2015 IEEE 12th Consumer Communications and Networking Conference (CCNC): CCNC 2015 Workshops - IEEE CCAN

Lightweight Protocol for Anonymity and Mutual

Authentication in RFID Systems

Musfiq Rahman Raghav V. Sampangi Srinivas Sampalli

Department of Computing Science Faculty of Computer Science Faculty of Computing Science
Thompson Rivers University, Kamloops Dalhousie University, Halifax Dalhousie University, Halifax
British Columbia, Canada Nova Scotia, Canada Nova Scotia, Canada
Email: [email protected] Email: [email protected] Email: [email protected]

Abstract—Radio Frequency Identification (RFID) technology In spite of the current use and encouraging prospects, some
is rapidly making its way to next generation automatic identifica- of the important organizational concerns that need attention
tion systems. Despite encouraging prospects of RFID technology, are security invasion and privacy disclosure. In 2006, Metro
security threats and privacy concerns limit its widespread deploy- AG, a bit supermarket chain in Germany, used RFID tech-
ment. Security in passive RFID tag based systems is a challenge nology to help customers search their target items quickly.
owing to the severe resource restrictions. In this paper, we present
To promote loyalty, they also introduced VIP cards and gave
a lightweight anonymity / mutual authentication protocol that
uses a unique choice of pseudorandom numbers to achieve basic these cards to the top 10% of the customers, based on their
security goals, i.e. confidentiality, integrity and authentication. historical shopping behavior. However, these VIP costumers
We validate our protocol by security analysis. were not aware of the VIP cards having embedded RFID
chips. This was identified when a VIP customer disassembled
Keywords—Anonymity, Mutual Authentication, Security, RFID his card and recognized the embedded RFID chip. Over ten
Security thousands customers’ location privacy data became vulnerable
to disclosure because the VIP card can be easily read by any
I. I NTRODUCTION unauthorized reader [4]. Similarly, the authors in [5] pointed
out that the same benefit, which make the RFID system more
Radio Frequency Identification (RFID) is a wireless radio appealing i.e. convenient non-line-of-sight long range reading,
wave technology where a small electronic chip can be em- can be covertly used to track people as they move through
bedded in any physical object, and can be uniquely identified the world. Security threats and privacy concerns are, thus,
by an RFID reader. In RFID system, the reader broadcasts a the major factors impeding the widespread adoption of RFID
query signal through the forward channel to all passive tags. A systems.
passive RFID tag powers itself from the broadcast query and
responds back with a unique identification (ID) number via the This implies that focus in RFID security should primarily
backscatter channel. The reader then singulates an unique ID be on confidentiality and integrity of communicated mes-
and forwards it to a backend server for further processing of sages, and verification of authenticity of the system entities
the information associated with the tag’s ID [1]. One of the key communicating. Particularly, mutual authentication between
benefits of an RFID system is its non-line-of-sight operation readers-tags, and secure user/location privacy (anonymity and
to automatically identify labeled (or, tagged) objects. untraceability) are the two major concerns of RFID security. A
straightforward solution to accomplish mutual authentication,
RFID technology is not new, it has been around 60 years privacy and data integrity is to adapt existing sophisticated
and was originally developed for distinguishing friendly air- solutions from other wireless networks, such as WiFi or
craft from enemy aircraft during World War II [2]. However, 3G networks. However, severe resource and computational
with improvements in advanced wireless transmission capa- restrictions on low-cost passive RFID tags increases the chal-
bilities and extended data storage space, this technology is lenge associated with this task. This is further complicated
now becoming the next generation identification technology by the fact that passive RFID tags perform one basic task —
in ubiquitous communication environment — replacing the respond to RF queries by any reader [6]. In addition, since
optical bar-code system. RFID systems provide several ben- the communication in RFID is wireless and broadcast, any
efits including contact-less multiple read in one pass, long adversary may capture the communicated messages between
transmission range, and transaction time saving. With these readers and tags using a wireless eavesdropping device and use
benefits, coupled with an unlimited amount of possibilities these captured message to launch many other types of attacks
for connected devices, it is already generating a wealth of such as object tracking, tag compromise and tag impersonation.
valuable data, which can be applied to a variety of systems Therefore, providing security in RFID is challenging and
to enhance our future lives. The simplicity and convenience of requires alternative approaches.
this technology enables it to be a constituent several innovative
applications including, but not limited to — asset management, In the recent past, many researchers have been looking into
tracking, authenticity verification, matching, process control, several innovative solutions for security and privacy in RFID
access control, automated payment and supply chain manage- systems [4], [7]–[10]. Many of these solutions use existing
ment [3]. cryptographic operations such as public key cryptography,

978-1-4799-6390-4/15/$31.00 ©2015 IEEE 910

one way hash function, and symmetric key cryptography to tag. The server then concludes by sending a random number
accomplish data confidentiality, privacy, and integrity [11]– to the tag so that the tag ID is refreshed and synchronized.
[13]. Although those operations provide better security and However, in this mechanism, the tags do not change their
protection against malicious attacks, many argue that it is still identification in authentication sessions. Therefore, tags always
impractical to perform those operations on a low-cost resource- respond to reader queries with the same hashed value of the ID
constrained passive RFID tags [1]. In fact, a passive RFID tag before the tag successfully updates its current identification at
only contain 5K-10K gates, whereas a single cryptographic the end of authentication session. This flaw allows an attacker
primitive requires 250 - 3K gates [14], which is the reason to track a specific tag by eavesdropping. It also falls prey to
why it has been a challenge to deploy powerful cryptography an attack based on de-synchronization of the counters shared
on a low-cost RFID tag. Therefore, lightweight cryptographic by the tag and backend server. Furthermore, the tag remains
solutions are desirable for RFID systems. With this approach, traceable based on the transaction numbers even though they
a few researchers have proposed lightweight authentication are refreshed.
protocols for RFID that employ only primitive and bit-wise
arithmetic/logical operations such AND, OR, XOR, etc. [15]– The works by Osaka et al. [20] and Gui et al. [21] are based
[17]. However, if security algorithms are designed to be too on using random numbers transmitted by RFID readers being
simple owing to the said constraints, they might prove easy used as encryption keys by the tags, and for authentication
to attack. That is exactly what happens with many of these by the server. Osaka et al.’s [20] algorithm is extended by
lightweight authentication protocols. Many of them either fail [21], to provide forward security and prevention from denial of
to provide some security goals or become vulnerable to some service (DoS) attacks, by including additional random numbers
of the common attacks such as eavesdropping, tracking, replay (used for authentication and to derive future encryption keys).
attack and Denial of Service (DoS) attack. Moreover, backend Both protocols use random numbers transmitted with the
servers in RFID systems play an important role in security, message, to be used as encryption keys and for authentication.
and much of these lightweight solutions use them to manage Similarly, Weis et.al [14] propose an RFID system in which
encryption keys and authentication parameters. Key update random numbers are used in the tag’s responses to hide the
(or, refresh) communication between the servers and tags, identification of the tag and to avoid its reuse. This system
often through readers, increases such systems’ vulnerability addresses traceability, but at the cost of an increase in the
to attacks. Therefore, in this paper, we present a lightweight work load of the back-end server to identify and verify the
protocol that uses only pseudorandom generators (PRNG) to tag, by applying an exhaustive search. Impersonation is also
achieve mutual authentication between readers and tags, to possible using this scheme by performing an off-line attack, in
defend against those security threats as well as provide better which the tag is queried for a valid pair and then forwarding
security. In addition, our protocol also provides anonymity this pair to a reader for validation.
and untraceablity, which supports secure user/location privacy.
Without any modification our protocol is applicable both fixed Yu et al.’s [22] protocol uses a 128-bit key set that is dy-
and mobile hand-held readers. namically updated by the server. It uses the least significant 30
bits of the tag ID for authentication. However, by reducing the
The rest of this paper is organized as follows. Section number of bits of the tag ID for authentication, the uniqueness
II reviews previous work on RFID authentication protocol. aspect of a tag ID is reduced, thereby possibly compromising
Next, we present our authentication scheme for low-cost RFID the authentication process and hence, the security of the system
system in section III. The security analysis of our scheme is as a whole. In [23] the authors propose a protocol where the tag
presented in section IV. Finally, we summarize our conclusion generates a new pseudonym (tag ID) for every communication
in section V. by the “tree of secrets” concept, and the server sends the
reader a set of pseudonyms to authenticate the tag for a limited
II. L ITERATURE R EVIEW amount of time (time-limited delegation). However, if the
reader-server communication is compromised, the adversary
Many contemporary researchers focus on mutual authenti- can determine the tree of secrets, which will compromise the
cation and privacy issues in RFID. Most of these deal exten- system.
sively with protocols that require an external entity, typically
the server, to manage / update encryption keys and to manage We can see that the server has an important role, with a
mechanisms for authentication, whereas some protocols ex- responsibility of managing the encryption keys and authen-
plore alternative options such as pseudonyms. In this section, tication parameters. Most protocols also place a significant
we describe some of the current work in this domain. trust in the reader, and any vulnerability in the reader-server
Ohkubo et al. [18] proposed a high level security pro- communication can result in a potential vulnerability for the
tocol using hash function to achieve data security and user system as a whole.
privacy. Although their scheme provides indistinguishability
and forward security, it leads to increased cost of searching
tags by the back-end server. Similarly, Henrici and Müller [19] III. P ROPOSED P ROTOCOL FOR A NONYMITY AND
proposed a hash-based access control mechanisms using RFID. M UTUAL AUTHENTICATION
This protocol begins when the reader queries the tag, to which
the tag responds with its hashed identification and the current In this section, we introduce an authentication protocol,
transaction number. The response is forwarded by the reader to which uses pseudorandom number generator (PRNG) and the
the back-end server for validation, accomplished by the server exclusive-OR (XOR) operation in a novel way for mutual
checking the validity of the identifying information (ID) of the authentication between readers and tags.

978-1-4799-6390-4/15/$31.00 ©2015 IEEE 911

Fig. 1. Overview of the proposed protocol

TABLE I. L IST OF NOTATIONS USED

A. Assumptions
ST Seed value stored on the tag
We assume a typical RFID setup, which comprised of tag, IDT Tag-pseudonym
reader, and backend server. The tags are passive and commu- KR Symmetric pair-wise key between server and reader
nication is initiated by the readers through a forward channel.
m, t Random positive integers
The tags respond back through backscatter channel. We do not
Rm , RT mth and tth pseudorandom number
have any restrictions over the types of readers; they could be 0
Rn , Rn first usable random number using Rm as seed
fixed or hand-held (mobile). The backend server, in our system
0
is used to analyse and collect data. It may maintain an internal Rm mth random number computer by the tag
database. We also assume, both the forward and backscatter k Concatenation
communication channel between reader and tag are insecure ⊕ Bit-wise exclusive-OR (XOR) operation
and adversary can listen to both the channels. However, the P RN G Pseudorandom number generator
communication channel between reader and backend is well
protected, so that adversary cannot eavesdrop or modify any
transmitted message through this channel. Furthermore, we B. Proposed protocol
assume that the backend server authenticates the reader before
it can communicate with tags. In this section, we describe our proposed lightweight
mutual authentication protocol. Our protocol comprises of
Each tag contains two data fields ID, and ST . The ID is three phases — Reader association, Tag selection, and, Mutual
a index-pseudonym, which is a 96 bit number serving as an authentication. (Fig. 1) illustrates the protocol operation.
index to rows of a database (in the backend server) containing
information about tags. According to EPC global standard, Reader Association:
the length of tag identification can be 64 bits, 96 bits and The reader first needs to be registered with the backend
128 bits and 256 bits. Accordingly, we assume a reasonable server. Upon registration, the server generates a unique sym-
length for the index-pseudonym is 96 bits. In addition, for each metric pair-wise key (KR ) and shares it with the reader. This
tag, the backend server also generates a 128 bits unique seed key is used for securing the communication channel between
value ST and pre-loads it on the tag’s memory. A 128-bit seed the server and the specific reader.
value should produce enough entropy in the generated random
number that would be difficult for adversary to brute force. Tag Selection: The reader selects a tag pseudonym (IDT )
For the purposes of our protocol, we also assume that the and securely requests the server for the seed value (ST ) of
tag’s memory is insecure and vulnerable to physical attacks this tag. The server authenticates the reader and securely
[1], which can reveal their entire contents. In other words, replies with the seed value ST associated with the tag (IDT ).
when the tag is compromised, the secret information of the Alternatively, the reader may securely request the server to
tag, which contains a seed value and identification, can be provide a list of IDs and seed values of tags located in a
retrieved by adversary by a physical attack. We present the specific geographic location. The server would then filter the
system notations in Table I. tags based on the location and securely reply to the reader with

978-1-4799-6390-4/15/$31.00 ©2015 IEEE 912

the list of IDs and the seed values of the tags in the required 2) Mutual authentication: In our protocol, the tag verifies
location. whether the received pseudorandom number, Rn , is the same
as the pseudorandom number Rn0 that it computes. Equality
Mutual Authentication: After receiving the seed (ST ), of these two pseudorandom numbers implies that the reader is
reader begins the mutual authentication process with the tag valid. Furthermore, on receiving the tag’s response, the reader
(IDT ) as follows: verifies if the pseudorandom number, RT0 , that it generates is
the same as the received pseudorandom number, RT . With
1) Reader → Tag. both communicating entities validating each other’s responses,
The reader selects a random positive integer m and we claim that our protocol facilitates mutual authentication.
computes the mth pseudorandom number (Rm ) using This is because only a valid reader with the seed ST of tag
ST as PRNG seed. Then, using Rm as PRNG seed, IDT can generate Rn to prove itself to the tag, and only a
the reader generates a random number Rn . It uses valid tag can generate RT to prove itself to the reader.
Rn to create a hello message, (m||Rn ), which it
sends to the tag (IDT ). Here, || represents message 3) Confidentiality and Message Integrity: Our protocol also
concatenation. Note that IDT is never communicated achieves message integrity since m and Rn (and, t and RT )
to the tag. are linked indirectly (through Rm ), and any attempt to modify
2) At the Tag. either m or Rn (and, t or RT ) can be easily identified.
The tag extracts m and Rn from the hello message. This, in turn, ensures data confidentiality, since the transmitted
0 messages Rn and RT conceal the intended message, Rm .
Then, it computes the mth random number, Rm and
0 0
the random number, Rn using Rm as the seed. It 4) Forward secrecy: In our approach, if an adversary gains
validates the authenticity of the reader by comparing access to a contiguous sequence of values of m and Rn (or,
Rn with Rn0 . t and RT ), the values would not enable deciphering the seed
3) Tag → Reader. of the tag, ST . This is because Rn (and, RT ) are computed
If Rn0 = Rn , the reader is valid, then, the tag selects using Rm and, Rm is computed using ST , which are always
a random positive integer t, and generates a random secret. This would ensure that forward secrecy is maintained.
number, RT , using (Rm ⊕ t) as the seed for PRNG.
It sends response message containing (t||RT ) to the 5) Replay attack resistance: Our protocol is safe from re-
reader. play attack as each tag response is dependent on the randomly
4) At the Reader. chosen integer, t, which is not same for successive messages,
The reader validates the tag by generating RT0 using making practical attacks infeasible.
(Rm ⊕ t) as the PRNG seed, and comparing with the
6) Eavesdropping and Man-in-the-Middle attacks: The
received RT . A match indicates that the tag is valid.
protocol prevents packet sniffing and eavesdropping attacks,
If the tag is invalid, the reader repeats the mutual
since the adversary would not be able to gain any meaningful
authentication phase for a specified number of times.
information from the transmitted messages. This would also
If the tag is not valid for more than an acceptable
imply that man-in-the-middle attack attempts would be futile,
number of trials, the reader reports an error to the
since an adversary would first need to infiltrate the system
server.
through successful eavesdropping in order to launch man-in-
the-middle attacks.
IV. A NALYSIS 7) De-synchronization attack resistance: Attempts at de-
synchronization are intended at making a legitimate entity
In this section, we analyse the security offered by our pro- behave in an undesired manner, since it would respond with
posed protocol, by discussing the security goals it satisfies and a parameter that is out of sync from the state at the other
how it performs when subjected to known attacks. Following entity. In our protocol, there is no need for key updates,
this, we provide a brief performance analysis of our proposal, or for changing parameter states at either the tag, reader or
evaluated in terms of storage, operation and communication the server. This is because, using the same seed, the random
overheads. numbers generated are different. This makes it safe from de-
synchronization attacks.
A. Security analysis A simple comparison of recent authentication protocols is
listed in Table II. We compare the related operations of other
1) Anonymity and its resistance to tag tracking: Our pro- authentication protocols. According to the Table II, our scheme
tocol keeps the tag identity a secret at all times, making this achieve the requirement of security and also provides strong
the foundation towards preserving its anonymity. Although the security against a variety of common attacks.
random positive integers m and t are communicated in the
open, the random number, Rm , and implicitly the seed, ST , are B. Performance analysis
never communicated. This means that the protocol maintains
the tag identity a secret at all times. The fact that the operations We provide a brief performance analysis for our protocol
in our protocol are performed for each communicated message in terms of operation, storage and communication overheads.
further implies that the reader query and the tag response are In our scheme, although we use a 128-bit seed in the PRNG
constantly changing, making it difficult for an adversary to function, we assume that the lengths of the index-pseudonym
track the tag (and hence, the object it represents), thus ensuring identification, random numbers, and nonces are all 96-bit.
the tag’s anonymity. Servers and readers are assumed to be high power devices with

978-1-4799-6390-4/15/$31.00 ©2015 IEEE 913

 TABLE II. S ECURITY C OMPARISON ( Y: S ECURE ; N: I NSECURE )

Li et. al. [24] Lo et. al. [4] Chien et. al. [25] Gui et. al. [7] Peris-Lopez et. al. [26] Proposed Protocol
Anonymity & Traceability N Y N Y N Y
Authentication Y Y Y N Y Y
Confidentiality & Integrity N N Y N Y Y
Forward Secrecy Y Y Y Y N Y
Replay-attack N Y Y Y N Y
Man-in-the-Middle N Y Y N N Y
Desynchronization N Y N Y N Y

TABLE III. OVERHEADS OF THE PROPOSED PROTOCOL

application context. In addition, our protocol possesses privacy
OVERHEAD DETAILS protection features such as anonymity and forward secrecy.
Storage 224 bits Although our discussion is in the context of RFID systems,
Operations 3 × P RN G our protocol can be extended to other resource constrained
1 × Choice of t systems including wireless sensor networks, wireless body area
1 × XOR(Rm , t) networks, vehicular ad-hoc networks and mobile smartphone
0
1 × COM P ARE(Rn , Rn ) applications.
Communication 384 bits
R EFERENCES
[1] K. Hoffman, D. Zage, and C. Nita-Rotaru, “A survey of attack and
the capacity for unrestricted storage, and to perform complex defense techniques for reputation systems,” ACM Comput. Surv., vol. 42,
and sophisticated computations. In other words, they are not no. 1, pp. 1:1–1:31, Dec. 2009.
resource-constrained, and hence, are beyond the scope of our [2] J. Landt, “Shrouds of time: The history of RFID,”
performance analysis. We summarize the overheads of our The Association for Automatic Identification and Data
Capture Technologies, Tech. Rep., 2001. [Online]. Available:
protocol, as applied to RFID tags, in Table III, with details http://www.aimglobal.org/technologies/rfid/resources/shrouds of time.pdf
provided in the paragraphs that follow. [3] A. T. Karygiannis, B. Eydt, G. Barber, L. Bunn, and T. Phillips, “Sp
800-98. guidelines for securing radio frequency identification (rfid)
1) Computation cost: The computational cost on the tag systems,” Gaithersburg, MD, United States, Tech. Rep., 2007.
is the bottleneck for RFID systems. To conform with the
[4] N. Lo, K. Yeh, and T. Yang, A Secure Mutual Authentication Protocol
EPC Class-1 Gen-2 tag specifications, our protocol only uses for Low-Cost RFID System. INTECH Open Access Publisher, 2009.
lightweight bit-wise XOR operations and PRNG function. [Online]. Available: http://books.google.ca/books?id=nal9oAEACAAJ
These operations can be implemented on a passive tag effi- [5] A. Juels, “Rfid security and privacy: A research survey,” JOURNAL OF
ciently. SELECTED AREAS IN COMMUNICATION (J-SAC), vol. 24, no. 2, pp.
381–395, 2006.
2) Communication overhead: Our protocol is very light in [6] R. Want, “An introduction to rfid technology,” IEEE Pervasive Com-
terms of communication overheads. In the proposed protocol, puting, vol. 5, no. 1, pp. 25–33, Jan. 2006.
the tag sends only one message (t, and Rt ) in order to [7] Y.-Q. Gui and J. Zhang, “A new authentication rfid protocol with
be successfully authenticated. Thus, the total length of the ownership transfer,” in ICT Convergence (ICTC), 2013 International
message sent by the tag is 192 bits, since t and Rt are 96 Conference on, Oct 2013, pp. 359–364.
bits each. On the other hand, the reader also sends a 192 [8] S. Bezzateev and D. Kovalev, “Rfid advanced ultra lightweight authenti-
cation protocol,” in Problems of Redundancy in Information and Control
bit message over the channel. Therefore, a total of 384 bits Systems (RED), 2012 XIII International Symposium on, Sept 2012, pp.
are communicated over the channel for the reader and the tag 7–9.
to authenticate each other. Hence, it provides relatively low [9] R. V. Sampangi and S. Sampalli, “Rfid mutual authentication protocols
communication overhead. based on gene mutation and transfer,” Journal of Communications
Software and Systems, vol. 9, no. 1, 2013.
3) Storage overhead: Due to the limitation of tag memory, [10] V. Ramachandra, M. Rahman, and S. Sampalli, “Lightweight matrix-
the volume of data requiring storage on the tag should be based authentication protocol for rfid,” in Software, Telecommunications
minimized. In the proposed protocol, the tag stores two values and Computer Networks (SoftCOM), 2011 19th International Confer-
in a rewritable flash memory namely (ID, ST ). ID is 96 bits ence on, Sept 2011, pp. 1–6.
and ST is 128 bits, requiring a total of 224 bits of storage on [11] M. Feldhofer, S. Dominikus, and J. Wolkerstorfer, “Strong authentica-
the tag. Since the tag memory can store 1 Kilobyte of data, in tion for rfid systems using the aes algorithm,” 2004, pp. 357–370.
our protocol, we use less than 22% of the tag’s memory. [12] S. S. Kumar, “Elliptic curve cryptography for constrained devices,”
Ph.D. dissertation, Ruhr-University Bochum, 2006.
[13] N. Lo and K.-H. Yeh, “An efficient mutual authentication scheme for
V. C ONCLUDING R EMARKS epcglobal class-1 generation-2 rfid system,” in Emerging Directions in
Embedded and Ubiquitous Computing, ser. Lecture Notes in Computer
In this paper, we proposed a secure mutual authentica- Science, M. Denko, C.-s. Shih, K.-C. Li, S.-L. Tsao, Q.-A. Zeng,
tion protocol for low-cost resource-constrained RFID systems S. Park, Y.-B. Ko, S.-H. Hung, and J. Park, Eds. Springer Berlin
under insecure wireless communication environments. Our Heidelberg, 2007, vol. 4809, pp. 43–56.
protocol is lightweight, as it uses simple operations including [14] S. Weis, S. Sarma, R. Rivest, and D. Engels, “Security and privacy
aspects of low-cost radio frequency identification systems,” in Security
pseudorandom number generation and exclusive-OR (XOR), in Pervasive Computing, ser. Lecture Notes in Computer Science,
to accomplish the desired security goals. In doing so, the D. Hutter, G. Mller, W. Stephan, and M. Ullmann, Eds. Springer
protocol is safe from known attacks that are relevant to the Berlin Heidelberg, 2004, vol. 2802, pp. 201–212.

978-1-4799-6390-4/15/$31.00 ©2015 IEEE 914

[15] P. D’Arco and A. D. Santis, “On ultralightweight rfid authentication
protocols,” IEEE Transactions on Dependable and Secure Computing,
vol. 8, no. 4, pp. 548–563, 2011.
[16] T. Li, G. Wang, and R. H. Deng, “Security analysis on a family of
ultra-lightweight rfid authentication protocols.” JSW, vol. 3, no. 3, pp.
1–10, 2008.
[17] T. Li and G. Wang, “Security analysis of two ultra-lightweight rfid
authentication protocols.” in SEC, ser. IFIP, H. S. Venter, M. M. Eloff,
L. Labuschagne, J. H. P. Eloff, and R. von Solms, Eds., vol. 232.
Springer, 2007, pp. 109–120.
[18] M. Ohkubo, K. Suzuki, and S. Kinoshita, “Cryptographic approach to
”privacy-friendly” tags,” in IN RFID PRIVACY WORKSHOP, 2003.
[19] D. Henrici and P. Müller, “Hash-based enhancement of location privacy
for radio-frequency identification devices using varying identifiers,”
in Proceedings of the Second IEEE Annual Conference on Pervasive
Computing and Communications Workshops, ser. PERCOMW ’04.
Washington, DC, USA: IEEE Computer Society, 2004, pp. 149–.
[20] K. Osaka, T. Takagi, K. Yamazaki, and O. Takahashi, “An efficient and
secure rfid security method with ownership transfer,” in Computational
Intelligence and Security, 2006 International Conference on, vol. 2,
2006, pp. 1090–1095.
[21] Y.-Q. Gui, J. Zhang, and H. K. Choi, “An improved rfid security
method with ownership transfer,” in ICT Convergence (ICTC), 2011
International Conference on, 2011, pp. 594–596.
[22] j. Yu, G. Khan, and F. Yuan, “Xtea encryption based novel rfid security
protocol,” in Electrical and Computer Engineering (CCECE), 2011 24th
Canadian Conference on, 2011, pp. 58–62.
[23] D. Molnar, A. Soppera, and D. Wagner, “A scalable, delegatable
pseudonym protocol enabling ownership transfer of rfid tags,” in Se-
lected Areas in Cryptography, ser. Lecture Notes in Computer Science,
B. Preneel and S. Tavares, Eds. Springer Berlin Heidelberg, 2006, vol.
3897, pp. 276–290.
[24] L. Lu, Y. Liu, and M. Li, “Refresh: Weak privacy model for rfid
systems,” in INFOCOM, 2010 Proceedings IEEE, March 2010, pp. 1–9.
[25] H.-Y. Chien and C.-W. Huang, “Security of ultra-lightweight rfid
authentication protocols and its improvements,” SIGOPS Oper. Syst.
Rev., vol. 41, no. 4, pp. 83–86, Jul. 2007.
[26] P. Peris-Lopez, J. C. H. Castro, J. M. Estvez-Tapiador, and A. Rib-
agorda, “M2ap: A minimalist mutual-authentication protocol for low-
cost rfid tags.” in UIC, ser. Lecture Notes in Computer Science, vol.
4159. Springer, 2006, pp. 912–923.

978-1-4799-6390-4/15/$31.00 ©2015 IEEE 915