RFID authentication scheme for mobile commerce. Peer-to-Peer Networking and Applications, 10(2):368–376, 2017.
[12] L. Gao, M. Ma, Y. Shu, and Y. Wei. An ultralightweight RFID authentication protocol with CRC and permutation. Journal of Network and Computer Applications, 41:37–46, 2014.
[13] P. Gope and T. Hwang. A realistic lightweight authentication protocol preserving strong anonymity for securing RFID system. Computers & Security, 55:271–280, 2015.
[14] M. A. Ferrag, L. A. Maglaras, H. Janicke, J. Jiang, and L. Shu. Authentication Protocols for Internet of Things: A Comprehensive Survey. Security and Communication Networks, 55(2017), 2017.
[15] V. Gholami and M. R. Alagheband. Provably privacy analysis and improvements of the lightweight RFID authentication protocols. Wireless Networks, 26(3):2153–2169, 2020.
[16] X. Gao, S. Lv, H. Zhang, X. Li, W. Ji, Y. He, and X. Li. A kind of RFID Security Protocol Based on the Algorithm of Present. In 2018 5th International Conference on Systems and Informatics (ICSAI), pages 50–55. IEEE, 2018.
[17] L. Heng, G. Fei, X. Yanming, and F. Shuo. Research of RFID Authentication Protocol Based on Hash Function. In Advances in Wireless Networks and Information Systems, pages 177–182. Springer, 2010.
[18] C. Jin, C. Xu, X. Zhang, and J. Zhao. A secure RFID mutual authentication protocol for healthcare environments using elliptic curve cryptography. Journal of Medical Systems, 39(3):1–8, 2015.
[19] S. Kardas, M. Akgün, M. Kiraz Sabir, and H. Demirci. Cryptanalysis of lightweight mutual authentication and ownership transfer for RFID systems. In 2011 Workshop on Lightweight Security & Privacy: Devices, Protocols, and Applications, pages 20–25. IEEE, 2011.
[20] S. Karthikeyan and M. Nesterenko. RFID security without extensive cryptography. In Proceedings of the 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks, pages 63–67. ACM, 2005.
[21] L. Kulseng, Z. Yu, Y. Wei, and Y. Guan. Lightweight mutual authentication and ownership transfer for RFID systems. In 2010 Proceedings IEEE INFOCOM, pages 1–5. IEEE, 2010.
[22] B. Liu, B. Yang, and X. Su. An improved two-way security authentication protocol for RFID system. Information, 9(4):86, 2018.
[23] Y. Liu, X. Yin, Y. Dong, and K. Huang. Lightweight authentication scheme with inverse operation on passive RFID tags. Journal of the Chinese Institute of Engineers, 42(11):74–79, 2019.
[24] H. Luo, G. Wen, J. Su, and Z. Huang. SLAP: Succinct and Lightweight Authentication Protocol for low-cost RFID system. Wireless Networks, 24(1):69–78, 2018.
[25] R. Madhusudhan, M. Hegde, and I. Memon. A secure and enhanced elliptic curve cryptography-based dynamic authentication scheme using smart card. International Journal of Communication Systems, 31(11):69–78, 2018.
[26] K. Michael and R. Monteleone. Microchipping People is a Bad Idea: An Interview with Andreas Sjostrom. IEEE Technology and Society Magazine, 38(2):18–21, 2019.
[27] P. Peris-Lopez, J. Hernandez-Castro Cesar, J. M. Estevez-Tapiador, and A. Ribagorda. EMAP: An efficient mutual-authentication protocol for low-cost RFID tags. In OTM Confederated International Conferences "On the Move to Meaningful Internet Systems", pages 352–361. Springer, 2006.
[28] P. Peris-Lopez, J. Hernandez-Castro Cesar, J. M. Estevez-Tapiador, and A. Ribagorda. LAMED—a PRNG for EPC class-1 generation-2 RFID specification. Computer Standards & Interfaces, 31(1):88–97, 2009.
[29] P. Peris-Lopez, J. C. Hernandez-Castro, J. M. Tapiador, and A. Ribagorda. Advances in ultralightweight cryptography for low-cost RFID tags: Gossamer protocol. In International Workshop on Information Security Applications, pages 56–68. Springer, 2008.
[30] M. Safkhani and N. Bagheri. Generalized Desynchronization Attack on UMAP: Application to RCIA, KMAP, SLAP and SASI+ protocols. Cryptology ePrint Archive, 2016.
[31] A. Tewari and B. B. Gupta. Cryptanalysis of a novel ultra-lightweight mutual authentication protocol for IoT devices using RFID tags. The Journal of Supercomputing, 73(3):1085–1102, 2017.
[32] Y. Tian, G. Chen, and J. Li. A New Ultralightweight RFID Authentication Protocol with Permutation. IEEE Communications Letters, 16(5):702–705, 2012.
[33] T. Yeh and C. Wu. An enhanced ultralightweight RFID authentication protocol. In 2009 Joint Conferences on Pervasive Computing (JCPC), pages 799–804. IEEE, 2009.
[34] J. Wang, H. Hassanieh, D. Katabi, and P. Indyk. Efficient and reliable low-power backscatter networks. ACM SIGCOMM Computer Communication Review, 42(4):61–72, 2012.
[35] G. Wei and H. Zhang. A lightweight authentication protocol scheme for RFID security. Wuhan University Journal of Natural Sciences, 18(6):504–510, 2013.
[36] L. Xiao, H. Xu, F. Zhu, R. Wang, and P. Li. SKINNY-Based RFID Lightweight Authentication Protocol. Sensors, 20(5):1366, 2020.
[37] H. Xu, J. Ding, P. Li, F. Zhu, and R. Wang. A Lightweight RFID Mutual Authentication Protocol Based on Physical Unclonable Function. Sensors, 18(3):760, 2018.
[38] W. Zhang, S. Liu, S. Wang, B. Yi, and L. Wu. An Efficient Lightweight RFID Authentication Protocol with Strong Trajectory Privacy Protection. Wireless Personal Communications, 96(1):1215–1228, 2017.
[39] Y. Zhou and D. Feng. Design and analysis of RFID security protocol. In Chin. J. Comput, pages 581–590, 2006.