J Med Syst (2015)39:77 DOI 10.1007/s10916-015-0260-0

SYSTEMS-LEVEL QUALITY IMPROVEMENT

A Secure RFID Tag Authentication Protocol with Privacy Preserving in Telecare Medicine Information System

Chun-Ta Li (1) · Chi-Yao Weng (2) · Cheng-Chi Lee (3, 4)

Received: 2 February 2015 / Accepted: 2 June 2015 © Springer Science+Business Media New York 2015

This article is part of the Topical Collection on Systems-Level Quality Improvement

Abstract Radio Frequency Identification (RFID) based solutions are widely used for providing many healthcare applications, including patient monitoring, object traceability, drug administration systems and telecare medicine information systems (TMIS). In order to reduce malpractice and ensure patient privacy, in 2015, Srivastava et al. proposed a hash based RFID tag authentication protocol in TMIS. Their protocol uses lightweight hash operations and a synchronized secret value shared between the back-end server and the tag, which is more secure and efficient than other related RFID authentication protocols. Unfortunately, in this paper, we demonstrate that Srivastava et al.’s tag authentication protocol has a serious security problem: an adversary may use a stolen/lost reader to connect to the medical back-end server that stores information associated with tagged objects, and through this privacy breach the adversary could maliciously reveal medical data obtained from stolen/lost readers. Therefore, we propose a secure and efficient RFID tag authentication protocol to overcome these security flaws and improve the system efficiency. Compared with Srivastava et al.’s protocol, the proposed protocol not only inherits the advantages of Srivastava et al.’s authentication protocol for TMIS but also provides better security with high system efficiency.

Keywords Authentication · Privacy · Radio frequency identification · Security attack · Telecare medicine information system

(1) Department of Information Management, Tainan University of Technology, 529 Zhongzheng Road, Tainan City 71002, Taiwan Republic of China
(2) Department of Computer Science, National Tsing Hua University, 101 Kuang-Fu Road, Hsinchu City 30013, Taiwan Republic of China
(3) Department of Library and Information Science, Fu Jen Catholic University, 510 Jhongjheng Road, New Taipei City 24205, Taiwan Republic of China
(4) Department of Photonics and Communication Engineering, Asia University, 500 Lioufeng Road, Taichung City 41354, Taiwan Republic of China

Introduction

With the rapid development of healthcare delivery services and non-contact identification technologies, RFID technology is widely used to provide medically oriented services such as telecare medicine information systems, prevention of infant theft and on-line access to electronic medical records (EMR). In general, RFID systems consist of three key elements: RFID tags, RFID readers and a back-end database server that stores information associated with tagged objects [2, 16, 20]. Physicians first use readers to send queries to tagged objects within their wireless transmission range for information contained in the tags; the tags then reply with the required information, such as identifiers and synchronized secret values. The readers then connect to the back-end database server and receive from it the medical information associated with the tagged objects. Since most healthcare medical information systems are implemented over public networks, patient privacy and data security are significant concerns for RFID systems on both the reader-to-tag and reader-to-server channels.

With the increase of security attacks [9, 10, 17–19, 21, 25, 30, 31] such as message replaying, participant masquerading and privacy exposing, many RFID based tag authentication and privacy preserving protocols for TMIS have been proposed [1, 3, 4, 7, 8, 11–13, 22–24, 27, 29, 32, 33]. In 2008, Sun et al. proposed an RFID and barcode based solution to build an effective and patient-safety-centric environment and prevent the risk of medication error [27]. However, in 2009, Huang and Ku pointed out that Sun et al.’s solution puts barcodes on drug containers and an RFID wristband on each patient so that the drug information and patient information can be checked for integrity, and they further proposed an RFID grouping protocol to check the accuracy of the association of drug and patient information in order to enhance inpatient medication safety [12]. However, in 2011, Chien et al. found that their solution was insecure and that malicious adversaries could easily cheat the verifier into accepting fake records by replay and denial-of-service attacks [4]. In order to enhance medication safety, Chien et al. demonstrated two RFID based authentication protocols, one for the on-line verifier case and one for the off-line verifier case.

In 2010, Yu et al. proposed a lightweight binding proof protocol for low cost RFID tags; their protocol applies only logic gates to prove that two tags exist in the field simultaneously, without using complicated security algorithms [33]. However, in 2012, Wu et al. showed that their protocol is vulnerable to impersonation attacks and further proposed a new lightweight binding proof protocol to provide better security guarantees [29]. In the same year, Chen et al. designed a tamper resistant prescription RFID access control system for different authorized readers in which the patients’ privacy can be guaranteed [3]. In 2013, Kaul and Awasthi designed a dynamic ID based lightweight RFID authentication protocol that protects the tag from traceability and in which the secret key and the identity can be updated after each successful authentication between the tag and the server [13]. In 2014, Srivastava et al. proposed a hash based mutual RFID tag authentication protocol that resists various well-known attacks and uses a synchronized secret value shared between server and tag in a telecare medicine information system [28].

As mentioned in [14, 15, 28], the following requirements are regarded as important criteria for designing an ideal RFID authentication protocol in a telecare medicine information system.

1. Mutual authentication between communicating parties.
2. Resistance to eavesdropping and tracing.
3. Resistance to replay attack.
4. Provision of synchronized secret value.
5. Protection of data security and user privacy.
6. Minimize the tag cost with high efficiency.

In this paper, we find that Srivastava et al.’s hash based tag authentication protocol [28] cannot resist the reader stolen/lost attack. The spotted security flaw may allow a malicious adversary to use a stolen/lost reader to collect sensitive information of any tagged object without the medical back-end server being aware of it. Moreover, their protocol exhibits low efficiency in TMIS and fails to provide mutual authentication between reader and back-end server. We will present these weaknesses more clearly later. To overcome these weaknesses, we present a more secure tag authentication protocol with the same advantages for TMIS and show that our enhanced protocol is more efficient than Srivastava et al.’s protocol in terms of computation costs.

The remainder of the paper is organized as follows. Section “Review of Srivastava et al.’s RFID tag authentication protocol” reviews Srivastava et al.’s tag authentication protocol, and section “Weaknesses of Srivastava et al.’s RFID tag authentication protocol” shows the weaknesses of that protocol. In section “Proposed RFID tag authentication protocol”, the tag authentication and privacy preserving protocol for TMIS is proposed. The security and performance of our proposed protocol are analyzed in section “Security analysis of our proposed protocol” and section “Performance analysis of our proposed protocol”, respectively. Finally, the paper is concluded in section “Conclusions”.

Review of Srivastava et al.’s RFID tag authentication protocol

In this section, Srivastava et al.’s RFID tag authentication protocol [28] will be briefly reviewed. There are seven phases in Srivastava et al.’s protocol. For convenience of description, the terminology and notations used in the paper are summarized as follows:

– $ID_k$: The identifier of the $k$th tag.
– $RID_k$: The identifier of the $k$th reader.
– $RPW_k$: The password of the $k$th reader.
– $T$: The timestamp [6].
– $R_r$: The random number generated by the reader.
– $R_t$: The random number generated by the tag.
– $s_j$: The secret value used in the current $j$th session; it is mutually shared between the back-end server and the tag.
– $s_{j-1}$: The secret value used in the previous ($(j-1)$th) session. Initially, the value is set to null.
– $x_j$: The secret value used in the current $j$th session; it is mutually shared between the back-end server and the reader.
– $x_{j-1}$: The secret value used in the previous ($(j-1)$th) session. Initially, the value is set to null.
– $h(\cdot)$: A one-way hash function such as SHA-256 [26].
– $\Delta T$: The expected legitimate time interval for transmission delay.
– $DB$: The data server’s database.
– $Data$: Information of the tagged object.
– $\|$: The concatenation operation.
– $\oplus$: The bitwise XOR operation.

Pre-phase:
(1) In this phase, the back-end server and the tag share the tag’s identifier $ID_k$, the one-way hash function $h(\cdot)$, and the tag’s secret value $s_j$.
(2) The tag and the reader each have their own random number generator.
(3) The back-end server saves the information $ID_k$, $s_j$ and $s_{j-1}$ for each tag.

Phase 1: Reader’s request
In this phase, the reader randomly generates a number $R_r$ and sends a request with this random number to the tag.

Phase 2: Tag’s response message
(1) The tag generates a random number $R_t$.
(2) The tag computes $A = h(s_j \| ID_k) \oplus R_t$.
(3) The tag computes $B = A \oplus h(ID_k \| R_r \| R_t)$.
(4) The tag computes $C = h(B \oplus T_1 \oplus R_t)$, where $T_1$ is the current timestamp of the tag.

Phase 3: Reader’s response message
(1) The tag sends the response message $(A, C, T_1)$ to the reader.
(2) The reader sends the response message $(A, C, T_1, R_r)$ to the back-end server.

Phase 4: Tag authentication and secret value updation
(1) After receiving the response message from the reader, the back-end server checks whether $(T_2 - T_1) > \Delta T$; if so, the server rejects this request, where $T_2$ is the current timestamp of the back-end server.
(2) If the request is not rejected, the back-end server computes $R_t^* = A \oplus h(s_j \| ID_k)$.
(3) The back-end server computes $C^* = h(A \oplus h(ID_k \| R_r \| R_t^*) \oplus R_t^* \oplus T_1)$ and checks $C^* \stackrel{?}{=} C$.
(4) The back-end server repeats the above steps until $C^*$ is the same as the $C$ received in the response message sent by the reader. If so, the right tag is found. If not, it is judged an abnormal authentication message and the session is terminated.
(5) After finding the appropriate tag, the back-end server informs the reader of the relevant data of the tag and updates the secret value. First, the back-end server computes $D = h(A \oplus h(ID_k \| R_r \| R_t^*) \oplus T_2 \oplus s_j)$.
(6) The back-end server forms a new message $E = Data \| D$, where $Data$ is the tag information which needs to be transmitted to the reader.

Phase 5: Reader receives the relevant data of the tag
(1) The back-end server delivers the message $E$ to the reader.
(2) After receiving the message from the back-end server, the reader extracts $Data$ from $E$ and sends the remaining message $D$ to the tag for further communication.

Phase 6: Back-end server authentication and secret value updation
(1) After receiving the message from the reader, the tag checks whether $(T_3 - T_2) > \Delta T$; if so, the tag rejects this request, where $T_3$ is the current timestamp of the tag.
(2) The tag computes $D^* = h(B \oplus s_j \oplus T_2)$ and checks $D^* \stackrel{?}{=} D$. If not, the session is terminated.
(3) If the above step holds, the back-end server authentication is completed, and $s_j$ is updated by $s_{j+1} = h(s_j \oplus R_r \oplus R_t)$ on both the back-end server and tag sides.

Weaknesses of Srivastava et al.’s RFID tag authentication protocol

In this section, we highlight four weaknesses of Srivastava et al.’s authentication protocol. The details of the four weaknesses are described in the following subsections.

Reader stolen/lost attacks

We observe that Srivastava et al.’s protocol may suffer from the reader stolen/lost attack. When an adversary steals a reader or obtains a lost reader, he/she can use the stolen/lost reader to collect sensitive information of any tagged object. Thus, Srivastava et al.’s protocol fails to provide privacy of the tag during the authentication phase. The detailed steps of the reader stolen/lost attack are presented as follows.

(1) The adversary uses the stolen/lost reader to generate a random number $R_r$ and sends it to the victim tag.
(2) The victim tag generates the response message $(A, C, T_1)$ and sends it to the stolen/lost reader.
(3) The adversary uses the stolen/lost reader to send the response message $(A, C, T_1, R_r)$ to the back-end server.
(4) After receiving the response message from the stolen/lost reader, the back-end server verifies the validity of $(A, C, T_1, R_r)$ and informs the reader of the relevant data of the tag. Note that $(A, C, T_1, R_r)$ is a legal response message and it will pass the back-end server’s verification.
(5) The back-end server forms a new message $E = Data \| D$ and sends $E$ to the reader.

Thus, the adversary can maliciously extract $Data$ from $E$ by using this attack method. Consequently, Srivastava et al.’s protocol does not ensure data privacy in TMIS.

Lack of mutual authentication between reader and server

In Srivastava et al.’s protocol, the authentication of tag and server relies on the response messages $(A, C, T_1, R_r)$ and $D$. Therefore, if an adversary controls the reader, he/she can easily fabricate a request message that passes the authentication of tag and server. This lets the reader act as a cheater, and it is illogical that the authentication messages do not contain any information about the reader. From the above analysis, we can see that Srivastava et al.’s protocol has inherent drawbacks in the design of the request message and the authentication message, and that the protocol fails to provide proper authentication between reader and back-end server.

Low efficiency in phase 4

When the reader sends a response message $(A, C, T_1, R_r)$ to the back-end server, the back-end server verifies the authenticity of the authorized identifier by computing $R_t^*$ and $C_i^*$, where $i = 1, 2, 3, \ldots, n$ and $n$ is the number of authorized identifiers in the DB. In that case, the back-end server must compare $C_i^*$ with $C$ for all the authorized identifiers $ID_i$ stored in its DB. Suppose that the back-end server takes $j$ milliseconds to compare one $C_i^*$ with $C$. Thus it needs $j \cdot n$ milliseconds to confirm whether a response $C$ is valid or not. If $n$ is a million identifiers and $k$ authorized identifiers send access requests to the back-end server simultaneously, the back-end server must take $k \cdot j \cdot n$ milliseconds to confirm them, and the requesting readers may need to wait a few minutes for a reply acknowledgement from the back-end server. In practice, this exhibits low efficiency in TMIS, and it becomes infeasible for access readers to wait such a long time for the results of the tag authentication procedure of Srivastava et al.’s protocol. Therefore, we will propose an improved protocol to decrease the waiting time for access readers and ensure a high rate of efficiency in the tag authentication procedure of their protocol.

Lack of timestamp in phase 6

In Phase 6 of Srivastava et al.’s protocol, we observe that the reader only sends the remaining message $D$ to the tag without sending the current timestamp $T_2$. Consider that the tag receives the message $D$ at time $T_3$ and checks whether $(T_3 - T_2) > \Delta T$ during Phase 6. In fact, the tag cannot verify the validity of the timestamp without having the timestamp $T_2$.
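The reader-side and Phase 4 weaknesses above can be seen in a short simulation of Phases 1–5, added here as an illustration (it is not code from this paper or from Srivastava et al.): the server's check takes no reader credential, so whatever device relays $(A, C, T_1, R_r)$ receives $Data$, and the search costs three hashes per stored tag. The byte encodings (32-byte left-padding for XOR, big-endian timestamps), the class and function names and the sample records are assumptions.

```python
import hashlib
import hmac
import os

N = 32  # SHA-256 output size; XOR operands are left-padded to N bytes (assumption)

def h(*parts: bytes) -> bytes:
    """h(.) applied to the concatenation (||) of its arguments."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals: bytes) -> bytes:
    out = bytes(N)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v.rjust(N, b"\0")))
    return out

def ts(t: int) -> bytes:
    """Encode a timestamp so it can be XORed with a hash value (assumption)."""
    return t.to_bytes(N, "big")

class Tag:
    def __init__(self, tag_id: bytes, s: bytes):
        self.id, self.s = tag_id, s

    def respond(self, Rr: bytes, T1: int):
        """Phase 2: build (A, C, T1) from the shared secret s_j."""
        Rt = os.urandom(N)
        A = xor(h(self.s, self.id), Rt)
        B = xor(A, h(self.id, Rr, Rt))
        C = h(xor(B, ts(T1), Rt))
        return A, C, T1

class Server:
    def __init__(self, db: dict, delta_t: int = 2):
        self.db = db                 # tag_id -> (s_j, Data)
        self.delta_t = delta_t
        self.hash_calls = 0          # counts hash evaluations in Phase 4

    def _h(self, *parts: bytes) -> bytes:
        self.hash_calls += 1
        return h(*parts)

    def phase4(self, A, C, T1, Rr, T2):
        """Phase 4: no input identifies or authenticates the reader."""
        if T2 - T1 > self.delta_t:
            return None
        for tag_id, (s, data) in self.db.items():      # try every stored tag
            Rt = xor(A, self._h(s, tag_id))
            B = xor(A, self._h(tag_id, Rr, Rt))
            if hmac.compare_digest(self._h(xor(B, ts(T1), Rt)), C):
                D = self._h(xor(B, ts(T2), s))
                return data, D                         # E = Data || D
        return None

def relay_session(n_tags: int, now: int = 1000):
    """Run Phases 1-5 with a relaying reader that holds no secret at all."""
    db, tags = {}, []
    for i in range(n_tags):
        tag_id, s = b"TAG-%06d" % i, os.urandom(N)
        db[tag_id] = (s, b"record-%06d" % i)           # constructed sample data
        tags.append(Tag(tag_id, s))
    server, target = Server(db), tags[-1]              # worst case: last DB entry
    Rr = os.urandom(N)                                 # Phase 1
    A, C, T1 = target.respond(Rr, now)                 # Phase 2
    result = server.phase4(A, C, T1, Rr, now + 1)      # Phases 3-4: plain relay
    data = result[0] if result else None               # Phase 5: Data arrives in clear
    return data, server.hash_calls
```

`relay_session(n)` returns the tag's record together with the number of hash evaluations the server spent, which grows as $3n + 1$ when the matching tag is the last entry searched.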

Proposed RFID tag authentication protocol

In this section, we propose a simple improvement on Srivastava et al.’s RFID tag authentication protocol, which keeps the merits of the original protocol. In order to withstand the reader stolen/lost attack discussed in section “Reader stolen/lost attacks”, we use a secret value of the reader $x_j$, the identifier of the $k$th reader $RID_k$ and the password of the $k$th reader $RPW_k$, where $x_j$ is used in the current $j$th session and is mutually shared between the back-end server and the reader. Figure 1 shows the entire flowchart of our enhanced protocol for TMIS.

Fig. 1 The flowchart of our proposed protocol for TMIS

Pre-phase:
(1) On the tag side, the back-end server and the tag share the tag’s identifier $ID_k$, the one-way hash function $h(\cdot)$, and the tag’s secret value $s_j$.
(2) On the reader side, the back-end server computes $V_k = h(x_j \| RID_k)$ and $W_k = h(x_j \| RID_k) \oplus RID_k \oplus RPW_k$ and stores $V_k$, $W_k$, the one-way hash function $h(\cdot)$, and the reader’s secret value $x_j$ in the reader’s memory.
(3) The tag and the reader each have their own random number generator.
(4) The back-end server saves the information $ID_k$, $s_j$ and $s_{j-1}$ for each tag.
(5) The back-end server saves the information $RID_k$, $x_j$ and $x_{j-1}$ for each reader.

Phase 1: Boot reader
Before the telecare staff can use the reader to provide telecare services, the staff must successfully boot the reader. The staff inputs the correct identifier $RID_k$ and password $RPW_k$. Then the reader computes $V_k^* = W_k \oplus RID_k \oplus RPW_k$ and checks whether $V_k^* = V_k$ holds or not. If it does not hold, the reader halts the process. Otherwise, the reader is successfully booted.

Phase 2: Reader’s request
(1) The reader generates a random number $R_r$.
(2) The reader computes $A = V_k \oplus R_r$.
(3) The reader computes $B = h(V_k \oplus T_1 \oplus R_r)$, where $T_1$ is the current timestamp of the reader.
(4) The reader sends a request message $(RID_k, A, B, T_1)$ to the tag.

Phase 3: Tag’s response message
(1) The tag generates a random number $R_t$.
(2) The tag computes $C = h(s_j \| ID_k) \oplus R_t$.
(3) The tag computes $D = h(h(s_j \| ID_k) \oplus T_2 \oplus R_t)$, where $T_2$ is the current timestamp of the tag.

Phase 4: Reader’s response message
(1) The tag sends the response message $(ID_k, C, D, T_2)$ to the reader.
(2) After receiving the response message from the tag, the reader checks whether $(T_2 - T_1) > \Delta T$; if so, the reader rejects the tag’s response.
(3) If the response is not rejected, the reader sends the response message $(RID_k, A, B, ID_k, C, D, T_1, T_2)$ to the back-end server.

Phase 5: Reader authentication and tag authentication
(1) After receiving the response message from the reader, the back-end server checks whether $(T_3 - T_2) > \Delta T$; if so, the server rejects this request, where $T_3$ is the current timestamp of the back-end server.
(2) If the request is not rejected, the back-end server computes $R_r^* = A \oplus h(x_j \| RID_k)$.
(3) The back-end server computes $B^* = h(h(x_j \| RID_k) \oplus T_1 \oplus R_r^*)$ and checks $B^* \stackrel{?}{=} B$.
(4) If the above step holds, the back-end server successfully authenticates the reader. If not, it is judged an abnormal authentication message and the session is terminated.
(5) The back-end server computes $R_t^* = C \oplus h(s_j \| ID_k)$.
(6) The back-end server computes $D^* = h(h(s_j \| ID_k) \oplus T_2 \oplus R_t^*)$ and checks $D^* \stackrel{?}{=} D$.
(7) If the above step holds, the back-end server successfully authenticates the tag. If not, it is judged an abnormal authentication message and the session is terminated.
(8) After verifying the reader and the tag, the back-end server updates the original $x_{j-1}$ and $x_j$ with $x_j$ and $x_{j+1}$ on both sides (back-end server and reader). Note that $x_{j+1} = h(x_j \oplus R_r^*)$. Moreover, the back-end server updates the original $s_{j-1}$ and $s_j$ with $s_j$ and $s_{j+1}$ on both sides (back-end server and tag). Note that $s_{j+1} = h(s_j \oplus R_t^*)$.
(9) The back-end server informs the reader of the relevant data of the tag and computes $E = h(x_j \| RID_k \| T_1 \| R_r^* \| h(x_j \oplus R_r^*))$, $F = Data \oplus h(x_j \oplus R_r^*)$, and $G = h(s_j \| ID_k \| T_2 \| R_t^* \| h(s_j \oplus R_t^*))$, where $Data$ is the tag information which needs to be transmitted to the reader.
(10) The back-end server forms a new message $(E, F, G)$ and sends it to the reader.

Phase 6: Reader receives the relevant data of the tag
(1) After receiving the message from the back-end server, the reader computes $E^* = h(x_j \| RID_k \| T_1 \| R_r \| h(x_j \oplus R_r))$ and checks $E^* \stackrel{?}{=} E$.
(2) If the above step holds, the reader successfully authenticates the back-end server and updates the original $x_j$ with $x_{j+1} = h(x_j \oplus R_r)$. If not, it is judged an abnormal authentication message and the session is terminated.
(3) The reader extracts $Data$ by computing $F \oplus h(x_j \oplus R_r)$ and sends the remaining message $G$ to the tag for further communication.

Phase 7: Back-end server authentication and secret value updation
(1) After receiving $G$ from the reader, the tag computes $G^* = h(s_j \| ID_k \| T_2 \| R_t \| h(s_j \oplus R_t))$ and checks $G^* \stackrel{?}{=} G$.
(2) If the above step holds, the tag successfully authenticates the back-end server and updates the original $s_j$ with $s_{j+1} = h(s_j \oplus R_t)$. If not, it is judged an abnormal authentication message and the session is terminated.
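The seven phases above, traced end to end in an added example (not the authors' implementation): the reader refuses to issue requests until the boot check passes, the server looks the tag up by $ID_k$ instead of searching, and every verification is an explicit comparison. The 32-byte padding, timestamp encoding, class names and sample identifiers are assumptions; only one session is run, since the page does not say how $V_k$ and $W_k$ are refreshed after $x_j$ is updated, and storage of $x_{j-1}$, $s_{j-1}$ is omitted.

```python
import hashlib
import hmac
import os

N = 32  # SHA-256 size; XOR operands are left-padded to N bytes (assumption)

def h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def xor(*vals):
    out = bytes(N)
    for v in vals:
        out = bytes(a ^ b for a, b in zip(out, v.rjust(N, b"\0")))
    return out

def ts(t):
    return t.to_bytes(N, "big")  # timestamp encoding is an assumption

class Reader:
    def __init__(self, V, W, x):              # pre-phase: memory holds V_k, W_k, x_j
        self.V, self.W, self.x, self.rid = V, W, x, None

    def boot(self, rid, rpw):                 # Phase 1: V_k* = W_k xor RID_k xor RPW_k
        ok = hmac.compare_digest(xor(self.W, rid, rpw), self.V)
        self.rid = rid if ok else None
        return ok

    def request(self, T1):                    # Phase 2
        if self.rid is None:
            raise PermissionError("reader not booted")
        self.Rr, self.T1 = os.urandom(N), T1
        return self.rid, xor(self.V, self.Rr), h(xor(self.V, ts(T1), self.Rr)), T1

    def finish(self, E, F):                   # Phase 6
        k = h(xor(self.x, self.Rr))
        if not hmac.compare_digest(h(self.x, self.rid, ts(self.T1), self.Rr, k), E):
            return None
        self.x = k                            # x_{j+1} = h(x_j xor R_r)
        return xor(F, k).lstrip(b"\0")        # Data = F xor h(x_j xor R_r)

class Tag:
    def __init__(self, tid, s):
        self.id, self.s = tid, s

    def respond(self, T2):                    # Phase 3
        self.Rt, self.T2 = os.urandom(N), T2
        hs = h(self.s, self.id)
        return self.id, xor(hs, self.Rt), h(xor(hs, ts(T2), self.Rt)), T2

    def finish(self, G):                      # Phase 7
        k = h(xor(self.s, self.Rt))
        ok = hmac.compare_digest(h(self.s, self.id, ts(self.T2), self.Rt, k), G)
        if ok:
            self.s = k                        # s_{j+1} = h(s_j xor R_t)
        return ok

class Server:
    def __init__(self, delta_t=2):
        self.readers, self.tags, self.delta_t = {}, {}, delta_t

    def enroll_reader(self, rid, rpw):        # pre-phase, reader side
        x = self.readers[rid] = os.urandom(N)
        V = h(x, rid)
        return Reader(V, xor(V, rid, rpw), x)

    def enroll_tag(self, tid, data):          # pre-phase, tag side; len(data) <= N
        s = os.urandom(N)
        self.tags[tid] = (s, data)
        return Tag(tid, s)

    def phase5(self, rid, A, B, tid, C, D, T1, T2, T3):
        if T3 - T2 > self.delta_t or rid not in self.readers or tid not in self.tags:
            return None
        x, (s, data) = self.readers[rid], self.tags[tid]   # direct lookup, no search
        hx, hs = h(x, rid), h(s, tid)
        Rr, Rt = xor(A, hx), xor(C, hs)
        if not hmac.compare_digest(h(xor(hx, ts(T1), Rr)), B):
            return None                       # reader authentication failed
        if not hmac.compare_digest(h(xor(hs, ts(T2), Rt)), D):
            return None                       # tag authentication failed
        kx, ks = h(xor(x, Rr)), h(xor(s, Rt))
        E = h(x, rid, ts(T1), Rr, kx)
        G = h(s, tid, ts(T2), Rt, ks)
        self.readers[rid], self.tags[tid] = kx, (ks, data)  # secrets move to j+1
        return E, xor(data, kx), G

def run_session(server, reader, tag, now=1000):
    """One full session; returns Data on success, None on any failed check."""
    rid, A, B, T1 = reader.request(now)
    tid, C, D, T2 = tag.respond(now + 1)
    if T2 - T1 > server.delta_t:              # Phase 4 freshness check at the reader
        return None
    reply = server.phase5(rid, A, B, tid, C, D, T1, T2, now + 2)
    if reply is None:
        return None
    E, F, G = reply
    data = reader.finish(E, F)
    return data if data is not None and tag.finish(G) else None
```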

Security analysis of our proposed protocol

In this section, we analyze the security of the proposed tag authentication protocol for the telecare medicine information system using hash functions. We show that the proposed protocol is able to overcome the weaknesses in Srivastava et al.’s protocol and withstand various attacks.

(1) Withstanding the reader stolen/lost attack: For this attack, it can be assumed that the telecare center has lost its reader by some means. An adversary steals the reader and uses it to collect sensitive data of any tagged object. However, in the boot reader phase of the proposed protocol, the adversary cannot successfully boot the reader due to the protection of $h(\cdot)$, $x_j$, $V_k$ and $W_k$, and the adversary knows neither $RID_k$ nor $RPW_k$. The above explanation shows that from the parameters $(V_k, W_k)$, it is computationally infeasible for the adversary to derive $RID_k$, $RPW_k$ or $x_j$ at the same time in polynomial time. In addition, online boot reader testing can be defeated by limiting the number of failed boot requests.

(2) Withstanding the replay attack: In the communication phases of the proposed protocol, we use timestamps to ensure the freshness of the transmitted messages, and the time interval $\Delta T$ between the previous timestamp and the current timestamp of the receiver side is very small. The reader can detect a replay attack by checking the condition $(T_2 - T_1) < \Delta T$. Moreover, the back-end server can detect a replay attack by checking the condition $(T_3 - T_2) < \Delta T$. Note that if the adversary changes the timestamp $T_2$ in the response message, the back-end server is able to detect this modification by checking $D^* = h(h(s_j \| ID_k) \oplus T_2^* \oplus R_t^*) \stackrel{?}{=} D$, where $T_2^*$ denotes the changed timestamp. As a result, our proposed protocol is secure against replay attacks.

(3) Withstanding the off-line password guessing attack: In an off-line password guessing attack, the adversary may try to eavesdrop on all messages exchanged between the reader, the tag and the back-end server. Then the adversary iteratively guesses the reader’s real password and verifies off-line whether his/her guess is correct or not. In the communication phases of the proposed protocol, the adversary may collect knowledge of $(RID_k, A, B, T_1)$, $(ID_k, C, D, T_2)$ and $(E, F, G)$ in Phase 2, Phase 4 and Phase 5, respectively. However, the transmitted messages do not include any information about reader passwords. Therefore, our proposed protocol can withstand off-line password guessing attacks.

(4) Protection of data privacy: In the communication phases of the proposed protocol, an adversary who wants to damage the data privacy of a tagged object may immediately re-send an eavesdropped response message $(RID_k, A, B, ID_k, C, D, T_1, T_2)$ to the back-end server and pass the freshness check. However, when the adversary intercepts the message $(E, F, G)$ in Phase 5, he/she still cannot reveal $Data$ from $F = Data \oplus h(x_j \oplus R_r)$. Since the adversary does not know the reader’s secret value $x_j$ and the random number $R_r$, he/she cannot compute a correct value $h(x_j \oplus R_r)$ and cannot reveal $Data$ by computing $F \oplus h(x_j \oplus R_r)$. Therefore, the data privacy of tagged objects is protected by executing the communication phases of the proposed protocol.

(5) Provision of mutual authentication: In Phase 5 of the proposed protocol, the back-end server can verify the validity of the reader by checking whether the computed $B^*$ equals the received $B$ or not. Moreover, the back-end server can verify the validity of the tag by checking whether the computed $D^*$ equals the received $D$ or not. On the other hand, in Phase 6 of the proposed protocol, the back-end server replies with the message $(E, F, G)$ to the reader and the reader can verify it by checking whether $E^* = h(x_j \| RID_k \| T_1 \| R_r \| h(x_j \oplus R_r)) \stackrel{?}{=} E$ holds or not. In addition, in Phase 7 of the proposed protocol, the reader forwards the message $G$ to the tag and the tag can verify it by checking whether $G^* = h(s_j \| ID_k \| T_2 \| R_t \| h(s_j \oplus R_t)) \stackrel{?}{=} G$ holds or not. Since only the reader and the tag possess $h(x_j \oplus R_r)$ and $h(s_j \oplus R_t)$, no one can retrieve $x_j$, $s_j$, $R_r$ and $R_t$ and embed them into the message $(E, F, G)$. Therefore, if $E^* = E$ and $G^* = G$ hold, the reader and the tag are convinced that the back-end server is a legal server. Finally, the proposed protocol provides mutual authentication and ensures the security of TMIS.

(6) Provision of secret value updation among back-end server and reader: As shown in the communication phases of the proposed protocol, after finishing mutual authentication in Phase 6, the back-end server and the reader can compute the new secret value $x_{j+1} = h(x_j \oplus R_r)$. The two entities can use $x_{j+1}$ to protect the transmitted messages in the $(j+1)$th session.

(7) Provision of secret value updation among back-end server and tag: As shown in the communication phases of the proposed protocol, after finishing mutual authentication in Phase 7, the back-end server and the tag can compute the new secret value $s_{j+1} = h(s_j \oplus R_t)$. The two entities can use $s_{j+1}$ to protect the transmitted messages in the $(j+1)$th session.

A comparison of the security level of the proposed RFID tag authentication protocol and two of the most recent protocols [5, 28] is shown in Table 1. In contrast with the other two related protocols, it can be concluded that the security level of the proposed protocol meets the required challenges.

Table 1 Security level comparisons among the proposed protocol and other RFID tag authentication protocols

| Feature | Cho et al.’s protocol [5] | Srivastava et al.’s protocol [28] | Proposed protocol |
|---|---|---|---|
| F1 | NO | NO | YES |
| F2 | YES | YES | YES |
| F3 | NO | NO | YES |
| F4 | NO | YES | YES |
| F5 | NO | NO | YES |

F1: Provision of mutual authentication
F2: Provision of synchronized secret
F3: Protection of data privacy
F4: Prevention of replay attack
F5: Prevention of reader stolen/lost attack

Performance analysis of our proposed protocol

In this section, we present the performance analysis of our proposed authentication protocol and compare it with Srivastava et al.’s protocol in terms of computation overhead. In the experiment environment (CPU: 3.2 GHz, RAM: 3.0 G), we ran the experiment 100 times to obtain the average result. The results show that executing a hash function takes 0.2 ms on average and that exclusive-or operations are negligible. According to the computation overhead analysis of Srivastava et al.’s protocol and our proposed protocol, we obtain the comparison shown in Fig. 2. On the tag, reader and back-end server sides, the computation overheads of both protocols are approximately equal for one communication session when the total number of tags stored in the back-end server is only one. From Fig. 2, we can see that the proposed protocol requires only 15 hash operations for one communication session and takes 3 ms on average, regardless of the total number of tagged objects stored in the back-end database server. On the other hand, for executing one communication session, Srivastava et al.’s protocol requires much more computation time, especially as the number of tagged objects stored in the back-end server increases. From an implementation point of view, our protocol requires less computational power than Srivastava et al.’s protocol, and this feature makes our solution quite suitable for resource-constrained environments such as RFID systems and TMIS.

Fig. 2 Performance comparisons


Conclusions

In this paper, we first demonstrated that the hash based RFID tag authentication protocol proposed by Srivastava et al. is vulnerable to the reader stolen/lost attack. We have also pointed out that in Srivastava et al.’s protocol, there is no provision of mutual authentication between reader and back-end server, and this may increase the successful login probability for malicious adversaries. Moreover, we showed that the authentication phases of their scheme exhibit high computation overheads. To remedy the aforementioned weaknesses, we have proposed improvements and security patches, which resist the weak features of their protocol for TMIS environments.

Acknowledgments The authors would like to thank the anonymous referee for their valuable discussions and comments. Moreover, this research was partially supported by the Ministry of Science and Technology, Taiwan, R.O.C., under contract no.: MOST 103-2221-E165-003 and MOST 103-2221-E-030-016.

References

1. Azevedo, S.G., and Ferreira, J.J., Radio frequency identification: a case study of healthcare organisations. Int. J. Secur. Netw. 5(2/3):147–155, 2010.
2. Chang, Y.F., Yu, S.H., Shiao, D.R., A uniqueness-and-anonymity-preserving remote user authentication scheme for connected health care. J. Med. Syst. 37:9902, 2013.
3. Chen, Y.Y., Huang, D.C., Tsai, M.L., Jan, J.K., A design of tamper resistant prescription RFID access control system. J. Med. Syst. 36(5):2795–2801, 2012.
4. Chien, H.Y., Yang, C.C., Wu, T.C., Lee, C.F., Two RFID-based solutions to enhance inpatient medication safety. J. Med. Syst. 35(3):369–375, 2011.
5. Cho, J.S., Yeo, S.S., Kim, S.K., Securing against brute-force attack: A hash-based RFID mutual authentication protocol using a secret value. Comput. Commun. 34(3):391–397, 2011.
6. Dyreson, C.E., and Snodgrass, R.T., Timestamp semantics and representation. Inf. Syst. 18(3):143–166, 1993.
7. He, D., Chen, J., Zhang, R., A more secure authentication scheme for telecare medicine information systems. J. Med. Syst. 36(3):1989–1995, 2012.
8. He, D., Kumar, N., Chilamkurti, N., Lee, J.H., Lightweight ECC based RFID authentication integrated with an ID verifier transfer protocol. J. Med. Syst. 38:116, 2014.
9. He, D., and Zeadally, S., Authentication protocol for ambient assisted living system. IEEE Commun. Mag. 35(1):71–77, 2015.
10. He, D., Kumar, N., Chilamkurti, N., A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf. Sci., 2015. doi:10.1016/j.ins.2015.02.010.
11. He, D., Kumar, N., Chen, J., Robust anonymous authentication protocol for healthcare applications using wireless medical sensor networks. Multimedia Systems 21(1):49–60, 2015.
12. Huang, H.H., and Ku, C.Y., A RFID grouping proof protocol for medication safety of inpatient. J. Med. Syst. 33(6):467–474, 2009.
13. Kaul, S.D., and Awasthi, A.K., RFID authentication protocol to enhance patient medication safety. J. Med. Syst. 37(6):1–6, 2013.
14. Kim, H.S., Enhanced hash-based RFID mutual authentication protocol. Commun. Comput. Inform. Sci. 339:70–77, 2012.
15. Kim, H.S., RFID mutual authentication protocol based on synchronized secret. Int. J. Secur. Appl. 7(4):37–50, 2013.
16. Lee, C.C., Chen, C.T., Li, C.T., Wu, P.H., A practical RFID authentication mechanism for digital television. Telecommun. Syst. 57(3):239–246, 2014.
17. Lee, C.C., Chiu, S.T., Li, C.T., Improving security of a communication-efficient three-party password authenticated key exchange protocol. Int. J. Netw. Secur. 17(1):1–6, 2015.
18. Li, C.T., and Hwang, M.S., An efficient biometrics-based remote user authentication scheme using smart cards. J. Netw. Comput. Appl. 33(1):1–5, 2010.
19. Li, C.T., and Lee, C.C., A novel user authentication and privacy preserving scheme with smart cards for wireless communications. Math. Comput. Model. 55(1-2):35–44, 2012.
20. Li, C.T., Lee, C.C., Weng, C.Y., Fan, C.I., A RFID-based macro-payment scheme with security and authentication for retailing services. ICIC Express Letters 6(12):3163–3170, 2012.
21. Li, C.T., Lee, C.C., Weng, C.Y., An extended chaotic maps based user authentication and privacy preserving scheme against DoS attacks in pervasive and ubiquitous computing environments. Nonlinear Dyn. 74(4):1133–1143, 2013.
22. Li, C.T., Lee, C.C., Weng, C.Y., A secure chaotic maps and smart cards based password authentication and key agreement scheme with user anonymity for telecare medicine information systems. J. Med. Syst. 38(9):77, 2014.
23. Mishra, D., Srinivas, J., Mukhopadhyay, S., A secure and efficient chaotic map-based authenticated key agreement scheme for telecare medicine information systems. J. Med. Syst. 38:120, 2015.
24. Peris-Lopez, P., Orfila, A., Mitrokotsa, A., van der Lubbe, J.C.A., A comprehensive RFID solution to enhance inpatient medication safety. Int. J. Med. Inform. 80(1):13–24, 2011.
25. Ramasamy, R., and Muniyandi, A.P., An efficient password authentication scheme for smart card. Int. J. Netw. Secur. 14(3):180–186, 2012.
26. National Institute of Standards and Technology: US department of commerce, secure hash standard, US Federal Information Processing Standard Publication, 2002.
27. Sun, P.R., Wang, B.H., Wu, F., A new method to guard inpatient medication safety by the implementation of RFID. J. Med. Syst. 32(4):327–332, 2008.
28. Srivastava, K., Awasthi, A.K., Kaul, S.D., Mittal, R.C., A hash based mutual RFID tag authentication protocol in telecare medicine information system. J. Med. Syst. 39:153, 2015.
29. Wu, S., Chen, K., Zhu, Y., A secure lightweight RFID binding proof protocol for medication errors and patient safety. J. Med. Syst. 36(5):2743–2749, 2012.
30. Wyld, D., Preventing the worst case scenario: an analysis of RFID technology and infant protection in hospitals. The Internet Journal of Healthcare Administration 7(1), 2009.
31. Yang, L., Ma, J.F., Jiang, Q., Mutual authentication scheme with smart cards and password under trusted computing. Int. J. Netw. Secur. 14(3):156–163, 2012.
32. Yen, Y.C., Lo, N.W., Wu, T.C., Two RFID-based solutions for secure inpatient medication administration. J. Med. Syst. 36(5):2769–2778, 2012.
33. Yu, Y., Hou, T., Chiang, T., Low cost RFID real lightweight binding proof protocol for medication errors and patient safety. J. Med. Syst. 36(2):823–828, 2012.
