CN113489722B - Novel lightweight identity authentication protocol method for RFID-based medical system in medical emergency supply chain - Google Patents

Novel lightweight identity authentication protocol method for RFID-based medical system in medical emergency supply chain

Info

Publication number: CN113489722B
Application number: CN202110756322.9A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113489722A (English)
Prior art keywords: server, sid, srid, new, tag
Inventors: 陈秀清, 张潇, 鲁凡, 潘帅飞, 陈俊树
Current assignee: Xuzhou Medical University
Original assignee: Xuzhou Medical University
Application filed by Xuzhou Medical University; priority to CN202110756322.9A; published as CN113489722A; granted and published as CN113489722B.

Classifications

    • H04L 63/083: Network architectures or network communication protocols for network security; authentication of entities using passwords
    • G06K 7/10257: Sensing record carriers by electromagnetic radiation with wavelengths larger than 0.1 mm (radio waves or microwaves); arrangements for protecting the interrogation against piracy attacks
    • G16H 40/20: ICT specially adapted for the management or administration of healthcare resources or facilities, e.g. managing hospital staff or surgery rooms
    • H04L 63/0428: Network security; confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/1441: Network security; countermeasures against malicious traffic
    • Y02D 30/70: Reducing energy consumption in wireless communication networks

Abstract

The invention discloses a novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain, comprising an initial stage and an authentication stage. The authentication stage comprises the following steps. Step 1, reader → server: M1 = {N_R}; the reader generates a random number N_R and sends it to the server. Step 2, server → reader: M2 = {N_S}; on receiving M1, the server generates a random number N_S and sends it to the reader. Step 3, reader → tag: M3 = {N_S}; on receiving M2, the reader forwards N_S to the tag. The invention is secure and reliable: the secret keys cannot be disclosed, and an attacker cannot link two message parameters that are separated by one complete run of the scheme with a legitimate party.

Description

Novel lightweight identity authentication protocol method for RFID-based medical system in medical emergency supply chain
Technical Field
The invention relates to a novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain, and belongs to the technical field of information security and authentication.
Background
RFID is a key technology of the Internet of Things and can be used to enhance visibility and traceability in a supply chain, so it is widely applied in supply chain management, logistics control, hospital information departments (for example neonate and patient identification), location and tracking of medical assets, patient management and so on. However, the rapid growth of the volume of data collected by RFID brings challenges to data-driven decision making in many fields. In the mobile medical and health industry in particular, massive amounts of data are generated every day; people usually store private medical information databases with cloud storage companies, where the secure storage of the data cannot be guaranteed and patient privacy may be leaked. Therefore, a novel lightweight authentication protocol method for an RFID-based medical system in a medical emergency supply chain is needed.
Disclosure of Invention
The technical problem the invention aims to solve is to provide a novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain that is highly effective in preventing tracking attacks, desynchronization attacks and timing attacks.
To solve this technical problem, the invention adopts the following technical scheme:
A novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain comprises an initial stage and an authentication stage.
The initial stage comprises the following steps:
Step 1: for each legitimate tag, the administrator assigns a pseudo-identifier SID and a key x, and creates the tag's entry in the tag index data table with the fields SID, x, SID_old and x_old, where SID_old and x_old are initialised to 0. Here SID is the tag's current pseudo-identifier, SID_old its previous pseudo-identifier, x its current key and x_old its previous key.
Step 2: for each legitimate reader, the administrator assigns a pseudo-identifier SRID and a key y, and creates the reader's entry in the reader index data table with the fields SRID, y, SRID_old and y_old, where SRID_old and y_old are initialised to 0. Here SRID is the reader's current pseudo-identifier, SRID_old its previous pseudo-identifier, y its current key and y_old its previous key.
The authentication stage comprises the following steps:
Step 1, reader → server: M1 = {N_R}. The reader generates a random number N_R and sends it to the server.
Step 2, server → reader: M2 = {N_S}. On receiving M1, the server generates a random number N_S and sends it to the reader.
Step 3, reader → tag: M3 = {N_S}. On receiving M2, the reader forwards N_S to the tag.
Step 4, tag → reader: M4 = {SID, M_T1, N_T}. On receiving M3, the tag generates a random number N_T, computes M_T1 = PRNG(x||N_S||N_T) and sends {SID, M_T1, N_T} to the reader.
Step 5, reader → server: M5 = {SRID, M_R1, SID, M_T1, N_T}. On receiving M4, the reader computes M_R1 = PRNG(y||N_S||N_R) and sends the reply {SRID, M_R1, SID, M_T1, N_T} to the server.
Step 6, server → reader: M6 = {M_R2, M_T2}.
On receiving M5, the server looks up the received SRID in the reader index data table (in the index field or, failing that, in the SRID_old field). If it is found, the server reads the corresponding y and checks whether PRNG(y||N_S||N_R) = M_R1 holds; if it does, the reader is valid. Here || denotes concatenation.
The server then looks up the received SID in the tag index data table in the same way. If it is found, the server reads the corresponding x and checks whether PRNG(x||N_S||N_T) = M_T1 holds; if it does, the tag is valid. The validity of both the reader and the tag is thereby confirmed.
The server computes M_R2 = PRNG((y+1)||N_S||N_R), SRID_new = PRNG(SRID||y||N_S||N_R), y_new = PRNG((y+2)||N_S||N_R), M_T2 = PRNG((x+1)||N_S||N_T), SID_new = PRNG(SID||x||N_S||N_T) and x_new = PRNG((x+2)||N_S||N_T). Here SRID_new is the reader's next pseudo-identifier, y_new the reader's next key, SID_new the tag's next pseudo-identifier and x_new the tag's next key; x+1 and x+2 denote the key x increased by 1 and by 2, and y+1 and y+2 denote the key y increased by 1 and by 2.
The server then updates the reader and tag index data tables.
Once the update is complete, the server sends {M_R2, M_T2} to the reader.
Step 7, reader → tag: M7 = {M_T2}. On receiving M6, the reader checks whether PRNG((y+1)||N_S||N_R) = M_R2 holds; if so, the server is valid and the reader updates its own pseudo-identifier and key. Because the server sends M_R2 only when the tag is legitimate, the reader also verifies the tag through M_R2. The reader computes SRID_new = PRNG(SRID||y||N_S||N_R) and y_new = PRNG((y+2)||N_S||N_R), sets SRID = SRID_new and y = y_new, and then forwards M_T2 to the tag.
Step 8, verification by the tag: once M7 arrives, the tag checks whether PRNG((x+1)||N_S||N_T) = M_T2 holds; if so, the server is valid and the tag updates its own pseudo-identifier and key. The tag also authenticates the reader implicitly, because it cannot receive a valid M_T2 unless the server has authenticated the reader. The tag computes SID_new = PRNG(SID||x||N_S||N_T) and x_new = PRNG((x+2)||N_S||N_T), and sets SID = SID_new and x = x_new.
The server updates the reader index data table as follows: if the received SRID was found in the index field (current pseudo-identifier) of the table, the server sets SRID_old = SRID, y_old = y, SRID = SRID_new and y = y_new; if it was not found in the index field (that is, it was found in the SRID_old field), the server only sets SRID = SRID_new and y = y_new, leaving the old fields unchanged.
The server updates the tag index data table as follows: if the received SID was found in the index field of the table, the server sets SID_old = SID, x_old = x, SID = SID_new and x = x_new; if it was not found in the index field (that is, it was found in the SID_old field), the server only sets SID = SID_new and x = x_new, leaving the old fields unchanged.
The novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain is secure and reliable: the secret keys cannot be disclosed, and an attacker cannot link two message parameters that are separated by one complete run of the scheme with a legitimate party, which further ensures the security of the protocol. In addition, the tags of the invention are universally untraceable, forward secrecy is guaranteed, impersonation attacks and desynchronization attacks are resisted, and the scheme has good scalability and resistance to timing attacks.
The invention satisfies the following security requirements:
(a) Untraceability: an adversary cannot track a tag. An attacker positioned between the tag and the reader may eavesdrop on tag messages from two different sessions and try to correlate them in order to identify the tag; in the present invention the attacker cannot link the two message parameters.
(b) Forward secrecy: even if the secret parameters (i.e. the keys) of a tag are exposed to an adversary, the adversary cannot recognise the tag's previous messages.
(c) Resistance to impersonation attacks: an adversary may attempt to impersonate a legitimate party (server, reader or tag), for example by replaying a message intercepted on the channel. The present invention prevents any such impersonation.
(d) Resistance to desynchronization attacks: if a scheme relies on shared values for authentication, an adversary may cause desynchronization. For example, if the server updates the shared value but the tag does not, the server may be unable to authenticate the tag in the future. The present invention counters such desynchronization attacks.
(e) Scalability: a scheme is not scalable if the server must perform an exhaustive search to verify a tag. The authentication scheme of the present invention avoids any exhaustive search operation, ensuring scalability.
(f) Lightweight cryptographic mechanism: the method uses only a PRNG function for its cryptographic operations, which realises a lightweight mechanism; the private medical information database does not need to be stored with a cloud storage company, the data is stored securely, and patient privacy is not leaked.
Drawings
FIG. 1 is a flow chart of the present invention.
Detailed Description
The present invention will be further described with reference to the accompanying drawings.
As shown in FIG. 1, the novel lightweight authentication protocol method for an RFID-based medical system in a medical emergency supply chain comprises an initial stage and an authentication stage.
The initial stage comprises the following steps:
Step 1: for each legitimate tag, the administrator assigns a pseudo-identifier SID and a key x, and creates the tag's entry in the tag index data table with the fields SID, x, SID_old and x_old, where SID_old and x_old are initialised to 0. Here SID is the tag's current pseudo-identifier, SID_old its previous pseudo-identifier, x its current key and x_old its previous key.
Step 2: for each legitimate reader, the administrator assigns a pseudo-identifier SRID and a key y, and creates the reader's entry in the reader index data table with the fields SRID, y, SRID_old and y_old, where SRID_old and y_old are initialised to 0. Here SRID is the reader's current pseudo-identifier, SRID_old its previous pseudo-identifier, y its current key and y_old its previous key.
The authentication stage comprises the following steps:
Step 1, reader → server: M1 = {N_R}. The reader generates a random number N_R and sends it to the server.
Step 2, server → reader: M2 = {N_S}. On receiving M1, the server generates a random number N_S and sends it to the reader.
Step 3, reader → tag: M3 = {N_S}. On receiving M2, the reader forwards N_S to the tag.
Step 4, tag → reader: M4 = {SID, M_T1, N_T}. On receiving M3, the tag generates a random number N_T, computes M_T1 = PRNG(x||N_S||N_T) and sends {SID, M_T1, N_T} to the reader.
Step 5, reader → server: M5 = {SRID, M_R1, SID, M_T1, N_T}. On receiving M4, the reader computes M_R1 = PRNG(y||N_S||N_R) and sends the reply {SRID, M_R1, SID, M_T1, N_T} to the server. Here || denotes concatenation.
Step 6, server → reader: M6 = {M_R2, M_T2}.
On receiving M5, the server looks up the received SRID in the reader index data table (in the index field or, failing that, in the SRID_old field). If it is found, the server reads the corresponding y and checks whether PRNG(y||N_S||N_R) = M_R1 holds; if it does, the reader is valid.
The server then looks up the received SID in the tag index data table in the same way. If it is found, the server reads the corresponding x and checks whether PRNG(x||N_S||N_T) = M_T1 holds; if it does, the tag is valid. The validity of both the reader and the tag is thereby confirmed.
The server computes M_R2 = PRNG((y+1)||N_S||N_R), SRID_new = PRNG(SRID||y||N_S||N_R), y_new = PRNG((y+2)||N_S||N_R), M_T2 = PRNG((x+1)||N_S||N_T), SID_new = PRNG(SID||x||N_S||N_T) and x_new = PRNG((x+2)||N_S||N_T). Here SRID_new is the reader's next pseudo-identifier, y_new the reader's next key, SID_new the tag's next pseudo-identifier and x_new the tag's next key; x+1 and x+2 denote the key x increased by 1 and by 2, and y+1 and y+2 denote the key y increased by 1 and by 2.
The server then updates the reader and tag index data tables.
The server updates the reader index data table as follows: if the received SRID was found in the index field (current pseudo-identifier) of the table, the server sets SRID_old = SRID, y_old = y, SRID = SRID_new and y = y_new; if it was not found in the index field (that is, it was found in the SRID_old field), the server only sets SRID = SRID_new and y = y_new, leaving the old fields unchanged.
The server updates the tag index data table as follows: if the received SID was found in the index field of the table, the server sets SID_old = SID, x_old = x, SID = SID_new and x = x_new; if it was not found in the index field (that is, it was found in the SID_old field), the server only sets SID = SID_new and x = x_new, leaving the old fields unchanged.
Once the update is complete, the server sends {M_R2, M_T2} to the reader.
Step 7, reader → tag: M7 = {M_T2}. On receiving M6, the reader checks whether PRNG((y+1)||N_S||N_R) = M_R2 holds; if so, the server is valid and the reader updates its own pseudo-identifier and key. Because the server sends M_R2 only when the tag is legitimate, the reader also verifies the tag through M_R2. The reader computes SRID_new = PRNG(SRID||y||N_S||N_R) and y_new = PRNG((y+2)||N_S||N_R), sets SRID = SRID_new and y = y_new, and then forwards M_T2 to the tag.
Step 8, verification by the tag: once M7 arrives, the tag checks whether PRNG((x+1)||N_S||N_T) = M_T2 holds; if so, the server is valid and the tag updates its own pseudo-identifier and key. The tag also authenticates the reader implicitly, because it cannot receive a valid M_T2 unless the server has authenticated the reader. The tag computes SID_new = PRNG(SID||x||N_S||N_T) and x_new = PRNG((x+2)||N_S||N_T), and sets SID = SID_new and x = x_new.
Security analysis and proofs
Lemma 1: In this scheme, a key can be disclosed only by calling the Reveal oracle.
Proof: In this scheme the transmitted parameters involving the tag key x are M_T1 and M_T2, where M_T1 = PRNG(x||N_S||N_T) and M_T2 = PRNG((x+1)||N_S||N_T). An attacker cannot obtain x from M_T1 or M_T2, because PRNG() is regarded as a one-way (irreversible) operation. On the other hand, the transmitted parameters involving the reader key y are M_R1 and M_R2, generated as M_R1 = PRNG(y||N_S||N_R) and M_R2 = PRNG((y+1)||N_S||N_R). Because PRNG() is irreversible, an adversary cannot obtain y from M_R1 or M_R2. Thus, unless the adversary calls the Reveal oracle, the keys cannot be revealed.
Lemma 2: In the scheme proposed in this embodiment, without calling the Reveal oracle it is not possible to link two message parameters that are separated by one complete run of the scheme with a legitimate party.
Proof: For readability we write P^(i) for the value of parameter P in the i-th session. Without loss of generality, assume an adversary tries to link P^(i) with P^(i+1). In our scheme the messages consist of nine parameters: N_S, N_R, N_T, SID, SRID, M_T1, M_T2, M_R1 and M_R2.
First, consider the parameters N_S, N_R and N_T. N_S is a fresh random number generated in each session, so an attacker cannot link N_S^(i) with N_S^(i+1). Likewise, N_R^(i) and N_T^(i) cannot be linked with N_R^(i+1) and N_T^(i+1) respectively.
Second, consider the pseudo-identifiers SID and SRID. The value of SID^(i+1) is SID^(i+1) = PRNG(SID^(i)||x^(i)||N_S^(i)||N_T^(i)). By Lemma 1 the adversary cannot obtain x^(i), so unless the Reveal oracle is called it is infeasible for the adversary to link SID^(i) with SID^(i+1). Similarly, the value of SRID^(i+1) is SRID^(i+1) = PRNG(SRID^(i)||y^(i)||N_S^(i)||N_R^(i)); because y^(i) is not exposed, the adversary cannot link SRID^(i) with SRID^(i+1).
Finally, consider the remaining parameters. Since M_T1^(i) = PRNG(x^(i)||N_S^(i)||N_T^(i)) and M_T1^(i+1) = PRNG(x^(i+1)||N_S^(i+1)||N_T^(i+1)), linking M_T1^(i) with M_T1^(i+1) requires knowledge of x^(i), which cannot be obtained without the Reveal oracle (Lemma 1). For the same reason, M_T2^(i) = PRNG((x^(i)+1)||N_S^(i)||N_T^(i)) cannot be linked with M_T2^(i+1) = PRNG((x^(i+1)+1)||N_S^(i+1)||N_T^(i+1)). Likewise, since M_R1^(i) = PRNG(y^(i)||N_S^(i)||N_R^(i)) and M_R1^(i+1) = PRNG(y^(i+1)||N_S^(i+1)||N_R^(i+1)), without knowledge of y the adversary cannot link M_R1^(i) with M_R1^(i+1); and for the same reason M_R2^(i) = PRNG((y^(i)+1)||N_S^(i)||N_R^(i)) cannot be linked with M_R2^(i+1) = PRNG((y^(i+1)+1)||N_S^(i+1)||N_R^(i+1)). Thus, without calling the Reveal oracle, an attacker cannot link two message parameters that are separated by one complete run of the scheme with a legitimate party.
Theorem 3: In this scheme, tags are universally untraceable.
Proof: In an RFID scheme, tags are universally untraceable if an adversary cannot link two messages sent or received by a tag that are separated by one complete run of the scheme with a legitimate party. This is modelled as a game between a challenger C and an adversary A on the RFID system, where the power of C and A is bounded by polynomial-time algorithms:
(1) C selects two tags T_0 and T_1, a reader R and a server S, all of which are legitimate.
(2) A calls the oracles Execute, Send and Block a polynomial number of times on T_0, T_1, R and S.
(3) A stops and notifies C.
(4) C chooses a random bit b and sets T = T_b.
(5) A calls the oracles Execute, Send and Block on T, R and S.
(6) A outputs a bit b'. If b' = b, A wins.
The advantage of A in identifying the tag is defined as Adv_A = 2 × (Pr[b' = b] - 1/2), where Pr[b' = b] is the probability that b' = b. If A has no advantage over random guessing, Pr[b' = b] = 1/2. Thus, if Adv_A is 0, the tags are universally untraceable.
Suppose challenger C selects two tags T_0 and T_1, a reader R and a server S for the game. A starts the game and calls the oracles Execute, Send and Block a polynomial number of times on T_0, T_1, R and S. Assume C executes a complete instance of the scheme with each tag, denoted the i-th session. A records all oracle outputs and notifies C. C then selects a random bit b and sets T = T_b. Now A calls the oracles Execute, Send and Block on T, R and S. Suppose C executes a complete instance of the scheme with tag T, denoted the (i+1)-th session. A records all oracle outputs and outputs a guess bit b'. In the proposed scheme the tag sends and receives the messages M3, M4 and M7, which consist of the message parameters N_S, SID, M_T1, N_T and M_T2. Since A cannot link any message parameter of the i-th session with a parameter of the (i+1)-th session (Lemma 2), A can only guess at random. Thus Pr[b' = b] = 1/2 and Adv_A tends to 0. The tags in the proposed scheme therefore satisfy universal untraceability.
Theorem 4: The proposed scheme guarantees forward secrecy.
Proof: As in the proof of Theorem 3, we model this as a game. Challenger C selects two tags T_0 and T_1, a reader R and a server S for the game. Adversary A starts the game and calls the oracles Execute, Send and Block a polynomial number of times on T_0, T_1, R and S. Assume C executes a complete instance of the scheme with each tag. A records the oracle outputs. C then generates a random bit b and sets T = T_b. Thereafter A calls the oracle Reveal(T) to obtain the pseudo-identifier and key of tag T. Finally, A outputs a guess bit b'.
Because the current key of T is generated by applying the PRNG to the previous key, A cannot recover the previous key, as this would require inverting the PRNG. Similarly, A cannot infer the previous pseudo-identifier, because the current pseudo-identifier of T is generated by applying the PRNG to the previous pseudo-identifier. Furthermore, by Lemma 2, A cannot link the previous pseudo-identifier of T (the pseudo-identifier of T_0 or of T_1 in the recorded session) with the current pseudo-identifier of T. Therefore A has no advantage over random guessing, which means the scheme ensures forward secrecy.
Theorem 5: The scheme resists impersonation attacks.
Proof: An adversary may attempt to impersonate a tag, a reader or the server. We discuss the three cases as follows.
(a) Tag impersonation
We model this as a game between challenger C and adversary A:
(1) C selects a tag T, a reader R and a server S, all of which are legitimate.
(2) A calls the oracles Execute, Send and Block a polynomial number of times on T, R and S.
(3) A stops and notifies C.
(4) A calls the Send oracle to impersonate the tag.
(5) If A is authenticated as a valid tag, A wins the game.
Suppose challenger C selects tag T, reader R and server S for the game. A starts the game and calls the oracles Execute, Send and Block a polynomial number of times on T, R and S. Suppose C executes an instance of the scheme on T, R and S. A records all oracle outputs.
To pass authentication, A must send a valid SID and a valid M_T1 = PRNG(x||N_S||N_T). To do so, A needs the tag key x; by Lemma 1, A cannot obtain x and therefore cannot generate a valid M_T1. Alternatively, suppose A calls the Block oracle to block message M5 so that no update occurs, and then notifies C. C then executes a new instance of the scheme on T, R and S. To impersonate the tag, A uses the Send oracle to send the recorded SID, M_T1 and N_T to reader R as the response M4. However, since the server generates a fresh N_S in this run of the scheme, the recorded M_T1 is valid only if the new N_S equals the old N_S, which happens with negligible probability. Therefore A cannot impersonate a valid tag.
(b) Reader impersonation
First, consider adversary A trying to impersonate a valid reader towards the tag. As in case (a), the attempt is modelled as a game. To be authenticated by tag T, A must send a valid M_T2 = PRNG((x+1)||N_S||N_T). By Lemma 1, A cannot obtain x and therefore cannot generate a valid M_T2. Alternatively, suppose A blocks M7 to prevent any update on the tag and then notifies C. C then executes a new instance of the scheme on T, R and S. To impersonate the reader towards the tag, A sends the recorded M_T2 to tag T. The recorded M_T2 is valid only if the N_T generated in the new run equals the old N_T, which again has negligible probability.
Second, consider A trying to impersonate a valid reader towards the server. This is modelled as a game similar to case (a), except that in the last step A must be authenticated by server S. To be authenticated, A must send the server a valid SRID and a valid M_R1 = PRNG(y||N_S||N_R). By Lemma 1, the reader key y is not disclosed, so A cannot generate a valid M_R1. Alternatively, suppose A blocks M5 to prevent any update and then notifies C. C then executes a new instance of the scheme on T, R and S. To impersonate the reader towards the server, A sends the recorded N_R, SRID and M_R1 to server S. Since S generates a fresh N_S in the new run, the recorded M_R1 is valid with negligible probability. Thus the probability of impersonating a valid reader is negligible.
(c) Server impersonation
We model this attempt as a game similar to case (a), except that A calls the Send oracle to impersonate a legitimate server. To impersonate the server, A must send a valid M_R2 = PRNG((y+1)||N_S||N_R). Without knowing y (Lemma 1), A cannot generate a valid M_R2. Alternatively, suppose A blocks M6 to prevent any update on the reader and the tag, and then notifies C. C then executes a new instance of the scheme on T, R and S. To impersonate the server, A sends the recorded M_R2 to reader R. Because the new N_R differs from the old N_R except with negligible probability, the recorded M_R2 passes verification with negligible probability. Thus adversary A can impersonate a legitimate server only with negligible probability. In summary, the scheme provided by this embodiment resists impersonation attacks.
Theorem 6: The scheme resists desynchronization attacks.
Proof: In this scheme, the server updates the index data tables after receiving and verifying message M_5. If message M_6 is blocked, the reader does not update its pseudo-identifier SRID and key y. Since the previous SRID and y are stored in the old fields, the server can resynchronize with the reader based on them. Assume that there is a new session and M_6 is blocked again. In this session the old values are not updated, since the server finds the received SRID in the old index field. Thus, the server can still synchronize with the reader. Similarly, if M_6 (or M_7) is blocked, the server and the tag remain synchronized. On the other hand, as discussed in the proof of Theorem 5, an adversary cannot forge a valid M_T1 and M_R1 to force the server to update the index data tables. Therefore, the scheme resists desynchronization attacks.
Theorem 7: The scheme is scalable.
Proof: According to the study of Burmester et al., the time overhead is constant if the server can find the record of a tag based only on the received data; if instead a lookup requires verification, every lookup must test each tag record. The scheme uses the tag pseudo-identifier as the index of the tag index data table, so the server can find the tag's record from the received SID alone. Similarly, the server finds the reader's record from the received SRID. Thus, the scheme requires no exhaustive search. Therefore, the scheme has good scalability and resists timing attacks.
The above description is only of the preferred embodiments of the present invention, and it should be noted that: it will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the principles of the invention, and such modifications and adaptations are intended to be within the scope of the invention.

Claims (4)

1. A novel lightweight identity authentication protocol method for an RFID-based medical system in a medical emergency supply chain, characterized by comprising an initial stage and an authentication stage;
the initial stage comprises the following steps:
The first step: for each legitimate tag, the administrator assigns a pseudo-identifier SID and a key x, and then sets SID_old = SID and x_old = x in the tag's index data table, with SID_old and x_old both initialized to 0; wherein SID represents the tag's current pseudo-identifier; SID_old the tag's previous pseudo-identifier; x the tag's current key; x_old the tag's previous key;
The second step: for each legitimate reader, the administrator assigns a pseudo-identifier SRID and a key y, and then sets SRID_old = SRID and y_old = y in the reader's index data table, with SRID_old and y_old both initialized to 0; wherein SRID represents the reader's current pseudo-identifier; SRID_old the reader's previous pseudo-identifier; y the reader's current key; y_old the reader's previous key;
the authentication phase comprises the following steps:
The first step: Reader → Server: M_1 = {N_R}. The reader generates a random number N_R and sends it to the server;
The second step: Server → Reader: M_2 = {N_S}. On receiving M_1, the server generates a random number N_S and sends it to the reader;
The third step: Reader → Tag: M_3 = {N_S}. On receiving M_2, the reader forwards N_S to the tag;
The fourth step: Tag → Reader: M_4 = {SID, M_T1, N_T}. On receiving M_3, the tag generates a random number N_T, computes M_T1 = PRNG(x||N_S||N_T) and sends {SID, M_T1, N_T} to the reader;
The fifth step: Reader → Server: M_5 = {SRID, M_R1, SID, M_T1, N_T}. On receiving M_4, the reader computes M_R1 = PRNG(y||N_S||N_R) and sends the reply {SRID, M_R1, SID, M_T1, N_T} to the server;
The sixth step: Server → Reader: M_6 = {M_R2, M_T2}.
On receiving M_5, the server looks up the received SRID in the reader index data table; if found, the server reads the corresponding y and checks whether the equation PRNG(y||N_S||N_R) = M_R1 holds; if it holds, the reader is valid;
Then the server looks up the received SID in the tag index data table; if found, the server reads the corresponding x and checks whether the equation PRNG(x||N_S||N_T) = M_T1 holds; if it holds, the tag is valid; the validity of both the reader and the tag is thus confirmed;
The server computes M_R2 = PRNG((y+1)||N_S||N_R), SRID_new = PRNG(SRID||y||N_S||N_R), y_new = PRNG((y+2)||N_S||N_R), M_T2 = PRNG((x+1)||N_S||N_T), SID_new = PRNG(SID||x||N_S||N_T) and x_new = PRNG((x+2)||N_S||N_T); wherein SRID_new represents the reader's next pseudo-identifier; y_new the reader's next key; SID_new the tag's next pseudo-identifier; x_new the tag's next key; x+1 denotes the key x increased by 1; x+2 the key x increased by 2; y+1 the key y increased by 1; y+2 the key y increased by 2;
Then the server updates the index data tables of the reader and the tag;
Once the update is complete, the server sends {M_R2, M_T2} to the reader;
The seventh step: Reader → Tag: M_7 = {M_T2}. On receiving M_6, the reader checks whether PRNG((y+1)||N_S||N_R) = M_R2 holds; if so, the server is valid and the reader updates its index data; because the server sends M_R2 only when the tag is legitimate, the reader verifies the tag through M_R2; the reader then computes SRID_new = PRNG(SRID||y||N_S||N_R), y_new = PRNG((y+2)||N_S||N_R) and updates SRID = SRID_new, y = y_new; then the reader sends M_T2 to the tag;
The eighth step: tag verification. Once M_7 arrives, the tag checks whether PRNG((x+1)||N_S||N_T) = M_T2 holds; if so, the server is valid and the tag updates its index data; the tag also implicitly authenticates the reader, because the tag does not receive a valid M_T2 unless the server has authenticated the reader; the tag then computes SID_new = PRNG(SID||x||N_S||N_T), x_new = PRNG((x+2)||N_S||N_T) and updates SID = SID_new, x = x_new.
2. The novel lightweight identity authentication protocol method for the RFID-based medical system in the medical emergency supply chain according to claim 1, wherein the method by which the server updates the reader index data table comprises: if the received SRID is found in the current index field of the index data table being updated, the server sets SRID_old = SRID, y_old = y, SRID = SRID_new, y = y_new; if the received SRID is not found in the current index field of the index data table being updated (that is, it was found in the old field), the server sets only SRID = SRID_new, y = y_new.
3. The novel lightweight identity authentication protocol method for the RFID-based medical system in the medical emergency supply chain according to claim 2, wherein the method by which the server updates the tag index data table comprises: if the received SID is found in the current index field of the index data table being updated, the server sets SID_old = SID, x_old = x, SID = SID_new, x = x_new; if the received SID is not found in the current index field of the index data table being updated (that is, it was found in the old field), the server sets only SID = SID_new, x = x_new.
4. The novel lightweight identity authentication protocol method for the RFID-based medical system in the medical emergency supply chain according to claim 1, wherein || denotes the concatenation operator.
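The following Python simulation is an added example and is not code from the patent or its authors. It walks through the claim-1 message flow and the claim-2/3 index-table update, instantiating the unspecified PRNG as SHA-256 over the concatenation and reading x+1, x+2 as integer addition on the key (both assumptions); demo() runs a normal session, a session in which M_6 is blocked, and a third session that recovers through the old fields, as in the proof of Theorem 6.

```python
import hashlib, os
def PRNG(*parts):
    # The claims' PRNG(a||b||c), instantiated here as SHA-256 of the concatenation (assumption)
    return hashlib.sha256(b"".join(parts)).digest()
def add(k, n): return (int.from_bytes(k, "big") + n).to_bytes(33, "big")  # "x+1", "x+2" (assumption)
class Table:  # index data table of claims 2/3: one record, found by its current or its old pseudo-identifier
    def __init__(self, pid, key):
        self.pid, self.key, self.pid_old, self.key_old = pid, key, b"\0", b"\0"  # old fields start at 0
    def find(self, pid):  # direct lookup by pseudo-identifier, no exhaustive search (Theorem 7)
        if pid == self.pid: return self.key, "cur"
        if pid == self.pid_old: return self.key_old, "old"
        return None, None
    def update(self, where, pid_new, key_new):
        if where == "cur":  # found in the index field: shift the current values into the old fields
            self.pid_old, self.key_old = self.pid, self.key
        self.pid, self.key = pid_new, key_new  # found in the old field: overwrite the current values only
class Server:
    def __init__(self, sid, x, srid, y):
        self.tags, self.readers = Table(sid, x), Table(srid, y)
    def verify_m5(self, n_s, n_r, srid, m_r1, sid, m_t1, n_t):
        y, rw = self.readers.find(srid)  # sixth step: check the reader, then the tag
        if y is None or PRNG(y, n_s, n_r) != m_r1: return None
        x, tw = self.tags.find(sid)
        if x is None or PRNG(x, n_s, n_t) != m_t1: return None
        self.readers.update(rw, PRNG(srid, y, n_s, n_r), PRNG(add(y, 2), n_s, n_r))  # SRID_new, y_new
        self.tags.update(tw, PRNG(sid, x, n_s, n_t), PRNG(add(x, 2), n_s, n_t))      # SID_new, x_new
        return PRNG(add(y, 1), n_s, n_r), PRNG(add(x, 1), n_s, n_t)  # M_6 = {M_R2, M_T2}

def session(tag, reader, server, block_m6=False):
    """One run of the authentication phase; tag and reader are dicts {pid, key}. Returns (reader_ok, tag_ok)."""
    n_r, n_s, n_t = os.urandom(16), os.urandom(16), os.urandom(16)  # M_1, M_2/M_3 and the tag nonce
    m_t1 = PRNG(tag["key"], n_s, n_t)                                 # M_4
    m_r1 = PRNG(reader["key"], n_s, n_r)                              # M_5
    m6 = server.verify_m5(n_s, n_r, reader["pid"], m_r1, tag["pid"], m_t1, n_t)
    if m6 is None or block_m6: return False, False  # M_6 dropped: the server updated, reader and tag did not
    m_r2, m_t2 = m6
    reader_ok = m_r2 == PRNG(add(reader["key"], 1), n_s, n_r)  # seventh step
    if reader_ok:
        reader["pid"], reader["key"] = PRNG(reader["pid"], reader["key"], n_s, n_r), PRNG(add(reader["key"], 2), n_s, n_r)
    tag_ok = reader_ok and m_t2 == PRNG(add(tag["key"], 1), n_s, n_t)  # eighth step, after M_7
    if tag_ok:
        tag["pid"], tag["key"] = PRNG(tag["pid"], tag["key"], n_s, n_t), PRNG(add(tag["key"], 2), n_s, n_t)
    return reader_ok, tag_ok

def demo():  # constructed sample identifiers and keys
    tag, reader = {"pid": b"SID-1", "key": b"x" * 16}, {"pid": b"SRID-1", "key": b"y" * 16}
    srv = Server(tag["pid"], tag["key"], reader["pid"], reader["key"])
    return (session(tag, reader, srv),                 # normal run: all three parties roll forward
            session(tag, reader, srv, block_m6=True),  # M_6 blocked: only the server updates
            session(tag, reader, srv))                 # the old fields let the server resynchronize
```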
CN202110756322.9A 2021-07-05 2021-07-05 Novel lightweight identity authentication protocol method for RFID-based medical system in medical emergency supply chain Active CN113489722B (en)

Publications (2)

Publication Number Publication Date
CN113489722A CN113489722A (en) 2021-10-08
CN113489722B true CN113489722B (en) 2023-03-24


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant