Weis[8] firstly proposed a hash-based scheme, called Hash Lock. Combined with a backbend database to perform RFID authentication, each tag uses the hash of a random key as its metaID. When locked, a tag responds to all queries with its metaID to the reader. Then, the reader is able to obtain the real ID of the tag from the database via the looking up the received metaID. However, this scheme does not provide forward security because the same metaID is used repeatedly. Therefore, Weis extends the original method to another randomized scheme, called Randomized Access Control, which employs a random number generator to prevent from the tracking attack . However, tag impersonation attack is also possible, since an intercepted response can be replayed.
Mulnar and Wagner[11] suggested a server-less authentication system that both parties use a shared secret and individually contribute a random number to protection the messages communicated in the channel. since the reader knows the shared secret, its own nonce, and previously tag-generated nonce, thus, the reader can obtain the tag ID. They have also built a tree-based protocol to provide scalable authentication with search complexity O(logn). Each tag represents a leaf nodes in the tree, and each edge is associated with a secret between two nodes. In addition, a tag may be loaded with multiple secrets corresponding to the path from the tag to the root. However, this protocol does not guarantee backward untraceability, especially when a reader was compromised. In that case, the adversary compromising the reader can learn the secret keys toe very tag the reader has access to. On the other hand, if a tag is compromised, the attacker can back trace the previous communication from this tag.
Similarly, Dimitriou[12] uses the similar secret-sharing authentication protocol, in which both reader and tags employs their own random nonce. In this challenge-response scheme, when a reader query comes in , the tag response with a hash of its identifier, which the reader gives to the secure server. After authenticating the reader, the secure server sends back the valid message to reader, and reader response this received message back to the tag. The tag will verify the message sent by the reader. If the value match, then the tag knows the reader has been authentication by the server, and updated its secret id. Otherwise, the tag remains the old secret id. One obvious vulnerability in Dimitriou’s protocol is attack against id synchronization. Moreover, the scheme is also prone to tag impersonation attack, because the the same hashed tag identifer could be reused between valid sessions.
Tsudik[13] describes a simple RFID authentication protocol, which he calls YA-TRAP (Yet Another Trivial RFID Authentication Protocol). The author aims this novel approach at preassumption that tag information is processed in batch, and additionally RFID tags have its own power source to keep track of time. In this scheme, the reader send a time-stamp of the current reader time to a tag, which authenticate reader’s identity via evaluating the received time-stamp. If the time-stamp is invalid, the tag will output a random reply, otherwise, it will return an encrypted reply based on the received time-stamp and its own internal time-stamp. Last, the reader sends this reply back to a backbend server to obtain the real tag data. Although Tsudik has not formally analyzed the security properties YA-TRAP, other experiments have proved that this scheme is prone to several security threats. For example, the protocol is vulnerable to ”future-time” attack in which the adversary queries the tag off line with several valid time periods in the near future. Then, the adversary can captures the tag’s responses and use their responses for online authentication when these time periods. Therefore, this protocol does not provide forward untraceable privacy.
To overcome the aforementioned limitations in the existing solutions to the privacy-preserving authentication scenario, we propose a new scheme that is based on computational hardness of well known elliptic curve discrete logarithmic problem (ECDLP).