Survey and Analysis of Lightweight Authentication Mechanisms

Interconnecting devices through Radio Frequency IDentification (RFID) enables a large and constantly growing number of applications. Because of this rapid growth, the security of RFID networks has become crucial and is a major challenge. Classical or lightweight cryptographic primitives and protocols are the solutions used to raise the security standards in such networks. Authentication protocols are among the important security protocols that must be integrated before secured information is exchanged. This work surveys recently developed authentication protocols. Further, classifications, security challenges, and attack analysis are explored. A comparative analysis of different types of authentication protocols explains their applications in the resourceful and resource-constrained Internet of Things (IoT). Authentication protocols are categorized as symmetric, asymmetric, lightweight, ultra-lightweight and group protocols. Symmetric and asymmetric protocols are more suitable for resourceful devices, whereas lightweight and ultra-lightweight protocols are designed for resource-constrained devices. Security and cost analysis shows that asymmetric protocols provide higher security than any other protocol at a reasonable cost. Lightweight authentication protocols are suitable for passive RFID devices but do not provide full security.


Introduction
proposed an interconnected network of uniquely identifiable objects, devices, and different types of systems called IoT [1]. Some of the important features of IoT are self-configuration, sensing, ad-hoc networking, automatic identification, etc. [2]. In IoT, each object has a unique address and identification. RFID is mostly preferred for assigning an address and a unique object identification. The information captured by IoT objects is propagated through the internet to other objects. The communicated information captures current events and responses. The revealed information further requires human intervention to control the results [3]. Several kinds of objects form the interconnected network: RFID devices, sensors, mobiles, back-end storage, etc. IoT devices are of two types: resourceful and resource-constrained. Resourceful devices have sufficient software and hardware resources. Resource-constrained devices have some hardware and software resource limitations. The role user sites, obstructing physical access, controlling the devices and stealing the information etc. Protection from these threats demands strong mechanisms for confidentiality, integrity, authentication, availability and non-repudiation [31][32][33][34][35]. These protection mechanisms should address major security concerns in RFID systems such as [36,37]:
• Privacy: No one wants to reveal personal information to others outside an authentic process. Such privacy leakage can enable many kinds of fraud. For example, if an item carries a tag that stores its name, price, area and other item information, a robber can easily work out how much could be gained from one or more robberies in a particular area. Similarly, an unauthentic reader can scan the information written on an e-passport to locate important persons or to count the people gathered in an area [38][39][40]. This could result in the planning of terrorist activities. Thus, leakage of personal or correspondence information through an RFID system is a major concern.
• Tracking: Tracking objects, persons, animals etc. through RFID readers and tags also increases information vulnerabilities. The available information helps to create profiles, and important information can be leaked from these profiles [41]. It can be used in various unauthentic or unwanted activities such as advertising. For example, if a customer buys items from a shop at regular intervals and each item is equipped with an RFID tag, a customer profile can be created in a database. This profile helps to put customers with similar interests in a group. Advertisements of special interest can then be targeted at these groups, which may not be of interest to the customers. The equipment used to track items, people or animals carrying RFID tags is not expensive, so collecting data for advertisements, promotions or forecasting future requirements to earn profits is much easier. Compared to other tracking techniques such as video surveillance, an RFID-based technique is much cheaper and faster. Thus, it is beneficial to both authentic and unauthentic users. Hence, it demands a strong security mechanism to protect the information at every stage of the system. Protected information results in wide application of RFID technology.
• Eavesdropping: This is one of the most common forms of attack in networks that use radio frequency for data communication. An eavesdropper can deploy an antenna to collect the information transmitted between reader and tag. Tags and readers communicate in different frequency bands: low, high, ultrahigh and microwave. Thus, the distance and location of the eavesdropper relative to the reader or tag are important. An attacker can eavesdrop in the reader-to-tag direction (forward eavesdropping), in the tag-to-reader direction (backward eavesdropping), within the operation zone of the reader, and at randomly selected distances and directions. Since it is easily feasible to fetch the information at longer distances without any difficulty, this attack should be handled properly. In real-time applications, if an attacker deploys an antenna to eavesdrop, information from RFID systems such as e-passports, payment systems, identity cards, tickets etc. is at stake [42][43][44]. This information could reveal personal data.
• Skimming: Eavesdropping intercepts information during its transit, whereas skimming reads information where it is stored. Like eavesdropping, a skimming attack can fetch information from real-time applications such as e-passports, identity cards, travel tickets or passes, consumer products etc. This could again reveal personal information such as name, birth date, financial account details, photo etc. Anti-skimming devices designed to protect against this attack use a reverse electromagnetic field. Anti-skimming devices are lightweight, persistent and easy to carry.
• Cloning: Resource-constrained RFID devices are easy to clone because high-security classical primitives cannot be implemented on them. Passive RFID devices are cost effective because they do not require a battery source. These devices gain power from the reader and are thus easy to clone. Similarly, cloning devices can be passive and gain power from the reader. Passive cloning devices are placed close to the original device. Passing a cloning device close to the original device and copying the data for cloning purposes may take just a few seconds or minutes. This is more dangerous for devices that do not provide strong protection, such as employee ID cards, train or bus passes, product vouchers in supply chain management etc. Several solutions have been proposed to protect tags from cloning. Authentication is one of them. In an authentication-based mechanism, a random number is generated and exchanged. The response to this random number uses cryptographic primitives such as digital signatures, hashing, encryption/decryption, message authentication codes etc. The response is verified at the other side. If the response is verified then the tag is considered to be authentic, else unauthentic or cloned. A new random number is generated every time a tag is read. This process further protects the tags from cloning.
• Replay attacks: In an RFID system, one reader scans multiple tags and one tag can be associated with multiple readers. Replay attacks occur when the freshness and aliveness of messages are not handled properly. If traceability is not a major concern then a random number or nonce helps to stop the replaying of messages. A sequence number synchronizes the information between tag and reader. With a fixed-length sequence number, the count of numbers that can be generated is limited. Thus, an attacker can play an old sequence number in a new session. To avoid the replay of an old sequence number in a new session, the aliveness of the message is important [4][45][46][47]. A computational challenge that establishes the aliveness of a message, together with freshness, hinders an attacker from mounting a replay attack. This attack is common among ultra-lightweight protocols, where only bitwise logical operators are allowed [46,48]. These operators are easy to break because they pose the least computational challenge to an attacker.
• Relay attack: In this type of attack, RFID tags and readers are misled by false information. For example, if a reader wants to scan a tag, an attacker tag claims to be the targeted tag [49]. The attacker tag in turn fetches the information from an attacker reader that is close to the authentic tag [50]. Thus, one attacker reader and one attacker tag provide false information to the authentic reader and tag [51,52]. The authentic reader and tag are not in range of each other, but the attacker readers and tags mislead them into believing that they are close [53]. The attackers try to prove to the reader that the destination tag is nearby when it actually is not.
• Denial of Service (DoS): Radio signal blocking, active and passive jamming, packet overflows etc. are the signs of a DoS attack. Low-cost passive devices are resource-constrained devices, so this attack easily blocks their services and is more dangerous for them. An attacker floods packets towards a specific node or a set of nodes. This results in blockage of services. Many solutions have been proposed to observe this attack through graphs, behaviors, trust, performance, quality of service etc. Detecting this attack is easier than removing it in resource-constrained networks [54].
• Spoofing Attack: This attack modifies identity, address or naming services to provide false information. For example, an attacker claims to have a certain IP address, MAC address or domain name, which is not true. Here, the attacker aims to eavesdrop on or modify the information during its transit [55,56].
• Secret disclosure attacks: In this attack, vulnerabilities in key updating, data centre processing, reader or tag computing etc. reveal the identity or key information [57]. This attack is common in ultra-lightweight authentication protocols where some secret information is known to the adversary. A secret disclosure attack can lead to other attacks such as de-synchronization, impersonation, eavesdropping etc. Since algebraic computing is the main cause of this attack, it is dangerous for low-cost passive RFID devices [58].

Authentication protocols, classifications and security issues
Recently developed RFID authentication protocols in the classical, lightweight, ultra-lightweight and grouping-proof categories are discussed in this section. This section also discusses the latest attacks found on recently developed authentication protocols.
Authentication Protocols in Classical Cryptography Primitives Category.
This work discusses authentication protocols that use classical cryptography [59]. Symmetric and asymmetric are the two major types of classical cryptosystems. Protocols in these categories are as follows:
Symmetric Cryptography Primitives based Authentication Protocols.
Protocol (A1): Cheng et al. Protocol [60].
Premise: Let 'R', 'T' and 'DC' represent the reader, tag and data centre respectively. Let r_i, e_i and dc_i be random numbers. Every tag selects its unique identification (ID), with its hash H(ID). K_Old Session and K_Current Session are the old and current session keys between R and T respectively. P(.) represents the enhanced Chebyshev polynomial.
Step 1:- R ➔ T: r_1
Step 2:- T: temp_1
: else if temp_2 equals P_{r_1}(P_{e_1}(K_Old Session)) then
: temp_7 = P_{dc_1,e_1}(K_Old Session) and K_Current Session = K_Old Session ⊕ (dc_1 || e_1)
: else tag is unauthentic
: Now, if tag is authentic then DC ➔ R: temp_6, temp_7
Step 5:- R ➔ T: temp_6, temp_7
Step 6:- T: dc_1 = temp_6 ⊕ H(ID) ⊕ r_1
: if temp_7 equals P_{dc_1,e_1}(K_Current Session) then K_Current Session = K_Current Session ⊕ (e_1 || dc_1)
Explanation: Cheng et al. proposed a random number and hash based authentication protocol in 2013 [60]. In this protocol, the reader starts the authentication process. It selects a random number and sends it to the tag (step 1). The tag computes three responses temp_1, temp_2 and temp_3 with the help of random numbers, H(ID), K_Current Session and P(.). The tag then sends r_1 and the three responses to the reader (step 2). The reader forwards this information to the data centre (step 3). The data centre verifies the tag entry record in its database. If the tag is authentic then the data centre computes two responses for the reader: temp_6 and temp_7 (step 4). The reader forwards these responses to the tag (step 5). The tag verifies the authenticity of the reader by comparing temp_7 with P_{dc_1,e_1}(K_Current Session). If both are equal then the reader is considered to be authentic and a symmetric session key is generated [36,37,46,61,62].

Protocol (A2): Single Entity-Single Communication based Unilateral Authentication Protocol.
Premise: Let 'R' and 'T' represent the reader and tag respectively. Suppose r_i and e_i are the i-th random numbers. A symmetric key 'K' is shared between reader and tag. E_K(.) and D_K(.) are the encryption and decryption functions [63].
Explanation: Two variations of the single entity-single communication based unilateral authentication protocol are possible. In the first variation, the reader sends an encrypted identification-based message to the tag (step 1) and the tag verifies its identity (step 2). In the second variation, the tag sends its encrypted entity to the reader (step 1) and the reader authenticates it by decryption and verification (step 2) [64].

Protocol (A3): Single Entity-Two Communications based Unilateral Authentication Protocol.
Premise: Let 'R' and 'T' represent the reader and tag respectively. Suppose r_i and e_i are the i-th random numbers selected by the reader and tag respectively. A symmetric key 'K' is shared between reader and tag. E_K(.) and D_K(.) are the encryption and decryption functions.
Explanation: There are two versions of the single entity-two communications based unilateral authentication protocol. In the first version, the reader initiates the authentication process by sending a random number challenge (step 1). The tag encrypts the received random number with the symmetric key shared between tag and reader, and forwards it to the reader (step 2). The reader then re-encrypts its own random number challenge and verifies the result by comparing it with the received data (step 3). If both are equal then the tag is considered to be authentic. Similarly, in the second version, the tag initiates the authentication process by sending a random number challenge (step 1). The reader encrypts the challenge with the symmetric key and sends it to the tag (step 2). The tag verifies the response for authentication (step 3) [65].
Asymmetric Cryptography Primitives based Authentication Protocols.
Like symmetric cryptography, protocols based on asymmetric cryptography primitives are also designed to enhance the security of the system. Most of the recently developed asymmetric protocols are based on elliptic curve cryptography. This section discusses the recently developed elliptic curve cryptography based authentication protocols. Recently analyzed attacks on some of the authentication protocols are also explored.

Elliptic Curve Cryptography (ECC) based Authentication Protocols.
Protocol (B1): Authentication mechanism with ECC Encryption/Decryption for end users.
Premise: Let 'R' and 'T' represent the reader and tag respectively. Suppose r_i is the i-th random number selected by the reader or tag. Let C_j and P_j represent the ciphertext and plaintext generated at the j-th side, where j ∈ {R, T}. The encryption and decryption functions at the j-th side are represented by E_j() and D_j(). The unique identifications of the tag and reader are represented by ID_T and ID_R respectively. Let 'h' be the hash function used to generate the digest.
Explanation: This is a random number generation based authentication protocol. Here, the reader selects a random number and computes the ciphertext of the tag identification with this random number. The reader sends the ciphertext, the tag identification and the hash of the random number to the tag (step 1). After receiving the data, the tag decrypts the encrypted information and fetches the random value and the tag identification. Here, the tag verifies the received hash value against the regenerated hash value. If both are verified then the tag sends the decrypted random number to the reader (step 2). The reader compares the received random value with the random value it generated in step 1. If they match then the user associated with the tag is considered to be authentic, otherwise unauthentic (step 3). This protocol was developed on the consideration that it is protected from replay, reflection and chosen-text attacks by its encryption/decryption and hash functions. The use of encryption/decryption and hash functions is the major reason that this protocol is not suitable for resource-constrained devices.
Protocol (B2): ECC based signature-based mechanism for authenticating end users.
Premise:- Let 'R' and 'T' represent the reader and tag respectively. Suppose r_i and e_i are the i-th random numbers selected by the reader and tag respectively, ID_r represents the identification of the reader, CERT_TAG represents the certificate pre-shared between tag and reader, and SIGN and VERIFY represent the digital signature signing and verification processes.
Step 1:- R ➔ T: r_1
Step 2:- T: y = SIGN(r_1, r_2, ID_r)
T ➔ R: r_2, ID_r, y, CERT_TAG
Step 3:- R: VERIFY CERT_TAG and VERIFY y
: if verified then consider that tag is valid.
Explanation: The reader starts the authentication process by sending a random challenge to the tag (step 1). The tag selects another challenge and digitally signs both challenges along with the identification of the reader. The signature, the random challenge, the identification of the reader and the tag's certificate are sent to the reader (step 2). The reader then verifies both the certificate and the digital signature. If both are verified then the tag is considered to be authentic, else unauthentic (step 3). The author claims that this protocol prevents existential forgery attacks.
Premises:- Let 'R' and 'T' represent the reader and tag respectively. Suppose r_i and e_i are the i-th random numbers selected by the reader and tag respectively. The tag's public key is represented by Z, and P is the base point selected on elliptic curve E.
Step 1:- T: Compute X = r_1 P
T ➔ R: X
Step 2:- R ➔ T: e_1
Step 3:- T: Compute y = a e_1 + r_1
T ➔ R: y
Step 4:- R: if yP + e_1 Z == X then authentic else unauthentic
Explanation: Tuyls proposed a Schnorr identification protocol based on the elliptic curve discrete logarithm problem in 2006. In this protocol, the tag starts the communication by sending X = r_1 P to the reader (step 1). The reader receives the message X. To verify this message and the tag, it sends a random number to the tag (step 2). The tag then responds with 'y' to the reader (step 3). The reader verifies the message 'X' with the help of the tag's public key. If it matches then the tag is considered to be authentic, else unauthentic. In this protocol, an attacker reader can easily trace the tag by acting as a middle entity between tag and reader. The attacker reader's function is explained in attack 1.
Attack 1: Tag tracing by attacker reader on ECC and Schnorr Identification scheme.
Premises: In addition to the premises of the protocol, let R_attacker be the eavesdropper that wants to trace the tag.
Step 6:- T ➔ R_attacker: X'
Step 7:- R_attacker ➔ T: e_2 (= e_1)
Step 8:- T ➔ R_attacker: y' = a e_2 + r'
: computes y'P + e_2 Z = X'
Explanation: The attacker reader can now easily trace the tag by checking whether (y' - y)P equals (X' - X). In this attack, R_attacker communicates with 'T' and 'R' to trace 'T'. Here, 'T' communicates with R_attacker instead of 'R' (step 1). R_attacker does not generate a challenge by itself but forwards the e_1 received from 'R' to 'T' (step 2 to step 4). In continuation, 'T' responds to the challenge, but the response goes to R_attacker instead of 'R' (step 5). Later, 'T' communicates again with R_attacker. 'T' and R_attacker again generate new challenges and responses (step 6 and step 8). R_attacker can then keep track of 'T' by computing whether (y' - y)P equals (X' - X).
Attack 2: If the attacker reader knows the public key 'Z' of the tag then it can easily compute the message by computing yP + e_1 Z = X. Thus, this mechanism is not considered to provide forward secrecy.
In addition to attack 1 and attack 2, this protocol has scalability issues. The cost of computation at the reader side is high, since an increase in the number of tags handled per reader requires most of the public keys to be accessed from the database by the reader. This increases the computational cost of the reader. The increased computational cost reduces the capacity of the reader to handle more tags. Thus, the scalability of the network reduces gradually.
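The tracing check from attack 1, worked through in Python as an added example (not code from the chapter or from the cited authors). Assumptions: the curve is secp256k1, the tag's public key is Z = -aP so that the page's test yP + e_1 Z == X holds, and all class and function names are illustrative.

```python
import secrets

# secp256k1 domain parameters. Assumption: the page names no curve.
FIELD = 2**256 - 2**32 - 977
ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BASE = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Add two curve points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % FIELD, -1, FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD, -1, FIELD)
    lam %= FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    return (x3, (lam * (x1 - x3) - y1) % FIELD)


def ec_neg(pt):
    return None if pt is None else (pt[0], -pt[1] % FIELD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    k %= ORDER
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


class Tag:
    """Prover side of the Schnorr identification protocol."""

    def __init__(self):
        self.a = secrets.randbelow(ORDER - 1) + 1   # private key a
        self.Z = ec_neg(ec_mul(self.a, BASE))       # public key Z = -aP (assumed)

    def commit(self):
        self._r = secrets.randbelow(ORDER - 1) + 1  # fresh r for every session
        return ec_mul(self._r, BASE)                # X = rP

    def respond(self, e):
        return (self.a * e + self._r) % ORDER       # y = a*e + r


def reader_accepts(X, e, y, Z):
    """Step 4 of the protocol: accept if yP + eZ == X."""
    return ec_add(ec_mul(y, BASE), ec_mul(e, Z)) == X


def session(tag, e):
    """One protocol run as seen on the air: commitment X and response y."""
    X = tag.commit()
    return X, tag.respond(e)


def same_tag(t1, t2):
    """Link test from attack 1 for two transcripts that used the same
    challenge: (y' - y)P == X' - X holds only if the secret a is the same."""
    (X1, y1), (X2, y2) = t1, t2
    return ec_mul(y2 - y1, BASE) == ec_add(X2, ec_neg(X1))


def demo():
    e = secrets.randbelow(ORDER - 1) + 1            # challenge reused on purpose
    tag_a, tag_b = Tag(), Tag()
    first, again, other = session(tag_a, e), session(tag_a, e), session(tag_b, e)
    return same_tag(first, again), same_tag(first, other)


if __name__ == "__main__":
    print(demo())
```

The link test uses only two transcripts recorded under the same challenge and no key material, which is why fresh randomness r on the tag side does not hide the tag from a party that controls the challenge.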

Lightweight authentication protocols
Lightweight authentication protocols are less powerful than classical cryptography based protocols. Lightweight cryptography is integrated with protocols to achieve confidentiality, integrity, availability, authentication and non-repudiation. Apart from security, the communication and computational cost at the reader and tag is another factor taken into consideration when selecting a lightweight authentication protocol.
Premises:- Let 'R' and 'T' represent the reader and tag respectively. Suppose r_i and e_i are the i-th random numbers selected by the reader and tag respectively. Let 'm' represent the m-bit map held in non-volatile memory. This non-volatile memory is used to store random number information to protect against tracking attacks.
Step 1:- R ➔ T: r_1
Step 4:- DC: find entry for h(k_i, r_1) or h(k_i, e_1) in database. If entry found then
: Compute h(k_i + 1, r_1) or h(k_i + 1, e_1)
: Update k_i with h(k_i) and hash value with h(k_i, r_2)
DC ➔ R: h(k_i + 1, r_1) or h(k_i + 1, e_1)
: if entry is not found in database then DC ➔ R: DENY
Step 5:- R: if response from DC is DENY then R ➔ T: r_3
: else R ➔ T: h(k_i + 1, r_1) or h(k_i + 1, e_1)
Step 6:- T: Compute h(k_i + 1, r_1) or h(k_i + 1, e_1) again
: Compare received message with computed message. If they are equal then
: Update its key with h(k_i) and set all bits of map to zero.
Explanation: This is a random number based authentication protocol. The reader starts the authentication process by selecting a random number and sending it to the tag (step 1). The tag computes its position and looks up the corresponding bit position in the map. If the bit at that position is zero then it sends its position to the reader, else it selects a new random number and sends it to the reader (step 2). The reader sends the received value to the data centre (step 3). The data centre searches for the record in its database. If an entry is found in the database then it updates the key and hash values. The updated information is forwarded to the reader (step 4). If no entry is found in the database then a DENY message is returned. The reader checks the received message. If the received message is not a DENY message then it forwards the received message to the tag (step 5). The tag then recomputes the hash value. If the new hash value is equal to the received value then the tag also updates its hash value. It sets all bits of the map to zero (step 6).
Premises:- Let 'R' and 'T' represent the reader and tag respectively. Suppose r_i and e_i are the i-th random numbers selected by the reader and tag respectively.
Step 1:- R ➔ T_i: {request}
Step 2:- T: Compute IDS = e_1*K + ID_T
T ➔ R: IDS
Step 3:- R: ID'_T = IDS mod K
Explanation: Mitra proposed an authentication protocol to protect against traceability and cloning in 2008 [51]. Reader-to-tag or tag-to-reader eavesdropping on the communication is feasible in this protocol. In this protocol, the reader starts the process by sending a random number (step 1). The tag computes the identification pseudonym and sends it to the reader (step 2). The reader extracts the identification from the received data (step 3).
Step n-2:- T ➔ R_Attacker: IDS_n = e_n*K_n + ID_n
Step n-1:- R_Attacker ➔ R: IDS_n
Step n:- R: ID'_T = IDS_n mod K_n
Step n+1:- R_Attacker: Collects IDS_1, IDS_2, ..., IDS_n.
: Compute temp_1 = (IDS_2 - IDS_1)*K_1, temp_2 = (IDS_3 - IDS_2)*K_2, ..., temp_{n-1} = (IDS_n - IDS_{n-1})*K_{n-1}.
: Compute K_i = GCD(temp_1, temp_2, ..., temp_{n-1})
Explanation: In this attack, an attacker observes the communication between tag and reader [52]. The attacker observes and records the values IDS_1 to IDS_n (step 2, step 5, step n-2). The attacker then calculates the values temp_1 to temp_{n-1} and the greatest common divisor (GCD) of these values (step n+1). This GCD value is the secret key of the tag in the communication. Here, an attacker can start a message exchange with the tag by collecting temp_i and sending IDS_i + r_i*temp_i to the tag. This is an easy way to clone.
Attack:- Traceability attack in Mitra's protocol.
Explanation: The traceability attack on this protocol starts with two requests from the reader to the tag (step 1 to step i+1). In response to these requests, tag receives encrypted messages: IDS_1 and IDS_i. The attacker again sends two requests to the tags with the associated identifications (ID_T, ID'_T) (step i+2). These tags return encrypted messages: IDS_n and IDS_{n+1} (step i+3 and i+4). The attacker accepts these messages from different tags in different forms. It accepts IDS_n and IDS_{n+1} from the tags with identification ID_T and ID'_T respectively. It uses b = 0 for ID_T and b = 1 for ID'_T to distinguish between tags and for further necessary computations. The attacker computes temp_1 and temp_2 from the received encrypted messages (step 5). The attacker then guesses the bit based on a length decision rule. Peris-Lopez found a success probability of guessing equal to 1, and this results in traceability with 50% probability [52].
DOI: http://dx.doi.org/10.5772/intechopen.94407
Attack:- Full disclosure attack on Mitra's protocol.
Explanation: As seen in the cloning attack, the attacker observes the messages exchanged between tags and reader. This results in obtaining the secret key of the tag with the help of GCD computations. After getting the secret of the tag, the attacker can easily reveal the stored and transmitted information. Peris-Lopez calculated the probability of revealing the secret using the Riemann zeta function [52]. The authors found a success rate of 60 to 100% for this attack and claim that it is the most dangerous among all the discussed attacks.
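The key recovery behind the cloning and full disclosure attacks on Mitra's protocol, as an added Python example (not code from the chapter or the cited papers). It assumes the observer works with the differences IDS_{i+1} - IDS_i, each of which is a multiple of K, and it uses constructed key, ID and random number sizes; all function names are illustrative.

```python
import math
import random
from functools import reduce


def tag_pseudonym(key, tag_id, e):
    """Step 2 of the protocol: IDS = e*K + ID_T."""
    return e * key + tag_id


def reader_recover_id(ids, key):
    """Step 3: a reader that knows K gets the ID back as IDS mod K.
    This only works when ID_T < K."""
    return ids % key


def observer_key_estimate(observed):
    """What a passive observer can compute from pseudonyms of one tag.

    Consecutive differences are (e_{i+1} - e_i) * K, so their GCD is K
    multiplied by the GCD of the differences of the random numbers.
    The result equals K exactly when those differences are coprime.
    """
    diffs = [b - a for a, b in zip(observed, observed[1:])]
    return reduce(math.gcd, diffs, 0)


def disclosure_rate(sessions, trials=2000, seed=1):
    """Fraction of simulated tags whose key is recovered exactly after the
    given number of observed sessions (constructed 64-bit keys and 32-bit
    random numbers, fixed seed so the run is repeatable)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(64) | (1 << 63)
        tag_id = rng.randrange(key)
        observed = [tag_pseudonym(key, tag_id, rng.getrandbits(32) + 1)
                    for _ in range(sessions)]
        hits += observer_key_estimate(observed) == key
    return hits / trials


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    key, tag_id = 1000003, 424242
    observed = [tag_pseudonym(key, tag_id, e) for e in (17, 29, 40)]
    estimate = observer_key_estimate(observed)
    print("recovered key:", estimate, "recovered ID:", observed[0] % estimate)
    for n in (3, 4, 8):
        print(n, "sessions ->", disclosure_rate(n))
```

With three observed sessions the simulated recovery rate is close to 6/π² ≈ 0.61 and it approaches 1 as more sessions are seen, in line with the 60 to 100% range reported above.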
Protocol (C3): Qingling et al.'s protocol [51]
Premises: Let 'R', 'T' and 'DC' represent the reader, tag and data centre respectively. Suppose r_i, e_i and dc_i are the random numbers selected by the reader, tag and data centre respectively. MSB and LSB represent the most and least significant bits of a unique identifier (UID_T) and access password (PASSWD_T).
Step 1:- R ➔ T_i: r_i
Step 2:- T_i: If this condition holds for any tag in data centre then tag is authentic and process continues else unauthentic.
If condition holds then reader is authentic else unauthentic.
Explanation: Qingling et al. [66] proposed a lightweight authentication protocol based on a password challenge [51]. The reader starts the authentication process by sending a random number challenge to the tag (step 1). The tag constructs the most significant and least significant parts of the message to generate a response for the reader. The most significant and least significant parts are XORed with passwords before being sent to the reader (step 2). The reader verifies the received messages and generates a new challenge for the tag to prove its authenticity (step 3). The tag verifies the received message for reader authenticity (step 4).
Step 1:- R_Attacker ➔ T_i:
Explanation: Peris-Lopez et al. discovered impersonation of the tag and the reader in two communications [52]. This is possible by passively observing one session between tag and reader. This impersonation helps the attacker to send a message with new random values (e^new_i and r^new_i). Verification of this message at the tag side is then easy (step 1). Similarly, an attacker can supplant the reader with a message containing new random variables (e^new_i). This message authenticates the attacker as a genuine reader. The tag cannot detect this attack easily (step 2).

Step 2 (Challenge):
R_Attacker: Selects two tags with UID_{T_0} and UID_{T_1}. It executes a test query that returns two random numbers r^new_1 and e^{T_i}_2, and message
Step 3 (Guessing):
R_Attacker: An attacker obtains constant_1 and constant_2 values from step 1 and step 2 respectively. These values are associated
An attacker calculates the value of output bit d = {0 if constant_1 equals constant_2, 1 if constant_1 does not equal constant_2}.
Explanation: Peris-Lopez et al. calculated the probability of distinguishing between tags in order to interact for traceability [52]. This probability is high because it is easy to distinguish between tags. Thus, it is easy to implement a traceability attack with the above sequence of steps. There are three stages of observation: learning, challenge and guessing. The learning stage observes the transactions between reader and tag to collect the secret parameters. The challenge stage puts random number based challenges to the tag through the attacker. Finally, the guessing stage finds the probability of receiving 0 or 1.
Explanation: LRAP is an elliptic curve based lightweight authentication protocol proposed by Liu et al. in 2013 [67]. The reader starts the authentication process by sending a hello request (step 1). The tag responds with its identification pseudonym (step 2). The reader's response to the tag includes the ciphertexts appended to the identification pseudonym (step 3). These ciphertexts are generated by encrypting the reader-generated random numbers with the encryption key. After receiving the response from the reader, the tag extracts the random numbers and verifies them. If they are verified then it computes a new identification and random number based response for the reader (step 4). After this communication, the tag initiates the identification pseudonym updating process. On receiving the response, the reader verifies it for authenticity and initiates the identification pseudonym updating process (step 5).

Grouping/yoking authentication protocols
This section discusses the protocols that allows the multiple tags to authentication simultaneously with same reader. Multiple tag authentication constructs groups with unique group identifications. Group construction is possible through collaborations of tag to jointly request the reader for authentication. Following are the important group authentication protocols [68].
Protocol (E1): Juels Yoking Protocol [69,70]. Premise:-Let 'R', 'T' and 'DC' represents the reader, tag and data centre respectively. Let r i and e i are the random number selected by reader and tag respectively. Suppose, 'K i ' is the shared key between reader and i th tag, MAC is the message authentication code.
Protocol (E2): Saito and Sakurai's Protocol [73]. Premise:-Let 'R', 'T' and 'DC' represents the reader, tag and data centre respectively. Suppose, 'K i ' is the shared key between reader and i th tag, MAC is the message authentication code. PT is the pallet tag.
Step Explanation: Saito and Sakurai protocol tried to remove replay attack from juel's protocol [74]. Data centre initiated the group authentication proof protocol by sending a timestamp message to reader (step 1). Reader forwards the timestamp to all tags (step 2). All tags then send a message authentication code of timestamp to reader (step 3). There is use of pallet tag in this protocol. This tag is assumed to have abundance of resources as compared to any existing tag. Reader forwards the timestamp message and message authentication code of all tags to pallet tag (step 4). Pallet tag encrypts the received message and sends it to reader (step 5). Reader forwards this message to data centre for storage (step 6). This stored entry is a grouping proof.
Attack: Secret disclosure attack on Kazahaya. Explanation: Bagheri et al. found that it is possible for an attacker to retrieve the tag's secret parameters at a cost of $O(2^{16})$ offline random number evaluations [75]. In this attack, an attacker eavesdrops on one session between tag and reader. Then, at a cost of $O(2^{16})$ operations, the attacker obtains the private key of the tag, the identification of the tag and the group identification. Disclosure of these secret parameters increases the chance of tag and reader impersonation, and of traceability. An attacker can forge proofs at any time. It is found that forged proofs pass verification at the cost of eavesdropping on one session. Thus, the forgery attack is another threat to this protocol, and the probability of this attack is '1'.

Comparisons
A security and cost analysis of the authentication protocols is presented in this section. The security analysis is performed based on the parameters selected in Section 3. Similarly, cost is estimated through communication and computational cost parameters. This analysis is performed to find the authentication protocols suitable for resource-constrained or resourceful devices in IoT.

Security analysis
The security analysis examines the possibility of attacks on the surveyed authentication protocols. The protocols are compared using four levels of attack possibility: infeasible, strong, medium and weak. Attacks on authentication protocols, and their chances of success against the studied protocols, are taken from the literature. If a direct attack is found, the possibility of attack is considered to be strong (S). Otherwise, the attacker's dependency on an existing attack is examined. For example, man-in-the-middle and denial of service attacks lead to de-synchronization and traceability attacks. Hence, if the chances of man-in-the-middle and denial of service attacks are strong, then de-synchronization and traceability attacks have medium (M) chances. Similarly, eavesdropping leads to a secret disclosure attack. The chances of indirect attacks are considered to be medium because extra computational and communication cost is required to perform them. Further, the chances of indirect attacks with high computational and communication cost are considered to be weak (W).

Overall, the analysis shows that the recent trend is to design authentication protocols based on asymmetric key cryptosystems, because such protocols provide high security and low communication cost compared to protocols based on symmetric key cryptosystems. Authentication protocols based on symmetric or asymmetric cryptosystems are suitable for resourceful devices such as active RFID devices. These devices can afford the computational cost of the protocols. Lightweight and ultra-lightweight protocols are designed for resource-constrained devices such as passive RFID devices. These devices cannot afford high computation or storage. The security of such protocols is a major concern. It is impossible to fully secure such protocols from attacks. A protocol with a higher probability of resisting attacks is considered to be more reliable. Hence protocols like C4, D2 and D3 are more reliable. Further, these authentication protocols can be extended to create groups, giving grouping or yoking protocols.

Cost analysis
The communication and computational costs of the studied authentication protocols are analyzed in Table 1. Communication cost is measured in terms of the number of transactions made between reader and tag. The levels used to measure the cost are Low (L), Medium (M) and High (H). If the number of transactions is between 1 and 3, the communication cost is considered to be low. If it varies from 4 to 6, the communication cost is medium. The communication cost is considered to be high if the number of transactions is more than 6. It is found that the communication cost of authentication protocols based on asymmetric cryptography primitives is much lower than that of any other type of authentication protocol. Although lightweight and ultra-lightweight protocols claim to be efficient for resource-constrained devices, asymmetric cryptography based protocols can also be designed to reduce the overhead through a reduction in communication cost. For example, protocol C4 is based on elliptic curve asymmetric cryptography and is more efficient than any other lightweight protocol.

Like communication cost, computational cost is also divided into three levels: Low, Medium and High. A high-cost authentication protocol includes encryption, decryption, hashing or other computationally expensive functions. Medium-cost protocols include mathematical functions like elliptic curve addition, multiplication or inverse, shift or permutation operations, etc. A low-cost protocol uses only simple mathematical functions such as logical operations (AND, OR, NOT, etc.), simple permutation, rotation, random number generators, etc. Lightweight and ultra-lightweight protocols are designed specifically around these low computational cost factors. The computational cost of these protocols is much lower than that of any classical cryptography based symmetric or asymmetric authentication protocol.

Conclusion
In this work, RFID authentication protocols from different categories are studied and compared on security requirements and cost. Authentication protocols are categorized as symmetric, asymmetric, lightweight, ultra-lightweight and group-based authentication protocols. It is found that asymmetric cryptography based protocols are gaining popularity day by day and provide enough security. Symmetric and asymmetric cryptography based authentication protocols are suitable for resourceful devices. Passive RFID devices are resource-constrained devices, so lightweight or ultra-lightweight protocols are more suitable for them. Security in lightweight protocols is a major challenge. Hardware limitations restrict the implementation of full security on these devices. Thus, these devices cannot be fully protected. Integration of asymmetric key cryptography based lightweight authentication protocols is a contemporary topic of research. These unilateral or mutual authentication protocols can be extended for group authentication. Multiple tags authenticate themselves with the reader and store group information in the data centre. This concept of group authentication is important for IoT. Authenticated devices in IoT increase the chances of secure communication in a network. Future work demands the construction of a secure grouping proof protocol that is not affected by relay, replay or de-synchronization attacks.

[Tables: Possibility of Attacks on Authentication Protocols; Cost Analysis]

Key terms and definitions
Active attacks: an illegal act of modifying the information or operation to affect the system.
Asymmetric key cryptography: a cryptosystem that uses public and private keys for the encryption and decryption process.
Authentication: a process to confirm the attributes of a message or user, known as message or user authentication.
Lightweight cryptography: a cryptosystem with the least computational cost, designed to provide security for resource-constrained devices.
Passive attacks: an illegal use of important system information without affecting the resources.
Symmetric key cryptography: a cryptosystem that uses the same (symmetric) key for the encryption and decryption operations.
Yoking protocol: a group of participants authenticate each other to construct a secure environment.