I. Introduction
Internet of Things (IoT) devices have become increasingly essential across various sectors of modern society, industry, and government [1]. The number of connected IoT devices worldwide, which was estimated at 14 billion in 2022, is predicted to more than double by 2025, reaching over 27 billion [3]. Radio-frequency identification (RFID) technologies play a crucial role in the functioning of the IoT, serving as key enablers for seamless communication and data exchange between devices [2]. RFID technology generally consists of three main components: an RFID tag, which stores data; an RFID reader, which retrieves and processes that data without the need for direct contact or line-of-sight communication; and the backend server, which processes and manages the data collected from RFID tags [4]. In RFID communication, physical unclonable functions (PUFs), nonces, public keys, and hash functions each play distinct roles in enhancing security and ensuring authentication, data integrity, and privacy. However, as the adoption of RFID technology increases, the need for strong security measures to protect sensitive data and maintain secure transactions and integrity becomes increasingly important. At the forefront of these security measures is secure communication [5]. Recent protocols for RFID systems [25]–[28] that rely on such mechanisms have shown significant promise, but there are still critical communication-related vulnerabilities that can expose them to various attacks.

A pre-shared key (PSK) is a secret value that is shared in advance between the RFID reader and the RFID tag (or transponder). This key is used for authenticating the tag and establishing a secure communication channel between the tag and the reader. When PSKs are not used between an RFID tag and reader, there are several well-documented vulnerabilities and issues associated with authentication schemes based solely on hash functions, public keys, and nonces [6].
Hash functions alone do not provide encryption, only data integrity. This means that any information that is only hashed and not encrypted can be observed by an attacker. Additionally, using the latest version of a secure hash function is not enough on its own to ensure the security of mutual authentication protocols or any cryptographic system [7]. Consequently, when PSKs are not used between an RFID tag and a reader, relying solely on public-key cryptography (such as RSA or ECC) for authentication poses several security risks due to the inherent weaknesses and limitations in such implementations [8]–[10]. A physical unclonable function (PUF) typically relies on unique, hardware-based responses to challenges. If an attacker gains access to several challenge-response pairs, they could attempt to infer the internal behaviour of the PUF and predict future responses. This could enable them to impersonate the tag in a mutual authentication scheme. Nonces are often used to prevent replay attacks by ensuring that each authentication session is unique. However, if the nonces themselves are not adequately protected, attackers can capture valid nonce values and reuse them to impersonate a legitimate tag. These sources and papers demonstrate the need for stronger security primitives like Elliptic Curve Cryptography (ECC), digital signatures, or key agreements in mutual authentication to address these vulnerabilities [11]. Therefore, this paper introduces a secure mutual authentication protocol with dynamic and hybrid key agreement to effectively address the aforementioned security challenges in RFID within IoT environments. The main contributions of this work include the following:
This protocol introduces secure mutual authentication between the reader and the tag by implementing indirect mutual authentication through the secure exchange of public and private keys via a trusted server. Instead of directly relying on PSKs between the reader and tag, this approach allows both parties to establish a secure session, where the public and private keys are shared and managed by a server, ensuring the integrity and confidentiality of the communication.
This protocol reduces the dependency on PSKs between the reader and the tag in RFID systems and enhances the security, scalability, and flexibility of the system. By eliminating the need for pre-shared symmetric keys, the protocol introduces dynamic, real-time key generation between reader and tag to establish secure communication channels, addressing the inherent vulnerabilities that come with traditional PSK-based approaches.
This protocol introduces hybrid and dynamic key agreement that improves the overall security of the system. Asymmetric keys provide secure identity verification, while symmetric keys offer fast and efficient encryption for data transmission. Additionally, it provides session-specific keys for each authentication session rather than relying on static keys.
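
The weakness of hash-and-nonce authentication described above, and the effect of a session-specific key, can be seen in a small simulation. This is an added example and not the protocol proposed in this paper: the Reader class, the function names, the tag identifier, and the randomly generated key (standing in for the output of a key agreement) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def unkeyed_response(tag_id, nonce):
    # Hash-only scheme: both inputs cross the air interface in the clear.
    return hashlib.sha256(tag_id + nonce).digest()

def keyed_response(session_key, tag_id, nonce):
    # The response depends on a secret that is never transmitted.
    return hmac.new(session_key, tag_id + nonce, hashlib.sha256).digest()

class Reader:
    """Toy reader (hypothetical). session_key=None selects the hash-only scheme."""
    def __init__(self, session_key=None):
        self.session_key = session_key
        self.outstanding = set()  # challenges issued and not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, tag_id, nonce, response):
        if self.session_key is None:
            # Weak path: no secret and no freshness check on the nonce.
            return hmac.compare_digest(unkeyed_response(tag_id, nonce), response)
        if nonce not in self.outstanding:
            return False  # unknown or already-consumed nonce
        self.outstanding.discard(nonce)  # each challenge is single-use
        expected = keyed_response(self.session_key, tag_id, nonce)
        return hmac.compare_digest(expected, response)

def run_checks():
    tag_id = b"TAG-0001"  # constructed sample identifier
    weak = Reader()
    n1 = weak.challenge()
    r1 = unkeyed_response(tag_id, n1)
    out = {"weak_accepts_replay": weak.verify(tag_id, n1, r1) and weak.verify(tag_id, n1, r1)}
    n2 = weak.challenge()  # a party holding no secret can still answer
    out["weak_accepts_keyless"] = weak.verify(tag_id, n2, unkeyed_response(tag_id, n2))
    key = secrets.token_bytes(32)  # assumption: stands in for an agreed per-session key
    strong = Reader(key)
    n3 = strong.challenge()
    r3 = keyed_response(key, tag_id, n3)
    out["strong_accepts_first"] = strong.verify(tag_id, n3, r3)
    out["strong_rejects_replay"] = not strong.verify(tag_id, n3, r3)
    n4 = strong.challenge()
    out["strong_rejects_keyless"] = not strong.verify(tag_id, n4, unkeyed_response(tag_id, n4))
    return out

if __name__ == "__main__":
    print(run_checks())
```

Every entry returned by `run_checks()` is `True`: the hash-only reader accepts both a repeated response and a response computed without any secret, while the keyed reader with single-use challenges rejects both.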