Open access peer-reviewed chapter - ONLINE FIRST

Survey and Analysis of Lightweight Authentication Mechanisms

By Adarsh Kumar and Deepak Kumar Sharma

Submitted: June 19th 2020Reviewed: October 9th 2020Published: December 30th 2020

DOI: 10.5772/intechopen.94407

Downloaded: 29


Interconnection of devices through Radio Frequency IDentification (RFID) brings enormous applications that are increasing constantly day by day. Due to the rapid growth of such applications, security of RFID networks becomes crucial and is a major challenge. Classical or lightweight cryptography primitives and protocols are the solutions to enhance the security standards in such networks. Authentication protocols are one of the important security protocols required to be integrated before exchange of secured information. This work surveyed the recently developed authentication protocols. Further, classifications, security challenges, and attack analysis are explored. A comparative analysis of different types of authentication protocols explains their applications in resourceful and resource constraint Internet of Things (IoT). Authentication protocols are categorized into: symmetric, asymmetric, lightweight, ultra-lightweight and group protocols. Symmetric and asymmetric protocols are more suitable for resourceful devices whereas lightweight and ultra-lightweight protocols are designed for resource constraint devices. Security and cost analysis shows that asymmetric protocols provide higher security than any other protocol at a reasonable cost. However, lightweight authentication protocols are suitable for passive RFID devices but do not provide full security.


  • authentication
  • authorization
  • cost analysis
  • cybersecurity
  • lightweight cryptography
  • primitives
  • protocols

1. Introduction

Kevin Ashton in 2009 proposed an interconnected network of uniquely identifiable objects, devices, and different types of systems called IoT [1]. Some of the important features of IoT are self-configuration, sensing, ad-hoc networking, automatic identification, etc. [2]. In IoT, each object has a unique address and identification. Here, mostly RFID is preferred for assigning an address and unique object identification. The information, captured by IoT objects, is propagated through the internet to other objects. The information communicated captures the current events and responses. The revealed information further requires human intervention to control the results [3]. Several objects are involved to form the interconnected network: RFID devices, sensors, mobiles, back end storage, etc. Resourceful and resource constraints are the types of IoT devices. In resourceful devices, there are sufficient software and hardware resources. There are some hardware and software resource limitations in resource constraint devices. The role of the devices changes with the condition. For example, a metro smart card authenticates the passenger at the entry point, the same card authenticates exit after deducting a charge for the travel. Using the same smart card, information of daily passenger traveling systems is stored in a database server and helps in train counting. Library management, supply chain management, and inventory control systems are some of the applications of RFID enabled things. Here, users are validated using authentication protocols. Unauthenticated users are disallowed to enter into the system. The observation system is maintained to analyze the possibilities of intrusions by unauthenticated users.

There are different types of authentication protocols. Cryptographic primitives, like AES, RSA, SHA, etc. are used in resourceful devices for authentication and authorization. Lightweight primitives and lightweight protocols are the different types of lightweight cryptography [4]. Stream cipher, hash function, block cipher, pseudo-random number generation, etc. are included in symmetric primitives whereas asymmetric primitives include discrete logarithmic constructions, number based systems, and curve based cryptosystems. Authentication, yoking, identification, tag ownership protocols, distance bounding, etc. are some classes of lightweight protocols. Up to 30% of gate equivalents (GEs) can be used in resource constraint devices for cryptographic [5, 6]. With the advancement of technology, the GEs also increase [7].

Tags, readers, and data centers are the three types of RFID devices. Information is written over tags and readers are used to read the information. If required, data center is used for storing the information; otherwise, it is communicated to other objects to increase the information availability. The behavior of readers is similar to duplex links. These devices use different procedure for storing data. The tags get power from these devices and have longer information availability range. Tags, passive, semi-passive, active follows the cryptography procedures as implemented [8]. Passive tags do not have their source of power. These tags have low costs and low memory. These are more suitable for short range. Information on these devices is read many times after writing it for once [9, 10, 11]. Active tags are more costly, have their battery source, limited battery and communication range. Active or Semi-passive tags show economical to active tags and costlier to passive tags [12, 13]. These three tags are used in different applications. Semi-passive tags are mainly used in applications such as alarm systems, thermostats, etc. Active tags are used in applications meant for animal or person tracking, health care systems, etc. Supply chain management, smart cards, etc. are some applications of passive tags [14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29].

1.1 Chapter organization

The rest of the chapter is organized as follows: Section 2 states the important security parameters required to analyze the authentication protocols. Section 3 introduces the classifications of recently developed authentication protocols [30]. Lightweight authentication protocols are discussed in section 4. Section 5 presents group authentication protocols. In this section, authentication protocols are classified, explained and analyzed from important attacks. Comparative security and cost analysis of surveyed authentication protocol is presented in section 6. Finally, conclusive and future scope remarks are given in section 7.

2. Security challenges

RFID is a pervasive system. Security of this system is equally important. An attacker can harm at various points including information eavesdropping at end user sites, obstructing physical access, controlling the devices and stealing the information etc. Protection from these threats demands strong mechanism for confidentiality, integrity, authentication, availability and non-repudiation[31, 32, 33, 34, 35]. This protection mechanisms should addresses major security concerns in RFID system like [36, 37]:

  • Privacy: No one is interested to reveal personnel information to others without being part of authentic process. This privacy leakage could bring up many frauds. For example, if some item is equipped with tag and store name, price, area and other item information then a robber can easily fetch the information that how much he can earn with one or more robberies in a particular area. Similarly, unauthentic reader can scan the information written on e-passport to locate the important persons or count the gathering in an area [38, 39, 40]. This could result in planning of some terrorist activities. Thus, privacy of personnel or correspondence information leakage through RFID system is a major concern.

  • Tracking: Objects, persons, animals etc. tracking through RFID readers and tags increases the information vulnerabilities also. This information availability helps to create profiles and important information can be leaked from these profiles [41]. This information can be used in various unauthentic or uninterested activities like: advertisement, etc. For example, if customer is buying items from a shop on a regular interval and each item is equipped with RFID tag then customer profile can be created in a database. This profile helps to put similar interest customers in a group. An advertisement can be floated of special interests for these groups which may not be interest to customers. Equipments used to track items, people or animal attached with RFID tags are not expensive thus data collection for these advertisements, promotions or gathering future requirements to earn profits is much easier. As compared to other tracking techniques like: video surveillance, RFID system based technique is much cheaper and faster. Thus, it is beneficial to both authentic and unauthentic users. Hence, it demands strong security mechanism to protect the information at any stage of system. Protected information results in wide applications of RFID technology.

  • Eavesdropping: This is one of the most common forms of attack in networks where there is use of radio frequency for data communication. An eavesdropper can deploy an antenna to collect the information transmitted between reader and tag. Tags and readers communicate at different frequency bands like: low, high, ultrahigh and microwave. Thus, distance and location of eavesdropper from reader or tag is important. An attacker eavesdrop information in reader to tag (forward eavesdropping), tag to reader (backward eavesdropping), operation zone of reader and randomly selected distance directions. Since, it is easily feasible to fetch the information at longer distance and without any difficulty hence this attack should be handled properly. In real time applications, if an attacker deploy antenna to eavesdrop the information then information from RFID systems like e-passports, payment systems, identity cards, tickers etc. is on stake [42, 43, 44]. This information could reveal personnel data.

  • Skimming: Eavesdropping is intercepting the information during its transit whereas skimming is reading the information from its store stage. Like eavesdropping, skimming attack can fetch the information from real time applications like: e-passports, identity cards, traveling tickers or passes, consumer products etc. This could again reveal the personnel information like: name, birth date, financial account details, photo etc. Anti-skimming devices designed to protect against this attack uses reverse electromagnetic field. Anti-skimming devices are lightweight, persistent and easy to carry.

  • Cloning: Resource constraint RFID devices are easy to clone because high security classical primitives cannot be implemented on these devices. RFID passive devices are cost effective as it does not require battery source. These devices gain power from reader thus easy to clone. Similarly, cloning devices could be passive and gain power from reader. Passive cloning devices are put closer to original device. Passing a cloning device closer to original device and making a copy of the data for cloning purpose may just take few seconds or minutes. This could be more dangerous for those devices which do not provide strong protection like: employee ID cards, train or bus ticket passes, product vouchers in supply chain management etc. Several solutions have been proposed to protect tags from cloning. Authentication is one of them. In authentication based mechanism, a random number is generated and exchanged. Response to this random number exchange uses cryptography primitives like digital signature, hashing, encryption/decryption, message authentication code etc. Verification of this response is performed at other side. If response is verified then tag is considered to be authentic else unauthentic or cloned. A new random number is generated every time a tag is read. This process further protects the tags from cloning.

  • Replay attacks: In RFID system, one reader scans multiple tags and one tag could be associated with multiple readers. Replay attacks occur when freshness and aliveness of messages are not handled properly. If traceability is not a major concern then random number or nonce help to stop replaying of messages. A sequence number synchronizes the information between tag and reader. Count of numbers generated is limited in fixed length sequence number. Thus, an attacker can play old sequence number in new session. In order to avoid replaying an old sequence number in new session, aliveness of message is important [4, 45, 46, 47]. A computational challenge aliveness of message along with freshness hinders the attacker to play a replay attack. This attack is common among ultra-lightweight protocols where bitwise logical operators are only allowed [46, 48]. These operators are easy to break because of least computational breaking challenge.

  • Relay attack: In this type of attack, RFID tags and readers are mislead by providing false information. For example, if some reader is interested to scan a tag then attacker tag claims that it is the targeted tag [49]. Whereas, attacker tag fetches the information from another attacker reader which is close to authentic tag [50]. Thus, one reader and one tag attacker provide false information to authentic reader and tag [51, 52]. These authentic reader and tag are not in range of each other but attacker readers and tags mislead them to be close [53]. Attackers tries to prove the reader that the destination tag is nearby which is not in actual.

  • Denial of Service (DoS): Radio signal blocks, active and passive jamming, packet overflows etc. are the signs of DoS attack. Low cost passive devices are resource constraint devices thus this attack easily blocks the services and it is more dangerous. An attacker floods the packets towards specific or set of nodes. This results to blockage in services. Many solutions are proposed to observe this attack through graphs, behaviors, trusts, performance, quality of service etc. Detection of this attack is easier as compared to removal of attack in resource constraint networks [54].

  • Spoofing Attack: This attack modifies the identity, address or naming services to provide false information. For example, an attacker claims to have certain IP address, MAC address or domain name which is not true. Here, attacker aims to eavesdrop or modify the information during its transit [55, 56].

  • Secret disclosure attacks: In this attack, vulnerabilities of key updating, data centre processing, reader or tag computing etc. reveal the identity or key information [57]. This attack is common in ultra-lightweight authentication protocols where some secret information is known to adversary. Secret disclosure attack could result to other attacks like: de-synchronization, impersonation, eavesdropping etc. Since, algebraic computing is main cause of this attack thus it is dangerous for low cost passive RFID devices [58].

3. Authentication protocols, classifications and security issues

Recently developed RFID authentication protocols in classical, lightweight, ultra-lightweight and grouping proof protocols are discussed in this section. This section also discusses the latest attacks found on recently developed authentication protocols.

Authentication Protocols in Classical Cryptography Primitives Category.

This work discusses authentication protocols that uses classical cryptography [59]. Symmetric and asymmetric are two major types of classical cryptosystems. Protocols in these categories are as follows:

Symmetric Cryptography Primitives based Authentication Protocols.

Protocol (A1): Cheng et al. Protocol [60].

Premise: Let ‘R’, ‘T’ and ‘DC’ represent the reader, tag and data centre respectively. Let ri, ei and dci are the random numbers. Every tag selects its unique identification (ID) with its hash as H(ID). KSessionOldand KSessionCurrentare the old and current session key between R and T respectively. P(.) represents the enhanced chebyshev polynomial.

Step 1:- R➔T  : r1

Step 2:- T    : temp1 = H(ID)e1 r1

        : temp2=Pr1,e1(KSessionCurrent)

        : temp3=KSessionCurrente1

T➔R  : temp1, temp2, temp3

Step 3:- R➔DC : r1, temp1, temp2, temp3

Step 4:- DC   : Computes H(ID)KSessionCurrent=temp1 temp3 r1

        : temp4 = H(ID)KSessionCurrent

        : if temp4 record exist in data centre then fetch H(ID), KSessionCurrent, KSessionOld: temp5 = temp1 H(ID)r1

        : temp6 = H(ID)r1 dc1

        : if temp2 equals to Pr1(Pe1(KSessionCurrent)) then

        : temp7 = Pdc1,e1(KSessionCurrent), KSessionOld= KSessionCurrentand KSessionCurrent=KSessionCurrent(e1||dc1)

        : else if temp2 equals to Pr1(Pe1(KSessionOld)) then

        : temp7 = Pdc1,e1(KSessionOld) and KSessionCurrent= KSessionOld(dc1||e1)

        : else tag is unauthentic

        : Now, if tag is authentic then

DC➔R : temp6, temp7

Step 5:- R➔T  : temp6, temp7

Step 6:- T    : dc1 = temp6 H(ID)r1

        : if temp7 equals to Pdc1,e1(KSessionCurrent) then KSessionCurrent= KSessionCurrent(e1 ||dc1)

Explanation: Cheng et al. proposed random number and hash based authentication protocol in 2013 [60]. In this protocol, reader starts the authentication process. It selects a random number and sends it to tag (step 1). Tag computes three responses temp1, temp2 and temp3 with the help of random numbers, H(ID), KSessionCurrentand P(.). Now, tag sends r1 and three responses to reader (step 2). Reader forwards this information to datacentre (step3). Data centre verifies the tag entry record in database. Further, if tag is authentic then datacentre computes two responses for reader: temp6 and temp7 (step4). Reader forwards these responses to tag (step5). Tag verifies the authenticity of reader by comparing temp7 withPdc1,e1(KSessionCurrent). If both are equal then reader is considered to be authentic and symmetric session key is generated [36, 37, 46, 61, 62].

Protocol (A2): Single Entity-Single Communication based Unilateral Authentication Protocol.

Premise: Let ‘R’ and ‘T’ represents reader and tag respectively. Suppose, ri and ei are the ith random numbers. A symmetric key ‘K’ is shared between reader and tag. EK(.) and DK(.) are the encryption and decryption functions [63].

Version 1:

Step 1:- R➔T  : EK{IDT}

Step 2:- T    : Verify {DK{IDT}}

Version 2:

Step 1:- T➔R  : EK{IDT}

Step 2:- R    : Verify {DK{IDT}}

Explanation: In single entity-single communication based unilateral authentication protocol, two variations of protocols are possible. In first variation, reader sends an encrypted identification based message to tag (step 1) and tag verify its identity (step 2). In second version, tag sends its encrypted entity to reader (step 1) and reader authenticates it by decryption and verification (step 2) [64].

Protocol (A3): Single Entity-Two Communications based Unilateral Authentication Protocol.

Premise: Let ‘R’ and ‘T’ represents reader and tag respectively. Suppose, ri and ei are the i th random numbers selected by reader and tag respectively. A symmetric key ‘K’ is shared between reader and tag. EK(.) and DK(.) are the encryption and decryption functions.

Version 1:

Step 1:- R➔T  : {r1}

Step 2:- T➔R  : EK{r1}

Step 3:- R    : Verify EK{r1}

Version 2:

Step 1:- T➔R  : {e1}

Step 2:- R➔T  : EK{e1}

Step 3:- T    : Verify EK{r1}

Explanation: There are two version of single entity two communications based unilateral authentication protocol. In first version of protocol, reader initiates the authentication process by sending a random number challenge (step 1). Tag encrypts the received random number with symmetric key shared between tag and reader, and forwards it to reader (step 2). Now, reader re-encrypts its own random number challenge and verifies by comparing with the received data (step 3). If both are equal then tag is considered to be authentic. Similarly in second version, tag initiates the authentication process by sending a random number challenge (step 1). Reader encrypts the challenge with symmetric key and sends it to tag (step 2). Tag verifies the response for authentication (step 3) [65].

Asymmetric Cryptography Primitives based Authentication Protocols.

Like symmetric cryptography, asymmetric cryptography primitives based protocols are also designed to enhance the security of system. Major of recently developed asymmetric protocols are based on elliptic curve cryptography. This section discusses the recently developed elliptic curve cryptography based authentication protocols. Recently analyzed attacks on some of the authentication protocols are also explored.

Elliptic Curve Cryptography (ECC) based Authentication Protocols.

Protocol (B1): Authentication mechanism with ECC Encryption/Decryption for end users.

Premise: Let ‘R’ and ‘T’ represents reader and tag respectively. Suppose, ri is the ith random number selected by reader or tag. Let Cj and Pj represent the ciphertext and plaintext generated at ith side. Where, jϵ{R, T}. Encryption and decryption functions at jth side are represented by Ej() and Dj(). Unique identification of tag and reader is represented by IDT and IDR respectively. Let ‘h’ is the hash function used to generate the digest.

Step 1:- R: Selects ‘r1ϵZn

: Calculate (i) H = h(r1)

            (ii) CR = E(r1,IDT)

R➔T  : CR, IDT, H

Step 2:- T: (y,IDT) = D(CR)

: Verify [h(y)==H] and [decrypted IDT]

T➔R  : y

Step 3:- R: if y== r1 then ‘T’ is authentic else unauthentic.

Explanation: This is random number generation based authentication protocol. Here, reader selects a random number and computes the ciphertext of tag identification with this random number. Reader sends the ciphertext, tag identification and hashing over random number to tag (step 1). After receiving the data, tag decrypt the encrypted information and fetches the random value and tag identification. Here, tag verifies the received hash value with regenerated hash value. If both are verified then tag sends the decrypted random number value to reader (step 2). Reader verifies the received random value with its own generated random value in step 1. If it matches then user associated with tag is considered to be authentic otherwise unauthentic (step 3). This protocol was developed by taking consideration that protocol is protected from replay, reflection and chosen-text attacks due to encryption/decryption and hash functions. Use of encryption/decryption and hash functions is the major cause that this protocol is not suitable for resource constraint devices.

Protocol (B2): ECC based signature-based mechanism for authenticating end users.

Premise: - Let ‘R’ and ‘T’ represents reader and tag respectively. Suppose, ri and ei are the ith random number selected by reader and tag respectively, IDr represents the identification of reader, CERTTAG represents the certificate pre-shared between tag and reader, and SIGN and VERIFY represents the digital signature based signing and verification processes.

Step 1:- R➔T : r1

Step 2:- T: y = SIGN(r1, r2, IDr)

T➔R: r2, IDr, y, CERTTAG


: if verified then consider that tag is valid.

Explanation: Reader starts the authentication process by sending a random challenge to tag (step 1). Tag selects another challenge and digitally signs both challenges along with the identification of reader. This signature message, random challenge, identification of reader and tag’s certification is sent towards tag (step 2). Now, reader verifies both the certificate and digital signature. If both are verified then tag is considered to be authentic else unauthentic (step 3). Author claims that this protocol prevents existential forgery attack.

Protocol (B3): Schnorr Identification scheme and end-user verification with ECC [55].

Premises:-Let ‘R’ and ‘T’ represents reader and tag respectively. Suppose, ri and ei are the ith random number selected by reader and tag respectively. Tag’s public key is represented by Z and P is the base point selected on elliptic curve E.

Step 1:- T: Computer X = r1P

T➔R : X

Step 2:- R➔T : e1

Step 3:- T: Compute y = ae1+ r1

T➔R : y

Step 4:-R: if yP+ e1Z==X then authentic else unauthentic

Explanation: Tuyls proposed schnorr identification protocol based on elliptic curve discrete logarithmic problem in 2006. In this protocol, tag starts the communication by sending X = r1P to reader (step 1). Reader receiver the message X. To verify this message and tag, it sends a random number to tag (step 2). Now, tag responds with ‘y’ to the reader (step 3). Reader verifies the message ‘X’ with the help of tag’s public key. If it matches then tag is considered to be authentic else unauthentic. In this protocol, an attacker reader can easily trace the tag by acting as a middle entry between tag and reader. Attacker reader function is explained in attack 1.

Attack 1: Tag tracing by attacker reader on ECC and Schnorr Identification scheme.

Premises: In addition to premises of protocol, let Rattacker is the eavesdropper that want to trace the tag.

Step 1:- T➔ Rattacker  : X

Step 2:- Rattacker➔R  : X

Step 3:- R➔ Rattacker  : e1

Step 4:- Rattacker➔T  : e1

Step 5:- T➔ Rattacker  : y = ae1 + r

: Now, Rattacker is knowing X, e1 and y = ae1 + r.

Step 6:- T➔ Rattacker  : X

Step 7:- Rattacker➔ T  : e2(=e1)

Step 8:- T➔ Rattacker  : y = ae2 + r

 : computes yP + e2Z = X

Explanation: Now, attacker reader can easily trace the tag by checking whether (y-y)P equals (X-X). In this attack, Rattacker communicates with ‘T’ and ‘R’ to trace ‘T’. Here, ‘T’ communicates with Rattacker instead of ‘R’ (step 1). Rattacker does not generate a challenge by itself but forwards the e1 received from ‘R’ to ‘T’ (step 2 to step 4). In continuation, ‘T’ responses to challenge but it go to Rattacker instead of ‘R’(step 5). Later, ‘T’ communicates again with Rattacker. ‘T’ and ‘Rattacker’ again generate new challenges and responses (step 6 and step 8). Now, Rattacker can keep trace of the ‘T’ by computing whether (y-y)P equals (X-X).

Attack 2: If attacker reader knows the public key ‘Z’ of tag then it can easily compute the message by computing yP + e1Z = X. Thus, this mechanism is not considered to be secure against forward secrecy.

In addition to attack 1 and attack 2, this protocol is having scalability issues. Cost of computation at reader side is high since increase in number of tags handled per reader requires most of the public keys to be accessed from database by the reader. This increases the computational cost of reader. Increase in computational cost reduces the power of reader to handle more tag. Thus, scalability of network reduces gradually.

4. Lightweight authentication protocols

Lightweight authentication protocols are less powerful as compared to classical cryptography based protocols. Lightweight cryptography is integrated with protocols to achieve confidentiality, integrity, availability, authentication and non-repudiation. Apart from security, communication and computational cost at reader and tag is another factor taken into consideration for selecting the lightweight authentication protocol.

Protocol (C1):-Yu et al. Protocol [49].

Premises:-Let ‘R’ and ‘T’ represents reader and tag respectively. Suppose, ri and ei are the ith random number selected by reader and tag respectively. Let ‘m’ represents the m-bit map in form of non-volatile memory. This non-volatile memory is used to store random number information to protect from tracking attack.

Step 1:-R➔T: r1

Step 2:-T: Compute j = h(ki, r1)mod m

: if map[j] is zero then

: map[j] = 1 and

T➔R  : h(ki, r1)

: else if map[j] is non-zero then

T➔R  : h(ki,e1)

Step 3:- R➔DC : h(ki, r1) or h(ki,e1).

Step 4:- DC : find entry for h(ki, r1) or h(ki,e1) in database. If entry found then

: Compute h(ki + 1, r1) or h(ki + 1,e1)

: Update ki with h(ki) and hash value with h(ki, r2)

DC➔R: h(ki + 1, r1) or h(ki + 1,e1)

: if entry does not found in database then


Step 5:- R: if response from DC is DENY then

R➔T: r3

: else

R➔T: h(ki + 1, r1) or h(ki + 1,e1)

Step 6:- T: Compute h(ki + 1, r1) or h(ki + 1,e1) again

: Compare received message with computed message. If they are equal then

: Update its key with h(ki) and all bits of map equals to zero.

Explanation: This is a random number based authentication protocol. Reader starts a process of authentication by selecting a random number and sending towards tag (step 1). Tag computes its position and search the corresponding bit position on map. If bit position is zero on map then it sends its position to reader else selects a new random number and send towards tag (step 2). Reader sends the received value to data centre (step 3). Data centre searches the record in database. If entry found in database then it updates key and hash values. Updated information is forwarded to reader (step 4). If entry is not found in database then a DENY message is replied. Reader checks the received message. If received message is not DENY message then it forwards the received message to tag (step 5). Now, tag re-computes the hash value. If new hash value is equal to received value then tag also updates its hash value. It sets all bits of map to zero (step 6).

Protocol (C2):-Mitra et al. protocol [51].

Premises:-Let ‘R’ and ‘T’ represents reader and tag respectively. Suppose, ri and ei are the ith random number selected by reader and tag respectively.

Step 1:- R➔Ti:{request}

Step 2:- T: Compute IDS = e1*K + IDT

T➔R  : IDS

Step 3:- R: IDT=IDS mod K

Explanation: Mitra proposed authentication protocol to protect against traceability and cloning in 2008 [51]. Reader to tag or tag to reader eavesdropping in communication is feasible in this protocol. In this protocol, reader starts the process by sending a random number (step 1). Tag computes the identification pseudonym and sends it to reader (step 2). Reader extracts the identification from received data (step 3).

Attack:- Cloning attack on Mitra Protocol.

Step 1:- R➔T: {request}

Step 2:- T: Compute IDS1 = e1*K1 + IDT

T➔RAttacker  : IDS1

Step 3:- RAttacker➔R: IDS1

Step 4:- R: IDT=IDS1 mod K1

R➔T: {request}

Step 5:- T➔RAttacker : IDS2 = e2 * K2 + IDT

Step 6:- RAttacker➔R : IDS2



Step n-2:- T➔RAttacker : IDSn = en * Kn + IDn

Step n-1:- RAttacker➔R: IDSn

Step n: - R: IDT=IDSn mod Kn

Step n + 1:- RAttacker: Collects IDS1, IDS2, ...., IDSn.

: Compute temp1 = (IDS2-IDS1)*K1, temp2 = (IDS3-IDS2)*K2, ......, tempn-1 = (IDSn-IDSn-1)*Kn-1.

: Compute Ki = GCD(temp1, temp2, ....tempn-1)

Explanation: In this attack, an attacker observes the communication between tag and reader [52]. Attacker observes and record IDS1 to /IDSn values (step 2, step 5, step n-2). This attacker again calculates temp1 to tempn-1 values and greatest common divisor (GCD) of these values (step n + 1). This GCD value is the secret key of tag in communication. Here, an attacker can start the message exchange with tag by collecting tempi and sending IDSi + ri*tempi to tag. This is an easy way to clone.

Attack:- Traceability attack in Mitra’s protocol.

Step 1:- RAttacker➔T: {request}

Step 2:- T➔RAttacker: IDS1



Step i:- RAttacker➔T: {request}

Step i + 1:- T➔RAttacker: IDSi

Step i + 2:- RAttacker➔T: {request}

RAttacker➔T: {request}

Step i + 3:- T➔RAttacker: IDSn

Step i + 4:- T➔ RAttacker : IDSn + 1

Step i + 5:- RAttacker: accept IDSn if b==0, accept IDSn + 1 if b==1

: Compute temp1 = IDS1-IDSi

: Compute temp2 = IDS1IDSnifb==0IDSnIDSn+1ifb==1

: Select d=0ifGCDtemp1temp22L/2d=1ifGCDtemp1temp2<2L/2

Explanation: Traceability attack in this protocol start with two requests from reader to tag (step 1 to step i + 1). In response to these requests, tag receives encrypted messages: IDS1 and IDSi. Attacker again sends two requests to associated identifications (IDT, IDT) based tags (step i + 2). These tags return encrypted messages: IDSn and IDSn + 1 (step i + 3 and i + 4). Attacker accepts these messages from different tags in different form. It accepts IDSn and IDSn + 1 from tags with identification IDT and IDTrespectively. It uses b = 0 for IDT and b = 1 for IDTto distinguish between tags and further necessary computations. Attacker computes temp1 and temp2 from received encrypted messages (step 5). Now, attacker guesses the bit based on length decision rule. Peris-Lopez found a success probability of guessing equal to 1 and this result in traceability with 50% probability [52].

Attack:- Full disclosure attack on Mitra’s protocol

Explanation: As seen in cloning attack, attacker observes the messages exchange between tags and reader. This results in obtaining the secret key of tag with the help of GCD computations. After getting the secret of tag, attacker can easily reveal the stored and transmitted information. Peris-Lopez calculated the probability of revealing the secret using Riemann zeta function [52]. Authors found a success rate of 60 to 100% of this attack and claim that it is most dangerous among all discussed attacks.

Protocol (C3): Qingling et al.’s protocol [51]

Premises: Let ‘R’, ‘T’ and ‘DC’ represents the reader, tag and data centre respectively. Suppose ri, ei and dci are the random numbers selected by reader, tag and data centre respectively. MSB and LSB represents the most and least significant bits of a unique identifier (UIDT) and access password (PASSWDT).

Step 1:- R➔Ti : ri

Step 2:- Ti: MessageTi= MessageLSBTi||MessageMSBTi



Ti➔R: {MessageTi,eiTi}

Step 3:- R: Verify MessageTiPASSWDTiequals to CRC (UIDLSBTiri ei) || CRC(UIDMSBTiri ei). If this condition holds for any tag in data centre then tag is authentic and process continues else unauthentic.

: Compute MessageR = MessageLSBR||MessageMSBR, Where, MessageLSBR= CRC(UIDLSBTiriTi) PASSWDLSBTiand MessageMSBR= CRC(UIDMSBTiriTi) PASSWDMSBTi.

R➔ Ti: MessageR

Step 4:- T: Verify MessageR PASSWDTiequals to CRC(UIDLSBTiriTi) || CRC(UIDMSBTiriTi). If condition holds then reader isauthentic else unauthentic.

Explanation: Qingling et al. [66] proposed a lightweight authentication protocol based on password challenge [51]. Reader starts the authentication process by sending a random number challenge to tag (step 1). Tag constructs most significant and least significant part of message to generate response for reader. Most significant and least significant parts are XORed with passwords before sending it to reader (step 2). Reader verifies the received messages and generates new challenge for tag to prove its authenticity (step 3). Tag verifies the received message for reader authenticity (step 4).

Attack:- Attack on Qingling et al.’s protocol.

Premise:- An attacker eavesdrops one session between ‘R’ and ‘T’.

Step 1:- RAttacker➔ Ti : MessageLSBTiCRC(α)||MessageMSBTiCRC(α), einew. Where, α = δ + γ. δ=einewei, γ=rinewri.

Step 2:- RAttacker➔ R : MessageLSBRCRC(δ)|| MessageMSBTiCRC(δ). Where, δ=einewei.

Explanation: Peris-Lopez et al. discovered impersonation of tag and reader in two communications [52]. This is possible by passively observing the one session between tag and reader. This impersonation helps the attacker to send a message with new random values (einewand rinew). Now, verification of this message at tag side is easy (step 1). Similarly, an attacker can supplant the reader with a message containing new random variables (einew). This message authenticates the attacker as a genuine reader. Tag can not detect this attack easily (step 2).

Attack:- Traceability attack on Qingling et al. protocol.

Step 1 (Learning):

RAttacer   : Acquire r1, e1 and MessageT0= MessageLSBT0||MessageMSBT0, MessageLSBT0= CRC(UIDLSBT0r1 e1)PASSWDLSBT0, MessageMSBT0= CRC(UIDMSBT0r1 e1) PASSWDMSBT0.

Step 2 (Challenge):

RAttacer   : Selects two tags with UIDT0and UIDT1. It execute a test query that result to return two random numbers r1newand e2Ti, and message MessageTi{MessageT0,MessageT1}.Selection of message is dependent on random bit b{0,1}. {CRC(UIDLSBT0r1newe2T0) PASSWDLSBT0|| CRC(UIDMSBT0r1newe2T0) PASSWDMSBT0if {b==0}or {CRC(UIDLSBT0r1newe2T1) PASSWDLSBT1|| CRC(UIDMSBT1r1newe2T1) PASSWDMSBT1if b==1}

Step 3 (Guessing):

RAttacer   : An attacker obtains constant 1 and constant 2 values from step 1 and step 2 respectively. These values are associated to T0. Constant1LSB = MessageLSBT0CRC(r1)CRC(e1) = CRC(UIDLSBT0)PASSWDLSBT0. Constant1MSB = MessageLSBT0CRC(r1)CRC(e1) = CRC(UIDMSBT0)PASSWDMSBT0. Constant1 = Constant1LSB|| Constant1MSB. {CRCUIDLSBT0PASSWDLSBT0|| CRC(UIDMSBT0)PASSWDMSBT0if {b==0}or {CRCUIDLSBT0PASSWDLSBT1|| CRC(UIDMSBT1PASSWDMSBT1if b==1. An attacker calculate value of output bit d = {0 if constant1 equals to constant2, 1 if constant 1 not equals to constant 2}.

Explanation: Peris-Lopex et al. calculated the probability to distinguish between tags in order to interact for traceability [52]. This probability is high because it is easy to distinguish between tags. Thus, it is easy to implement traceability attack with above sequence of steps. There are three stage of observation: learning, challenge and guessing. Learning state observe the transactions between reader and tag to collect the secret parameters. Challenge step put random number based challenges to tag through attacker. Finally guessing state finds the probability of receiving 0 or 1.

Protocol (C4): LRAP (Lightweight RFID Authentication protocol) [67]

Premises:- Let ‘R’, ‘T’ and ‘DC’ represents the reader, tag and data centre respectively. Suppose ri, ei and dci are the random numbers selected by reader, tag and data centre respectively. Further, IDS, Ci, KE, KD are the identification pseudonym, ith ciphertext, encryption and decryption keys respectively.

Step 1:- R➔T: {Hello}

Step 2:- T➔R: {IDS}

Step 3:- R: Compute ciphertext, (C1, C2, C3) = EKE(r1, r2), C3 = r3P, (temp1, temp2) = r3KE, C1 = temp1 . r1 mod N, C2 = temp2 .r2 mod N, temp3 = (IDS + r1 + r2)KE.

R➔T  : (C1, C2, C3) || temp3

Step 4:- T: Extract (r1, r2) from (C1, C2, C3), (temp1, temp2) = KD.C3, r1 = C1. temp11mod N, r2 = C2. temp21mod N, Compute temp3= (IDS + r1 + r2)KDP and verifies whether temp3equals to temp3. If both are equal then compute temp4 = (r1 r2) + ID.

T➔R  : temp4

: Updation IDSold = IDS, IDSnew = (IDSold + r1) + (ID+r2)

Step 5:- R: Computes temp4= (r1 r2) + ID, Verifies temp4equals to temp4. If both are equal then tag is authentic else unauthentic.

: Updation IDS = (IDS + r1) (ID+ r2).

Explanation: LRAP is elliptic curve based lightweight authentication protocol proposed by Liu et al. in 2013 [67]. Reader starts the authentication process by sending a hello request (step 1). Tag responds with its identification pseudonym (step 2). Reader response to tag includes the ciphertexts append with identification pseudonym (step 3). These ciphertexts are generated by encrypting the reader generated random numbers with encryption key. After receiving the response from reader, tag extracts the random numbers and verifies it. If these are verified then compute a new identification and random number based response to reader (step 4). After this communication, tag initiates the identification pseudonym updating process. On receiving the response, reader verifies it for authenticity and initiated the identification pseudonym updating process (step 5).

5. Grouping/yoking authentication protocols

This section discusses the protocols that allows the multiple tags to authentication simultaneously with same reader. Multiple tag authentication constructs groups with unique group identifications. Group construction is possible through collaborations of tag to jointly request the reader for authentication. Following are the important group authentication protocols [68].

Protocol (E1): Juels Yoking Protocol [69, 70].

Premise:- Let ‘R’, ‘T’ and ‘DC’ represents the reader, tag and data centre respectively. Let ri and ei are the random number selected by reader and tag respectively. Suppose, ‘Ki’ is the shared key between reader and ith tag, MAC is the message authentication code.

Step 1:- R➔T1  : {hello}

Step 2:- T1➔R  : IDT1, e1

Step 3:- R➔T2  : e1

Step 4:- T2➔R  : IDT2, e2, temp1=MACK2[e1]

Step 5:- R➔T1  : e2

Step 6:- T1➔R  : temp2=MACK1[e2]

Step 7:- R➔DC : {IDT1, e1, temp2, IDT2, e2, temp1}

Explanation: Juel’s grouping protocol is the first group authentication protocol [71, 72]. This is the simplest protocol to understand and implement. Reader starts the authentication process by sending a random number based challenge (step 1). Tag responds with its identification mark and another random number challenge (step 2).

Protocol (E2): Saito and Sakurai’s Protocol [73].

Premise:- Let ‘R’, ‘T’ and ‘DC’ represents the reader, tag and data centre respectively. Suppose, ‘Ki’ is the shared key between reader and ith tag, MAC is the message authentication code. PT is the pallet tag.

Step 1:- DC➔R  : {timestamp}

Step 2:- R➔Ti  : {timestamp}, Where i{1,n}

Step 3:- Ti➔R  : tempi= MACKi[timestamp]

Step 4:- R➔PT  : {timestamp}, tempi,

Step 5:- PT➔R  : EK[{timestamp}, tempi]

Step 6:- R➔DC  : {timestamp, EK[{timestamp}, tempi], IDT1}

Explanation: Saito and Sakurai protocol tried to remove replay attack from juel’s protocol [74]. Data centre initiated the group authentication proof protocol by sending a timestamp message to reader (step 1). Reader forwards the timestamp to all tags (step 2). All tags then send a message authentication code of timestamp to reader (step 3). There is use of pallet tag in this protocol. This tag is assumed to have abundance of resources as compared to any existing tag. Reader forwards the timestamp message and message authentication code of all tags to pallet tag (step 4). Pallet tag encrypts the received message and sends it to reader (step 5). Reader forwards this message to data centre for storage (step 6). This stored entry is a grouping proof.

Attack: Secret disclosure attack on Kazahaya.

Explanation: Bagheri et al. found that it is possible for an attacker to retrieve tag’s secret parameters at cost of O(216) offline random number evaluations [75]. In this attack, an attacker eavesdrops one session between tag and reader. Further, at cost of O(216) operations, it fetches private key of tag, identification of tag and group identification. These secret disclosure parameters increase the chance of tag and reader impersonation, and traceability. An attack can forge proofs at any time. It is found that verification of forged proofs is possible at cost of one session eavesdropping. Thus, forgery attack is another threat to this protocol and probability of this attack is ‘1’.

6. Comparisons

Security and cost analysis of authentication protocols is presented in this section. Security analysis is performed based on parameters selected in Section 3. Similarly, cost estimation is analyzed through communication and computational cost parameters. This analysis is performed to find authentication protocol suitable for resource constraint or resourceful devices in IoT.

6.1 Security analysis

Possibilities of attacks on surveyed authentication protocols are analyzed in security analysis. This comparison of authentication protocols is made through infeasible, strong, medium and weak possibilities of attacks. Authentication protocol attacks and their chance on studied protocols are searched from literature. If a direct attack is found then possibility of attack is considered to be strong (S). Otherwise, attacker’s dependency on existing attack is searched. For example, man-in-the-middle and denial of service attacks lead to de-synchronization and traceability attacks. Hence, if chances of man-in-the-middle and denial of service attacks is strong then de-synchronization and traceability attacks provide medium (M) chances. Similarly, eavesdropping leads to secret disclosure attack. Chances of indirect attacks are considered to be medium because extra computational and communication cost is required to perform these attacks. Further, chances of indirect attacks with high computational and communication cost are considered to be weak (W). Overall, it is analyzed that the recent trends is to design authentication protocols based on asymmetric key based cryptosystem because such protocol provide high security and low communicational cost as compared to symmetric key cryptosystem based protocols. Symmetric or asymmetric cryptosystem based authentication protocols are suitable for resourceful devices such as active RFID devices. These devices can afford the computational cost of protocols. Lightweight and ultra-lightweight protocols are designed for resource constraint devices like: passive RFID devices. These devices cannot afford high computations or storage. Security of such protocols is a major concern. It is impossible to fully secure such protocols from attacks. Protocol with higher attack resistant probability is considered to be more reliable. Hence protocol like C4, D2 and D3 are more reliable. Further, these authentication protocols can be extended to create groups called grouping or yoking protocols.

6.2 Cost analysis

Communication and computational cost of studied authentication protocols is analyzed in Table 1. Communication cost is measured in terms of number of transactions made between reader and tag. Different levels to measure the cost are Low (L), Medium (M) and High (H). If number of transactions is between 1 and 3 then communication cost is considered to be low. If it varies from 4 to 6 then communication cost is medium. Communication cost is considered to be high if number of transactions is more than 6. It is found that communication cost of asymmetric cryptography primitives based authentication protocols is much lower than any other type of authentication protocols. Although lightweight and ultra-lightweight protocols claim to be efficient for resource constraint devices but asymmetric cryptography based protocols can also be designed to reduce the overhead through reduction in communication cost. For example, protocol C4 is based on elliptic curve cryptosystem based asymmetric cryptography and it is efficient than any other lightweight protocol. Like communication cost, computational cost is also divided into three levels: Low, Medium and High. A high cost authentication protocol includes encryption, decryption, hashing or high computational functions. Medium cost based protocols include mathematical functions like elliptic curve based addition, multiplication or inverse, shift or permutation operations etc. A low cost protocol affords simple mathematical functions like: logical operations (AND, OR, NOT etc.), simple permutation, rotation random number generator etc. Lightweight and ultra-lightweight protocols are especially designed to count these low computational cost factors into considerations. Computational cost of these protocols is much lower than any classical cryptography based symmetric or asymmetric authentication protocols.

Possibility of Attacks on Authentication ProtocolsCost Analysis
Symmetric Cryptography Primitives Based Authentication Protocols
Asymmetric Cryptography Primitives Based Authentication Protocols
Lightweight Authentication Protocols
Ultra-lightweight Authentication Protocols
Group Authentication Protocols

Table 1.

Security and cost analysis of authentication protocols.

Pr = Privacy, Tr = Tracking, FS = Forward Secrecy, BS = Backward Secrecy, Ea = Eavesdropping, Sk = Skimming, Cl = Cloning, RP = Replay, RL = Relay, DoS = Denial of Service, SP = Spoofing, SD = Secret Disclosure. DE = De-synchronization, MM = Man-in-the-middle, W = Weak, M = Medium, S = Strong, Comm = Communication Cost, Comp = Computational Cost, L = Low, H = High.

7. Conclusion

In this work, RFID authentication protocols from different categories are studied and compared on security requirements and cost. Authentication protocols are categorized as: symmetric, asymmetric, lightweight, ultra-lightweight and group based authentication based protocols. It is found that asymmetric cryptography based protocols are gaining popularity day-by-day and provide enough security. Symmetric and asymmetric cryptography based authentication protocols are suitable for resourceful devices. Passive RFID devices are resource constraint devices thus lightweight or ultra-lightweight protocols are more suitable. Security in lightweight protocols is a major challenge. Hardware limitations restrict the implementation of full security on these devices. Thus, these devices can not be fully protected. Integration of asymmetric key cryptography based lightweight authentication protocols is contemporary topic of research. These unilateral or mutual authentication protocols can be extended for group authentication. Multiple tags authenticate itself with reader and store group information in data centre. This concept of group authentication is important for IoT. Authenticated devices in IoT increase the chances of secure communication in a network. Future work demands to construct a secure grouping proof protocol that is not affected with relay, replay or de-synchronization attacks.

Key terms and definitions

Active attacks

an illegal act of modifying the information or operation to affect the system

Asymmetric key cryptography

a cryptosystem that uses public and private keys for encryption and decryption process is known as asymmetric key cryptosystem


a process to confirm the attributes of message/user is known as message or user authentication

Lightweight cryptography

a least computational cost based cryptosystem designed to provide security for resource constraint devices

Passive attacks

an illegal use of using the important system information using affecting the resources

Symmetric key cryptography

a cryptosystem that uses same or symmetric key for encryption and decryption operation

Yoking protocol

a group of participants authenticates each other for constructing a secure environment

Download for free

chapter PDF

© 2020 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite and reference

Link to this chapter Copy to clipboard

Cite this chapter Copy to clipboard

Adarsh Kumar and Deepak Kumar Sharma (December 30th 2020). <sans-serif>Survey and Analysis of Lightweight Authentication Mechanisms</sans-serif> [Online First], IntechOpen, DOI: 10.5772/intechopen.94407. Available from:

chapter statistics

29total chapter downloads

More statistics for editors and authors

Login to your personal dashboard for more detailed statistics on your publications.

Access personal reporting

We are IntechOpen, the world's leading publisher of Open Access books. Built by scientists, for scientists. Our readership spans scientists, professors, researchers, librarians, and students, as well as business professionals. We share our knowledge and peer-reveiwed research papers with libraries, scientific and engineering societies, and also work with corporate R&D departments and government entities.

More About Us