IEEE INTERNET OF THINGS JOURNAL, VOL. 5, NO. 4, AUGUST 2018 2927

Dynamic Authentication Protocol UsingSelf-Powered Timers for Passive Internet of Things

M. H. Afifi , Student Member, IEEE, Liang Zhou, Student Member, IEEE,Shantanu Chakrabartty, Senior Member, IEEE, and Jian Ren, Senior Member, IEEE

Abstract—Passive Internet of Things (IoT) like radio frequencyidentification (RFID) tags can be used to offer a wide rangeof services, such as object tracking or classification, markingownership, noting boundaries, and indicating identities. Whilethe communication link between a reader of the tag and theauthentication server is generally assumed to be secure, the com-munication link between the reader and participating tags ismostly vulnerable to malicious acts. Many authentication pro-tocols have been proposed in literature, however, they eitherare vulnerable to certain types of attacks or require pro-hibitively a large amount of computational resources to beimplemented on a passive tag. In this paper, we present vari-ants of a novel authentication protocol that can overcome thesecurity flaws of previous protocols while being well suited tothe computational capability of the tags. At the core of theproposed approach is our recently demonstrated self-poweredtiming devices that can be used for robust time-keeping and syn-chronization without the need for any external powering. Theoutputs of the timers are processed using a single hash func-tion on the tag to produce tokens that continuously changewith time, while being synchronized to tokens generated bythe authentication server. The proposed protocol also incorpo-rates margins of tolerance that make the authentication processrobust to any deviations in the timer responses due to fabricationartifacts.

Index Terms—Dynamic authentication, Internet of Things(IoT), low-cost and passive tags, self-powered timers.

I. INTRODUCTION

AN infrastructure of Internet-of-Things (IoT) consisting ofservers, readers, and tags provides connectivity between

systems and devices thus enabling a vast range of applica-tions, such as smart homes, wearables, retails, health-care,automotive, and agriculture [1]–[5]. At the core of this infras-tructure are tags [for example, radio frequency identification(RFID) tags], which are generally responsible for data collec-tion or exchange with readers that are connected to a server.As these tags operate in an insecure and shared environment,

Manuscript received June 28, 2017; revised August 22, 2017; acceptedSeptember 25, 2017. Date of publication September 29, 2017; date of currentversion August 9, 2018. This work was supported in part by the NationalScience Foundation under Grant CNS:1525476 and Grant ECCS:1550096,and in part by the Semiconductor Research Corporation under Contract 2015-TS-2639 and Contract 2015-TS-2640. (Corresponding author: M. H. Afifi.)

M. H. Afifi and J. Ren are with the Department of Electrical and ComputerEngineering, Michigan State University, East Lansing, MI 48824-1226 USA(e-mail: afifi@msu.edu; renjian@msu.edu).

L. Zhou and S. Chakrabartty are with the Department of Electrical andSystems Engineering, Washington University at St. Louis, St. Louis, MO63130 USA (e-mail: liang.zhou@wustl.edu; shantanu@wustl.edu).

Digital Object Identifier 10.1109/JIOT.2017.2757918

the unprotected communications between tags and readers overa wireless channel can disclose the data collected by the tagsand their locations. This raises serious concerns about securityof participating tags and makes them susceptible to differentsecurity attacks [6]–[8].

Denial-of-service are attacks in which an attacker forcestags to dis-function by disturbing or blocking the communica-tion sessions between tags and readers. In tag impersonation,an attacker can intercept sessions between a target tag andthe reader by eavesdropping open wireless channel. Based onthe intercepted sessions, the attacker can impersonate the tagwithout knowing its secret. It could communicate with readersinstead of the tag to get the authentication from the back-endserver. In replay attacks, an attacker reuses communicationsfrom previous sessions to perform a successful authenticationbetween a tag and the back-end server. De-synchronizationattacks are used by an attacker to update the values in onlyone part of the network, either the tag or the reader. In suchattacks, the tag and the reader can no more synchronouslyupdate their secrets. This makes future authentication impos-sible and in turn prevents proper functioning of the tag. Whilethe described attacks do not require the attacker to compro-mise a target tag, there are stronger attacks that result from thephysical possession of an attacker to a target tag. In backwardtraceability, given the internal state of a target tag at time t,the attacker is able to identify tag’s sessions that occurred ata time ti < t [9]. That is, knowledge of a tag’s current statecould help identify the tag’s past sessions, which may allowtracking of the tag’s past behavior. On the other hand, in for-ward traceability a tag’s state at time t can help to identify tagsessions that occur at a time ti > t. That is, knowledge of atag’s current state could help identify the tag’s future sessions.

In order to tackle these concerns, it is essential to usesecure cryptographic protocols to guarantee the security oftags and their data. However, tags used in such systems aregenerally passive, i.e., they typically do not possess an on-board source of power. Instead, they gain power by harvestingenergy from the reader. This limited power availability severelyconstrains the computing resources of the tag as well as itsstorage resources. As a result of these limitations, it is thereforeextremely challenging to design a secure cryptographic protocolthat provides security while efficiently utilizing the availableresources. Therefore, to solve the security problems of thesystem, many lightweight authentication protocols have beenproposed in recent years. Based on the difficulty of invertingthe one-way hash function, it turns out to be the best candidate

2327-4662 c⃝ 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

2928 IEEE INTERNET OF THINGS JOURNAL, VOL. 5, NO. 4, AUGUST 2018

for most of these authentication protocols. Although some ofthese protocols are implementable by the resource constrainedsystem, most of them have serious security problems.

An authentication protocol basically defines a set of com-munications and computations performed between tag, reader,and back-end server. While the basic requirement of an authen-tication protocol is to generally authorize a tag if its ID isrecognizable by the back-end database and otherwise unautho-rizes it, the designed authentication protocol is also requiredto follow some guidelines to prevent different types of securityattacks, such as those described above. These guidelines areto: 1) provide dynamic responses to reader queries to avoidtraceability attacks, where a current session intercepted by theattacker does not enable him to identify neither tag’s past norfuture sessions; 2) guarantee that the sessions intercepted bythe attacker do not qualify him to further be authenticatedas a legitimate tag to avoid tag impersonation and replayattacks; and 3) maintain the same shared secret key betweenthe reader and the tag throughout the life-time of the tag toavoid de-synchronization attacks. An IoT system is assumedto be secure if it can consistently follow these guidelines toovercome different attacks on security.

In this paper, we propose an authentication protocol thatguarantees a customizable level of security of tags and theirdata. More specifically, the proposed protocol utilizes a setof self-powered timers, reported in [10], to perform authenti-cation. The timers provide a mechanism to achieve temporalsynchronization between two passive devices without the needfor any external powering or clocks. As a result the timerscould be used to implement dynamic SecureID type authen-tication involving random keys and tokens that need to beperiodically generated and synchronized [11]. To authenti-cate any given tag, values of these timers are comparedto a gold standard tag at the reader’s side. These valuesare dynamic, where they are essentially periodically updated.Synchronization between the tag and the legitimate reader isefficiently maintained by the timers design and the underlyingreliable timer model. While the values from timers at the tagside would not perfectly match values of the gold standarddue to measurement and fabrication artifacts, we tolerate anerror margin in a more robust and customizable version of theproposed authentication protocol. Threshold of this margin iscustomized and predetermined based on the deterioration rateof the fabricated models. We also provide a comparison ofour protocol with other existing protocols in terms of security,cost, and performance.

The rest of this paper is organized as follows. In Section II,we conduct a qualitative analysis of the existing tag authenti-cation protocols. In Section III, preliminaries are introduced.Two versions of our proposed authentication protocol areproposed in Section IV. Section V demonstrates the secu-rity and performance analysis. Design considerations are alsoprovided in Section VI. We finally conclude in Section VII.

II. RELATED WORK

In order to protect IoT systems from different attacks, manyauthentication protocols and strategies have been proposed to

meet different security requirements. All authentication proto-cols typically aim to protect tag’s security, with minimizingimpact on the available limited resources. In this section, toget an idea of how they overcome different attacks, we pro-vide an overview of these authentication protocols. We brieflydiscuss the design model for each protocol, and analyze theirlimitations.

In a first attempt to achieve authentication between tag andreader, hash-lock protocol was proposed in [12]. To achieveprivacy, instead of using the tag’s ID, this protocol uses thepseudonym of the tag, metaID. However, since eventuallythe secret key and the ID are sent in plain-text, an attackercan eavesdrop the key and the tag can later be impersonated.Therefore, hash-lock is vulnerable to attacks, such as imper-sonation, replay, and tracking attacks. In an attempt to avoidthe drawbacks of hash-lock protocol, a randomized version ofthe hash-lock protocol was proposed in [13]. In this protocoltags respond to reader’s queries by generating a random value.This random value is then concatenated with the hash of the IDand sent to the reader. The reader identifies a tag by searchingits database for the ID that corresponds to the hash value. TheID is then sent to the tag in plain-text. While the tag’s responsevaries in each session, it is easy for an adversary to eavesdropand obtain the identity of the tag. Moreover, the tag’s holderis easily traced if the tag’s ID is leaked. A hash-chain protocolwas proposed in [14]. In this protocol, the tag always repliesto the reader queries with different responses. To achieve this,it mainly depends on incorporating two different hash func-tions. Although this protocol introduces the dynamic propertyin tag responses, an attacker can disguise a legitimate tag byresending an intercepted authentication message to the reader.Therefore, the protocol is vulnerable to replay attacks.

In [15], a hash function, a pseudo-random number generator(PRNG), and an XOR operator are used in an authenticationprotocol for low cost tags. However, as shown in [16], thisprotocol is vulnerable to replay and denial of service attacks.In [16], a lightweight anti-desynchronization RFID authentica-tion protocol was proposed. In this protocol, the server keepstrack of the updated random key to prevent the active attack-ers from desynchronizing the shared secret between the tagand the server. Although this technique prevents the replayattack, it is prone to denial of service attacks. Finally, in [17],a scalable pseudo random-based scheme was proposed. Thisscheme utilizes symmetric key cryptography, random num-ber generators, and hash functions for authentication. In thisscheme, although the random number generation makes it dif-ficult to predict the next random value, it is susceptible toreverse engineering due to the static structure of the seed.

III. PRELIMINARIES

A. Protocol Preliminaries

A cryptographic hash function h is a mathematical algorithmthat maps data of arbitrary size to a bit string of fixed size. Itis cryptographically secure if it satisfies the following.

1) Preimage-Resistance: It should be computationallyinfeasible to find any input for any prespecified out-put which hashes to that output, i.e., for any given y,

AFIFI et al.: DYNAMIC AUTHENTICATION PROTOCOL USING SELF-POWERED TIMERS FOR PASSIVE IoT 2929

Fig. 1. Rapid authentication of passive IoT devices using self-powered timers.

it should be computationally infeasible to find an x suchthat h(x) = y.

2) Week Collision Resistance: For any given x, it shouldbe computationally infeasible to find x′ = x such thath(x′) = h(x) [18].

3) Strong Collision-Resistance: It should be computation-ally infeasible to find any two distinct inputs x and x′,such that h(x) = h(x′) [19], [20].

B. System and Adversarial Model

1) System Model: The system usually consists of threecomponents: 1) a tag T; 2) a reader R; and 3) a back-end serverS. A tag T is basically a chip that has small storage, limitedcomputation resources, and constrained communication capa-bilities. It requires power to perform different operations, suchas hash computations. Passive tags are battery-less devicesoperated by energy harvested from the reader. Since they havevery limited power resources, these tags are assumed to receiveand transmit data within a very short range. A reader R is apowerful device which is authorized by the back-end serverto authenticate a group of tags through a set of communica-tion sessions. A back-end server S provides the database fortags and participates with the reader in the tag authentica-tion. The server is also in charge of deciding the authorizationof the set of operating readers. We particularly consider thecase of a centralized system, where any reader R from theset of operating readers is continuously online and connectedto a centralized server S. We denote the number of tags in asystem by NT , and let Ti for 1≤i≤NT denote the identifier forthe ith tag in the system. The back-end server and reader areusually considered to be resource-abundant. They are gener-ally capable of performing intensive cryptographic operations.Therefore, the link between the back-end server and the readeris assumed to be secure. Moreover, the server and reader areconsidered to be a single entity in most of the scenarios. Asshown in [21, Fig. 1], the system model comprises one or a setof timers on-board of the tags, namely, self-powered timers.These timers periodically generate random numbers that areexploited to generate authentication tokens in the proposedauthentication protocol.

2) Adversarial Model: The adversary could be either pas-sive or active. An active adversary can control a certain numberof tags and readers, and modify the conversations betweenthem enabling himself to initiate and terminate a session. Apassive adversary eavesdrops the channel between a tag and areader to learn the output of the communication sessions. Theadversary may then deduce information and combine messagesto later impersonate or trace a tag.

C. Notation

The following notations will be used throughout the rest ofthis paper.

IV. PROPOSED AUTHENTICATION PROTOCOL

In this section, we introduce our authentication protocol.The proposed protocol relies mainly on the existence of oneor a set of M on-chip self-powered timers. In particular, theprotocol exploits a synchronized phenomenon that naturallyhappens to the designed self-powered timer located on-boardof the operating tag. This designed timer provides the proposedprotocol with the desirable dynamic authentication togetherwith the ability of resynchronization with the dedicated readerat any time instance during the tag’s lifetime.

A. Self-Powered Timers

The design and principle of operation of the self-poweredtimers was reported in [10] and is not the focus of this paper.However, in this section we briefly describe some of the fea-tures of the time-keeping devices necessary to describe theauthentication protocol. Fig. 2 summarizes the key features ofthe timers as reported in [10] and [21]. Fig. 2(a) shows themicrograph of a timer device that was fabricated on a standardsilicon process and has a form factor less than 100 µm ×100 µm. Thus, the device could be easily integrated withany passive RFID tag. The measured response of the timeris shown in Fig. 2(b) and can be mathematically modeled as

Vi = K2/ ln(K1ti + K0) + K3 (1)

where Vi is the value of the timer at time instant ti and(K0, K1, K2, K3) are the model parameters which are deter-mined by the device form factors and its initialization con-ditions. As shown in Fig. 2(b), the model in (1) accuratelycaptures the dynamics of the timer. This feature is importantbecause it ensures that a software model of the timer runningon a remote authentication server is accurately synchronized

2930 IEEE INTERNET OF THINGS JOURNAL, VOL. 5, NO. 4, AUGUST 2018

(a) (b) (c)

(d) (e) (f)

Fig. 2. Design of the self-powered timer: (a) micro-photograph of the fabricated timer device, (b) measured response showing that the proposed mathematicmodel can fit the data well, (c) measured data across different dies showing that the timer is robust and showing synchronization accuracy greater than 0.5%,(d) token generation system proposed in [21], (e) normalized random tokens generated using the timer output from measured response in (c), and (f) matchingresult of the random tokens generated from two synchronized timers [10].

with the hardware timer integrated on a tag. Fig. 2(c) com-pares the responses from three different timers (integrated onthree different tags) and shows the maximum temporal devi-ation with respect to each other. The response was obtainedby only taking the change of the timer output with respect toa reference time instance. As reported in [10], the timers canbe synchronized with respect to each other with an accuracygreater than 0.5%.

In [21] we combined the output of the timer with a PRNGto produce authentication tokens. The system is shown inFig. 2(d) and comprises of two modules: 1) the timer whichis self-powered and continuously keeps track of time and2) a PRNG which is externally powered when an authenti-cation value is requested from the tag. When a request signalis sent to the tag, the timer value shown in Fig. 2(c) is read-out and digitized. The digitized value is then used to feed thePRNG, such as a linear feedback shift register as a seed [22].After a certain number of cycles of shift operations, the gen-erated random code Vi shown in Fig. 2(e) can be further usedin the proposed authentication protocol at any time instanceti. The time-variant seeds break the pattern of the PRNG andmakes it function like a true RNG. A synchronized timer storedon the server goes through the same process and should gen-erate identical random number in ideal cases. By comparingthe synchronicity between the two generated random numbertokens, authentication can be achieved. On one hand, due tothe existence of the PRNG, the timer value can be masked andprotected from machine learning attacks. On the other hand,the timer breaks the pattern of the PRNG and therefore makesit difficult to predict the random output. Fig. 2(e) shows thenormalized random tokens generated using the output fromtwo synchronized timers [as shown in Fig. 2(c)] to feed asoftware version of PRNG. As can be observed, at some time

instants, the codes deviate from each other due to the mismatchand quantization error of the digitization process. This issuecan be easily tackled by searching a predetermined range of thereference timer values, therefore providing a level of tolerance.If two synchronized timers are integrated on a tag and server,respectively, the tokens generated using the described strategycan be used for authentication. As illustrated in Fig. 2(f), inideal cases, the token on the tag should always be equal to thaton the server (plotted as the black solid line), while the realtokens can be different at a small portion of random scatteredpoints due to nonideal artifacts.

The robustness of the self-powered timer is key to success-ful implementation of the proposed protocol. In [10], timerswith different combinations of form factors were fabricatedand tested at different temperatures. While the device showsvarious temporal behavior at the initial transient stage, themeasurement results verify that at the equilibrium stage, thefabricated designs show high robustness to device mismatchand temperature variations, and the overall synchronizationperformance is better than 40 dB. An extrapolation study wasalso conducted to verify that the timer can operate as longas three years, which is good enough for passive IoT devices.Details of the device performance can be accessed in [10], andare neglected here for the sake of brevity.

After we have briefly described how the self-powered timerscontribute to the authentication protocol. In the two followingsections, we present details of how the timer output Vi can beused to design two types of authentication models: one usinga single timer and the other using an array of timers.

B. Single Timer Model

In the case of single timer model, only one timer is on-boardof the tag. At each reading attempt, after being involved in a

AFIFI et al.: DYNAMIC AUTHENTICATION PROTOCOL USING SELF-POWERED TIMERS FOR PASSIVE IoT 2931

Algorithm 1 Proposed Dynamic Authentication ProtocolInitialization secret (K): shared between the Tag T and theReader R. At authentication time ti:

• R sends request to access T .• T computes Ai = h(K, Vi), where Vi is the v-bits timer

value, and replies with the pair (IDT , Ai).• R retrieves T’s information from the Server S, computes

Ai and checks Ai?= Ai. If true, R authenticates T . Else,

T is unauthenticated.

simple cryptographic operation, the timer value is comparedto that of the corresponding gold standard tag at the serverside. The details of the proposed authentication protocol aresummarized in Algorithm 1 and described as follows.

The tag T and the reader R are assumed to share the privatekey K. At any authentication instance ti, the authenticationsession is initiated when the tag is in the reader’s range. Rsends a request to T as an interrogating signal for identificationinformation. T responds or broadcasts to R its identificationIDT and the authentication value

Ai = h(K, Vi) (2)

where Vi is the v-bits timer value and Ai is a bits. T thensends Ai to R for authentication. Similarly, R computes Ai andchecks

Ai?= Ai.

If this holds true, R authenticates T . Otherwise, T is unauthen-ticated.

As a matter of fact, the objective of any authentication pro-tocol is to minimize the probability of false positive and falsenegative decisions. In false positive, the tag is erroneouslyindicated to be authentic while it is not. On the other hand,in the false negative, the tag is erroneously indicated to beun-authentic while it is authentic. While this protocol obvi-ously achieves dynamic authentication by sending differentand unpredictable authentication values at each session, wehave not yet elaborated how it is able to continuously resyn-chronize the tag with the server and minimize the probabilityof false negative decisions. As tags are naturally assumed tooperate in a nonsecure environment, they generally receivefrequent attempts to be read by authentic and nonauthenticreaders.

We consider a scenario, where a tag T is attempted to beaccessed by a nonlegitimate reader. Since the tag updates itsauthentication value Ai according to (2), the authenticationvalue is therefore neither dependent on past nor future tagaccesses. Moreover it is also independent of the number ofreading the tag has been read. Therefore, the proposed protocolguarantees the synchronization between the tag and the readerat any time instance ti. As we will show later, this featurealso enables our protocol to tackle numerous kinds of securityattacks.

We also consider a typical security attacking scenario,where at the time period between two authentication valuesupdate denoted as To, an adversary might attempt to reuse the

intercepted authentication value Ai to get authenticated. Wetherefore have the following remark.

Remark 1: At any time instance ti, when a certain tag IDT isaccessed by a legitimate reader based on a valid authenticationvalue Ai, the server no more accepts reaccessing this tag for apredetermined time period To until the authentication value isupdated. In other words, during a time period To, any tag Tcan only be accessed once. Any further authentication attemptsfrom the tag IDT during To are considered to be illegitimate.

The To can be set dynamically by the server in a way thatthe server does not accept consecutive requests with identicalauthentication value. In other word, if the tag is success-fully authenticated with value Ai, the server no longer acceptsauthentication with value equal to Ai. To initialize anothersuccessful authentication process, the timer value needs to beupdated leading to an updated Ai. The minimum time durationbetween two successful authentications can be defined as thelower bound of To.

C. Multiple Timers Model

To add more robustness to the proposed design, we considerthe incorporation of a set of M timers on-board of the tag.The main motivation behind this model is to account for anypossible error in the timer values as result of aging or possiblesecurity manipulation. In the case of multiple timers, each ofthese timers generates its own value to be involved in the sameprotocol as in Algorithm 1. Specifically, at each authenticationtime ti between an authentic reader R and any given tag T , Ris expecting M authentication values from the M self-poweredtimers on-board of T , computed as

Aji = h

!Kj, Vj

i

", for j = 1, 2, . . . , M (3)

where Vji is the v-bits timer value of the jth timer and Aj

i isa bits. Based on these values the reader decides the authen-tication confidence level of any given tag. The resulting Mauthentication values {A1

i , A2i , . . . , AM

i } from (3) are comparedto the set of expected authentication values at the reader’s side{A1

i , A2i , . . . , AM

i }

Aji

?= Aji, for j = 1, 2, . . . , M.

The matches between the two sets are used to compute theauthentication confidence level as follows:

Confidence Level = Number of matchesM

.

To tolerate possible errors in readings of timers-values betweenthe operating tags and their corresponding gold standard at thereader side, we design the authentication model such that it tol-erates a predetermined error threshold γ . This setting enablesus to present a customizable version of our protocol sum-marized in Algorithm 2. The modified protocol provides theflexibility to tolerate different levels of errors corresponding todifferent thresholds. These thresholds will create different saferegions with different confidence levels as shown in Fig. 3. Wedefine the safe region as follows.

Definition 1 (Safe Region): The safe region is defined asthe zone, where a tested tag is legitimately following the

2932 IEEE INTERNET OF THINGS JOURNAL, VOL. 5, NO. 4, AUGUST 2018

Fig. 3. Classification based on statistical distance to the gold standard.

Algorithm 2 Multiple Timers Version of the ProposedDynamic Authentication Protocol

Initialization secret (Kj), j = 1, 2, . . . , M: shared between theTag T and the Reader R.At authentication time ti:

• R sends request to access T .• T computes Aj

i = h(Kj, Vji ) for j = 1, 2, . . . , M, where Vj

iis the v-bits timer value of the jth timer, and replies withthe pair (IDT , Aj

i).

• R checks Aji

?= Aji, computes the Confidence Level and

checks 1 − Confidence Level?≤ γ . If true, R authenticates

T . Else, T is unauthenticated.

behavior of the gold standard. This region is uniquely deter-mined by a threshold radius γ .

Selection of the threshold radius γ depends on the types ofapplications, prior estimation of the implementation environ-ment and the expected security level. As illustrated in Fig. 3, alarger γ implies a looser restriction on the authentication pro-cess, leading to a higher authentication success rate. However,this could possibly cause a higher false positive rate andincrease the risk of malicious access. As a result, the tradeoffbetween the security level and successful authentication ratedetermines the selection of γ . Optimization of the thresholdradius leverages the consideration of the ambient environmentand security requirements. Generally, a more secure systemprefers smaller thresholds, such as γ1 in Fig. 3.

The multiple timer version of the proposed protocol is prac-tically an M times application of Algorithm 1. However, in thiscase, R receives {A1

i , A2i , . . . , AM

i } and checks if

1 − Confidence Level?≤ γ .

If true, R verifies that T falls in the safe region defined bythe threshold γ . R, therefore, authenticates T and updates thestate for the next session. Otherwise, T is unauthenticated.

As we previously mentioned, the tag usually operates inan insecure environment. Illegitimate readers may continu-ously attempt to maliciously access the tags. Thus, betweenevery two legitimate readings, the tag probably had a num-ber of attempts to be accessed of e = n − n′ times, where nand n′ are the current and the expected number of tag read-ings, respectively. We point out that between two consecutive

Fig. 4. Deviation of the timer response from the reference gold-standardtimer.

legitimate tag accesses, no matter how many malicious accessattempts have been done, correctness of the following legiti-mate authentication session still holds. This is a result of theindependence of the authentication value of the number oftag readings. However, it might be useful for the reader tokeep track of the number of illegitimate attempts e to accessthe tag. In particular this gives valuable information about theenvironment and moreover the reader would adaptively adjustthe threshold γ based on this information.

Based on the statistical real-life modeling of the incorpo-rated timers, the reader is able to decide whether the deviationin the tag’s behavior is natural or it is a result of somemalicious act. We therefore give the following definitions.

Definition 2 (Natural Deviation): A natural deviationdescribes the tag’s behavior as a result of natural practicalcircumstances.

Definition 3 (Malicious Deviation): A malicious deviationdescribes the tag’s behavior as a result of any malicious act,where a tested tag fails to continue following the gold standarddeviation pattern or follows it with an unacceptable error.

Intuition of these definitions is clearly illustrated in Fig. 4.Due to nonideal artifacts, such as temperature variations andmismatch, the timer device will show natural deviation fromthe ideal case, however, this deviation is usually within asmall range of the gold standard response, as illustrated inFig. 4 marked as “deviation margin.” Therefore, by search-ing a predefined small range of the gold standard timer atthe server end and selecting a proper threshold radius γ , thenatural deviation can be easily eliminated and will not affectthe authentication process. However, a malicious deviation iseither because of malicious tampering or counterfeited tagsthat are not synchronized with that on the server. In eithercase, it is desynchronized and the value of the timer will be farfrom that stored on the server as shown in Fig. 4. It is obviousthat a malicious deviation will definitely lead the tag to be un-authenticated. Therefore, the proposed protocol enables us todetect counterfeited or malicious tags not only through instantauthentication at the beginning of its operation but also throughstatistical means at any time during its operation lifetime.

V. SECURITY AND PERFORMANCE ANALYSIS

In this section, we analyze the security and performanceof the proposed authentication protocol. We begin by

AFIFI et al.: DYNAMIC AUTHENTICATION PROTOCOL USING SELF-POWERED TIMERS FOR PASSIVE IoT 2933

investigating the security of the protocol against different kindsof attacks. To be able to do this analysis, we first need to seton two key characteristics of the protocol. One is the secretshared between the tag T and the reader R. The other one is thetransmitted messages at each communication session betweenthe tag and the reader. In the proposed protocol, the secret isthe private key K. The transmitted messages are basically thetag identification IDT and the authentication value Ai.

In any authentication attempt at time instance ti, while thetag sends the value of the same hash function in (2), bothof the hash function arguments K and Vi are secure. Morespecifically, K is a private key that is never exposed to theadversary in clear-text and is computationally infeasible toderive. Vi is dynamically and continuously updated with thefresh r-bits output from the self-powered timers leading to anunpredictable authentication value.

Most importantly, it is worth to point out that underthe assumption that the underlying hash functions havethe previously explained characteristics, namely thepreimage-resistance, second-preimage-resistance, andcollision-resistance, the proposed protocol is as secureas the hash functions. Moreover, to achieve the maximumpossible security of the hash functions, the proposed protocolis designed to make it infeasible for an adversary, by anymeans other than exhaustive search, to guess the authenti-cation value, even by overhearing the transmission channelbetween the tag and the reader. In particular, the adversarycan guess a correct a-bits authentication value A′

i = Ai withprobability

Pr#$

A′i = Ai

%&= 2−a.

We now show how the proposed protocol is secure againstmost kinds of popular attacks.

Theorem 1: Our protocol is secure againstde-synchronization attacks.

Proof: Equation (2) implies that the authentication valueis determined by the current timer value. The robustness of thetimer behavior ensures that the timer on the tag will keep syn-chronized with the timer on the server. The timer’s dynamicresponse cannot be programmed or altered by the reader in theauthentication process. As a result, in the case of malicious tagaccess from an illegitimate reader, the authentication values atany future time instance are independent of the previous read-ings, hence cannot be altered. The synchronization betweenthe tag and the reader is continuously maintained by theself-powered timers and is resistant to de-synchronizationattacks.

Theorem 2: The proposed protocol is secure against tagimpersonation attacks based on the security provided by thecombination of the PRNG and the hash function.

Proof: The protocol features three levels of security thatmake the impersonation of a legitimate tag infeasible.

1) Conventional technique based on the private key K onlyshared by the tag and the legitimate readers provides theinitial level of security.

2) The dynamic timer significantly enhances theperformance of the RNG, enabling unpredictableoutput Vi.

3) The choice of hash functions make it computationallyinfeasible for an adversary to find K and Vi.

Therefore, even if the adversary intercepts arbitrary numberof messages at time t < ti, it is practically difficult to guessthe output Ai at ti for impersonation.

Theorem 3: Our protocol is secure against replay attacks.Proof: When a tag is authenticated at time ti, it goes into

an idle mode for a predetermined time period To. As explainedin Remark 1, during this time period, the reader deniesany attempts from the authenticated tag to be reaccessed.Therefore, for ti < t < ti + To, a tag Ti is only authenti-cated once. This prevents any attempts of replay attacks, wherean intercepted authentication value Ai is useless during thistime period.

Theorem 4: The proposed protocol is secure against back-ward and forward traceability attacks based on the security ofthe hash function.

Proof: The key to avoid traceability attacks is to avoidusing any static or predetermined messages throughout all ofthe authentication attempts. Our protocol employs the com-bination of a dynamic timer and a PRNG to generate “true”random numbers that are not predictable. This random featuremakes it hard to trace the pattern. The hash function furtherenhances this attribute. The communicated messages duringauthentication at time instance ti cannot be inferred from othercommunicated messages at any other time tj, where i = j.Therefore, the authentication protocol is immune to forwardor backward traceability attacks.

Table I compares the security ability of the proposed pro-tocol to some state-of-the-art protocols proposed in literature.

To evaluate the performance of the proposed protocol weanalyze the design from two main aspects: 1) storage and2) efficiency. Since tags are typically very resource con-strained, this analysis is extremely important to evaluate andcompare different designs. Generally, the tag is the part of thesystem with the least storage and power resources. Therefore,in our analysis, while we study the resources required by boththe tag and the reader, the resources required by the tag arerather more important. This is a result of the reader beingassumed to be powerful and has sufficient storage as com-pared to the tag. We begin by investigating the amount ofstorage that our protocol requires. The tag basically needs topermanently store its private key K and IDT . This amount ofstorage is, to the best of our knowledge, equivalent to the leastwe have seen in literature. In terms of communication cost,with only one transmission from the tag to the reader, theproposed protocol is by far the most efficient we have seenin literature. Moreover, for the performance of tags in termsof hash function computation, we compute the execution timeper output of the most well-known hashing algorithm, securehash algorithm (SHA). While it is benchmarked in [23] thatcycles per instruction (CPI) for SHA 256 and SHA 512 are31.6 and 35.4 cycles/byte, respectively, based on these values,we compute the execution time as follows:

Execution Time = CPI ∗ Bytes ∗ Cycle Time.

The results of performance comparison are depicted inFig. 5, where the execution time is measured at a tag’s

2934 IEEE INTERNET OF THINGS JOURNAL, VOL. 5, NO. 4, AUGUST 2018

TABLE ISECURITY COMPARISON AGAINST VARIOUS ATTACKS

TABLE IICOST COMPARISON

Fig. 5. Dependence of execution time of SHA-256 and SHA-512 on clockspeed.

clock-rate ranging from 0.5 to 5 MHz. In Table II, we presenta cost analysis comparison between the proposed protocol andsome of the state-of-the-art protocols.

VI. DESIGN CONSIDERATIONS

In this section we introduce an analysis of the set of param-eters that control the security, performance, and efficiencylevel of the proposed protocol. We explain the effect and theunderlying design tradeoffs for each of these parameters.

1) r: The number of random bits |r| periodically gener-ated by the self-powered timers is controlled by theirelectronic design. As this number increases, the securityof the authentication protocol increases. r is deter-mined by the robustness of the timer and limited bythe computational resources.

2) a: As the number of bits output of the hash function Ai =h(K, Vi) increases, the security of the authenticationprotocol increases.

3) To: The idle time that a tag spends after being read witha legitimate reader. While this value is determined by theelectronic design of timers, it is useful to consider thatthe longer this value is, the longer the time period atag will spend in the idle mode. On the other hand, the

TABLE IIIFUNCTIONAL CHARACTERISTICS OF SHA

shorter this period is, the more strict the protocol willbe in terms of accepted time offset.

4) M: The bigger the number of self-powered timers on-board of the tag is, the more robust and reliable ourdesign is. However, as M increases, the storage, imple-mentation, communication, and chip costs increase.

5) γ : As the threshold for accepted mismatches betweenthe timers values of the tag and the reader decreases,the accuracy of the authentication protocol increases.However, if the threshold is too small, this can resultin a higher probability of false negative decisions.

We note that the number of bits a of the critical value Aiis implicitly determined by the type of the underlying hashfunction. To give an insight of the possible sizes of hash argu-ments, hash values and their corresponding security level, wegive some numerical values for the characteristics of SHA.Table III, from [24], shows the functional characteristics forthree variants of SHA.

VII. CONCLUSION

In this paper, we introduced a novel dynamic authentica-tion protocol for passive IoT systems. Our protocol relies onthe existence of self-powered timers on-board of the authenti-cated tags. The self-powered timers do not require any externalpower sources, therefore can continuously run and keep trackof time. Values generated by these timers provide our protocolnot only with the desirable dynamic authentication but also theability to defend different types of attacks, such as replay andde-synchronization attacks. Two authentication models wereproposed. The first is a single timer model that depends on theoutput from a single timer on-board of the tag. A more robustmodel incorporates a set of M on-board timers. Depending onthe statistical model of the timers, this model helps toleratea predetermined error level during authentication by adjust-ing the desired threshold. Our protocol is proved to be secureagainst most kinds of attacks and improve the performance interms of security compared to the state-of-the-art protocols.The proposed design saves storage resources and is validatedto be more efficient compared to the existing authenticationprotocols.

AFIFI et al.: DYNAMIC AUTHENTICATION PROTOCOL USING SELF-POWERED TIMERS FOR PASSIVE IoT 2935

The proposed protocol opens doors to future work.Specifically, the tokens generated by the protocol can not onlybe used for authentication, but also can be used to encrypt thedata transmission between the tag and reader. It can functionas a dynamic encryption key for enhancing the data security.

REFERENCES

[1] F.-Y. Wang, D. Zeng, and L. Yang, “Smart cars on smart roads: AnIEEE intelligent transportation systems society update,” IEEE PervasiveComput., vol. 5, no. 4, pp. 68–69, Oct./Dec. 2006.

[2] M. Darianian and M. P. Michael, “Smart home mobile RFID-basedInternet-of-Things systems and services,” in Proc. Adv. Comput. TheoryEng. (ICACTE), 2008, pp. 116–120.

[3] E. Abad et al., “RFID smart tag for traceability and cold chain moni-toring of foods: Demonstration in an intercontinental fresh fish logisticchain,” J. Food Eng., vol. 93, no. 4, pp. 394–399, 2009.

[4] S. Amendola, R. Lodato, S. Manzari, C. Occhiuzzi, and G. Marrocco,“RFID technology for IoT-based personal healthcare in smart spaces,”IEEE Internet Things J., vol. 1, no. 2, pp. 144–152, Apr. 2014.

[5] L. Ruiz-Garcia and L. Lunadei, “The role of RFID in agriculture:Applications, limitations and challenges,” Comput. Electron. Agricul.,vol. 79, no. 1, pp. 42–50, 2011.

[6] A. Juels, “RFID security and privacy: A research survey,” IEEE J. Sel.Areas Commun., vol. 24, no. 2, pp. 381–394, Feb. 2006.

[7] S. A. Ahson and M. Ilyas, RFID Handbook: Applications, Technology,Security, and Privacy. Boca Raton, FL, USA: CRC Press, 2008.

[8] A. Mitrokotsa, M. R. Rieback, and A. S. Tanenbaum, “Classifying RFIDattacks and defenses,” Inf. Syst. Front., vol. 12, no. 5, pp. 491–505, 2010.

[9] C. H. Lim and T. Kwon, “Strong and robust RFID authenticationenabling perfect ownership transfer,” in Proc. Conf. Inf. Commun.Security (ICICS), Raleigh, NC, USA, 2006, pp. 1–20.

[10] L. Zhou and S. Chakrabartty, “Self-powered timekeeping and synchro-nization using Fowler–Nordheim tunneling-based floating-gate integra-tors,” IEEE Trans. Electron Devices, vol. 64, no. 3, pp. 1254–1260,Mar. 2017.

[11] RSA Secure ID. Accessed: Feb. 6, 2017. [Online]. Available:http://www.emc.com/security/rsa-securid.htm

[12] S. E. Sarma, S. A. Weis, and D. W. Engels, “RFID systems and securityand privacy implications,” in Proc. CHES, Redwood Shores, CA, USA,2003, pp. 454–469.

[13] S. A. Weis, S. E. Sarma, R. L. Rivest, and D. W. Engels, “Securityand privacy aspects of low-cost radio frequency identification systems,”in Proc. 1st Int. Conf. Security Pervasive Comput., Boppard, Germany,2003, pp. 201–212.

[14] M. Ohkubo, K. Suzuki, and S. Kinoshita, “Hash-chain based forwardsecure privacy protection scheme for low-cost RFID,” in Proc. Symp.Cryptograph. Inf. Security, Sendai, Japan, 2004, pp. 719–724.

[15] B. Song and C. J. Mitchell, “RFID authentication protocol for low-costtags,” in Proc. 1st ACM Conf. Wireless Netw. Security, Alexandria, VA,USA, 2008, pp. 140–147.

[16] S. Zhou, Z. Zhang, Z. Luo, and E. C. Wong, “A lightweight anti-desynchronization RFID authentication protocol,” Inf. Syst. Front.,vol. 12, no. 5, pp. 521–528, 2010.

[17] J. Fu, C. Wu, X. Chen, R. Fan, and L. Ping, “Scalable pseudo ran-dom RFID private mutual authentication,” in Proc. 2nd IEEE Int. Conf.Comput. Eng. Technol. (ICCET), Chengdu, China, 2010, pp. 497–500.

[18] M. Naor and M. Yung, “Universal one-way hash functions and theircryptographic applications,” in Proc. STOC, Seattle, WA, USA, 1989,pp. 33–43.

[19] I. B. Damgard, “Collision free hash functions and public key signatureschemes,” in Proc. EUROCRYPT, Amsterdam, The Netherlands, 1987,pp. 203–216.

[20] M. Bellare and P. Rogaway, “Collision-resistant hashing: Towardsmaking UOWHFs practical,” in Advances in Cryptology—Crypto’97(LNCS 1294). Heidelberg, Germany: Springer, 1997, pp. 470–484.

[21] L. Zhou and S. Chakrabartty, “Secure dynamic authentication of passiveassets and passive IoTs using self-powered timers,” in Proc. ISCAS,Baltimore, MD, USA, May 2017, pp. 1–4.

[22] R. L. T. Hampton, “A hybrid analog-digital pseudo-random noise gen-erator,” in Proc. Spring Joint Comput. Conf., Washington, DC, USA,1964, pp. 287–301.

[23] Speed Benchmarks for Some Commonly Used CryptographicAlgorithms. Accessed: Jan. 14, 2017. [Online]. Available:https://www.cryptopp.com/benchmarks.html

[24] T. Grembowski et al., “Comparative analysis of the hardware implemen-tations of hash functions SHA-1 and SHA-512,” in Proc. 5th Int. Conf.Inf. Security, São Paulo, Brazil, 2002, pp. 75–89.

M. H. Afifi (S’17) received the B.S. andM.Sc. degrees in electrical engineering from theDepartment of Electronics and Communications,Arab Academy for Science, Technology, Alexandria,Egypt, in 2009 and 2012, respectively. He is cur-rently pursuing the Ph.D. degree at the Departmentof Electrical and Computer Engineering, MichiganState University (MSU), East Lansing, MI, USA.

He is currently a Research Assistant with theDepartment of Electrical and Computer Engineering,MSU. His current research interests include cyberse-

curity, data privacy, wireless communications, signal processing, and wirelesssensor networks.

Liang Zhou (GS’14–M’17) received the B.S.degree in physics from Tsinghua University, Beijing,China, in 2010. He is currently pursuing the Ph.D.degree at the Department of Computer Science andEngineering, Washington University at St. Louis,St. Louis, MO, USA.

His current research interests include self-poweredsensory systems, integrated circuits design, and hard-ware security.

Shantanu Chakrabartty (S’99–M’04–SM’09)received the B.Tech. degree from the IndianInstitute of Technology Delhi, New Delhi, India,in 1996, and the M.S. and Ph.D. degrees inelectrical engineering from The Johns HopkinsUniversity, Baltimore, MD, USA, in 2002 and2004, respectively.

He is currently a Professor with the School ofApplied Sciences and Engineering, WashingtonUniversity at St. Louis, St. Louis, MO, USA.From 2004 to 2015, he was an Associate Professor

with the Department of Electrical and Computer Engineering, MichiganState University (MSU), East Lansing, MI, USA. From 1996 to 1999, hewas with Qualcomm Inc., San Diego, CA, USA, and in 2002, he was aVisiting Researcher with the University of Tokyo, Tokyo, Japan. His researchcovers different aspects of analog computing, in particular nonvolatilecircuits. His current research interests include energy harvesting sensors andneuromorphic, and hybrid circuits and systems.

Dr. Chakrabartty was a recipient of the National Science FoundationsCAREER Award, the University Teacher–Scholar Award from MSU, andthe 2012 Technology of the Year Award from MSU Technologies. He iscurrently serving as an Associate Editor for the IEEE TRANSACTIONSOF BIOMEDICAL CIRCUITS AND SYSTEMS and a Review Editor forthe Frontiers of Neuromorphic Engineering Journal. He was a CatalystFoundation Fellow from 1999 to 2004.

Jian Ren (SM’09) received the B.S. and M.S.degrees in mathematics from Shaanxi NormalUniversity, Xi’an, China, and the Ph.D. degree inEE from Xidian University, Xi’an.

He is an Associate Professor with the Departmentof ECE, Michigan State University, East Lansing,MI, USA. His current research interests includenetwork security, cloud computing security, privacy-preserving communications, distributed networkstorage, and Internet of Things.

Dr. Ren was a recipient of the U.S. NationalScience Foundation Faculty Early Career Development (CAREER) Awardin 2009. He is the TPC Chair of IEEE ICNC’17 and the General Chair ofICNC’18.