1. Introduction
RFID, a contactless automatic identification technology based on radio frequency signals [1], is widely used in logistics management, healthcare, and industrial manufacturing. With the rapid development and application of RFID technology, RFID system security and privacy issues are becoming increasingly prominent, and a high-security authentication protocol needs to be designed to ensure RFID system security. Among public key cryptosystems, an elliptic curve cipher is the preferred cryptosystem for RFID authentication protocols because of its technical advantages such as short key length, high encryption strength, and small bandwidth consumption [2].
In 2006, Tuyls and Batina [3] proposed the first RFID authentication protocol based on elliptic curve cryptography (ECC). In 2011, Zhang et al. [4] introduced the idea of random keys and proposed an ECDLP-based RFID authentication protocol, but they did not solve the most basic mutual authentication problem. Subsequently, Liao et al. [5] designed an ECC-based RFID two-way authentication protocol in 2013, but the data integrity was flawed and there was a key compromise problem. In 2016, Alamr et al. [6] proposed an ECDH-based RFID two-way authentication protocol, which solved the key leakage and tracking attack problems but did not consider the data integrity. In 2019, Dinarvand et al. [7] proposed a new ECC-based RFID authentication scheme with improved security but low efficiency in key finding.
Based on elliptic encryption algorithms, scholars have designed a large number of RFID authentication schemes, but in practical application these schemes face a variety of attacks. In response, scholars have carried out security analyses of ECC-based RFID authentication protocols. In 2014, Liao et al. [8] designed an ECC-based RFID authentication scheme and proved the security of the protocol against various attacks using an efficient and convincing formal method. In 2016, Qian et al. [9] formally analysed the security of an ECC-based RFID lightweight authentication scheme using BAN logic. In 2021, Kumar et al. [10] designed a new ECC-based RFID authentication scheme by learning from the shortcomings of other scholars and simulated the protocol using the AVISPA tool, and the results showed that the protocol is secure against all passive and active attacks. With the continuous development of the IoT, the advantages of information exchange and communication it provides become more and more obvious, and the security of the IoT becomes more and more important. To prevent malicious intrusion into the IoT, scholars have carried out a lot of work from the perspective of overall security [11,12,13].
At present, in research on the security analysis of ECC-based RFID authentication schemes, scholars mainly use BAN logic and some non-formal methods. The non-formal methods are based on the personal experience of scholars as well as known methods of attack on the protocol, so the security conclusions derived from analysing security protocols with non-formal methods are inaccurate and unreliable. Also, because of the non-formal nature of the modal logic idealisation process, the incomplete logical semantics, and the over-reliance on initial assumptions, it is difficult to use modal logic to formalise ECC-based RFID security protocols and to characterise the security properties that need to be satisfied.
LoET belongs to the theorem-proving method, a formal logic for analysing the security of distributed systems [14]. In 2009, Meihua Xiao, in collaboration with the proponents of the logic of events theory, addressed the shortcomings of PCL [15] (Protocol Composition Logic), and he applied LoET to analyse security protocols [16]. In recent years, Prof. Meihua Xiao has led a team to extend LoET to formally analyse the security of security protocols in several different domains [17,18,19]. However, the existing LoET also has limitations: for some authentication protocols with complex cryptographic schemes, the event logic theory cannot perform a formal analysis of them.
In this paper, we examine the authentication property of the protocol itself to verify its security and to determine whether the protocol is exposed to a replay attack, which ensures the security of IoT information exchange. The main work and the innovations of this paper are as follows:
Extending logic of events theory. Two new event classes are added, and relevant axioms and rules are expanded.
Formally abstracting the elliptic curve session key generation function, formalising the mutual authentication process of the ECC-based RFID authentication protocol, and portraying the security properties that the protocol needs to satisfy.
Using the ECC-based RFID protocol in [20] as an example, the strong authentication of the protocol is proved using extended LoET. The application of LoET is extended to enable formal analysis of authentication protocols with elliptic curve cryptosystems.
The rest of the paper is organised as follows:
Section 2 describes LoET, including the basic concept, proof system, and extension of LoET. Section 3 introduces the ECC-based RFID protocol. In Section 4, the proof of the mutual authentication property of ECC-based RFID protocol is elaborated in detail, and finally, our conclusions and suggestions for future work are given in Section 5. The specific framework is shown in Figure 1.
3. ECC-Based RFID Protocol
ECC-based RFID is used to provide mutual authentication between reader and tag in low-cost RFID systems. The protocol is divided into a system setup phase and an authentication phase. The system setup phase stores the nth-order base point on the elliptic curve, the server’s public key, and the tag’s authentication factor in the tag’s memory. The authentication process of the ECC-based RFID two-way authentication protocol analysed in this paper is shown in Figure 2.
ECC-based RFID has three subjects involved in the protocol session, which are the tag, the reader, and the server. During the authentication process, we usually assume that the communication between the reader and the server is secure, so we can treat reader and server as a whole. Focusing on analysing the mutual authentication process between the tag and the server, the steps of the authentication process are detailed below.
- (1) Authentication request: .
- (2) As the initiator, server generates a random number and performs a scalar multiplication operation, sending to tag.
- (3) Server authenticates tag: .
- (4) After receiving the message, the tag generates a random number , performs a scalar multiplication calculation, generates the authentication message , and sends to the server. After receiving the authentication information from the tag, the server recovers , then compares the recovery result with its own locally stored tag authentication factor, and terminates the protocol if it does not exist; otherwise, it certifies the tag as a legitimate tag and then uses its private key to calculate and send to the tag.
- (5) Tag authenticates server:
- (6) After the tag receives the authentication message from the server, it checks whether is valid. If it is valid, it accepts the server as a legitimate server; otherwise, it terminates the protocol.
LoET formally analyses protocols through process evolution: it first defines the processes of the different roles of the protocol, then analyses the messages of the matching sessions in the basic sequences, checking whether the messages of the sending and receiving actions are the same between subjects and the temporal relationship of those actions, and uses theorems to characterise the strong authentication properties to be satisfied by the protocol.
Before studying the ECC-based RFID mutual authentication protocol, it is necessary to first abstract the functions implemented by ECC, as shown in Figure 3, since the ECC functions cannot be directly described formally in LoET basic modelling theory.
4. Proving Mutual Authentication
We implement the proof of authentication property in four steps, as shown in Figure 4. Firstly, we need to define the basic sequences of authentication actions in principal threads.
Then, we analyse the message matching conversation in the basic sequence and specify the authentication property of the protocol by analysing whether the messages of sending and receiving actions between principals are the same and whether the time sequence of actions satisfies the Causal Axiom.
Next, we need to analyse all the message actions in the basic sequence of the authentication principal and then infer whether there is a matching message action in the other principal, that is, whether the sending message is consistent with the receiving message of the matching action. If it is consistent, the protocol satisfies the weak authentication.
Finally, we need to further analyse the time sequence of the matching actions among the principals of the protocol. If there are matching sending actions before all the receiving actions of each principal, the protocol satisfies strong authentication.
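The weak/strong distinction in the last two steps can be checked mechanically on recorded event traces. The following Python sketch is an added example, not part of the paper and not LoET itself; the `Event` record, the `classify_session` function, the integer timestamps, and the message labels `m1`, `m2`, `mX` are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str   # "send" or "rcv"
    msg: str    # message content as this principal saw it
    time: int   # position in one global causal order (constructed for the demo)

def classify_session(a_thread, b_thread, n):
    """Compare the first n message actions of two threads.

    "none"   - some action has no complementary action with the same content
    "weak"   - every action matches in content (weak matching session)
    "strong" - additionally every send happens before its matching receive
    """
    if len(a_thread) < n or len(b_thread) < n:
        return "none"
    ordered = True
    for a, b in zip(a_thread[:n], b_thread[:n]):
        # A match needs one send and one receive carrying identical content.
        if {a.kind, b.kind} != {"send", "rcv"} or a.msg != b.msg:
            return "none"
        snd, rcv = (a, b) if a.kind == "send" else (b, a)
        ordered = ordered and snd.time < rcv.time
    return "strong" if ordered else "weak"

# Constructed traces; "m1"/"m2" stand in for the protocol's first two messages.
SERVER = [Event("send", "m1", 1), Event("rcv", "m2", 4)]
TAG_HONEST = [Event("rcv", "m1", 2), Event("send", "m2", 3)]
# Same content, but this tag thread emits m2 only after the server accepted it,
# so it cannot be the origin of what the server received (e.g. a stale value).
TAG_LATE = [Event("rcv", "m1", 2), Event("send", "m2", 6)]
# Content differs from what the server received.
TAG_OTHER = [Event("rcv", "m1", 2), Event("send", "mX", 3)]

def demo():
    cases = [("honest", TAG_HONEST), ("late", TAG_LATE), ("other", TAG_OTHER)]
    return {name: classify_session(SERVER, t, 2) for name, t in cases}

if __name__ == "__main__":
    print(demo())
```

Only the honest trace yields a strong matching session of length 2; the late trace matches in content but fails the ordering requirement, which is the gap that separates weak from strong authentication.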
4.1. Protocol Basic Sequence
Define the processes Initiator and Responder to describe the authentication server and tag body protocol interaction, where I1, I2, I3, and R1, R2, R3 are the Initiator and Responder base sequences, respectively, as shown in Figure 5.
By analysing the protocol’s basic sequence above, we can see that the initiator must engage in two message sending and receiving actions with the Responder in order to satisfy the protocol’s strong authentication requirements. The property is portrayed as
.
Accordingly, the Responder must prove a strong authenticity that is .
4.2. Proof Process
Assume that the honest subject
(referred to by
,
, respectively, later),
, and
share the public key
and the tag authentication information
, and since the honest subject follows the protocol rules, any threads of
and
participating in the protocol run are instances of the basic sequence of
. Let
be an instance of the basic sequence
. Then, there exists
event sequence for the Atom type parameter
, and the event sequence instances of
are
From the
and
, for the recovery event
, there must be a computation event
in some thread of the protocol and
, and there are
in all basic sequences of the protocol that contain
computation actions. Since it is based on the current event, all events that have not occurred are not taken into account, so
is excluded. Assuming that
is the event in the
sequence thread
, then for the Atom type
, the sequence of events
and
on subject
is present as
Since
, then
can be derived.
From (14)–(17), we can see that and , form two complete events, and a weak matching session of length 2 can be obtained at this point. Next, we analyse whether they are strong matching sessions, i.e., we analyse whether the session events satisfy the time event sequence. In the case that subject ≠ has been specified, the definition of leads to , which proves that was first sent in the event . It follows from that all operations containing must occur after the event , including the event . Therefore, according to the honesty axiom in LoET, the sequence of events can be obtained. Similarly, can be analysed.
The above analysis shows that the subject authentication thread has a strong matching session with subject , i.e., is proven.
4.3. Proof Process
Let
be an instance of the basic sequence
in entity
. Define
to be the event of the thread
. Then, for Atom type parameters
, have
Based on the
and
, there exists an encryption event
that matches the decryption event
and
, and the encryption action that contains
among all the basic sequences of the protocol is
. Assuming that
is the event in
, then for the Atom type
, there exists a sequence of events consisting of
and
in the
thread as follows:
Since
, according to the
, then we have
Then,
, and since there is a recovery event
in the
thread, according to the
and
, there exists
, satisfying
, so a new round of protocol interaction analysis is required. Assume that
is the computation event of the protocol instance
and contains
with
, similar to the analysis in the previous section, excluding the non-occurrence event
. Assume that is the instance computation event of the
thread on
and that for
, the event
occurs for subject
. Then,
From Equations (21) and (22) above, it follows that the computation event
in the thread
instance satisfies the match
with the recovery event
in the
thread. Then,
Based on the results of the above proof, it is obtained that
For any thread of honest subject
, there exists a thread with message number 2 with which honest subject
forms a weak matching session. The next step to prove whether they are strong matching sessions is to prove
. In the case where it has been specified that subject
≠
, by the definition of
, we obtain
Then, prove that is sent for the first time in the event , and from , it follows that all operations containing must occur after the event , including the event . Therefore, according to the in LoET, the sequence of events can be obtained. Similarly, can be analysed.
In summary, it is known that any thread of subject has a strong matching session in subject , i.e., is authenticated. The final protocol satisfies two-way strong authenticity, denoted as .
4.4. Comparison with Other Typical Proof Methods
BAN-like logic requires initialisation assumptions before analysing security protocols. These assumptions reflect the subjective intention of the analyst and are not formalised, and the idealisation of the protocols relies too much on the analyst’s intuition and experience. The idealisation process will cause problems, and the idealised protocol will have some gap with the original protocol. LoET is based on rigorous mathematical rules that regulate a series of axiomatic inference rule constraints, thus ensuring the reliability of the proof process.
- 2. Comparison with PCL
In the verification of protocol security properties, PCL can only portray some protocol properties, not the authentication properties of data signature protocols, whereas LoET can portray the authentication properties of other properties. PCL is not rigorous enough in modelling protocol interaction actions, and it lacks the definition of a mechanism for describing the sequence of preceding actions of a thread. LoET specifies the successive thread states in which an event occurs by means of atomic independence.
- 3. Comparison with Model Checking
The verification approach of the model-checking method is falsification, while the verification approach of LoET is proof, i.e., focusing on proving that the security protocol is correct. The model-checking method requires the system model to have an infinite state space. The number of security protocols running and the number of protocol subjects will make the state space grow exponentially; although there are a series of optimisation algorithms that can reduce the size of the protocol state space, the problem still exists. Meanwhile, LoET has no requirements for the security protocol state space and will not face the problem of state explosion.
5. Conclusions
This paper extends logic of events theory by defining the event classes , , and , adding corresponding axioms and related rules for analysing the security properties of ECC-based RFID mutual authentication protocols, formally abstracting the ECC session key establishment function, defining the protocol process and basic sequences for describing the protocol, and formalising the strong authentication properties that need to be satisfied by both parties to the protocol. Theorem-proving methods are used to reason that the basic sequences of both parties of the protocol satisfy strong authentication. Based on extended LoET, we can formally analyse authentication protocols with complex encryption mechanisms (e.g., elliptic curve cryptography), extending the use of LoET.
Although this paper extends LoET to analyse the authenticity of ECC-based RFID authentication protocols, it does not take into account the security of the protocols in the actual operating environment, so further work will be carried out to verify the security at the protocol code implementation level in the future. Verification of protocol security based on a single formal approach is generally flawed and does not guarantee absolute protocol security, and attempts to combine other formal approaches are needed.