CN113489722A - Novel lightweight identity authentication protocol method for RFID-based medical system in medical emergency supply chain - Google Patents


Info

Publication number
CN113489722A
Authority
CN
China
Prior art keywords
server
sid
srid
new
tag
Prior art date
Legal status
Granted
Application number
CN202110756322.9A
Other languages
Chinese (zh)
Other versions
CN113489722B (en)
Inventor
陈秀清
张潇
鲁凡
潘帅飞
陈俊树
Current Assignee
Xuzhou Medical University
Original Assignee
Xuzhou Medical University
Priority date
Filing date
Publication date
Application filed by Xuzhou Medical University
Priority to CN202110756322.9A
Publication of CN113489722A
Application granted
Publication of CN113489722B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K7/00 Methods or arrangements for sensing record carriers, e.g. for reading patterns
    • G06K7/10 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation
    • G06K7/10009 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves
    • G06K7/10257 Methods or arrangements for sensing record carriers, e.g. for reading patterns by electromagnetic radiation, e.g. optical sensing; by corpuscular radiation sensing by radiation using wavelengths larger than 0.1 mm, e.g. radio-waves or microwaves arrangements for protecting the interrogation against piracy attacks
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16H HEALTHCARE INFORMATICS, i.e. INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR THE HANDLING OR PROCESSING OF MEDICAL OR HEALTHCARE DATA
    • G16H40/00 ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices
    • G16H40/20 ICT specially adapted for the management or administration of healthcare resources or facilities; ICT specially adapted for the management or operation of medical equipment or devices for the management or administration of healthcare resources or facilities, e.g. managing hospital staff or surgery rooms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention discloses a novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain, comprising an initial stage and an authentication stage. The authentication stage comprises the following steps: step 1: reader → server: M1 = {N_R}; the reader generates a random number N_R and sends it to the server; step 2: server → reader: M2 = {N_S}; on receiving M1, the server generates a random number N_S and sends it to the reader; step 3: reader → tag: M3 = {N_S}; on receiving M2, the reader forwards N_S to the tag. The invention is safe and reliable: the secret key cannot be revealed, and an attacker cannot correlate two message parameters separated by a complete run of the scheme with the active party.

Description

Novel lightweight identity authentication protocol method for RFID-based medical system in medical emergency supply chain
Technical Field
The invention relates to a novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain, belonging to the technical field of information security authentication.
Background
RFID technology is a key technology of the Internet of Things and can be used to enhance visibility and traceability in a supply chain, so it is widely applied to supply chain management, logistics control, neonate identification in hospital information departments, patient identification, medical asset positioning and tracking, patient management and the like; however, the rapid growth in the volume of data collected by RFID poses challenges to data-driven decision making in many fields. In the mobile medical and health industry in particular, massive amounts of data are generated every day; people usually store private medical information databases with cloud storage companies, the secure storage of the data cannot be guaranteed, and patient privacy may be leaked. Therefore, a novel lightweight authentication protocol method for an RFID-based medical system in a medical emergency supply chain is needed.
Disclosure of Invention
The invention aims to solve the technical problem of providing a novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain that is very effective in preventing tracking attacks, desynchronization attacks and timing attacks.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows:
A novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain comprises an initial stage and an authentication stage;
the initial stage comprises the following steps:
Step 1: for each legitimate tag, the administrator assigns a pseudo-identifier SID and a key x, and then sets SID_old = SID and x_old = x in the tag index data table, SID_old and x_old being both set to 0; here SID denotes the tag's current pseudo-identifier, SID_old the tag's previous pseudo-identifier, x the tag's current key and x_old the tag's previous key;
Step 2: for each legitimate reader, the administrator assigns a pseudo-identifier SRID and a secret key y, and then sets SRID_old = SRID and y_old = y in the reader index data table, SRID_old and y_old being both set to 0; here SRID denotes the reader's current pseudo-identifier, SRID_old the reader's previous pseudo-identifier, y the reader's current key and y_old the reader's previous key;
the authentication phase comprises the following steps:
Step 1: reader → server: M1 = {N_R}; the reader generates a random number N_R and sends it to the server;
Step 2: server → reader: M2 = {N_S}; on receiving M1, the server generates a random number N_S and sends it to the reader;
Step 3: reader → tag: M3 = {N_S}; on receiving M2, the reader forwards N_S to the tag;
Step 4: tag → reader: M4 = {SID, M_T1, N_T}; on receiving M3, the tag generates a random number N_T, computes M_T1 = PRNG(x || N_S || N_T) and sends {SID, M_T1, N_T} to the reader;
Step 5: reader → server: M5 = {SRID, M_R1, SID, M_T1, N_T}; on receiving M4, the reader computes M_R1 = PRNG(y || N_S || N_R) and sends the reply {SRID, M_R1, SID, M_T1, N_T} to the server;
Step 6: server → reader: M6 = {M_R2, M_T2};
On receiving M5, the server looks up the received SRID in the reader index data table; if it is found, the server reads the corresponding y and checks whether the equation PRNG(y || N_S || N_R) = M_R1 holds; if it holds, the reader is valid; here || denotes the concatenation operator;
The server then looks up the received SID in the tag index data table; if it is found, the server reads the corresponding x and checks whether the equation PRNG(x || N_S || N_T) = M_T1 holds; if it holds, the tag is valid; the validity of both the reader and the tag is thereby confirmed;
The server computes M_R2 = PRNG((y+1) || N_S || N_R), SRID_new = PRNG(SRID || y || N_S || N_R), y_new = PRNG((y+2) || N_S || N_R), M_T2 = PRNG((x+1) || N_S || N_T), SID_new = PRNG(SID || x || N_S || N_T) and x_new = PRNG((x+2) || N_S || N_T); here SRID_new denotes the reader's next pseudo-identifier, y_new the reader's next key, SID_new the tag's next pseudo-identifier and x_new the tag's next key; x+1 and x+2 denote the key x increased by 1 and by 2, and y+1 and y+2 denote the key y increased by 1 and by 2;
The server then updates the reader and tag index data tables;
Once the update is complete, the server sends {M_R2, M_T2} to the reader;
Step 7: reader → tag: M7 = {M_T2}; on receiving M6, the reader checks whether PRNG((y+1) || N_S || N_R) = M_R2; if so, the server is valid and the reader's index data table is updated; because the server sends M_R2 only when the tag is legitimate, the reader also verifies the tag through M_R2; the reader then computes SRID_new = PRNG(SRID || y || N_S || N_R) and y_new = PRNG((y+2) || N_S || N_R) and sets SRID = SRID_new and y = y_new; the reader then sends M_T2 to the tag;
Step 8: tag verification; once M7 arrives, the tag checks whether the equation PRNG((x+1) || N_S || N_T) = M_T2 holds; if so, the server is valid and the tag's index data table is updated; the tag also implicitly authenticates the reader, because the tag does not receive a valid M_T2 unless the server has authenticated the reader; the tag then computes SID_new = PRNG(SID || x || N_S || N_T) and x_new = PRNG((x+2) || N_S || N_T) and sets SID = SID_new and x = x_new.
The server updates the reader index data table as follows: if the SRID was found in the index field of the table being updated, the server sets SRID_old = SRID, y_old = y, SRID = SRID_new and y = y_new; if the SRID was not found in the index field of the table being updated, the server sets only SRID = SRID_new and y = y_new.
The server updates the tag index data table as follows: if the SID was found in the index field of the table being updated, the server sets SID_old = SID, x_old = x, SID = SID_new and x = x_new; if the SID was not found in the index field of the table being updated, the server sets only SID = SID_new and x = x_new.
The novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain is safe and reliable: the secret key cannot be disclosed, and an attacker cannot associate two message parameters separated by a complete run of the scheme with a valid party, which further ensures the security of the protocol. In addition, the tags of the invention are generally untraceable, forward secrecy is ensured, impersonation and desynchronization attacks are resisted, and the scheme has good scalability and resistance to timing attacks.
The invention can meet the following safety requirements:
(a) Untraceability: an adversary cannot track a tag. An attacker positioned between the tag and the reader may eavesdrop and try to correlate tag messages from two different sessions to identify the tag; in the present invention the attacker cannot correlate the two message parameters.
(b) Forward secrecy: even if a tag's secret parameters (i.e., its keys) are exposed to an adversary, it is hard for the adversary to recognise the tag's previous messages.
(c) Resistance to impersonation attacks: an adversary may try to impersonate a legitimate party (server, reader or tag), for example by replaying a message intercepted from the channel. The present invention prevents any impersonation.
(d) Resistance to desynchronization attacks: if a scheme relies on shared values for authentication, an adversary may cause desynchronization. For example, if the server updates the shared value but the tag does not, the server may be unable to authenticate the tag in the future. The present invention counters such desynchronization attacks.
(e) Scalability: a scheme is not scalable if the server must perform an exhaustive search to verify a tag. The identity verification scheme of the present invention avoids any exhaustive search operation, ensuring scalability.
(f) Lightweight encryption mechanism: the method uses a PRNG function for encryption, realising a lightweight encryption mechanism; the private medical information database need not be stored with a cloud storage company, so the secure storage of the data is ensured and patient privacy cannot be leaked.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention will be further described with reference to the accompanying drawings.
As shown in FIG. 1, the novel lightweight authentication protocol method for an RFID-based medical system in a medical emergency supply chain includes an initial stage and an authentication stage;
the initial stage comprises the following steps:
Step 1: for each legitimate tag, the administrator assigns a pseudo-identifier SID and a key x, and then sets SID_old = SID and x_old = x in the tag index data table, SID_old and x_old being both set to 0; here SID denotes the tag's current pseudo-identifier, SID_old the tag's previous pseudo-identifier, x the tag's current key and x_old the tag's previous key;
Step 2: for each legitimate reader, the administrator assigns a pseudo-identifier SRID and a secret key y, and then sets SRID_old = SRID and y_old = y in the reader index data table, SRID_old and y_old being both set to 0; here SRID denotes the reader's current pseudo-identifier, SRID_old the reader's previous pseudo-identifier, y the reader's current key and y_old the reader's previous key;
the authentication phase comprises the following steps:
Step 1: reader → server: M1 = {N_R}; the reader generates a random number N_R and sends it to the server;
Step 2: server → reader: M2 = {N_S}; on receiving M1, the server generates a random number N_S and sends it to the reader;
Step 3: reader → tag: M3 = {N_S}; on receiving M2, the reader forwards N_S to the tag;
Step 4: tag → reader: M4 = {SID, M_T1, N_T}; on receiving M3, the tag generates a random number N_T, computes M_T1 = PRNG(x || N_S || N_T) and sends {SID, M_T1, N_T} to the reader;
Step 5: reader → server: M5 = {SRID, M_R1, SID, M_T1, N_T}; on receiving M4, the reader computes M_R1 = PRNG(y || N_S || N_R) and sends the reply {SRID, M_R1, SID, M_T1, N_T} to the server; here || denotes the concatenation operator;
Step 6: server → reader: M6 = {M_R2, M_T2};
On receiving M5, the server looks up the received SRID in the reader index data table; if it is found, the server reads the corresponding y and checks whether the equation PRNG(y || N_S || N_R) = M_R1 holds; if it holds, the reader is valid;
The server then looks up the received SID in the tag index data table; if it is found, the server reads the corresponding x and checks whether the equation PRNG(x || N_S || N_T) = M_T1 holds; if it holds, the tag is valid; the validity of both the reader and the tag is thereby confirmed;
The server computes M_R2 = PRNG((y+1) || N_S || N_R), SRID_new = PRNG(SRID || y || N_S || N_R), y_new = PRNG((y+2) || N_S || N_R), M_T2 = PRNG((x+1) || N_S || N_T), SID_new = PRNG(SID || x || N_S || N_T) and x_new = PRNG((x+2) || N_S || N_T); here SRID_new denotes the reader's next pseudo-identifier, y_new the reader's next key, SID_new the tag's next pseudo-identifier and x_new the tag's next key; x+1 and x+2 denote the key x increased by 1 and by 2, and y+1 and y+2 denote the key y increased by 1 and by 2;
The server then updates the reader and tag index data tables;
The server updates the reader index data table as follows: if the SRID was found in the index field of the table being updated, the server sets SRID_old = SRID, y_old = y, SRID = SRID_new and y = y_new; if the SRID was not found in the index field of the table being updated, the server sets only SRID = SRID_new and y = y_new.
The server updates the tag index data table as follows: if the SID was found in the index field of the table being updated, the server sets SID_old = SID, x_old = x, SID = SID_new and x = x_new; if the SID was not found in the index field of the table being updated, the server sets only SID = SID_new and x = x_new.
Once the update is complete, the server sends {M_R2, M_T2} to the reader;
Step 7: reader → tag: M7 = {M_T2}; on receiving M6, the reader checks whether PRNG((y+1) || N_S || N_R) = M_R2; if so, the server is valid and the reader's index data table is updated; because the server sends M_R2 only when the tag is legitimate, the reader also verifies the tag through M_R2; the reader then computes SRID_new = PRNG(SRID || y || N_S || N_R) and y_new = PRNG((y+2) || N_S || N_R) and sets SRID = SRID_new and y = y_new; the reader then sends M_T2 to the tag;
Step 8: tag verification; once M7 arrives, the tag checks whether the equation PRNG((x+1) || N_S || N_T) = M_T2 holds; if so, the server is valid and the tag's index data table is updated; the tag also implicitly authenticates the reader, because the tag does not receive a valid M_T2 unless the server has authenticated the reader; the tag then computes SID_new = PRNG(SID || x || N_S || N_T) and x_new = PRNG((x+2) || N_S || N_T) and sets SID = SID_new and x = x_new.
Security analysis and proof
Lemma 1: In this scheme, the key can be disclosed only by calling the Reveal oracle.
Proof: In this scheme, the transmitted parameters related to the tag key x are M_T1 and M_T2, where M_T1 = PRNG(x || N_S || N_T) and M_T2 = PRNG((x+1) || N_S || N_T). An attacker cannot obtain x from M_T1 or M_T2, because PRNG() is considered an irreversible operation. On the other hand, the transmitted parameters related to the reader key y are M_R1 and M_R2, generated as M_R1 = PRNG(y || N_S || N_R) and M_R2 = PRNG((y+1) || N_S || N_R) respectively. Because PRNG() is irreversible, an adversary cannot obtain y from M_R1 or M_R2. Thus, unless the adversary calls the Reveal oracle, the key cannot be revealed.
Lemma 2: In the scheme proposed in this embodiment, if the Reveal oracle is not called, it is not possible to associate two message parameters (those before and after a complete run of the scheme with the active party).
Proof: For ease of reading, we denote the value of a parameter P in the i-th session by P[i]. Without loss of generality, we assume that an adversary is trying to associate P[i] with P[i+1]. In our scheme, the messages consist of 9 parameters: N_S, N_R, N_T, SID, SRID, M_T1, M_T2, M_R1 and M_R2.
First, we consider the parameters N_S, N_R and N_T. N_S is a random number generated afresh in each session, so an attacker cannot associate N_S[i] with N_S[i+1]. Likewise, N_R[i] and N_T[i] cannot be associated with N_R[i+1] and N_T[i+1] respectively.
Second, we consider the pseudo-identifiers SID and SRID. SID[i+1] has the value
SID[i+1] = PRNG(SID[i] || x[i] || N_S[i] || N_T[i]).
By Lemma 1, the adversary cannot obtain x[i]. Thus, unless the Reveal oracle is called, it is very difficult for the adversary to associate SID[i] with SID[i+1]. Similarly, SRID[i+1] has the value
SRID[i+1] = PRNG(SRID[i] || y[i] || N_S[i] || N_R[i]).
Because y[i] is not exposed, the adversary cannot associate SRID[i] with SRID[i+1].
Finally, we consider the remaining parameters. Since
M_T1[i] = PRNG(x[i] || N_S[i] || N_T[i])
and
M_T1[i+1] = PRNG(x[i+1] || N_S[i+1] || N_T[i+1]),
to associate M_T1[i] with M_T1[i+1] the adversary needs to know x[i], which is not available without the Reveal oracle (Lemma 1). For the same reason, M_T2[i], with the value
M_T2[i] = PRNG((x[i]+1) || N_S[i] || N_T[i]),
cannot be associated with M_T2[i+1], with the value
M_T2[i+1] = PRNG((x[i+1]+1) || N_S[i+1] || N_T[i+1]).
Likewise, since
M_R1[i] = PRNG(y[i] || N_S[i] || N_R[i])
and
M_R1[i+1] = PRNG(y[i+1] || N_S[i+1] || N_R[i+1]),
without knowledge of y the adversary cannot associate M_R1[i] with M_R1[i+1]. For the same reason, M_R2[i], with the value
M_R2[i] = PRNG((y[i]+1) || N_S[i] || N_R[i]),
cannot be associated with M_R2[i+1], with the value
M_R2[i+1] = PRNG((y[i+1]+1) || N_S[i+1] || N_R[i+1]).
Thus, without invoking the Reveal oracle, an attacker cannot associate two message parameters separated by a complete run of the scheme with the active party.
Theorem 3: In this scheme, the tags are generally untraceable.
Proof: In an RFID scheme, tags are generally untraceable if an adversary cannot associate two messages sent or received by the tag that are separated by one complete run of the scheme with the active party. This is modelled as a game between a challenger C and an adversary A on an RFID system, assuming that the power of C and A does not exceed polynomial-time algorithms:
(1) C selects two tags T_0 and T_1, a reader R and a server S, all of which are active.
(2) A calls the oracles Execute, Send and Block on T_0, T_1, R and S a polynomial number of times.
(3) A stops and notifies C.
(4) A bit b is selected at random and T = T_b.
(5) A calls the oracles Execute, Send and Block on T, R and S.
(6) A outputs a bit b'. If b' = b, A wins.
The adversary's advantage in identifying the tag is defined as Adv_A = 2 × (Pr[b' = b] − 1/2). If adversary A has no advantage over random guessing, Pr[b' = b] = 1/2. Thus, if Adv_A = 0, the tag is generally untraceable.
Pr denotes probability; Pr[b' = b] = 1/2 is read as: the probability that b' = b is 1/2.
Suppose challenger C selects two tags T_0 and T_1, a reader R and a server S for the game. A starts the game and calls the oracles Execute, Send and Block a number of times on T_0, T_1, R and S respectively. Assume that C performs a complete instance of the scheme with each tag, denoted the i-th session. A records all the outputs of the oracle calls and notifies C. C then selects a random bit b and sets T = T_b. Now A calls the oracles Execute, Send and Block on T, R and S. Suppose C performs a complete instance of the scheme with tag T, denoted the (i+1)-th session. A records all the outputs of the oracle calls and produces a guess bit b'. In the proposed scheme, the tag sends and receives the messages M1, M2 and M7, which consist of the message parameters SID, N_T, N_R, M_T1 and M_T2. Since A cannot associate any message parameter of the i-th session with a parameter of the (i+1)-th session (by Lemma 2), A can only guess at random. Thus Pr[b' = b] = 1/2 and Adv_A, the probability of a successful attack, tends to 0. The tags in our proposed scheme therefore satisfy untraceability.
Theorem 4: The proposed scheme guarantees forward security.
Proof: As in the proof of Theorem 3, we model this as a game. Challenger C selects two tags T_0 and T_1, a reader R and a server S for the game. Adversary A starts the game and calls the oracles Execute, Send and Block on T_0, T_1, R and S multiple times. Assume that C performs a complete instance of the scheme with each tag. A records the outputs of the oracle calls. C then generates a random bit b and sets T = T_b. Thereafter, A calls the oracle Reveal(T) to obtain the pseudo-identifier and key of tag T. Finally, A outputs a guess bit b'.
Because the current key of T is generated by the PRNG from the previous key, A cannot obtain the previous key by inverting the PRNG. Similarly, A cannot infer the previous pseudo-identifier, because the current pseudo-identifier of T was generated by the PRNG from the previous pseudo-identifier. Furthermore, by Lemma 2, A cannot associate the previous pseudo-identifier of T (the pseudo-identifier of T_0 or of T_1) with the current pseudo-identifier of T. Thus A has no advantage over random guessing, which means that this scheme ensures forward privacy.
Theorem 5: The scheme resists impersonation attacks.
Proof: An adversary may attempt to impersonate a tag, a reader or a server. We discuss these three cases as follows.
(a) Tag impersonation
We model this as a game between challenger C and adversary A.
(1) Challenger C selects a tag T, a reader R and a server S, all of which are active.
(2) A calls the oracles Execute, Send and Block a polynomial number of times on T, R and S.
(3) A stops and notifies C.
(4) A calls the Send oracle to impersonate a tag.
(5) If A is verified as a valid tag, A wins the game.
Assume that challenger C selects tag T, reader R and server S for the game. A starts the game and calls the oracles Execute, Send and Block a polynomial number of times on T, R and S. Assume that C executes an instance of the scheme on T, R and S. A records all oracle outputs.
To pass authentication, A must send a valid SID and a valid
M_T1 = PRNG(x || N_S || N_T).
To do this, A needs to know the tag key x. However, by Lemma 1, A cannot obtain x to generate a valid M_T1. On the other hand, assume that A calls the Block oracle to block message M5 so that no update occurs, and then notifies C. Thereafter, C executes a new instance of the scheme on T, R and S. To impersonate a tag, A calls the Send oracle to send the recorded SID, M_T1 and N_T as the response M2 to reader R. However, since reader R generates a new N_R in this run of the scheme, the recorded M_T1 cannot be valid unless the new N_R is exactly the same as the old N_R, which has negligible probability. Therefore it is difficult for A to impersonate a valid tag.
(b) Reader impersonation
First, we consider adversary A attempting to impersonate a valid reader towards a tag. As in the proof of Theorem 2, the attempt is modelled as a game. To authenticate to tag T, A needs to send a valid
M_T2 = PRNG((x+1) || N_S || N_T).
However, by Lemma 1, A cannot obtain x to generate a valid M_T2. On the other hand, assume that A blocks M7 to prevent any update on the tag, and then notifies C. Thereafter, C executes a new instance of the scheme on T, R and S. To impersonate a reader towards the tag, A sends the recorded M_T2 to tag T. However, the recorded M_T2 cannot be valid unless the old N_T equals the N_T generated in the new run of the scheme, which again has negligible probability.
Second, we consider A attempting to impersonate an active reader towards the server S, which can be modelled as a game similar to that in the proof of Theorem 2, except that in the last step adversary A should be authenticated by server S. To authenticate, A must send the server a valid SRID and a valid
M_R1 = PRNG(y || N_S || N_R).
By Lemma 1, the reader key y is not disclosed, so A cannot generate a valid M_R1. On the other hand, assume that A blocks M5 to prevent any update, and then notifies C. Thereafter, C executes a new instance of the scheme on T, R and S. To impersonate a reader towards the server, A sends the recorded N_R, SRID and M_R1 to server S. Since S generates a new N_S in the new run of the scheme, the probability that the recorded M_R1 is valid is negligible. Thus the likelihood of impersonating a valid reader is negligible.
(c) Server impersonation
We model this attempt as a game similar to case (a), except that A calls the Send oracle to impersonate an active server. To impersonate a legitimate server, A must send a valid
M_R2 = PRNG((y+1) || N_S || N_R).
However, without knowing y (Lemma 1), A cannot generate a valid M_R2. On the other hand, assume that A blocks M6 to prevent any update on the reader and the tag, and then notifies C. Thereafter, C executes a new instance of the scheme on T, R and S. To impersonate the server, A sends the recorded M_R2 to reader R. Because the new N_R almost certainly differs from the old N_R, the probability that the recorded M_R2 passes authentication is negligible. Thus adversary A can impersonate an active server only with negligible probability. In conclusion, the scheme provided by this embodiment resists impersonation attacks.
Theorem 6: The scheme resists desynchronization attacks.
Proof: In this scheme, the server updates its index data tables after receiving and verifying message M5. If message M8 is blocked, the reader does not update its pseudo-identifier SRID and key y. Since SRID and y are stored in the old fields, the server can resynchronize with the reader from them. Assume that there is a new session and M6 is blocked again. In this session the old values are not updated, since the server finds the received SRID in the old index field. Thus the server can still synchronize with the reader. Similarly, if M6 (or M7) is blocked, the server and the tag remain synchronized. On the other hand, as discussed in the proof of Theorem 5, an adversary cannot forge a valid M_T1 or M_R1 to force the server to update the index data tables. Therefore, the scheme resists desynchronization attacks.
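The eight authentication steps of the Detailed Description and the lost-update argument of Theorem 6 can be exercised together in one simulation. The following Python is an added example written for this page, not code from the patent or its inventors: it models the server's index data tables with current and old fields, runs the protocol as reader/tag/server message exchanges, drops M6 once to show that the server recovers the reader and tag through the SRID_old / SID_old fields, and shows that a forged M_T1 is rejected without any table update (the point Theorem 5 and the last sentence of Theorem 6 rely on). The patent names no specific PRNG, so PRNG(a || b || c) is assumed here to be SHA-256 over the concatenated inputs, and the key increments x+1 and x+2 are assumed to be integer additions on a hex-encoded key; all identifiers, keys and nonces are constructed sample values.

```python
import hashlib
import secrets


def prng(*parts: str) -> str:
    # Modelling assumption (the patent names no specific PRNG): PRNG(a||b||...) is
    # SHA-256 over the '||'-joined inputs, a one-way function as Lemma 1 requires.
    return hashlib.sha256("||".join(parts).encode()).hexdigest()


def key_add(k: str, n: int) -> str:
    # "x+1" / "x+2" in the protocol, assumed to mean: hex key read as an integer, plus n.
    return format(int(k, 16) + n, "x")


class Principal:  # a tag (SID, x) or a reader (SRID, y); it holds only its current values
    def __init__(self, ident: str, key: str):
        self.ident, self.key = ident, key


class Server:
    # Index data tables. A record is found by its current identifier or, after a lost
    # update, by its previous one (the SID_old / SRID_old field): no exhaustive search.
    def __init__(self):
        self.tag_cur, self.tag_old = {}, {}
        self.rdr_cur, self.rdr_old = {}, {}

    def register(self, cur: dict, ident: str, key: str) -> None:
        cur[ident] = {"id": ident, "k": key, "id_old": "0", "k_old": "0"}  # old fields start at 0

    @staticmethod
    def _find(cur, old, ident):
        # Returns (record, found_in_current_field, key to verify with) or (None, False, None).
        if ident in cur:
            return cur[ident], True, cur[ident]["k"]
        if ident in old:
            return old[ident], False, old[ident]["k_old"]
        return None, False, None

    @staticmethod
    def _update(cur, old, rec, in_cur, id_new, k_new):
        del cur[rec["id"]]
        if in_cur:  # found in the current field: current values become the old ones
            old.pop(rec["id_old"], None)
            rec["id_old"], rec["k_old"] = rec["id"], rec["k"]
            old[rec["id_old"]] = rec
        rec["id"], rec["k"] = id_new, k_new  # found in the old field: only current values move
        cur[id_new] = rec

    def handle_m5(self, m5, n_s, n_r):
        # Step 6: verify the reader, then the tag; derive M6 and the next values; update tables.
        srid, m_r1, sid, m_t1, n_t = m5
        r_rec, r_cur, y = self._find(self.rdr_cur, self.rdr_old, srid)
        if r_rec is None or prng(y, n_s, n_r) != m_r1:
            return None
        t_rec, t_cur, x = self._find(self.tag_cur, self.tag_old, sid)
        if t_rec is None or prng(x, n_s, n_t) != m_t1:
            return None
        m6 = (prng(key_add(y, 1), n_s, n_r), prng(key_add(x, 1), n_s, n_t))
        self._update(self.rdr_cur, self.rdr_old, r_rec, r_cur,
                     prng(srid, y, n_s, n_r), prng(key_add(y, 2), n_s, n_r))
        self._update(self.tag_cur, self.tag_old, t_rec, t_cur,
                     prng(sid, x, n_s, n_t), prng(key_add(x, 2), n_s, n_t))
        return m6


def run_session(server, reader, tag, block_m6=False):
    # Steps 1-8 of the authentication phase. True when reader and tag both accept the
    # server and roll their values forward; block_m6 models an adversary dropping M6.
    n_r, n_s, n_t = (secrets.token_hex(8) for _ in range(3))  # fresh N_R (M1), N_S (M2/M3), N_T
    m_t1 = prng(tag.key, n_s, n_t)                               # step 4
    m_r1 = prng(reader.key, n_s, n_r)                            # step 5
    m6 = server.handle_m5((reader.ident, m_r1, tag.ident, m_t1, n_t), n_s, n_r)
    if m6 is None or block_m6:
        return False
    m_r2, m_t2 = m6
    if prng(key_add(reader.key, 1), n_s, n_r) != m_r2:           # step 7
        return False
    reader.ident, reader.key = (prng(reader.ident, reader.key, n_s, n_r),
                                prng(key_add(reader.key, 2), n_s, n_r))
    if prng(key_add(tag.key, 1), n_s, n_t) != m_t2:              # step 8
        return False
    tag.ident, tag.key = (prng(tag.ident, tag.key, n_s, n_t),
                          prng(key_add(tag.key, 2), n_s, n_t))
    return True


def in_sync(server, reader, tag):
    return reader.ident in server.rdr_cur and tag.ident in server.tag_cur


def demo():
    # Constructed sample credentials, not values from the patent.
    server = Server()
    reader, tag = Principal("srid-0001", "a1b2c3d4"), Principal("sid-0001", "0badcafe")
    server.register(server.rdr_cur, reader.ident, reader.key)
    server.register(server.tag_cur, tag.ident, tag.key)
    out = {"normal": run_session(server, reader, tag)}
    out["blocked"] = run_session(server, reader, tag, block_m6=True)  # server updated, others not
    out["desynced"] = not in_sync(server, reader, tag)
    out["recovered"] = run_session(server, reader, tag)               # found via the old fields
    out["resynced"] = in_sync(server, reader, tag)
    forged = (reader.ident, prng(reader.key, "ns", "nr"), tag.ident, "not-a-valid-M_T1", "nt")
    out["forgery_rejected"] = server.handle_m5(forged, "ns", "nr") is None
    return out
```

Calling demo() returns the outcome of each run: the normal session succeeds; the session with M6 blocked leaves the reader and tag holding the previous values while the server has already moved on; the next session still succeeds because the server finds both records in the old fields and verifies with the old keys, after which the parties are synchronized again; and an M5 carrying a forged M_T1 is rejected before any table is touched. Every lookup is a dictionary access keyed by the received pseudo-identifier, which is the constant-time property Theorem 7 relies on.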
Theorem 7: the scheme is scalable.
Proof: according to the study of Burmester et al., the time overhead is constant if the server can locate the tag's record from the received data alone. If instead a verification has to be performed during the search, every stored tag record has to be tested in turn, and the search cost grows with the number of tags. This scheme uses the tag pseudo-identifier as the index of the tag index data table, so the server finds the tag's record from the received SID alone. Similarly, the server finds the reader's record from the received SRID. Thus, the scheme requires no exhaustive search. Therefore, the scheme scales well and also resists timing attacks.
The above description covers only preferred embodiments of the present invention. It should be noted that various modifications and adaptations will be apparent to those skilled in the art without departing from the principles of the invention, and these are intended to fall within the scope of the invention.

Claims (4)

1. A novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain, characterised by comprising an initial stage and an authentication stage;
the initial stage comprises the following steps:
the first step: for each legitimate tag, the administrator assigns a pseudo-identifier SID and a key x, and then sets up the tag's record in the tag index data table with the fields SID_old, SID, x_old and x, where SID_old and x_old are both set to 0; here SID denotes the tag's current pseudo-identifier, SID_old the tag's previous pseudo-identifier, x the tag's current key and x_old the tag's previous key;
the second step: for each legitimate reader, the administrator assigns a pseudo-identifier SRID and a key y, and then sets up the reader's record in the reader index data table with the fields SRID_old, SRID, y_old and y, where SRID_old and y_old are both set to 0; here SRID denotes the reader's current pseudo-identifier, SRID_old the reader's previous pseudo-identifier, y the reader's current key and y_old the reader's previous key;
the authentication phase comprises the following steps:
the first step: reader → server: M_1 = {N_R}; the reader generates a random number N_R and sends it to the server;
the second step: server → reader: M_2 = {N_S}; on receiving M_1, the server generates a random number N_S and sends it to the reader;
the third step: reader → tag: M_3 = {N_S}; on receiving M_2, the reader forwards N_S to the tag;
the fourth step: tag → reader: M_4 = {SID, M_T1, N_T}; on receiving M_3, the tag generates a random number N_T, calculates M_T1 = PRNG(x || N_S || N_T) and sends {SID, M_T1, N_T} to the reader;
the fifth step: reader → server: M_5 = {SRID, M_R1, SID, M_T1, N_T}; on receiving M_4, the reader calculates M_R1 = PRNG(y || N_S || N_R) and sends the reply {SRID, M_R1, SID, M_T1, N_T} to the server;
the sixth step: server → reader: M_6 = {M_R2, M_T2};
on receiving M_5, the server searches for the received SRID in the reader index data table; if found, the server reads the corresponding y and checks whether PRNG(y || N_S || N_R) = M_R1 holds; if the equation holds, the reader is valid;
then the server searches for the received SID in the tag index data table; if found, the server reads the corresponding x and checks whether PRNG(x || N_S || N_T) = M_T1 holds; if it holds, the tag is valid; the validity of both the reader and the tag is thereby confirmed;
the server computes M_R2 = PRNG((y + 1) || N_S || N_R), SRID_new = PRNG(SRID || y || N_S || N_R), y_new = PRNG((y + 2) || N_S || N_R), M_T2 = PRNG((x + 1) || N_S || N_T), SID_new = PRNG(SID || x || N_S || N_T) and x_new = PRNG((x + 2) || N_S || N_T); here SRID_new denotes the reader's next pseudo-identifier, y_new the reader's next key, SID_new the tag's next pseudo-identifier and x_new the tag's next key; x + 1 denotes the key x increased by 1, x + 2 the key x increased by 2, y + 1 the key y increased by 1 and y + 2 the key y increased by 2;
then the server updates the reader and tag index data tables;
once the update is complete, the server sends {M_R2, M_T2} to the reader;
the seventh step: reader → tag: M_7 = {M_T2}; on receiving M_6, the reader checks whether PRNG((y + 1) || N_S || N_R) = M_R2 holds; if it holds, the server is valid and the reader updates its stored values; because the server sends M_R2 only when the tag is legitimate, the reader verifies the tag through M_R2; the reader then calculates SRID_new = PRNG(SRID || y || N_S || N_R) and y_new = PRNG((y + 2) || N_S || N_R) and updates SRID = SRID_new, y = y_new; then the reader sends M_T2 to the tag;
the eighth step: tag verification; once M_7 arrives, the tag checks whether PRNG((x + 1) || N_S || N_T) = M_T2 holds; if it holds, the server is valid and the tag updates its stored values; the tag also implicitly authenticates the reader, because the tag does not receive a valid M_T2 unless the server has authenticated the reader; the tag then calculates SID_new = PRNG(SID || x || N_S || N_T) and x_new = PRNG((x + 2) || N_S || N_T) and updates SID = SID_new, x = x_new.
2. The novel lightweight authentication protocol method for the RFID-based medical system in the medical emergency supply chain according to claim 1, wherein the server updates the reader index data table as follows: if the SRID was found in the current index field of the table being updated, the server sets SRID_old = SRID, y_old = y, SRID = SRID_new, y = y_new; if the SRID was not found in the current index field of the table being updated (it was matched in the old field), the server only sets SRID = SRID_new, y = y_new.
3. The novel lightweight authentication protocol method for the RFID-based medical system in the medical emergency supply chain according to claim 2, wherein the server updates the tag index data table as follows: if the SID was found in the current index field of the table being updated, the server sets SID_old = SID, x_old = x, SID = SID_new, x = x_new; if the SID was not found in the current index field of the table being updated (it was matched in the old field), the server only sets SID = SID_new, x = x_new.
4. The novel lightweight authentication protocol method for the RFID-based medical system in the medical emergency supply chain according to claim 1, wherein || denotes the concatenation operator.
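The following is an added, runnable model of the authentication phase of claim 1 together with the update rules of claims 2 and 3; it is not the patent's own code. It also plays out the scenarios of the proofs above: the blocked M_6 / M_7 sessions of Theorem 6 and the replayed (SRID, M_R1, N_R) of Theorem 5. Everything the patent leaves open is an assumption here: PRNG is modelled as SHA-256 truncated to 128 bits, every field (pseudo-identifiers, keys, nonces, outputs) is a fixed 128-bit value, x + 1 and similar increments are reduced modulo 2^128, and all identifiers and keys are constructed at random. The class and function names (Party, Table, run_session, desync_demo, replay_demo) are this example's own.

```python
"""Tag / reader / server model of the claimed protocol (added example, not the patent's code)."""
import hashlib
import secrets
from dataclasses import dataclass

W = 16                  # bytes per field; assumption, the patent fixes no length
MOD = 1 << (8 * W)      # x+1, x+2, y+1, y+2 are reduced mod 2^(8W) so they stay W bytes wide

def prng(*parts: int) -> int:
    """PRNG(a || b || ...) modelled as SHA-256 truncated to W bytes (assumption). Fixed-width
    fields keep '||' unambiguous: x||N_S||N_T cannot re-parse as a different (x', N_S', N_T')."""
    data = b"".join(p.to_bytes(W, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:W], "big")

def nonce() -> int:
    return secrets.randbelow(MOD)

@dataclass
class Party:            # a tag holds (SID, x); a reader holds (SRID, y)
    ident: int
    key: int

@dataclass
class Record:           # one row of an index data table: (id_old, id, key_old, key)
    id_old: int
    id_cur: int
    key_old: int
    key_cur: int

class Table:
    """Index data table addressed by current or previous pseudo-identifier: one dictionary
    lookup per message, no exhaustive search over records (Theorem 7)."""
    def __init__(self) -> None:
        self.rows = {}                                       # pseudo-identifier -> Record
    def add(self, p: Party) -> None:
        self.rows[p.ident] = Record(0, p.ident, 0, p.key)    # initial stage: old fields are 0
    def lookup(self, ident: int):
        rec = self.rows.get(ident)
        return (rec, rec.id_cur == ident) if rec else (None, False)
    def update(self, rec: Record, matched_cur: bool, id_new: int, key_new: int) -> None:
        # Claims 2 and 3: shift current into old only when the current index field matched;
        # a match on the old field leaves the old fields alone so a lagging party can still sync.
        for k in (rec.id_old, rec.id_cur):
            self.rows.pop(k, None)
        if matched_cur:
            rec.id_old, rec.key_old = rec.id_cur, rec.key_cur
        rec.id_cur, rec.key_cur = id_new, key_new
        self.rows[rec.id_cur] = rec
        if rec.id_old:
            self.rows[rec.id_old] = rec

def server_check(table: Table, ident: int, mac: int, n_s: int, n_other: int):
    """Locate ident, read the key of the matched field, verify PRNG(key||N_S||N) == mac."""
    rec, cur = table.lookup(ident)
    if rec is None:
        return None
    key = rec.key_cur if cur else rec.key_old
    return (rec, cur, key) if prng(key, n_s, n_other) == mac else None

def run_session(tag: Party, reader: Party, readers: Table, tags: Table,
                block_m6: bool = False, block_m7: bool = False) -> tuple:
    """One authentication phase; returns (server_ok, reader_ok, tag_ok)."""
    n_r, n_s, n_t = nonce(), nonce(), nonce()          # M1 = {N_R}; M2 = M3 = {N_S}; N_T by the tag
    m_t1, m_r1 = prng(tag.key, n_s, n_t), prng(reader.key, n_s, n_r)   # M4 and M5 authenticators
    r = server_check(readers, reader.ident, m_r1, n_s, n_r)
    t = server_check(tags, tag.ident, m_t1, n_s, n_t)
    if r is None or t is None:
        return (False, False, False)
    (r_rec, r_cur, y), (t_rec, t_cur, x) = r, t
    m_r2, m_t2 = prng((y + 1) % MOD, n_s, n_r), prng((x + 1) % MOD, n_s, n_t)
    readers.update(r_rec, r_cur, prng(reader.ident, y, n_s, n_r), prng((y + 2) % MOD, n_s, n_r))
    tags.update(t_rec, t_cur, prng(tag.ident, x, n_s, n_t), prng((x + 2) % MOD, n_s, n_t))
    if block_m6 or prng((reader.key + 1) % MOD, n_s, n_r) != m_r2:    # M6 = {M_R2, M_T2}
        return (True, False, False)
    reader.ident, reader.key = (prng(reader.ident, reader.key, n_s, n_r),
                                prng((reader.key + 2) % MOD, n_s, n_r))
    if block_m7 or prng((tag.key + 1) % MOD, n_s, n_t) != m_t2:       # M7 = {M_T2}
        return (True, True, False)
    tag.ident, tag.key = prng(tag.ident, tag.key, n_s, n_t), prng((tag.key + 2) % MOD, n_s, n_t)
    return (True, True, True)

def setup():
    """Initial stage with constructed random identifiers and keys."""
    tag, reader, readers, tags = Party(nonce(), nonce()), Party(nonce(), nonce()), Table(), Table()
    tags.add(tag)
    readers.add(reader)
    return tag, reader, readers, tags

def desync_demo() -> list:
    """Theorem 6 scenario: M6 lost twice, then M7 lost, then an undisturbed run."""
    tag, reader, readers, tags = setup()
    return [run_session(tag, reader, readers, tags, block_m6=True),
            run_session(tag, reader, readers, tags, block_m6=True),
            run_session(tag, reader, readers, tags, block_m7=True),
            run_session(tag, reader, readers, tags)]

def replay_demo() -> bool:
    """Theorem 5 scenario: (SRID, M_R1, N_R) recorded in one session and replayed to the server
    in a new one, where the server draws a fresh N_S. Returns True if the replay is accepted."""
    tag, reader, readers, tags = setup()
    n_r, n_s = nonce(), nonce()
    recorded = (reader.ident, prng(reader.key, n_s, n_r), n_r)
    return server_check(readers, recorded[0], recorded[1], nonce(), recorded[2]) is not None
```

Calling desync_demo() gives (True, False, False) for the two sessions in which M_6 is lost, (True, True, False) for the one in which M_7 is lost, and (True, True, True) for the final run: the server keeps authenticating the lagging reader and tag through the old index fields and, because a match on the old field does not overwrite those fields, the parties converge again once a message gets through. replay_demo() returns False, since the recorded M_R1 was bound to the N_S of the earlier session. Two points the claims leave implicit and a deployment has to settle: PRNG must be a keyed-PRF-quality function over fixed-width fields (a plain concatenation of variable-length fields would make x || N_S ambiguous), and the reduction of x + 1 modulo the field width is only needed because the keys here are fixed-width integers.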

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110756322.9A CN113489722B (en) 2021-07-05 2021-07-05 Novel lightweight identity authentication protocol method for RFID-based medical system in medical emergency supply chain

Publications (2)

Publication Number Publication Date
CN113489722A true CN113489722A (en) 2021-10-08
CN113489722B CN113489722B (en) 2023-03-24

Family

ID=77940777

Country Status (1)

Country Link
CN (1) CN113489722B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006129357A1 (en) * 2005-06-02 2006-12-07 Hitachi Ulsi Systems Co., Ltd. Id tag and reader/writer
US20070069851A1 (en) * 2005-09-28 2007-03-29 Samsung Electronics Co., Ltd. Radio frequency identification tag and radio frequency identification privacy protection system and method
CN101872460A (en) * 2010-05-27 2010-10-27 Shanghai Huacai Technology Co., Ltd. Treatment method of RFID online anti-counterfeiting system based on dynamic anti-counterfeiting mark
TW201211903A (en) * 2010-09-14 2012-03-16 Icon Minsky Luo Near field communication device, authentication system using the same and method thereof
WO2012119434A1 (en) * 2011-03-07 2012-09-13 ZTE Corporation Method for dynamic authentication between reader and tag, and device therefor
CN110381055A (en) * 2019-07-16 2019-10-25 Xuzhou Medical University RFID system privacy-protection certification protocol method in healthcare supply chain
CN110418338A (en) * 2019-07-31 2019-11-05 Xuzhou Medical University Lightweight RFID wireless authentication protocol and system for implantable medical devices

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Chen Xiuqing, Cao Tianjie, Guo Yu (陈秀清, 曹天杰, 郭玉): "Lightweight RFID authentication protocol based on an untraceability model", Computer Science (《计算机科学》) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116633703A (en) * 2023-07-25 2023-08-22 Xuzhou Medical University Medical sensor monitoring system based on blockchain and RFID protocol
CN116633703B (en) * 2023-07-25 2023-11-28 Xuzhou Medical University Medical sensor monitoring system based on blockchain and RFID protocol

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant